change dns setup

switch to forgejo

enable miniflux

autodefenestrate

hosts/gerg-desktop/services/ddns.nix

@@ -78,6 +78,7 @@
       }
 
       func "*.gerg-l.com" "8f76f071c5edbc0f947a5c5f9c5df9f8"
+      func "gerg-l.com" "8f76f071c5edbc0f947a5c5f9c5df9f8" "false"
       func "minecraft.gerg-l.com" "8f76f071c5edbc0f947a5c5f9c5df9f8" "false"
       func "*.nix-fu.com" "cc2df9163c3730f58b866409ac5a108c"
       func "nix-fu.com" "cc2df9163c3730f58b866409ac5a108c"

hosts/gerg-desktop/services/forgejo.nix

@@ -0,0 +1,37 @@
+{ lib, config }:
+{
+  users = {
+    groups.${config.services.forgejo.group} = { };
+    users = {
+      ${config.services.forgejo.user} = {
+        isSystemUser = true;
+        group = config.services.forgejo.group;
+        extraGroups = [ "postgres" ];
+        openssh.authorizedKeys.keys = [ config.local.keys.gerg_gerg-desktop ];
+      };
+
+      ${config.services.nginx.user}.extraGroups = [ config.services.forgejo.group ];
+    };
+  };
+  services.forgejo = {
+    enable = true;
+    stateDir = "/persist/services/forgejo";
+    settings = {
+      DEFAULT.APP_NAME = "Powered by NixOS";
+      server = {
+        DOMAIN = "git.gerg-l.com";
+        ROOT_URL = "https://git.gerg-l.com/";
+        LANDING_PAGE = "/explore/repos";
+        HTTP_ADDR = "/run/forgejo/forgejo.sock";
+        PROTOCOL = "http+unix";
+        UNIX_SOCKET_PERMISSION = "660";
+      };
+      ui.DEFAULT_THEME = "forgejo-dark";
+      service.DISABLE_REGISTRATION = true;
+    };
+    database = {
+      type = "postgres";
+      createDatabase = true;
+    };
+  };
+}

hosts/gerg-desktop/services/gitea.nix

@@ -1,34 +0,0 @@
-{ lib, config }:
-{
-  config = lib.mkIf false {
-    users.users = {
-      ${config.services.gitea.user} = {
-        openssh.authorizedKeys.keys = [ config.local.keys.gerg_gerg-desktop ];
-        extraGroups = [ "postgres" ];
-      };
-      ${config.services.nginx.user}.extraGroups = [ config.services.gitea.group ];
-    };
-    services.gitea = {
-      enable = false;
-      stateDir = "/persist/services/gitea";
-      appName = "Powered by NixOS";
-      settings = {
-        server = {
-          DOMAIN = "git.gerg-l.com";
-          ROOT_URL = "https://git.gerg-l.com/";
-          LANDING_PAGE = "/explore/repos";
-          HTTP_ADDR = "/run/gitea/gitea.sock";
-          PROTOCOL = "http+unix";
-          UNIX_SOCKET_PERMISSION = "660";
-        };
-        ui.DEFAULT_THEME = "arc-green";
-        service.DISABLE_REGISTRATION = true;
-      };
-      database = {
-        type = "postgres";
-        socket = "/run/postgresql";
-        createDatabase = true;
-      };
-    };
-  };
-}

hosts/gerg-desktop/services/miniflux.nix

@@ -8,7 +8,7 @@
 
   systemd.services = {
     miniflux = {
-      enable = false;
+      enable = true;
 
       description = "Miniflux service";
       wantedBy = [ "multi-user.target" ];

hosts/gerg-desktop/services/nginx.nix

@@ -13,20 +13,33 @@
         inherit (config.services.nginx) group;
       });
 
+  security.acme = {
+    acceptTerms = true;
+    certs."gerg-l.com" = {
+      email = "GregLeyda@proton.me";
+      webroot = "/var/lib/acme/acme-challenge";
+      extraDomainNames = [
+        "search.gerg-l.com"
+        "git.gerg-l.com"
+        "next.gerg-l.com"
+        "flux.gerg-l.com"
+        "cache.gerg-l.com"
+      ];
+    };
+  };
+
+  systemd.tmpfiles.rules = [ "L+ /var/lib/acme - - - - /persist/services/acme" ];
+
+  users.users.${config.services.nginx.user}.extraGroups = [ "acme" ];
+
   services.nginx = {
     enable = true;
+    recommendedZstdSettings = true;
     recommendedGzipSettings = true;
     recommendedOptimisation = true;
     recommendedProxySettings = true;
     recommendedTlsSettings = true;
     virtualHosts = {
-      "_" = {
-        default = true;
-        forceSSL = true;
-        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
-        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
-        locations."/".return = "404";
-      };
       "nix-fu.com" = {
         forceSSL = true;
         sslCertificate = config.sops.secrets.nixfu_ssl_cert.path;
@@ -34,35 +47,51 @@
         serverAliases = [ "www.nix-fu.com" ];
         globalRedirect = "github.com/Gerg-L";
       };
+      "_" = {
+        default = true;
+        forceSSL = true;
+        useACMEHost = "gerg-l.com";
+
+        locations."/".return = "404";
+      };
       "search.gerg-l.com" = {
         forceSSL = true;
-        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
-        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
+        useACMEHost = "gerg-l.com";
+
         locations."/".extraConfig = "uwsgi_pass unix:${config.services.searx.uwsgiConfig.socket};";
         extraConfig = "access_log off;";
       };
       "git.gerg-l.com" = {
         forceSSL = true;
-        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
-        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
-        locations."/".proxyPass = "http://unix:${config.services.gitea.settings.server.HTTP_ADDR}";
-      };
-      "next.gerg-l.com" = {
-        forceSSL = true;
-        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
-        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
+        useACMEHost = "gerg-l.com";
+
+        locations."/".proxyPass = "http://unix:${config.services.forgejo.settings.server.HTTP_ADDR}";
       };
       "flux.gerg-L.com" = {
         forceSSL = true;
-        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
-        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
+        useACMEHost = "gerg-l.com";
+
         locations."/".proxyPass = "http://unix:${config.systemd.services.miniflux.environment.LISTEN_ADDR}";
       };
+      "next.gerg-l.com" = {
+        forceSSL = true;
+        useACMEHost = "gerg-l.com";
+        extraConfig = ''
+          zstd on;
+          zstd_types "*";
+        '';
+      };
       "cache.gerg-L.com" = {
         forceSSL = true;
-        sslCertificate = config.sops.secrets.gerg_ssl_cert.path;
-        sslCertificateKey = config.sops.secrets.gerg_ssl_key.path;
-        locations."/".proxyPass = "http://unix:/run/nix-serve/nix-serve.sock";
+        useACMEHost = "gerg-l.com";
+
+        locations."/" = {
+          proxyPass = "http://unix:/run/nix-serve/nix-serve.sock";
+          extraConfig = ''
+            zstd on;
+            zstd_types "*";
+          '';
+        };
       };
     };
   };

hosts/gerg-desktop/services/postgresql.nix

@@ -7,7 +7,6 @@
 
     ensureDatabases = [
       "miniflux"
-      config.services.gitea.database.user
     ];
     ensureUsers = [
       {