nixos-workspace/forgejo_runner.nix

[badmomber@nixos-playground:/etc/nixos]$ cat flake.nix
# /etc/nixos/flake.nix
{
  description = "NixOS config - Forgejo (Single Flake File) - Nginx Fix v3";

  inputs = {
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable";

    home-manager = {
      url = "github:nix-community/home-manager";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    # sops-nix ...
  };

  outputs = { self, nixpkgs, ... }@inputs: {

    nixosConfigurations."nixos-playground" = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      specialArgs = { inherit inputs; };

      modules = [
        # Modul 1: Hardware-Konfiguration importieren
        ./hardware-configuration.nix

        # Modul 2: Kombinierte Konfiguration inline
        ( { config, pkgs, lib, ... }:
          let
            badmomberPubKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEK60zKqFTL66ltnQbWJZFR6voqDqIxzego6BXv2Wq1H kersten@MacBook-Pro-von-Kersten.local";
            systemSshPort = 2424;
            forgejoSshPort = 2222;
            forgejoDomain = "git.kriegbaum.io";
            acmeEmail = "contact@git.kriegbaum.io";
            forgejoHttpPort = 3000;
          in
          {
            # --- Basiskonfiguration ---
            boot.loader.systemd-boot.enable = true;
            boot.loader.efi.canTouchEfiVariables = true;
            networking.hostName = "nixos-playground";
            networking.useDHCP = true;
            time.timeZone = "Europe/Berlin";
            i18n.defaultLocale = "de_DE.UTF-8";
            nix.settings.experimental-features = [ "nix-command" "flakes" ];
            environment.systemPackages = with pkgs; [
              vim git wget curl htop tree fail2ban
            ];

            # --- Benutzerkonfiguration ---
            users.users.badmomber = {
              isNormalUser = true;
              description = "admin";
              group = "users";
              extraGroups = [ "wheel" ];
              openssh.authorizedKeys.keys = [ badmomberPubKey ];
            };

            # --- Sicherheit: SSH Server (Hauptzugang) ---
            services.openssh = {
              enable = true;
              ports = [ systemSshPort ];
              settings = {
                PermitRootLogin = "no";
                PubkeyAuthentication = true;
                PasswordAuthentication = false;
                KbdInteractiveAuthentication = false;
              };
            };

            # --- Sicherheit: Firewall ---
            networking.firewall = {
              enable = true;
              allowedTCPPorts = [ systemSshPort forgejoSshPort 80 443 ];
            };

            # --- Sicherheit: Fail2ban ---
            services.fail2ban.enable = true;

            # --- Forgejo Service ---
            services.forgejo = {
              enable = true;
              settings = {
                # log.LEVEL = "Debug"; # Debug Log wieder aus
                server = {
                  DOMAIN = forgejoDomain;
                  ROOT_URL = "https://${forgejoDomain}/";
                  HTTP_ADDR = "127.0.0.1";
                  HTTP_PORT = forgejoHttpPort;
                  PROTOCOL = "http";
                  SSH_DOMAIN = forgejoDomain;
                  SSH_PORT = forgejoSshPort; # Der Port, der in URLs angezeigt wird (2222)

                  # ---- HINZUGEFÜGTE ZEILEN ----
                  START_SSH_SERVER = true;  # Sicherstellen, dass der interne SSH-Server startet
                  SSH_LISTEN_PORT = forgejoSshPort; # Sage dem internen Server, auf Port 2222 zu lauschen
                  # SSH_LISTEN_HOST = "0.0.0.0"; # Lausche auf allen Interfaces (ist meist Standard)
                  # -----------------------------

                  ENABLE_REVERSE_PROXY_AUTHENTICATION = true;
                  ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true;
                  ENABLE_REVERSE_PROXY_LIMIT = true;
                };
                service.DISABLE_REGISTRATION = true;
              };
            };

            # --- Nginx Reverse Proxy ---
            services.nginx = {
              enable = true;
              # Setze Upload Limit global im http-Block (korrekte NixOS-Option)
              clientMaxBodySize = "512M"; # <-- KORREKTE STELLE
              # recommendedProxySettings = true; # Bleibt weg
              recommendedTlsSettings = true;
              virtualHosts.${forgejoDomain} = {
                forceSSL = true;
                enableACME = true;
                # clientMaxBodySize hier falsch platziert

                locations."/" = {
                  proxyPass = "http://127.0.0.1:${toString forgejoHttpPort}";
                  # clientMaxBodySize hier auch falsch platziert

                  extraConfig = ''
                    # Nötig für Websockets / Keep-Alive
                    proxy_http_version 1.1;
                    # Header für Websockets (könnten 400er verursachen!)
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection $http_connection;
                    # Standard Proxy Header
                    proxy_set_header Host $host;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    proxy_set_header X-Forwarded-Proto $scheme;
                  '';
                };
              };
            };

            # --- ACME / Let's Encrypt ---
            security.acme = {
              acceptTerms = true;
              defaults.email = acmeEmail;
            };

            # --- State Version ---
            system.stateVersion = "24.11"; # Ggf. anpassen

          }
        ) # Ende des inline Moduls
      ]; # Ende der Modul-Liste
    }; # Ende der nixosConfiguration
  }; # Ende der outputs
}