Update server configurations and remove outdated documentation

2026-02-16 13:25:54 -08:00 · 2026-02-16 13:25:54 -08:00 · fea03b98ca
commit fea03b98ca
parent 8fdbb33939
5 changed files with 44 additions and 1261 deletions
--- a/docs/README-unstable
+++ b/docs/README-unstable
@ -1,117 +0,0 @@
 # Hybrid Package Management: Stable + Unstable
 This NixOS configuration uses a hybrid approach where the system runs on the stable NixOS 24.05 branch but can selectively use packages from the unstable branch when needed.
 ## How It Works
 The `flake.nix` includes both stable and unstable nixpkgs inputs:
 ```nix
 inputs = {
  nixpkgs.url = "nixpkgs/nixos-24.05";           # Stable base
  nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; # Unstable packages
  # ... other inputs
 };
 ```
 The unstable packages are made available to all system configurations via `specialArgs`:
 ```nix
 nixosConfigurations = {
  framework = nixpkgs.lib.nixosSystem {
    system = "x86_64-linux";
    specialArgs = {
      pkgs-unstable = import nixpkgs-unstable {
        system = "x86_64-linux";
        config.allowUnfree = true;
      };
    };
    modules = [ /* ... */ ];
  };
 };
 ```
 ## Using Unstable Packages
 ### In System Configuration Files
 To use an unstable package in any `.nix` configuration file:
 1. **Add `pkgs-unstable` to the function parameters:**
   ```nix
   { config, pkgs, pkgs-unstable, ... }:
   ```
 2. **Use the unstable package:**
   ```nix
   environment.systemPackages = with pkgs; [
     # Stable packages
     firefox
     git
     # Unstable packages
     pkgs-unstable.windsurf
     pkgs-unstable.some-other-package
   ];
   ```
 ### Example: Current Usage
 See `desktop/dev.nix` for a working example:
 ```nix
 { config, pkgs, pkgs-unstable, ... }:
 {
  environment.systemPackages = with pkgs; [
    # Stable packages
    nodejs
    rpi-imager
    # Unstable packages
    pkgs-unstable.windsurf  # Use windsurf from unstable
  ];
 }
 ```
 ## When to Use Unstable Packages
 Use unstable packages when:
 - A package is not available in the stable branch
 - You need a newer version with specific features or bug fixes
 - You're developing with cutting-edge tools
 ## Benefits of This Approach
 1. **System Stability**: Core system components use stable, well-tested packages
 2. **Package Availability**: Access to the latest packages when needed
 3. **Selective Updates**: Choose which packages to get from unstable
 4. **Easy Maintenance**: Clear separation between stable and unstable dependencies
 ## Adding New Unstable Packages
 To add a new unstable package:
 1. Find the configuration file where you want to add the package
 2. Ensure the file accepts `pkgs-unstable` parameter
 3. Add `pkgs-unstable.package-name` to the appropriate list
 4. Test with `nixos-rebuild dry-run --flake .#framework`
 5. Apply with `nixos-rebuild switch --flake .#framework`
 ## Updating Packages
 - **Stable packages**: Updated when you update the flake lock
 - **Unstable packages**: Updated when you run `nix flake update`
 To update only unstable packages:
 ```bash
 nix flake lock --update-input nixpkgs-unstable
 ```
 ## Current Unstable Packages in Use
 - `windsurf` - Modern code editor (in `desktop/dev.nix`)
 ---
 This hybrid approach gives you the stability of NixOS stable with the flexibility to use cutting-edge packages when needed.
--- a/docs/agents.md
+++ b/docs/agents.md
--- a/flake.nix
+++ b/flake.nix
@ -85,6 +85,7 @@
          ./systems/common.nix
          ./users/jsutter.nix
          ./systems/warp.nix
          ./servers/nginx.nix
          ./servers/forgejo.nix
        ];
      };
--- a/servers/forgejo.nix
+++ b/servers/forgejo.nix
@ -12,25 +12,50 @@ let
  adminUser  = "jsutter";
  adminEmail = "jsutter@symbiotrip.com";
 in
 {
-  security.acme.certs.${fqdn}.group = config.services.nginx.group;
+  # DNS-based ACME certificate configuration
  # Uses defaults (dnsProvider, email, credentials) from nginx.nix
  security.acme.certs.${fqdn} = {
    # Group needs to be set so nginx can read the certificate
    group = config.services.nginx.group;
    # Inherit DNS challenge configuration from security.acme.defaults (set in nginx.nix)
    # This includes: dnsProvider = "cloudflare", environmentFile with Cloudflare token, email
    # Explicitly ensure DNS mode (not HTTP-01)
    webroot = null;
  };
  # Nginx virtual host for Forgejo
  services.nginx.virtualHosts.${fqdn} = {
    # CRITICAL FIX: Don't set enableACME = true
    # That would create an HTTP-01 challenge handler, which conflicts with DNS challenge
    # Instead, we use useACMEHost to reference the DNS-obtained certificate
    enableACME = false;  # Disable automatic ACME for this vhost
    useACMEHost = fqdn;  # Use the certificate obtained via DNS challenge
    forceSSL = true;
-    enableACME = true;
+
-    useACMEHost = fqdn;
+    # acmeRoot is not needed/used with DNS challenge method
-    acmeRoot = null;
+    # acmeRoot = null;  # Removed - implicit with enableACME = false
    extraConfig = ''
      client_max_body_size 512M;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      # Logging for debugging
      access_log /var/log/nginx/${fqdn}-access.log;
      error_log /var/log/nginx/${fqdn}-error.log warn;
    '';
    locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
  };
  # Forgejo service configuration
  services.forgejo = {
    enable = true;
    database.type = "postgres";
@ -41,6 +66,8 @@ in
        DOMAIN = fqdn;
        ROOT_URL = "https://${fqdn}/";
        HTTP_PORT = 3000;
        # Bind to localhost only - nginx handles public HTTPS
        LOCAL_ROOT_URL = "http://localhost:3000/";
      };
      service.DISABLE_REGISTRATION = true;
@ -60,7 +87,13 @@ in
    };
  };
-  # Create/ensure admin user
+  # Ensure nginx starts after ACME certificate is available
  systemd.services.nginx = {
    after = [ "acme-${fqdn}.service" "acme-${fqdn}-renew.service" ];
    requires = [ "acme-${fqdn}.service" ];
  };
  # Create/ensure admin user on startup
  systemd.services.forgejo.preStart = let
    adminCmd = "${lib.getExe cfg.package} admin user";
  in ''
@ -72,9 +105,10 @@ in
      --must-change-password=false || true
  '';
-  # Actions runner (runs jobs in Docker containers per labels)
+  # Enable Docker for Forgejo Actions runner
  virtualisation.docker.enable = true;
  # Configure Forgejo Actions runner
  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.default = {
--- a/servers/nginx.nix
+++ b/servers/nginx.nix
@ -1,8 +1,9 @@
 { config, lib, pkgs, ... }:
 let
  # WARNING: this ends up world-readable in the Nix store if you inline it.
  # For production, use agenix or pass through systemd credentials
  cloudflareEnv = pkgs.writeText "cloudflare-acme.env" ''
-    umnyPSYOr9U3m404_IBMl4PTOzg29nz_XzNEGw2v
+    CLOUDFLARE_DNS_API_TOKEN=umnyPSYOr9U3m404_IBMl4PTOzg29nz_XzNEGw2v
  '';
 in
 {