Compare commits


No commits in common. "ae93cac1d683fd34fed1659484fd17f927f3ba01" and "753d9a581e29c29ed304a79a05c9cce8a56f386e" have entirely different histories.

4 changed files with 20 additions and 18 deletions


@ -24,8 +24,14 @@
PasswordAuthentication = false; PasswordAuthentication = false;
KbdInteractiveAuthentication = false; KbdInteractiveAuthentication = false;
PermitRootLogin = "no"; PermitRootLogin = "no";
AllowUsers = [ "ellie" "borg" ]; AllowUsers = [ "ellie" "forgejo" ];
}; };
extraConfig = ''
Match User forgejo Address 10.10.0.1
AllowTcpForwarding no
X11Forwarding no
PermitTunnel no
'';
}; };
services.fail2ban = { services.fail2ban = {
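Review bot: The `Match User forgejo Address 10.10.0.1` block only applies when both conditions hold, so a forgejo login from any other source address gets none of the three restrictions, and `AllowUsers` still admits forgejo from wherever sshd is reachable. If 10.10.0.1 is the only intended origin (presumably the WireGuard peer that proxies git SSH), pinning it in the allow-list as `AllowUsers = [ "ellie" "forgejo@10.10.0.1" ];` and matching on `Match User forgejo` alone would close that gap. The block also leaves agent forwarding and TTY allocation at their defaults; `AllowAgentForwarding no` and `PermitTTY no` would be consistent with a git-only account. Because a Match block runs until the next Match or the end of the file, a comment such as `# keep last: everything below applies only to forgejo` would help if more extraConfig is ever appended.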


@ -86,6 +86,7 @@
./services/coturn.nix ./services/coturn.nix
./services/wireguard-outer.nix ./services/wireguard-outer.nix
./services/borgbackup-vps.nix ./services/borgbackup-vps.nix
./services/syncthing-relay.nix
]; ];
}; };


@ -1,8 +1,17 @@
{ ... }: { ... }:
{ {
systemd.services.forgejo = {
wants = [ "network-online.target" ];
after = [ "network-online.target" ];
preStart = ''
mkdir -p /var/lib/forgejo/.ssh
chmod 700 /var/lib/forgejo/.ssh
'';
};
networking.firewall.interfaces.wg0.allowedTCPPorts = [ networking.firewall.interfaces.wg0.allowedTCPPorts = [
2222 22
3000 3000
]; ];
@ -15,10 +24,9 @@
ROOT_URL = "https://forgejo.ellie.town/"; ROOT_URL = "https://forgejo.ellie.town/";
HTTP_ADDR = "10.10.0.2"; HTTP_ADDR = "10.10.0.2";
HTTP_PORT = 3000; HTTP_PORT = 3000;
START_SSH_SERVER = true; START_SSH_SERVER = false;
SSH_DOMAIN = "forgejo.ellie.town"; SSH_DOMAIN = "forgejo.ellie.town";
SSH_PORT = 2222; SSH_PORT = 2222;
SSH_LISTEN_PORT = 2222;
}; };
}; };
} }
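Review bot: Opening port 22 on wg0 together with `START_SSH_SERVER = false` means the host's full OpenSSH daemon, rather than Forgejo's git-only server, is what the `forgejo_ssh` stream upstream now reaches (it is changed to `10.10.0.2:22` in the same comparison). Connections relayed that way will most likely appear to sshd as coming from the proxy's WireGuard address, so per-source controls such as fail2ban bans cannot tell external clients apart, and a single ban could cut off all git SSH. That is worth a comment next to the firewall entry, e.g. `# 22: system sshd, reached via the VPS stream proxy; source IP is always the proxy`. Separately, the `preStart` fragment creates `/var/lib/forgejo/.ssh` without setting an owner, and whether it runs as the forgejo user is not visible here. A tmpfiles rule such as `d /var/lib/forgejo/.ssh 0700 forgejo forgejo -` (assuming the group is also named forgejo) would make ownership explicit.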


@ -1,8 +1,6 @@
{ lib, pkgs, config, ... }: { lib, pkgs, config, ... }:
{ {
boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
sops.secrets."wireguard/private_key" = { sops.secrets."wireguard/private_key" = {
sopsFile = ./secrets/wireguard_vps.yaml; sopsFile = ./secrets/wireguard_vps.yaml;
mode = "0400"; mode = "0400";
@ -23,20 +21,9 @@
peers = [ peers = [
{ {
# Home server
publicKey = "s2plHABMTF83iqrCHlQ+o5ieJSAfudx3upm3v77y1DI="; publicKey = "s2plHABMTF83iqrCHlQ+o5ieJSAfudx3upm3v77y1DI=";
allowedIPs = [ "10.10.0.2/32" ]; allowedIPs = [ "10.10.0.2/32" ];
} }
{
# Desktop
publicKey = "nMQY5RsyTkUi3p6i8pElY9b2Z0vFEeSUdqtw7eQnbQM=";
allowedIPs = [ "10.10.0.3/32" ];
}
{
# Phone
publicKey = "4MDcBaF7oafv5ZC2fjgFHuXnrpwaRglM7fmSw7zo6CQ=";
allowedIPs = [ "10.10.0.4/32" ];
}
]; ];
}; };
@ -110,7 +97,7 @@
} }
upstream forgejo_ssh { upstream forgejo_ssh {
server 10.10.0.2:2222; server 10.10.0.2:22;
} }
server { server {
listen 2222; listen 2222;