move forgejo to it's own module and enable fail2ban for it

os/forgejo.nix

@@ -0,0 +1,59 @@
+{config, pkgs, ... }: 
+let utils = import ./utils.nix; in
+{
+  services.nginx.virtualHosts."git.antoinevaure.fr" = (utils.reverseProxy config.services.forgejo.settings.server.HTTP_PORT);
+
+  services.fail2ban.jails.forgejo = {
+    enabled = true;
+    filter = "forgejo";
+  };
+
+  services.forgejo = {
+    enable = true;
+    lfs.enable = true;
+    settings = {
+      server = {
+        DOMAIN = "git.antoinevaure.fr";
+        ROOT_URL = "https://git.antoinevaure.fr/"; 
+        HTTP_PORT = 3000;
+      };
+      # You can temporarily allow registration to create an admin user.
+      service.DISABLE_REGISTRATION = true; 
+      # Add support for actions, based on act: https://github.com/nektos/act
+      actions = {
+        ENABLED = true;
+        # DEFAULT_ACTIONS_URL = "github";
+      };
+
+      repository = {
+        ENABLE_PUSH_CREATE_USER = true;
+        ENABLE_PUSH_CREATE_ORG = true;
+      };
+      # Sending emails is completely optional
+      # You can send a test email from the web UI at:
+      # Profile Picture > Site Administration > Configuration >  Mailer Configuration 
+      # mailer = {
+      #   ENABLED = true;
+      #   SMTP_ADDR = "mail.example.com";
+      #   FROM = "noreply@${srv.DOMAIN}";
+      #   USER = "noreply@${srv.DOMAIN}";
+      # };
+    };
+  };
+
+  services.gitea-actions-runner = {
+    package = pkgs.forgejo-actions-runner;
+    instances.default = {
+      enable = true;
+      name = "monolith";
+      url = "https://git.antoinevaure.fr";
+      # Obtaining the path to the runner token file may differ
+      # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
+      tokenFile = /root/forgejo_runner_token;
+      labels = [
+        "native:host"
+      ];
+      hostPackages = with pkgs; [ bash coreutils gitMinimal config.nix.package ];
+    };
+  };
+}

os/hs/configuration.nix

@@ -8,6 +8,7 @@ let
     hs
   ];
   domain = "antoinev.freeboxos.fr";
+  utils = import ../utils.nix;
 in {
   imports = [
     ./hardware-configuration.nix
@@ -15,6 +16,7 @@ in {
     ./disks.nix
     ./backup.nix
     ../common.nix
+    ../forgejo.nix
     (import ../remote-disk-unlock.nix ["r8169"] sshKeys)
   ];
 
@@ -97,16 +99,7 @@ in {
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
-    virtualHosts = let
+    virtualHosts = {
-      reverseProxy = port: {
-        enableACME = true;
-        forceSSL = true;
-        locations."/" = {
-          proxyPass = "http://127.0.0.1:${builtins.toString port}";
-          proxyWebsockets = true;
-        };
-      };
-    in {
       "immich.antoinevaure.fr" = {
         enableACME = true;
         forceSSL = true;
@@ -124,65 +117,16 @@ in {
         };
       };
 
-      "jellyfin.antoinevaure.fr" = (reverseProxy 8096);
+      "jellyfin.antoinevaure.fr" = (utils.reverseProxy 8096);
       # "sonarr.${domain}" = (reverseProxy 8989);
       # "radarr.${domain}" = (reverseProxy 7878);
       # "qbittorrent.${domain}" = (reverseProxy qbittorrentPort);
-      "git.antoinevaure.fr" = (reverseProxy 3000);
+      "git.antoinevaure.fr" = (utils.reverseProxy 3000);
       # "nextcloud.${domain}" = {
       #   enableACME = true;
       #   forceSSL = true;
       # };
-      "nixcache.antoinevaure.fr" = (reverseProxy config.services.nix-serve.port);
+      "nixcache.antoinevaure.fr" = (utils.reverseProxy config.services.nix-serve.port);
-    };
-  };
-
-  services.forgejo = {
-    enable = true;
-    lfs.enable = true;
-    settings = {
-      server = {
-        DOMAIN = "git.antoinevaure.fr";
-        ROOT_URL = "https://git.antoinevaure.fr/"; 
-        HTTP_PORT = 3000;
-      };
-      # You can temporarily allow registration to create an admin user.
-      service.DISABLE_REGISTRATION = true; 
-      # Add support for actions, based on act: https://github.com/nektos/act
-      actions = {
-        ENABLED = true;
-        # DEFAULT_ACTIONS_URL = "github";
-      };
-
-      repository = {
-        ENABLE_PUSH_CREATE_USER = true;
-        ENABLE_PUSH_CREATE_ORG = true;
-      };
-      # Sending emails is completely optional
-      # You can send a test email from the web UI at:
-      # Profile Picture > Site Administration > Configuration >  Mailer Configuration 
-      # mailer = {
-      #   ENABLED = true;
-      #   SMTP_ADDR = "mail.example.com";
-      #   FROM = "noreply@${srv.DOMAIN}";
-      #   USER = "noreply@${srv.DOMAIN}";
-      # };
-    };
-  };
-
-  services.gitea-actions-runner = {
-    package = pkgs.forgejo-actions-runner;
-    instances.default = {
-      enable = true;
-      name = "monolith";
-      url = "https://git.antoinevaure.fr";
-      # Obtaining the path to the runner token file may differ
-      # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
-      tokenFile = /root/forgejo_runner_token;
-      labels = [
-        "native:host"
-      ];
-      hostPackages = with pkgs; [ bash coreutils gitMinimal config.nix.package ];
     };
   };
 

os/utils.nix

@@ -0,0 +1,10 @@
+{
+  reverseProxy = port: {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${builtins.toString port}";
+      proxyWebsockets = true;
+    };
+  };
+}