Local config hell.

2026-02-06 22:02:53 +01:00 · 2026-02-06 22:02:53 +01:00 · 6e399b829a
commit 6e399b829a
parent 9e349b7164
2 changed files with 194 additions and 145 deletions
--- a/nix-system-configs/modules/system/forgejo.nix
+++ b/nix-system-configs/modules/system/forgejo.nix
@ -8,79 +8,104 @@
  cfg = config.services.forgejo;
  srv = cfg.settings.server;
 in {
+  options.local = {
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      default = "nixos-default";
+      description = "System hostname";
+    };
+    username = lib.mkOption {
+      type = lib.types.str;
+      default = "user";
+      description = "Primary user username";
+    };
+    userDescription = lib.mkOption {
+      type = lib.types.str;
+      default = "NixOS User";
+      description = "Primary user description";
+    };
+    address = lib.mkOption {
+      type = lib.types.str;
+      default = "10.1.1.100";
+      description = "Static IP address";
+    };
+  };
+
+  config = {
    local.hostname = "forgejoprg";
    local.username = "forgejoprg";
    local.userDescription = "Forgejo Admin";
    local.address = "10.1.1.4";

-  # Enable Fedgejo service
-  services.nginx = {
-    enable = true;
-    virtualHosts."git.prg.local" = {
-      # Remove forceSSL and enableACME for local network
-      # forceSSL = true;
-      # enableACME = true;
-      extraConfig = ''
-        client_max_body_size 512M;
-      '';
-      locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
-    };
-  };
-
-  # Enable PostgreSQL for Forgejo
-  services.postgresql.enable = true;
-
-  # Forgejo configuration
-  services.forgejo = {
-    enable = true;
-    database = {
-      type = "postgres";
-      host = "10.1.1.251"; # IP of your database server
-      name = "forgejo";
-      user = "forgejo";
-      passwordFile = "/home/forgejoprg/password.txt"; # Store password in a separate file for security
-    };
-    lfs.enable = true;
-
-    settings = {
-      server = {
-        DOMAIN = "git.prg-radio.org";
-        ROOT_URL = "https://git.prg-radio.org/";
-        HTTP_PORT = 3000;
-        # SSH integration
-        SSH_PORT = lib.head config.services.openssh.ports;
+    # Enable Fedgejo service
+    services.nginx = {
+      enable = true;
+      virtualHosts."git.prg.local" = {
+        # Remove forceSSL and enableACME for local network
+        # forceSSL = true;
+        # enableACME = true;
+        extraConfig = ''
+          client_max_body_size 512M;
+        '';
+        locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
      };
-
-      # Temporarily allow registration to create admin user
-      service.DISABLE_REGISTRATION = false;
-
-      # Enable Actions support
-      actions = {
-        ENABLED = true;
-        DEFAULT_ACTIONS_URL = "github";
-      };
-
-      # Optional: Email configuration
-      # mailer = {
-      #   ENABLED = false;
-      # };
    };
+
+    # Enable PostgreSQL for Forgejo
+    services.postgresql.enable = true;
+
+    # Forgejo configuration
+    services.forgejo = {
+      enable = true;
+      database = {
+        type = "postgres";
+        host = "10.1.1.251"; # IP of your database server
+        name = "forgejo";
+        user = "forgejo";
+        passwordFile = "/home/forgejoprg/password.txt"; # Store password in a separate file for security
+      };
+      lfs.enable = true;
+
+      settings = {
+        server = {
+          DOMAIN = "git.prg-radio.org";
+          ROOT_URL = "https://git.prg-radio.org/";
+          HTTP_PORT = 3000;
+          # SSH integration
+          SSH_PORT = lib.head config.services.openssh.ports;
+        };
+
+        # Temporarily allow registration to create admin user
+        service.DISABLE_REGISTRATION = false;
+
+        # Enable Actions support
+        actions = {
+          ENABLED = true;
+          DEFAULT_ACTIONS_URL = "github";
+        };
+
+        # Optional: Email configuration
+        # mailer = {
+        #   ENABLED = false;
+        # };
+      };
+    };
+
+    # Open ports in the firewall.
+    networking.firewall.allowedTCPPorts = [3000];
+
+    imports = [
+      # ./secrets/secrets.nix  # Add this locally after running add-secrets.zsh
+      # Optionally import local secrets if present (won't fail if missing)
+      (lib.optional (builtins.pathExists ./secrets/secrets.nix) ./secrets/secrets.nix)
+      ./modules/desktop-manager/sway_greetd_homemanager.nix
+      ./modules/local/hostname_username.nix
+      ./modules/local/networking_local.nix
+      ./modules/toolsets/remote_building.nix
+      ./modules/bootloader/seabios.nix
+      ./modules/lix-default.nix
+    ];
+
+    system.stateVersion = "25.11";
  };
-
-  # Open ports in the firewall.
-  networking.firewall.allowedTCPPorts = [3000];
-
-  imports = [
-    # ./secrets/secrets.nix  # Add this locally after running add-secrets.zsh
-    # Optionally import local secrets if present (won't fail if missing)
-    (lib.optional (builtins.pathExists ./secrets/secrets.nix) ./secrets/secrets.nix)
-    ./modules/desktop-manager/sway_greetd_homemanager.nix
-    ./modules/local/hostname_username.nix
-    ./modules/local/networking_local.nix
-    ./modules/toolsets/remote_building.nix
-    ./modules/bootloader/seabios.nix
-    ./modules/lix-default.nix
-  ];
-
-  system.stateVersion = "25.11";
 }
--- a/nix-system-configs/modules/system/traefik.nix
+++ b/nix-system-configs/modules/system/traefik.nix
@ -4,99 +4,123 @@
  lib,
  ...
 }: {
+  options.local = {
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      default = "nixos-default";
+      description = "System hostname";
+    };
+    username = lib.mkOption {
+      type = lib.types.str;
+      default = "user";
+      description = "Primary user username";
+    };
+    userDescription = lib.mkOption {
+      type = lib.types.str;
+      default = "NixOS User";
+      description = "Primary user description";
+    };
+    address = lib.mkOption {
+      type = lib.types.str;
+      default = "10.1.1.100";
+      description = "Static IP address";
+    };
+  };
+
+  config = {
    local.hostname = "nixos-traefik";
    local.username = "traefikprg";
    local.userDescription = "NixOS PRG Traefik Service";
    local.address = "10.1.1.250";

-
-  services.traefik = {
-    enable = true;
-    group = "acme";
-    staticConfigOptions = {
-      entryPoints = {
-        web = {
-          address = ":80";
-          asDefault = true;
-          http.redirections.entrypoint = {
-            to = "websecure";
-            scheme = "https";
+    services.traefik = {
+      enable = true;
+      group = "acme";
+      staticConfigOptions = {
+        entryPoints = {
+          web = {
+            address = ":80";
+            asDefault = true;
+            http.redirections.entrypoint = {
+              to = "websecure";
+              scheme = "https";
+            };
+          };
+          websecure = {
+            address = ":443";
+            asDefault = true;
+            http.tls = {
+              domains = [
+                {
+                  main = "prg-radio.org";
+                  sans = ["*.prg-radio.org"];
+                }
+              ];
+            };
          };
        };
-        websecure = {
-          address = ":443";
-          asDefault = true;
-          http.tls = {
-            domains = [
-              {
-                main = "prg-radio.org";
-                sans = ["*.prg-radio.org"];
-              }
+        log = {
+          level = "INFO";
+          filePath = "${config.services.traefik.dataDir}/traefik.log";
+          format = "json";
+        };
+        api.dashboard = true;
+        api.insecure = true;
+      };
+      dynamicConfigOptions = {
+        tls.certificates = [
+          {
+            certFile = "/var/lib/acme/prg-radio.org/cert.pem";
+            keyFile = "/var/lib/acme/prg-radio.org/key.pem";
+          }
+        ];
+        http.routers = {
+          forgejo = {
+            rule = "Host(`git.prg-radio.org`)";
+            service = "forgejo";
+            entryPoints = ["websecure"];
+            tls = {};
+          };
+        };
+        http.services = {
+          forgejo.loadBalancer = {
+            servers = [
+              {url = "http://10.1.1.4:3000";}
            ];
          };
        };
      };
-      log = {
-        level = "INFO";
-        filePath = "${config.services.traefik.dataDir}/traefik.log";
-        format = "json";
-      };
-      api.dashboard = true;
-      api.insecure = true;
    };
-    dynamicConfigOptions = {
-      tls.certificates = [
-        {
-          certFile = "/var/lib/acme/prg-radio.org/cert.pem";
-          keyFile = "/var/lib/acme/prg-radio.org/key.pem";
-        }
-      ];
-      http.routers = {
-        forgejo = {
-          rule = "Host(`git.prg-radio.org`)";
-          service = "forgejo";
-          entryPoints = ["websecure"];
-          tls = {};
-        };
-      };
-      http.services = {
-        forgejo.loadBalancer = {
-          servers = [
-            {url = "http://10.1.1.4:3000";}
-          ];
-        };
+
+    security.acme = {
+      acceptTerms = true;
+      defaults.email = "dtu.prg@gmail.com";
+      certs."prg-radio.org" = {
+        domain = "*.prg-radio.org";
+        group = "acme";
+        dnsProvider = "cloudflare";
+        environmentFile = "/home/traefikprg/cloudflare/cloudflare.env";
+        reloadServices = ["traefik.service"];
      };
    };
-  };

-  security.acme = {
-    acceptTerms = true;
-    defaults.email = "dtu.prg@gmail.com";
-    certs."prg-radio.org" = {
-      domain = "*.prg-radio.org";
-      group = "acme";
-      dnsProvider = "cloudflare";
-      environmentFile = "/home/traefikprg/cloudflare/cloudflare.env";
-      reloadServices = ["traefik.service"];
+    systemd.services.traefik = {
+      after = ["acme-finished-prg-radio.org.target"];
+      wants = ["acme-finished-prg-radio.org.target"];
    };
+
+    networking.firewall.allowedTCPPorts = [80 443];
+    networking.firewall.allowedUDPPorts = [80 443];
+
+    imports = [
+      ./modules/desktop-manager/sway_greetd_homemanager.nix
+      ./modules/local/hostname_username.nix
+      ./modules/local/networking_local.nix
+      ./modules/bootloader/seabios.nix
+      ./modules/lix-default.nix
+      # Optionally: ./modules/toolsets/remote_building.nix
+    ];
+
+    system.stateVersion = "25.11";
  };
-
-  systemd.services.traefik = {
-    after = ["acme-finished-prg-radio.org.target"];
-    wants = ["acme-finished-prg-radio.org.target"];
-  };
-
-  networking.firewall.allowedTCPPorts = [80 443];
-  networking.firewall.allowedUDPPorts = [80 443];
-
-  imports = [
-    ./modules/desktop-manager/sway_greetd_homemanager.nix
-    ./modules/local/hostname_username.nix
-    ./modules/local/networking_local.nix
-    ./modules/bootloader/seabios.nix
-    ./modules/lix-default.nix
-    # Optionally: ./modules/toolsets/remote_building.nix
-  ];
-
-  system.stateVersion = "25.11";
 }