From 10e8a345863355655bee458089b451b3bb54fa55 Mon Sep 17 00:00:00 2001
From: Bryan Ramos
Date: Sat, 11 Jan 2025 05:52:22 -0500
Subject: [PATCH] added server configs
---
 src/system/machines/server/system.nix | 2 +
 src/system/modules/bitcoin/default.nix | 8 ++-
 src/system/modules/forgejo/default.nix | 58 +++++++++++++++++
 src/system/modules/nginx/default.nix | 86 ++++++++++++++++++++++++++
 4 files changed, 152 insertions(+), 2 deletions(-)
 create mode 100644 src/system/modules/forgejo/default.nix
 create mode 100644 src/system/modules/nginx/default.nix
diff --git a/src/system/machines/server/system.nix b/src/system/machines/server/system.nix
index 8c4d9f9..3f51b82 100644
--- a/src/system/machines/server/system.nix
+++ b/src/system/machines/server/system.nix
@@ -6,6 +6,8 @@
 modules = {
 system = {
+ nginx.enable = true;
+ forgejo.enable = true;
 bitcoin = {
 enable = true;
 electrum.enable = true;
diff --git a/src/system/modules/bitcoin/default.nix b/src/system/modules/bitcoin/default.nix
index 3b4e150..37e8070 100644
--- a/src/system/modules/bitcoin/default.nix
+++ b/src/system/modules/bitcoin/default.nix
@@ -3,6 +3,7 @@
 with lib;
 let
 cfg = config.modules.system.bitcoin;
+ nginx = config.modules.system.nginx;
 home = "/var/lib/bitcoind";
@@ -35,6 +36,11 @@ in
 group = "bitcoin";
 createHome = true;
 };
+ "nginx" = {
+ extraGroups = mkIf nginx.enable [
+ "bitcoin"
+ ];
+ };
 };
 groups = {
 "bitcoin" = {
@@ -49,8 +55,6 @@ in
 btc = "bitcoind";
 };
- networking.firewall.allowedTCPPorts = [ 8333 ];
-
 services.bitcoind = {
 "btc" = {
 enable = true;
diff --git a/src/system/modules/forgejo/default.nix b/src/system/modules/forgejo/default.nix
new file mode 100644
index 0000000..f9a3eca
--- /dev/null
+++ b/src/system/modules/forgejo/default.nix
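Review bot: Adding the `nginx` user to the `bitcoin` group in the second bitcoin hunk hands the web server whatever that group can read under the daemon's home (`home = "/var/lib/bitcoind"` in the first hunk), yet nothing in this commit consumes that access — the `btc.ramos.codes` virtual host in the nginx module is still commented out. Standing group membership on the process that terminates TLS and faces the network is privilege with no current purpose; I would drop this `"nginx"` block until the bitcoin vhost exists and then scope it to the exact socket or directory the proxy needs. If it must stay as a placeholder, at least mark it: `# reserved for the btc.ramos.codes proxy; nothing uses this membership yet`. Separately, the third hunk removes the only `networking.firewall.allowedTCPPorts` entry without a word in the commit message; if the node is meant to stop accepting inbound peers that is a reasonable exposure reduction, but it should be stated.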
@@ -0,0 +1,58 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+let
+ cfg = config.modules.system.forgejo;
+ nginx = config.modules.system.nginx;
+
+in
+{ options.modules.system.forgejo = { enable = mkEnableOption "Forgejo Server"; };
+ config = mkIf cfg.enable {
+ users = {
+ users = {
+ "git" = {
+ description = "Git server system user";
+ isSystemUser = true;
+ group = "git";
+ extraGroups = mkIf nginx.enable [
+ "web"
+ ];
+ };
+ "nginx" = {
+ extraGroups = mkIf nginx.enable [
+ "git"
+ ];
+ };
+ };
+ groups = {
+ "git" = {
+ members = [
+ "git"
+ ];
+ };
+ };
+ };
+
+ services.forgejo = rec {
+ enable = true;
+ user = "git";
+ group = "git";
+ stateDir = "/var/lib/forgejo";
+
+ settings = {
+ server = {
+ PROTOCOL = "http+unix";
+ DOMAIN = "127.0.0.1";
+ HTTP_ADDR = "/run/forgejo/forgejo.sock";
+ };
+ };
+
+ database = {
+ inherit user;
+ type = "sqlite3";
+ path = "${stateDir}/data/forgejo.db";
+ createDatabase = true;
+ };
+ };
+ };
+}
diff --git a/src/system/modules/nginx/default.nix b/src/system/modules/nginx/default.nix
new file mode 100644
index 0000000..5aded22
--- /dev/null
+++ b/src/system/modules/nginx/default.nix
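Review bot: `DOMAIN = "127.0.0.1"` under `services.forgejo.settings.server` does not match the name the nginx module proxies for (`git.ramos.codes`), and no `ROOT_URL` is set, so Forgejo is likely to derive its absolute links (clone URLs, redirects) from the loopback address rather than the public hostname. Set `DOMAIN = "git.ramos.codes";` and `ROOT_URL = "https://git.ramos.codes/";` next to `HTTP_ADDR` so the instance knows the address it is actually served at. The cross memberships are also wider than the socket requires: `nginx` joining `git` is what lets the proxy reach `/run/forgejo/forgejo.sock`, but `git` joining `web` has no consumer in this commit and is declared a second time in the nginx module, so I would drop that `extraGroups` from the `"git"` user here. A one-line comment on the remaining membership, `# nginx needs group access to the forgejo unix socket`, would record why it exists.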
@@ -0,0 +1,86 @@
+{ pkgs, lib, config, ... }:
+
+with lib;
+let
+ cfg = config.modules.system.nginx;
+ module = config.modules.system;
+
+in
+{ options.modules.system.nginx = { enable = mkEnableOption "Nginx Reverse Proxy"; };
+ config = mkIf cfg.enable {
+ users = {
+ users = {
+ "nginx" = {
+ description = "Web server system user";
+ isSystemUser = true;
+ group = mkForce "web";
+ };
+ "btc" = {
+ extraGroups = mkIf module.bitcoin.enable [
+ "web"
+ ];
+ };
+ "git" = {
+ extraGroups = mkIf module.forgejo.enable [
+ "web"
+ ];
+ };
+ };
+ groups = {
+ "web" = {
+ members = [
+ "nginx"
+ ];
+ };
+ };
+ };
+
+ security.acme =
+ let
+ acmeDir = "/var/lib/acme";
+ in
+ {
+ acceptTerms = true;
+ certs = {
+ "ramos.codes" = {
+ #webroot = "${acmeDir}/acme-challenge";
+ directory = "${acmeDir}/ramos.codes";
+ email = config.user.email;
+ group = "web";
+ validMinDays = 90;
+ extraDomainNames = attrNames config.services.nginx.virtualHosts;
+ listenHTTP = ":80";
+ };
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts =
+ let
+ certPath = config.security.acme.certs."ramos.codes".directory;
+ sslCertificate = "${certPath}/fullchain.pem";
+ sslCertificateKey = "${certPath}/key.pem";
+
+ withSSL = hosts: mapAttrs (name: hostConfig: hostConfig // {
+ inherit sslCertificate sslCertificateKey;
+ forceSSL = true;
+ }) hosts;
+
+ in withSSL
+ {
+ "git.ramos.codes" = mkIf module.forgejo.enable {
+ locations = {
+ "/" = {
+ proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}";
+ };
+ };
+ };
+ #"btc.ramos.codes" = mkIf module.bitcoin.enable {
+ # locations = {
+ # };
+ #};
+ };
+ };
+ };
+}
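Review bot: `listenHTTP = ":80"` on the `ramos.codes` certificate runs the ACME client's standalone HTTP listener on port 80, which the `forceSSL = true` virtual hosts produced by `withSSL` also bind for the HTTP-to-HTTPS redirect, so the two are likely to collide whenever a renewal runs. Since nginx is already the front door, drop `listenHTTP` and serve the challenge through nginx instead (the commented-out `webroot` line, or `enableACME = true;` on the virtual host). `validMinDays = 90` is also at or above the lifetime of a Let's Encrypt certificate, so every renewal timer run will request a fresh certificate and eventually hit issuance rate limits; the module default of 30 is the safer value. Finally, this commit deletes the only `networking.firewall.allowedTCPPorts` entry (in the bitcoin module) and adds none here, so if the host firewall is enabled neither nginx nor the challenge responder is reachable — add `networking.firewall.allowedTCPPorts = [ 80 443 ];` to this module next to `services.nginx`.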