Add forge server, clean up common nginx configuration, and update for

latest nixos configuration expectations

nix/home/programs/forgejo/backendserver.nix

@@ -0,0 +1,29 @@
+{lib, ...}:
+
+let
+ domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/forgedomain;
+ port = 9090;
+in
+{
+  networking.firewall = {
+    allowedTCPPorts = [ port ];
+    allowedUDPPorts = [ port ];
+  };
+
+  services.forgejo = {
+    enable = true;
+    # database.type = "postgres";
+    # Enable support for Git Large File Storage
+    lfs.enable = true;
+    settings = {
+      server = {
+        DOMAIN = domain;
+        # You need to specify this to remove the port from URLs in the web UI.
+        ROOT_URL = "https://${domain}/";
+        HTTP_PORT = port;
+      };
+      # You can temporarily allow registration to create an admin user.
+      service.DISABLE_REGISTRATION = true;
+    };
+  };
+}

nix/home/programs/forgejo/webserver.nix

@@ -0,0 +1,40 @@
+{ lib, ... }:
+
+let
+ domain = lib.strings.fileContents ../../../../secrets/letsencrypt/mediaserver/forgedomain;
+in
+{
+   services.nginx = {
+    virtualHosts.${domain} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        # Provide the ssl cert and key for the vhost
+        #Some players don't reopen a socket and playback stops totally instead of resuming after an extended pause
+        send_timeout 100m;
+
+        # Why this is important: https://blog.cloudflare.com/ocsp-stapling-how-cloudflare-just-made-ssl-30/
+        ssl_stapling on;
+        ssl_stapling_verify on;
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+        # ssl_prefer_server_ciphers on;
+        #Intentionally not hardened for security for player support and encryption video streams has a lot of overhead with something like AES-256-GCM-SHA384.
+        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-RSA-DES-CBC3-SHA:ECDHE-ECDSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
+
+        # A LOT of javascript, xml and html. This helps a lot, but if it causes playback issues with devices turn it off.
+        gzip on;
+        gzip_vary on;
+        gzip_min_length 1000;
+        gzip_proxied any;
+        gzip_types text/plain text/css text/xml application/xml text/javascript application/x-javascript image/svg+xml;
+        gzip_disable "MSIE [1-6]\.";
+
+        # Nginx default client_max_body_size is 1MB, which breaks Camera Upload feature from the phones.
+        # Increasing the limit fixes the issue. Anyhow, if 4K videos are expected to be uploaded, the size might need to be increased even more
+        client_max_body_size 100M;
+      '';
+      locations."/".proxyPass = "http://192.168.1.168:9090";
+    };
+  };
+}