finish

2026-04-15 09:01:16 +00:00 · 2026-03-30 21:44:55 -04:00 · 2026-03-30 21:44:55 -04:00 · 9cfe51145d
commit 9cfe51145d
parent 1dc4ed5f1a
3 changed files with 341 additions and 10 deletions
--- a/hosts/netty/configuration.nix
+++ b/hosts/netty/configuration.nix
@ -102,12 +102,166 @@ in
  environment.systemPackages = packageSets.extras ++ [
    pkgs.bubblewrap
    pkgs.pnpm
+    pkgs.nodejs
  ];

  systemd.tmpfiles.rules = [
    "L /usr/bin/bwrap - - - - ${pkgs.bubblewrap}/bin/bwrap"
  ];

+  # --- ACME / Let's Encrypt ---
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "rathiharivansh@gmail.com";
+  };
+
+  # --- Nginx reverse proxy ---
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+    clientMaxBodySize = "512m";
+
+    virtualHosts."sandbox.example.dev" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://127.0.0.1:2470";
+    };
+
+    virtualHosts."git.example.dev" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/".proxyPass = "http://127.0.0.1:3000";
+    };
+  };
+
+  # --- Forgejo ---
+  users.users.git = {
+    isSystemUser = true;
+    home = "/var/lib/forgejo";
+    group = "git";
+    shell = "${pkgs.bash}/bin/bash";
+  };
+  users.groups.git = { };
+
+  services.forgejo = {
+    enable = true;
+    user = "git";
+    group = "git";
+    settings = {
+      server = {
+        DOMAIN = "git.example.dev";
+        ROOT_URL = "https://git.example.dev/";
+        HTTP_PORT = 3000;
+        SSH_DOMAIN = "git.example.dev";
+      };
+      service.DISABLE_REGISTRATION = true;
+      session.COOKIE_SECURE = true;
+      mirror = {
+        DEFAULT_INTERVAL = "1h";
+        MIN_INTERVAL = "10m";
+      };
+    };
+  };
+
+  # --- Forgejo mirror sync (hourly) ---
+  systemd.services.forgejo-mirror-sync = {
+    description = "Sync GitHub mirrors to Forgejo";
+    after = [ "forgejo.service" ];
+    requires = [ "forgejo.service" ];
+    serviceConfig = {
+      Type = "oneshot";
+      EnvironmentFile = "/etc/forgejo-mirror.env";
+    };
+    path = [ pkgs.curl pkgs.jq pkgs.coreutils ];
+    script = ''
+      set -euo pipefail
+
+      # Fetch all GitHub repos
+      page=1
+      repos=""
+      while true; do
+        batch=$(curl -sf -H "Authorization: token $GITHUB_TOKEN" \
+          "https://api.github.com/user/repos?per_page=100&page=$page&affiliation=owner")
+        count=$(echo "$batch" | jq length)
+        [ "$count" -eq 0 ] && break
+        repos="$repos$batch"
+        page=$((page + 1))
+      done
+
+      echo "$repos" | jq -r '.[].clone_url' | while read -r clone_url; do
+        repo_name=$(basename "$clone_url" .git)
+
+        # Check if mirror already exists in Forgejo
+        status=$(curl -sf -o /dev/null -w '%{http_code}' \
+          -H "Authorization: token $FORGEJO_TOKEN" \
+          "$FORGEJO_URL/api/v1/repos/$FORGEJO_OWNER/$repo_name")
+
+        if [ "$status" = "404" ]; then
+          # Create mirror
+          curl -sf -X POST \
+            -H "Authorization: token $FORGEJO_TOKEN" \
+            -H "Content-Type: application/json" \
+            "$FORGEJO_URL/api/v1/repos/migrate" \
+            -d "{
+              \"clone_addr\": \"$clone_url\",
+              \"auth_token\": \"$GITHUB_TOKEN\",
+              \"uid\": $(curl -sf -H "Authorization: token $FORGEJO_TOKEN" "$FORGEJO_URL/api/v1/user" | jq .id),
+              \"repo_name\": \"$repo_name\",
+              \"mirror\": true,
+              \"service\": \"github\"
+            }"
+          echo "Created mirror: $repo_name"
+        else
+          # Trigger sync on existing mirror
+          curl -sf -X POST \
+            -H "Authorization: token $FORGEJO_TOKEN" \
+            "$FORGEJO_URL/api/v1/repos/$FORGEJO_OWNER/$repo_name/mirror-sync" || true
+          echo "Synced mirror: $repo_name"
+        fi
+      done
+    '';
+  };
+
+  systemd.timers.forgejo-mirror-sync = {
+    wantedBy = [ "timers.target" ];
+    timerConfig = {
+      OnCalendar = "hourly";
+      Persistent = true;
+      RandomizedDelaySec = "5m";
+    };
+  };
+
+  # --- Sandbox Agent (declarative systemd services) ---
+  systemd.services.sandbox-agent = {
+    description = "Sandbox Agent";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "simple";
+      User = username;
+      Group = "users";
+      EnvironmentFile = "/home/${username}/.config/sandbox-agent/agent.env";
+      ExecStart = "/home/${username}/.local/bin/sandbox-agent";
+      Restart = "on-failure";
+      RestartSec = 5;
+    };
+  };
+
+  systemd.services.sandbox-cors-proxy = {
+    description = "Sandbox CORS Proxy";
+    after = [ "sandbox-agent.service" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "simple";
+      User = username;
+      Group = "users";
+      ExecStart = "${pkgs.nodejs}/bin/node /home/${username}/.config/sandbox-agent/cors-proxy.js";
+      Restart = "on-failure";
+      RestartSec = 5;
+    };
+  };
+
  system.configurationRevision = self.rev or self.dirtyRev or null;
  system.stateVersion = "24.11";
 }