From 97a592a53e4d147e5f4af472dd5f884644f2cf93 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20B=C3=A4dorf?=
Date: Fri, 8 Dec 2023 17:09:32 +0100
Subject: [PATCH 1/2] forgejo: allow webhooks to all pub.solar subdomains

This should fix the following error that was occuring while trying to post notices to matrix channels:
```
Delivery: Put "https://matrix.pub.solar/_matrix/client/r0/rooms/[...]": dial tcp [::1]:443: webhook can only call allowed HTTP servers (check your webhook.ALLOWED_HOST_LIST setting), deny 'matrix.pub.solar([::1]:443)'
```
---
 hosts/nachtigall/apps/forgejo.nix | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/hosts/nachtigall/apps/forgejo.nix b/hosts/nachtigall/apps/forgejo.nix
index 638b605..080b931 100644
--- a/hosts/nachtigall/apps/forgejo.nix
+++ b/hosts/nachtigall/apps/forgejo.nix
@@ -51,7 +51,9 @@
 HTTP_ADDR = "127.0.0.1";
 HTTP_PORT = 3000;
 };
+
 log.LEVEL = "Warn";
+
 mailer = {
 ENABLED = true;
 PROTOCOL = "smtps";
@@ -60,14 +62,17 @@
 FROM = ''"pub.solar git server" '';
 USER = "admins@pub.solar";
 };
+
 "repository.signing" = {
 SIGNING_KEY = "default";
 MERGES = "always";
 };
+
 openid = {
 ENABLE_OPENID_SIGNIN = true;
 ENABLE_OPENID_SIGNUP = true;
 };
+
 service = {
 # uncomment after initial deployment, first user is admin user
 # required to setup SSO (oauth openid-connect, keycloak auth provider)
@@ -75,15 +80,28 @@
 ENABLE_NOTIFY_MAIL = true;
 DEFAULT_KEEP_EMAIL_PRIVATE = true;
 };
+
 session = {
 PROVIDER = "db";
 COOKIE_SECURE = lib.mkForce true;
 };
+
+ # https://forgejo.org/docs/latest/admin/config-cheat-sheet/#webhook-webhook
+ webhook = {
+ ALLOWED_HOST_LIST = [
+ "loopback"
+ "external"
+ "*.pub.solar"
+ ];
+ };
+
 # See https://forgejo.org/docs/latest/admin/actions/
- actions.ENABLED = true;
- # In an actions workflow, when uses: does not specify an absolute URL,
- # the value of DEFAULT_ACTIONS_URL is prepended to it.
- actions.DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
+ actions = {
+ ENABLED = true;
+ # In an actions workflow, when uses: does not specify an absolute URL,
+ # the value of DEFAULT_ACTIONS_URL is prepended to it.
+ DEFAULT_ACTIONS_URL = "https://code.forgejo.org";
+ };
 };
 };

-- 
2.44.2

From 6bfeb835c2f6822cce4580f9b272b9480e8276c5 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Fri, 8 Dec 2023 17:37:28 +0100
Subject: [PATCH 2/2] fix: type INI atom (null, bool, int, float or string) option `services.gitea.settings.webhook.ALLOWED_HOST_LIST' is not of type `INI atom (null, bool, int, float or string)'
---
 hosts/nachtigall/apps/forgejo.nix | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)

diff --git a/hosts/nachtigall/apps/forgejo.nix b/hosts/nachtigall/apps/forgejo.nix
index 080b931..70c965b 100644
--- a/hosts/nachtigall/apps/forgejo.nix
+++ b/hosts/nachtigall/apps/forgejo.nix
@@ -88,11 +88,7 @@

 # https://forgejo.org/docs/latest/admin/config-cheat-sheet/#webhook-webhook
 webhook = {
- ALLOWED_HOST_LIST = [
- "loopback"
- "external"
- "*.pub.solar"
- ];
+ ALLOWED_HOST_LIST = "loopback,external,*.pub.solar";
 };

 # See https://forgejo.org/docs/latest/admin/actions/
-- 
2.44.2
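Review bot: The `loopback` entry added to `webhook.ALLOWED_HOST_LIST` in the last hunk of PATCH 1/2 (and kept in the string form in PATCH 2/2) permits webhook deliveries to anything listening on 127.0.0.1/::1 on this host, so every user who can configure a webhook gains a server-side request path to local-only services. The commit message only needs matrix.pub.solar, which the `*.pub.solar` pattern names directly; as far as I know the allow-list accepts a delivery when either the hostname pattern or the resolved address matches, so it is worth testing `ALLOWED_HOST_LIST = "external,*.pub.solar";` before keeping `loopback`. If `loopback` does turn out to be required, a comment such as `# loopback: matrix.pub.solar resolves to ::1 on this host` above the setting would record why the wider entry exists.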