Merge branch 'forgejo'

modules/hosts/janus/default.nix

@@ -4,30 +4,31 @@ let
   hostname = "janus";
   ca-url = "https://janus.john-stream.com/";
   fingerprint = "2036c44f7b5901566ff7611ea6c927291ecc6d2dd00779c0eead70ec77fa10d6";
-
 in
 {
-  flake.modules.nixos.janus-ca = { config, lib, ... }:
-  let
-    johnHome = lib.attrByPath [ "users" "users" username "home" ] "/home/${username}" config;
-    johnGroup = lib.attrByPath [ "users" "users" username "group" ] username config;
-    mkStepRules = home: user: group: [
-      "d ${home}/.step 0700 ${user} ${group} -"
-      "d ${home}/.step/config 0700 ${user} ${group} -"
-      "d ${home}/.step/certs 0700 ${user} ${group} -"
-      "L+ ${home}/.step/config/defaults.json - - - - /etc/step/config/defaults.json"
-      "L+ ${home}/.step/certs/root_ca.crt - - - - /etc/step/certs/root_ca.crt"
-    ];
-  in {
-    environment.etc."step/config/defaults.json".text = builtins.toJSON {
-      inherit ca-url fingerprint;
-      root = "/etc/step/certs/root_ca.crt";
+  flake.modules.nixos.janus-ca =
+    { config, lib, ... }:
+    let
+      johnHome = lib.attrByPath [ "users" "users" username "home" ] "/home/${username}" config;
+      johnGroup = lib.attrByPath [ "users" "users" username "group" ] username config;
+      mkStepRules = home: user: group: [
+        "d ${home}/.step 0700 ${user} ${group} -"
+        "d ${home}/.step/config 0700 ${user} ${group} -"
+        "d ${home}/.step/certs 0700 ${user} ${group} -"
+        "L+ ${home}/.step/config/defaults.json - - - - /etc/step/config/defaults.json"
+        "L+ ${home}/.step/certs/root_ca.crt - - - - /etc/step/certs/root_ca.crt"
+      ];
+    in
+    {
+      environment.etc."step/config/defaults.json".text = builtins.toJSON {
+        inherit ca-url fingerprint;
+        root = "/etc/step-ca/certs/root_ca.crt";
+      };
+      environment.etc."step-ca/certs/root_ca.crt".source = ./root_ca.crt;
+      systemd.tmpfiles.rules =
+        mkStepRules johnHome username johnGroup
+        ++ mkStepRules "/root" "root" "root";
     };
-    environment.etc."step/certs/root_ca.crt".source = ./root_ca.crt;
-    systemd.tmpfiles.rules =
-      mkStepRules johnHome username johnGroup
-      ++ mkStepRules "/root" "root" "root";
-  };
 
   flake.modules.homeManager.janus-ca = { config, ... }: {
     home.file.".step/config/defaults.json".text = builtins.toJSON {
@@ -73,4 +74,23 @@ in
       }
     ];
   };
+
+  flake-file.inputs = {
+    wrappers = {
+      url = "github:lassulus/wrappers";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+  };
+
+  perSystem = { pkgs, lib, ... }: {
+    packages.janus-ca = inputs.wrappers.lib.wrapPackage {
+      inherit pkgs;
+      package = pkgs.step-cli;
+      binName = "janus-cert";
+      args = [
+        "ca" "certificate"
+        "--ca-url=${ca-url}"
+      ];
+    };
+  };
 }

modules/hosts/john-p14s/configuration.nix

@@ -5,7 +5,7 @@
       hostname = "john-p14s";
       homeDirectory = config.home-manager.users.john.home.homeDirectory;
       flakeDir = "${homeDirectory}/Documents/dendritic";
-      my-neovim = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim
+      my-neovim = inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim;
     in
     {
       imports = [
@@ -130,6 +130,7 @@
             appdaemon = true;
             homelab = true;
             dev = true;
+            certs = true;
           };
         }
       ];

modules/hosts/john-pc/default.nix

@@ -3,7 +3,7 @@ let
   username = "john";
   hostname = "john-pc-ubuntu";
 
-  testHost = "soteria";
+  testHost = "soteria"; # which host to test build
   testTarget = "fded:fb16:653e:25da:be24:11ff:fea0:753f"; # test-nix
   # testTarget = "fded:fb16:653e:25da:be24:11ff:fe89:1cc3"; # soteria
 
@@ -12,8 +12,6 @@ in
   flake.modules.homeManager."${hostname}" = { config, pkgs, lib, ... }:
   let
     flakeDir = "${config.xdg.configHome}/home-manager/jsl-dendritic";
-    certDir = "${config.mtls.certDir}";
-    mtlsBundle = "${certDir}/${config.mtls.bundleFilename}";
     resticPasswordFile = "${config.xdg.configHome}/restic/password.txt";
 
     testPushCmd = (pkgs.writeShellScriptBin "test-push" ''

modules/hosts/soteria/soteria.nix

@@ -14,6 +14,7 @@ in
       nixos.docker
       nixos.mtls
       nixos.janus-ca
+      nixos.forgejo
       # nixos.restic-server
       # nixos.restic-envoy
       ({ pkgs, ... }: {
@@ -60,6 +61,13 @@ in
             homeManager."${hostname}"
           ];
         };
+
+        environment.systemPackages = [
+          inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.janus-ca
+          inputs.self.packages.${pkgs.stdenv.hostPlatform.system}.my-neovim
+        ];
+
+        forgejo.enable = true;
       })
     ];
   };