nixos/services: add gitea server

nixos/services: add nginx base configuration
nixos/networking: add own fqdn to extraHosts
2026-05-04 01:42:02 +02:00 · 2026-05-04 01:42:02 +02:00 · 2026-05-04 01:42:02 +02:00 · 2026-05-04 01:42:02 +02:00 · 2026-05-04 01:42:02 +02:00 · 2026-05-04 01:41:59 +02:00
12 changed files with 167 additions and 36 deletions
@@ -1,4 +1,8 @@
 {
  error = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
-  javalsai = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCufzCHLqMfuHpKKisd9Y+3l6hudbQQyaHg1lgQs5XEO58f0dIoUK3gc8iVO6dGGeY5q2o0cDcildHiT0PYc96rq7WJLCY00mAuclEuhmRSPjsei2IT3rWTawIheD2tWq+vAQjIBKibYWnVYwNOsbR3Zz1uKG/LNqqDnyYO/t4iMmhO1qcl6j8dRVBtzWYu3TnTrwx45sj54Y9hqZZiwB1xlzhHznSw6YPOe51hUO/yUtXKF2FCyfG7LHELZBMXkPQD6h4mDu+QNPN2D5RGd+Q5WzHcXcrXH/DvogVW6g3YGpBjTNKllCjGJYdYgjcjzQOS3I8ZOL6CUQzcZt2QwO3P42s4cjGzBwIub2zFnMOCyGgbKCYh3G7KKcde9qAX0yl8k+XNPIletJAV7pDrivzmgRLdy3iWud+q8TytkDLhcd/7g+pE6FE8y3IbejwXGNUn8CXJOKWH5zk0MVWSpNqz+6rlV43iPb4yuO7TFVnzuw/wKyOoc8RlFGEb/XLXwPs=";
+  javalsai = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
+  max = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
+
+  vectorum = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCwfPaylCSN7ZqB6Trz8CmQlyzf0NUIy06uschdIOkdzjUNe/dPGbyEFZy/4SDBhg585x8hwfhfYjLGrneYq+O42DBDTDKxduWnIdl5zgPRqt7jB59jkukf9WUdpUdZsKCM5K97HCnizNEKGRnYllVPVQSapPhOm5dZlUD9YVv1UqbDuxtWOLvArkL52e9T+yL6FagRg6NPqA70MXPMk+S2H7lotFVxP2Eg//BCaQ0/H1vhNy6P4N6LLq3sVK1DSJyd2v8zHkdb2Zo0/Ygukol10KizSsEcihm8+bXp699uSgWIsaIQgDZlE1yx2iabmzQST1kL9+USnZZBZ+KxwtLCCI8mpCv6sxlhq2Zzim5HvsyMYM+zdHWIn1s2c6mEl4ntBAB4s5wAggS5Gjh/BfJLSvGsTFMC/XYX4gWFXynY5NlcopeENL2Afg4gbQvKkxYkWB/TMZWuqj5c5kCy+7F0881DpYxapq6kQ6IE4gkGiEQdhVFGWEFoV/k9iHrl6aanqvFtvuBHHgkXAGPpHAZDVZdp9lU0tqNQIM/eGINq4Or6wd9XDYyj5ezDEBxx1pPgweUDZrNe9+vKR+3AwbzB/XQPxTCcjd4d7Yx58jPLflFP1dDYT+3bvp+vA7UpHcJnISbVNu0SiSaIqLYhwDj1od5l6JDfRCqnMF1T59nRCQ==";
+  pickzelle = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPUYQUWoL8iGc+PSrRrHyNwcOcmgGwPvJAM9HRJkPqcW pixel@DOOM-Machine";
 }
@@ -4,6 +4,7 @@
  lib,
  pkgs,
  self,
+  config,
  ...
 }:
 let
@@ -92,13 +93,23 @@ in
  networking = {
    networkmanager.enable = true;

-    firewall = {
-      enable = true;
+    firewall.enable = true;

-      allowedTCPPorts = [
-        22
-      ];
-    };
+    extraHosts =
+      let
+        subdomains = [ "" ".git" ];
+      in
+      builtins.foldl' (
+        hosts-acc: domain-prefix:
+        let
+          host = "${domain-prefix}${config.networking.fqdn}";
+        in
+        hosts-acc
+        + ''
+          127.0.0.1 ${host}
+          ::1 ${host}
+        ''
+      ) "" subdomains;
  };

  virtualisation.podman.enable = true;
@@ -31,5 +31,7 @@ in
 {
  flake.nixosConfigurations = {
    tuxcord-ca = mkSystem "tuxcord-ca" "x86_64-linux";
+
+    tuxcord-test = mkSystem "tuxcord-test" "x86_64-linux";
  };
 }
@@ -4,5 +4,6 @@
    ./storage.nix
  ];

+  networking.fqdn = "tuxcord.net";
  time.timeZone = "Canada/Eastern";
 }
@@ -0,0 +1,3 @@
+{
+  networking.fqdn = "tuxcord.test";
+}
@@ -1,9 +1,11 @@
 {
  imports = [
    ./fail2ban.nix
-    ./sysctl.nix
+    ./gitea.nix
    ./host.nix
+    ./nginx.nix
    ./snapper.nix
    ./substituters.nix
+    ./sysctl.nix
  ];
 }
@@ -0,0 +1,27 @@
+{ config, lib, ... }:
+{
+  services.gitea = {
+    enable = true;
+
+    appName = "Tuxcord's Gitea";
+    database.type = "mysql";
+
+    lfs.enable = true;
+
+    settings.server.DOMAIN = config.networking.fqdn;
+    # settings.server.ROOT_URL = "https://git.tuxcord.net/"; ? would also depend on ssl status
+    settings.server.HTTP_PORT = 3000;
+
+    settings.service.DISABLE_REGISTRATION = true;
+    settings.service.REQUIRE_SIGNIN_VIEW = false;
+
+    settings.repository.ENABLE_PUSH_CREATE_USER = true;
+    settings.repository.ENABLE_PUSH_CREATE_ORG = true;
+    settings.repository.DEFAULT_BRANCH = "main";
+
+    # settings.ui.DEFAULT_THEME = "...";
+
+    # TODO: once we have email setup this would be nice
+    settings.mailer.ENABLED = true;
+  };
+}
@@ -0,0 +1,41 @@
+{ config, ... }:
+let
+  inherit (config.networking) fqdn;
+
+  mkVhost =
+    attrs:
+    {
+      forceSSL = false; # TODO: tweak per host
+    }
+    // attrs;
+
+  mkProxy = port: {
+    proxyPass = "http://127.0.0.1:${toString port}/";
+  };
+in
+{
+  services.nginx = {
+    enable = true;
+
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    recommendedGzipSettings = true;
+    recommendedOptimisation = true;
+
+    # services.nginx.virtualHosts."${fqdn}" = {
+    #   addSSL = true;
+    #   root = "/var/www/myhost.org";
+    #   default = true;
+    # };
+
+    virtualHosts."git.${fqdn}" = mkVhost {
+      locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    80
+    443
+  ];
+}
@@ -1,17 +1,15 @@
-{ self, ... }:
 {
  services.openssh = {
    enable = true;

    settings = {
      ClientAliveInterval = 300;
+
      KbdInteractiveAuthentication = false;
      PasswordAuthentication = false;
      PermitRootLogin = "no";
    };
  };

-  users.users.root.openssh.authorizedKeys.keys = builtins.attrValues {
-    inherit (import "${self}/lib/ssh/keys.nix") error javalsai;
-  };
+  networking.firewall.allowedTCPPorts = [ 22 ];
 }
@@ -16,6 +16,9 @@ let
    {
      name = "vectorum";
    }
+    {
+      name = "pickzelle";
+    }
  ];

  adminGroups = [
@@ -27,32 +30,41 @@ let
    "wheel"
  ];

-  mkUser = name: uid: options: {
-    users.users.${name} = {
-      isNormalUser = true;
-      extraGroups = lib.optionals (options.admin or false) adminGroups;
-      inherit uid;
+  getSSHKeys =
+    username:
+    let
+      sshKeys = import "${self}/lib/ssh/keys.nix";
+    in
+    if (builtins.hasAttr username sshKeys) then
+      lib.lists.toList sshKeys.${username}
+    else
+      lib.warn "user ${username} declared without ssh key" [ ];

-      openssh.authorizedKeys.keys =
-        let
-          keys = import "${self}/lib/ssh/keys.nix";
-        in
-        if (builtins.hasAttr name keys) then
-          [ keys.${name} ]
-        else
-          lib.warn "user ${name} declared without ssh key" [ ];
-    };
+  mkUser =
+    name: uid: options:
+    let
+      admin = options.admin or false;

-    systemd.slices."user-${builtins.toString uid}".sliceConfig = {
-      CPUQuota = "50%";
-      CPUWeight = "10";
-      IOAccounting = true;
-      IOWeight = "10";
-      MemoryMax = "2G";
-      MemorySwapMax = "1G";
-      TasksMax = "100";
+    in
+    {
+      users.users.${name} = {
+        isNormalUser = true;
+        extraGroups = lib.optionals admin adminGroups;
+        inherit uid;
+
+        openssh.authorizedKeys.keys = getSSHKeys name;
+      };
+
+      systemd.slices."user-${builtins.toString uid}".sliceConfig = {
+        CPUQuota = "50%";
+        CPUWeight = "10";
+        IOAccounting = true;
+        IOWeight = "10";
+        MemoryMax = "2G";
+        MemorySwapMax = "1G";
+        TasksMax = "100";
+      };
    };
-  };
 in
 lib.recursiveUpdate
  (builtins.foldl'
@@ -67,5 +79,11 @@ lib.recursiveUpdate
    users
  ).options
  {
-    users.users.root.initialPassword = "tuxcord";
+    users.users.root = {
+      initialPassword = "tuxcord";
+
+      openssh.authorizedKeys.keys = lib.lists.concatLists (
+        map (user: getSSHKeys user.name) (builtins.filter (user: user.options.admin or false) users)
+      );
+    };
  }
@@ -1,8 +1,14 @@
+{ lib, ... }:
 {
  virtualisation.vmVariant.virtualisation = {
    cores = 2;
    diskSize = 8192;
    graphics = false;
    memorySize = 4096;
+
+    qemu.networkingOptions = lib.mkForce [
+      "-nic bridge,br=virbr0,id=hn0,model=virt-net-pci,helper=\${QEMU_BRIDGE_HELPER_PATH}"
+      "-device virtio-net-pci,netdev=hn0,id=nic1,\${QEMU_NET_OPTS:+,$QEMU_NET_OPTS}"
+    ];
  };
 }
@@ -5,6 +5,24 @@
    {
      devShells.default = pkgs.mkShell {
        name = "configuration.nix";
+
+        shellHook = ''
+          for path in \
+            /usr/lib/qemu/qemu-bridge-helper \
+            /run/wrappers/bin/qemu-bridge-helper
+          do
+            if [ -x "$path" ]; then
+              export QEMU_BRIDGE_HELPER_PATH="$path"
+              break
+            fi
+          done
+
+          if [ -z "$QEMU_BRIDGE_HELPER_PATH" ]; then
+            printf "\033[1;33m%s\033[0m\n" \
+              "WARN: 'qemu-bridge-helper' not found, make sure it is installed and the nix shell hook is looking for it" >&2
+          fi
+        '';
+
        packages = with pkgs; [
          bat
          cachix
Author	SHA1	Message	Date
javalsai	2137529066	nixos/services: add gitea server Check / Nix flake (push) Failing after 10s Details Lint / Nix expressions (push) Failing after 11s Details	2026-05-04 01:42:02 +02:00
javalsai	b393d9b591	nixos/services: add nginx base configuration	2026-05-04 01:42:02 +02:00
javalsai	7921d6db61	nixos/networking: add own fqdn to extraHosts	2026-05-04 01:42:02 +02:00
javalsai	6cc9f8e3d0	nixos/hosts: add tuxcord-vm host configuration	2026-05-04 01:42:02 +02:00
ErrorNoInternet	3c5e671d44	nixos: separate openssh firewall port	2026-05-04 01:42:02 +02:00
javalsai	897096830c	lib/ssh: add more ssh keys	2026-05-04 01:41:59 +02:00
javalsai	be40620840	nixos/vm: enable qemu network bridge	2026-05-04 01:41:18 +02:00