Refactor the Nix config management.

nix-system-configs/modules/system/forgejo.nix

@@ -0,0 +1,86 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: let
+  home-manager = builtins.fetchTarball "https://github.com/nix-community/home-manager/archive/release-25.11.tar.gz";
+  cfg = config.services.forgejo;
+  srv = cfg.settings.server;
+in {
+  local.hostname = "forgejoprg";
+  local.username = "forgejoprg";
+  local.userDescription = "Forgejo Admin";
+  local.address = "10.1.1.4";
+
+  # Enable Fedgejo service
+  services.nginx = {
+    enable = true;
+    virtualHosts."git.prg.local" = {
+      # Remove forceSSL and enableACME for local network
+      # forceSSL = true;
+      # enableACME = true;
+      extraConfig = ''
+        client_max_body_size 512M;
+      '';
+      locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
+    };
+  };
+
+  # Enable PostgreSQL for Forgejo
+  services.postgresql.enable = true;
+
+  # Forgejo configuration
+  services.forgejo = {
+    enable = true;
+    database = {
+      type = "postgres";
+      host = "10.1.1.251"; # IP of your database server
+      name = "forgejo";
+      user = "forgejo";
+      passwordFile = "/home/forgejoprg/password.txt"; # Store password in a separate file for security
+    };
+    lfs.enable = true;
+
+    settings = {
+      server = {
+        DOMAIN = "git.prg-radio.org";
+        ROOT_URL = "https://git.prg-radio.org/";
+        HTTP_PORT = 3000;
+        # SSH integration
+        SSH_PORT = lib.head config.services.openssh.ports;
+      };
+
+      # Temporarily allow registration to create admin user
+      service.DISABLE_REGISTRATION = false;
+
+      # Enable Actions support
+      actions = {
+        ENABLED = true;
+        DEFAULT_ACTIONS_URL = "github";
+      };
+
+      # Optional: Email configuration
+      # mailer = {
+      #   ENABLED = false;
+      # };
+    };
+  };
+
+  # Open ports in the firewall.
+  networking.firewall.allowedTCPPorts = [3000];
+
+  imports = [
+    # ./secrets/secrets.nix  # Add this locally after running add-secrets.zsh
+    # Optionally import local secrets if present (won't fail if missing)
+    (lib.optional (builtins.pathExists ./secrets/secrets.nix) ./secrets/secrets.nix)
+    ./modules/desktop-manager/sway_greetd_homemanager.nix
+    ./modules/local/hostname_username.nix
+    ./modules/local/networking_local.nix
+    ./modules/toolsets/remote_building.nix
+    ./modules/bootloader/seabios.nix
+    ./modules/lix-default.nix
+  ];
+
+  system.stateVersion = "25.11";
+}

nix-system-configs/modules/system/traefik.nix

@@ -0,0 +1,101 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  local.hostname = "nixos-traefik";
+  local.username = "traefikprg";
+  local.userDescription = "NixOS PRG Traefik Service";
+  local.address = "10.1.1.250";
+
+  services.traefik = {
+    enable = true;
+    group = "acme";
+    staticConfigOptions = {
+      entryPoints = {
+        web = {
+          address = ":80";
+          asDefault = true;
+          http.redirections.entrypoint = {
+            to = "websecure";
+            scheme = "https";
+          };
+        };
+        websecure = {
+          address = ":443";
+          asDefault = true;
+          http.tls = {
+            domains = [
+              {
+                main = "prg-radio.org";
+                sans = ["*.prg-radio.org"];
+              }
+            ];
+          };
+        };
+      };
+      log = {
+        level = "INFO";
+        filePath = "${config.services.traefik.dataDir}/traefik.log";
+        format = "json";
+      };
+      api.dashboard = true;
+      api.insecure = true;
+    };
+    dynamicConfigOptions = {
+      tls.certificates = [
+        {
+          certFile = "/var/lib/acme/prg-radio.org/cert.pem";
+          keyFile = "/var/lib/acme/prg-radio.org/key.pem";
+        }
+      ];
+      http.routers = {
+        forgejo = {
+          rule = "Host(`git.prg-radio.org`)";
+          service = "forgejo";
+          entryPoints = ["websecure"];
+          tls = {};
+        };
+      };
+      http.services = {
+        forgejo.loadBalancer = {
+          servers = [
+            {url = "http://10.1.1.4:3000";}
+          ];
+        };
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "dtu.prg@gmail.com";
+    certs."prg-radio.org" = {
+      domain = "*.prg-radio.org";
+      group = "acme";
+      dnsProvider = "cloudflare";
+      environmentFile = "/home/traefikprg/cloudflare/cloudflare.env";
+      reloadServices = ["traefik.service"];
+    };
+  };
+
+  systemd.services.traefik = {
+    after = ["acme-finished-prg-radio.org.target"];
+    wants = ["acme-finished-prg-radio.org.target"];
+  };
+
+  networking.firewall.allowedTCPPorts = [80 443];
+  networking.firewall.allowedUDPPorts = [80 443];
+
+  imports = [
+    ./modules/desktop-manager/sway_greetd_homemanager.nix
+    ./modules/local/hostname_username.nix
+    ./modules/local/networking_local.nix
+    ./modules/bootloader/seabios.nix
+    ./modules/lix-default.nix
+    # Optionally: ./modules/toolsets/remote_building.nix
+  ];
+
+  system.stateVersion = "25.11";
+}