Move forgejo to hetznix

nix/hosts/hetznix/configuration.nix

@@ -15,9 +15,17 @@
     ./secrets.nix
     ./security
     ./services
+
+    ../../users/opdavies
   ];
 
-  nix.nixPath = [ "nixpkgs=${inputs.nixpkgs-2405}" ];
+  nix = {
+    extraOptions = ''
+      trusted-users = root opdavies
+    '';
+
+    nixPath = [ "nixpkgs=${inputs.nixpkgs-2405}" ];
+  };
 
   networking.firewall.allowedTCPPorts = [
     80

nix/hosts/hetznix/security/acme.nix

@@ -18,6 +18,7 @@
         # TODO Refactor to use a wildcard certificate.
         "2020.oliverdavies.uk"
         "bootstrap-with-tailwind.oliverdavies.uk"
+        "code.oliverdavies.uk"
         "florida-drupalcamp-tailwind-css.oliverdavies.uk"
         "luke.oliverdavies.uk"
         "phpsw-sculpin-demo.oliverdavies.uk"

nix/hosts/hetznix/services/default.nix

@@ -1,10 +1,7 @@
 {
   imports = [
-    ./acme.nix
     ./caddy
+    ./forgejo.nix
+    ./openssl.nix
   ];
-
-  services = {
-    openssh.enable = true;
-  };
 }

nix/hosts/hetznix/services/forgejo.nix

@@ -0,0 +1,28 @@
+{ config, ... }:
+
+{
+  services = {
+    forgejo = {
+      enable = true;
+
+      settings = {
+        server = {
+          DOMAIN = "code.oliverdavies.uk";
+          HTTP_PORT = 2223;
+        };
+
+        service = {
+          DISABLE_REGISTRATION = true;
+        };
+      };
+    };
+
+    caddy.virtualHosts."${config.services.forgejo.settings.server.DOMAIN}" = {
+      useACMEHost = "oliverdavies.uk";
+
+      extraConfig = "reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}";
+    };
+
+    openssh.settings.AllowUsers = [ "forgejo" ];
+  };
+}

nix/hosts/hetznix/services/openssl.nix

@@ -0,0 +1,10 @@
+{
+  services.openssh = {
+    enable = true;
+
+    settings = {
+      AllowUsers = [ "opdavies" ];
+      PermitRootLogin = "no";
+    };
+  };
+}