From 931557e4b5a4fed933f2e3e49b27b2197d4f8564 Mon Sep 17 00:00:00 2001 From: harry123 Date: Wed, 7 May 2025 19:51:50 +0200 Subject: [PATCH] updated sisyphe --- hosts/sisyphe/configuration.nix | 2 +- hosts/sisyphe/features/backups.nix | 37 +----------- hosts/sisyphe/features/services/forgejo.nix | 67 ++++++++++++++------- 3 files changed, 46 insertions(+), 60 deletions(-)
diff --git a/hosts/sisyphe/configuration.nix b/hosts/sisyphe/configuration.nix
index 896da0c..d3cbd41 100644
--- a/hosts/sisyphe/configuration.nix
+++ b/hosts/sisyphe/configuration.nix
@@ -79,7 +79,7 @@ in
 allowedTCPPorts = [
 22 # ssh
 80 # http
- 443 # ssh
+ 443 # ssl
 8080
 ];
 allowedUDPPorts = [ ];
diff --git a/hosts/sisyphe/features/backups.nix b/hosts/sisyphe/features/backups.nix
index 990b06b..7722fca 100644
--- a/hosts/sisyphe/features/backups.nix
+++ b/hosts/sisyphe/features/backups.nix
@@ -8,6 +8,7 @@ imports = [ ./backups-repos.nix ]; + sops.secrets.borgRepoPassword = { }; sops.secrets.borgRemoteServerPassword = { sopsFile = "${secrets}/secrets/backup.yaml";
@@ -21,42 +22,6 @@
 sopsFile = "${secrets}/secrets/backup.yaml";
 };
 
- services.borgbackup.jobs = {
- /*
- localBackup = {
- paths = "/";
- exclude = [
- "/nix"
- "/srv/Multimedia"
- "/srv/media"
- "/srv/backups/serverBackups"
- "/srv/backups/localComputerBackups"
- "/var/cache"
- "/var/run"
- "/tmp"
- "/proc"
- "/sys"
- "/dev"
- "/mnt"
- "/run"
- ];
- repo = "/srv/backups/serverBackups";
- doInit = true;
- encryption = {
- mode = "repokey";
- passCommand = "cat /run/secrets/borgRepoPassword";
- };
- compression = "auto,lzma";
- startAt = "weekly";
- };
-
- /*
- serverBackup = {
-
- };
- */
- };
-
 services.borgbackup.repos = {
 borgPersonalServer = {
 authorizedKeys = [
diff --git a/hosts/sisyphe/features/services/forgejo.nix b/hosts/sisyphe/features/services/forgejo.nix
index c5e898e..1253392 100644
--- a/hosts/sisyphe/features/services/forgejo.nix
+++ b/hosts/sisyphe/features/services/forgejo.nix
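Review bot: `sops.secrets.borgRepoPassword = { };` in the backups.nix hunk at -8,6 declares the secret without a `sopsFile`, while the sibling `borgRemoteServerPassword` directly below it points at `${secrets}/secrets/backup.yaml`; if the key lives in that file too, it should read `sops.secrets.borgRepoPassword = { sopsFile = "${secrets}/secrets/backup.yaml"; };`, otherwise sops-nix looks it up in the default sops file and activation fails. The only reference to it in this patch, `passCommand = "cat /run/secrets/borgRepoPassword";`, sat inside a `/* */` comment and is deleted in the -21,42 hunk, so as far as this diff shows the passphrase is now decrypted onto the host with nothing reading it. If a job in backups-repos.nix or elsewhere consumes it, a one-line comment saying so next to the declaration would help; if nothing does, drop the declaration rather than materialise an unused secret.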
@@ -1,4 +1,9 @@
-{ config, lib, pkgs, ... }:
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
 {
 imports = [ ./forgejo-smtp.nix ];
 sops.secrets.smtp_address = { };
@@ -36,34 +41,50 @@
 mailerPasswordFile = config.sops.secrets.smtp_password.path;
 };
 
-/*
- sops.secrets.forgejo-runner-token = {
- owner = "forgejo";
- };
- services.gitea-actions-runner = {
- package = pkgs.forgejo-actions-runner;
- instances.default = {
- enable = true;
- name = "monolith";
- url = "https://git.hypervirtual.world";
- # Obtaining the path to the runner token file may differ
- # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd
- tokenFile = config.sops.secrets.forgejo-runner-token.path;
- labels = [
- "ubuntu-latest:docker://node:16-bullseye"
- "ubuntu-22.04:docker://node:16-bullseye"
- ## optionally provide native execution on the host:
- # "native:host"
- ];
+ servuces.fail2ban = {
+ enable = true;
+ jails = {
+ forgejo = {
+ settings = {
+ logpath = "/var/log/forgejo/log/gitea.log";
+ filter = "forgejo";
+ port = "http,https,ssh";
+ maxretry = 20;
+ findtime = 300;
+ bantime = 900;
+ };
+ };
 };
 };
-*/
+
+ /*
+ sops.secrets.forgejo-runner-token = {
+ owner = "forgejo";
+ };
+ services.gitea-actions-runner = {
+ package = pkgs.forgejo-actions-runner;
+ instances.default = {
+ enable = true;
+ name = "monolith";
+ url = "https://git.hypervirtual.world";
+ # Obtaining the path to the runner token file may differ
+ # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd
+ tokenFile = config.sops.secrets.forgejo-runner-token.path;
+ labels = [
+ "ubuntu-latest:docker://node:16-bullseye"
+ "ubuntu-22.04:docker://node:16-bullseye"
+ ## optionally provide native execution on the host:
+ # "native:host"
+ ];
+ };
+ };
+ */
 systemd.services.forgejo.preStart = ''
 create="${lib.getExe config.services.forgejo.package} admin user create"
 $create --admin --email "`cat ${config.sops.secrets.forgejoInitialMail.path}`" --username you --password "`cat ${config.sops.secrets.forgejoInitialPassword.path}`" &>/dev/null || true
 '';
 services.caddy.virtualHosts."http://git.hypervirtual.world".extraConfig = ''
-
 reverse_proxy :3333
- '';
+ reverse_proxy :3333
+ '';
 }
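Review bot: `servuces.fail2ban = {` in the added block is a typo for `services.fail2ban`; the NixOS module system rejects definitions for options that do not exist, so this configuration fails to evaluate, and once the name is fixed note that nothing in the patch defines the `forgejo` filter that `filter = "forgejo";` refers to. fail2ban does not ship a filter under that name as far as I know, so unless a `filter.d/forgejo.conf` is provided elsewhere the jail fails to load; the jail submodule's `filter` option next to `settings` allows defining the failregex inline. `logpath = "/var/log/forgejo/log/gitea.log"` is also worth checking against where `services.forgejo` actually writes on this host, since on NixOS the default log root sits under the forgejo state directory rather than `/var/log`, and a missing logpath likewise keeps the jail from starting. Going by the hunk counts (-36,34 +41,50), the first `reverse_proxy :3333` at the tail appears to be a context line and the second an added one, which would leave the Caddy site block with the directive twice; if this was meant as a re-indent, the old line should be removed rather than duplicated. The enclosing attribute set starts outside the hunk.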