migrate to radicle

hosts/box/default.nix

@@ -30,6 +30,7 @@
     ../profiles/gpodder
     ../profiles/transmission
     ../profiles/raven
+    ../profiles/radicle-node
     # ../profiles/postgres_upgrade_script # one-time use
   ];
 
@@ -58,6 +59,7 @@
       "/tank/postgres" # postgres data
       "/tank/media/photos"
       "/tank/media/music"
+      "/var/lib/radicle"
     ];
   };
 

hosts/helix/default.nix

@@ -1,18 +1,25 @@
-{ self, profiles, suites, pkgs, ... }:
+{
+  self,
+  profiles,
+  suites,
+  pkgs,
+  ...
+}:
 {
   imports = [
     ./configuration.nix
     ../profiles/core
     ../profiles/server
     # ../profiles/metrics
-    ../profiles/gitea
+    # ../profiles/gitea  # Replaced by radicle
+    ../profiles/radicle-seed
     # ../profiles/woodpecker-server
     ../profiles/rss-bridge
     # ../profiles/mount-mossnet
     ../profiles/freshrss
     ../profiles/microbin
     ../profiles/site
-    
+
     # ../profiles/postgres_upgrade_script
   ];
 
@@ -50,7 +57,7 @@
   services.postgresqlBackup = {
     # TODO needs working wireguard to box
     enable = false;
-    databases = [ "gitea" "freshrss"  ]; # "woodpecker"
+    databases = [ "freshrss" ]; # gitea removed (now using radicle)
     location = "/mnt/two/postgres";
   };
 
@@ -58,7 +65,8 @@
     enable = true;
     name = "helix";
     paths = [
-      "/var/lib/gitea"
+      # "/var/lib/gitea"  # Replaced by radicle
+      "/var/lib/radicle"
       "/var/lib/freshrss"
       # "/var/lib/woodpecker"
       "/var/lib/microbin"

hosts/profiles/dns/default.nix

@@ -1,14 +1,22 @@
-{ config, pkgs, lib, ... }:
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
 let
   adblockLocalZones = pkgs.stdenv.mkDerivation {
     name = "unbound-zones-adblock";
 
-    src = (pkgs.fetchFromGitHub {
-      owner = "StevenBlack";
-      repo = "hosts";
-      rev = "3.12.21";
-      sha256 = "Yzr6PY/zqQE+AHH0J6ioHTsgkikM+dz4aelbGpQJa1s=";
-    } + "/hosts");
+    src = (
+      pkgs.fetchFromGitHub {
+        owner = "StevenBlack";
+        repo = "hosts";
+        rev = "3.12.21";
+        sha256 = "Yzr6PY/zqQE+AHH0J6ioHTsgkikM+dz4aelbGpQJa1s=";
+      }
+      + "/hosts"
+    );
 
     phases = [ "installPhase" ];
 
@@ -40,9 +48,11 @@ let
     "photos.mossnet.lan"
     "pod.mossnet.lan"
     "mast.mossnet.lan"
+    "rad.mossnet.lan"
   ];
 
-in {
+in
+{
   services.unbound = {
     enable = true;
     settings = {
@@ -53,9 +63,17 @@ in {
         # private-address = "192.168.1.0/24";
         cache-min-ttl = 0;
         serve-expired = "yes";
-        interface = [ "0.0.0.0" "::" ];
-        access-control =
-          [ "127.0.0.0/8 allow" "192.168.1.0/24 allow" "10.0.69.0/24 allow" "::1 allow" "fd7d:587a:4300:1::/64 allow" ];
+        interface = [
+          "0.0.0.0"
+          "::"
+        ];
+        access-control = [
+          "127.0.0.0/8 allow"
+          "192.168.1.0/24 allow"
+          "10.0.69.0/24 allow"
+          "::1 allow"
+          "fd7d:587a:4300:1::/64 allow"
+        ];
         access-control-view = "10.0.69.0/24 wireguard";
         # so-reuseport = "yes";
         tls-upstream = "yes";
@@ -63,15 +81,17 @@ in {
         local-zone = ''"mossnet.lan." redirect'';
         local-data = ''"mossnet.lan. IN A ${mossnet}"'';
       };
-      forward-zone = [{
-        name = ".";
-        forward-addr = [
-          "45.90.28.0#6939b9.dns.nextdns.io"
-          "1.1.1.1@853#cloudflare-dns.com"
-        ];
-        # non-tls
-        # forward-addr = ["45.90.30.49" "45.90.28.49" "1.1.1.1" "8.8.8.8"] 
-      }];
+      forward-zone = [
+        {
+          name = ".";
+          forward-addr = [
+            "45.90.28.0#6939b9.dns.nextdns.io"
+            "1.1.1.1@853#cloudflare-dns.com"
+          ];
+          # non-tls
+          # forward-addr = ["45.90.30.49" "45.90.28.49" "1.1.1.1" "8.8.8.8"]
+        }
+      ];
       view = {
         name = "wireguard";
         local-zone = ''"mossnet.lan." redirect'';

hosts/profiles/radicle-node/default.nix

@@ -0,0 +1,85 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}:
+let
+  # Custom radicle-explorer configured for local box node
+  localExplorer = pkgs.radicle-explorer.withConfig {
+    preferredSeeds = [
+      {
+        hostname = "rad.mossnet.lan";
+        port = 80;
+        scheme = "http";
+      }
+    ];
+  };
+in
+{
+  age.secrets.radicle-box-key.file = "${self}/secrets/radicle-box-key.age";
+  age.secrets.radicle-box-key.owner = "radicle";
+
+  services.radicle = {
+    enable = true;
+    privateKeyFile = config.age.secrets.radicle-box-key.path;
+    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII2QC5AbaTHCRVzGluWgXUlyBNFDxcLiIeViv81f3TYw mossnet.lan";
+
+    node = {
+      listenAddress = "0.0.0.0"; # Listen on all interfaces for local LAN access
+      listenPort = 8776;
+      openFirewall = true;
+    };
+
+    settings = {
+      node = {
+        alias = "mossnet.lan";
+        connect = [ "z6MkfPhJnbrHbB4FNcub7weT8CRcqFgfJinDfSYjPwK9tSXy@10.0.69.5:8776" ];
+        seedingPolicy.default = "block";
+      };
+    };
+
+    # HTTP API for local web access
+    httpd = {
+      enable = true;
+      listenAddress = "127.0.0.1";
+      listenPort = 8888;
+    };
+  };
+
+  # Nginx to serve radicle-explorer + proxy API
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+
+    virtualHosts."rad.mossnet.lan" = {
+      root = localExplorer;
+
+      locations."/" = {
+        tryFiles = "$uri $uri/ /index.html";
+        index = "index.html";
+      };
+
+      # Proxy API requests to radicle-httpd
+      locations."/api" = {
+        proxyPass = "http://127.0.0.1:8888";
+      };
+
+      # Proxy raw file access to radicle-httpd
+      locations."/raw" = {
+        proxyPass = "http://127.0.0.1:8888";
+      };
+
+      # Proxy git protocol requests (rad:xxx) to radicle-httpd
+      locations."~ ^/rad:" = {
+        proxyPass = "http://127.0.0.1:8888";
+      };
+    };
+  };
+
+  # Open firewall for nginx
+  networking.firewall.allowedTCPPorts = [ 80 ];
+
+  # rad CLI for interactive use
+  environment.systemPackages = [ pkgs.radicle-node ];
+}

hosts/profiles/radicle-seed/default.nix

@@ -0,0 +1,85 @@
+{
+  self,
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  # Custom radicle-explorer with our seed as preferred
+  customExplorer = pkgs.radicle-explorer.withConfig {
+    preferredSeeds = [
+      {
+        hostname = "git.sealight.xyz";
+        port = 443;
+        scheme = "https";
+      }
+    ];
+  };
+in
+{
+  age.secrets.radicle-helix-key.file = "${self}/secrets/radicle-helix-key.age";
+  age.secrets.radicle-helix-key.owner = "radicle";
+
+  services.radicle = {
+    enable = true;
+    privateKeyFile = config.age.secrets.radicle-helix-key.path;
+    publicKey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIA3x7XH24gEr8xHnt1qKQx38Se2AoXiUnb48/VwfL8/A git.sealight.xyz";
+
+    node = {
+      listenAddress = "0.0.0.0";
+      listenPort = 8776;
+      openFirewall = true;
+    };
+
+    settings = {
+      node = {
+        alias = "git.sealight.xyz";
+        externalAddresses = [ "git.sealight.xyz:8776" ];
+        connect = [ "z6MkoyrvcRdeGU5PyB2SbHj9mNj3nb5p34rZamkEz64GX1c3@10.0.69.4:8776" ];
+        seedingPolicy.default = "block";
+      };
+    };
+
+    httpd = {
+      enable = true;
+      listenAddress = "127.0.0.1";
+      listenPort = 8080;
+      # Don't use the module's nginx integration - we'll configure it manually
+      nginx = null;
+    };
+  };
+
+  # Configure nginx manually for radicle-explorer + httpd API
+  services.nginx.virtualHosts."git.sealight.xyz" = {
+    enableACME = true;
+    forceSSL = true;
+
+    # Serve radicle-explorer static files at root
+    root = customExplorer;
+
+    locations."/" = {
+      tryFiles = "$uri $uri/ /index.html";
+      index = "index.html";
+    };
+
+    # Proxy API requests to radicle-httpd
+    locations."/api" = {
+      proxyPass = "http://127.0.0.1:8080";
+      recommendedProxySettings = true;
+    };
+
+    # Proxy raw file access to radicle-httpd
+    locations."/raw" = {
+      proxyPass = "http://127.0.0.1:8080";
+      recommendedProxySettings = true;
+    };
+
+    # Proxy git protocol requests (rad:xxx) to radicle-httpd
+    # These are requests to /:rid/* where rid starts with "rad:"
+    locations."~ ^/rad:" = {
+      proxyPass = "http://127.0.0.1:8080";
+      recommendedProxySettings = true;
+    };
+  };
+}