Compare commits
2 commits
f5d4d16c03
...
334a41619a
Author | SHA1 | Date | |
---|---|---|---|
334a41619a | |||
62147d93c9 |
7 changed files with 69 additions and 3 deletions
|
@ -2,7 +2,10 @@
|
||||||
networking.firewall.enable = true;
|
networking.firewall.enable = true;
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
fail2ban.enable = true;
|
fail2ban = {
|
||||||
|
enable = true;
|
||||||
|
bantime-increment.enable = true;
|
||||||
|
};
|
||||||
openssh = {
|
openssh = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ports = [22];
|
ports = [22];
|
||||||
|
|
|
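Review bot: `bantime-increment.enable = true;` on the new side turns on escalating bans but leaves the growth factor and ceiling at fail2ban's defaults, so the effective policy is invisible from this file; either pin them (`bantime-increment.maxtime`, `bantime-increment.factor`) or add a comment such as `# repeat offenders get exponentially longer bans; factor/maxtime left at fail2ban defaults`. Which jails the increment applies to is not in the hunk, so whether the sshd listener on `ports = [22];` is actually covered cannot be confirmed here; a one-line comment naming the active jails would settle that. The page does not show this file's name, and the enclosing attrset starts before the hunk.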
@ -36,6 +36,9 @@ in {
|
||||||
|
|
||||||
"services/prometheus/minio-bearer-token.age".publicKeys = default;
|
"services/prometheus/minio-bearer-token.age".publicKeys = default;
|
||||||
|
|
||||||
|
"services/renovate/git-private-key.age".publicKeys = default;
|
||||||
|
"services/renovate/token.age".publicKeys = default;
|
||||||
|
|
||||||
"services/wakapi/password-salt.env.age".publicKeys = default;
|
"services/wakapi/password-salt.env.age".publicKeys = default;
|
||||||
|
|
||||||
"system/password-root.age".publicKeys = default;
|
"system/password-root.age".publicKeys = default;
|
||||||
|
|
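Review bot: Both new entries, `"services/renovate/git-private-key.age".publicKeys = default;` and `"services/renovate/token.age".publicKeys = default;`, encrypt the Renovate credentials to the whole `default` recipient set; if `default` spans more than the host that runs the service, that is wider than the single consumer needs, and a narrower recipient list for these two would keep the git key and API token readable only where they are used. `default` is bound outside the hunk (the `in {` in the header), so its contents cannot be checked from here. A comment like `# consumed only by config/services/renovate.nix` would at least record the intended consumer next to the entries.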
BIN
config/secrets/services/renovate/git-private-key.age
Normal file
BIN
config/secrets/services/renovate/git-private-key.age
Normal file
Binary file not shown.
7
config/secrets/services/renovate/token.age
Normal file
7
config/secrets/services/renovate/token.age
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
age-encryption.org/v1
|
||||||
|
-> piv-p256 ML6NcA Ao9/TS4lWCYUOERyHoTh6GgOQ6OPPOjITxq+VJoVirJ+
|
||||||
|
cHPtNKHVure5Gc8FDjtk8GDq8iFTK7RqwhK9LKGSSag
|
||||||
|
-> ssh-ed25519 zj2A2A CpogQj8V/F4OZFq0m6Iptr2N5/ekc5HQbFnp/59eVV8
|
||||||
|
8U3QBr107hm0BG8X0eEf0aD9wSeCoLDcEMdH1FJDu58
|
||||||
|
--- aku/Nskd2GKHFtL8C/hMJvPOiGQkrPDKOPsrPPc575o
|
||||||
|
ÅpV÷8ߨÑùŠ‚DzIþ˹‡Ð ╺Ȉ½‹wYo€˜uv+Ók‰<>¡a4Oü™´1¾Ó¥q{¸Gš<47>gÈ7ÊÛ
|
|
@ -11,6 +11,7 @@
|
||||||
./nextcloud.nix
|
./nextcloud.nix
|
||||||
./nginx.nix
|
./nginx.nix
|
||||||
./postgres.nix
|
./postgres.nix
|
||||||
|
./renovate.nix
|
||||||
./wakapi.nix
|
./wakapi.nix
|
||||||
./website
|
./website
|
||||||
];
|
];
|
||||||
|
|
|
@ -61,7 +61,15 @@ in {
|
||||||
ENABLED_ISSUE_BY_LABEL = true;
|
ENABLED_ISSUE_BY_LABEL = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
repository.ENABLE_PUSH_CREATE_USER = true;
|
repository = {
|
||||||
|
ENABLE_PUSH_CREATE_USER = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
"repository.signing" = {
|
||||||
|
SIGNING_KEY = "040C2D69C44F7B38065208FCCEED88FF3F03801B";
|
||||||
|
SIGNING_NAME = "winston's Forgejo";
|
||||||
|
SIGNING_EMAIL = "code@winston.sh";
|
||||||
|
};
|
||||||
|
|
||||||
server = rec {
|
server = rec {
|
||||||
DOMAIN = "code.winston.sh";
|
DOMAIN = "code.winston.sh";
|
||||||
|
@ -93,7 +101,9 @@ in {
|
||||||
MINIO_USE_SSL = true;
|
MINIO_USE_SSL = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
"ui.meta".AUTHOR = "nekowinston's Forgejo - Beyond coding. We forge.";
|
"ui.meta" = {
|
||||||
|
AUTHOR = "nekowinston's Forgejo - Beyond coding. We forge.";
|
||||||
|
};
|
||||||
|
|
||||||
other = {
|
other = {
|
||||||
SHOW_FOOTER_VERSION = false;
|
SHOW_FOOTER_VERSION = false;
|
||||||
|
|
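Review bot: The new `"repository.signing"` block sets `SIGNING_KEY = "040C2D69C44F7B38065208FCCEED88FF3F03801B";`, but nothing in this commit provisions the matching private key into the Forgejo service user's keyring, which the signing feature needs at runtime; if that is done elsewhere (a secret, an imperative step), a comment such as `# private key must be present in the forgejo user's gpg keyring; provisioned via <mechanism>` would save the next reader the hunt. The section's other knobs that decide which operations get signed (`INITIAL_COMMIT`, `CRUD_ACTIONS`, `WIKI`, `MERGES`) are left at defaults here, which is fine, but a comment saying so would make the intended coverage explicit. The same applies to the restructured `repository = { ... };` and `"ui.meta" = { ... };` blocks in this section: purely structural, no behaviour change to note. The enclosing `settings` attrset starts before the first hunk.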
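--- /dev/null
+++ b/config/services/renovate.nix
@@ -0,0 +1,42 @@
+{
+config,
+inputs,
+pkgs,
+...
+}: {
+imports = ["${inputs.nixpkgs-unstable}/nixos/modules/services/misc/renovate.nix"];
+
+services.renovate = {
+enable = true;
+# N.B.: only needs to be specified while pulling the module from unstable
+package = pkgs.unstable.renovate;
+
+schedule = "hourly";
+
+runtimePackages = with pkgs; [
+# for nix lockfile maintenance
+nix
+];
+
+settings = {
+endpoint = "https://${config.services.forgejo.settings.server.DOMAIN}";
+platform = "gitea";
+gitAuthor = "renovate[bot] <renovate@winston.sh>";
+autodiscover = true;
+autodiscoverTopics = ["managed-by-renovate"];
+
+# performance
+cachePrivatePackages = true;
+repositoryCache = "enabled";
+
+# experimental
+osvVulnerabilityAlerts = true;
+};
+credentials = {
+# can reuse the GHCR token to read changelogs
+GITHUB_COM_TOKEN = config.age.secrets."containers/ghcr-token".path;
+RENOVATE_GIT_PRIVATE_KEY = config.age.secrets."services/renovate/git-private-key".path;
+RENOVATE_TOKEN = config.age.secrets."services/renovate/token".path;
+};
+};
+}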
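Review bot: `GITHUB_COM_TOKEN = config.age.secrets."containers/ghcr-token".path;` hands the Renovate process a credential that was issued for container-registry access, while fetching changelogs from github.com needs only read access to public repositories; a separate read-only token would keep the registry scope out of this service (the token's actual scopes are not visible here), and the existing comment could then read `# read-only github token; changelog fetching needs no package scope`. `endpoint` is set to the Forgejo site root, whereas Renovate's Gitea platform is normally pointed at the API base (`.../api/v1`); if the NixOS module does not append that itself, the value may need the suffix, so the first run's log is worth checking. `autodiscover = true;` is bounded by `autodiscoverTopics = ["managed-by-renovate"];`, so only repositories that opt in via that topic are touched, which is a sensible default for an instance-wide bot.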