From f5a0bc582d7207fbc8e0521f61f4db657cfa3bd3 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Sun, 1 Feb 2026 15:23:10 +0100
Subject: [PATCH 1/4] feat: fw final switch to forgejo

---
 hosts/fw/configuration.nix | 6 ++----
 hosts/fw/modules/dnsmasq.nix | 3 +--
 hosts/fw/modules/firewall.nix | 4 ++--
 hosts/fw/modules/forgejo-runner.nix | 2 +-
 hosts/fw/modules/forgejo.nix | 11 ++++-------
 hosts/fw/modules/web/proxies.nix | 8 --------
 6 files changed, 10 insertions(+), 24 deletions(-)

diff --git a/hosts/fw/configuration.nix b/hosts/fw/configuration.nix
index 0c7af8d..5e29c0d 100644
--- a/hosts/fw/configuration.nix
+++ b/hosts/fw/configuration.nix
@@ -32,7 +32,6 @@
 # microvm
 ./modules/microvm.nix
- ./modules/gitea-vm.nix
 ./modules/forgejo-runner.nix
 ./modules/dev-microvm.nix
 # ./modules/vscode-server.nix # Add VS Code Server microvm
@@ -45,8 +44,7 @@
 ./modules/web
 # git
- ./modules/gitea.nix
- ./modules/forgejo.nix # Migration: autoStart=false, start after migration script
+ ./modules/forgejo.nix
 # ./modules/fwmetrics.nix
 # ha customers
@@ -81,7 +79,7 @@
 networkPrefix = "10.42";
 # Systemd services to monitor
- services.victoriametrics.monitoredServices = [ "ai-mailer" "container@git" "microvm@git-runner-" "microvm@fj-runner-" ];
+ services.victoriametrics.monitoredServices = [ "ai-mailer" "container@forgejo" "microvm@fj-runner-" ];
 nixpkgs.overlays = [
 (import ./utils/overlays/packages.nix)
diff --git a/hosts/fw/modules/dnsmasq.nix b/hosts/fw/modules/dnsmasq.nix
index 768f255..9e16d42 100644
--- a/hosts/fw/modules/dnsmasq.nix
+++ b/hosts/fw/modules/dnsmasq.nix
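Review bot: The `./modules/gitea-vm.nix` and `./modules/gitea.nix` imports are dropped in the first two hunks, but the diffstat lists no deleted file, so both modules stay in the tree as configuration that is no longer evaluated and presumably still names the `.97.50` host and the `container@git` unit that the rest of this series retires. Nothing breaks today because an unimported module is inert, but the next reader cannot tell retired from temporarily disabled; either remove both files in this commit or give each a `# retired: superseded by forgejo.nix, kept for reference` header. The `monitoredServices` change in the third hunk is consistent with the `microvm@fj-runner-` prefix the alert entries later in the series rely on.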
@@ -103,8 +103,7 @@
 "/mopidy.cloonar.com/${config.networkPrefix}.97.21"
 "/snapcast.cloonar.com/${config.networkPrefix}.97.21"
 "/lms.cloonar.com/${config.networkPrefix}.97.21"
- "/git.cloonar.com/${config.networkPrefix}.97.50"
- "/forgejo.cloonar.com/${config.networkPrefix}.97.55"
+ "/git.cloonar.com/${config.networkPrefix}.97.55"
 "/feeds.cloonar.com/188.34.191.144"
 "/nukibridge1a753f72.cloonar.smart/${config.networkPrefix}.100.112"
 "/allywatch.cloonar.com/${config.networkPrefix}.97.5"
diff --git a/hosts/fw/modules/firewall.nix b/hosts/fw/modules/firewall.nix
index 22bc6a1..c876e13 100644
--- a/hosts/fw/modules/firewall.nix
+++ b/hosts/fw/modules/firewall.nix
@@ -118,7 +118,7 @@
 iifname "smart" oifname "server" ip daddr ${config.networkPrefix}.97.20/32 tcp dport { 1883 } counter accept
 # Forward to git server
- oifname "server" ip daddr ${config.networkPrefix}.97.50 tcp dport { 22 } counter accept
+ oifname "server" ip daddr ${config.networkPrefix}.97.55 tcp dport { 22 } counter accept
 oifname "server" ip daddr ${config.networkPrefix}.97.5 tcp dport { 80, 443 } counter accept
 # lan and vpn to any
@@ -167,7 +167,7 @@
 chain prerouting {
 type nat hook prerouting priority filter; policy accept;
 iifname "server" ip daddr ${config.networkPrefix}.96.255 udp dport { 9 } dnat to ${config.networkPrefix}.96.255
- iifname "wan" tcp dport { 22 } dnat to ${config.networkPrefix}.97.50
+ iifname "wan" tcp dport { 22 } dnat to ${config.networkPrefix}.97.55
 iifname "wan" tcp dport { 80, 443 } dnat to ${config.networkPrefix}.97.5
 iifname "wan" tcp dport { 5000 } dnat to ${config.networkPrefix}.97.51
 iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to ${config.networkPrefix}.97.201
diff --git a/hosts/fw/modules/forgejo-runner.nix b/hosts/fw/modules/forgejo-runner.nix
index 06befd1..c8f93f8 100644
--- a/hosts/fw/modules/forgejo-runner.nix
+++ b/hosts/fw/modules/forgejo-runner.nix
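Review bot: Dropping the `/forgejo.cloonar.com/` record here removes internal resolution for a name that the surviving vhost body in proxies.nix (the lines below that hunk, formerly the `forgejo.cloonar.com` vhost) may still use in its `proxyPass`; if it does, the `git.cloonar.com` vhost now proxies to a name dnsmasq no longer answers. Worth confirming that proxyPass points at `https://git.cloonar.com/` or at the container itself, since the removed `git.cloonar.com` vhost used exactly that self-referential form and it is the only one the hunk shows. Separately, `.97.55` is now a literal in this record, in the forward accept of the firewall.nix hunk at line 118 and in the dnat at line 167; a single binding such as `forgejoAddr = "${config.networkPrefix}.97.55";` referenced from all three keeps the next move of the container from being a three-file edit.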
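Review bot: The rewritten accept under `# Forward to git server` keeps no `iifname` restriction, so any interface whose traffic reaches this forward chain can open tcp/22 on the Forgejo container, whereas the mqtt rule directly above is pinned to `iifname "smart"`. The WAN path is what the dnat at line 167 produces and LAN/VPN traffic is admitted by the `# lan and vpn to any` block that follows, so if those are the only intended sources, `iifname "wan" oifname "server" ip daddr ${config.networkPrefix}.97.55 tcp dport { 22 } counter accept` narrows the rule without losing either. This was already true of the old `.97.50` line; the commit only moves the address, which is why it is worth deciding now. The chain holding these rules begins and ends outside the hunk.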
@@ -51,7 +51,7 @@ in {
 services.gitea-actions-runner.instances.${runner} = {
 enable = true;
- url = "https://forgejo.cloonar.com";
+ url = "https://git.cloonar.com";
 name = runner;
 tokenFile = "/run/secrets/forgejo-runner-token";
 labels = [
diff --git a/hosts/fw/modules/forgejo.nix b/hosts/fw/modules/forgejo.nix
index d364f72..afb4cd1 100644
--- a/hosts/fw/modules/forgejo.nix
+++ b/hosts/fw/modules/forgejo.nix
@@ -19,13 +19,12 @@ in
 users.users.forgejo = user;
 users.groups.forgejo = group;
- # Reuse the existing git.cloonar.com ACME cert from gitea.nix
- security.acme.certs."forgejo.cloonar.com" = {
+ security.acme.certs."git.cloonar.com" = {
 group = "nginx";
 };
 containers.forgejo = {
- autoStart = false; # Don't start until migration is complete
+ autoStart = true;
 ephemeral = false; # because of ssh key
 privateNetwork = true;
 hostBridge = "server";
@@ -37,8 +36,7 @@ in
 isReadOnly = false;
 };
 "/var/lib/acme/forgejo/" = {
- # hostPath = config.security.acme.certs.${domain}.directory;
- hostPath = config.security.acme.certs."forgejo.cloonar.com".directory;
+ hostPath = config.security.acme.certs.${domain}.directory;
 isReadOnly = true;
 };
 "/run/secrets/forgejo-mailer-password" = {
@@ -146,7 +144,6 @@ in
 sops.secrets.forgejo-mailer-password = {
 owner = "forgejo";
- # restartUnits removed - would start the container even with autoStart=false
- # Re-add after migration: restartUnits = [ "container@forgejo.service" ];
+ restartUnits = [ "container@forgejo.service" ];
 };
 }
diff --git a/hosts/fw/modules/web/proxies.nix b/hosts/fw/modules/web/proxies.nix
index 1709e39..421ea1a 100644
--- a/hosts/fw/modules/web/proxies.nix
+++ b/hosts/fw/modules/web/proxies.nix
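Review bot: The cert is declared as `security.acme.certs."git.cloonar.com"` in the forgejo.nix hunk at line 19, while the bind mount in the hunk at line 36 reads `config.security.acme.certs.${domain}.directory`, so the two agree only as long as `domain` (bound in the let above the hunk, to judge by the `in` header and the old commented-out line) happens to equal the literal. Writing the declaration as `security.acme.certs.${domain} = { group = "nginx"; };` gives the mount and the cert one source. The same name is presumably also what `enableACME = true` on the `git.cloonar.com` vhost in proxies.nix requests, so a `# merged with the nginx vhost's enableACME entry; group nginx so the host proxy and the container mount can read the key` comment on the declaration would spare the next reader the cross-file lookup. The container definition continues outside the hunk.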
@@ -1,13 +1,5 @@
 { config, lib, ... }: {
 services.nginx.virtualHosts."git.cloonar.com" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- locations."/" = {
- proxyPass = "https://git.cloonar.com/";
- };
- };
- services.nginx.virtualHosts."forgejo.cloonar.com" = {
 forceSSL = true;
 enableACME = true;
 acmeRoot = null;

From 646bbde71ca2e180e3e1023763de323129cffb92 Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Sun, 1 Feb 2026 15:23:25 +0100
Subject: [PATCH 2/4] feat: forgejo alerts

---
 .../modules/grafana/alerting/service/services_down.nix | 5 +++--
 hosts/web-arm/modules/prometheus.nix | 8 ++++----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/hosts/web-arm/modules/grafana/alerting/service/services_down.nix b/hosts/web-arm/modules/grafana/alerting/service/services_down.nix
index 8d04832..7172280 100644
--- a/hosts/web-arm/modules/grafana/alerting/service/services_down.nix
+++ b/hosts/web-arm/modules/grafana/alerting/service/services_down.nix
@@ -7,8 +7,9 @@ let
 { name = "Postfix"; service = "postfix.service"; instance = "mail:9100"; }
 { name = "Dovecot"; service = "dovecot.service"; instance = "mail:9100"; }
 { name = "OpenLDAP"; service = "openldap.service"; instance = "mail:9100"; }
- { name = "Gitea"; service = "container@git.service"; instance = "fw:9100"; }
- { name = "Gitea Runner"; service = "microvm@git-runner-1.service"; instance = "fw:9100"; }
+ { name = "Forgejo"; service = "container@forgejo.service"; instance = "fw:9100"; }
+ { name = "Forgejo Runner 1"; service = "microvm@fj-runner-1.service"; instance = "fw:9100"; }
+ { name = "Forgejo Runner 2"; service = "microvm@fj-runner-2.service"; instance = "fw:9100"; }
 { name = "WireGuard"; service = "wireguard-wg_cloonar.service"; instance = "fw:9100"; }
 { name = "MySQL"; service = "mysql.service"; instance = "amzebs-01:9100"; }
 { name = "Nginx"; service = "nginx.service"; instance = "amzebs-01:9100"; }
diff --git a/hosts/web-arm/modules/prometheus.nix b/hosts/web-arm/modules/prometheus.nix
index dc70321..bdd5a8f 100644
--- a/hosts/web-arm/modules/prometheus.nix
+++ b/hosts/web-arm/modules/prometheus.nix
@@ -118,10 +118,10 @@
 description="homeassistant notification {{$labels.entity}} ({{$labels.friendly_name}}): {{$value}}"
 }
- ALERT gitea
- IF rate(promhttp_metric_handler_requests_total{job="gitea", code="500"}[5m]) > 3
+ ALERT forgejo
+ IF rate(promhttp_metric_handler_requests_total{job="forgejo", code="500"}[5m]) > 3
 ANNOTATIONS {
- description="{{$labels.instance}}: gitea instances error rate went up: {{$value}} errors in 5 minutes"
+ description="{{$labels.instance}}: forgejo instances error rate went up: {{$value}} errors in 5 minutes"
 }
 ''
 ];
@@ -198,7 +198,7 @@
 ];
 }
 {
- job_name = "gitea";
+ job_name = "forgejo";
 scrape_interval = "60s";
 metrics_path = "/metrics";

From 0af34231472203db9db1fb03664534cf271b336b Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Sun, 1 Feb 2026 15:36:29 +0100
Subject: [PATCH 3/4] feat: add dev host to fleet

---
 fleet.nix | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fleet.nix b/fleet.nix
index e8a8ab5..2084c8b 100644
--- a/fleet.nix
+++ b/fleet.nix
@@ -51,6 +51,10 @@
 username = "nas";
 key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICS6b97LPUpr7/kWvOcI40s5e+gfbfz0I2/hAPL6zTmU";
 }
+ {
+ username = "dev";
+ key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICS6b97LPUpr7/kWvOcI40s5e+gfbfz0I2/hAPL6zTmU";
+ }
 {
 username = "amzebs-01";

From d140a20ed95e8f6a00823ca446050f184a7fab2b Mon Sep 17 00:00:00 2001
From: Dominik Polakovics
Date: Sun, 1 Feb 2026 15:47:41 +0100
Subject: [PATCH 4/4] feat: remove tmux from dev and add claude resume shortcut

---
 hosts/dev/configuration.nix | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/hosts/dev/configuration.nix b/hosts/dev/configuration.nix
index bca1d31..7fcc526 100644
--- a/hosts/dev/configuration.nix
+++ b/hosts/dev/configuration.nix
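Review bot: Renaming the scrape job to `forgejo` in the hunk at line 198 keeps it in step with the `job="forgejo"` selector in the alert at line 118, but the job's targets lie below this hunk; if `static_configs` still names the old git VM that patch 1 retires from dnsmasq and the firewall, the renamed job scrapes nothing, `promhttp_metric_handler_requests_total` is never collected, and the 500-rate alert goes quiet instead of firing. Worth confirming the target now resolves to the Forgejo container and that its `/metrics` endpoint is reachable from web-arm, since that reachability is what the alert silently depends on. A `# target must follow the forgejo container; an unreachable target disables the forgejo alert rather than raising it` comment on the job would make that coupling visible. The `scrapeConfigs` entry continues past the hunk.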
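Review bot: The new `dev` entry carries the same `ssh-ed25519 AAAAC3…zTmU` public key as the `nas` entry directly above it, so one private key now stands for two hosts and whatever consumes this list cannot distinguish them; a key lifted from either host is accepted as the other. Generate a separate keypair on the dev host and paste its public half here, and if the sharing is deliberate, say so in a `# same key as nas: <reason>` comment so it is not read as a copy-paste slip. What this list authorizes is defined outside the hunk, so the actual blast radius is an inference.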
@@ -55,13 +55,18 @@ in
 programs.zsh.enable = true;
 users.defaultUserShell = pkgs.zsh;
- # Auto-attach to tmux on SSH login
- environment.interactiveShellInit = ''
- if [[ -n "$SSH_CONNECTION" ]] && [[ -z "$TMUX" ]]; then
- tmux attach-session -t main 2>/dev/null || tmux new-session -s main
- fi
+ # Welcome message with Claude Code reminder
+ users.motd = ''
+ Welcome to dev
+
+ Claude Code: claude or cr (resume last session)
 '';
+ # Short alias for resuming Claude sessions
+ programs.zsh.shellAliases = {
+ cr = "claude --resume";
+ };
 # Passwordless sudo for dominik
 security.sudo.extraRules = [{
 users = [ "dominik" ];
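Review bot: `programs.zsh.shellAliases` is added as a second top-level `programs.zsh` path while `programs.zsh.enable = true;` sits a few lines above it; folding them into `programs.zsh = { enable = true; shellAliases.cr = "claude --resume"; };` keeps the shell setup in one place. The motd advertises `cr` to every login, but the alias exists only in interactive zsh, which `users.defaultUserShell = pkgs.zsh` makes the default rather than the only shell, so a `# zsh-only; relies on users.defaultUserShell = pkgs.zsh` comment on the alias block would record that dependency. The module body that encloses this hunk continues outside it.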