linde: add pr.alin.ovh for anonymous git patch requests
1 file changed, 59 insertions(+), 1 deletion(-)
M system/hosts/linde.nix → system/hosts/linde.nix
@@ -17,7 +17,9 @@ hostname = "linde"; net-ip4 = "116.203.248.56"; net-mask4 = 32; net-gw = "172.31.1.1"; - net-ip6 = "2a01:4f8:c012:23a4::1"; + prefix6 = "2a01:4f8:c012:23a4"; + gitpr6 = "${prefix6}::2222"; + net-ip6 = "${prefix6}::1"; net-mask6 = 64; net-gw6 = "fe80::1"; domain = "alin.ovh";@@ -78,6 +80,16 @@ # Initial empty root password for easy login: users.users.root.initialHashedPassword = ""; services.openssh = { enable = true; + listenAddresses = [ + { + addr = net-ip4; + port = 22; + } + { + addr = net-ip6; + port = 22; + } + ]; }; services.sshguard = { enable = true;@@ -187,6 +199,10 @@ { address = net-ip6; prefixLength = net-mask6; } + { + address = gitpr6; + prefixLength = net-mask6; + } ]; }; };@@ -543,11 +559,15 @@ acl sniff_ssh req.payload(0,7) -m str "SSH-2.0" tcp-request content accept if sniff_https use_backend ssh if sniff_ssh use_backend ssh if { req_ssl_sni -i ssh.alin.ovh } + use_backend pr_caddy if { req_ssl_sni -i pr.alin.ovh } default_backend caddy backend caddy server caddy [${net-ip6}]:443 + + backend pr_caddy + server pr_caddy [${gitpr6}]:443 backend ssh mode tcp@@ -752,6 +772,16 @@ extraConfig = '' redir https://{labels.2}.${domain}{uri} ''; }; + "pr.${domain}" = + let + srv = config.services.git-pr.settings; + in + { + extraConfig = '' + bind [${gitpr6}] + reverse_proxy ${srv.host}:${toString srv.web_port} + ''; + }; }; }; systemd.services.caddy.serviceConfig = {@@ -1183,6 +1213,34 @@ users.users.laminar = { homeMode = "770"; }; users.groups.laminar.members = [ "caddy" ]; + + services.git-pr = { + enable = true; + package = pkgs.git-pr.overrideAttrs (old: { + version = "2025-08-28"; + src = pkgs.fetchFromGitHub { + owner = "picosh"; + repo = "git-pr"; + rev = "caaef17cd726985f97b6243b76425958534dd080"; + hash = "sha256-O8uqsB+F1IkZsp1JA+i7Ct30pPbbc6HPjiG7505oV+Q="; + }; + vendorHash = "sha256-0s6wIsfm8vIjrzA0l7vWg/CV4WF1aYcatZBa9N8WBMU="; + + subPackages = [ "cmd/git-pr" ]; + + postInstall = ''''; + }); + settings = { + url = 
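Review bot: With explicit `listenAddresses` in `services.openssh`, sshd no longer binds the wildcard address, so SSH is reachable only on `net-ip4` and `net-ip6`. The `server` line of the haproxy `backend ssh` lies outside the hunks shown; if it targets loopback or any other address, the SSH-over-443 path would stop working, so that is worth checking. The block also carries no comment explaining the restriction; something like `# leave port 22 on gitpr6 free for git-pr's SSH server` above `listenAddresses` would record the reason.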
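Review bot: `reverse_proxy ${srv.host}:${toString srv.web_port}` in the `"pr.${domain}"` vhost proxies to git-pr's plain-HTTP listener on the globally routable `gitpr6` address, port 3333 (per the `settings` added later in this commit), not on loopback. Unless the firewall rules, which are not visible here, keep 3333 closed, the web UI would be reachable directly, without TLS and without passing through Caddy. git-pr's single `host` setting appears to be shared by its SSH and web listeners, so the practical control is the firewall. A comment such as `# web_port must stay out of networking.firewall.allowedTCPPorts` next to the proxy line would make that dependency explicit. The enclosing attribute set starts outside the hunk.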
"pr.alin.ovh"; + host = "[${prefix6}::2222]"; + ssh_port = 22; + web_port = 3333; + admins = [ + "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPMYpBXLaupevah9A2Ci/EOaDmoPfi3/o45pNx71Oyxpgb1n5lesDp6Q5b83hTskZ3xpOOVrOjFD2FwBLtK1oXY= alin@marvin" + ]; + theme = "modus-operandi"; + }; + }; services.gitea-actions-runner = { package = pkgs.forgejo-actions-runner;
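Review bot: `host = "[${prefix6}::2222]";` in `settings` spells the address out a second time instead of reusing the `gitpr6` binding that the interface address, the haproxy backend and the Caddy `bind` all use. A later change to `gitpr6` would leave git-pr listening on a different address from the one being proxied to; `host = "[${gitpr6}]";` keeps them in step. The empty `postInstall = '''';` override has no comment saying which upstream install step it drops or why, and a one-line comment there would help the next person who bumps `rev`. This endpoint accepts anonymous SSH on port 22, so it is also worth confirming that the `services.sshguard` block visible earlier in the file watches the git-pr unit, since it presumably covers only sshd by default.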