AlexCaswen 98535194d0
alexcaswen-improved-merge-health-check (#13)
Reviewed-on: #13
2026-06-11 13:40:42 +00:00

m3-cloud

NixOS configuration and services for M3's Hetzner VPS (m3-cloud-00, CPX21, Ashburn).

This is a flake-based NixOS deployment. Nixpkgs is pinned in flake.lock; upgrades happen by running nix flake update to advance the pin, committing, and deploying. There is no channel-based auto-upgrade.

Deploying

From the repo directory on m3-cloud-00 (always in tmux):

nix flake update                          # advance nixpkgs pin (when upgrading)
nixos-rebuild switch --flake .#m3-cloud-00

Layout

flake.nix                  # entry point — pins nixpkgs, defines nixosConfigurations
configuration.nix          # top-level imports and global settings
hardware-configuration.nix # Hetzner CPX21 hardware (QEMU guest)
modules/
  networking.nix            # Tailscale, firewall
  forgejo.nix               # Forgejo server, Actions runner, runner secrets, tofu dirs
  caddy.nix                 # reverse proxy behind Cloudflare
  setec.nix                 # Setec secrets server (tsnet, AWS KMS)
pkgs/
  setec.nix                 # setec package derivation

Services

  • Forgejo — forgejo.midwitmoneymgmt.com, the single forge for all M3 code. HTTP on :3000, SSH on :2222, behind Caddy + Cloudflare. Tracks the stable channel's forgejo-lts.
  • Setec — Tailscale's secrets server, run as a tsnet node (setec.taild30b6f.ts.net) backed by AWS KMS. Authoritative store for all M3 secrets, namespaced under ci/*.
  • Caddy — reverse proxy fronting Forgejo.
  • Forgejo Actions runner (gitea-runner-m3) — native:host runner. Its registration token is pulled from Setec at startup by the forgejo-runner-secrets oneshot, which waits for Setec to be reachable on the tailnet before writing the token file.
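
The wait-then-write pattern the forgejo-runner-secrets oneshot follows, as an added illustration that is not the repo's own module: poll until Setec answers on the tailnet, then write the token file atomically with 0600 permissions. The Setec URL is taken from this README; TOKEN_FILE, the probe command, the `setec get` invocation and the secret name ci/forgejo-runner-token are assumptions.

```shell
#!/bin/sh
# Example only (not the repo's forgejo-runner-secrets unit).
set -eu

SETEC_URL="${SETEC_URL:-https://setec.taild30b6f.ts.net}"  # tsnet node from README
TOKEN_FILE="${TOKEN_FILE:-/var/lib/forgejo-runner/token}"   # assumed path

# probe_setec: succeeds once the tsnet node answers HTTP; overridable for tests.
probe_setec() {
  curl -fsS --max-time 5 -o /dev/null "$SETEC_URL/"
}

# wait_for_setec ATTEMPTS DELAY [PROBE]: poll PROBE until it succeeds or the
# budget runs out. Returning non-zero makes the oneshot fail loudly, which is
# what you want: a runner must never start with a stale or empty token.
wait_for_setec() {
  attempts=$1; delay=$2; probe=${3:-probe_setec}
  i=0
  while [ "$i" -lt "$attempts" ]; do
    if "$probe"; then return 0; fi
    i=$((i + 1))
    sleep "$delay"
  done
  echo "setec not reachable after $attempts attempts" >&2
  return 1
}

# write_token_file PATH TOKEN: create the file 0600 from the start (umask 077
# in a subshell) and rename into place so readers never see a partial file.
# The token is only ever handled by shell builtins, so it never appears in
# another process's argv.
write_token_file() {
  path=$1; token=$2
  (
    umask 077
    tmp=$(mktemp "$(dirname "$path")/.token.XXXXXX")
    printf '%s' "$token" > "$tmp"
    mv -f "$tmp" "$path"
  )
}

main() {
  wait_for_setec 60 5
  # Assumed CLI/secret name; the unit should run as the runner user (or chown).
  token=$(setec get -s "$SETEC_URL" ci/forgejo-runner-token)
  write_token_file "$TOKEN_FILE" "$token"
}

case "${1:-}" in run) main ;; esac
```

Run it as `sh fetch-token.sh run` from a oneshot; invoking it without `run` only defines the functions.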

CI/CD

CI is Forgejo Actions with a native:host runner. The previous Woodpecker server, agent, and the setec-woodpecker-bridge were removed in May 2026; do not reintroduce them.