From 284bd502f0df6922a817ebc1f6cffe4d4f630ef0 Mon Sep 17 00:00:00 2001
From: Toast <toast003@tutamail.com>
Date: Thu, 6 Nov 2025 23:09:12 +0100
Subject: [PATCH 1/2] Server/forgejo: use unix socket

---
 roles/server/forgejo.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/roles/server/forgejo.nix b/roles/server/forgejo.nix
index c7f1780..763cce2 100644
--- a/roles/server/forgejo.nix
+++ b/roles/server/forgejo.nix
@@ -32,6 +32,7 @@ in {
       };
       server = {
         OFFLINE_MODE = false;
+        PROTOCOL = "http+unix";
         ROOT_URL = "https://git.toast003.xyz";
         START_SSH_SERVER = true;
         SSH_PORT = 4222;
@@ -61,7 +62,7 @@ in {
   services.caddy.virtualHosts.forgejo = {
     hostName = "git.toast003.xyz";
     extraConfig = ''
-      reverse_proxy localhost:${toString config.services.forgejo.settings.server.HTTP_PORT}
+      reverse_proxy unix/${config.services.forgejo.settings.server.HTTP_ADDR}
     '';
   };
 }

From afab4c4d0a822e8f849d078454dfb81fef5d7f8f Mon Sep 17 00:00:00 2001
From: Toast <toast003@tutamail.com>
Date: Fri, 7 Nov 2025 02:16:55 +0100
Subject: [PATCH 2/2] Server: remove school.nix Haven't used this in months

---
 roles/server/school.nix | 138 ----------------------------------------
 1 file changed, 138 deletions(-)
 delete mode 100644 roles/server/school.nix

diff --git a/roles/server/school.nix b/roles/server/school.nix
deleted file mode 100644
index e255c1f..0000000
--- a/roles/server/school.nix
+++ /dev/null
@@ -1,138 +0,0 @@
-{
-  flakeSelf,
-  config,
-  ...
-}: let
-  hostSecrets = "${flakeSelf.inputs.secrets}/" + config.networking.hostName + "/";
-in {
-  networking.nat = {
-    enable = true;
-    internalInterfaces = ["ve-+"];
-    externalInterface = "eno1";
-  };
-
-  age.secrets.mongodb-uri = {
-    file = hostSecrets + "mongodb-uri.age";
-  };
-
-  containers.school = {
-    autoStart = true;
-    privateNetwork = true;
-    ephemeral = true;
-    hostAddress = "192.168.100.10";
-    localAddress = "192.168.100.11";
-    specialArgs = {
-      showsApi = flakeSelf.inputs.shows-api;
-    };
-    bindMounts = {
-      secret = {
-        mountPoint = "/mongodb.env";
-        isReadOnly = true;
-        hostPath = config.age.secrets.mongodb-uri.path;
-      };
-    };
-    config = {
-      config,
-      pkgs,
-      lib,
-      showsApi,
-      ...
-    }: {
-      environment.systemPackages = [pkgs.htop];
-
-      users.users.shows = {
-        name = "shows";
-        group = "shows";
-        isSystemUser = true;
-      };
-      users.groups.shows = {};
-
-      systemd.services = let
-        commonServiceConfig = {
-          Type = "simple";
-          Restart = "on-failure";
-          RestartSec = 3;
-
-          # Hardening
-          CapabilityBoundingSet = "";
-          NoNewPrivileges = true;
-          PrivateUsers = true;
-          PrivateTmp = true;
-          PrivateDevices = true;
-          PrivateMounts = true;
-          ProtectClock = true;
-          ProtectControlGroups = true;
-          ProtectHome = true;
-          ProtectHostname = true;
-          ProtectKernelLogs = true;
-          ProtectKernelModules = true;
-          ProtectKernelTunables = true;
-          RestrictAddressFamilies = [
-            "AF_INET"
-            "AF_INET6"
-            "AF_UNIX"
-          ];
-          RestrictNamespaces = true;
-          RestrictRealtime = true;
-          RestrictSUIDSGID = true;
-        };
-      in {
-        shows-api = {
-          description = "NestJS API to store info about shows on a MongoDB database";
-          after = ["network.target"];
-          wantedBy = ["multi-user.target"];
-          serviceConfig =
-            commonServiceConfig
-            // {
-              ExecStart = lib.getExe showsApi.packages.x86_64-linux.default;
-              StateDirectory = ["shows-api"];
-              RuntimeDirectory = ["shows-api"];
-              User = "shows";
-              Group = "shows";
-              EnvironmentFile = "/mongodb.env";
-            };
-        };
-      };
-
-      networking = {
-        firewall.allowedTCPPorts = [3000];
-
-        # Use systemd-resolved inside the container
-        # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-        useHostResolvConf = lib.mkForce false;
-      };
-
-      services.resolved.enable = true;
-
-      system.stateVersion = "24.11";
-    };
-  };
-  services = {
-    headscale.settings.dns.extra_records = [
-      {
-        name = "shows.everest.tailscale";
-        type = "A";
-        value = "100.100.0.1";
-      }
-    ];
-    caddy.virtualHosts.shows= {
-      hostName = "shows.everest.tailscale";
-      extraConfig = ''
-        import tailscale
-        handle {
-         respond "Ionic app goes here"
-        }
-
-        redir /admin /admin/
-        handle_path /admin/* {
-          respond "Angular admin panel goes here"
-        }
-
-        redir /api /api/
-        handle_path /api/* {
-          reverse_proxy ${config.containers.school.localAddress}:3000
-        }
-      '';
-    };
-  };
-}