harbor: add gitea

flake.lock

@@ -20,11 +20,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1755946532,
+        "lastModified": 1759499898,
-        "narHash": "sha256-POePremlUY5GyA1zfbtic6XLxDaQcqHN6l+bIxdT5gc=",
+        "narHash": "sha256-UNzYHLWfkSzLHDep5Ckb5tXc0fdxwPIrT+MY4kpQttM=",
         "owner": "hyprwm",
         "repo": "aquamarine",
-        "rev": "81584dae2df6ac79f6b6dae0ecb7705e95129ada",
+        "rev": "655e067f96fd44b3f5685e17f566b0e4d535d798",
         "type": "github"
       },
       "original": {
@@ -41,11 +41,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1757578366,
+        "lastModified": 1759439824,
-        "narHash": "sha256-gPxQdaX0sP/ddT1g/TFHstcvBSGFnrrDHNaU9WBGnRc=",
+        "narHash": "sha256-bOmAhQG3Ek2ZpNcnkFo3yiGeSmklk1uLm09BwDdnpWM=",
         "owner": "polygon",
         "repo": "audio.nix",
-        "rev": "598aacc9542ca3f933fd7b63821587c566568e18",
+        "rev": "8595d27a844a11bd14819de330ce6c9f724923bb",
         "type": "github"
       },
       "original": {
@@ -82,11 +82,11 @@
       },
       "locked": {
         "dir": "pkgs/firefox-addons",
-        "lastModified": 1758427412,
+        "lastModified": 1760846615,
-        "narHash": "sha256-VbVedyzFU0URoEccHZOzZI3tuCVfGFz12F1/bFdDyAk=",
+        "narHash": "sha256-ept30QIKVAx/f7fHBGIfCPhPdZNd4yaBTq2Frz1LkFM=",
         "owner": "rycee",
         "repo": "nur-expressions",
-        "rev": "72d7daed5a5e07593b70a3ab26ad0fdecadc49c3",
+        "rev": "afeaf06f6cbc7fd65e8cdbe53ddf3f3c643b36d1",
         "type": "gitlab"
       },
       "original": {
@@ -216,11 +216,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1758192433,
+        "lastModified": 1759490292,
-        "narHash": "sha256-CR6RnqEJSTiFgA6KQY4TTLUWbZ8RBnb+hxQqesuQNzQ=",
+        "narHash": "sha256-T6iWzDOXp8Wv0KQOCTHpBcmAOdHJ6zc/l9xaztW6Ivc=",
         "owner": "hyprwm",
         "repo": "hyprgraphics",
-        "rev": "c44e749dd611521dee940d00f7c444ee0ae4cfb7",
+        "rev": "9431db625cd9bb66ac55525479dce694101d6d7a",
         "type": "github"
       },
       "original": {
@@ -247,11 +247,11 @@
         "xdph": "xdph"
       },
       "locked": {
-        "lastModified": 1758383869,
+        "lastModified": 1760874867,
-        "narHash": "sha256-L93loAJMQzETzHt4zkaKeKgKyMiV1HvGeFCmr6jW2Xg=",
+        "narHash": "sha256-w2JettCPyqWKMYoJRCTc5/nsSvGrSV9jG4kbn8Q0pZk=",
         "owner": "hyprwm",
         "repo": "Hyprland",
-        "rev": "41dad381770300fe1015ad8cdd1f370a8fd4e5d5",
+        "rev": "59ff7b2f891d06f4097128faf7027a3863542167",
         "type": "github"
       },
       "original": {
@@ -277,11 +277,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1758382384,
+        "lastModified": 1760659005,
-        "narHash": "sha256-tF9YAZlU8WrtLhEeB7p/TEwZrUM5P6JQ1q4giLh8YZ8=",
+        "narHash": "sha256-wyS6tXYJuzbwckOeaCoRtT4qIG2UZ0YvSZx7EBNjTV0=",
         "owner": "hyprwm",
         "repo": "hyprland-plugins",
-        "rev": "c8b2be350290e77e5cb8d482cde6b4c7e7f62099",
+        "rev": "a5a6f93d72d5fb37e78b98c756cfd8b340e71a19",
         "type": "github"
       },
       "original": {
@@ -370,11 +370,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1757694755,
+        "lastModified": 1759080228,
-        "narHash": "sha256-j+w5QUUr2QT/jkxgVKecGYV8J7fpzXCMgzEEr6LG9ug=",
+        "narHash": "sha256-RgDoAja0T1hnF0pTc56xPfLfFOO8Utol2iITwYbUhTk=",
         "owner": "hyprwm",
         "repo": "hyprland-qtutils",
-        "rev": "5ffdfc13ed03df1dae5084468d935f0a3f2c9a4c",
+        "rev": "629b15c19fa4082e4ce6be09fdb89e8c3312aed7",
         "type": "github"
       },
       "original": {
@@ -399,11 +399,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1756810301,
+        "lastModified": 1758927902,
-        "narHash": "sha256-wgZ3VW4VVtjK5dr0EiK9zKdJ/SOqGIBXVG85C3LVxQA=",
+        "narHash": "sha256-LZgMds7M94+vuMql2bERQ6LiFFdhgsEFezE4Vn+Ys3A=",
         "owner": "hyprwm",
         "repo": "hyprlang",
-        "rev": "3d63fb4a42c819f198deabd18c0c2c1ded1de931",
+        "rev": "4dafa28d4f79877d67a7d1a654cddccf8ebf15da",
         "type": "github"
       },
       "original": {
@@ -424,11 +424,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1756117388,
+        "lastModified": 1759619523,
-        "narHash": "sha256-oRDel6pNl/T2tI+nc/USU9ZP9w08dxtl7hiZxa0C/Wc=",
+        "narHash": "sha256-r1ed7AR2ZEb2U8gy321/Xcp1ho2tzn+gG1te/Wxsj1A=",
         "owner": "hyprwm",
         "repo": "hyprutils",
-        "rev": "b2ae3204845f5f2f79b4703b441252d8ad2ecfd0",
+        "rev": "3df7bde01efb3a3e8e678d1155f2aa3f19e177ef",
         "type": "github"
       },
       "original": {
@@ -506,11 +506,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1757943327,
+        "lastModified": 1760106635,
-        "narHash": "sha256-w6cDExPBqbq7fTLo4dZ1ozDGeq3yV6dSN4n/sAaS6OM=",
+        "narHash": "sha256-2GoxVaKWTHBxRoeUYSjv0AfSOx4qw5CWSFz2b+VolKU=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "67a709cfe5d0643dafd798b0b613ed579de8be05",
+        "rev": "9ed85f8afebf2b7478f25db0a98d0e782c0ed903",
         "type": "github"
       },
       "original": {
@@ -554,11 +554,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1758277210,
+        "lastModified": 1760524057,
-        "narHash": "sha256-iCGWf/LTy+aY0zFu8q12lK8KuZp7yvdhStehhyX1v8w=",
+        "narHash": "sha256-EVAqOteLBFmd7pKkb0+FIUyzTF61VKi7YmvP1tw4nEw=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "8eaee110344796db060382e15d3af0a9fc396e0e",
+        "rev": "544961dfcce86422ba200ed9a0b00dd4b1486ec5",
         "type": "github"
       },
       "original": {
@@ -570,11 +570,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1758346548,
+        "lastModified": 1760580664,
-        "narHash": "sha256-afXE7AJ7MY6wY1pg/Y6UPHNYPy5GtUKeBkrZZ/gC71E=",
+        "narHash": "sha256-/YdfibIrnqXAL8p5kqCU345mzpHoOtuVIkMiI2pF4Dc=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "b2a3852bd078e68dd2b3dfa8c00c67af1f0a7d20",
+        "rev": "98ff3f9af2684f6136c24beef08f5e2033fc5389",
         "type": "github"
       },
       "original": {
@@ -594,11 +594,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1758185783,
+        "lastModified": 1759321049,
-        "narHash": "sha256-6fX2CG8PzdBNwJGBISnf/nVHUVMZdCsekT1mP672Uh8=",
+        "narHash": "sha256-8XkU4gIrLT2DJZWQyvsP5woXGZF5eE/7AnKfwQkiwYU=",
         "owner": "pjones",
         "repo": "plasma-manager",
-        "rev": "6a7d78cebd9a0f84a508bec9bc47ac504c5f51f4",
+        "rev": "205dcfd4a30d4a5d1b4f28defee69daa7c7252cd",
         "type": "github"
       },
       "original": {
@@ -674,11 +674,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1758425756,
+        "lastModified": 1760845571,
-        "narHash": "sha256-L3N8zV6wsViXiD8i3WFyrvjDdz76g3tXKEdZ4FkgQ+Y=",
+        "narHash": "sha256-PwGzU3EOU65Ef1VvuNnVLie+l+P0g/fzf/PGUG82KbM=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "e0fdaea3c31646e252a60b42d0ed8eafdb289762",
+        "rev": "9c9a9798be331ed3f4b2902933d7677d0659ee61",
         "type": "github"
       },
       "original": {

home/jonas@comfy-station.nix

@@ -1,4 +1,8 @@
-{config, ...}: rec {
+{
+  config,
+  pkgs,
+  ...
+}: {
   imports = [
     (./. + "/jonas@comfy-station/" + /borg.nix)
   ];
@@ -9,7 +13,7 @@
   home.homeDirectory = "/home/jonas";
 
   sops = {
-    age.keyFile = "${home.homeDirectory}/.config/sops/age/keys.txt";
+    age.keyFile = "${config.home.homeDirectory}/.config/sops/age/keys.txt";
   };
 
   # hive modules
@@ -94,4 +98,17 @@
       key = "4000EB35E1AE0F07";
     };
   };
+
+  programs.jujutsu = {
+    enable = true;
+    settings = {
+      user = {
+        name = config.programs.git.userName;
+        email = config.programs.git.userEmail;
+      };
+      ui = {
+        diff-formatter = ["${pkgs.difftastic}/bin/difft" "--color=always" "$left" "$right"];
+      };
+    };
+  };
 }

hosts/comfy-station/configuration.nix

@@ -68,10 +68,10 @@
     firefox
     gimp
     git
+    (gnome-network-displays.overrideAttrs (final: prev: {buildInputs = prev.buildInputs ++ [glib-networking];}))
     insomnia
     krita
     libreoffice
-    miraclecast
     mosquitto
     mpv
     mupdf
@@ -95,6 +95,7 @@
   nixpkgs.config.permittedInsecurePackages = [
     "electron-25.9.0" # required by obsidian
   ];
+  services.avahi.enable = true;
   services.udev.packages = [pkgs.openhantek6022];
   virtualisation.docker.enable = true;
 

hosts/harbor/configuration.nix

@@ -18,6 +18,10 @@
     sopsFile = ../../secrets/harbor/wg.yaml;
     key = "privateKey";
   };
+  sops.secrets."gitea-db-pass" = {
+    sopsFile = ../../secrets/harbor/gitea.yaml;
+    key = "databasePassword";
+  };
 
   # Configure nix and garbage collection
   nix = {
@@ -50,6 +54,9 @@
   };
 
   # hive modules
+  hive.gitea-instance.enable = true;
+  hive.gitea-instance.instanceFQDN = "git.jroeger.de";
+  hive.gitea-instance.databasePasswordFile = config.sops.secrets.gitea-db-pass.path;
   hive.nextcloud-instance.enable = true;
   hive.nextcloud-instance.ssl = true;
   hive.nextcloud-instance.adminPasswordFile = config.sops.secrets.nextcloud-admin-pass.path;

modules/bin/nix-scripts.nix

@@ -86,9 +86,10 @@
         ${pkgs.git}/bin/git switch "$branch_current"
       fi
 
-      nix store diff-closures \
+      nix store --log-format internal-json -v diff-closures \
           '.?ref='"$branch_current"'#nixosConfigurations.'"$(${pkgs.hostname}/bin/hostname)"'.config.system.build.toplevel' \
-          '.?ref='"$branch_staging"'#nixosConfigurations.'"$(${pkgs.hostname}/bin/hostname)"'.config.system.build.toplevel'
+          '.?ref='"$branch_staging"'#nixosConfigurations.'"$(${pkgs.hostname}/bin/hostname)"'.config.system.build.toplevel' \
+          |& ${pkgs.nix-output-monitor}/bin/nom --json
 
       popd
     '';

modules/default.nix

@@ -27,6 +27,7 @@
       ./programs/games.nix
       ./programs/spotify-shortcuts.nix
       ./services/borg-server.nix
+      ./services/gitea-instance.nix
       ./services/kdeconnect.nix
       ./services/nextcloud-instance.nix
       ./services/virt-manager.nix

modules/services/gitea-instance.nix

@@ -0,0 +1,70 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  cfg = config.hive.gitea-instance;
+in {
+  options.hive.gitea-instance = {
+    enable = lib.mkEnableOption "Enable the Gitea instance";
+
+    instanceFQDN = lib.mkOption {
+      type = lib.types.singleLineStr;
+      example = "git.example.com";
+      description = "Fully qualified domain name of the Gitea instance";
+    };
+
+    databasePasswordFile = lib.mkOption {
+      type = lib.types.path;
+      example = "/etc/gitea-db-pass.txt";
+      description = "Path to the file containing the Gitea database password";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # Gitea instance
+    services.gitea = {
+      enable = true;
+      appName = "Git yourself some Tea!";
+      database = {
+        name = "gitea";
+        type = "postgres";
+        passwordFile = cfg.databasePasswordFile;
+      };
+      settings = {
+        server.PROTOCOL = "http+unix";
+        server.ROOT_URL = "https://${cfg.instanceFQDN}/";
+        server.DOMAIN = cfg.instanceFQDN;
+      };
+    };
+
+    # Fallback server with only 403
+    services.nginx.virtualHosts.${config.networking.domain} = lib.mkDefault {
+      default = true;
+      locations."/".return = 403;
+      forceSSL = true;
+      enableACME = true;
+    };
+
+    # Virtual host for gitea
+    services.nginx.virtualHosts."${cfg.instanceFQDN}" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        proxyPass = "http://unix:/run/gitea/gitea.sock";
+      };
+    };
+
+    # Database setup
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [config.services.gitea.user];
+      ensureUsers = [
+        {
+          name = config.services.gitea.database.user;
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+  };
+}

secrets/harbor/gitea.yaml

@@ -0,0 +1,25 @@
+databasePassword: ENC[AES256_GCM,data:D0pt10IJXbmx5Fj/yvMxyPjVPGctrQ==,iv:OiBSQIr4/lLCAV2mlIBfIfiVT51SeTGU1xJustlXZes=,tag:6FRtjip5pR7PeaJXRw1DVw==,type:str]
+sops:
+    age:
+        - recipient: age1wf0rq27v0n27zfy0es8ns3n25e2fdt063dgn68tt3f89rgrtu9csq4yhsp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNMnU3bE51SGhMbnFJZitN
+            RGJTMVBndVBhVVFGTVhHTU5BbWxEVnBMRjM4CnNZTy94T3h5TlZlNFdFV3JKVzEw
+            R1Y4dzNOYnR4TE9GN3E0ejNjVklHUzgKLS0tIHd2YUdXRnBtaFVjdDlOVi9wVjRJ
+            MVFrRDc3VkwxTDBqZkJNbmtGYXJkOEUK2N0kZdgCYYmGdgTdozqMSfEPOtWvol9X
+            CqVW0cp4BbycA1yV14H555ywFkz2n9tp8vuapt7FP1guFGiVYxK5Wg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1expg8vyduf290pz7l4f3mjzvk9f0azfdn48pyjzs3m6p7v4qjq0qwtn36z
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtNXhsTzNrQkwyQnJXdU1x
+            ZHZMNkdqV1NzRnRwQktrRzMzenRnTDFwTmx3CnB2UDJUbUJvcE5zbzlqRlFtUjdt
+            MU1JNGlJOUtMUE1MQzhZdmF2M0I0c3MKLS0tICsxUTFTbm5udUMyRyt0VnprU3dG
+            c1N5VHJZY1JkSCtPTGdHQlI1QUxQZncKzHuz+/0jj/0AL2atUTw56fL8J3bKBNmg
+            hCIsy3SeMeNXs2KN/yka3mfvzoCHeqHRXhQr8MzTkHaGmUhCv5ix/A==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-10-20T22:17:16Z"
+    mac: ENC[AES256_GCM,data:hN0eKuZyls/R5fbL7+U5INi0cq/TYVdTR9PYqgsrPWJL+HtN6KA6ZpaWR27ZBLv9/zB6FHPTg2Js+RQqYE6CZP+0scIx4p5uUe+kUV3qfX3/ZL6wh0vHpn8Jv+Y2NE8OMTeztYSqSDfTgqxeOfY0AchgMFiwgNITDl0IBrPfRSY=,iv:nY5bDlzNGc3N1xU5Zgt/aBgcelfvO5JEuf3sMVNfS14=,tag:oAhw2ZjGA0/DEISS4aqvkA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.11.0