run gradient cache

hosts/gradient/README.md

@@ -0,0 +1,210 @@
+# Git Host - Forgejo
+
+Forgejo git server at 141.56.51.7 running in an LXC container.
+
+## Overview
+
+- **Hostname**: git
+- **FQDN**: git.adm.htw.stura-dresden.de
+- **IP Address**: 141.56.51.7
+- **Type**: Proxmox LXC Container
+- **Services**: Forgejo, Nginx (reverse proxy), OpenSSH
+
+## Services
+
+### Forgejo
+
+Forgejo is a self-hosted Git service (fork of Gitea) providing:
+- Git repository hosting
+- Web interface for repository management
+- Issue tracking
+- Pull requests
+- OAuth2 integration support
+
+**Configuration**:
+- **Socket**: `/run/forgejo/forgejo.sock` (Unix socket)
+- **Root URL**: https://git.adm.htw.stura-dresden.de
+- **Protocol**: HTTP over Unix socket (Nginx handles TLS)
+
+### Nginx
+
+Nginx acts as a reverse proxy between the network and Forgejo:
+- Receives HTTPS requests (TLS termination)
+- Forwards to Forgejo via Unix socket
+- Manages ACME/Let's Encrypt certificates
+- WebSocket support enabled for live updates
+
+### OAuth2 Auto-Registration
+
+OAuth2 client auto-registration is enabled:
+- `ENABLE_AUTO_REGISTRATION = true`
+- `REGISTER_EMAIL_CONFIRM = false`
+- Username field: email
+
+This allows users to register automatically via OAuth2 providers without manual approval.
+
+## Deployment
+
+See the [main README](../../README.md) for deployment methods.
+
+### Initial Installation
+
+**Using nixos-anywhere:**
+```bash
+nix run github:nix-community/nixos-anywhere -- --flake .#git --target-host root@141.56.51.7
+```
+
+**Using container tarball:**
+```bash
+nix build .#containers-git
+scp result/tarball/nixos-system-x86_64-linux.tar.xz root@proxmox-host:/var/lib/vz/template/cache/
+pct create 107 /var/lib/vz/template/cache/nixos-system-x86_64-linux.tar.xz \
+  --hostname git \
+  --net0 name=eth0,bridge=vmbr0,ip=141.56.51.7/24,gw=141.56.51.254 \
+  --memory 2048 \
+  --cores 2 \
+  --rootfs local-lvm:8 \
+  --unprivileged 1 \
+  --features nesting=1
+pct start 107
+```
+
+### Updates
+
+```bash
+# From local machine
+nixos-rebuild switch --flake .#git --target-host root@141.56.51.7
+
+# Or use auto-generated script
+nix run .#git-update
+```
+
+## Post-Deployment Steps
+
+After deploying for the first time:
+
+1. **Access the web interface:**
+   ```
+   https://git.adm.htw.stura-dresden.de
+   ```
+
+2. **Complete initial setup:**
+   - Create the first admin account via web UI
+   - Configure any additional settings
+   - Set up SSH keys for git access
+
+3. **Configure OAuth2 (optional):**
+   - If using an external identity provider (e.g., authentik)
+   - Add OAuth2 application in the provider
+   - Configure OAuth2 settings in Forgejo admin panel
+   - Auto-registration is already enabled in configuration
+
+4. **Set up repositories:**
+   - Create organizations
+   - Create repositories
+   - Configure access permissions
+
+## Integration with Proxy
+
+The central proxy at 141.56.51.1 handles:
+- **SNI routing**: Inspects TLS handshake and routes HTTPS traffic for git.adm.htw.stura-dresden.de
+- **HTTP routing**: Routes HTTP traffic based on Host header
+- **ACME challenges**: Forwards `/.well-known/acme-challenge/` requests to this host for Let's Encrypt verification
+- **Auto-redirect**: Redirects HTTP to HTTPS (except ACME challenges)
+
+This host handles its own TLS certificates via ACME. The proxy passes through encrypted traffic without decryption.
+
+## Troubleshooting
+
+### Forgejo socket permissions
+
+If Forgejo fails to start or Nginx cannot connect:
+
+```bash
+# Check socket exists
+ls -l /run/forgejo/forgejo.sock
+
+# Check Forgejo service status
+systemctl status forgejo
+
+# Check Nginx service status
+systemctl status nginx
+
+# View Forgejo logs
+journalctl -u forgejo -f
+```
+
+**Solution**: Ensure the Forgejo user has proper permissions and the socket path is correct in both Forgejo and Nginx configurations.
+
+### Nginx proxy configuration
+
+If the web interface is unreachable:
+
+```bash
+# Check Nginx configuration
+nginx -t
+
+# View Nginx error logs
+journalctl -u nginx -f
+
+# Test socket connection
+curl --unix-socket /run/forgejo/forgejo.sock http://localhost/
+```
+
+**Solution**: Verify the `proxyPass` directive in Nginx configuration points to the correct Unix socket.
+
+### SSH access issues
+
+If git operations over SSH fail:
+
+```bash
+# Check SSH service
+systemctl status sshd
+
+# Test SSH connection
+ssh -T git@git.adm.htw.stura-dresden.de
+
+# Check Forgejo SSH settings
+cat /var/lib/forgejo/custom/conf/app.ini | grep -A 5 "\[server\]"
+```
+
+**Solution**: Ensure SSH keys are properly added to user accounts and SSH daemon is running.
+
+### ACME certificate issues
+
+If HTTPS is not working:
+
+```bash
+# Check ACME certificate status
+systemctl status acme-git.adm.htw.stura-dresden.de
+
+# View ACME logs
+journalctl -u acme-git.adm.htw.stura-dresden.de -f
+
+# Manually trigger certificate renewal
+systemctl start acme-git.adm.htw.stura-dresden.de
+```
+
+**Solution**: Verify DNS points to proxy (141.56.51.1) and proxy is forwarding ACME challenges correctly.
+
+## Files and Directories
+
+- **Configuration**: `/nix/store/.../forgejo/` (managed by Nix)
+- **Data directory**: `/var/lib/forgejo/`
+- **Custom config**: `/var/lib/forgejo/custom/conf/app.ini`
+- **Repositories**: `/var/lib/forgejo/data/gitea-repositories/`
+- **Socket**: `/run/forgejo/forgejo.sock`
+
+## Network
+
+- **Interface**: eth0 (LXC container)
+- **IP**: 141.56.51.7/24
+- **Gateway**: 141.56.51.254
+- **Firewall**: Ports 22, 80, 443 allowed
+
+## See Also
+
+- [Main README](../../README.md) - Deployment methods and architecture
+- [Proxy README](../proxy/README.md) - How the central proxy routes traffic
+- [Forgejo Documentation](https://forgejo.org/docs/latest/)
+- [NixOS Forgejo Options](https://search.nixos.org/options?query=services.forgejo)

hosts/gradient/default.nix

@@ -0,0 +1,86 @@
+{
+  config,
+  lib,
+  pkgs,
+  modulesPath,
+  ...
+}:
+{
+  imports = [
+    "${modulesPath}/virtualisation/proxmox-lxc.nix"
+  ];
+
+  sops = {
+    defaultSopsFile = ./secrets.sops.yaml;
+    secrets = {
+      "gradient-jwt".owner = "gradient";
+      "gradient-crypt".owner = "gradient";
+      "gradient-worker".owner = "gradient-worker";
+    };
+  };
+
+  networking = {
+    hostName = "gradient";
+    fqdn = "gradient.adm.htw.stura-dresden.de";
+    interfaces.eth0.ipv4.addresses = [
+      {
+        address = "141.56.51.127";
+        prefixLength = 24;
+      }
+    ];
+
+    defaultGateway = {
+      address = "141.56.51.254";
+      interface = "eth0";
+    };
+    firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+  };
+
+  services = {
+    openssh.enable = true;
+
+    gradient = {
+      enable            = true;
+      frontend.enable   = true;
+      domain            = "${config.networking.fqdn}";
+      jwtSecretFile     = "/run/secrets/gradient-jwt";
+      cryptSecretFile   = "/run/secrets/gradient-crypt";
+      configurePostgres = true;
+      configureNginx    = true;
+      # serveCache        = true;
+      reportErrors      = true; # optional: will send crash reports to us
+    };
+
+    nginx.virtualHosts."${config.networking.fqdn}".listen = [
+      {
+        port = 80;
+        addr = "0.0.0.0";
+      }
+      {
+        port = 443;
+        addr = "0.0.0.0";
+        ssl = true;
+        proxyProtocol = true;
+      }
+    ];
+
+    gradient.worker = {
+      enable    = true;
+      serverUrl = "ws://127.0.0.1:3000/proto";
+      workerId  = "8f56dd3a-5698-4512-8bf7-ab8dcfaed46c";
+      peersFile = "/run/secrets/gradient-worker-peers";
+      capabilities = {
+        fetch = true;
+        eval  = true;
+        build = true;
+      };
+    };
+  };
+
+
+  system.stateVersion = "25.11";
+
+}

hosts/gradient/secrets.sops.yaml

@@ -0,0 +1,27 @@
+gradient-jwt: ENC[AES256_GCM,data:0RgUOHbz5qtBOE1+wldyhzE6b4275JTkzdjgQBbVUnHtNVvqmQUs94JGfB2HRteVJS2pRmRxyh+YYUpuErkmaw==,iv:C6AqWjVs6MGjTJ/QEFq9kz7kSglMXi+rtlmkEK0i4r0=,tag:HvmCN947JveYFDITZfAEMA==,type:str]
+gradient-crypt: ENC[AES256_GCM,data:j6KRaxQItKtolZXPxN1Rp4NalX5rYnHvQzL/R0naobgM2nMUiOJJeKiZ5yooXbaNC1wrwWNfMrNDYkm8bxVJeA==,iv:2wiiyJu3u9cEwwos0DhgKiwp0qYSw1z6MdOvpWsf+Is=,tag:GOfN78rlovnPXgiCAE9diA==,type:str]
+gradient-worker: ENC[AES256_GCM,data:IktOl14QzBee16ZxZZMmseMomlyF+teJoxsNmqDXcPHq4ZZv7QWDQAjIct4hz1CHofaBfXzVM372WSLTX51/zw==,iv:OZsC9EX4fRUv7Q9AbnXBaskX9hS/wgFctOepz39NyDU=,tag:GHPx4yXb7ta5pj4+yI2PRQ==,type:str]
+sops:
+    age:
+        - recipient: age1kfxhahmxprheer63shv68slpmk5qz29nyx3kp4q6n879zz9ha34q04n50x
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2OHc0aWRocmx2QkUzcnFa
+            T3Z5MWp3U2I1c2RZMytnU1hkd0p4ZHNWSW5vCmFuZHBJYjMrSUwranVDNHR1RmFr
+            dVhSVmdPUGd1czFjM3p3dlBLcTU0T1UKLS0tIDl1eHBkL1lBUWh0ckhya1dJTjdY
+            WmhPVEl3ZytOdmdaQ3pkN2lLTnRPMzAKCKj7VvRPTBXfsqa6FnJi3ZkWNUXN8JG8
+            NlcK9QL/pMoExpoLHfw8ram4Y2i9up4oONeA2iKR12Dh86Y8RUUJfg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age16m8vvvpw4azfy6gygtstyyj6nd2sf848f7f7argaghwhct38muxsgxpeek
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVXNoVktTL0VvdVIrVWx6
+            cFpLMnhJcmFWYlVKWWZIVUR1NGMzRWhOWngwClVRZ092dDFEMHJ3d3JkdFkwVVI2
+            YW9BK0hBNnB6UmM0bzBYYVNqS0QxcFEKLS0tIHljSm03TTRjTVlSam4xN2NhMUJ6
+            aDNFUi9SL1BhZHMxVUFkTzR6bk16cWsKeS3Y8b/WlvdgmY5yLjTfTHJwBZoZ7RU8
+            GPLB8ezNB3U7XxO05hwlUQJbTkMVhSzu+nKfEavdS1KMoXaxfxhrwA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-22T08:34:30Z"
+    mac: ENC[AES256_GCM,data:74FyYHQ/bMZ3wxodMlvAXYl2UWNkv8arWSDeJwCEfRWz05bzXWy6UaMLWc+dSoqJsVvT3SRVuBMrtilsckVqCVQ4C96c730IVWB/b5juIXtEsp1JiWgS+F3yC992HDGmoGnAkSE/vzZBu3DRA8/eMwkoTtGscpDhnAzUVrkCNUk=,iv:BzhopR3jxZyKZhwRxh1lKaIaGgE5IbIe/AG35D1juZA=,tag:frnRzapbiU49TpkISZ4GEQ==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.1