From 873479d8931e4fcfd97d2e0b48449900b26c4d9a Mon Sep 17 00:00:00 2001
From: Sic mundus creatus est
Date: Tue, 1 Jul 2025 22:26:25 +0200
Subject: [PATCH] more generic approach, but stills limited to vogon, for the forgejo profile
---
 profiles/forgejo.nix | 29 ++++++++++++++++++-----------
 profiles/vogon/guest.nix | 40 ++++++++++++++++++++++++++++------------
 2 files changed, 46 insertions(+), 23 deletions(-)
diff --git a/profiles/forgejo.nix b/profiles/forgejo.nix
index b5a51f0..40e660d 100644
--- a/profiles/forgejo.nix
+++ b/profiles/forgejo.nix
@@ -7,8 +7,21 @@ let
 domain = "federez.net";
 fqdn = "git.${domain}";
- sys-ip = "193.54.193.164";
- git-ip = "193.54.193.165";
+ hasValidLastOctet =
+ config ? vogon.networking.last-octet &&
+ builtins.length config.vogon.networking.last-octet >= 2;
+
+ lastOctetValues =
+ if hasValidLastOctet
+ then config.vogon.networking.last-octet
+ else abort ''Forgejo can only be deploy on vogon for now,
+ and it requires two public ip address, the first one
+ for ssh access from wan, and the second for the
+ forgejo dedicated ssh server'';
+
+ sys-ip = "193.54.193.${toString (builtins.elemAt lastOctetValues 0)}";
+ git-ip = "193.54.193.${toString (builtins.elemAt lastOctetValues 1)}";
+
 in {
 age.secrets = lib.mapAttrs
@@ -24,13 +37,7 @@ in
 postgresqlDatabases = [ cfg.database.name ];
 };
- services.openssh = {
- listenAddresses = [{
- addr = "${sys-ip}";
- port = 22;
- }];
- startWhenNeeded = false;
- };
+ services.openssh.startWhenNeeded = false;
 services.forgejo = {
 enable = true;
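Review bot: The `abort` message in the `lastOctetValues` binding has wording errors ("can only be deploy" → "can only be deployed", "two public ip address" → "two public IP addresses"); since it is the only thing an operator sees when evaluation fails on a non-vogon host, it is worth tidying. The binding also fixes a convention — index 0 of `last-octet` is the system sshd address and index 1 the Forgejo SSH address — that the vogon guest profile's new `ssh-octets` default (`builtins.head cfg.networking.last-octet`, in the guest.nix hunk) relies on without saying so; a comment above `sys-ip` such as `# Convention shared with profiles/vogon/guest.nix: last-octet[0] is the system sshd address, last-octet[1] the Forgejo SSH address` would make the coupling explicit. Octets beyond the first two are silently accepted, which looks intentional but could be stated in the same comment.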
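Review bot: Removing the explicit `listenAddresses` block means this profile no longer guarantees that the system sshd binds only `sys-ip`; it now depends on the vogon guest profile's `ssh-octets` default, and an operator who sets `ssh-octets` to include the second octet would have the system sshd on port 22 of `git-ip`, colliding with the Forgejo SSH server that, per the abort message above, is meant to own that address (the Forgejo SSH bind is not in this hunk, so this is inferred). A guard in this profile would keep the invariant local: `assertions = [{ assertion = !(lib.elem (builtins.elemAt lastOctetValues 1) config.vogon.networking.ssh-octets); message = "the second vogon last-octet is reserved for the Forgejo SSH server and must not appear in vogon.networking.ssh-octets"; }];`. The enclosing attribute set continues outside the hunk.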
@@ -98,7 +105,7 @@ in
 user = "wizard";
 in ''
 # || true -> avoid systemd to crash on that command if user already exist by forcing a 0 return value
- ${adminCmd} create --admin --email "root@localhost" --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
+ ${adminCmd} create --admin --email "admin@federez.net" --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
 ${adminCmd} change-password --username ${user} --password "$(tr -d '\n' < ${pwd})" || true
 '';
@@ -115,7 +122,7 @@ in
 "git.federez.net" = {
 enableACME = true;
 forceSSL = true;
- locations."/".proxyPass = "http://localhost:3000";
+ locations."/".proxyPass = "http://localhost:${toString cfg.settings.server.HTTP_PORT}";
 extraConfig = ''
 client_max_body_size 1G;
 '';
diff --git a/profiles/vogon/guest.nix b/profiles/vogon/guest.nix
index e90db43..53e9d54 100644
--- a/profiles/vogon/guest.nix
+++ b/profiles/vogon/guest.nix
@@ -1,4 +1,4 @@
-{ config, lib, ... }:
+{ config, lib, network, ... }:
 let
 inherit (lib) mkOption types;
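Review bot: The admin account's e-mail is now the literal `"admin@federez.net"` while `domain = "federez.net"` is already bound in this file's `let`; `--email "admin@${domain}"` keeps the two from drifting if the domain ever changes. The enclosing script string and its `let` start outside the hunk.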
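Review bot: `proxyPass` now follows `cfg.settings.server.HTTP_PORT`, which is the right source, but nothing in the hunk pins the matching bind address; if `HTTP_ADDR` is left at the module default, the backend is reachable on that port directly, bypassing the ACME/forceSSL vhost and the `client_max_body_size` limit (whether `HTTP_ADDR` is set elsewhere in the file is not visible here). Setting `services.forgejo.settings.server.HTTP_ADDR = "127.0.0.1";` next to the other `settings` would make the proxy the only entry point. The `virtualHosts` attribute set starts and ends outside the hunk.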
@@ -17,25 +17,41 @@ in
 };
 wan-mac = mkOption {
 type = types.str;
- description = '''
+ description = ''
 Adresse MAC de l'interface réseau WAN qui portera l'IPv4 interne.
 '';
 example = "BC:24:11:B7:AE:80";
 };
+ ssh-octets = mkOption {
+ type = types.listOf (types.ints.between 161 174);
+ default = [ (builtins.head cfg.networking.last-octet) ];
+ defaultText = "[ (first element of last-octet) ]";
+ description = ''
+ Liste des octets à utiliser pour la configuration SSH.
+ Par défaut, utilise le premier élément de last-octet.
+ '';
+ example = [ 163 165 ];
+ };
 };
 };
- config.systemd.network = {
- links."10-wan" = {
- matchConfig.MACAddress = cfg.networking.wan-mac;
- linkConfig.Name = "wan";
- };
- networks."10-wan" = {
- matchConfig.Name = "wan";
- address = map (octet: "193.54.193.${toString octet}/28") cfg.networking.last-octet;
- routes = [ { Gateway = "193.54.193.174"; } ];
- linkConfig.RequiredForOnline = "routable";
+ config = {
+ systemd.network = {
+ links."10-wan" = {
+ matchConfig.MACAddress = cfg.networking.wan-mac;
+ linkConfig.Name = "wan";
+ };
+ networks."10-wan" = {
+ matchConfig.Name = "wan";
+ address = map (octet: "193.54.193.${toString octet}/28") cfg.networking.last-octet;
+ routes = [ { Gateway = "193.54.193.174"; } ];
+ linkConfig.RequiredForOnline = "routable";
+ };
 };
+ services.openssh.listenAddresses = [
+ { addr = network.infra.nodes.${config.networking.hostName}.ipv4; port = 22; }
+ { addr = network.infra.nodes.${config.networking.hostName}.ipv6; port = 22; }
+ ] ++ map (octet: { addr = "193.54.193.${toString octet}"; port = 22; }) cfg.networking.ssh-octets;
 };
 }
\ No newline at end of file
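Review bot: The new `ssh-octets` option is not checked against `last-octet`, so an octet listed in `ssh-octets` but absent from the `address` list of `10-wan` makes sshd try to bind an address the host does not hold, and the default `builtins.head cfg.networking.last-octet` raises an opaque `head: list is empty` error when `last-octet` is empty; an assertion inside `config` would turn both into a readable evaluation failure. The `listenAddresses` list also now includes the node's infra IPv4 and IPv6 addresses, which is wider than the single `sys-ip` the forgejo profile used to bind (first file, second hunk) — if that widening is intended it deserves a comment, if not the two infra entries should be dropped. `network` is a new module argument (first hunk of this file) that must come from the flake's `specialArgs`, and `network.infra.nodes.${config.networking.hostName}` fails evaluation for any node missing from that table; a line such as `# network is injected via specialArgs; every vogon guest needs an entry in network.infra.nodes` above the list would say so. The `types.ints.between 161 174` bound also admits 174, the gateway address set in `routes`; 173 looks like the intended ceiling.
```nix
  config = {
    # … unchanged: systemd.network and services.openssh.listenAddresses …
    assertions = [
      {
        assertion = lib.all (o: lib.elem o cfg.networking.last-octet) cfg.networking.ssh-octets;
        message = "vogon.networking.ssh-octets may only contain octets listed in vogon.networking.last-octet";
      }
    ];
  };
```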