# NixOS module for the git hosting server: one `git` account reachable over
# SSH, a cgit web front end served by nginx, and ACME-issued TLS for the vhost.
# Base system settings are expected to live in ./bootstrap.nix.
{
  config,
  modulesPath,
  lib,
  pkgs,
  ...
}@args:
{
  imports = [ ./bootstrap.nix ];

  users = {
    # Accounts are fully declarative: users/groups not defined here are removed
    # on activation, and passwords/keys cannot be changed out of band.
    mutableUsers = false;

    users.git = {
      isNormalUser = true;
      group = "git";
      # Repository root. Mode 750 means only `git` and members of group `git`
      # (see groups.git below) can read the repositories.
      home = "/var/git";
      createHome = true;
      homeMode = "750";
      description = "Git repository hosting user";
      packages = [ pkgs.git ];
      # Public key permitted to authenticate as `git` over SSH.
      # NOTE(review): no `shell` is set, so this account gets the system default
      # login shell. If the key is only ever used for push/fetch, pointing
      # `shell` at git-shell (shipped with pkgs.git) would limit what a holder of
      # the key can run — confirm against how new repositories get created first.
      openssh.authorizedKeys.keys = [
        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINPtvI9cG6YLKUWY3R4vg/ky2wAV0izTAkMgWiOS8Tzr him@jakezerrer.com"
      ];
    };

    # The cgit service user joins the `git` group so it can read /var/git
    # through the group bit of the 750 mode above; it gets no write access.
    groups.git.members = [ "cgit" ];
  };

  # Ensure the repository root exists with the intended owner/mode at boot, and
  # recursively (Z) re-assert git:git ownership on everything under it while
  # leaving existing file modes alone (the `-` field).
  systemd.tmpfiles.rules = [
    "d /var/git 0750 git git -"
    "Z /var/git - git git -"
  ];

  # sops-nix: secrets are decrypted with an age identity derived from the host's
  # SSH ed25519 key, so only this machine can read them. No secrets are declared yet.
  sops.defaultSopsFile = ./secrets/secrets.yaml;
  sops.defaultSopsFormat = "yaml";
  sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
  sops.secrets = { };

  # mkForce replaces, rather than merges with, any allowedTCPPorts contributed by
  # other modules (e.g. bootstrap.nix): only SSH, HTTP and HTTPS end up open.
  networking.firewall.allowedTCPPorts = lib.mkForce [
    22
    80
    443
  ];

  services = {
    cgit.main = {
      enable = true;

      # Mounted at the root of the git vhost; nginx itself is configured below.
      nginx.virtualHost = "git.jakezerrer.com";
      nginx.location = "/";

      # Every repository found under the git user's home is published.
      scanPath = "/var/git";

      settings = {
        root-title = "jake's git host";
        # Lets each repository's own git config (cgit.* keys) set per-repo
        # display options, so whoever can write a repo controls its cgit metadata.
        enable-git-config = true;
        source-filter = "${pkgs.cgit}/lib/cgit/filters/syntax-highlighting.py";
        # Do not show the owner column on the index page.
        enable-index-owner = false;
      };
    };

    nginx = {
      enable = true;

      # TLS via ACME; plaintext HTTP requests are redirected to HTTPS.
      virtualHosts."git.jakezerrer.com" = {
        enableACME = true;
        forceSSL = true;
      };
    };
  };

  security.acme = {
    acceptTerms = true;
    defaults.email = "him@jakezerrer.com";
  };
}