diff --git a/nixos/CLAUDE.md b/nixos/CLAUDE.md
index 5bbdc16..9fb7a2f 100644
--- a/nixos/CLAUDE.md
+++ b/nixos/CLAUDE.md
@@ -99,3 +99,4 @@ Note: `secrets/default.nix` is the agenix recipients file. Agenix looks for `sec
 - `gitea-runner` is a `DynamicUser` in the systemd service, so it has no persistent uid. Setting `age.secrets.forgejo-runner-token.owner = "gitea-runner"` causes a chown error at activation; use `owner = "root"` instead (the service reads it via `EnvironmentFile` which runs as root before privilege drop).
 - `secrets/default.nix` must have the public key from `keys/mainframe.pub` as the recipient — if the host SSH keys change, you must also update `mainframe.pub` and re-key all secrets.
 - `pullomatic` uses `/root/.ssh/id_rsa.pem` (a PEM-format SSH key) to pull private git repos.
+- **ACME cyclic dependency list**: `linux.nix` has a `systemd.services.nginx.after = lib.mkForce [...]` list that breaks a systemd cycle between nginx and ACME services. Every new domain added with `enableACME = true` in `nginx.nix` **must** also have its `acme-selfsigned-.service` added to this list in `linux.nix`, otherwise nixos-rebuild will fail with a cyclic dependency error.
diff --git a/nixos/linux.nix b/nixos/linux.nix
index 4ae7cb8..834e102 100644
--- a/nixos/linux.nix
+++ b/nixos/linux.nix
@@ -377,6 +377,7 @@ in {
 "acme-selfsigned-coldairnetworks.com.service"
 "acme-selfsigned-fbksdigital.com.service"
 "acme-selfsigned-forge.quinefoundation.com.service"
+"acme-selfsigned-hyper.quineglobal.com.service"
 "acme-selfsigned-pdxdestiny.com.service"
 "acme-selfsigned-philippeterson.com.service"
 "acme-selfsigned-riverside.coldairnetworks.com.service"
diff --git a/nixos/nginx.nix b/nixos/nginx.nix
index c704045..5d7789c 100644
--- a/nixos/nginx.nix
+++ b/nixos/nginx.nix
@@ -149,9 +149,9 @@
 };
 "hyper.quineglobal.com" = {
-enableACME = false;
+enableACME = true;
 forceSSL = false;
-addSSL = false;
+addSSL = true;
 locations."/" = {
 proxyPass = "http://127.0.0.1:3013/";
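Review bot: The `after` list that the added `"acme-selfsigned-hyper.quineglobal.com.service"` entry extends in linux.nix is maintained by hand and has to mirror every virtual host in nginx.nix that sets `enableACME = true` (the CLAUDE.md hunk in this same commit records that a missing entry fails nixos-rebuild with a cyclic dependency error), so the two files will drift again the next time a host is added. If every entry in this list is an `acme-selfsigned-*.service` for an ACME-enabled host, it can be derived from the nginx configuration so the coupling is enforced rather than remembered: `after = lib.mkForce (map (host: "acme-selfsigned-${host}.service") (lib.attrNames (lib.filterAttrs (_: vh: vh.enableACME) config.services.nginx.virtualHosts)));` — this assumes `config` is among the module's arguments and that the list carries no other entries, both of which are outside the hunk. If the hand-written list is kept, a comment above it naming the dependency would at least put the rule next to the code: `# Keep in sync with every enableACME = true host in nginx.nix; a missing entry produces a systemd dependency cycle.` The `systemd.services.nginx.after = lib.mkForce [` line that opens this list begins outside the hunk.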