Add SD image pipeline, documentation overhaul, and fix module issues

- Add automatic SD image builds for Raspberry Pi via Forgejo Actions
- Enable binfmt emulation on cryodev-main for aarch64 cross-builds
- Add sd-image.nix module to cryodev-pi configuration
- Create comprehensive docs/ structure with installation guides
- Split installation docs into: first-install (server), reinstall, new-client (Pi)
- Add lib/utils.nix and apps/rebuild from synix
- Fix headplane module for new upstream API (tale/headplane)
- Fix various module issues (mailserver stateVersion, option conflicts)
- Add placeholder secrets.yaml files for both hosts
- Remove old INSTRUCTIONS.md (content moved to docs/)

hosts/cryodev-main/services/forgejo.nix

@@ -1,6 +1,5 @@
 {
   config,
-  pkgs,
   outputs,
   constants,
   ...
@@ -31,14 +30,17 @@
         USER = "forgejo@${constants.domain}";
       };
     };
-    sops = true; # Enable sops integration for secrets
   };
 
   services.forgejo-runner = {
     enable = true;
     url = "https://${constants.services.forgejo.fqdn}";
-    # Token needs to be set up via sops/secrets
-    sops = true;
+    tokenFile = config.sops.secrets."forgejo-runner/token".path;
+  };
+
+  sops.secrets."forgejo-runner/token" = {
+    # gitea-runner user is created by gitea-actions-runner service
+    mode = "0400";
   };
 
   services.nginx.virtualHosts."${constants.services.forgejo.fqdn}" = {

hosts/cryodev-main/services/headplane.nix

@@ -1,6 +1,4 @@
 {
-  config,
-  pkgs,
   outputs,
   constants,
   ...
@@ -14,14 +12,11 @@
   services.headplane = {
     enable = true;
     port = constants.services.headplane.port;
-    headscale = {
-      url = "http://127.0.0.1:${toString constants.services.headscale.port}";
-      public_url = "https://${constants.services.headscale.fqdn}";
-    };
-    # Secrets for headplane need to be configured via sops
-    sops.secrets = {
-      "headplane/cookie_secret" = { };
-      "headplane/agent_pre_authkey" = { };
+    settings = {
+      headscale = {
+        url = "http://127.0.0.1:${toString constants.services.headscale.port}";
+        public_url = "https://${constants.services.headscale.fqdn}";
+      };
     };
   };
 

hosts/cryodev-main/services/headscale.nix

@@ -1,6 +1,4 @@
 {
-  config,
-  pkgs,
   outputs,
   constants,
   ...
@@ -17,7 +15,9 @@
     port = constants.services.headscale.port;
     settings = {
       server_url = "https://${constants.services.headscale.fqdn}";
-      dns_config.base_domain = constants.domain;
+      # dns.base_domain must be different from the server domain
+      # Using "tail" for internal Tailscale DNS (e.g., host.tail)
+      dns.base_domain = "tail";
     };
   };
 

hosts/cryodev-main/services/mailserver.nix

@@ -1,6 +1,4 @@
 {
-  config,
-  pkgs,
   outputs,
   constants,
   ...
@@ -21,7 +19,9 @@
         aliases = [ "postmaster" ];
       };
     };
-    certificateScheme = "acme-nginx";
-    sops = true;
+    x509.useACMEHost = constants.services.mail.fqdn;
   };
+
+  # ACME certificate for mail server
+  security.acme.certs.${constants.services.mail.fqdn} = { };
 }