push

.stfolder/syncthing-folder-a0745f.txt

@@ -2,4 +2,4 @@
 # Do not delete.
 
 folderID: nix
-created: 2026-01-29T23:05:44-06:00
+created: 2026-01-29T23:06:32-06:00

modules/hosts/box/box.nix

@@ -3,11 +3,11 @@
   den.aspects.box = {
     includes = with den.aspects; [
       den.default
-      den.provides.home-manager
+      # den.provides.home-manager
       syncthing
       fish
 
-      cloudflared
+      #cloudflared
       searxng
       copyparty
       glances
@@ -20,6 +20,15 @@
       dns
       openssh
       gitea
+
+
+      (den.provides.cloudflared-tunnel "tvtun"   3001)
+      (den.provides.cloudflared-tunnel "search"  8888)
+      (den.provides.cloudflared-tunnel "files"   3210)
+      (den.provides.cloudflared-tunnel "tube"    3030)
+      (den.provides.cloudflared-tunnel "monitor" 61208)
+      (den.provides.cloudflared-tunnel "reddit"  8975)
+      (den.provides.cloudflared-tunnel "git"     3000)
     ];
 
     nixos = {

modules/infra/cloudflare-tunnel.nix

@@ -0,0 +1,55 @@
+# cloudflared/battery.nix
+{ den, ... }:
+let
+
+  description = ''
+    Configures a Cloudflare tunnel ingress rule for a given subdomain and port.
+    Assumes the tunnel UUID and credentials are fixed for this machine.
+
+    Usage:
+
+      den.aspects.bug.includes = [
+        (den.provides.cloudflared-tunnel "search" 8888)
+        (den.provides.cloudflared-tunnel "tube"   3030)
+        (den.provides.cloudflared-tunnel "git"    3000)
+      ];
+
+    Each call adds one ingress entry: <subdomain>.bug.tools -> http://127.0.0.1:<port>
+    The base tunnel setup (enable, credentials, default) is included every time
+    and merges safely via the NixOS module system.
+  '';
+
+  TUNNEL_UUID = "4118935e-359b-4dd2-95bd-eb27f7b0c5bb";
+  DOMAIN      = "bug.tools";
+  CREDS_PATH  = "/home/bug/.cloudflared/${TUNNEL_UUID}.json";
+
+  tunnelNixos = subdomain: port: { pkgs, ... }: {
+    environment.systemPackages = [ pkgs.cloudflared ];
+
+    environment.etc."cloudflared/${TUNNEL_UUID}.json".source = CREDS_PATH;
+
+    services.cloudflared = {
+      enable = true;
+
+      tunnels.${TUNNEL_UUID} = {
+        credentialsFile = "/etc/cloudflared/${TUNNEL_UUID}.json";
+        default = "http_status:404";
+
+        ingress = {
+          "${subdomain}.${DOMAIN}" = "http://127.0.0.1:${toString port}";
+        };
+      };
+    };
+  };
+
+in
+{
+  den.provides.cloudflared-tunnel =
+    subdomain: port:
+    den.lib.parametric {
+      inherit description;
+      includes = [
+        (_: { nixos = tunnelNixos subdomain port; })
+      ];
+    };
+}

modules/infra/cloudflared.nix

@@ -1,3 +1,4 @@
+/*
 {
   den.aspects.cloudflared = {
     nixos = { pkgs, ...}: let
@@ -30,3 +31,6 @@
     };
   };
 }
+*/
+
+{}

modules/services/gitea.nix

@@ -3,16 +3,11 @@
     nixos = {
       services.gitea = {
         enable = true;
-        config = {
-          database = {
-            type = "sqlite3";
-            path = "/var/lib/gitea/gitea.db";
-          };
 
-          server = {
-            domain = "example.com";
-            httpPort = 3000;
-          };
+        database.type = "mysql";
+
+        settings.service = {
+          DISABLE_REGISTRATION = true;
         };
       };
     };

modules/services/mailserver.nix

@@ -41,6 +41,7 @@
               "matrix@bug.tools"
               "fluxer@bug.tools"
               "git@bug.tools"
+              "contact@bug.tools"
             ];
           };
 

modules/services/searxng/searxng.yml

@@ -1,7 +1,5 @@
 general:
-  # Debug mode, only for development. Is overwritten by ${SEARXNG_DEBUG}
   debug: false
-  # displayed name
   instance_name: "search.bug.tools"
   # For example: https://example.com/privacy
   privacypolicy_url: false
@@ -9,7 +7,7 @@ general:
   # use false to disable the donation link
   donation_url: false
   # mailto:contact@example.com
-  contact_url: false
+  contact_url: contact@bug.tools
   # record stats
   enable_metrics: true
   # expose stats in open metrics format at /metrics