depot/ops/nixos/bvm-forgejo/default.nix

# SPDX-FileCopyrightText: 2020 Luke Granger-Brown <depot@lukegb.com>
#
# SPDX-License-Identifier: Apache-2.0

{ config, depot, lib, pkgs, ... }:
let
  inherit (depot.ops) secrets;
  systemConfig = config;
in {
  imports = [
    ../lib/bvm.nix
    ../lib/pomerium.nix
  ];

  # Networking!
  networking = {
    hostName = "bvm-forgejo";
    hostId = "9cdd4290";
    tempAddresses = "disabled";

    interfaces.enp1s0 = {
      ipv4.addresses = [{ address = "10.100.0.208"; prefixLength = 23; }];
    };
    interfaces.enp2s0 = {
      ipv4.addresses = [{ address = "92.118.28.7"; prefixLength = 24; }];
      ipv6.addresses = [{ address = "2a09:a441::7"; prefixLength = 32; }];
    };
    interfaces.lo = {
      ipv4.addresses = [
        { address = "127.0.0.1"; prefixLength = 8; }
      ];
      ipv6.addresses = [
        { address = "::1"; prefixLength = 128; }
      ];
    };
    defaultGateway = { address = "92.118.28.1"; interface = "enp2s0"; };
    defaultGateway6 = { address = "2a09:a441::1"; interface = "enp2s0"; };

    firewall = {
      allowedTCPPorts = [ 22 80 443 20022 ];
      allowedUDPPorts = [ 443 ];
    };
  };
  my.ip.tailscale = "100.103.26.78";
  my.ip.tailscale6 = "fd7a:115c:a1e0::8d01:1a4e";
  boot.kernel.sysctl = {
    # We have statically-configured v6.
    "net.ipv6.conf.all.accept_ra" = 0;
    "net.ipv6.conf.default.accept_ra" = 0;
  };

  services.openssh.ports = [ 20022 ];
  my.deploy.args = "-p 20022";
  my.rundeck.hostname = "${config.networking.fqdn}:20022";

  users.users.postfix.extraGroups = [ "opendkim" ];

  services.postfix = {
    enable = true;
    domain = "git.lukegb.com";
    hostname = "git.lukegb.com";
    extraConfig = ''
      milter_protocol = 2
      milter_default_action = accept
      smtpd_milters = ${config.services.opendkim.socket}
      non_smtpd_milters = ${config.services.opendkim.socket}
    '';
  };
  services.opendkim = {
    enable = true;
    domains = "csl:git.lukegb.com";
    selector = "bvm-forgejo";
  };
  systemd.services.opendkim.serviceConfig.UMask = lib.mkForce "0007";

  services.pomerium = {
    settings = {
      services = "proxy";
      autocert = true;
      routes = [{
        from = "https://git.lukegb.com";
        to = "http://localhost:3000";
        pass_identity_headers = true;
        remove_request_headers = [
          "X-WebAuth-User"
          "X-WebAuth-Email"
          "X-WebAuth-FullName"
        ];
      }];
    };
  };

  environment.systemPackages = with pkgs; [ forgejo-cli forgejo ];
  services.forgejo = {
    enable = true;
    lfs.enable = true;
    package = pkgs.forgejo;
    secrets = let
      customDir = config.services.forgejo.customDir;
    in {
      storage.MINIO_SECRET_ACCESS_KEY = "${customDir}/conf/s3_secret_key";
    };
    settings = {
      server = {
        DOMAIN = "git.lukegb.com";
        ROOT_URL = "https://git.lukegb.com/";

        START_SSH_SERVER = true;
        BUILTIN_SSH_SERVER_USER = "git";
        SSH_TRUSTED_USER_CA_KEYS = builtins.readFile ../../secrets/client-ca.pub;
        SSH_AUTHORIZED_PRINCIPALS_ALLOW = "username";
      };
      session = {
        COOKIE_SECURE = true;
      };
      storage = {
        STORAGE_TYPE = "minio";
        MINIO_ENDPOINT = "objdump.zxcvbnm.ninja";
        MINIO_BUCKET = "lukegb-forgejo";
        MINIO_LOCATION = "london";
        MINIO_USE_SSL = true;
        MINIO_BUCKET_LOOKUP = "dns";
        MINIO_ACCESS_KEY_ID = "AKIALUKEGBFORGEJO000";
      };
      security = {
        COOKIE_REMEMBER_NAME = "forgejo_remember_me";
        REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-Pomerium-Claim-Email";
      };
      service = {
        DISABLE_REGISTRATION = true;
        ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
        ENABLE_REVERSE_PROXY_EMAIL = true;
      };
      mailer = {
        ENABLED = true;
        PROTOCOL = "smtp";
        SMTP_ADDR = "localhost";
        SMTP_PORT = 25;
        FROM = "lukegb.com Forgejo <forgejo@git.lukegb.com>";
      };
      cron = {
        ENABLED = true;
      };
      log.LEVEL = "Trace";
    };
  };
  systemd.services.forgejo.serviceConfig = {
    PrivateUsers = lib.mkForce false;

    # Allow forgejo to bind port 22.
    AmbientCapabilities = "CAP_NET_BIND_SERVICE";
    CapabilityBoundingSet = lib.mkForce "CAP_NET_BIND_SERVICE";
  };

  system.stateVersion = "24.11";
}