vps update

file sharing and forgejo
2026-03-13 00:19:07 -06:00 · 2026-03-13 00:19:07 -06:00 · ace2b38ec9
commit ace2b38ec9
parent 6f530b1d5d
11 changed files with 329 additions and 124 deletions
--- a/hosts/magus.nix
+++ b/hosts/magus.nix
@ -1,8 +1,5 @@
 {
-  config,
  pkgs,
-  lib,
-  inputs,
  modulesPath,
  ...
 }: {
@ -22,8 +19,9 @@
    ./modules/rust.nix
    ./modules/python.nix
    ./modules/go.nix
-    ./modules/ld.nix
-    ./modules/core.nix
+    ./modules/misc.nix
+    ./server/forgejo.nix
+    ./server/copyparty.nix
  ];
  system.stateVersion = "25.11";

@ -34,20 +32,10 @@

  programs.fish.enable = true;

-  npm.enable = true;
-
  environment.systemPackages = with pkgs; [
    xclip
    direnv
  ];
-  nix = {
-    gc = {
-      automatic = true;
-      dates = "weekly";
-      options = "--delete-older-than 30d";
-    };
-    settings.auto-optimise-store = true;
-  };
  services = {
    fstrim.enable = true;
    xserver.enable = false;
--- a/hosts/server/copyparty.nix
+++ b/hosts/server/copyparty.nix
@ -0,0 +1,64 @@
+{config, ...}: {
+  sops = {
+    defaultSopsFile = ../../secrets/secrets.yaml;
+    defaultSopsFormat = "yaml";
+    age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
+    secrets.copyparty = {
+      owner = "copyparty";
+    };
+  };
+  services.copyparty = {
+    enable = true;
+    settings = {
+      i = "127.0.0.1";
+      p = [3923];
+      e2dsa = true;
+      e2ts = true;
+      xff-src = "127.0.0.1";
+      og-ua = "(Discord|Twitter|Slack)bot";
+    };
+    accounts = {
+      admin.passwordFile = config.sops.secrets.copyparty.path;
+    };
+    volumes = {
+      "/" = {
+        path = "/srv/copyparty";
+        access = {
+          A = "admin";
+          g = "*";
+        };
+        flags = {
+          e2d = true;
+          dedup = true;
+        };
+      };
+    };
+  };
+  systemd.tmpfiles.rules = [
+    "d /srv/copyparty 0750 copyparty copyparty -"
+  ];
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    virtualHosts."share.monaie.ca" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:3923";
+        proxyWebsockets = true;
+        extraConfig = ''
+          client_max_body_size 0;
+          proxy_buffering off;
+          proxy_request_buffering off;
+          proxy_buffers 32 8k;
+          proxy_buffer_size 16k;
+          proxy_busy_buffers_size 24k;
+          proxy_set_header Connection "Keep-Alive";
+          proxy_read_timeout 36000s;
+          proxy_send_timeout 36000s;
+        '';
+      };
+    };
+  };
+}
--- a/hosts/server/filebrowser.nix
+++ b/hosts/server/filebrowser.nix
@ -0,0 +1,34 @@
+{...}: {
+  services.filebrowser = {
+    enable = true;
+    settings = {
+      address = "127.0.0.1";
+      port = 6767;
+      root = "/srv/filebrowser";
+      database = "/var/lib/filebrowser/filebrowser.db";
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /srv/filebrowser 0750 filebrowser filebrowser -"
+  ];
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts."share.monaie.ca" = {
+      forceSSL = true;
+      enableACME = true;
+
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:6767";
+        proxyWebsockets = true;
+        extraConfig = ''
+          client_max_body_size 0;
+        '';
+      };
+    };
+  };
+}
--- a/hosts/server/forgejo.nix
+++ b/hosts/server/forgejo.nix
@ -0,0 +1,79 @@
+{...}: let
+  domain = "git.monaie.ca";
+  port = 3000;
+in {
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = ["forgejo"];
+    ensureUsers = [
+      {
+        name = "forgejo";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  services.forgejo = {
+    enable = true;
+    database.type = "postgres";
+    lfs.enable = true;
+    settings = {
+      server = {
+        DOMAIN = domain;
+        ROOT_URL = "https://${domain}/";
+        HTTP_ADDR = "127.0.0.1";
+        HTTP_PORT = port;
+        SSH_DOMAIN = domain;
+      };
+      service = {
+        DISABLE_REGISTRATION = true;
+        REQUIRE_SIGNIN_VIEW = false;
+      };
+      session = {
+        PROVIDER = "redis";
+        PROVIDER_CONFIG = "network=unix,addr=/run/redis-forgejo/redis.sock,db=0,pool_size=100,idle_timeout=180";
+      };
+      cache = {
+        ADAPTER = "redis";
+        HOST = "network=unix,addr=/run/redis-forgejo/redis.sock,db=1,pool_size=100,idle_timeout=180";
+      };
+      queue = {
+        TYPE = "redis";
+        CONN_STR = "network=unix,addr=/run/redis-forgejo/redis.sock,db=2";
+      };
+      log.LEVEL = "Warn";
+      security.INSTALL_LOCK = true;
+      actions.ENABLED = false;
+    };
+  };
+
+  services.redis.servers.forgejo = {
+    enable = true;
+    port = 0;
+    unixSocket = "/run/redis-forgejo/redis.sock";
+    unixSocketPerm = 660;
+  };
+  users.users.forgejo.extraGroups = ["redis-forgejo"];
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
+    recommendedGzipSettings = true;
+    virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = "client_max_body_size 0M;";
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${toString port}";
+        proxyWebsockets = true;
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "riiidge.racer@gmail.com";
+  };
+}
--- a/hosts/server/networking.nix
+++ b/hosts/server/networking.nix
@ -1,8 +1,4 @@
-{
-  config,
-  lib,
-  ...
-}: {
+{...}: {
  networking = {
    hostName = "magus";
    useDHCP = false;
--- a/hosts/server/redis.nix
+++ b/hosts/server/redis.nix
@ -1,8 +1,4 @@
-{
-  config,
-  pkgs,
-  ...
-}: {
+{...}: {
  services.redis.servers."" = {
    enable = true;
    bind = "127.0.0.1";
--- a/hosts/server/security.nix
+++ b/hosts/server/security.nix
@ -1,8 +1,4 @@
-{
-  config,
-  pkgs,
-  ...
-}: {
+{pkgs, ...}: {
  services.openssh = {
    enable = true;
    ports = [8123];