linode: Remove old server

acme: Don't attempt to get certs if the domain is wrong
hetzner: Add new server config
2024-03-11 00:33:00 +01:00 · 2024-03-11 00:33:00 +01:00 · 2024-03-11 00:32:47 +01:00 · 2023-12-30 22:09:32 +01:00
17 changed files with 378 additions and 452 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,6 +1,7 @@
 keys:
  - &tlater 535B61015823443941C744DD12264F6BBDFABA89
  - &server_tlaternet 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b
  - &server_hetzner1 0af7641adb8aa843136cf6d047f71da3e5ad79f9
  - &server_staging 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc
 creation_rules:
@ -9,6 +10,7 @@ creation_rules:
      - pgp:
          - *tlater
          - *server_tlaternet
          - *server_hetzner1
  - path_regex: keys/staging.yaml
    key_groups:
      - pgp:
--- a/README.md
+++ b/README.md
@ -34,5 +34,5 @@ Deployment is handled using
 [deploy-rs](https://github.com/serokell/deploy-rs):
 ```
-deploy .#tlaternet
+deploy .#
 ```
--- a/configuration/default.nix
+++ b/configuration/default.nix
@ -7,6 +7,7 @@
  ...
 }: {
  imports = [
    flake-inputs.disko.nixosModules.disko
    flake-inputs.sops-nix.nixosModules.sops
    flake-inputs.tlaternet-webserver.nixosModules.default
@ -55,7 +56,6 @@
  boot.kernelParams = ["highres=off" "nohz=off"];
  networking = {
    hostName = "tlaternet";
    usePredictableInterfaceNames = false;
    useDHCP = false;
@ -137,7 +137,6 @@
    recommendedGzipSettings = true;
    recommendedProxySettings = true;
    clientMaxBodySize = "10G";
    domain = "tlater.net";
    statusPage = true; # For metrics, should be accessible only from localhost
--- a/configuration/hardware-specific/hetzner/default.nix
+++ b/configuration/hardware-specific/hetzner/default.nix
@ -0,0 +1,47 @@
 {
  imports = [
    ./hardware-configuration.nix
    ./disko.nix
  ];
  # Intel's special encrypted memory<->CPU feature. Hetzner's BIOS
  # disables it by default.
  #
  # TODO(tlater): See if would be useful for anything?
  boot.kernelParams = ["nosgx"];
  networking.hostName = "hetzner-1";
  services.nginx.domain = "tlater.net";
  systemd.network.networks."eth0" = {
    matchConfig.MACAddress = "90:1b:0e:c1:8c:62";
    addresses = [
      # IPv4
      {
        addressConfig = {
          Address = "116.202.158.55/32";
          Peer = "116.202.158.1/32"; # Gateway
        };
      }
      # IPv6
      {
        addressConfig.Address = "2a01:4f8:10b:3c85::2/64";
      }
    ];
    networkConfig = {
      Gateway = [
        "116.202.158.1"
        "fe80::1"
      ];
      DNS = [
        "185.12.64.1"
        "185.12.64.2"
        "2a01:4ff:ff00::add:1"
        "2a01:4ff:ff00::add:2"
      ];
    };
  };
 }
--- a/configuration/hardware-specific/hetzner/disko.nix
+++ b/configuration/hardware-specific/hetzner/disko.nix
@ -0,0 +1,82 @@
 {
  disko.devices.disk = let
    bootPartition = {
      size = "1M";
      type = "EF02";
    };
    swapPartition = {
      # 8G is apparently recommended for this much RAM, but we set up
      # 4G on both disks for mirroring purposes.
      #
      # That'll still be 8G during normal operation, and it's probably
      # not too bad to have slightly less swap if a disk dies.
      size = "4G";
      content = {
        type = "swap";
        randomEncryption = true;
      };
    };
    mountOptions = ["compress=zstd" "noatime"];
  in {
    sda = {
      type = "disk";
      device = "/dev/sda";
      content = {
        type = "gpt";
        partitions = {
          boot = bootPartition;
          swap = swapPartition;
          disk1 = {
            size = "100%";
            # Empty partition to combine in RAID0 with the other disk
          };
        };
      };
    };
    sdb = {
      type = "disk";
      device = "/dev/sdb";
      content = {
        type = "gpt";
        partitions = {
          boot = bootPartition;
          swap = swapPartition;
          disk2 = {
            size = "100%";
            content = {
              type = "btrfs";
              # Hack to get multi-device btrfs going
              # See https://github.com/nix-community/disko/issues/99
              extraArgs = ["-d" "raid1" "-m" "raid1" "--runtime-features" "quota" "/dev/sda3"];
              subvolumes = {
                "/volume" = {};
                "/volume/root" = {
                  inherit mountOptions;
                  mountpoint = "/";
                };
                "/volume/home" = {
                  inherit mountOptions;
                  mountpoint = "/home";
                };
                "/volume/var" = {
                  inherit mountOptions;
                  mountpoint = "/var";
                };
                "/volume/nix-store" = {
                  inherit mountOptions;
                  mountpoint = "/nix";
                };
                "/snapshots" = {};
              };
            };
          };
        };
      };
    };
  };
 }
--- a/configuration/hardware-specific/hetzner/hardware-configuration.nix
+++ b/configuration/hardware-specific/hetzner/hardware-configuration.nix
@ -5,35 +5,21 @@
 {
  imports =
-    [ (modulesPath + "/profiles/qemu-guest.nix")
+    [ (modulesPath + "/installer/scan/not-detected.nix")
    ];
-  boot.initrd.availableKernelModules = [ "virtio_pci" "virtio_scsi" "ahci" "sd_mod" ];
+  boot.initrd.availableKernelModules = [ "xhci_pci" "ahci" "sd_mod" ];
  boot.initrd.kernelModules = [ ];
-  boot.kernelModules = [ ];
+  boot.kernelModules = [ "kvm-intel" ];
  boot.extraModulePackages = [ ];
  fileSystems."/" =
    { device = "/dev/disk/by-uuid/e541bdc3-79d6-459f-9169-92b13b0a8959";
      fsType = "ext4";
    };
  fileSystems."/var" =
    { device = "/dev/disk/by-uuid/79f8fbbd-476d-4e1a-9675-a8474d98f42f";
      fsType = "ext4";
    };
  swapDevices =
    [ { device = "/dev/disk/by-uuid/45c8ad29-3861-4e68-a566-47e6d9269dca"; }
    ];
  # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
  # (the default) this is the recommended approach. When using systemd-networkd it's
  # still possible to use this option, but it's recommended to use it in conjunction
  # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
  networking.useDHCP = lib.mkDefault true;
-  # networking.interfaces.eth0.useDHCP = lib.mkDefault true;
+  # networking.interfaces.enp0s31f6.useDHCP = lib.mkDefault true;
  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
-  hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+  hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
 }
--- a/configuration/hardware-specific/linode/default.nix
+++ b/configuration/hardware-specific/linode/default.nix
@ -1,60 +0,0 @@
 {
  imports = [
    ./hardware-configuration.nix
  ];
  # Required for the lish console
  boot.kernelParams = ["console=ttyS0,19200n8"];
  boot.loader = {
    # Timeout to allow lish to connect
    timeout = 10;
    grub = {
      device = "nodev";
      extraConfig = ''
        serial --speed=19200 --unit=0 --word=8 --parity=no --stop=1;
        terminal_input serial;
        terminal_output serial;
      '';
    };
  };
  systemd.network.networks."10-eth0" = {
    matchConfig.Name = "eth0";
    networkConfig = {
      DHCP = "no";
      Address = "178.79.137.55/24";
      Gateway = "178.79.137.1";
      Domains = "ip.linodeusercontent.com";
      DNS = [
        "178.79.182.5"
        "176.58.107.5"
        "176.58.116.5"
        "176.58.121.5"
        "151.236.220.5"
        "212.71.252.5"
        "212.71.253.5"
        "109.74.192.20"
        "109.74.193.20"
        "109.74.194.20"
        "2a01:7e00::9"
        "2a01:7e00::3"
        "2a01:7e00::c"
        "2a01:7e00::5"
        "2a01:7e00::6"
        "2a01:7e00::8"
        "2a01:7e00::b"
        "2a01:7e00::4"
        "2a01:7e00::7"
        "2a01:7e00::2"
      ];
      IPv6PrivacyExtensions = "no";
      IPv6AcceptRA = "yes";
    };
  };
 }
--- a/configuration/hardware-specific/vm.nix
+++ b/configuration/hardware-specific/vm.nix
@ -4,9 +4,10 @@
  # Disable graphical tty so -curses works
  boot.kernelParams = ["nomodeset"];
  networking.hostName = "testvm";
  # Sets the base domain for nginx to localhost so that we
  # can easily test locally with the VM.
-  services.nginx.domain = lib.mkOverride 99 "localhost";
+  services.nginx.domain = "localhost";
  # Use the staging secrets
  sops.defaultSopsFile = lib.mkOverride 99 ../../keys/staging.yaml;
--- a/configuration/services/gitea.nix
+++ b/configuration/services/gitea.nix
@ -6,12 +6,10 @@
 }: let
  domain = "gitea.${config.services.nginx.domain}";
 in {
-  services.gitea = {
+  services.forgejo = {
    enable = true;
    database.type = "postgres";
    appName = "Gitea: Git with a cup of tea";
    settings = {
      server = {
        DOMAIN = domain;
@ -29,18 +27,18 @@ in {
    };
  };
-  systemd.services.gitea.serviceConfig.ExecStartPre = let
+  systemd.services.forgejo.serviceConfig.ExecStartPre = let
    replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret";
-    secretPath = config.sops.secrets."gitea/metrics-token".path;
+    secretPath = config.sops.secrets."forgejo/metrics-token".path;
-    runConfig = "${config.services.gitea.customDir}/conf/app.ini";
+    runConfig = "${config.services.forgejo.customDir}/conf/app.ini";
  in [
    "+${replaceSecretBin} '#metricstoken#' '${secretPath}' '${runConfig}'"
  ];
  # Set up SSL
  services.nginx.virtualHosts."${domain}" = let
-    httpAddress = config.services.gitea.settings.server.HTTP_ADDR;
+    httpAddress = config.services.forgejo.settings.server.HTTP_ADDR;
-    httpPort = config.services.gitea.settings.server.HTTP_PORT;
+    httpPort = config.services.forgejo.settings.server.HTTP_PORT;
  in {
    forceSSL = true;
    enableACME = true;
@ -62,40 +60,39 @@ in {
  # Block repeated failed login attempts
  #
-  # TODO(tlater): Update to the new regex, since apparently this one
+  # TODO(tlater): Update this - we switched to forgejo, who knows what
-  # is deprecated (but the new one doesn't work on the current version
+  # the new matches are.
-  # of gitea yet): https://docs.gitea.io/en-us/fail2ban-setup/
+  # environment.etc = {
-  environment.etc = {
+  #   "fail2ban/filter.d/gitea.conf".text = ''
-    "fail2ban/filter.d/gitea.conf".text = ''
+  #     [Definition]
-      [Definition]
+  #     failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
-      failregex = .*(Failed authentication attempt|invalid credentials|Attempted access of unknown user).* from <HOST>
+  #     journalmatch = _SYSTEMD_UNIT=forgejo.service + _COMM=forgejo + SYSLOG_IDENTIFIER=forgejo
-      journalmatch = _SYSTEMD_UNIT=gitea.service + _COMM=gitea + SYSLOG_IDENTIFIER=gitea
+  #   '';
-    '';
+  # };
  };
-  services.fail2ban.jails = {
+  # services.fail2ban.jails = {
-    gitea = ''
+  #   gitea = ''
-      enabled = true
+  #     enabled = true
-    '';
+  #   '';
-  };
+  # };
-  services.backups.gitea = {
+  services.backups.forgejo = {
-    user = "gitea";
+    user = "forgejo";
    paths = [
-      "/var/lib/gitea/gitea-db.sql"
+      "/var/lib/forgejo/forgejo-db.sql"
-      "/var/lib/gitea/repositories/"
+      "/var/lib/forgejo/repositories/"
-      "/var/lib/gitea/data/"
+      "/var/lib/forgejo/data/"
-      "/var/lib/gitea/custom/"
+      "/var/lib/forgejo/custom/"
      # Conf is backed up via nix
    ];
    preparation = {
      packages = [config.services.postgresql.package];
-      text = "pg_dump ${config.services.gitea.database.name} --file=/var/lib/gitea/gitea-db.sql";
+      text = "pg_dump ${config.services.forgejo.database.name} --file=/var/lib/forgejo/forgejo-db.sql";
    };
    cleanup = {
      packages = [pkgs.coreutils];
-      text = "rm /var/lib/gitea/gitea-db.sql";
+      text = "rm /var/lib/forgejo/forgejo-db.sql";
    };
-    pauseServices = ["gitea.service"];
+    pauseServices = ["forgejo.service"];
  };
 }
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@ -6,9 +6,9 @@
    ];
    scrapeConfigs = {
-      gitea = {
+      forgejo = {
-        targets = ["127.0.0.1:${toString config.services.gitea.settings.server.HTTP_PORT}"];
+        targets = ["127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}"];
-        extraSettings.authorization.credentials_file = config.sops.secrets."gitea/metrics-token".path;
+        extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
      };
      coturn.targets = ["127.0.0.1:9641"];
    };
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@ -4,8 +4,8 @@
    secrets = {
      # Gitea
-      "gitea/metrics-token" = {
+      "forgejo/metrics-token" = {
-        owner = "gitea";
+        owner = "forgejo";
        group = "metrics";
        mode = "0440";
      };
--- a/flake.lock
+++ b/flake.lock
@ -1,39 +1,5 @@
 {
  "nodes": {
    "all-cabal-json": {
      "flake": false,
      "locked": {
        "lastModified": 1665552503,
        "narHash": "sha256-r14RmRSwzv5c+bWKUDaze6pXM7nOsiz1H8nvFHJvufc=",
        "owner": "nix-community",
        "repo": "all-cabal-json",
        "rev": "d7c0434eebffb305071404edcf9d5cd99703878e",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "hackage",
        "repo": "all-cabal-json",
        "type": "github"
      }
    },
    "crane": {
      "flake": false,
      "locked": {
        "lastModified": 1681175776,
        "narHash": "sha256-7SsUy9114fryHAZ8p1L6G6YSu7jjz55FddEwa2U8XZc=",
        "owner": "ipetkov",
        "repo": "crane",
        "rev": "445a3d222947632b5593112bb817850e8a9cf737",
        "type": "github"
      },
      "original": {
        "owner": "ipetkov",
        "ref": "v0.12.1",
        "repo": "crane",
        "type": "github"
      }
    },
    "deploy-rs": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -54,47 +20,38 @@
        "type": "github"
      }
    },
-    "devshell": {
+    "disko": {
-      "flake": false,
+      "inputs": {
        "nixpkgs": [
          "nixpkgs"
        ]
      },
      "locked": {
-        "lastModified": 1663445644,
+        "lastModified": 1709286488,
-        "narHash": "sha256-+xVlcK60x7VY1vRJbNUEAHi17ZuoQxAIH4S4iUFUGBA=",
+        "narHash": "sha256-RDpTZ72zLu05djvXRzK76Ysqp9zSdh84ax/edEaJucs=",
-        "owner": "numtide",
+        "owner": "nix-community",
-        "repo": "devshell",
+        "repo": "disko",
-        "rev": "e3dc3e21594fe07bdb24bdf1c8657acaa4cb8f66",
+        "rev": "bde7dd352c07d43bd5b8245e6c39074a391fdd46",
        "type": "github"
      },
      "original": {
-        "owner": "numtide",
+        "owner": "nix-community",
-        "repo": "devshell",
+        "repo": "disko",
        "type": "github"
      }
    },
    "dream2nix": {
      "inputs": {
        "all-cabal-json": "all-cabal-json",
        "crane": "crane",
        "devshell": "devshell",
        "drv-parts": "drv-parts",
        "flake-compat": "flake-compat_3",
        "flake-parts": "flake-parts",
        "flake-utils-pre-commit": "flake-utils-pre-commit",
        "ghc-utils": "ghc-utils",
        "gomod2nix": "gomod2nix",
        "mach-nix": "mach-nix",
        "nix-pypi-fetcher": "nix-pypi-fetcher",
        "nixpkgs": "nixpkgs_3",
-        "nixpkgsV1": "nixpkgsV1",
+        "purescript-overlay": "purescript-overlay",
-        "poetry2nix": "poetry2nix",
+        "pyproject-nix": "pyproject-nix"
        "pre-commit-hooks": "pre-commit-hooks",
        "pruned-racket-catalog": "pruned-racket-catalog"
      },
      "locked": {
-        "lastModified": 1686064783,
+        "lastModified": 1702457430,
-        "narHash": "sha256-qyptOk4vDut2JkRMJ+815eJNqqd8gIfjpz3l4WCCtMY=",
+        "narHash": "sha256-8NQiXtYCOiC7XFayy6GPGDudCBrPROry3mfWjpdVj5g=",
        "owner": "nix-community",
        "repo": "dream2nix",
-        "rev": "0c064fa9dd025069cc215b0a8b4eb5ea734aceb0",
+        "rev": "262198033e23e9ee832f0cc8133d38f07598f555",
        "type": "github"
      },
      "original": {
@ -103,38 +60,6 @@
        "type": "github"
      }
    },
    "drv-parts": {
      "inputs": {
        "flake-compat": [
          "tlaternet-webserver",
          "dream2nix",
          "flake-compat"
        ],
        "flake-parts": [
          "tlaternet-webserver",
          "dream2nix",
          "flake-parts"
        ],
        "nixpkgs": [
          "tlaternet-webserver",
          "dream2nix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1680698112,
        "narHash": "sha256-FgnobN/DvCjEsc0UAZEAdPLkL4IZi2ZMnu2K2bUaElc=",
        "owner": "davhau",
        "repo": "drv-parts",
        "rev": "e8c2ec1157dc1edb002989669a0dbd935f430201",
        "type": "github"
      },
      "original": {
        "owner": "davhau",
        "repo": "drv-parts",
        "type": "github"
      }
    },
    "fenix": {
      "inputs": {
        "nixpkgs": [
@ -144,11 +69,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1686637310,
+        "lastModified": 1704003651,
-        "narHash": "sha256-sGfKyioVsxQppDM0eDO62wtFiz+bZOD0cBMMIEjqn4I=",
+        "narHash": "sha256-bA3d4E1CX5G7TVbKwJOm9jZfVOGOPp6u5CKEUzNsE8E=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "6fbeedcd2fc1fba77152e13fd7492824d77a4060",
+        "rev": "c6d82e087ac96f24b90c5787a17e29a72566c2b4",
        "type": "github"
      },
      "original": {
@ -189,44 +114,6 @@
        "type": "github"
      }
    },
    "flake-compat_3": {
      "flake": false,
      "locked": {
        "lastModified": 1673956053,
        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
        "owner": "edolstra",
        "repo": "flake-compat",
        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
        "type": "github"
      },
      "original": {
        "owner": "edolstra",
        "repo": "flake-compat",
        "type": "github"
      }
    },
    "flake-parts": {
      "inputs": {
        "nixpkgs-lib": [
          "tlaternet-webserver",
          "dream2nix",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1675933616,
        "narHash": "sha256-/rczJkJHtx16IFxMmAWu5nNYcSXNg1YYXTHoGjLrLUA=",
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "rev": "47478a4a003e745402acf63be7f9a092d51b83d7",
        "type": "github"
      },
      "original": {
        "owner": "hercules-ci",
        "repo": "flake-parts",
        "type": "github"
      }
    },
    "flake-utils": {
      "inputs": {
        "systems": "systems_2"
@ -245,21 +132,6 @@
        "type": "github"
      }
    },
    "flake-utils-pre-commit": {
      "locked": {
        "lastModified": 1644229661,
        "narHash": "sha256-1YdnJAsNy69bpcjuoKdOYQX0YxZBiCYZo4Twxerqv7k=",
        "owner": "numtide",
        "repo": "flake-utils",
        "rev": "3cecb5b042f7f209c56ffd8371b2711a290ec797",
        "type": "github"
      },
      "original": {
        "owner": "numtide",
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "foundryvtt": {
      "inputs": {
        "nixpkgs": [
@ -267,11 +139,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1701473318,
+        "lastModified": 1709504473,
-        "narHash": "sha256-QdCJN8GeNl/V8wMjrvNkrWzNXnahgfjBfCSya4qQdrc=",
+        "narHash": "sha256-hXzXxaZaI9Pn5tO4otY2gJUvW/orDGDAMdstm3AY8RU=",
        "owner": "reckenrode",
        "repo": "nix-foundryvtt",
-        "rev": "f624c0ceabe13dd876ecff871e0dc7f55f96e993",
+        "rev": "5cf4e6d9ed7b662dbea7a61d785b67a878598986",
        "type": "github"
      },
      "original": {
@ -280,69 +152,6 @@
        "type": "github"
      }
    },
    "ghc-utils": {
      "flake": false,
      "locked": {
        "lastModified": 1662774800,
        "narHash": "sha256-1Rd2eohGUw/s1tfvkepeYpg8kCEXiIot0RijapUjAkE=",
        "ref": "refs/heads/master",
        "rev": "bb3a2d3dc52ff0253fb9c2812bd7aa2da03e0fea",
        "revCount": 1072,
        "type": "git",
        "url": "https://gitlab.haskell.org/bgamari/ghc-utils"
      },
      "original": {
        "type": "git",
        "url": "https://gitlab.haskell.org/bgamari/ghc-utils"
      }
    },
    "gomod2nix": {
      "flake": false,
      "locked": {
        "lastModified": 1627572165,
        "narHash": "sha256-MFpwnkvQpauj799b4QTBJQFEddbD02+Ln5k92QyHOSk=",
        "owner": "tweag",
        "repo": "gomod2nix",
        "rev": "67f22dd738d092c6ba88e420350ada0ed4992ae8",
        "type": "github"
      },
      "original": {
        "owner": "tweag",
        "repo": "gomod2nix",
        "type": "github"
      }
    },
    "mach-nix": {
      "flake": false,
      "locked": {
        "lastModified": 1634711045,
        "narHash": "sha256-m5A2Ty88NChLyFhXucECj6+AuiMZPHXNbw+9Kcs7F6Y=",
        "owner": "DavHau",
        "repo": "mach-nix",
        "rev": "4433f74a97b94b596fa6cd9b9c0402104aceef5d",
        "type": "github"
      },
      "original": {
        "id": "mach-nix",
        "type": "indirect"
      }
    },
    "nix-pypi-fetcher": {
      "flake": false,
      "locked": {
        "lastModified": 1669065297,
        "narHash": "sha256-UStjXjNIuIm7SzMOWvuYWIHBkPUKQ8Id63BMJjnIDoA=",
        "owner": "DavHau",
        "repo": "nix-pypi-fetcher",
        "rev": "a9885ac6a091576b5195d547ac743d45a2a615ac",
        "type": "github"
      },
      "original": {
        "owner": "DavHau",
        "repo": "nix-pypi-fetcher",
        "type": "github"
      }
    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1702272962,
@ -391,21 +200,6 @@
        "type": "github"
      }
    },
    "nixpkgsV1": {
      "locked": {
        "lastModified": 1678500271,
        "narHash": "sha256-tRBLElf6f02HJGG0ZR7znMNFv/Uf7b2fFInpTHiHaSE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "5eb98948b66de29f899c7fe27ae112a47964baf8",
        "type": "github"
      },
      "original": {
        "id": "nixpkgs",
        "ref": "nixos-22.11",
        "type": "indirect"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1703467016,
@ -424,17 +218,18 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1665580254,
+        "lastModified": 1702272962,
-        "narHash": "sha256-hO61XPkp1Hphl4HGNzj1VvDH5URt7LI6LaY/385Eul4=",
+        "narHash": "sha256-D+zHwkwPc6oYQ4G3A1HuadopqRwUY/JkMwHz1YF7j4Q=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "f634d427b0224a5f531ea5aa10c3960ba6ec5f0f",
+        "rev": "e97b3e4186bcadf0ef1b6be22b8558eab1cdeb5d",
        "type": "github"
      },
      "original": {
-        "id": "nixpkgs",
+        "owner": "NixOS",
-        "ref": "nixos-unstable",
+        "ref": "nixpkgs-unstable",
-        "type": "indirect"
+        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nvfetcher": {
@ -459,70 +254,50 @@
        "type": "github"
      }
    },
-    "poetry2nix": {
+    "purescript-overlay": {
      "flake": false,
      "locked": {
        "lastModified": 1666918719,
        "narHash": "sha256-BkK42fjAku+2WgCOv2/1NrPa754eQPV7gPBmoKQBWlc=",
        "owner": "nix-community",
        "repo": "poetry2nix",
        "rev": "289efb187123656a116b915206e66852f038720e",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "ref": "1.36.0",
        "repo": "poetry2nix",
        "type": "github"
      }
    },
    "pre-commit-hooks": {
      "inputs": {
        "flake-utils": [
          "tlaternet-webserver",
          "dream2nix",
          "flake-utils-pre-commit"
        ],
        "nixpkgs": [
          "tlaternet-webserver",
          "dream2nix",
          "nixpkgs"
-        ]
+        ],
        "slimlock": "slimlock"
      },
      "locked": {
-        "lastModified": 1646153636,
+        "lastModified": 1696022621,
-        "narHash": "sha256-AlWHMzK+xJ1mG267FdT8dCq/HvLCA6jwmx2ZUy5O8tY=",
+        "narHash": "sha256-eMjFmsj2G1E0Q5XiibUNgFjTiSz0GxIeSSzzVdoN730=",
-        "owner": "cachix",
+        "owner": "thomashoneyman",
-        "repo": "pre-commit-hooks.nix",
+        "repo": "purescript-overlay",
-        "rev": "b6bc0b21e1617e2b07d8205e7fae7224036dfa4b",
+        "rev": "047c7933abd6da8aa239904422e22d190ce55ead",
        "type": "github"
      },
      "original": {
-        "owner": "cachix",
+        "owner": "thomashoneyman",
-        "repo": "pre-commit-hooks.nix",
+        "repo": "purescript-overlay",
        "type": "github"
      }
    },
-    "pruned-racket-catalog": {
+    "pyproject-nix": {
      "flake": false,
      "locked": {
-        "lastModified": 1672537287,
+        "lastModified": 1702448246,
-        "narHash": "sha256-SuOvXVcLfakw18oJB/PuRMyvGyGG1+CQD3R+TGHIv44=",
+        "narHash": "sha256-hFg5s/hoJFv7tDpiGvEvXP0UfFvFEDgTdyHIjDVHu1I=",
-        "owner": "nix-community",
+        "owner": "davhau",
-        "repo": "pruned-racket-catalog",
+        "repo": "pyproject.nix",
-        "rev": "c8b89557fb53b36efa2ee48a769c7364df0f6262",
+        "rev": "5a06a2697b228c04dd2f35659b4b659ca74f7aeb",
        "type": "github"
      },
      "original": {
-        "owner": "nix-community",
+        "owner": "davhau",
-        "ref": "catalog",
+        "ref": "dream2nix",
-        "repo": "pruned-racket-catalog",
+        "repo": "pyproject.nix",
        "type": "github"
      }
    },
    "root": {
      "inputs": {
        "deploy-rs": "deploy-rs",
        "disko": "disko",
        "foundryvtt": "foundryvtt",
        "nixpkgs": "nixpkgs_2",
        "nixpkgs-unstable": "nixpkgs-unstable",
@ -534,11 +309,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1686586902,
+        "lastModified": 1703965384,
-        "narHash": "sha256-+zfBFBmUxWutKbhdntI9uvF4D5Rh7BhcByM2l+ReyTw=",
+        "narHash": "sha256-3iyouqkBvhh/E48TkBlt4JmmcIEyfQwY7pokKBx9WNg=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "1f1fe81f0db301124b3026bd2940294526cdd852",
+        "rev": "e872f5085cf5b0e44558442365c1c033d486eff2",
        "type": "github"
      },
      "original": {
@ -548,6 +323,29 @@
        "type": "github"
      }
    },
    "slimlock": {
      "inputs": {
        "nixpkgs": [
          "tlaternet-webserver",
          "dream2nix",
          "purescript-overlay",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1688610262,
        "narHash": "sha256-Wg0ViDotFWGWqKIQzyYCgayeH8s4U1OZcTiWTQYdAp4=",
        "owner": "thomashoneyman",
        "repo": "slimlock",
        "rev": "b5c6cdcaf636ebbebd0a1f32520929394493f1a6",
        "type": "github"
      },
      "original": {
        "owner": "thomashoneyman",
        "repo": "slimlock",
        "type": "github"
      }
    },
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
@ -608,11 +406,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1686688441,
+        "lastModified": 1704840002,
-        "narHash": "sha256-rcqAQzExGu0uV9Din8yy+Nn8FQvG/Itm8hp66amDj6o=",
+        "narHash": "sha256-ik2LeuRjcnRXwBLoRSOyGEMXscE+coO8G79IFhZhdJk=",
        "ref": "refs/heads/master",
-        "rev": "c573a6f81827594ceeffbfa058659e2fc20e4a1e",
+        "rev": "d14f50c8dcc8ab30a5e5fa907b392ac0df6c7b52",
-        "revCount": 66,
+        "revCount": 73,
        "type": "git",
        "url": "https://gitea.tlater.net/tlaternet/tlaternet.git"
      },
--- a/flake.nix
+++ b/flake.nix
@ -4,6 +4,10 @@
  inputs = {
    nixpkgs.url = "github:nixos/nixpkgs/nixos-23.11";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
    disko = {
      url = "github:nix-community/disko";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    deploy-rs.url = "github:serokell/deploy-rs";
    sops-nix = {
      url = "github:Mic92/sops-nix";
@ -38,13 +42,13 @@
    ##################
    nixosConfigurations = {
      # The actual system definition
-      tlaternet = nixpkgs.lib.nixosSystem {
+      hetzner-1 = nixpkgs.lib.nixosSystem {
        inherit system;
        specialArgs.flake-inputs = inputs;
        modules = [
          ./configuration
-          ./configuration/hardware-specific/linode
+          ./configuration/hardware-specific/hetzner
        ];
      };
    };
@ -52,16 +56,18 @@
    ############################
    # Deployment configuration #
    ############################
-    deploy.nodes.tlaternet = {
+    deploy.nodes = {
-      hostname = "tlater.net";
+      hetzner-1 = {
        hostname = "116.202.158.55";
-      profiles.system = {
+        profiles.system = {
-        user = "root";
+          user = "root";
-        path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.tlaternet;
+          path = deploy-rs.lib.${system}.activate.nixos self.nixosConfigurations.hetzner-1;
        };
        sshUser = "tlater";
        sshOpts = ["-p" "2222" "-o" "ForwardAgent=yes"];
      };
      sshUser = "tlater";
      sshOpts = ["-p" "2222" "-o" "ForwardAgent=yes"];
    };
    #########
--- a/keys/hosts/hetzner1.asc
+++ b/keys/hosts/hetzner1.asc
@ -0,0 +1,28 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 xsFNBAAAAAABEADQWw0P407m704eEqPWA2SxNYdVIOAWPFPS1AJBOQycDMW3Mgv3
 v26H5Oan4t1ZD4yLYsJu6HcrGsIY3Xnhd/JGHVd8eazxl092rdAWUaLRPXusUKxY
 KbtBij1U4dkV5npcWyzBN3pzNbU8iItyYS9aOTO6N51QJ3sNIflp+tSf+0Yg26DM
 cXZsAQLERdCgttnbd8hoYE3ge02FDwKIY/pr7cVvdOnrsFcOugNTCvCsJQPVknUz
 sE/BOtFEBnV5Hw7S5ahO4EEvdQpW+VJLa6XRrH8vXB/LJIoPtw11AKA6Rpb/AvG9
 JOKxhSEODVLcdmg5y2dZDrSg5tSzWikCkhPgxcDdhYK+kYwOOCZCwijMmD+cm2J9
 aDPuQho0LBwnwbTsQuXrPNMSGMFP9F1LVbr4X64x0J2E/70ic96xI3F5E+KHpTFL
 kBOr66IFfd91gWLIbxYYtwyx19dPQ7LgZ0GWAMgfHnOdtMwO0Tduubhvq8m7to5B
 wD3VN2Tz/2OUa0gbJrnznaMrSOIj1nOU3FLBjT9/wh9DpXMbZw6D2fzqdt03Kpw9
 XjqJzXN1iRkcMpYkxic1Eq2yoAEtLr13cLv+9Dlkvi01kwN/MxwgnQGuc7/R4ZyA
 Z4aQtviPhT7geIOtY1jH9ZKosEVg2eXyI7YSxHvdXY+vCcwqzh8x+gRJowARAQAB
 zSlyb290IChJbXBvcnRlZCBmcm9tIFNTSCkgPHJvb3RAbG9jYWxob3N0PsLBYgQT
 AQgAFgUCAAAAAAkQR/cdo+WtefkCGw8CGQEAAHNAEACZcvbykefvO1cYp3VEGyHI
 rjCdA+docXXpyZOe9OcNzB1HBjOLwe9cJgkPnTtDZMYhrN6vnb2td7xiX8LVvhgZ
 npSCWtdqXo/EbkN88CP4GraT/9aaB6Joa2RSlZz5jSv3kuq+Q1QXxQqly5/qYhpS
 Ibz3ZWcovI1tMcdvA/u74oQ+4m0Mgqbyg9G2vwAygsexdHQMY+L0SDXI1GMX8z0A
 zFmtIlYkgqMoJY8qeJniwkmrHoLyFLIjnjQERV0FtQJ3S3sL63JVDNiA4OmwxIlR
 M+6LcRDcVqPDEOJxgCKkd6Cg9vOGyCdMTsI42pMuQOflhntx6Ez9tkyQQtkH1dS6
 n9wqmBL47GaZE32GepzvJw3aix87UouuZr8NlzsIr937rp9s3kW4+WpzakimBNjs
 kRWNhMaty2az171g3rvnL8yDejibE1OCHMakq7RUtYWC7Z8pNm2eHtHfTnH9qAZe
 mRcTiiY308ZI046muN9BAg1/m7v/sD3uEI8YXz7kb3lTWb0iioyUZqo0bqNhADEG
 5WLka2RK5fPnsyEalZ8mumUdGCH5iXKmXjK85GUaRwHgJUjhTdnpuqiuwVS3fxvN
 KlPP59q/kbWXL6bnVokvzBuW5GRl8im7qw8ggrEuxmSFD1WQLkvswLum6mVvDFpS
 HX938nRTHMgZfPW/gvR2aA==
 =nrXn
 -----END PGP PUBLIC KEY BLOCK-----
--- a/keys/production.yaml
+++ b/keys/production.yaml
@ -1,5 +1,5 @@
-gitea:
+forgejo:
-    metrics-token: ENC[AES256_GCM,data:/7/zvVl2ZOBoekrJR32vl/QQcG5XqTmltgpHEMUpbXVeqwnq29idzE2Qyjau96ZHObmSI73/ZtW95uXF6LH9Qw==,iv:iWZECCZSh1CN7wMBqstXR5QWtriR7QLKVqhekGnpXl0=,tag:HEr9km8VYmruBzf0I/5HuA==,type:str]
+    metrics-token: ENC[AES256_GCM,data:WVbD5JloJlHNjeEwe1uEd4Haj6L3ilj1Pnux6yrelUQP18ZPAh90aDO1OIZHaPJR7tTeyATr8BIzZL1zkNhCuA==,iv:eTYXN3hymIN3bTX1YxNGkAYE0KVDbdz2ds8UQAHlALE=,tag:A61loGdu0pfsiez96u2Qsg==,type:str]
 grafana:
    adminPassword: ENC[AES256_GCM,data:/qw//J7cOkIGa58bG4GgdzndvKof32AmQeWB00IX8WhA22PDCOc4VdUEoB3wVJJqI/ucoHFInYyhg2rFYoYBesBjAt0QS3+O+8WblIunUuYeqlBuYJJK1TLhy6ql6+aqvfiW/rJLm4LpgA7CboyDD2OYHcAbvGSD2GWwFcHTR/Y=,iv:KK6p8GKzc9SBDZZFkEwCdIjSxriPGNMDNcr97tfbwTI=,tag:gLRNSGdJWFD+V9K5TfJvXw==,type:str]
    secretKey: ENC[AES256_GCM,data:OUXWOE6I3a26SrFEOczWNIwyR3Rx62fbsRBBcfh0xyEbxOIPhexH6lIqlVG9Ltwra9+rAldNM4/0BydtxIDj7A==,iv:fiNO/or5yZnhpDPMANDnEC5dtXmbKBZsV+BPmvCN/HI=,tag:Q0M0OtLWdWAJgQmUlL//fg==,type:str]
@ -26,43 +26,68 @@ sops:
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2023-10-12T18:40:26Z"
+    lastmodified: "2023-12-28T00:07:08Z"
-    mac: ENC[AES256_GCM,data:F+yQ20jCtLRKeQDFVKoqrYCgtwGkXxrK6aQO0MFZTIMJAnbTVPM2ZJGQ1RxXb+Zs4T+44EEc2xN4LjeANvgpE6MfOz2VTw+sEEjcYwUyB6RcXHia9XlFLa8lh7/Wx/9DxlSFjjSrxmDkNB6r+n5UF81cdRXF2E9ibdH346ST98A=,iv:xVxFN1IDKrLskaGqnWvOWx1zUII0jRSjQxEsaTf2GNw=,tag:lnp1AvgMOXXlg1vFjHEWUQ==,type:str]
+    mac: ENC[AES256_GCM,data:P2bNJLjzn69Kg2bJHXmofER7J8wbEj9C4jq9ePWewXBOt45GEiqgnqIaISwZkyzQmm9cxZd95Lr780ICwoKDFdtSCCcC7CdYxYEfyyhnvU3W2qzEghvkypL8JbiEtPSlQ9xOlCk7p41A9eRrV+JziIVSv5UEUs4NubrG9Mkwv3k=,iv:Yq2gANTTgx6cFxkdustUZ1MPszxGSkao/bS1KHAkzJc=,tag:kqJibocgRQXkxTJze6O5MA==,type:str]
    pgp:
-        - created_at: "2022-10-12T00:46:51Z"
+        - created_at: "2024-03-02T21:16:50Z"
-          enc: |
+          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQEMA7x7stsXx45CAQf9Hivg5x2NEKp3icdAIXKoBVTp5jnqJ2S5xDpK4cbCUwRd
+            hQIMAzWu0p84AOApARAAi+GxJ9z+cMaMgENnDC0Kq6ZJZ/rkXnUIjVxpdXLVhnCc
-            Z2VyNjxAXdTgKsviXseWbtsEbqo41oqjtpZwXK36gT/miKSPYyBSLb689L70RpWR
+            E2S8NoXJI5jcqsYI08wVQm7OWzsNK6GuJET1i3YdHVDOiwYK+WNGeMA6JdIuJzXV
-            aC4QzOHbYr1Trr1whkTVaQG1vd2u9ZEyxsi13ItiYVylu7tgMqaDqzE4Y47RPZtz
+            EDcuarLusygqIV1UcZCwTl362zuLi5kPs/fGsn7BJeI8Q7CtMEP1cmCk0LlHotjz
-            FWFY4chO5Tq/DL0blP8oCTLFx4LSL82JbZswCfqrSHX44HGZ/OELHqNhYNF6hkCr
+            Pl53bUos1WUqSv0EQw9Cz1dhL6LGlUtoIJaPbB9OO/+chzQCFUJGbCO5KJ/+3fFq
-            DgYYh7l7s08farE+PnTbWt808Kd3kP8fCRaLm9nt1X1c5QQElaWBjGIscK9fOsV4
+            2DhQZw1GvgNf9/66f39tgY+jeQq5OyuoFSpuzyjxCeK+eX6Jkxs4zOVlcJoztSVc
-            iVFQfPBdwBi8aawCmwvXOcg6sX050Ow3NeYQBJVICtJeAeHyetxxEYip6CrADsiq
+            FEiPIO4YfcgDXToLJWSWA2uGJ+KCvqDXDWyPATQupytAItw05oFyfZOPuh45Wj46
-            UG1Np+p6Pcbq/k6E1vT6bsRrhUWPYC4yuh6Edg5p/jxa4DAlsq/OgDI9pquE9aIt
+            6Dm9QYKZMsFj6xfgNl6VEK0KK34zi0EcBKm4wmfF8hw4o5T2U542iPzgKv53jbC2
-            F8cQMHfIkNP8/HiM/KwmdHoTJiy8YCwqP/UalSJdVw==
+            F1dn7GI8ZkSGDPlw7UWSIRLmRYilZhbR+2RJX23nXoarP9oxigCpqhIGBGizdBEx
-            =lnlW
+            PpUYQjiPUuytk/B3DP+0q01lVvdqcxchA3s88iZwc5GSwBfEMVJ2MJOFkiwIkttO
            9PkmtXAaFAt7jjRCzhH05/S7g9xt/1zid/lHCGKcfaZJqX6YIu9+mXeERsZ7OdMs
            uur8T7r14DC4ffPOYQR6BIfNZ3vPUyEP2/fSncAtyDFKO2Cc6ry3JvxBCdPGErjS
            XgFwk6xHtOsIU3ozokW3aupo5eSNBEPpfIK28P0ivouIZsU64sVJFjc7zPpZnaF+
            bEnAXMK8FrHvYZz3v4+LSaYZyoKWYly0wCWrSOZTEphTJHFrW/KsJ2hmVTpjS58=
            =qqF7
            -----END PGP MESSAGE-----
          fp: 535B61015823443941C744DD12264F6BBDFABA89
-        - created_at: "2022-10-12T00:46:51Z"
+        - created_at: "2024-03-02T21:16:50Z"
-          enc: |
+          enc: |-
            -----BEGIN PGP MESSAGE-----
-            hQIMA9ahl2ynTH87AQ/+ID/6Dcbat+YRvT8VpfKpZf2O6EFbI3dlPDkZ+f4yFW0R
+            hQIMA9ahl2ynTH87ARAApU/UkNVGbtqxwQ83Zl3f7Zp/PTIeLtcvmuOUjSnPYrYi
-            uGKkLR69utM8FoEn1XUkPG3klDk5t/gQikS/d1lPZ6cPOsVzY4P2Te6LizP25vCE
+            60H1ZPVJUhAv+gcTwRBZ+aN39mUI43qBgCjNu7Z7Bmevf+TXCvK1CwsxuxVbG1tl
-            cHkztZG/IuBCBfLp8xsEjF1OXEDnb7Klqd3aJuYrvJNm3SreNydRAGyM1E94+iQL
+            sL8FtVH0p8KETq+v8aylTzaV339BmEgnLOBLCE9oP+PhLEERqIT1sz5CeaI71z4F
-            zLrHF0WbD+dVdVG+ZoHKouGHVVmcxTkfi8Ce63pHKxOiMgqJLnImC357mle4DlJV
+            wETPCfJKEouCQpT0P6hSN1f/9h43PZDQQW5MLY2m1o8t+pFHfowADIlsAmZziXBf
-            1My0CPV9Y1ElY+W5s+a7sRgursR0AVOkuvWYT39VW+RmFpUZyRCgyW+L6ilCEcOV
+            t/IezzM7oo/QKITpLI8NND9nZfvG7leubG3L2TIL0xIgQeLBs4a+jfFSpt8DR0ii
-            VXJHf0IFylkqevh11BssIetHAtT8anqZ+wo3ON4gEHjcahufc1h8rOxEEsWe/qUC
+            YGf1RgrtpnlkA4B75KHTfEq1LMEn0wOJj89Z38x5MZEw3suUc8W+1PcKoKIgt4Dw
-            XZzfwilOsY/vKJ+GTz5Cp8XAviozQL5o2O5H9PiHxQl019QHZgprJclGMlukCBkR
+            RN4K+CS/4Ud8pNLoO+zZ4moRlM9ltWpCJ9kSHNeMShxtsIEPxkhh3CqWU+Ta/4er
-            Uo3h1Rl2na8JqcolAlFGQ1/QxsOnJ/KAmOpUZ7fZqG2qnsXnFjXcuqo+0e58odaT
+            1W2bkII2ieS4mLlJM6qqLYAb8VJpaKi3BQmB66KtDS4n4HEXvOO+nurmz9luKZZt
-            sZLIspvsEHBHKzsvUa6BT8bTc+GlsB3hFolBVdX4y9kTWuzxy0K6bKA9HMTf4FPW
+            1e3t8ABBowOu+LOVxUbx9DKFObBJ1CDDPQHxRDmGxeSz3ZccHlXsC83QSHCtcm8G
-            w2hIlvYhlgEx9MVqKLbemN3ye2rC3GRUBXxVXmlXBmb7nXPZCOGqL6nrvtsQ1E4h
+            uFtUZLOCaR0iB7DbEUX43p40xFZ5ieqY9XDC3uGJfzoEZRfaX05I3MX267EZBKSp
-            D9+sN+cvYh5lYPByjXYinT8TqFVpqX++qnpgHC+5c6WtDHlhRAyfIQK51wCyiZbS
+            H6kyYPnTBqI0UhIsDtd6AWd9huqOZ/TrWubTeDf07s6VDusMYrtE+WaVczaYUkPS
-            UAG6iDEbCWwD7uHZjDmVycC2R/0HnO+o9xMBI6teKYziFhvn8m7R9gzr7zn/0x3t
+            WAHYUCmSFUN5z3Emds26kMUQvWTKMvx8TgaEf9LwOfjo4LXhvNKjU5yi+hqZqlO8
-            dVMXtojhfbMPzYK0gT6xOn8SbYGH0MV7ddOm7+Kl3Z8Y
+            AOvcgnksjHUhonEl7GLaOvPPiyoB6F6ZuOFlzOeL1OB3QxJiEoRFbF8=
-            =zDer
+            =574h
            -----END PGP MESSAGE-----
          fp: 8a3737d48f1035fe6c3a0a8fd6a1976ca74c7f3b
        - created_at: "2024-03-02T21:16:50Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA0f3HaPlrXn5AQ/8Cvb9YhG/wYRhu+B3iSTCOq1xiPbCOPs9BcCg85G2yI+5
            LA8G18XVDpaxlT4lyOE3p4XEbJkP+ceLhNbldiQns9HCDQXanRonZndLjwSdEuRj
            /A/ql2Q27Xhad34Bu0n+hoNfQ2qKjjx6q5lbbKLIIGOvEBF35oImnWF+Vc2cYpzp
            J0PT/gkKkGnBCihiUrmpISU+7grFMFT59UnWSthCpACG8ocjzF0PBdzPOj2QSDiv
            eDiPEdd72KcGXVfRodrdAbApFXJx2goaxYobAFCyC7G3UHJTliCOEG/5PNSb8lSl
            Xv8NJnYI7bs8bRMFTvpEIsogrVeXy0yDl+qogQWPKYwpStn6yqOMIvs2C476nY/f
            llRLfjJLTEmPuq+JYhWfZ4o0tOZNECmq4DiAg30ePqThZNXJLNyk9sfkjuDz+zbh
            rYnJ1Xb1UM7ZKyjGcxSU9eAba0MBJpVZa/ZDrb4GjysPq+rsEb8LO6WPPbYfLbr/
            kfiK7e4Rv4AgUdd7NjRwBHJSjIFCul8I2hF4v/vp+da11CktPXC0sJNsYXWBR1I+
            FeKxc+WkLTfuS6evb8Y+UuyQkTDI3mb13QfXaX1V8I63LivdCE7zsTOlnOWPT1k7
            cqhQ2VpNxBtt7gNG7MAYHn9KAwGbyQ/Ma6Qx//ftjmf47b8qnZuJe8HEg0Nh5uDS
            WAGdbEL/ZXTT4ZxNm/QHVctZVzCAqDUMIkMK4vCCR+Bs8FvLFUo6YoVEnajqTSj8
            pkEyS0RuM68KTpivAjDhqlY4vJsMmiRBjx/q5rSwi29vOuhK9ttSj38=
            =KQd3
            -----END PGP MESSAGE-----
          fp: 0af7641adb8aa843136cf6d047f71da3e5ad79f9
    unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1
--- a/keys/staging.yaml
+++ b/keys/staging.yaml
@ -1,5 +1,5 @@
-gitea:
+forgejo:
-    metrics-token: ENC[AES256_GCM,data:T1NYXRWbruA=,iv:usgHYHwWJFbaEdHLO6JX3z/42MVheY2wu0YrXmnz2ng=,tag:W+B7pKGOc/wX/0My0dWY5w==,type:str]
+    metrics-token: ENC[AES256_GCM,data:HEDV/GK/WtI=,iv:ihPEusEGVUNZjjjxz2ys6Nfag/og4n7Cqmd4rroT6Ww=,tag:Brcv7XW6HfzzgF3emtuT2A==,type:str]
 grafana:
    adminPassword: ENC[AES256_GCM,data:dYfaxUpQpzA=,iv:j5wSem8C5+V4c5qRzXQJhsU7/FOtpvrnaEyFBmW6zJ4=,tag:oc8n3TkEbjF2gjuOobZuLA==,type:str]
    secretKey: ENC[AES256_GCM,data:Atruvh2MsNY=,iv:y2MaCUCEzGIydHp6G0DJHfk289S1is0twKm2oUYwDhM=,tag:nAWeg+YqaYqk6k22oBkAhQ==,type:str]
@ -26,8 +26,8 @@ sops:
    azure_kv: []
    hc_vault: []
    age: []
-    lastmodified: "2023-12-29T15:14:54Z"
+    lastmodified: "2023-12-30T14:09:03Z"
-    mac: ENC[AES256_GCM,data:yJUprLcfw4ypsrSlhot7vsavVqzaFlJoJeEC/DdTfKDoJ0L607r6aCfXtCSg+qrR5JA2bvEATwDJM5qgA2vbMhSOqmc3zT7yBPUKC4Sk24Me3IOOum2DhNID/l/PLtxUIk3Rzz49PJZECUsIKnT7k6KvZ5nWe5sEUupCBgdKjG4=,iv:Axpml84/6wgBxld94AB+Ybdo3r/7Bym6Lsj/49P7jWE=,tag:wXAx3AoopQS7i6rbo70AYg==,type:str]
+    mac: ENC[AES256_GCM,data:kuyzVV1Dhlb2LemqRzw2xPr9jtTWqSbFMv70LUEbRmsDpjwQsAIARgoaj32EXdDRTHYXBplTYieR7KvmxykL/8rkj0g4+IuRLY1TcbRS31Gi74FiXvV2apscHhQWXhHPHIHMbwZAfDSHdMrf8hPu28SC9QdbP3SXYNt28Imstrc=,iv:UALUiWGHlWEBmIVWeSyEa16ZdcDZvgtlpHETDV2CcRY=,tag:rxbd3ph+pPf11jup/CMEzw==,type:str]
    pgp:
        - created_at: "2023-12-29T15:25:27Z"
          enc: |
--- a/modules/default.nix
+++ b/modules/default.nix
@ -1,8 +1,23 @@
-{lib, ...}: let
+{
-  inherit (lib) mkOption types;
+  pkgs,
-in {
+  config,
  lib,
  ...
 }: {
  options.services.nginx.domain = lib.mkOption {
    type = lib.types.str;
    description = "The base domain name to append to virtual domain names";
  };
  config = {
    # Don't attempt to run acme if the domain name is not tlater.net
    systemd.services = let
      confirm = ''[[ "tlater.net" = ${config.services.nginx.domain} ]]'';
    in
      lib.mapAttrs' (cert: _:
        lib.nameValuePair "acme-${cert}" {
          serviceConfig.ExecCondition = ''${pkgs.runtimeShell} -c '${confirm}' '';
        })
      config.security.acme.certs;
  };
 }
Author	SHA1	Message	Date
Tristan Daniël Maat	1aa0bd089a	linode: Remove old server	2024-03-11 00:33:00 +01:00
Tristan Daniël Maat	b040b22e08	acme: Don't attempt to get certs if the domain is wrong	2024-03-11 00:33:00 +01:00
Tristan Daniël Maat	dd41fa1ac4	hetzner: Add new server config	2024-03-11 00:32:47 +01:00
Tristan Daniël Maat	3e1c95797c	WIP: gitea: Migrate to forgejo	2023-12-30 22:09:32 +01:00