Compare commits
2 commits
f5d4d16c03
...
334a41619a
Author | SHA1 | Date | |
---|---|---|---|
334a41619a | |||
62147d93c9 |
7 changed files with 69 additions and 3 deletions
|
@ -2,7 +2,10 @@
|
|||
networking.firewall.enable = true;
|
||||
|
||||
services = {
|
||||
fail2ban.enable = true;
|
||||
fail2ban = {
|
||||
enable = true;
|
||||
bantime-increment.enable = true;
|
||||
};
|
||||
openssh = {
|
||||
enable = true;
|
||||
ports = [22];
|
||||
|
|
|
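Review bot: The `openssh = {` set opened at L38 runs past the end of this hunk, so it is not visible whether password logins or root login are turned off; with sshd listening on `ports = [22]` (and the module opening that port in the firewall unless `openFirewall` is overridden), the new `bantime-increment.enable = true;` only slows down credential guessing rather than removing the attack surface. If they are not already set further down in that block, `settings.PasswordAuthentication = false;` and `settings.PermitRootLogin = "no";` would make the fail2ban change a second layer instead of the first one. A one-line comment above `fail2ban = {`, such as `# escalating ban times for repeat offenders; key-only auth is enforced in the openssh block below`, would also document the intent of the restructuring.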
@ -36,6 +36,9 @@ in {
|
|||
|
||||
"services/prometheus/minio-bearer-token.age".publicKeys = default;
|
||||
|
||||
"services/renovate/git-private-key.age".publicKeys = default;
|
||||
"services/renovate/token.age".publicKeys = default;
|
||||
|
||||
"services/wakapi/password-salt.env.age".publicKeys = default;
|
||||
|
||||
"system/password-root.age".publicKeys = default;
|
||||
|
|
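Review bot: Both new Renovate secrets at L60 and L63 are declared with `publicKeys = default;`, the same recipient set as every other secret in this file, so the git signing/push key and the Forgejo token can be decrypted by whatever `default` expands to (its definition is outside this hunk). If `default` is the union of all hosts' keys, a narrower list containing only the host that runs `services.renovate` would limit exposure of a key that can push to repositories; something like `"services/renovate/git-private-key.age".publicKeys = [ <renovate-host-key> ];` with the host key from the existing key definitions above. The enclosing attribute set starts before this hunk.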
BIN
config/secrets/services/renovate/git-private-key.age
Normal file
BIN
config/secrets/services/renovate/git-private-key.age
Normal file
Binary file not shown.
7
config/secrets/services/renovate/token.age
Normal file
7
config/secrets/services/renovate/token.age
Normal file
|
@ -0,0 +1,7 @@
|
|||
age-encryption.org/v1
|
||||
-> piv-p256 ML6NcA Ao9/TS4lWCYUOERyHoTh6GgOQ6OPPOjITxq+VJoVirJ+
|
||||
cHPtNKHVure5Gc8FDjtk8GDq8iFTK7RqwhK9LKGSSag
|
||||
-> ssh-ed25519 zj2A2A CpogQj8V/F4OZFq0m6Iptr2N5/ekc5HQbFnp/59eVV8
|
||||
8U3QBr107hm0BG8X0eEf0aD9wSeCoLDcEMdH1FJDu58
|
||||
--- aku/Nskd2GKHFtL8C/hMJvPOiGQkrPDKOPsrPPc575o
|
||||
ÅpV÷8ߨÑùŠ‚DzIþ˹‡Ð ╺Ȉ½‹wYo€˜uv+Ók‰<>¡a4Oü™´1¾Ó¥q{¸Gš<47>gÈ7ÊÛ
|
|
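Review bot: The new `token.age` is rendered as a text diff with its ciphertext payload printed at L113, while the sibling `git-private-key.age` is correctly shown as a binary file; git decides this by a content heuristic, so future rotations of small secrets will keep producing garbled, merge-conflict-prone text diffs. Declaring `*.age binary` in a `.gitattributes` at the repository root (not present in this compare, so it may already exist) makes git treat all age files uniformly and stops the forge from rendering their contents. The age header lines themselves (recipient stanzas) carry no secret material, so nothing here needs re-encryption.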
@ -11,6 +11,7 @@
|
|||
./nextcloud.nix
|
||||
./nginx.nix
|
||||
./postgres.nix
|
||||
./renovate.nix
|
||||
./wakapi.nix
|
||||
./website
|
||||
];
|
||||
|
|
|
@ -61,7 +61,15 @@ in {
|
|||
ENABLED_ISSUE_BY_LABEL = true;
|
||||
};
|
||||
|
||||
repository.ENABLE_PUSH_CREATE_USER = true;
|
||||
repository = {
|
||||
ENABLE_PUSH_CREATE_USER = true;
|
||||
};
|
||||
|
||||
"repository.signing" = {
|
||||
SIGNING_KEY = "040C2D69C44F7B38065208FCCEED88FF3F03801B";
|
||||
SIGNING_NAME = "winston's Forgejo";
|
||||
SIGNING_EMAIL = "code@winston.sh";
|
||||
};
|
||||
|
||||
server = rec {
|
||||
DOMAIN = "code.winston.sh";
|
||||
|
@ -93,7 +101,9 @@ in {
|
|||
MINIO_USE_SSL = true;
|
||||
};
|
||||
|
||||
"ui.meta".AUTHOR = "nekowinston's Forgejo - Beyond coding. We forge.";
|
||||
"ui.meta" = {
|
||||
AUTHOR = "nekowinston's Forgejo - Beyond coding. We forge.";
|
||||
};
|
||||
|
||||
other = {
|
||||
SHOW_FOOTER_VERSION = false;
|
||||
|
|
42
config/services/renovate.nix
Normal file
42
config/services/renovate.nix
Normal file
|
@ -0,0 +1,42 @@
|
|||
{
|
||||
config,
|
||||
inputs,
|
||||
pkgs,
|
||||
...
|
||||
}: {
|
||||
imports = ["${inputs.nixpkgs-unstable}/nixos/modules/services/misc/renovate.nix"];
|
||||
|
||||
services.renovate = {
|
||||
enable = true;
|
||||
# N.B.: only needs to be specified while pulling the module from unstable
|
||||
package = pkgs.unstable.renovate;
|
||||
|
||||
schedule = "hourly";
|
||||
|
||||
runtimePackages = with pkgs; [
|
||||
# for nix lockfile maintenance
|
||||
nix
|
||||
];
|
||||
|
||||
settings = {
|
||||
endpoint = "https://${config.services.forgejo.settings.server.DOMAIN}";
|
||||
platform = "gitea";
|
||||
gitAuthor = "renovate[bot] <renovate@winston.sh>";
|
||||
autodiscover = true;
|
||||
autodiscoverTopics = ["managed-by-renovate"];
|
||||
|
||||
# performance
|
||||
cachePrivatePackages = true;
|
||||
repositoryCache = "enabled";
|
||||
|
||||
# experimental
|
||||
osvVulnerabilityAlerts = true;
|
||||
};
|
||||
credentials = {
|
||||
# can reuse the GHCR token to read changelogs
|
||||
GITHUB_COM_TOKEN = config.age.secrets."containers/ghcr-token".path;
|
||||
RENOVATE_GIT_PRIVATE_KEY = config.age.secrets."services/renovate/git-private-key".path;
|
||||
RENOVATE_TOKEN = config.age.secrets."services/renovate/token".path;
|
||||
};
|
||||
};
|
||||
}
|
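Review bot: `GITHUB_COM_TOKEN` at L337 is backed by the same secret as the GHCR container-registry token, as the comment at L334 states; Renovate only needs unauthenticated-equivalent read access to github.com to fetch changelogs and avoid rate limits, so the Renovate service now holds whatever package-registry scopes that token carries (its scope is not visible here). A dedicated fine-grained GitHub token with no extra permissions, stored as its own age secret, keeps a compromise of the Renovate host or a leaked log from reaching the registry credential; the comment could then read `# read-only github.com token used only for changelog lookups and rate limiting`. Separately, `settings.endpoint` at L294 derives from `config.services.forgejo.settings.server.DOMAIN`, which ties this module to the Forgejo module being evaluated on the same host; a short comment noting that coupling would help the next reader.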