This commit is contained in:
Philip Peterson 2026-05-25 23:19:34 -08:00
parent 31bb508d8f
commit 005b8e62e5
3 changed files with 4 additions and 2 deletions


@ -99,3 +99,4 @@ Note: `secrets/default.nix` is the agenix recipients file. Agenix looks for `sec
- `gitea-runner` is a `DynamicUser` in the systemd service, so it has no persistent uid. Setting `age.secrets.forgejo-runner-token.owner = "gitea-runner"` causes a chown error at activation; use `owner = "root"` instead (the service reads it via `EnvironmentFile` which runs as root before privilege drop).
- `secrets/default.nix` must have the public key from `keys/mainframe.pub` as the recipient — if the host SSH keys change, you must also update `mainframe.pub` and re-key all secrets.
- `pullomatic` uses `/root/.ssh/id_rsa.pem` (a PEM-format SSH key) to pull private git repos.
- **ACME cyclic dependency list**: `linux.nix` has a `systemd.services.nginx.after = lib.mkForce [...]` list that breaks a systemd cycle between nginx and ACME services. Every new domain added with `enableACME = true` in `nginx.nix` **must** also have its `acme-selfsigned-<domain>.service` added to this list in `linux.nix`, otherwise nixos-rebuild will fail with a cyclic dependency error.
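Review bot: the new bullet should spell out that `lib.mkForce` replaces the module's entire `systemd.services.nginx.after` list, not just the ACME-related entries, so any other ordering the NixOS nginx module would normally add is dropped and must be re-listed by hand in `linux.nix`. It would also help to note that this list is a manual mirror of every `enableACME = true` host in `nginx.nix` and point at the exact location in `linux.nix`, since the doc is the only thing stopping the two from drifting apart.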


@ -377,6 +377,7 @@ in {
"acme-selfsigned-coldairnetworks.com.service"
"acme-selfsigned-fbksdigital.com.service"
"acme-selfsigned-forge.quinefoundation.com.service"
"acme-selfsigned-hyper.quineglobal.com.service"
"acme-selfsigned-pdxdestiny.com.service"
"acme-selfsigned-philippeterson.com.service"
"acme-selfsigned-riverside.coldairnetworks.com.service"
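Review bot: adding `"acme-selfsigned-hyper.quineglobal.com.service"` by hand keeps the list correct for this commit, but the list duplicates the set of ACME-enabled virtual hosts in `nginx.nix` and the README's own note says a missed entry breaks `nixos-rebuild`. Consider deriving it instead, e.g. `lib.mapAttrsToList (name: _: "acme-selfsigned-${name}.service") (lib.filterAttrs (_: vh: vh.enableACME) config.services.nginx.virtualHosts)`, so a future `enableACME = true` cannot be added without its ordering entry.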


@ -149,9 +149,9 @@
};
"hyper.quineglobal.com" = {
enableACME = false;
enableACME = true;
forceSSL = false;
addSSL = false;
addSSL = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3013/";
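Review bot: with `addSSL = true` and `forceSSL = false` left unchanged, `hyper.quineglobal.com` now serves the proxied backend at `http://127.0.0.1:3013/` over both plain HTTP and HTTPS, so clients can still reach it unencrypted. If the intent of enabling ACME is to move the host to TLS, use `forceSSL = true` (which redirects HTTP to HTTPS) in place of `addSSL = true`; if plain HTTP is deliberately kept, a short comment here would prevent the next reader from "fixing" it.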