diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md index 49c0aa0..da9edcc 100644 --- a/.github/copilot-instructions.md +++ b/.github/copilot-instructions.md @@ -68,6 +68,7 @@ just secret-edit # Edit an encrypted secret ### Safety Boundaries **CRITICAL**: As an AI agent, you are **FORBIDDEN** from executing commands that permanently modify the system state or perform remote deployments. + - **DO NOT** run `just switch` or `just boot`. - **DO NOT** run `just switch `. - Use `just test` or `just build-system` if you need to verify that a configuration builds successfully. @@ -85,7 +86,7 @@ Secrets use agenix + agenix-rekey with YubiKey master identity: ## Adding New Features 1. **New program**: Create `modules/programs/.nix`, guard with `lib.mkIf config.fireproof.desktop.enable` or similar -2. **New homelab service**: Create `modules/homelab/.nix`, add to `modules/homelab/default.nix` imports +2. **New homelab service**: Create `modules/homelab/.nix`, add to `modules/homelab/default.nix` imports, and **add a link to the dashboard in `modules/homelab/glance.nix`** 3. **New host**: Run `just new-host `, then add to `hosts/default.nix` ## Common Patterns diff --git a/modules/homelab/default.nix b/modules/homelab/default.nix index f2cbdf3..b3dd8b6 100644 --- a/modules/homelab/default.nix +++ b/modules/homelab/default.nix @@ -7,6 +7,7 @@ ./arr.nix ./audiobookshelf.nix ./freshrss.nix + ./forgejo.nix ./glance.nix ./home-assistant ./jellyfin.nix diff --git a/modules/homelab/forgejo.nix b/modules/homelab/forgejo.nix new file mode 100644 index 0000000..a20e1cc --- /dev/null +++ b/modules/homelab/forgejo.nix 
@@ -0,0 +1,75 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+lib.mkIf config.fireproof.homelab.enable (let
+ domain = "forgejo.nickolaj.com";
+in {
+ age.secrets.forgejo-runner-token = {
+ rekeyFile = ../../secrets/hosts/homelab/forgejo-runner-token.age;
+ mode = "0600";
+ };
+
+ services.forgejo = {
+ enable = true;
+ database.type = "postgres";
+ dump = {
+ enable = true;
+ interval = "daily";
+ };
+ settings = {
+ server = {
+ DOMAIN = domain;
+ ROOT_URL = "https://${domain}/";
+ HTTP_PORT = 3000;
+ HTTP_ADDR = "127.0.0.1";
+ };
+ service = {
+ DISABLE_REGISTRATION = true;
+ ENABLE_INTERNAL_SIGNIN = false;
+ };
+ actions = {
+ ENABLED = true;
+ };
+ };
+ };
+
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-runner;
+ instances.homelab = {
+ enable = true;
+ name = "homelab";
+ url = "https://${domain}";
+ tokenFile = config.age.secrets.forgejo-runner-token.path;
+ labels = [
+ "ubuntu-latest:docker://node:20-bookworm"
+ ];
+ };
+ };
+ systemd.services.gitea-runner-default.serviceConfig.DynamicUser = lib.mkForce false;
+
+ services.postgresql = {
+ ensureDatabases = ["forgejo"];
+ ensureUsers = [
+ {
+ name = "forgejo";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ services.restic.backups.homelab.paths = [
+ config.services.forgejo.stateDir
+ config.services.forgejo.dump.backupDir
+ ];
+
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ };
+ };
+})
diff --git a/modules/homelab/glance.nix b/modules/homelab/glance.nix
index 426df8f..c3534cd 100644
--- a/modules/homelab/glance.nix
+++ b/modules/homelab/glance.nix
@@ -216,6 +216,12 @@ in {
 icon = "sh:freshrss";
 same-tab = true;
 }
+ {
+ title = "Forgejo";
+ url = "https://forgejo.nickolaj.com";
+ icon = "sh:forgejo";
+ same-tab = true;
+ }
 {
 title = "Sonarr";
 url = "https://sonarr.nickolaj.com";
diff --git a/modules/system/ssh.nix b/modules/system/ssh.nix
index ab83071..3ebbba9 100644
--- a/modules/system/ssh.nix
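Review bot: The `DynamicUser = lib.mkForce false` override is addressed to `gitea-runner-default`, but the runner declared a few lines above is `instances.homelab`, so the unit the NixOS module generates is `gitea-runner-homelab.service` and this line only declares an empty, unrelated `gitea-runner-default` unit; if the override is really needed it should read `systemd.services.gitea-runner-homelab.serviceConfig.DynamicUser = lib.mkForce false;` with a comment stating why the module's default sandboxing is being dropped. Before keeping it at all, note that this runner executes workflow jobs on the same host as the Forgejo instance and the `docker://` label means it presumably needs access to the host's container runtime, so anything that can get a job onto this runner is close to root-equivalent on the homelab box — a comment next to `actions.ENABLED = true;` recording who may trigger Actions (private repos only, no fork/PR runs) would make that trade-off explicit. `ENABLE_INTERNAL_SIGNIN = false` combined with `DISABLE_REGISTRATION = true` leaves no sign-in path visible in this hunk, so presumably an OAuth2/OIDC source is configured elsewhere — otherwise no admin can log in after deployment. The nginx `locations."/"` block also sets no `client_max_body_size`, so a larger `git push` over HTTPS will be rejected by nginx's 1m default.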
+++ b/modules/system/ssh.nix @@ -17,6 +17,11 @@ in { mode = "0600"; owner = username; }; + age.secrets.forgejo-ssh-key = { + rekeyFile = ../../secrets/forgejo-ssh-key.age; + mode = "0600"; + owner = username; + }; age.secrets.ssh-key-ao = lib.mkIf workEnabled { rekeyFile = ../../secrets/ssh-key-ao.age; mode = "0600"; @@ -40,6 +45,11 @@ in { hostname = "x.nickolaj.com"; user = "nickolaj"; }; + "forgejo.nickolaj.com" = { + hostname = "forgejo.nickolaj.com"; + user = "git"; + identityFile = "${config.age.secrets.forgejo-ssh-key.path}"; + }; } // lib.optionalAttrs workEnabled { # Work hostnames definded in ./networking.nix diff --git a/secrets/forgejo-ssh-key.age b/secrets/forgejo-ssh-key.age new file mode 100644 index 0000000..6adb410 Binary files /dev/null and b/secrets/forgejo-ssh-key.age differ diff --git a/secrets/hosts/bootstrap/.rekey/bdc52981b52c8735530cc4358f5c0913-forgejo-ssh-key.age b/secrets/hosts/bootstrap/.rekey/bdc52981b52c8735530cc4358f5c0913-forgejo-ssh-key.age new file mode 100644 index 0000000..b7608a6 Binary files /dev/null and b/secrets/hosts/bootstrap/.rekey/bdc52981b52c8735530cc4358f5c0913-forgejo-ssh-key.age differ diff --git a/secrets/hosts/desktop-wsl/.rekey/9a411f84fe7d4308015913d2d7b32915-forgejo-ssh-key.age b/secrets/hosts/desktop-wsl/.rekey/9a411f84fe7d4308015913d2d7b32915-forgejo-ssh-key.age new file mode 100644 index 0000000..6f2be36 --- /dev/null +++ b/secrets/hosts/desktop-wsl/.rekey/9a411f84fe7d4308015913d2d7b32915-forgejo-ssh-key.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 KDYMLA 3XX1km6w6wqWFXVoPVo9+pHr9POhVlQ2ITm0b9Rc2Xo +syQAnCjVkK8FuVj/rv05mC3uo3FyNJW8TG6LhqnokEI +-> 8Ae$E-grease M1 +PcS1jY8MbdwwWwPCRvBBYVkRmvD9UUQyjCgJtmKdBUw+Ziv7 +--- Gjix1IgomW7LXSfoOXRm4/zMXHfS5WFeD4C5nYwxH30 +wqQ {4_VN?C3?Vۛ,b_,\rY4ޫ9zKb=(&3x5F\t`-J~)Mb`#-LKjp Rx+ H&ݕKU +e%c/=XڬGCݺ2>-(YxѶ73gى k,-X$u6|VͱlNĘ 4 o„*ώNL3k YB-j)vR37R~O!'{T +&s-zr wȁhfػʎkT9`eG8Qj*6ٳ&V+j$6,KLw0ΰ+7?.iHL("jҴ #yqXmNOQ{1-gOG, y s \ No newline at end of file 
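Review bot: `age.secrets.forgejo-ssh-key` is declared unconditionally, so the personal Forgejo client key is decrypted on every host; the `.rekey` files added in this commit confirm it is rekeyed for `bootstrap`, `desktop-wsl`, `desktop`, `laptop`, `work` and `homelab`, which includes the server that runs Forgejo and the work machine. The sibling `ssh-key-ao` secret directly below is already scoped with `lib.mkIf workEnabled`; the new key deserves the inverse condition or a dedicated flag, e.g. `age.secrets.forgejo-ssh-key = lib.mkIf (!workEnabled) { … };`, so that a compromised bootstrap or work host cannot push to Forgejo under your identity. The enclosing attribute set starts before this hunk.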
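Review bot: The new `"forgejo.nickolaj.com"` block names an `identityFile` but not `identitiesOnly = true;`, so ssh will still offer every key loaded in the agent before the Forgejo key; for a git host that is the usual source of `Too many authentication failures` and it also reveals your other public keys to the server. The `"${...}"` wrapper around a single path is unnecessary — `identityFile = config.age.secrets.forgejo-ssh-key.path;` is the idiomatic form. Separately, the entry connects as `user = "git"`, while `modules/homelab/forgejo.nix` in the same commit sets neither `services.forgejo.user` nor any `settings.server.SSH_DOMAIN`/`START_SSH_SERVER`; presumably the system sshd and the module's default `forgejo` service user are meant to serve git-over-SSH, which is worth confirming before relying on this alias. The set this entry lives in closes inside the hunk, but the surrounding expression continues past it (`// lib.optionalAttrs workEnabled {`).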
diff --git a/secrets/hosts/desktop/.rekey/a3fe8763891b7de6d9abcae5a166f745-forgejo-ssh-key.age b/secrets/hosts/desktop/.rekey/a3fe8763891b7de6d9abcae5a166f745-forgejo-ssh-key.age new file mode 100644 index 0000000..c86ea75 Binary files /dev/null and b/secrets/hosts/desktop/.rekey/a3fe8763891b7de6d9abcae5a166f745-forgejo-ssh-key.age differ diff --git a/secrets/hosts/homelab/.rekey/387158a9d90fcba2ab73cb530a2edc55-forgejo-runner-token.age b/secrets/hosts/homelab/.rekey/387158a9d90fcba2ab73cb530a2edc55-forgejo-runner-token.age new file mode 100644 index 0000000..aaf3909 Binary files /dev/null and b/secrets/hosts/homelab/.rekey/387158a9d90fcba2ab73cb530a2edc55-forgejo-runner-token.age differ diff --git a/secrets/hosts/homelab/.rekey/a9c15eed169576a0aea8c75c70c4fb53-forgejo-ssh-key.age b/secrets/hosts/homelab/.rekey/a9c15eed169576a0aea8c75c70c4fb53-forgejo-ssh-key.age new file mode 100644 index 0000000..a0a9ce4 Binary files /dev/null and b/secrets/hosts/homelab/.rekey/a9c15eed169576a0aea8c75c70c4fb53-forgejo-ssh-key.age differ diff --git a/secrets/hosts/homelab/forgejo-runner-token.age b/secrets/hosts/homelab/forgejo-runner-token.age new file mode 100644 index 0000000..521e0e4 --- /dev/null +++ b/secrets/hosts/homelab/forgejo-runner-token.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> X25519 /7xd7wW72ibsmB1cpyfT14TM+y2Qo0G/vTEURUZprmg +KPKazzWC9mxDGAcZLrTkjhmXq/RsJAp4mdZysjvQI6E +-> piv-p256 q3LNVw Axl/D2SGpYP/eHdoTrOrTgzZZdcNSNPcOhfkwnCsBzSH +L6TMeLKBtUGtlSLUcHh+XHNvfLi6iwgkznNldu+mmXQ +-> gdcz[!v-grease x `{t0 +mWsv +--- RGBGe47nVpK4mlxh8cUFzg8R52AAtY3iNUb7bYO6e1E +i1aekG} rƌ'֢$ULg|À/J@7i+ aAXTwWC3y)a]l \ No newline at end of file diff --git a/secrets/hosts/laptop/.rekey/a3fe8763891b7de6d9abcae5a166f745-forgejo-ssh-key.age b/secrets/hosts/laptop/.rekey/a3fe8763891b7de6d9abcae5a166f745-forgejo-ssh-key.age new file mode 100644 index 0000000..e7f5a44 Binary files /dev/null and b/secrets/hosts/laptop/.rekey/a3fe8763891b7de6d9abcae5a166f745-forgejo-ssh-key.age differ 
diff --git a/secrets/hosts/work/.rekey/a3e27d220088df9084e07b44b361d309-forgejo-ssh-key.age b/secrets/hosts/work/.rekey/a3e27d220088df9084e07b44b361d309-forgejo-ssh-key.age new file mode 100644 index 0000000..bf23f68 Binary files /dev/null and b/secrets/hosts/work/.rekey/a3e27d220088df9084e07b44b361d309-forgejo-ssh-key.age differ