john/dendritic
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: john/dendritic:main
Branches Tags
john/dendritic:main john/dendritic:wrappers john/dendritic:forgejo
...
compare: john/dendritic:bccb96a0b3cae3a67015a15790c7a14eb3b47c6e
Branches Tags
john/dendritic:wrappers john/dendritic:forgejo john/dendritic:main

13 Commits
main ... bccb96a0b3

Author SHA1 Message Date
John Lancaster bccb96a0b3 updated soteria settings 2026-04-04 12:26:05 -05:00
John Lancaster 44fd737afe reorg 2026-04-04 12:25:56 -05:00
John Lancaster 0854439bdf disabled TCP connections for postgres 2026-04-04 12:21:50 -05:00
John Lancaster ff70a35078 janus-ca pkg updates 2026-04-04 12:09:13 -05:00
John Lancaster b8b8a445f9 mTLS generate script improvements 2026-04-04 11:09:25 -05:00
John Lancaster 13a841c8db mtls optimizations 2026-04-04 10:44:37 -05:00
John Lancaster 6c26e898b2 improving renew script 2026-04-04 09:46:55 -05:00
John Lancaster 710f13ace4 renew script tweaks 2026-04-04 09:33:08 -05:00
John Lancaster 1a7a1189e7 privileged port permissions for https 2026-04-03 18:16:29 -05:00
John Lancaster ff74205c57 mtls file permissions 2026-04-03 18:16:12 -05:00
John Lancaster 32b7932916 script tweaks 2026-04-02 17:28:06 -05:00
John Lancaster f05a3af30d forgejo secrets 2026-04-02 17:24:32 -05:00
John Lancaster 3e84eb641f added forgejo secrets to soteria 2026-04-02 07:56:35 -05:00
5 changed files with 244 additions and 139 deletions
Expand all files Collapse all files
modules/features/forgejo.nix
+91 -33
View File
@@ -2,6 +2,7 @@
flake.modules.nixos.forgejo = {config, pkgs, lib, ... }:
let
cfg = config.forgejo;
needsPrivilegedPort = cfg.port < 1024;
in
{
options.forgejo = {
@@ -25,40 +26,97 @@
config = lib.mkIf cfg.enable {
networking.firewall.allowedTCPPorts = lib.optionals cfg.openFirewall [ cfg.port ];
services.forgejo = {
enable = true;
lfs.enable = true;
settings.server = lib.mkMerge [
{
HTTP_PORT = cfg.port;
DISABLE_SSH = true;
}
(lib.mkIf cfg.https {
ROOT_URL = "https://forgejo.john-stream.com";
PROTOCOL = "https";
COOKIE_SECURE = true;
KEY_FILE = config.mtls.keyFile;
CERT_FILE = config.mtls.certFile;
})
systemd.services.forgejo.serviceConfig = lib.mkIf needsPrivilegedPort {
AmbientCapabilities = [ "CAP_NET_BIND_SERVICE" ];
CapabilityBoundingSet = [ "CAP_NET_BIND_SERVICE" ];
PrivateUsers = lib.mkForce false;
};
sops.secrets = {
"forgejo/secret_key".owner = config.services.forgejo.user;
"forgejo/internal_token".owner = config.services.forgejo.user;
"forgejo/jwt_secret".owner = config.services.forgejo.user;
"forgejo/lfs_jwt_secret".owner = config.services.forgejo.user;
};
services = {
forgejo = {
enable = true;
lfs.enable = true;
database.type = "postgres";
settings = {
DEFAULT = {
RUN_MODE = "dev";
};
server = lib.mkMerge [
{
HTTP_PORT = cfg.port;
DISABLE_SSH = true;
ROOT_URL = "https://forgejo.john-stream.com";
}
(lib.mkIf cfg.https {
PROTOCOL = "https";
COOKIE_SECURE = true;
KEY_FILE = config.mtls.keyFile;
CERT_FILE = config.mtls.certFile;
})
];
repository = {
ENABLE_PUSH_CREATE_USER = true;
};
ui.SHOW_USER_EMAIL = false;
markup = {
ENABLED = true;
};
};
secrets = {
security = {
SECRET_KEY = lib.mkForce config.sops.secrets."forgejo/secret_key".path;
INTERNAL_TOKEN = lib.mkForce config.sops.secrets."forgejo/internal_token".path;
};
oauth2.JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/jwt_secret".path;
server.LFS_JWT_SECRET = lib.mkForce config.sops.secrets."forgejo/lfs_jwt_secret".path;
};
# dump = {
# enable = true;
# interval = "12h";
# };
};
postgresql = {
enable = true;
enableTCPIP = false;
};
};
environment.systemPackages =
let
systemctl = lib.getExe' pkgs.systemd "systemctl";
clean-forgejo = (pkgs.writeShellScriptBin "clean-forgejo" ''
set -e
sudo ${systemctl} stop forgejo.service
${lib.getExe' pkgs.coreutils "echo"} "Stopped Forgejo"
sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.forgejo.stateDir}
${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.forgejo.stateDir}"
'');
clean-postgres = (pkgs.writeShellScriptBin "clean-postgres" ''
set -e
sudo ${systemctl} stop postgresql.service
${lib.getExe' pkgs.coreutils "echo"} "Stopped PostgreSQL"
sudo ${lib.getExe' pkgs.coreutils "rm"} -rf ${config.services.postgresql.dataDir}
${lib.getExe' pkgs.coreutils "echo"} "Removed ${config.services.postgresql.dataDir}"
'');
in [
clean-forgejo
clean-postgres
(pkgs.writeShellScriptBin "clean-all" ''
set -e
${lib.getExe clean-forgejo}
${lib.getExe clean-postgres}
${lib.getExe' pkgs.coreutils "echo"} "Removed everything related to forgejo"
'')
];
database = {
type = "postgres";
port = config.services.postgresql.settings.port;
# createDatabase = false;
};
# dump = {
# enable = true;
# interval = "12h";
# };
};
services.postgresql = {
enable = true;
settings = {
};
};
};
};
}
modules/features/mtls.nix
+88 -72
View File
@@ -66,9 +66,9 @@ let
default = "root";
};
group = lib.mkOption {
description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user when null.";
description = "Group to run the mTLS renewal service as. Defaults to the configured renewal user.";
type = lib.types.nullOr lib.types.str;
default = null;
default = "mtls";
};
reloadUnits = lib.mkOption {
description = "systemd units to try-reload-or-restart after a successful certificate renewal.";
@@ -92,8 +92,13 @@ let
keyFile,
bundleFile,
lifetime,
user,
group,
}:
let
catCmd = lib.getExe' pkgs.coreutils "cat";
chownCmd = lib.getExe' pkgs.coreutils "chown";
chmodCmd = lib.getExe' pkgs.coreutils "chmod";
stepCmd = lib.getExe pkgs.step-cli;
sanArgs = lib.concatMapStringsSep " " (s: "--san \"${s}\"") san;
in
@@ -105,7 +110,10 @@ let
--provisioner ${provisioner} \
${sanArgs} \
"$@"
cat ${certFile} ${keyFile} > ${bundleFile}
(umask 077; ${catCmd} ${certFile} ${keyFile} > ${bundleFile})
${chownCmd} ${user}:${group} ${certFile} ${keyFile} ${bundleFile}
${chmodCmd} 640 ${certFile} ${keyFile} ${bundleFile}
printf '\033[32m\033[0m \033[1mmTLS Bundle:\033[0m %s\n' ${lib.escapeShellArg bundleFile}
'';
mkMtlsCheckScript = { pkgs, bundleFile }: pkgs.writeShellScriptBin "mtls-check" ''
@@ -117,75 +125,83 @@ let
mkMtlsRenewScript = {
pkgs,
certFile,
keyFile,
bundleFile,
reloadUnits ? [ ],
postCommands ? [ ],
cfg,
systemctlArgs ? [ ],
}:
let
catCmd = lib.getExe' pkgs.coreutils "cat";
echoCmd = lib.getExe' pkgs.coreutils "echo";
systemctl = lib.getExe' pkgs.systemd "systemctl";
escapedArgs = lib.escapeShellArgs systemctlArgs;
systemctlCommand = "${systemctl} ${escapedArgs}";
chownCmd = lib.getExe' pkgs.coreutils "chown";
chmodCmd = lib.getExe' pkgs.coreutils "chmod";
stepCmd = lib.getExe pkgs.step-cli;
systemctlCmd = "${lib.getExe' pkgs.systemd "systemctl"} ${lib.escapeShellArgs systemctlArgs}";
hasReloadUnits = cfg.renew.reloadUnits != [ ];
renewReloadScript = lib.concatMapStringsSep "\n" (unit: ''
if ${systemctlCommand} --quiet is-active "${unit}"; then
${systemctlCommand} try-reload-or-restart "${unit}"
if ${systemctlCmd} --quiet is-active "${unit}"; then
${systemctlCmd} try-reload-or-restart "${unit}"
fi
'') reloadUnits;
renewPostCommands = lib.concatStringsSep "\n" postCommands;
'') cfg.renew.reloadUnits;
hasPostCommands = cfg.renew.postCommands != [ ];
renewPostCommands = lib.concatStringsSep "\n" cfg.renew.postCommands;
fileOwner = "${cfg.renew.user}:${cfg.renew.group}";
in
pkgs.writeShellScriptBin "mtls-renew" ''
set -euo pipefail
if ${lib.getExe pkgs.step-cli} certificate needs-renewal "${certFile}"; then
${echoCmd} "Renewing mTLS certificate"
else
YELLOW_BANG="\e[33m!\e[0m"
force=0
while [[ $# -gt 0 ]]; do
case $1 in
--force)
force=1
shift
;;
*)
${echoCmd} -e "$YELLOW_BANG Warning: ignoring unrecognized argument '$1'"
exit 1
;;
esac
done
if [[ $force -eq 0 ]] && ! ${stepCmd} certificate needs-renewal "${cfg.certFile}"; then
${echoCmd} "Skipping renew"
exit "$?"
exit 0
fi
${lib.getExe pkgs.step-cli} ca renew --force "${certFile}" "${keyFile}"
${echoCmd} "Renewing mTLS certificate"
${stepCmd} ca renew --force "${cfg.certFile}" "${cfg.keyFile}"
(umask 077; ${catCmd} "${cfg.certFile}" "${cfg.keyFile}" > "${cfg.bundleFile}")
${chownCmd} ${fileOwner} ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
${chmodCmd} 640 ${cfg.certFile} ${cfg.keyFile} ${cfg.bundleFile}
umask 077
${lib.getExe' pkgs.coreutils "cat"} "${certFile}" "${keyFile}" > "${bundleFile}"
${echoCmd} "Reloading units:"
${lib.optionalString hasReloadUnits ''
${echoCmd} "Reloading units: ${lib.concatStringsSep ", " cfg.renew.reloadUnits}"
${renewReloadScript}
''}
${lib.optionalString hasPostCommands ''
${echoCmd} "Post commands:"
${renewPostCommands}
''}
'';
mkNixosMtlsRenewService = {
pkgs,
certFile,
keyFile,
bundleFile,
reloadUnits ? [ ],
postCommands ? [ ],
user ? "root",
group ? null,
}:
let
serviceGroup = if group == null then user else group;
renewScript = mkMtlsRenewScript {
inherit pkgs certFile keyFile bundleFile reloadUnits postCommands;
mkNixosMtlsRenewService = { pkgs, cfg, ... }:
{
description = "Renew the mTLS certificate when Smallstep marks it ready";
wantedBy = [ ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
User = cfg.renew.user;
Group = cfg.renew.group;
ExecStart = lib.getExe (mkMtlsRenewScript { inherit pkgs cfg; });
};
};
in
{
description = "Renew the mTLS certificate when Smallstep marks it ready";
wantedBy = [ ];
after = [ "network-online.target" ];
wants = [ "network-online.target" ];
serviceConfig = {
Type = "oneshot";
User = user;
Group = serviceGroup;
ExecStart = lib.getExe renewScript;
};
};
mkNixosMtlsRenewTimer = {
onCalendar,
@@ -203,17 +219,10 @@ let
};
};
mkHomeManagerMtlsRenewService = {
pkgs,
certFile,
keyFile,
bundleFile,
reloadUnits ? [ ],
postCommands ? [ ],
}:
mkHomeManagerMtlsRenewService = { pkgs, cfg, ... }:
let
renewScript = mkMtlsRenewScript {
inherit pkgs certFile keyFile bundleFile reloadUnits postCommands;
inherit pkgs cfg;
systemctlArgs = [ "--user" ];
};
in
@@ -263,28 +272,36 @@ in
type = lib.types.str;
default = "/etc/step-ca/certs";
};
certReaders = lib.mkOption {
description = "";
type = lib.types.listOf lib.types.str;
default = [ ];
};
};
config = lib.mkIf cfg.enable {
users.groups.certReaders = {
name = cfg.renew.group;
members = cfg.certReaders;
};
environment.systemPackages = with pkgs; lib.optionals cfg.enable [
# step-cli
(mkMtlsGenerateScript {
inherit pkgs;
inherit (cfg) subject provisioner san certFile keyFile bundleFile lifetime;
inherit (cfg.renew) user group;
})
(mkMtlsCheckScript { inherit pkgs; inherit (cfg) bundleFile; })
(mkMtlsRenewScript { inherit pkgs; inherit (cfg) certFile keyFile bundleFile; })
(mkMtlsRenewScript { inherit pkgs cfg; })
];
systemd.tmpfiles.rules = [
"d ${cfg.certDir} 0750 ${cfg.renew.user} ${if cfg.renew.group == null then cfg.renew.user else cfg.renew.group} -"
"d ${cfg.certDir} 0750 ${cfg.renew.user} ${cfg.renew.group} -"
];
systemd.services.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewService {
inherit pkgs;
inherit (cfg) certFile keyFile bundleFile;
inherit (cfg.renew) reloadUnits postCommands user group;
});
systemd.services.mtls-renew = lib.mkIf cfg.renew.enable
(mkNixosMtlsRenewService { inherit pkgs cfg; });
systemd.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkNixosMtlsRenewTimer {
inherit (cfg.renew) onCalendar randomizedDelaySec;
@@ -314,20 +331,19 @@ in
# step-cli
(mkMtlsGenerateScript {
inherit (cfg) subject provisioner san lifetime;
inherit (cfg.renew) user group;
inherit pkgs certFile keyFile bundleFile;
})
(mkMtlsCheckScript { inherit pkgs bundleFile; })
(mkMtlsRenewScript { inherit pkgs certFile keyFile bundleFile; })
(mkMtlsRenewScript { inherit pkgs cfg; systemctlArgs = [ "--user" ]; })
];
systemd.user.tmpfiles.rules = lib.mkIf cfg.enable [
"d ${cfg.certDir} 0700 - - -"
];
systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewService {
inherit pkgs certFile keyFile bundleFile;
inherit (cfg.renew) reloadUnits postCommands;
});
systemd.user.services.mtls-renew = lib.mkIf cfg.renew.enable
(mkHomeManagerMtlsRenewService { inherit pkgs cfg; });
systemd.user.timers.mtls-renew = lib.mkIf cfg.renew.enable (mkHomeManagerMtlsRenewTimer {
inherit (cfg.renew) onCalendar randomizedDelaySec;
modules/hosts/janus/default.nix
+29 -9
View File
@@ -9,25 +9,45 @@ in
flake.modules.nixos.janus-ca =
{ config, lib, ... }:
let
cfg = config.janus-ca;
johnHome = lib.attrByPath [ "users" "users" username "home" ] "/home/${username}" config;
johnGroup = lib.attrByPath [ "users" "users" username "group" ] username config;
cfgInEtc = lib.hasPrefix "/etc/" cfg.certDir;
certDirEtcPath =
if cfgInEtc then
lib.removePrefix "/etc/" cfg.certDir
else
cfg.certDir;
certRootEtcPath = "${certDirEtcPath}/root_ca.crt";
mkStepRules = home: user: group: [
"d ${home}/.step 0700 ${user} ${group} -"
"d ${home}/.step/config 0700 ${user} ${group} -"
"d ${home}/.step/certs 0700 ${user} ${group} -"
"L+ ${home}/.step/config/defaults.json - - - - /etc/step/config/defaults.json"
"L+ ${home}/.step/certs/root_ca.crt - - - - /etc/step/certs/root_ca.crt"
"L+ ${home}/.step/config/defaults.json - - - - /etc/step-ca/defaults.json"
"L+ ${home}/.step/certs/root_ca.crt - - - - ${cfg.certDir}/root_ca.crt"
];
in
{
environment.etc."step/config/defaults.json".text = builtins.toJSON {
inherit ca-url fingerprint;
root = "/etc/step-ca/certs/root_ca.crt";
options.janus-ca = {
certDir = lib.mkOption {
description = "String path to where the mtls certs will be stored.";
type = lib.types.str;
default = "/etc/step-ca/certs";
};
};
config = {
environment.etc = lib.mkIf cfgInEtc {
"step-ca/defaults.json".text = builtins.toJSON {
inherit ca-url fingerprint;
root = "/etc/${certRootEtcPath}";
};
"${certRootEtcPath}".source = ./root_ca.crt;
};
systemd.tmpfiles.rules =
mkStepRules johnHome username johnGroup
++ mkStepRules "/root" "root" "root";
};
environment.etc."step-ca/certs/root_ca.crt".source = ./root_ca.crt;
systemd.tmpfiles.rules =
mkStepRules johnHome username johnGroup
++ mkStepRules "/root" "root" "root";
};
flake.modules.homeManager.janus-ca = { config, ... }: {
modules/hosts/soteria/secrets.yaml
+11 -3
View File
@@ -1,5 +1,13 @@
janus:
admin_jwk: ENC[AES256_GCM,data:2XcN5X77wTQ+OUXa4C9xAErGvrwJKseHjCcgoj6jt+c=,iv:9x+M1wM0dYND1JYkJjM4N8pSOok2OF+P9vmm9NCumTI=,tag:dTCfh+KB1iRJBVoNsGqvuw==,type:str]
forgejo:
#ENC[AES256_GCM,data:/wtm0uXbiWFoGNWtlTzVuNxBR7CPm2FMB98t3AxSj5V5rltLvzF9BjgWoJCiX3ltzmU=,iv:xaZXbUIGJHxPrLRQzEQI7hgRgc0y061jIhoE3zlcMaA=,tag:fQGheCIdBKm6wE+vtj7g6A==,type:comment]
secret_key: ENC[AES256_GCM,data:/jcyeDcsryLqu9Q3VnNaENb71/Tl5JUr0zDzxt8L5UCtnJ/YHA6MKItrQ9ZHFv1XROtnSfZl9D5kKomeM8EVqA==,iv:HxMKAMVQ08gkq6SWENj0/d8i9PhcgPCp5eqbztj9bSg=,tag:nO2dFWT/vfgGc/9JIDZrGw==,type:str]
#ENC[AES256_GCM,data:TADqVsZwXpH/zfrXNclavH8Sv++jX081UjK/Mkys5x52gU5fU0ikk478EmwzeergsHpmxxon,iv:v9HsIsud+eiko7F0u622MBrTVDsIxlpqru0Viifvqow=,tag:FLgNTW0EcGhHT6iI9I6Bsg==,type:comment]
internal_token: ENC[AES256_GCM,data:7eZM+misgHZz1p6HH9VzCAPIIFjp2vT0kyc9B1KllE+x2URyrgs5IR9SZ+T5vNdMdnlNzF25pUhKzjbak8tVN554rYWp06SczzqhLyaoHKs8iGBohMqfJkoZxxIVSB7g7GC+/SAsb719,iv:XbBXqXh/PqjEcAj0qsajR7Ij56KGT/9Spdp5T549p9I=,tag:o4ONucOkIE2VJ6VjOlPb6w==,type:str]
#ENC[AES256_GCM,data:ZqwgnKjaolJtjcy287fnDOkb/oSLnBpfWfsTeVPwbIE8YLRSoPP4gbCnHJBLq+TJNNI=,iv:zTvw4ZS6C1ifUwOijNLuTfUQ3JM+5gj1X2f/s8MwWXc=,tag:Y1yKlL+jIRHVBulGlSErog==,type:comment]
jwt_secret: ENC[AES256_GCM,data:e59MlATOorsTIQjtTUKfX5Yo3CVsbbfuKczp1gh1m2D1kkZK3ORFztYpjg==,iv:JH3PVUmXToiThEKDkDJ8MGVMAPlIEgPSWhru+9WgNjk=,tag:FfDpaCPejpw6kGDkxJwDWw==,type:str]
lfs_jwt_secret: ENC[AES256_GCM,data:xi9PEKFUGRyc3YOg3JM3KrrENi9xsbeBjiz4R16SK5WDafoGFLazN6KRJQ==,iv:1IhPyQDwA8tZ22pfZJiU8TRTCLCHC/HAnKdmSGDfvcM=,tag:rLdREVSKBm67rt8ayN16Vw==,type:str]
sops:
age:
- recipient: age1ykcs39e62pz3xu6cedg8ea685kv5d5qsrhgkndygzm8rx30xd5ys5t3qxt
@@ -29,7 +37,7 @@ sops:
Yjd0MUcxcExvWVpCOUR3MkdZdGQyWUkKnru0Y2A98+0Mps7EtVK7ct3vPqIGveUt
E5fzpcKvdefzObrx7BPTwJ19t2fZg/dSi7HKwx3vmKZSzyQaqJOzsg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-03-29T22:44:20Z"
mac: ENC[AES256_GCM,data:f2QVZsCNZJIxnsWsBXVyD6JFSmsMktZqCXQWAJcLfSaojEld9CMu1rJjDyCbG3GPJStrMS20WZbtQvx7H6gosnkxXL401L8SwIoy/gNNEIx0qVLUneoEsuvjSTIiiUG7B2Y9lBKQ/kO/iKrJMURSke0wWWC1Ng5mUePfZ94FVTg=,iv:xOFeak0pjBt4iTFr9vt4cuA9WzFD/ipVThgulNOp100=,tag:YPLXK4RmQLa+ADl6DohmBQ==,type:str]
lastmodified: "2026-04-02T03:47:52Z"
mac: ENC[AES256_GCM,data:NvCF78rzYOv2Ulf3TLB4eKtYEqNkfSzPBPRXcpTTO9QoSH3axdapkhUzsSq2d30RV/F/PLMbMaERMgW1SFT0Uikvk0s5ALmwN29MMwA6BMyup5bzOQeOIxOoeYrKOeqCJdI3ZhtqV/ebvyTebVI7Q6Jw0QKf+9SW2RfYGFJkKF0=,iv:VSoGZkzSzI9SPnvrzyIgWgW/teRNiFlf5fdmHKVg2TE=,tag:qm/jUdQ63MdWUxBDJ9kxww==,type:str]
unencrypted_suffix: _unencrypted
version: 3.12.1
version: 3.12.2
modules/hosts/soteria/soteria.nix
+25 -22
View File
@@ -17,21 +17,8 @@ in
nixos.forgejo
# nixos.restic-server
# nixos.restic-envoy
({ pkgs, ... }: {
({ config, pkgs, ... }: {
networking.hostName = hostname;
mtls = {
enable = true;
subject = hostname;
san = [
"${hostname}.john-stream.com"
"192.168.1.142"
];
lifetime = "1h";
renew.onCalendar = "*:3/15";
renew.postCommands = [
"${lib.getExe pkgs.docker} restart envoy"
];
};
# Removes password for sudo
security.sudo-rs.extraRules = lib.mkAfter [
@@ -45,13 +32,31 @@ in
];
}
];
# nix.settings.build-dir = "/var/tmp/nix-build";
# systemd.tmpfiles.rules = [
# "d /var/tmp/nix-build 1777 root root -"
# ];
step-ssh-host = {
hostname = hostname;
users.users."${username}".extraGroups = [ "mtls" ];
mtls = {
enable = true;
certDir = config.janus-ca.certDir;
subject = hostname;
san = [
"${hostname}.john-stream.com"
# "192.168.1.142"
"forgejo.john-stream.com"
"192.168.1.244"
];
lifetime = "12h";
renew.onCalendar = "*:3/15";
renew.reloadUnits = [ "forgejo.service" ];
certReaders = [ config.services.forgejo.user "postgres" ];
};
forgejo = {
enable = true;
https = true;
port = 443;
};
step-ssh-host.hostname = hostname;
# This provides the secrets at install time
sops.defaultSopsFile = ./secrets.yaml;
@@ -66,8 +71,6 @@ in
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca
inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim
];
forgejo.enable = true;
})
];
};