trajto(reciproka-web): konverti al floko

resolves #13

LICENSE

@@ -1,7 +1,7 @@
                              ANARCHIST LICENSE
                          Version 1.0, 1 May, 2021
 
-Copyright © 2023 Reciproka Kolectiva
+Copyright © 2024 Reciproka Kolektivo
 
 This is Anarchist software, released for free use by individuals and
 organizations that do not operate by capitalist principles.

README.rst

@@ -1,10 +1,21 @@
-Reciproka Ops
+Reciproka Kolektivo Ops
-=============
+=======================
 
-Colmena_ deployment configuration for services hosted by `Reciproka Kolectiva`_ services.
+Colmena_ deployment configuration for services hosted by `Reciproka Kolektivo`_ services.
 
 The canonical home for this repo is
 https://reciproka.dev/reciproka/reciproka-ops
 
 .. _Colmena: https://colmena.cli.rs/
-.. _Reciproka Kolectiva: https://reciproka.co/
+.. _Reciproka Kolektivo: https://reciproka.co/
+
+.. toctree::
+
+Building for aarch64 Targets
+----------------------------
+
+If you don't have your own ``aarch64`` build server, you can apply to use the
+`aarch64 build box`_ provided by the `Nix Community`_.
+
+.. _aarch64 build box: https://github.com/NixOS/aarch64-build-box
+.. _Nix Community: https://github.com/nix-community

flake.nix

@@ -8,19 +8,16 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
     hakyll-skeleton = {
-      flake = false;
+      url = "git+https://reciproka.dev/reciproka/hakyll-skeleton/?ref=consensus";
-      url = git+https://reciproka.dev/reciproka/hakyll-skeleton/?ref=consensus;
+      inputs.nixpkgs.follows = "nixpkgs";
-    };
-    reciproka-web = {
-      flake = false;
-      url = git+https://reciproka.dev/reciproka/reciproka-web/?ref=reciproka-migration;
     };
+    reciproka-web.url = "git+https://reciproka.dev/reciproka/reciproka-web/?ref=consensus";
     resrok-web = {
       flake = false;
       url = git+https://reciproka.dev/resrok/resrok-web/?ref=consensus;
     };
-    nix.url = "github:NixOS/nix/?ref=2.10.3";
+    nix.url = github:NixOS/nix/?ref=2.24.6;
-    nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-23.05;
+    nixpkgs.url = github:NixOS/nixpkgs/?ref=nixos-24.05;
     nixpkgsUnstable.url = github:NixOS/nixpkgs/?ref=nixos-unstable;
     utils.url = "github:numtide/flake-utils";
     voc-web = {

hardware/binaryLane_vm.nix

@@ -0,0 +1,51 @@
+# Configuration common to all Reciproka Kolektivo Binary Lane VMs
+{
+  config,
+  pkgs,
+  lib,
+  modulesPath,
+  ...
+}: {
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix") # Import the NixOS Qemu guest settings
+    ../profiles/host_common.nix
+    ../profiles/server_common.nix
+  ];
+
+  boot = {
+    initrd = {
+      availableKernelModules = ["ata_piix" "sr_mod" "uhci_hcd" "virtio_blk" "virtio_pci"];
+    };
+    loader = {
+      grub = {
+        enable = true;
+        device = "/dev/vda";
+      };
+    };
+  };
+
+  # File systems configuration for the Linode VMs
+  fileSystems."/" = {
+    device = "/dev/disk/by-label/nixos";
+    fsType = "ext4";
+  };
+
+  swapDevices = [
+    {
+      device = "/dev/disk/by-label/swap";
+    }
+  ];
+
+  nix.settings.max-jobs = lib.mkDefault 4;
+
+  networking = {
+    domain = "reciproka.co";
+    useDHCP = lib.mkDefault true;
+    firewall = {
+      enable = true;
+      trustedInterfaces = ["lo"];
+    };
+  };
+
+  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}

hardware/linode_vm.nix

@@ -1,4 +1,4 @@
-# Configuration common to all Reciproka Kolectiva Linode VMs
+# Configuration common to all Reciproka Kolektivo Linode VMs
 {
   config,
   pkgs,

hardware/pi3B.nix

@@ -0,0 +1,80 @@
+# Configuration common to all Raspberry Pi 3 Model B devices
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "bcm2835_dma" # Allows early (earlier) mode setting
+        "i2c_bcm2835" # Allows early (earlier) mode setting
+        "usbhid"
+        "usb_storage"
+        "vc4" # Allows early (earlier) mode setting
+      ];
+    };
+    kernelPackages = pkgs.linuxPackages_5_15; # For a Raspberry Pi 2 or 3)
+    kernelParams = [
+      "cma=32M" # Needed for the virtual console to work on the RPi 3
+      "console=ttyS0,115200n8" # Enable the serial console
+      "console=tty0"
+    ];
+    loader = {
+      generic-extlinux-compatible = {
+        enable = true; # Enables the generation of /boot/extlinux/extlinux.conf
+      };
+      grub = {
+        enable = false; # NixOS wants to enable GRUB by default.
+      };
+      raspberryPi = {
+        enable = false;
+        version = 3;
+        uboot.enable = true;
+        firmwareConfig = ''
+          arm_64bit=1            # Force kernel loading system to assume a 64-bit kernel
+          hdmi_force_hotplug=1   # Enable headless booting
+        '';
+      };
+    };
+  };
+
+  # File systems configuration for using the installer's partition layout
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+    };
+    "/boot/firmware" = {
+      device = "/dev/disk/by-label/FIRMWARE";
+      fsType = "vfat";
+      # Alternatively, this could be removed from the configuration.
+      # The filesystem is not needed at runtime, it could be treated
+      # as an opaque blob instead of a discrete FAT32 filesystem.
+      options = ["nofail" "noauto"];
+    };
+  };
+
+  # !!! Adding a swap file is optional, but strongly recommended!
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 1024;
+    }
+  ];
+
+  hardware = {
+    enableRedistributableFirmware = true; # Enable support for Pi firmware blobs
+  };
+
+  networking = {
+    enableB43Firmware = true; # If true, enable Pi wireless firmware
+  };
+
+  nixpkgs.config.allowUnfree = true; # required by B34Firmare above
+
+  environment.systemPackages = with pkgs; [
+    libraspberrypi # Userland tools for the Raspberry Pi board
+  ];
+}

hardware/raspberry_pi_3_model_B.nix

@@ -0,0 +1,86 @@
+# Configuration common to all Raspberry Pi 3 Model B devices
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  boot = {
+    initrd = {
+      availableKernelModules = [
+        "bcm2835_dma" # Allows early (earlier) mode setting
+        "i2c_bcm2835" # Allows early (earlier) mode setting
+        "usbhid"
+        "usb_storage"
+        "vc4" # Allows early (earlier) mode setting
+      ];
+    };
+    kernelPackages = pkgs.linuxPackages_5_15; # For a Raspberry Pi 2 or 3)
+    kernelParams = [
+      "cma=320M" # Needed for the virtual console to work on the RPi 3
+      "console=ttyS0,115200n8" # Enable the serial console
+      "console=tty0"
+    ];
+    loader = {
+      generic-extlinux-compatible = {
+        enable = true; # Enables the generation of /boot/extlinux/extlinux.conf
+        configurationLimit = 5;
+      };
+      grub = {
+        enable = false; # NixOS wants to enable GRUB by default.
+      };
+      raspberryPi = {
+        enable = false;
+        version = 3;
+        firmwareConfig = ''
+          arm_64bit=1            # Force kernel loading system to assume a 64-bit kernel
+          display_auto_detect=1  # Enable auto detection of screen resolution
+          gpu_mem=128
+          hdmi_force_hotplug=1   # Enable headless booting
+        '';
+      };
+    };
+  };
+
+  # File systems configuration for using the installer's partition layout
+  fileSystems = {
+    "/" = {
+      device = "/dev/disk/by-label/NIXOS_SD";
+      fsType = "ext4";
+    };
+    "/boot/firmware" = {
+      device = "/dev/disk/by-label/FIRMWARE";
+      fsType = "vfat";
+      # Alternatively, this could be removed from the configuration.
+      # The filesystem is not needed at runtime, it could be treated
+      # as an opaque blob instead of a discrete FAT32 filesystem.
+      options = ["nofail" "noauto"];
+    };
+    #"/var" = {
+    #  device = "/dev/disk/by-label/var";
+    #  fsType = "ext4";
+    #};
+  };
+
+  # !!! Adding a swap file is optional, but strongly recommended!
+  swapDevices = [
+    {
+      device = "/swapfile";
+      size = 1024;
+    }
+  ];
+
+  hardware = {
+    enableRedistributableFirmware = true; # Enable support for Pi firmware blobs
+  };
+
+  networking = {
+    enableB43Firmware = true; # If true, enable Pi wireless firmware
+  };
+
+  nixpkgs.config.allowUnfree = true; # required by B34Firmare above
+
+  environment.systemPackages = with pkgs; [
+    libraspberrypi # Userland tools for the Raspberry Pi board
+  ];
+}

modules/piCommon/default.nix

@@ -0,0 +1,14 @@
+# Configuration common to all my servers
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  environment = {
+    # Set the system-wide environment
+    systemPackages = with pkgs; [
+      usbutils # Tools for working with USB devices, such as lsusb
+    ];
+  };
+}

networks/pi3B_rack.nix

@@ -0,0 +1,26 @@
+# NixOps configuration for the Raspberry Pi 3B Rack
+{
+  imports = [
+    <nixpkgs/nixos/modules/installer/scan/not-detected.nix>
+    ../hardware/raspberry_pi_3_model_B.nix
+    ../profiles/host_common.nix
+    ../profiles/server_common.nix
+  ];
+
+  # Ensure the right package architecture is used
+  nixpkgs.localSystem = {
+    system = "aarch64-linux";
+    config = "aarch64-unknown-linux-gnu";
+    allowUnfree = true;
+  };
+
+  systemd.network.networks.eth0.ipv6SendRAConfig = {
+    EmitDNS = true;
+    Managed = true;
+    OtherInformation = true;
+  };
+
+  documentation = {
+    nixos.enable = false; # Save some space by disabling the manual
+  };
+}

nixos/configurations.nix

@@ -2,7 +2,6 @@
   self,
   nixpkgs,
   inputs,
-  nix,
   ...
 }: let
   nixosSystem = nixpkgs.lib.makeOverridable nixpkgs.lib.nixosSystem;

nixos/hosts/flemming/default.nix

@@ -0,0 +1,26 @@
+# NixOS configuration for flemming
+#
+# Andy Flemming, AKA Slackbastard is the psuedonym of an Australian anarchist
+# who hosts Yeah Nah Pasaran on radio 3CR and documents fascism and its
+# grave diggers in Australia
+#
+# https://en.wikipedia.org/wiki/Andy_Fleming_(activist)
+# https://slackbastard.anarchobase.com/
+# https://www.3cr.org.au/yeahnahpasaran
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ../../../networks/pi3B_rack.nix
+    ../../../profiles/hakyll-skeleton.nix
+  ];
+
+  # Comment out deployment when building the SD Image.
+  deployment.targetHost = "10.42.0.202";
+  networking.hostName = "flemming"; # Define your hostname.
+
+  system.stateVersion = "23.11"; # The version of NixOS originally installed
+}

nixos/hosts/hollows/default.nix

@@ -0,0 +1,25 @@
+# NixOS configuration for flemming
+#
+# Andy Flemming, AKA Slackbastard is the psuedonym of an Australian anarchist
+# who hosts Yeah Nah Pasaran on radio 3CR and documents fascism and its
+# grave diggers in Australia
+#
+# https://en.wikipedia.org/wiki/Andy_Fleming_(activist)
+# https://slackbastard.anarchobase.com/
+# https://www.3cr.org.au/yeahnahpasaran
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}: {
+  imports = [
+    ../../../networks/pi3B_rack.nix
+  ];
+
+  # Comment out deployment when building the SD Image.
+  deployment.targetHost = "10.42.0.203";
+  networking.hostName = "hollows"; # Define your hostname.
+
+  system.stateVersion = "22.05"; # The version of NixOS originally installed
+}

nixos/hosts/pred/default.nix

@@ -0,0 +1,33 @@
+# NixOS configuration for pred
+#
+# <predator>, AKA Michael Carlton or just "pred", was an Australian
+# anarcho-sydnicalist who helped set up Catalyst, a radical community activist
+# tech collective in Sydney, Australia. They went on to provide information
+# technology services for a wide range of activist and commmunity based
+# organisations around both Sydney and Australia. In the process, knowledge was
+# shared, skills were learned and taught - from building and maintaining
+# hardware to writing computer code. It was from this original initiative that
+# an open-posting model of web publishing was developed for the J18 protest
+# that occured worldwide in 1999. The codebase was named 'Active' and went on
+# to power the first Indymedia site. As they say, "the rest is history."
+#
+# Rest in Power, Pred, we miss ya.
+#
+# https://archive.org/stream/PredTxt/Pred-txt_djvu.txt
+# https://indymedia.org.au/2012/04/25/interview-with-pred-predaor-mike-carlton.html
+# https://www.youtube.com/watch?v=Cfe3ExZivdQ
+{
+  config,
+  pkgs,
+  ...
+}: {
+  imports = [
+    ../../../hardware/binaryLane_vm.nix
+  ];
+
+  # Comment out deployment when building the SD Image.
+  deployment.targetHost = "203.57.51.158";
+  networking.hostName = "pred"; # Define your hostname.
+
+  system.stateVersion = "23.11"; # The version of NixOS originally installed
+}

nixos/hosts/toscano/configuration.nix

@@ -1,5 +1,9 @@
 # Nix configuration for toscano
 #
+# Dr Joseph Toscano has presented an anarchist analysis on local, national and
+# international news and events that has been distributed nationally on the
+# Community Radio Network since 1977.
+#
 # https://en.wikipedia.org/wiki/Joseph_Toscano
 {
   config,
@@ -9,7 +13,6 @@
 }: {
   imports = [
     ../../../networks/linode.nix
-    ../../../profiles/hakyll-skeleton.nix
     ../../../profiles/reciproka-web.nix
     ../../../profiles/reciproka-forgejo.nix
     ../../../profiles/resrok-web.nix
@@ -20,8 +23,8 @@
   age.secrets = {
     forgejo = {
       file = ../../../secrets/forgejo.age;
-      owner = "gitea";
+      owner = "forgejo";
-      group = "gitea";
+      group = "forgejo";
     };
   };
 

outputs.nix

@@ -18,26 +18,45 @@ in {
   devShell =
     pkgs.callPackage
     ./shell.nix {
+      inherit (nix.packages."${pkgs.system}") nix;
       inherit (ragenix.packages."${pkgs.system}") ragenix;
       inherit (colmena.packages."${pkgs.system}") colmena;
-      inherit (nix.packages."${pkgs.system}") nix;
       inherit (nixpkgsUnstable.legacyPackages."${pkgs.system}") alejandra;
     };
 }))
 // {
   colmena = {
     meta = {
-      description = "NixOS deployment for Reciproka Kolectiva";
+      description = "NixOS deployment for Reciproka Kolektivo";
       name = "reciproka-ops";
       nixpkgs = import nixpkgs {
         system = "x86_64-linux";
         overlays = [];
       };
     };
+    defaults = {pkgs, ...}: {
+      imports = [
+        ragenix.nixosModules.default
+      ];
+    };
+    flemming = {
+      imports = [
+        ./nixos/hosts/flemming
+      ];
+    };
+    hollows = {
+      imports = [
+        ./nixos/hosts/hollows
+      ];
+    };
+    pred = {
+      imports = [
+        ./nixos/hosts/pred
+      ];
+    };
     toscano = {
       imports = [
         ./nixos/hosts/toscano/configuration.nix
-        ragenix.nixosModules.default
       ];
     };
   };

profiles/bash.nix

@@ -1,4 +1,4 @@
-# Configuration common to all Reciproka Kolectiva servers
+# Configuration common to all Reciproka Kolektivo servers
 {config, ...}: {
   # Program defaults for all hosts
   programs.bash = {

profiles/hakyll-skeleton.nix

@@ -1,4 +1,4 @@
-# NixOS configuration for deploying the Reciproka Kolectiva website
+# NixOS configuration for deploying the Reciproka Kolektivo website
 {
   self,
   config,
@@ -6,8 +6,8 @@
   ...
 }: let
   flake = builtins.getFlake (toString ../.);
-  hakyll-skeleton = import flake.inputs.hakyll-skeleton {};
+  hakyll-skeleton = flake.inputs.hakyll-skeleton.packages."${pkgs.system}".default;
-  webdomain = "skeleton.reciproka.co";
+  webdomain = "skeleton.reciproka.dev";
 in {
   environment.sessionVariables = {
     LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";

profiles/host_common.nix

@@ -1,4 +1,4 @@
-# Configuration common to all Reciproka Kolectiva servers
+# Configuration common to all Reciproka Kolektivo servers
 {
   config,
   pkgs,
@@ -27,7 +27,7 @@
   # Set the defaul console properties
   console = {
     keyMap = "us"; # Set the default console key map
-    font = "ter-powerline-v16Rv"; # Set the default console font
+    font = "ter-powerline-v32n"; # Set the default console font
   };
 
   time.timeZone = "Etc/UTC";
@@ -38,12 +38,14 @@
   security.sudo.wheelNeedsPassword = false;
 
   # Configure and install required fonts
-  fonts.enableDefaultFonts = true;
+  fonts = {
-  fonts.fontDir.enable = true;
+    enableDefaultPackages = true;
-  fonts.fonts = with pkgs; [
+    fontDir.enable = true;
-    powerline-fonts # Required for Powerline prompts
+    packages = with pkgs; [
-  ];
+      powerline-fonts # Required for Powerline prompts
-  fonts.fontconfig.includeUserConf = false;
+    ];
+    fontconfig.includeUserConf = false;
+  };
 
   # Adapted from gchristensen and clever
   nix = {

profiles/neovim.nix

@@ -157,7 +157,7 @@
             set undodir=/tmp/.vim-undo-dir
             set undofile
 
-            " Reciproka Kolectiva Markdown environment
+            " Reciproka Kolektivo Markdown environment
             function! MarkdownSettings()
                 set textwidth=79
                 set spell spelllang=en_au
@@ -165,7 +165,7 @@
             autocmd BufNewFile,BufFilePre,BufRead *.mdwn :call MarkdownSettings()
             autocmd BufNewFile,BufFilePre,BufRead *.md :call MarkdownSettings()
 
-            " Reciproka Kolectiva ReStructured Text environment
+            " Reciproka Kolektivo ReStructured Text environment
             function! ReStructuredSettings()
                 set textwidth=79
                 set spell spelllang=en_au
@@ -176,14 +176,14 @@
             autocmd BufNewFile,BufFilePre,BufRead *.rst :call ReStructuredSettings()
             autocmd BufNewFile,BufFilePre,BufRead *.txt :call ReStructuredSettings()
 
-            " Reciproka Kolectiva LaTeX environment:
+            " Reciproka Kolektivo LaTeX environment:
             function! LaTeXSettings()
                 set textwidth=79
                 set spell spelllang=en_au
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.tex :call LaTeXSettings()
 
-            " Settings for Reciproka Kolectiva Haskell environment:
+            " Settings for Reciproka Kolektivo Haskell environment:
             function! HaskellSettings()
                 set tabstop=2
                 set shiftwidth=2
@@ -192,7 +192,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.hs :call HaskellSettings()
 
-            " Settings for Reciproka Kolectiva Nix environment:
+            " Settings for Reciproka Kolektivo Nix environment:
             function! NixSettings()
                 set tabstop=2
                 set shiftwidth=2
@@ -202,7 +202,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.nix :call NixSettings()
 
-            " Settings for Reciproka Kolectiva Cue environment:
+            " Settings for Reciproka Kolektivo Cue environment:
             function! CueSettings()
                 set noexpandtab
                 set tabstop=2
@@ -212,7 +212,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.cue :call CueSettings()
 
-            " Settings for Reciproka Kolectiva Rust environment:
+            " Settings for Reciproka Kolektivo Rust environment:
             function! RustSettings()
                 set tabstop=4
                 set shiftwidth=4
@@ -222,7 +222,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.rs :call RustSettings()
 
-            " Settings for Reciproka Kolectiva Crystal environment:
+            " Settings for Reciproka Kolektivo Crystal environment:
             function! CrystalSettings()
                 set tabstop=2
                 set shiftwidth=2
@@ -232,7 +232,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.cr :call CrystalSettings()
 
-            " Settings for Reciproka Kolectiva Golang environment:
+            " Settings for Reciproka Kolektivo Golang environment:
             function! GoSettings()
                 set tabstop=7
                 set shiftwidth=7
@@ -240,7 +240,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.go :call GoSettings()
 
-            " Settings for Reciproka Kolectiva Python environment:
+            " Settings for Reciproka Kolektivo Python environment:
             function! PythonSettings()
                 set tabstop=4
                 set shiftwidth=4
@@ -250,7 +250,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.py :call PythonSettings()
 
-            " Reciproka Kolectiva Mutt environment
+            " Reciproka Kolektivo Mutt environment
             function! MuttSettings()
                 set textwidth=79
                 set spell spelllang=en_au
@@ -261,7 +261,7 @@
             autocmd BufNewFile,BufFilePre,BufRead mutt-* :call MuttSettings()
             autocmd BufNewFile,BufFilePre,BufRead neomutt-* :call MuttSettings()
 
-            " Settings for Reciproka Kolectiva C environment:
+            " Settings for Reciproka Kolektivo C environment:
             function! CSettings()
                 set tabstop=2
                 set shiftwidth=2
@@ -270,7 +270,7 @@
             endfunction
             autocmd BufNewFile,BufFilePre,BufRead *.c :call CSettings()
 
-            " Settings for Reciproka Kolectiva YAML environment:
+            " Settings for Reciproka Kolektivo YAML environment:
             function! YAMLSettings()
                 set tabstop=2
                 set shiftwidth=2
@@ -284,7 +284,7 @@
             autocmd BufNewFile,BufFilePre,BufRead *.yaml :call YAMLSettings()
             autocmd BufNewFile,BufFilePre,BufRead *.yml :call YAMLSettings()
 
-            " Settings for Reciproka Kolectiva Bash environment:
+            " Settings for Reciproka Kolektivo Bash environment:
             function! BashSettings()
                 set tabstop=4
                 set shiftwidth=4

profiles/nix-direnv.nix

@@ -16,11 +16,11 @@
   environment = {
     systemPackages = with pkgs; [
       direnv # A shell extension that manages your environment
-      nix-direnv # A fast, persistent use_nix implementation for direnv
+      #nix-direnv # A fast, persistent use_nix implementation for direnv
-    ];
-    pathsToLink = [
-      "/share/nix-direnv"
     ];
+    #  pathsToLink = [
+    #    "/share/nix-direnv"
+    #  ];
   };
 
   nixpkgs.overlays = [

profiles/reciproka-forgejo.nix

@@ -1,4 +1,4 @@
-# Nix configuration for the Reciproka Forgejo service
+# Nix configuration for the Reciproka Kolectivo Forgejo service
 {
   config,
   pkgs,
@@ -8,29 +8,23 @@
   flake = builtins.getFlake (toString ../.);
   nixpkgsUnstable = flake.inputs.nixpkgsUnstable;
 in {
-  services.gitea = {
+  services.forgejo = {
     enable = true; # Enable Forgejo
-    appName = "Reciproka Kolectiva: Forgejo Service"; # Give the site a name
+    appName = "Reciproka Kolektivo: Forgejo Service"; # Give the site a name
     database = {
       type = "postgres"; # Database type
       passwordFile = config.age.secrets.forgejo.path;
     };
     domain = "reciproka.dev"; # Domain name
     httpPort = 3002; # Provided unique port
-    package = pkgs.forgejo; # a soft fork of gitea
     rootUrl = "https://reciproka.dev/"; # Root web URL
     settings = let
-      docutils = pkgs.python39.withPackages (ps:
+      DEFAULT.APP_NAME = "Reciproka Kolektivo: Forgejo Service"; # Give the site a name
-        with ps; [
-          docutils # Provides rendering of ReStructured Text files
-          pygments # Provides syntax highlighting
-        ]);
       server = {
         DOMAIN = "reciproka.dev"; # Domain name
         HTTP_PORT = 3002; # Provided unique port
         ROOT_URL = "https://reciproka.dev/"; # Root web URL
       };
-      service.DISABLE_REGISTRATION = true;
     in {
       mailer = {
         ENABLED = true;
@@ -40,27 +34,28 @@ in {
         DEFAULT_BRANCH = "consensus";
       };
       service = {
+        DISABLE_REGISTRATION = true;
         REGISTER_EMAIL_CONFIRM = true;
       };
       "markup.restructuredtext" = {
         ENABLED = true;
         FILE_EXTENSIONS = ".rst";
-        RENDER_COMMAND = "${docutils}/bin/rst2html.py";
+        RENDER_COMMAND = "timeout 30s ${pkgs.pandoc}/bin/pandoc +RTS -M512M -RTS -f rst";
         IS_INPUT_FILE = false;
       };
       ui = {
         DEFAULT_THEME = "forgejo-auto"; # Set the default theme
-        THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,arc-green,gitea";
+        THEMES = "forgejo-auto,forgejo-light,forgejo-dark,auto,arc-green,forgejo";
       };
     };
   };
 
   systemd = {
     services = {
-      gitea = {
+      forgejo = {
-        # Ensure gitea starts after keys are loaded
+        # Ensure forgejo starts after keys are loaded
-        after = ["gitea-dbpass-key.service"];
+        after = ["forgejo-dbpass-key.service"];
-        wants = ["gitea-dbpass-key.service"];
+        wants = ["forgejo-dbpass-key.service"];
       };
     };
   };
@@ -68,24 +63,28 @@ in {
   services.postgresql = {
     enable = true; # Ensure postgresql is enabled
     authentication = ''
-      local gitea all ident map=gitea-users
+      local forgejo all ident map=forgejo-users
     '';
     identMap =
-      # Map the gitea user to postgresql
+      # Map the forgejo user to postgresql
       ''
-        gitea-users gitea gitea
+        forgejo-users forgejo forgejo
       '';
-    ensureDatabases = ["gitea"]; # Ensure the database persists
+    ensureDatabases = ["forgejo"]; # Ensure the database persists
     ensureUsers = [
       {
-        name = "gitea"; # Ensure the database user persists
+        name = "forgejo"; # Ensure the database user persists
-        ensurePermissions = {
+        ensureDBOwnership = true;
-          # Ensure the database permissions persist
-          "DATABASE gitea" = "ALL PRIVILEGES";
-          "ALL TABLES IN SCHEMA public" = "ALL PRIVILEGES";
-        };
       }
     ];
+    package = pkgs.postgresql_16;
+  };
+
+  services.postgresqlBackup = {
+    enable = true;
+    compression = "zstd";
+    databases = ["forgejo"];
+    startAt = "*-*-* 15:00:00";
   };
 
   services.nginx = {

profiles/reciproka-web.nix

@@ -1,4 +1,4 @@
-# Nix configuration for deploying the Reciproka Kolectiva website
+# Nix configuration for deploying the Reciproka Kolektivo website
 {
   self,
   config,
@@ -6,8 +6,8 @@
   ...
 }: let
   flake = builtins.getFlake (toString ../.);
-  reciproka-web = import flake.inputs.reciproka-web {};
+  reciproka-web = flake.inputs.reciproka-web.packages."${pkgs.system}".default;
-  webdomain = "reciproka.co";
+  webdomain = "reciproka.net";
 in {
   environment.sessionVariables = {
     LOCALE_ARCHIVE = "/run/current-system/sw/lib/locale/locale-archive";
@@ -29,6 +29,13 @@ in {
       "www.${webdomain}" = {
         # Respect our elders :-)
         locations."/".extraConfig = "return 301 $scheme://${webdomain}$request_uri;";
+        enableACME = true; # Use ACME certs
+        forceSSL = true; # Force SSL
+      };
+      "reciproka.co" = {
+        locations."/".extraConfig = "return 301 $scheme://${webdomain}$request_uri;";
+        enableACME = true; # Use ACME certs
+        forceSSL = true; # Force SSL
       };
     };
   };
@@ -36,10 +43,9 @@ in {
   security.acme = {
     acceptTerms = true;
     certs = {
-      "${webdomain}" = {
+      "${webdomain}" = {email = "admin@${webdomain}";};
-        email = "admin@${webdomain}";
+      "www.${webdomain}" = {email = "admin@${webdomain}";};
-        #group = "matrix-synapse";
+      "reciproka.co" = {email = "admin@${webdomain}";};
-      };
     };
   };
 

profiles/server_common.nix

@@ -1,4 +1,4 @@
-# Configuration common to all Reciproka Kolectiva servers
+# Configuration common to all Reciproka Kolektivo servers
 {
   config,
   pkgs,

profiles/users.nix

@@ -1,4 +1,4 @@
-# User configuration common to all Reciproka Kolectiva servers
+# User configuration common to all Reciproka Kolektivo servers
 {
   config,
   pkgs,
@@ -19,7 +19,7 @@
     group = "fiscalvelvetpoet";
     extraGroups = ["wheel"];
     # fix this
-    passwordFile = config.age.secrets.fiscalvelvetpoet.path;
+    hashedPasswordFile = config.age.secrets.fiscalvelvetpoet.path;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@reciproka"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"
@@ -28,7 +28,7 @@
 
   users.users.root = {
     # fix this
-    passwordFile = config.age.secrets.root.path;
+    hashedPasswordFile = config.age.secrets.root.path;
     openssh.authorizedKeys.keys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so fiscalvelvetpoet@reciproka"
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID7qAXTCAnqq+3ks4L8/2f4J8RxmrFaMOCA7m9ImbW2m fiscalvelvetpoet@sealgair"

profiles/zsh.nix

@@ -1,4 +1,4 @@
-# Configuration common to all Reciproka Kolectiva servers
+# Configuration common to all Reciproka Kolektivo servers
 {
   config,
   pkgs,

secrets/fiscalvelvetpoet.age

@@ -1,14 +1,21 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBabmpl
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBSMUhj
-K3V2ZWV4c2pXcmtHYlhPaWVTd0Z2UnUrRTU0UHJxSlNGVGxrMEFZCjdsNW1IQTZY
+Zk9XdkxaZkpXYkF3K2lpbkR5dmZYYzJhUi9UanpBVEI1S2IvZXhNCnpyT09mZHNv
-VWR5MG9YbjlHVGk1OEFEbGthNXVsbkpHbnlyN0lOU3dxOWsKLT4gc3NoLWVkMjU1
+YktCcUd5Y2w1bnNNajFjaWl6Um9yWFpUTkFGdjRINnZFRW8KLT4gc3NoLWVkMjU1
-MTkgZjVUaEFnIDIwdjFwUmc5dEhGdTd3WFdLMlJzN2NqQ1R1YWV2RXBwbTE5OU0x
+MTkgUWQwZXBRIHE3RXdLUC82TVNJdHIvU2xnWGF1QktCZGkxbFhsT0dxVDRZZWgy
-Y3hHMDAKcFhOYjdDcncwTnplamd3UTlaWVFiMXBHTlpuNFVSa01iaER4amlhdHdR
+aVBUbDQKUkxqdTc5ZlhQaG5OOXhtSVBlR2FCR2c3ZGR2cnFUWnN0WkQxRDRlWlg1
-MAotPiBRLWdyZWFzZSBjCkRMREtPUVdTeER4WWhjcjJOWSsvUkxtK2JTUnRhblB4
+YwotPiBzc2gtZWQyNTUxOSB1N1ozancgR2pTOVZ5cGpmdzMzT1ZYelAwTTI1TVpG
-KzFxMW5BVGp5U2hmdGtOZ1FDbFkrdUpNR1JuKzRLTWUKVTZCZk5nRTRUcnUzWURp
+QUdlZ0xBZEo4NkpoZlZEVGlFTQpFelJDQ0RKaFFsVlRESERmMWJIQjZJcmh1QzBI
-MVplUGhTQjBrQU1UNwotLS0gSm52ejc3TXRBdlYrS0pRamQzeHo4N0pvcktHMDEv
+VFU3QmZGZ2JKcFMyNmJrCi0+IHNzaC1lZDI1NTE5IFpEOGxNdyBYSHdCdXJRTUVI
-RzdXakJMVlZrYzNtMAp8HicX1xAaiwdoitp+OGbp3imWarnmMynCZxHsdPGmDIYG
+eDFJZHRHY2JhUTRha1JNRFg5c3ppbVo0OGdQSXdPOUdJCjBFSTVpd2JWd2xkTjZx
-CEYqJ9JJVXAtzUL7kIE7uQOSZvgp4MvWahk5a0ITQkJDLbXef1mxhavGI6SYkhKP
+VDVuMlVHb1Z1aEhYU2kxWkpwV2hJUDZQRzNkckUKLT4gc3NoLWVkMjU1MTkgZjVU
-4fYc4GN7xAcxTRvb/oBP67lhc8Pt1W+h6BLphYMYbMM7XT/zHAVCUBrCCKTW2Swc
+aEFnIG1zay9zeUFtd3dkOTJQUFR6S0ZnUm9jbmQ0TkJQU2pJTTYrMmNEaE5KeTAK
-NgJYUgwf7rI+hg/AKeXDXWYyidcYMrvb+L7jiIwZ6Q==
+WXN2OFM2anNYYXF6Wk9rUnFjQzNGSjdhTGFyVDhhd1dORWxRaUpuRG9XUQotPiBe
+d3pXUTxFLWdyZWFzZSBvVT16IFw3Oz02IGQ/ZFVjQS4KVnBKTVc0YzR3SEhaOS80
+bzE1NXMxaHh1QStNaXZ4eGZrbDdrV0k5YW5rQTdKbGJsbzZsRzFLMi9veTAKLS0t
+IGdEblEzcTdkcWVFVURycTJsTUl5MHEySUdTRTJub1hMVnJNekMxQTAxTGcKot0G
+3I1FgBm5Hw3MkQXfRdX6FgzAAEmH0t+v8R087u7vDbzVFVwVWGm4qQuHTwYNa1Yu
+5gcM8LAg9N/ZV6Mc7+OlqKoKTs6S+VhphfbuDPrwJZUJT/OO30MgEdgemZ+JtQoA
+O5str1O/0MBTQRyqJglcIjD2rPQcl9cZQupvJeaTOkdoLQ3Pv8aUrZBg3yHg6JX4
+N5siGxgv/NfGcpCvkUM=
 -----END AGE ENCRYPTED FILE-----

secrets/forgejo.age

@@ -1,11 +1,13 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBzblFC
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBuMjdR
-eUZrZEw3R24weVJ2TUw3QWZ6WDNYS1NDZVpGTktnakk4M2FnVEhFCjUxK1BucVBu
+ZzN1QTRIend1TWhLSDZzQ0JQUG9tZFdGZUo4QUljV3pnaEdDR1VzCi9PRXFnTDlD
-Vm52cXhyK1RyRFdTd2w1WU9NWDUranZTRkhzOHIwbXVHTlkKLT4gc3NoLWVkMjU1
+NFhtYW4reHphUFFqUVBDd2pxY2liOXgwRUlIZzcvZTdWWTAKLT4gc3NoLWVkMjU1
-MTkgZjVUaEFnIERNWExUWk95Wk1udHYxWm1vKzAwR29kUC9JeUJoMVI3MUx3UmFG
+MTkgZjVUaEFnIGRvQUFSMzFzVmZLT0Z4SlczNmdicThCYklBbisvcmlzejI4b3Jm
-aDFCakkKSitsbEtsVzQ5eDAzZ0VUOXIrUkNsSkFFRXJGbEUyVTZNKzcwcTBhWnYy
+ZVRTVmsKWDlKTkV6STJaSEVDL0tMVmMvcUt0L3pOS0xXU281bjRXSkJDSXloLzZE
-RQotPiBsbS1ncmVhc2UgLTwpJyAxTmtRMgp5OVpBSDh2azhrYjI1cmNjVmdKdlh0
+OAotPiBVLWdyZWFzZSBCZTMgM01ZIEd0OWcKdnMvd0FJOEhmQTdTcElld0JsNXdD
-d2ZJZwotLS0gSGRZZ2k2ZDhqc3E1clBkOVZ4K3FjZUtGUG1XZ1ozVDRpZkd3ZkhG
+bS9hWUtHam1PR0tyTmowck1rVEEzZXc0QjhWNjVNZVU0anRCS1lrMkRtVApQcVdV
-d3ZuYwocfVjJedKaGHSUGZE2tTu5W47y68PW51+NdYxQOT65fyZD9/Vxi+7HiFqM
+djJORHppTEFib1VLOC9LbG5OdWhNdEZKWGJyQ3Z6dUFTOEw5WjZsT2E4SDRSSUlK
-0xrmCMh3IsOvPa60vuY=
+aEpWRUNYRlZTdwotLS0geFBJK21QRGZxd3lZRjZRanhDeFRDTTd6T1p2UGhiNXBm
+NnhaWkptcDFsYwqWryUWy5DtJHpelFVJu9DnS2rUS9JVnjIHCj2MNYrs6f5cxzZP
+4+CUjz1Agu+ODFUvsl/ccIvcaS0=
 -----END AGE ENCRYPTED FILE-----

secrets/root.age

@@ -1,15 +1,22 @@
 -----BEGIN AGE ENCRYPTED FILE-----
-YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBoaDBJ
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFAvWjlQZyBsWm9s
-M2E4THRwVmtpWTMwMGpKZ2owdC9aci9zMVZGSzdRYk1Xb2VoUmxzCjVveDgzUUc5
+UzB6bzM2VU9IR3Y2MUcrdmtJTk1nM3h0VFV4WFNaaU9pZ0pHMWxBClpiRDZ3VVU1
-SG1OUEVPb0pFTm5VdG93a2lBbVF3OXh1eGNsL1dZWGY1T3MKLT4gc3NoLWVkMjU1
+VkE5SHhJZXc4RGJOenY3Qzc1eXN6Y1M2d1ZnU1dIbHFvQUUKLT4gc3NoLWVkMjU1
-MTkgZjVUaEFnIDhFWHNoaFFkeVJ3NXBKc3oxVXdzeWtEc1NqSjAvRDZMWG9XSFVR
+MTkgUWQwZXBRIGVCZURhelZkTFpoRldaVlZoZzVBenBjbEROUlIrTERnN2VpNmhP
-UnVzMlEKMEJVOU45OUhVd0FEWTIrLzV2WnN6VmVJWjRHM0xRUk5YdFdNS0J1YVBD
+dVFNSDQKNXNWNU5iOGRBV3ZMVzdSVXRPSTkvQzJpblVsbERJekM0VHdnbEwyd0tG
-NAotPiB4WyMtZ3JlYXNlIFBBaTM8IDsgSDIgTChDaFRtcUcKSUlkVHFnRDA5cWIy
+VQotPiBzc2gtZWQyNTUxOSB1N1ozancgY2pvTllQbytTbDBZaHlSbVFxa2ZYbmFt
-Mjk4THJPREpRTW5FZ2RVR3lhTWFTOXhPaHdldVRBYWd2WE1Pc0IzbFZFQ0Q2RTAz
+OTlvYTQrMUcybVdJd2gxb2Jsbwo4RXBLMkdYSFY3aHYxSGZnS0h4S21ablBueFBz
-Q2MySgpYUUNDNE9GM2JrUVpWbE1kenFLVGtDaFFGZjFvTFhYbWY0ZlI0MTlLVXFW
+L2JFaEhaYWR5VFFNQzhVCi0+IHNzaC1lZDI1NTE5IFpEOGxNdyBDZGNmblJIWGtx
-d2d5dUdtL2hoSXcKLS0tIHZZMWk2amdIZHpCVzNtSUFvTyt0V3IyVm9NWWVyc3lG
+QWhEeldzVGZmUWJ6anM4Y2hTT0tpUVNpNDVyRDJRQ240Clk2bmpCVlI4RWduRS80
-WDZpYmNtUkkzTDAKUHVWJeK+gcL0T5tHLBFQQP0EKHtO3Y2MFfNti/dtUhMoOnl0
+cVRVWWwycDdtdVpFS25BSDAzOEh5YUcxdW9GclkKLT4gc3NoLWVkMjU1MTkgZjVU
-cKi+siTFVAR6hasO8eM+NYgDg0mCt5ThQfAQyr0c2VoPyNu1ITJKwZZndk52y6nv
+aEFnIDZBbXVIQVdoaVl6TlZXR1FmeEtwL0hBNWc4c0lvSFlQTzZVc1VJZ09PMXcK
-g95L4myoHPlJOKEb2pzSyDYKQZw4kUB4JKC5i7zy7a0TsMzVXUjZRDuOvWxcvXw8
+VnhFVVg4eTZiRU1YbUhxUzJrYXRUeWpVVFdOSWpUNHNvUWZCRXd1U3Y3VQotPiBB
-QbjtYbRJUZ+pFN445/awGVcZyMIE6KhrazU+WSU=
+IW9WfGMlLWdyZWFzZQo2WmhadWt6cFZ3S2FONDFIWUFPWWpMOXFRT1d2alNPajVI
+aUJrdmVVT1J1OHA3Uy9LMjdadSs4RnhldGNxWGNtCitJSHhKSlhnMzI0UDdtSFBX
+T0tuY0NvRkI5Q0F6YkJmSHI3aFlReHJORVNLL1RJMkI5QUt5NllmcGcKLS0tIGFQ
+YXpDdDhnR05PaGQ0WEdVd2hMUURnRmtnbDVvWkt0ZDNtaVhxT0ZIbFUKcYbxjmgx
+v7X82tsU3fuTUo9l2q3HmHECwKlvyqsXyyJst+/jJgANfE7/tHm0t6Dm4fPgBvdN
+0AqTDx1p7PLvfQhMuhD2G9mHGLwcom3xUOI8h6JkMCv+bojWD9RCEB+wsAwfCzVV
+pStMrMl6copsy1/E4yXkkm+kBgIMFeGzQvRyZ+UCri0rjzsGFQWEgUgD3fFcNJIq
+HCYi0uW970YK2qI=
 -----END AGE ENCRYPTED FILE-----

secrets/secrets.nix

@@ -1,12 +1,20 @@
 # Used by ragenix nix only.
 # Ensure that $RULES has been set via direnv
+# Edit a key: `agenix -i ~/.ssh/id_ed25519 -e secrets/someKey.age`
+# run `ragenix -r -i /path/to/your/key` after modifying any keys below
+#
+# Re-keying is required after adding new hosts or keys:
+# run `ragenix -r -i /path/to/your/key`
 let
   fiscalvelvetpoet = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJDMAhG6+40YiYy9wqruHK9M2fLwYAqikJSJ/pRjR/so";
   ops = [fiscalvelvetpoet];
   users = [fiscalvelvetpoet];
 
+  flemming = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK16f3Fjj0BY9vjtXahezMAP3I329hHEQXCceRTkr+Yu";
+  hollows = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEGB8EUbqoarM4GmPgE2DBF4z/L6wVNc+lF27Z83XDUz";
+  pred = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMK5BOK1ldtZ+SV4QxfNm/PfOLOWv3/VHf/JbdMMoMzw";
   toscano = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGWcukRkNUQUbgXQle8q9xszDZOnDf3BVpPSFgycJVVE";
-  systems = [toscano];
+  systems = [flemming hollows pred toscano];
 in {
   "root.age".publicKeys = ops ++ systems;
   "fiscalvelvetpoet.age".publicKeys = [fiscalvelvetpoet] ++ systems;

shell.nix

@@ -12,7 +12,7 @@ with pkgs;
       ragenix # CLI management of secrets encrypted via existing SSH keys
       alejandra # The Uncompromising Nix Code Formatter
       colmena # simple, stateless NixOS deployment tool
-      nix # Powerful package manager, makes packaging reliable & reproducible
+      nix # Powerful package manager that makes package management reliable and reproducible
       tea # Gitea official CLI client
       treefmt # one CLI to format the code tree
     ];