- Fix Pi kernel build: disable includeDefaultModules in initrd.
NixOS all-hardware.nix includes dw-hdmi which doesn't exist in
the RPi4 kernel 6.12, causing module-shrunk to fail.
- Fix CI: SD image build now depends on build-hosts instead of
flake-check, so it won't run if the Pi build fails.
- Apply same fix to raspberry-pi template.
- Add Comin service for cryodev-main (polls git repo, auto-deploys)
- Fix cryodev-pi Comin URL (cryodev-server.git -> cryodev.git)
- Remove deploy-rs from CI pipeline (was insecure with shared runner)
- Remove deploy SSH key, root SSH login, sudo rules for gitea-runner
- Revert PermitRootLogin back to 'no'
- CI now only runs flake-check + build (no deploy)
- Deployment happens via Comin (both hosts poll and self-deploy)
- Move forgejo-deploy pubkey from users/steffen to hosts/cryodev-main/
(deploy key belongs to the host, not a user)
- Remove deploy key from steffen's authorized keys
- Add users ralph and benjamin (pubkeys pending)
- Register both new users in cryodev-main host config
- Change PermitRootLogin from 'no' to 'prohibit-password' (key-only)
- Add forgejo-deploy public key to root's authorized_keys
- Revert deploy-rs user back to root (needs root for activation)
Root can only login via SSH key, password auth remains disabled.
NixOS headscale module generates a minimal config.yaml with only
explicitly set values. Headplane with config_strict=true rejects this
because fields like database, derp, dns, listen_addr are missing
(headscale fills these with internal defaults). Setting config_strict
to false makes headplane tolerate the incomplete config.
Runner on the same host cannot reach Forgejo via the public HTTPS URL
during boot (ACME certs not ready, nginx not fully up). Use the local
HTTP endpoint instead.
The gitea-actions-runner NixOS module expects tokenFile to be an
EnvironmentFile containing TOKEN=<value>, but sops-nix writes only
the raw secret value. Use a sops template to prepend TOKEN= prefix.
- Rename SOPS key alias from generic admin_key to steffen_key in
.sops.yaml and all docs (keys should identify the person, not a role)
- Add step 3.6 to first-install docs: create Forgejo admin account
via CLI (required since DISABLE_REGISTRATION is enabled)
- Fix cryodev-pi_key comment naming in .sops.yaml
- Extract forgejo-runner config from forgejo.nix into forgejo-runner.nix
- Move forgejo-runner to stage 2 (requires running Forgejo for token)
- Remove all stage-2 secrets from sops.nix (each service file owns its secrets)
- Update first-install docs with corrected staged deployment flow
- Fixes deployment failure caused by runner crashing with placeholder token
- Add automatic SD image builds for Raspberry Pi via Forgejo Actions
- Enable binfmt emulation on cryodev-main for aarch64 cross-builds
- Add sd-image.nix module to cryodev-pi configuration
- Create comprehensive docs/ structure with installation guides
- Split installation docs into: first-install (server), reinstall, new-client (Pi)
- Add lib/utils.nix and apps/rebuild from synix
- Fix headplane module for new upstream API (tale/headplane)
- Fix various module issues (mailserver stateVersion, option conflicts)
- Add placeholder secrets.yaml files for both hosts
- Remove old INSTRUCTIONS.md (content moved to docs/)
