feat: fw final switch to forgejo

hosts/fw/modules/dnsmasq.nix

@@ -103,8 +103,7 @@
         "/mopidy.cloonar.com/${config.networkPrefix}.97.21"
         "/snapcast.cloonar.com/${config.networkPrefix}.97.21"
         "/lms.cloonar.com/${config.networkPrefix}.97.21"
-        "/git.cloonar.com/${config.networkPrefix}.97.50"
-        "/forgejo.cloonar.com/${config.networkPrefix}.97.55"
+        "/git.cloonar.com/${config.networkPrefix}.97.55"
         "/feeds.cloonar.com/188.34.191.144"
         "/nukibridge1a753f72.cloonar.smart/${config.networkPrefix}.100.112"
         "/allywatch.cloonar.com/${config.networkPrefix}.97.5"

hosts/fw/modules/firewall.nix

@@ -118,7 +118,7 @@
               iifname "smart" oifname "server" ip daddr ${config.networkPrefix}.97.20/32 tcp dport { 1883 } counter accept
 
               # Forward to git server
-              oifname "server" ip daddr ${config.networkPrefix}.97.50 tcp dport { 22 } counter accept 
+              oifname "server" ip daddr ${config.networkPrefix}.97.55 tcp dport { 22 } counter accept 
               oifname "server" ip daddr ${config.networkPrefix}.97.5 tcp dport { 80, 443 } counter accept 
 
               # lan and vpn to any
@@ -167,7 +167,7 @@
             chain prerouting {
               type nat hook prerouting priority filter; policy accept;
               iifname "server" ip daddr ${config.networkPrefix}.96.255 udp dport { 9 } dnat to ${config.networkPrefix}.96.255
-              iifname "wan" tcp dport { 22 } dnat to ${config.networkPrefix}.97.50
+              iifname "wan" tcp dport { 22 } dnat to ${config.networkPrefix}.97.55
               iifname "wan" tcp dport { 80, 443 } dnat to ${config.networkPrefix}.97.5
               iifname "wan" tcp dport { 5000 } dnat to ${config.networkPrefix}.97.51
               iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to ${config.networkPrefix}.97.201

hosts/fw/modules/forgejo-runner.nix

@@ -51,7 +51,7 @@ in {
 
       services.gitea-actions-runner.instances.${runner} = {
         enable = true;
-        url = "https://forgejo.cloonar.com";
+        url = "https://git.cloonar.com";
         name = runner;
         tokenFile = "/run/secrets/forgejo-runner-token";
         labels = [

hosts/fw/modules/forgejo.nix

@@ -19,13 +19,12 @@ in
   users.users.forgejo = user;
   users.groups.forgejo = group;
 
-  # Reuse the existing git.cloonar.com ACME cert from gitea.nix
-  security.acme.certs."forgejo.cloonar.com" = {
+  security.acme.certs."git.cloonar.com" = {
     group = "nginx";
   };
 
   containers.forgejo = {
-    autoStart = false;  # Don't start until migration is complete
+    autoStart = true;
     ephemeral = false; # because of ssh key
     privateNetwork = true;
     hostBridge = "server";
@@ -37,8 +36,7 @@ in
         isReadOnly = false;
       };
       "/var/lib/acme/forgejo/" = {
-        # hostPath = config.security.acme.certs.${domain}.directory;
-        hostPath = config.security.acme.certs."forgejo.cloonar.com".directory;
+        hostPath = config.security.acme.certs.${domain}.directory;
         isReadOnly = true;
       };
       "/run/secrets/forgejo-mailer-password" = {
@@ -146,7 +144,6 @@ in
 
   sops.secrets.forgejo-mailer-password = {
     owner = "forgejo";
-    # restartUnits removed - would start the container even with autoStart=false
-    # Re-add after migration: restartUnits = [ "container@forgejo.service" ];
+    restartUnits = [ "container@forgejo.service" ];
   };
 }

hosts/fw/modules/web/proxies.nix

@@ -1,13 +1,5 @@
 { config, lib, ... }: {
   services.nginx.virtualHosts."git.cloonar.com" = {
-    forceSSL = true;
-    enableACME = true;
-    acmeRoot = null;
-    locations."/" = {
-      proxyPass = "https://git.cloonar.com/";
-    };
-  };
-  services.nginx.virtualHosts."forgejo.cloonar.com" = {
     forceSSL = true;
     enableACME = true;
     acmeRoot = null;