add forgejo microvm

2025-02-03 17:12:11 +00:00 · 2025-02-03 17:12:11 +00:00 · 20ac636eb8
commit 20ac636eb8
parent 9ebfe0c59b
9 changed files with 278 additions and 3 deletions
--- a/hosts/cloud/networking.nix
+++ b/hosts/cloud/networking.nix
@ -19,7 +19,9 @@
      networkConfig = {
        Address = [
          "188.245.196.27/32"
+          "116.202.5.66/32"
          "2a01:4f8:c17:7f8a::1/64"
+          "2a01:4f8:c17:7f8a::617/64"
        ];
        DNS = [
          "2a01:4ff:ff00::add:1"
--- a/hosts/cloud/proxy/default.nix
+++ b/hosts/cloud/proxy/default.nix
@ -6,6 +6,7 @@ in
  imports = [
    ./auth.nix
    ./dav.nix
+    ./git.nix
    ./immich.nix
    ./news.nix
  ];
@ -51,8 +52,7 @@ in
      # Prevent injection of code in other mime types (XSS Attacks)
      add_header X-Content-Type-Options nosniff;
    '';
-    # default vhost
- 
+
    virtualHosts."oxapentane.com" = {
      forceSSL = true;
      enableACME = true;
--- a/hosts/cloud/proxy/git.nix
+++ b/hosts/cloud/proxy/git.nix
@ -0,0 +1,68 @@
+{ ... }:
+{
+  # ssh config for forgejo
+  # need ip forward for nat
+  boot.kernel.sysctl = {
+    "net.ipv4.ip_forward" = 1;
+  };
+
+  networking.firewall = {
+    # open port explicitly
+    allowedTCPPorts = [ 22 ];
+    # git.oxapentane.com: port forward 22 to forgejo
+    # TODO do a proper thing with ipv6
+    extraCommands = ''
+      iptables -t nat -I PREROUTING -p tcp --dport 22 -d 116.202.5.66 -j DNAT --to-destination 10.89.88.15:2222
+      iptables ! -o lo -t nat -A POSTROUTING -j MASQUERADE
+    '';
+    extraStopCommands = ''
+      iptables -t nat -D PREROUTING -p tcp --dport 22 -d 116.202.5.66 -j DNAT --to-destination 10.89.88.15:2222 || true
+    '';
+  };
+  # host sshd: only listen on oxapentane.com and mgmt vpn
+  services.openssh.listenAddresses =
+    map
+      (a: {
+        addr = a;
+        port = 22;
+      })
+      [
+        # enp1s0
+        "188.245.196.27"
+        "2a01:4f8:c17:7f8a::1"
+        # wg-0xa-mgmt
+        "10.89.87.1"
+        "fd31:185d:722e::1"
+      ];
+
+  services.nginx.upstreams.forgejo = {
+    servers = {
+      "10.89.88.15:3000" = { };
+      "[fd31:185d:722f::15]:3000" = { };
+    };
+  };
+
+  services.nginx.virtualHosts."git.oxapentane.com" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://forgejo";
+      extraConfig = ''
+        client_max_body_size 50000M;
+
+        proxy_set_header Host              $host;
+        proxy_set_header X-Real-IP         $remote_addr;
+        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection "upgrade";
+
+        proxy_read_timeout 600s;
+        proxy_send_timeout 600s;
+        send_timeout 600s;
+      '';
+    };
+  };
+}