fix(etna): switch forgejo to vesuvio proxy

ssh url now matches https!!! yay!!!

systems/etna/dendrite.nix

@@ -91,35 +91,5 @@ in
         }
       ];
     };
-
-    nginx.virtualHosts."m.uku.moe".locations =
-      let
-        server = {
-          "m.server" = "m.uku.moe:443";
-        };
-        client = {
-          "m.homeserver"."base_url" = "https://m.uku.moe";
-        };
-      in
-      {
-        "=/.well-known/matrix/server" = {
-          return = "200 '${builtins.toJSON server}'";
-        };
-
-        "=/.well-known/matrix/client" = {
-          return = "200 '${builtins.toJSON client}'";
-        };
-
-        "/" = {
-          proxyPass = "http://localhost:8008";
-          proxyWebsockets = true;
-          extraConfig = ''
-            proxy_set_header Host      $host;
-            proxy_set_header X-Real-IP $remote_addr;
-            proxy_read_timeout         600;
-            client_max_body_size       100M;
-          '';
-        };
-      };
   };
 }

systems/etna/forgejo.nix

@@ -20,8 +20,6 @@ in
 {
   imports = [ secrets.generate ];
 
-  cfTunnels."git.uku3lig.net" = "http://localhost:3000";
-
   services = {
     forgejo = {
       enable = true;
@@ -42,9 +40,11 @@ in
 
         server = {
           ROOT_URL = "https://git.uku3lig.net";
+          HTTP_ADDR = "0.0.0.0";
+          HTTP_PORT = 3000;
           START_SSH_SERVER = true;
           BUILTIN_SSH_SERVER_USER = "git";
-          SSH_DOMAIN = "ssh.uku.moe";
+          SSH_DOMAIN = "git.uku3lig.net";
           SSH_LISTEN_PORT = 2222;
         };
 
@@ -120,7 +120,7 @@ in
         name = "forgejo-ssh";
         type = "tcp";
         localIp = "127.0.0.1";
-        localPort = 2222;
+        localPort = config.services.forgejo.settings.server.SSH_LISTEN_PORT;
         remotePort = 22;
       }
     ];

systems/etna/immich.nix

@@ -1,12 +1,7 @@
-{ config, _utils, ... }:
-let
-  frp = _utils.mkFrpPassthrough "immich" config.services.immich.port;
-in
 {
-  imports = [ frp ];
-
   services.immich = {
     enable = true;
+    host = "0.0.0.0";
 
     settings = null;
     mediaLocation = "/data/immich";

systems/vesuvio/default.nix

@@ -16,7 +16,6 @@
   ];
 
   services = {
-    nginx.enable = true;
     openssh = {
       ports = [ 4269 ];
       openFirewall = true;

systems/vesuvio/nginx.nix

@@ -1,52 +1,92 @@
 {
-  services.nginx.virtualHosts = {
+  services.nginx = {
-    # default server
+    enable = true;
-    "vps.uku3lig.net" = {
+    virtualHosts = {
-      default = true;
+      # default server
-      addSSL = true;
+      "vps.uku3lig.net" = {
-      enableACME = true;
+        default = true;
-      locations."/".return = "404";
+        addSSL = true;
-    };
+        enableACME = true;
-
+        locations."/".return = "404";
-    # immich
-    "im.uku.moe" = {
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://localhost:2283";
-        proxyWebsockets = true;
       };
 
-      extraConfig = ''
+      # immich
-        client_max_body_size 5000M;
+      "im.uku.moe" = {
-        proxy_read_timeout 600s;
+        forceSSL = true;
-        proxy_send_timeout 600s;
+        enableACME = true;
-        send_timeout 600s;
+        locations."/" = {
-      '';
+          proxyPass = "http://etna:2283";
-    };
+          proxyWebsockets = true;
+        };
 
-    # dendrite
+        extraConfig = ''
-    "m.uku.moe" = {
+          client_max_body_size 5000M;
-      forceSSL = true;
+          proxy_read_timeout 600s;
-      enableACME = true;
+          proxy_send_timeout 600s;
-      locations."/" = {
+          send_timeout 600s;
-        proxyPass = "http://etna:80";
+        '';
-        recommendedProxySettings = true;
-      };
-    };
-
-    "zipline.uku3lig.net" = {
-      serverAliases = [ "v.uku.moe" ];
-      forceSSL = true;
-      enableACME = true;
-      locations."/" = {
-        proxyPass = "http://etna:3001";
-        recommendedProxySettings = true;
       };
 
-      extraConfig = ''
+      # dendrite
-        client_max_body_size 1000M;
+      "m.uku.moe" = {
-      '';
+        forceSSL = true;
+        enableACME = true;
+        locations =
+          let
+            server = {
+              "m.server" = "m.uku.moe:443";
+            };
+            client = {
+              "m.homeserver"."base_url" = "https://m.uku.moe";
+            };
+          in
+          {
+            "=/.well-known/matrix/server" = {
+              return = "200 '${builtins.toJSON server}'";
+            };
+
+            "=/.well-known/matrix/client" = {
+              return = "200 '${builtins.toJSON client}'";
+            };
+
+            "/" = {
+              proxyPass = "http://etna:8008";
+              proxyWebsockets = true;
+              extraConfig = ''
+                proxy_set_header Host      $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_read_timeout         600;
+                client_max_body_size       100M;
+              '';
+            };
+          };
+      };
+
+      "zipline.uku3lig.net" = {
+        serverAliases = [ "v.uku.moe" ];
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://etna:3001";
+          recommendedProxySettings = true;
+        };
+
+        extraConfig = ''
+          client_max_body_size 1000M;
+        '';
+      };
+
+      "git.uku3lig.net" = {
+        forceSSL = true;
+        enableACME = true;
+        locations."/" = {
+          proxyPass = "http://etna:3000";
+          recommendedProxySettings = true;
+        };
+      };
     };
   };
+
+  # we depend on etna, which makes nginx fail if it's started before tailscale
+  systemd.services.nginx.after = [ "tailscaled.service" ];
 }