add forgejo and forgejo runner flake and test commands

forgejo_runner.nix

@@ -0,0 +1,153 @@
+[badmomber@nixos-playground:/etc/nixos]$ cat flake.nix
+# /etc/nixos/flake.nix
+{
+  description = "NixOS config - Forgejo (Single Flake File) - Nginx Fix v3";
+
+  inputs = {
+    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
+
+    home-manager = {
+      url = "github:nix-community/home-manager";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+    # sops-nix ...
+  };
+
+  outputs = { self, nixpkgs, ... }@inputs: {
+
+    nixosConfigurations."nixos-playground" = nixpkgs.lib.nixosSystem {
+      system = "x86_64-linux";
+      specialArgs = { inherit inputs; };
+
+      modules = [
+        # Modul 1: Hardware-Konfiguration importieren
+        ./hardware-configuration.nix
+
+        # Modul 2: Kombinierte Konfiguration inline
+        ( { config, pkgs, lib, ... }:
+          let
+            badmomberPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEK60zKqFTL66ltnQbWJZFR6voqDqIxzego6BXv2Wq1H kersten@MacBook-Pro-von-Kersten.local";
+            systemSshPort = 2424;
+            forgejoSshPort = 2222;
+            forgejoDomain = "git.kriegbaum.io";
+            acmeEmail = "contact@git.kriegbaum.io";
+            forgejoHttpPort = 3000;
+          in
+          {
+            # --- Basiskonfiguration ---
+            boot.loader.systemd-boot.enable = true;
+            boot.loader.efi.canTouchEfiVariables = true;
+            networking.hostName = "nixos-playground";
+            networking.useDHCP = true;
+            time.timeZone = "Europe/Berlin";
+            i18n.defaultLocale = "de_DE.UTF-8";
+            nix.settings.experimental-features = [ "nix-command" "flakes" ];
+            environment.systemPackages = with pkgs; [
+              vim git wget curl htop tree fail2ban
+            ];
+
+            # --- Benutzerkonfiguration ---
+            users.users.badmomber = {
+              isNormalUser = true;
+              description = "admin";
+              group = "users";
+              extraGroups = [ "wheel" ];
+              openssh.authorizedKeys.keys = [ badmomberPubKey ];
+            };
+
+            # --- Sicherheit: SSH Server (Hauptzugang) ---
+            services.openssh = {
+              enable = true;
+              ports = [ systemSshPort ];
+              settings = {
+                PermitRootLogin = "no";
+                PubkeyAuthentication = true;
+                PasswordAuthentication = false;
+                KbdInteractiveAuthentication = false;
+              };
+            };
+
+            # --- Sicherheit: Firewall ---
+            networking.firewall = {
+              enable = true;
+              allowedTCPPorts = [ systemSshPort forgejoSshPort 80 443 ];
+            };
+
+            # --- Sicherheit: Fail2ban ---
+            services.fail2ban.enable = true;
+
+            # --- Forgejo Service ---
+            services.forgejo = {
+              enable = true;
+              settings = {
+                # log.LEVEL = "Debug"; # Debug Log wieder aus
+                server = {
+                  DOMAIN = forgejoDomain;
+                  ROOT_URL = "https://${forgejoDomain}/";
+                  HTTP_ADDR = "127.0.0.1";
+                  HTTP_PORT = forgejoHttpPort;
+                  PROTOCOL = "http";
+                  SSH_DOMAIN = forgejoDomain;
+                  SSH_PORT = forgejoSshPort; # Der Port, der in URLs angezeigt wird (2222)
+
+                  # ---- HINZUGEFÜGTE ZEILEN ----
+                  START_SSH_SERVER = true;  # Sicherstellen, dass der interne SSH-Server startet
+                  SSH_LISTEN_PORT = forgejoSshPort; # Sage dem internen Server, auf Port 2222 zu lauschen
+                  # SSH_LISTEN_HOST = "0.0.0.0"; # Lausche auf allen Interfaces (ist meist Standard)
+                  # -----------------------------
+
+                  ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
+                  ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true;
+                  ENABLE_REVERSE_PROXY_LIMIT = true;
+                };
+                service.DISABLE_REGISTRATION = true;
+              };
+            };
+
+            # --- Nginx Reverse Proxy ---
+            services.nginx = {
+              enable = true;
+              # Setze Upload Limit global im http-Block (korrekte NixOS-Option)
+              clientMaxBodySize = "512M"; # <-- KORREKTE STELLE
+              # recommendedProxySettings = true; # Bleibt weg
+              recommendedTlsSettings = true;
+              virtualHosts.${forgejoDomain} = {
+                forceSSL = true;
+                enableACME = true;
+                # clientMaxBodySize hier falsch platziert
+
+                locations."/" = {
+                  proxyPass = "http://127.0.0.1:${toString forgejoHttpPort}";
+                  # clientMaxBodySize hier auch falsch platziert
+
+                  extraConfig = ''
+                    # Nötig für Websockets / Keep-Alive
+                    proxy_http_version 1.1;
+                    # Header für Websockets (könnten 400er verursachen!)
+                    proxy_set_header Upgrade $http_upgrade;
+                    proxy_set_header Connection $http_connection;
+                    # Standard Proxy Header
+                    proxy_set_header Host $host;
+                    proxy_set_header X-Real-IP $remote_addr;
+                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                    proxy_set_header X-Forwarded-Proto $scheme;
+                  '';
+                };
+              };
+            };
+
+            # --- ACME / Let's Encrypt ---
+            security.acme = {
+              acceptTerms = true;
+              defaults.email = acmeEmail;
+            };
+
+            # --- State Version ---
+            system.stateVersion = "24.11"; # Ggf. anpassen
+
+          }
+        ) # Ende des inline Moduls
+      ]; # Ende der Modul-Liste
+    }; # Ende der nixosConfiguration
+  }; # Ende der outputs
+}