# NixOS module: a Forgejo instance that is reachable only through the wg0
# WireGuard interface. Self-registration is disabled and Forgejo Actions is
# enabled.
{ ... }:

let
  # Public hostname, used for the web URL and for SSH clone URLs.
  publicHost = "forgejo.ellie.town";

  # Inner address of wg0; the HTTP listener binds to this address only.
  wgAddress = "10.10.0.2";

  # Listener ports. They are shared between the firewall rule and the Forgejo
  # settings so the two cannot drift apart.
  sshPort = 2222;
  httpPort = 3000;
in
{
  # Both ports are opened on wg0 only; no other interface gets a rule here.
  # NOTE(review): this assumes networking.firewall.enable keeps its default of
  # true and that no global allowedTCPPorts entry elsewhere re-opens these
  # ports. Confirm against the rest of the host configuration.
  networking.firewall.interfaces.wg0.allowedTCPPorts = [
    sshPort
    httpPort
  ];

  services.forgejo = {
    enable = true;

    settings = {
      # No self-service sign-up; accounts have to be created by an admin.
      service.DISABLE_REGISTRATION = true;

      # NOTE(review): with Actions enabled, any registered runner executes
      # workflow code taken from repositories. No runner is configured in this
      # file; verify where runners live and how they are isolated.
      actions.ENABLED = true;

      server = {
        DOMAIN = publicHost;
        ROOT_URL = "https://${publicHost}/";

        # Plain HTTP on the tunnel address, while ROOT_URL advertises https.
        # NOTE(review): presumably TLS is terminated by a reverse proxy on the
        # far side of wg0. Confirm that nothing else can reach this port in
        # clear text.
        HTTP_ADDR = wgAddress;
        HTTP_PORT = httpPort;

        # Forgejo's built-in SSH server. SSH_PORT is the port shown in clone
        # URLs; SSH_LISTEN_PORT is the port the server actually binds.
        # NOTE(review): SSH_LISTEN_HOST is not set, so this listener binds on
        # every interface and only the wg0 firewall rule above limits who can
        # reach it. Consider pinning SSH_LISTEN_HOST to the wg0 address, as is
        # done for HTTP, if nothing needs SSH on another interface.
        START_SSH_SERVER = true;
        SSH_DOMAIN = publicHost;
        SSH_PORT = sshPort;
        SSH_LISTEN_PORT = sshPort;
      };
    };
  };

  # Start ordering. The HTTP listener binds to the wg0 inner address, so
  # Forgejo must not start before that address exists. Without this ordering
  # Forgejo races WireGuard at boot, fails the HTTP bind, and stays up only on
  # its all-interfaces SSH listener, which leaves the web UI answering 502.
  # nixpkgs 25.11 routes networking.wireguard.interfaces through
  # systemd-networkd, so the gate is network-online.target (which pulls in
  # systemd-networkd-wait-online.service) rather than wireguard-wg0.service.
  systemd.services.forgejo = {
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
  };
}