forgejo cert todo

flake.nix

@@ -77,10 +77,15 @@
           ./system/hardware/arielle.nix
           ./system
           ./system/web-server
+
+          #infrastructure
+          ./system/web-server/mail
           ./system/web-server/radicale.nix
           ./system/web-server/outline.nix
-          ./system/web-server/jenkins.nix
+          ./system/web-server/forgejo.nix
-          ./system/web-server/mail
+          # ./system/web-server/jenkins.nix
+
+          # web hosting
           ./system/web-server/oopsidentify.nix
           ./system/web-server/fundkorb-button.nix
           ./system/web-server/ksh-map.nix

system/web-server/forgejo.nix

@@ -10,11 +10,10 @@ in
 {
 
   security.acme.certs."${config.networking.domain}".extraDomainNames = [
-    "outline.${config.networking.domain}"
+    "git.ktiu.net"
   ];
 
-  services.nginx = {
+  services.nginx.virtualHosts."${srv.DOMAIN}" = {
-    virtualHosts.${cfg.settings.server.DOMAIN} = {
     forceSSL = true;
     useACMEHost = config.networking.domain;
     locations."/".proxyPass = "http://localhost:${toString srv.HTTP_PORT}";
@@ -22,7 +21,6 @@ in
       client_max_body_size 512M;
     '';
   };
-  };
 
   services.forgejo = {
 
@@ -37,11 +35,11 @@ in
         DOMAIN = "git.${config.networking.domain}";
         # You need to specify this to remove the port from URLs in the web UI.
         ROOT_URL = "https://${srv.DOMAIN}/"; 
-        HTTP_PORT = 3000;
+        HTTP_PORT = 3080;
       };
 
       # You can temporarily allow registration to create an admin user.
-      # service.DISABLE_REGISTRATION = true; 
+      service.DISABLE_REGISTRATION = true; 
       # Add support for actions, based on act: https://github.com/nektos/act
 
       actions = {

system/web-server/ksh-map.nix

@@ -4,7 +4,6 @@
   services.nginx.virtualHosts."karte.kein-schlussstrich-hessen.org" = {
     forceSSL = true;
     enableACME = true;
-    onlySSL = true;
     root = "/var/www/ksh-map/dist";
   };
 }

system/web-server/mail/postfix.nix

@@ -51,8 +51,12 @@ in {
       "[::1]/128"
     ];
 
-    sslKey = config.security.acme.certs."${config.networking.fqdn}-postfix".directory + "/key.pem";
+    settings.main.smtpd_tls_chain_files = [
-    sslCert = config.security.acme.certs."${config.networking.fqdn}-postfix".directory + "/cert.pem";
+      "${config.security.acme.certs."${config.networking.fqdn}-postfix".directory + "/key.pem"}"
+      "${config.security.acme.certs."${config.networking.fqdn}-postfix".directory + "/cert.pem"}"
+    ];
+    # sslKey = config.security.acme.certs."${config.networking.fqdn}-postfix".directory + "/key.pem";
+    # sslCert = config.security.acme.certs."${config.networking.fqdn}-postfix".directory + "/cert.pem";
 
     enableSubmission = true;
     submissionOptions = {