Update server configurations and remove outdated documentation

2026-02-16 13:25:54 -08:00 · 2026-02-16 13:25:54 -08:00 · fea03b98ca
commit fea03b98ca
parent 8fdbb33939
5 changed files with 44 additions and 1261 deletions
--- a/docs/README-unstable
+++ b/docs/README-unstable
@ -1,117 +0,0 @@
-# Hybrid Package Management: Stable + Unstable
-
-This NixOS configuration uses a hybrid approach where the system runs on the stable NixOS 24.05 branch but can selectively use packages from the unstable branch when needed.
-
-## How It Works
-
-The `flake.nix` includes both stable and unstable nixpkgs inputs:
-
-```nix
-inputs = {
-  nixpkgs.url = "nixpkgs/nixos-24.05";           # Stable base
-  nixpkgs-unstable.url = "nixpkgs/nixos-unstable"; # Unstable packages
-  # ... other inputs
-};
-```
-
-The unstable packages are made available to all system configurations via `specialArgs`:
-
-```nix
-nixosConfigurations = {
-  framework = nixpkgs.lib.nixosSystem {
-    system = "x86_64-linux";
-    specialArgs = {
-      pkgs-unstable = import nixpkgs-unstable {
-        system = "x86_64-linux";
-        config.allowUnfree = true;
-      };
-    };
-    modules = [ /* ... */ ];
-  };
-};
-```
-
-## Using Unstable Packages
-
-### In System Configuration Files
-
-To use an unstable package in any `.nix` configuration file:
-
-1. **Add `pkgs-unstable` to the function parameters:**
-   ```nix
-   { config, pkgs, pkgs-unstable, ... }:
-   ```
-
-2. **Use the unstable package:**
-   ```nix
-   environment.systemPackages = with pkgs; [
-     # Stable packages
-     firefox
-     git
-     
-     # Unstable packages
-     pkgs-unstable.windsurf
-     pkgs-unstable.some-other-package
-   ];
-   ```
-
-### Example: Current Usage
-
-See `desktop/dev.nix` for a working example:
-
-```nix
-{ config, pkgs, pkgs-unstable, ... }:
-
-{
-  environment.systemPackages = with pkgs; [
-    # Stable packages
-    nodejs
-    rpi-imager
-    
-    # Unstable packages
-    pkgs-unstable.windsurf  # Use windsurf from unstable
-  ];
-}
-```
-
-## When to Use Unstable Packages
-
-Use unstable packages when:
- A package is not available in the stable branch
- You need a newer version with specific features or bug fixes
- You're developing with cutting-edge tools
-
-## Benefits of This Approach
-
-1. **System Stability**: Core system components use stable, well-tested packages
-2. **Package Availability**: Access to the latest packages when needed
-3. **Selective Updates**: Choose which packages to get from unstable
-4. **Easy Maintenance**: Clear separation between stable and unstable dependencies
-
-## Adding New Unstable Packages
-
-To add a new unstable package:
-
-1. Find the configuration file where you want to add the package
-2. Ensure the file accepts `pkgs-unstable` parameter
-3. Add `pkgs-unstable.package-name` to the appropriate list
-4. Test with `nixos-rebuild dry-run --flake .#framework`
-5. Apply with `nixos-rebuild switch --flake .#framework`
-
-## Updating Packages
-
- **Stable packages**: Updated when you update the flake lock
- **Unstable packages**: Updated when you run `nix flake update`
-
-To update only unstable packages:
-```bash
-nix flake lock --update-input nixpkgs-unstable
-```
-
-## Current Unstable Packages in Use
-
- `windsurf` - Modern code editor (in `desktop/dev.nix`)
-
---
-
-This hybrid approach gives you the stability of NixOS stable with the flexibility to use cutting-edge packages when needed.
--- a/docs/agents.md
+++ b/docs/agents.md
--- a/flake.nix
+++ b/flake.nix
@ -85,6 +85,7 @@
          ./systems/common.nix
          ./users/jsutter.nix
          ./systems/warp.nix
+          ./servers/nginx.nix
          ./servers/forgejo.nix
        ];
      };
--- a/servers/forgejo.nix
+++ b/servers/forgejo.nix
@ -12,25 +12,50 @@ let
  adminUser  = "jsutter";
  adminEmail = "jsutter@symbiotrip.com";

-
 in

 {
-  security.acme.certs.${fqdn}.group = config.services.nginx.group;
+  # DNS-based ACME certificate configuration
+  # Uses defaults (dnsProvider, email, credentials) from nginx.nix
+  security.acme.certs.${fqdn} = {
+    # Group needs to be set so nginx can read the certificate
+    group = config.services.nginx.group;
+
+    # Inherit DNS challenge configuration from security.acme.defaults (set in nginx.nix)
+    # This includes: dnsProvider = "cloudflare", environmentFile with Cloudflare token, email
+
+    # Explicitly ensure DNS mode (not HTTP-01)
+    webroot = null;
+  };
+
+  # Nginx virtual host for Forgejo
  services.nginx.virtualHosts.${fqdn} = {
+    # CRITICAL FIX: Don't set enableACME = true
+    # That would create an HTTP-01 challenge handler, which conflicts with DNS challenge
+    # Instead, we use useACMEHost to reference the DNS-obtained certificate
+    enableACME = false;  # Disable automatic ACME for this vhost
+    useACMEHost = fqdn;  # Use the certificate obtained via DNS challenge
+
    forceSSL = true;
-    enableACME = true;
-    useACMEHost = fqdn;
-    acmeRoot = null;
+
+    # acmeRoot is not needed/used with DNS challenge method
+    # acmeRoot = null;  # Removed - implicit with enableACME = false
+
    extraConfig = ''
      client_max_body_size 512M;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-Proto $scheme;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+
+      # Logging for debugging
+      access_log /var/log/nginx/${fqdn}-access.log;
+      error_log /var/log/nginx/${fqdn}-error.log warn;
    '';
+
    locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
  };

+  # Forgejo service configuration
  services.forgejo = {
    enable = true;
    database.type = "postgres";
@ -41,6 +66,8 @@ in
        DOMAIN = fqdn;
        ROOT_URL = "https://${fqdn}/";
        HTTP_PORT = 3000;
+        # Bind to localhost only - nginx handles public HTTPS
+        LOCAL_ROOT_URL = "http://localhost:3000/";
      };

      service.DISABLE_REGISTRATION = true;
@ -60,7 +87,13 @@ in
    };
  };

-  # Create/ensure admin user
+  # Ensure nginx starts after ACME certificate is available
+  systemd.services.nginx = {
+    after = [ "acme-${fqdn}.service" "acme-${fqdn}-renew.service" ];
+    requires = [ "acme-${fqdn}.service" ];
+  };
+
+  # Create/ensure admin user on startup
  systemd.services.forgejo.preStart = let
    adminCmd = "${lib.getExe cfg.package} admin user";
  in ''
@ -72,9 +105,10 @@ in
      --must-change-password=false || true
  '';

-  # Actions runner (runs jobs in Docker containers per labels)
+  # Enable Docker for Forgejo Actions runner
  virtualisation.docker.enable = true;

+  # Configure Forgejo Actions runner
  services.gitea-actions-runner = {
    package = pkgs.forgejo-runner;
    instances.default = {
--- a/servers/nginx.nix
+++ b/servers/nginx.nix
@ -1,8 +1,9 @@
 { config, lib, pkgs, ... }:
 let
  # WARNING: this ends up world-readable in the Nix store if you inline it.
+  # For production, use agenix or pass through systemd credentials
  cloudflareEnv = pkgs.writeText "cloudflare-acme.env" ''
-    umnyPSYOr9U3m404_IBMl4PTOzg29nz_XzNEGw2v
+    CLOUDFLARE_DNS_API_TOKEN=umnyPSYOr9U3m404_IBMl4PTOzg29nz_XzNEGw2v
  '';
 in
 {