Update server configurations and remove outdated documentation

servers/forgejo.nix

@@ -12,25 +12,50 @@ let
   adminUser  = "jsutter";
   adminEmail = "jsutter@symbiotrip.com";
 
-
 in
 
 {
-  security.acme.certs.${fqdn}.group = config.services.nginx.group;
+  # DNS-based ACME certificate configuration
+  # Uses defaults (dnsProvider, email, credentials) from nginx.nix
+  security.acme.certs.${fqdn} = {
+    # Group needs to be set so nginx can read the certificate
+    group = config.services.nginx.group;
+
+    # Inherit DNS challenge configuration from security.acme.defaults (set in nginx.nix)
+    # This includes: dnsProvider = "cloudflare", environmentFile with Cloudflare token, email
+
+    # Explicitly ensure DNS mode (not HTTP-01)
+    webroot = null;
+  };
+
+  # Nginx virtual host for Forgejo
   services.nginx.virtualHosts.${fqdn} = {
+    # CRITICAL FIX: Don't set enableACME = true
+    # That would create an HTTP-01 challenge handler, which conflicts with DNS challenge
+    # Instead, we use useACMEHost to reference the DNS-obtained certificate
+    enableACME = false;  # Disable automatic ACME for this vhost
+    useACMEHost = fqdn;  # Use the certificate obtained via DNS challenge
+
     forceSSL = true;
-    enableACME = true;
-    useACMEHost = fqdn;
-    acmeRoot = null;
+
+    # acmeRoot is not needed/used with DNS challenge method
+    # acmeRoot = null;  # Removed - implicit with enableACME = false
+
     extraConfig = ''
       client_max_body_size 512M;
       proxy_set_header Host $host;
       proxy_set_header X-Forwarded-Proto $scheme;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+      # Logging for debugging
+      access_log /var/log/nginx/${fqdn}-access.log;
+      error_log /var/log/nginx/${fqdn}-error.log warn;
     '';
+
     locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
   };
 
+  # Forgejo service configuration
   services.forgejo = {
     enable = true;
     database.type = "postgres";
@@ -41,6 +66,8 @@ in
         DOMAIN = fqdn;
         ROOT_URL = "https://${fqdn}/";
         HTTP_PORT = 3000;
+        # Bind to localhost only - nginx handles public HTTPS
+        LOCAL_ROOT_URL = "http://localhost:3000/";
       };
 
       service.DISABLE_REGISTRATION = true;
@@ -60,7 +87,13 @@ in
     };
   };
 
-  # Create/ensure admin user
+  # Ensure nginx starts after ACME certificate is available
+  systemd.services.nginx = {
+    after = [ "acme-${fqdn}.service" "acme-${fqdn}-renew.service" ];
+    requires = [ "acme-${fqdn}.service" ];
+  };
+
+  # Create/ensure admin user on startup
   systemd.services.forgejo.preStart = let
     adminCmd = "${lib.getExe cfg.package} admin user";
   in ''
@@ -72,9 +105,10 @@ in
       --must-change-password=false || true
   '';
 
-  # Actions runner (runs jobs in Docker containers per labels)
+  # Enable Docker for Forgejo Actions runner
   virtualisation.docker.enable = true;
 
+  # Configure Forgejo Actions runner
   services.gitea-actions-runner = {
     package = pkgs.forgejo-runner;
     instances.default = {

servers/nginx.nix

@@ -1,8 +1,9 @@
 { config, lib, pkgs, ... }:
 let
   # WARNING: this ends up world-readable in the Nix store if you inline it.
+  # For production, use agenix or pass through systemd credentials
   cloudflareEnv = pkgs.writeText "cloudflare-acme.env" ''
-    umnyPSYOr9U3m404_IBMl4PTOzg29nz_XzNEGw2v
+    CLOUDFLARE_DNS_API_TOKEN=umnyPSYOr9U3m404_IBMl4PTOzg29nz_XzNEGw2v
   '';
 in
 {