plumjam/nixos - Change ISKRPSY5MU5XKIV7FTBDYDPRKV6ONINH2SDIXY7QDGTXNCYN7YFQC

server: caddy and hosts setup for forgejo

Created by James Plummer on September 3, 2025

ISKRPSY5MU5XKIV7FTBDYDPRKV6ONINH2SDIXY7QDGTXNCYN7YFQC

Dependencies

In channels

main

Change contents

Insertion in secrets.nix at line 11 [5.1]

[4.413]

[5.178]

	"modules/acme/environment.age".publicKeys    = all;

Replacement in modules/forgejo.nix at line 3 [6.3]
B:BD[6.74] → [6.74:99]
```
  inherit (lib) enabled;
```
[6.74]
[6.99]
```
  inherit (lib) enabled mkForce;
```

Insertion in modules/forgejo.nix at line 12 [6.3]

[4.417]

  # combine AcceptEnv settings for SSH and Git protocol
  services.openssh.settings.AcceptEnv = mkForce "SHELLS COLORTERM GIT_PROTOCOL";

Replacement in modules/forgejo.nix at line 22 [6.3]

B:BD[6.198] → [6.198:248]

  services.forgejo = enabled {
    lfs = enabled;

[6.198]

[6.248]

  # backup configuration for sqlite database and data
  systemd.services.forgejo-backup = {
    description = "Backup Forgejo data and database";
    after = [ "forgejo.service" ];

Replacement in modules/forgejo.nix at line 27 [6.3]

B:BD[6.249] → [6.249:290]

B:BD[6.290] → [4.579:586]

    database = {
      type = "sqlite3";
    };

[6.249]

[4.586]

    script = ''
      mkdir -p /var/backup/forgejo
      cp -r /var/lib/forgejo /var/backup/forgejo/$(date +%Y%m%d_%H%M%S)

Replacement in modules/forgejo.nix at line 31 [6.3]

B:BD[4.587] → [4.587:776]

    # backup configuration for sqlite database and data
    systemd.services.forgejo-backup = {
      description = "Backup Forgejo data and database";
      after = [ "forgejo.service" ];

[4.587]

[4.776]

      # keep only last 7 backups
      ls -1t /var/backup/forgejo/ | tail -n +8 | xargs -r rm -rf
    '';

Replacement in modules/forgejo.nix at line 35 [6.3]

B:BD[4.777] → [4.777:906]

      script = ''
        mkdir -p /var/backup/forgejo
        cp -r /var/lib/forgejo /var/backup/forgejo/$(date +%Y%m%d_%H%M%S)

[4.777]

[4.906]

    serviceConfig = {
      Type = "oneshot";
      User = "forgejo";
    };
  };

Replacement in modules/forgejo.nix at line 41 [6.3]

B:BD[4.907] → [4.907:1019]

        # keep only last 7 backups
        ls -1t /var/backup/forgejo/ | tail -n +8 | xargs -r rm -rf
      '';

[4.907]

[4.1019]

  systemd.timers.forgejo-backup = {
    description = "Run Forgejo backup daily";
    wantedBy = [ "timers.target" ];

Replacement in modules/forgejo.nix at line 45 [6.3]

B:BD[4.1020] → [4.1020:1105]

      serviceConfig = {
        Type = "oneshot";
        User = "forgejo";
      };

[4.1020]

[6.290]

    timerConfig = {
      OnCalendar = "daily";
      Persistent = true;

Insertion in modules/forgejo.nix at line 49 [6.3]
[6.297]
[6.297]
```
  };
```

Replacement in modules/forgejo.nix at line 51 [6.3]

B:BD[6.298] → [4.1106:1230]

    systemd.timers.forgejo-backup = {
      description = "Run Forgejo backup daily";
      wantedBy = [ "timers.target" ];

[6.298]

[4.1230]

  services.forgejo = enabled {
    lfs = enabled;

Replacement in modules/forgejo.nix at line 54 [6.3]

B:BD[4.1231] → [4.1231:1319]

      timerConfig = {
        OnCalendar = "daily";
        Persistent = true;
      };

[4.1231]

[4.1319]

    database = {
      type = "sqlite3";

Insertion in modules/forgejo.nix at line 124 [6.3]

[6.1768]

  };
  # caddy reverse proxy configuration
  services.caddy.virtualHosts.${fqdn} = {
    useACMEHost = domain;
    extraConfig = /* caddy */ ''
      reverse_proxy http://[::1]:${toString port}
      
      import cors
    '';

File addition: caddy.nix (----------)

[7.2]

{ self, config, lib, ... }: let
  inherit (config.networking) domain;
  inherit (lib) enabled mkConst;
in {
  imports = [(self + /modules/acme)];
  options.services.caddy.sslTemplate = mkConst {
    useACMEHost = domain;
  };
  options.services.caddy.headers = mkConst /* caddy */ ''
    header {
      Access-Control-Allow-Origin {$allow_origin}
      Access-Control-Allow-Methods {$allow_methods}
      Strict-Transport-Security {$hsts_header}
      Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; base-uri 'self';"
      Referrer-Policy "no-referrer"
      X-Frame-Options "DENY"
    }
  '';
  config.networking.firewall = {
    allowedTCPPorts = [ 443 80 ];
    allowedUDPPorts = [ 443 ];
  };
  config.services.caddy = enabled {
    globalConfig = /* caddy */ ''
      {
        admin 0.0.0.0:2019
      }
    '';
    extraConfig = /* caddy */ ''
      (hsts) {
        @https {
          scheme https
        }
        header @https Strict-Transport-Security "max-age=31536000; includeSubdomains; preload"
      }
      (cors) {
        @cors_origin header Origin ~^https://(?:.+\.)?${domain}$
        @cors_methods {
          method OPTIONS
        }
        header @cors_origin {
          Access-Control-Allow-Origin {header.origin}
          Access-Control-Allow-Methods "CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE"
        }
        respond @cors_methods "" 204
        ${config.services.caddy.headers}
      }
    '';
  };
  config.security.acme.users = [ "caddy" ];
}

File addition: environment.age (----------)
[7.23]

Replacement in modules/acme/default.nix at line 7 [7.41]

B:BD[7.181] → [7.181:240]

  config.secrets.acmeEnvironment.file = ./environment.age;

[7.181]

[7.240]

  config.age.secrets.acmeEnvironment.file = ./environment.age;

Replacement in modules/acme/default.nix at line 15 [7.41]

B:BD[7.376] → [7.376:437]

      environmentFile = config.secrets.acmeEnvironment.path;

[7.376]

[7.437]

      environmentFile = config.age.secrets.acmeEnvironment.path;

File addition: option.nix (----------)

[8.1]

_: _: super: let
  inherit (super) mkOption;
in {
  mkConst = value: mkOption {
    default  = value;
    readOnly = true;
  };
  mkValue = default: mkOption {
    inherit default;
  };
}

Insertion in lib/default.nix at line 3 [8.2394]
[8.2478]
[8.2478]
```
  option     = import ./option.nix     inputs self super;
```

Replacement in lib/default.nix at line 6 [8.2394]

B:BD[8.2594] → [2.923:979]

in filesystem // system // values // { inherit inputs; }

[8.2594]

in filesystem // option // system // values // { inherit inputs; }

Replacement in hosts/plum/password.age at line 2 [5.225]
B:BD[5.248] → [9.113:486]
[5.248]
Replacement in hosts/plum/id.age at line 2 [10.596]
B:BD[10.619] → [9.488:1186]
[10.619]
Replacement in hosts/plum/forgejo-password.age at line 2 [4.1344]
B:BD[4.1367] → [4.1367:1740]
[4.1367]
Insertion in hosts/plum/configuration.nix at line 12 [11.1247]
[11.1407]
[11.1407]
```
		../../modules/forgejo.nix
```
Insertion in hosts/plum/configuration.nix at line 76 [11.1247]
[11.2240]
[3.99]
```
    domain = "plumj.am";
```
Replacement in hosts/pear/id.age at line 2 [12.187]
B:BD[12.210] → [9.1191:1890]
[12.210]
Replacement in hosts/kiwi/password.age at line 2 [13.2141]
B:BD[13.2164] → [9.1896:2269]
[13.2164]
Replacement in hosts/kiwi/id.age at line 2 [13.2583]
B:BD[13.2606] → [9.2271:2969]
[13.2606]

server: caddy and hosts setup for forgejo

Dependencies

In channels

Change contents

Insertion in secrets.nix at line 11 [5.1]

Replacement in modules/forgejo.nix at line 3 [6.3]

Insertion in modules/forgejo.nix at line 12 [6.3]

Replacement in modules/forgejo.nix at line 22 [6.3]

Replacement in modules/forgejo.nix at line 27 [6.3]

Replacement in modules/forgejo.nix at line 31 [6.3]

Replacement in modules/forgejo.nix at line 35 [6.3]

Replacement in modules/forgejo.nix at line 41 [6.3]

Replacement in modules/forgejo.nix at line 45 [6.3]

Insertion in modules/forgejo.nix at line 49 [6.3]

Replacement in modules/forgejo.nix at line 51 [6.3]

Replacement in modules/forgejo.nix at line 54 [6.3]

Insertion in modules/forgejo.nix at line 124 [6.3]

File addition: caddy.nix (----------)

File addition: environment.age (----------)

Replacement in modules/acme/default.nix at line 7 [7.41]

Replacement in modules/acme/default.nix at line 15 [7.41]

File addition: option.nix (----------)

Insertion in lib/default.nix at line 3 [8.2394]

Replacement in lib/default.nix at line 6 [8.2394]

Replacement in hosts/plum/password.age at line 2 [5.225]

Replacement in hosts/plum/id.age at line 2 [10.596]

Replacement in hosts/plum/forgejo-password.age at line 2 [4.1344]

Insertion in hosts/plum/configuration.nix at line 12 [11.1247]

Insertion in hosts/plum/configuration.nix at line 76 [11.1247]

Replacement in hosts/pear/id.age at line 2 [12.187]

Replacement in hosts/kiwi/password.age at line 2 [13.2141]

Replacement in hosts/kiwi/id.age at line 2 [13.2583]