feat: add renovate

feat(fail2ban): enable bantime increment
2024-09-18 15:43:28 +02:00 · 2024-09-17 22:02:02 +02:00
7 changed files with 69 additions and 3 deletions
--- a/config/network.nix
+++ b/config/network.nix
@ -2,7 +2,10 @@
  networking.firewall.enable = true;

  services = {
-    fail2ban.enable = true;
+    fail2ban = {
+      enable = true;
+      bantime-increment.enable = true;
+    };
    openssh = {
      enable = true;
      ports = [22];
--- a/config/secrets/secrets.nix
+++ b/config/secrets/secrets.nix
@ -36,6 +36,9 @@ in {

  "services/prometheus/minio-bearer-token.age".publicKeys = default;

+  "services/renovate/git-private-key.age".publicKeys = default;
+  "services/renovate/token.age".publicKeys = default;
+
  "services/wakapi/password-salt.env.age".publicKeys = default;

  "system/password-root.age".publicKeys = default;
--- a/config/secrets/services/renovate/git-private-key.age
+++ b/config/secrets/services/renovate/git-private-key.age
--- a/config/secrets/services/renovate/token.age
+++ b/config/secrets/services/renovate/token.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> piv-p256 ML6NcA Ao9/TS4lWCYUOERyHoTh6GgOQ6OPPOjITxq+VJoVirJ+
+cHPtNKHVure5Gc8FDjtk8GDq8iFTK7RqwhK9LKGSSag
+-> ssh-ed25519 zj2A2A CpogQj8V/F4OZFq0m6Iptr2N5/ekc5HQbFnp/59eVV8
+8U3QBr107hm0BG8X0eEf0aD9wSeCoLDcEMdH1FJDu58
+--- aku/Nskd2GKHFtL8C/hMJvPOiGQkrPDKOPsrPPc575o
+ÅpV÷8ß¨ÑùŠ‚Ç²IþË¹‡Ð â•ºÈˆ½‹wYo€˜uv+Ók‰<>¡a4Oü™´1¾Ó¥q{¸Gš<47>gÈ7ÊÛ
--- a/config/services/default.nix
+++ b/config/services/default.nix
@ -11,6 +11,7 @@
    ./nextcloud.nix
    ./nginx.nix
    ./postgres.nix
+    ./renovate.nix
    ./wakapi.nix
    ./website
  ];
--- a/config/services/forgejo.nix
+++ b/config/services/forgejo.nix
@ -61,7 +61,15 @@ in {
        ENABLED_ISSUE_BY_LABEL = true;
      };

-      repository.ENABLE_PUSH_CREATE_USER = true;
+      repository = {
+        ENABLE_PUSH_CREATE_USER = true;
+      };
+
+      "repository.signing" = {
+        SIGNING_KEY = "040C2D69C44F7B38065208FCCEED88FF3F03801B";
+        SIGNING_NAME = "winston's Forgejo";
+        SIGNING_EMAIL = "code@winston.sh";
+      };

      server = rec {
        DOMAIN = "code.winston.sh";
@ -93,7 +101,9 @@ in {
        MINIO_USE_SSL = true;
      };

-      "ui.meta".AUTHOR = "nekowinston's Forgejo - Beyond coding. We forge.";
+      "ui.meta" = {
+        AUTHOR = "nekowinston's Forgejo - Beyond coding. We forge.";
+      };

      other = {
        SHOW_FOOTER_VERSION = false;
--- a/config/services/renovate.nix
+++ b/config/services/renovate.nix
@ -0,0 +1,42 @@
+{
+  config,
+  inputs,
+  pkgs,
+  ...
+}: {
+  imports = ["${inputs.nixpkgs-unstable}/nixos/modules/services/misc/renovate.nix"];
+
+  services.renovate = {
+    enable = true;
+    # N.B.: only needs to be specified while pulling the module from unstable
+    package = pkgs.unstable.renovate;
+
+    schedule = "hourly";
+
+    runtimePackages = with pkgs; [
+      # for nix lockfile maintenance
+      nix
+    ];
+
+    settings = {
+      endpoint = "https://${config.services.forgejo.settings.server.DOMAIN}";
+      platform = "gitea";
+      gitAuthor = "renovate[bot] <renovate@winston.sh>";
+      autodiscover = true;
+      autodiscoverTopics = ["managed-by-renovate"];
+
+      # performance
+      cachePrivatePackages = true;
+      repositoryCache = "enabled";
+
+      # experimental
+      osvVulnerabilityAlerts = true;
+    };
+    credentials = {
+      # can reuse the GHCR token to read changelogs
+      GITHUB_COM_TOKEN = config.age.secrets."containers/ghcr-token".path;
+      RENOVATE_GIT_PRIVATE_KEY = config.age.secrets."services/renovate/git-private-key".path;
+      RENOVATE_TOKEN = config.age.secrets."services/renovate/token".path;
+    };
+  };
+}
Author	SHA1	Message	Date
winston	334a41619a	feat: add renovate	2024-09-18 15:43:28 +02:00
winston	62147d93c9	feat(fail2ban): enable bantime increment	2024-09-17 22:02:02 +02:00