some changes

modules/nixos/sites/cache/default.nix

@@ -24,6 +24,7 @@ in {
     services.nix-serve = {
       enable = true;
       secretKeyFile = sec.cache_key.path;
+      port = 12024;
     };
 
     services.nginx.virtualHosts."cache.zoeys.computer" = {

modules/nixos/sites/code/default.nix

@@ -0,0 +1,107 @@
+{
+  lib,
+  config,
+  pkgs,
+  inputs,
+  ...
+}:
+with lib;
+with lib.custom; let
+  cfg = config.sites.forgejo;
+  frg = config.services.forgejo;
+  srv = frg.settings.server;
+in {
+  options.sites.forgejo = with types; {
+    enable = mkBoolOpt false "Enable Forgejo site";
+
+    domain = mkStringOpt "code.zoeys.cloud" "The domain for the site";
+  };
+
+  config = mkIf cfg.enable {
+    services.nginx.virtualHosts.${frg.settings.server.DOMAIN} = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        client_max_body_size 512M;
+      '';
+      locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
+    };
+
+    catppuccin.forgejo.enable = true;
+
+    services.gitea-actions-runner = {
+      package = pkgs.forgejo-actions-runner;
+      instances.default = {
+        enable = true;
+        name = "monolith";
+        url = "https://code.zoeys.cloud";
+        # Obtaining the path to the runner token file may differ
+        # tokenFile should be in format TOKEN=<secret>, since it's EnvironmentFile for systemd
+        tokenFile = config.age.secrets.forgejo-runner-token.path;
+        labels = [
+          "ubuntu-latest:docker://node:16-bullseye"
+          "ubuntu-22.04:docker://node:16-bullseye"
+          "ubuntu-20.04:docker://node:16-bullseye"
+          "ubuntu-18.04:docker://node:16-buster"
+          ## optionally provide native execution on the host:
+          # "native:host"
+        ];
+      };
+    };
+
+    services.forgejo = {
+      enable = true;
+      database.type = "postgres";
+
+      lfs.enable = true;
+      settings = {
+        server = {
+          DOMAIN = cfg.domain;
+          ROOT_URL = "https://${srv.DOMAIN}";
+          HTTP_PORT = 7201;
+        };
+        service.DISABLE_REGISTRATION = true;
+        actions = {
+          ENABLED = true;
+          DEFAULT_ACTIONS_URL = "github";
+        };
+        mailer = {
+          ENABLED = true;
+          SMTP_ADDR = "mail.zoeys.cloud";
+          FROM = "no-reply@${srv.DOMAIN}";
+          USER = "no-reply@${srv.DOMAIN}";
+        };
+      };
+      secrets = {
+        mailer = {
+          PASSWD = config.age.secrets.forgejo-mailer-password.path;
+        };
+      };
+    };
+
+    systemd.services.forgejo.preStart = let
+      adminCmd = "${lib.getExe frg.package} admin user";
+      pwd = config.age.secrets.forgejo-pw;
+      user = "zoey";
+    in ''
+      ${adminCmd} create --admin --email "hi@zoeys.computer" --username ${user} --password "$(tr -d '\n' < ${pwd.path})" || true'';
+
+    age.secrets = {
+      forgejo-mailer-password = {
+        file = ../sourcehut/sec/smtpPassword.age;
+        mode = "400";
+        owner = "forgejo";
+      };
+      forgejo-pw = {
+        file = ./forgejoPw.age;
+        mode = "400";
+        owner = "forgejo";
+      };
+      forgejo-runner-token = {
+        file = ./forgejoRunner.age;
+        mode = "400";
+        owner = "forgejo";
+      };
+    };
+  };
+}

modules/nixos/sites/code/forgejoRunner.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 CtmR6w oShhq0zXjjMoDW0+AZx/ro5x3XZ/Smf//Han2rZdA0o
+ucJn5M9x66gxKPmkVg1E4F/PsZ7rBTA8MlUAbmIC+2s
+-> ssh-ed25519 RMNffg GBNcFhRuZyme2t/yrWDS/lrQzpm1wHUkAhjLz86ZG3I
+bpsZdqqP205zT9F7Ca5jtCn/qfKcI/gTxANQOPLWnnA
+--- JbJQpU8FaE6TPHMyX4SmDQLEI8b67SaFG73nUc+Ud3s
+"'Åx<C385>táop‹h°ðhç5]Ž|Új1‰_e#mDö~mv
ŒÈ¢osõ˜ÊRfúù’‚€’ðfëoÕ<>óÅ"RžÜêf8uuU?¯

modules/nixos/sites/gitlab/default.nix

@@ -57,44 +57,6 @@ in {
 
     boot.kernel.sysctl."net.ipv4.ip_forward" = true; # 1
 
-    services.gitlab-runner = {
-      enable = true;
-      services = {
-        nix = with lib; {
-          authenticationTokenConfigFile = sec.gitlab_runner.path;
-          dockerImage = "alpine";
-          dockerVolumes = [
-            "/nix/store:/nix/store:ro"
-            "/nix/var/nix/db:/nix/var/nix/db:ro"
-            "/nix/var/nix/daemon-socket:/nix/var/nix/daemon-socket:ro"
-          ];
-          dockerDisableCache = true;
-          preBuildScript = pkgs.writeScript "setup-container" ''
-            mkdir -p -m 0755 /nix/var/log/nix/drvs
-            mkdir -p -m 0755 /nix/var/nix/gcroots
-            mkdir -p -m 0755 /nix/var/nix/profiles
-            mkdir -p -m 0755 /nix/var/nix/temproots
-            mkdir -p -m 0755 /nix/var/nix/userpool
-            mkdir -p -m 1777 /nix/var/nix/gcroots/per-user
-            mkdir -p -m 1777 /nix/var/nix/profiles/per-user
-            mkdir -p -m 0755 /nix/var/nix/profiles/per-user/root
-            mkdir -p -m 0700 "$HOME/.nix-defexpr"
-            . ${pkgs.nix}/etc/profile.d/nix-daemon.sh
-            ${pkgs.nix}/bin/nix-channel --add https://nixos.org/channels/nixos-24.11 nixpkgs # 3
-            ${pkgs.nix}/bin/nix-channel --update nixpkgs
-            ${pkgs.nix}/bin/nix-env -i ${concatStringsSep " " (with pkgs; [nix cacert git openssh])}
-          '';
-          environmentVariables = {
-            ENV = "/etc/profile";
-            USER = "root";
-            NIX_REMOTE = "daemon";
-            PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin";
-            NIX_SSL_CERT_FILE = "/nix/var/nix/profiles/default/etc/ssl/certs/ca-bundle.crt";
-          };
-        };
-      };
-    };
-
     services.gitlab = {
       enable = true;
       databasePasswordFile = sec.gitlab_db.path;

modules/nixos/sites/sourcehut/default.nix

@@ -0,0 +1,204 @@
+{
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib;
+with lib.custom; let
+  cfg = config.sites.sourcehut;
+
+  srhtCfg = config.services.sourcehut;
+
+  fqdn = "zoeys.cloud";
+
+  sec = config.age.secrets;
+
+  sourcehutGroup = "sourcehut-secrets";
+
+  mkSrhtBindOverrides = serviceNames:
+    lib.listToAttrs (map (name: {
+        name = name;
+
+        value = {
+          serviceConfig.BindReadOnlyPaths = lib.mkMerge ["/run/agenix"];
+        };
+      })
+      serviceNames);
+
+  metaServices = lib.mkIf srhtCfg.meta.enable (mkSrhtBindOverrides [
+    "metasrht" # Main web service
+    "metashrt-daily"
+    "metasrht-api" # API service
+    "metasrht-webhooks" # Webhook worker
+  ]);
+
+  gitServices = lib.mkIf srhtCfg.git.enable (mkSrhtBindOverrides [
+    "gitsrht" # Main web service
+    "gitsrht-api" # API service
+    "gitsrht-periodic" # Timer service
+    "gitsrht-webhooks" # Webhook worker
+    "gitsrht-fcgiwrap" # FCGIWrap for git http backend (might need access if hooks use secrets)
+  ]);
+
+  manServices = lib.mkIf srhtCfg.man.enable (mkSrhtBindOverrides [
+    "mansrht" # Main web service
+    # Add others if man gains sub-services
+  ]);
+in {
+  options.sites.sourcehut = with types; {
+    enable = mkBoolOpt false "Enable SRHT";
+  };
+
+  config = mkIf cfg.enable {
+    users.groups.sourcehut-secrets = {};
+
+    users.users.metasrht.extraGroups = ["sourcehut-secrets"];
+    users.users.gitsrht.extraGroups = ["sourcehut-secrets"];
+
+    systemd.services = lib.mkMerge [
+      metaServices
+      gitServices
+    ];
+
+    age.secrets = {
+      network-key = {
+        file = ./sec/networkKey.age;
+        owner = "root";
+        group = sourcehutGroup;
+        mode = "0440";
+      };
+      service-key = {
+        file = ./sec/serviceKey.age;
+        owner = "root";
+        group = sourcehutGroup;
+        mode = "0440";
+      };
+      webhook-key = {
+        file = ./sec/webhookKey.age;
+        owner = "root";
+        group = sourcehutGroup;
+        mode = "0440";
+      };
+      smtp-password = {
+        file = ./sec/smtpPassword.age;
+        owner = "root";
+        group = sourcehutGroup;
+        mode = "0440";
+      };
+
+      pgp-pub-key = {
+        file = ./sec/pgpPubKey.age;
+        owner = "root";
+        group = sourcehutGroup;
+        mode = "0440"; # Or 0444 if it needs to be world-readable, but 0440 is safer
+      };
+      pgp-priv-key = {
+        file = ./sec/pgpPrivKey.age;
+        owner = "root";
+        group = sourcehutGroup;
+        mode = "0440"; # Private key needs strict permissions
+      };
+
+      git-client-secret = {
+        file = ./sec/gitClientSecret.age;
+        owner = "root";
+        group = sourcehutGroup;
+        mode = "0440";
+      };
+      man-client-secret = {
+        file = ./sec/gitClientSecret.age;
+        owner = "root";
+        group = sourcehutGroup;
+        mode = "0440";
+      };
+    };
+
+    services.sourcehut = {
+      enable = true;
+
+      git.enable = true;
+      git.redis.host = "redis://localhost:6379?db=0";
+      man.enable = true;
+      man.redis.host = "redis://localhost:6379?db=0";
+      meta.enable = true;
+      meta.redis.host = "redis://localhost:6379?db=0";
+      # todo.enable = true;
+      # paste.enable = true;
+      # lists.enable = true;
+
+      nginx.enable = true;
+      postgresql.enable = true;
+      redis.enable = true;
+
+      postfix.enable = false;
+
+      settings = {
+        "sr.ht" = {
+          environment = "production";
+          global-domain = fqdn;
+
+          origin = "https://${fqdn}";
+
+          owner-email = "admin@${fqdn}";
+          owner-name = "zoey";
+          site-name = "zoey's cloud";
+
+          network-key = sec.network-key.path;
+          service-key = sec.service-key.path;
+        };
+
+        webhooks = {
+          private-key = sec.webhook-key.path;
+        };
+
+        "git.sr.ht" = {
+          oauth-client-id = "bdd69307-d8b9-4f02-b079-2a1055c3e865";
+          oauth-client-secret = sec.git-client-secret.path;
+        };
+
+        "man.sr.ht" = {
+          oauth-client-id = "9c64aac1-51cb-48f0-9ff8-a2af377dd38e";
+          oauth-client-secret = sec.man-client-secret.path;
+        };
+
+        mail = {
+          smtp-host = "mail.zoeys.email";
+          smtp-port = 465;
+          smtp-user = "srht@${fqdn}";
+          smtp-password = sec.smtp-password.path;
+          smtp-from = "no-reply@${fqdn}";
+
+          smtp-ssl = true;
+
+          pgp-pubkey = sec.pgp-pub-key.path;
+          pgp-privkey = sec.pgp-priv-key.path;
+
+          pgp-key-id = "0xD82899ACCD75CC48";
+
+          error-to = "errors@${fqdn}";
+          error-from = "sourcehut-errors@${fqdn}";
+        };
+
+        "meta.sr.ht::settings" = {
+          registration = true;
+        };
+      };
+    };
+
+    security.acme.certs."${fqdn}".extraDomainNames = [
+      "meta.${fqdn}"
+      "man.${fqdn}"
+      "git.${fqdn}"
+    ];
+
+    services.nginx = {
+      virtualHosts = {
+        "${fqdn}".enableACME = true;
+        "meta.${fqdn}".enableACME = true;
+        "man.${fqdn}".enableACME = true;
+        "git.${fqdn}".enableACME = true;
+      };
+    };
+  };
+}

modules/nixos/sites/sourcehut/sec/networkKey.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 CtmR6w sWwNYqQ3g9UMu35p8kvAXj4uEy35g0///7gpHFO69zs
+1lQ0r74sGR+K/ynikwClNB5UZ3ZD1fTpxSdJE5Dk0nM
+-> ssh-ed25519 RMNffg vqaQVHXN7yjv10wz2xZCpJ6O7fqXaNYCPqKEdufkdCc
+FLFvodvpQGPYbjv8yoyjHE2+a+YyZkBGZZbOx33GpRo
+--- H3zEDss69sqnW3LM5GlWR11xx9E8u04/id6jlZqNgfg
+J^s=†ÕYЭ_ÂŒü¤/À ÉȤ¸Ziýþ#‹?Lu—œ”Ú3Ñ~vH¢c9^î™Cù‡²…²üuŸ»ßÚp[ÉcúCS<43>Sv¹S

modules/nixos/sites/sourcehut/sec/smtpPassword.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 CtmR6w ExpktzFWkofB1qmGIexwu0UAnUeGzQIeeEMHiZNXQkY
+YDNPPLtB8N7A0NB0VwVkQAN3DNeknLo3rv+WdcUdLD0
+-> ssh-ed25519 RMNffg GFHzl2/nPuIVH4RzUnbUl/LHFmkXQ+pPUGuQzcEZi3o
+Z6iMUjgD0K7LCYWV0qZMbyzWmUsbhp0anr3niecdyPs
+--- wjP9Fn9/VIrsgwbTVZv/vzbEskwMKmQbHohtNyfF02w
+Ýžsý§‘zš‡<EFBFBD>ÍKQŽÐä‘b	#&™ÖTÆ3v/<2F>ÂÐg‘¨Õ¨%ë½fõî›\^œj²QÜqh