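[badmomber@nixos-playground:/etc/nixos]$ cat flake.nix
# /etc/nixos/flake.nix
#
# Single-file NixOS flake for the host "nixos-playground": system SSH on a
# non-default port, a Forgejo instance bound to localhost with its built-in
# SSH server, and nginx terminating TLS (ACME) in front of it.
{
  description = "NixOS config - Forgejo (Single Flake File) - Nginx Fix v3";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";
    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # sops-nix ...
  };

  outputs = { self, nixpkgs, ... }@inputs: {
    nixosConfigurations."nixos-playground" = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      specialArgs = { inherit inputs; };
      modules = [
        # Module 1: import the hardware configuration
        ./hardware-configuration.nix

        # Module 2: combined configuration, inline
        ({ config, pkgs, lib, ... }:
          let
            # Admin login key (the only way in: password auth is disabled below).
            badmomberPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEK60zKqFTL66ltnQbWJZFR6voqDqIxzego6BXv2Wq1H kersten@MacBook-Pro-von-Kersten.local";
            # sshd for the system itself; kept distinct from Forgejo's SSH port.
            systemSshPort = 2424;
            # Forgejo's built-in SSH server (git over SSH).
            forgejoSshPort = 2222;
            forgejoDomain = "git.kriegbaum.io";
            acmeEmail = "contact@git.kriegbaum.io";
            # Forgejo HTTP listener; only reachable via nginx (bound to 127.0.0.1).
            forgejoHttpPort = 3000;
          in {
            # --- Base configuration ---
            boot.loader.systemd-boot.enable = true;
            boot.loader.efi.canTouchEfiVariables = true;
            networking.hostName = "nixos-playground";
            networking.useDHCP = true;
            time.timeZone = "Europe/Berlin";
            i18n.defaultLocale = "de_DE.UTF-8";
            nix.settings.experimental-features = [ "nix-command" "flakes" ];
            environment.systemPackages = with pkgs; [ vim git wget curl htop tree fail2ban ];

            # --- User configuration ---
            users.users.badmomber = {
              isNormalUser = true;
              description = "admin";
              group = "users";
              extraGroups = [ "wheel" ];
              openssh.authorizedKeys.keys = [ badmomberPubKey ];
            };

            # --- Security: SSH server (main access) ---
            # Key-only access: root login and every interactive/password method is off.
            services.openssh = {
              enable = true;
              ports = [ systemSshPort ];
              settings = {
                PermitRootLogin = "no";
                PubkeyAuthentication = true;
                PasswordAuthentication = false;
                KbdInteractiveAuthentication = false;
              };
            };

            # --- Security: Firewall ---
            # Only the two SSH ports and HTTP/HTTPS are exposed; Forgejo's HTTP port
            # (3000) is deliberately not in this list.
            networking.firewall = {
              enable = true;
              allowedTCPPorts = [ systemSshPort forgejoSshPort 80 443 ];
            };

            # --- Security: Fail2ban ---
            # NOTE(review): confirm the sshd jail actually watches port 2424 rather
            # than the default SSH port — verify with `fail2ban-client status sshd`.
            services.fail2ban.enable = true;

            # --- Forgejo service ---
            services.forgejo = {
              enable = true;
              settings = {
                # log.LEVEL = "Debug";   # debug logging switched off again
                server = {
                  DOMAIN = forgejoDomain;
                  ROOT_URL = "https://${forgejoDomain}/";
                  # Bind to loopback only; nginx is the sole public entry point.
                  HTTP_ADDR = "127.0.0.1";
                  HTTP_PORT = forgejoHttpPort;
                  PROTOCOL = "http";
                  SSH_DOMAIN = forgejoDomain;
                  SSH_PORT = forgejoSshPort;          # port shown in clone URLs (2222)
                  # ---- added lines ----
                  START_SSH_SERVER = true;            # make sure the built-in SSH server starts
                  SSH_LISTEN_PORT = forgejoSshPort;   # tell the built-in server to listen on 2222
                  # SSH_LISTEN_HOST = "0.0.0.0";      # listen on all interfaces (usually the default)
                  # ---------------------
                  # Removed: ENABLE_REVERSE_PROXY_AUTHENTICATION, _AUTO_REGISTRATION
                  # and _LIMIT. They are [service]-section keys, so under [server]
                  # they were not honoured; and enabling them for real would make
                  # Forgejo accept the reverse-proxy auth header
                  # (REVERSE_PROXY_AUTHENTICATION_USER, default X-WEBAUTH-USER) on any
                  # request arriving via nginx, which neither sets nor clears that
                  # header — any client could then log in as an arbitrary user.
                  # Nothing in this flake provides upstream authentication, so the
                  # built-in login is the intended mechanism.
                };
                service.DISABLE_REGISTRATION = true;
              };
            };

            # --- Nginx reverse proxy ---
            services.nginx = {
              enable = true;
              # Upload limit set globally in the http block (the correct NixOS option)
              clientMaxBodySize = "512M";   # <-- correct place
              # recommendedProxySettings = true;   # stays off; headers are set by hand below
              recommendedTlsSettings = true;
              virtualHosts.${forgejoDomain} = {
                forceSSL = true;
                enableACME = true;
                # clientMaxBodySize was wrongly placed here
                locations."/" = {
                  proxyPass = "http://127.0.0.1:${toString forgejoHttpPort}";
                  # clientMaxBodySize was also wrongly placed here
                  extraConfig = ''
                    # Nötig für Websockets / Keep-Alive
                    proxy_http_version 1.1;
                    # Header für Websockets (könnten 400er verursachen!)
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection $http_connection;
                    # Standard Proxy Header
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto $scheme;
                  '';
                };
              };
            };

            # --- ACME / Let's Encrypt ---
            security.acme = {
              acceptTerms = true;
              defaults.email = acmeEmail;
            };

            # --- State version ---
            system.stateVersion = "24.11";   # adjust if needed
          }
        )   # end of the inline module
      ];    # end of the module list
    };      # end of the nixosConfiguration
  };        # end of the outputs
}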