gitea: hide actions when not logged in

new site-config.nix holds values previously duplicated across hosts:
  domain, old_domain, contact_email, timezone, binary_cache (url + pubkey),
  dns_servers, lan (cidr + gateway), hosts.{muffin,yarn} (ip/alias/ssh_host_key),
  ssh_keys.{laptop,desktop,ci_deploy}.

threaded through specialArgs on all three hosts + home-manager extraSpecialArgs +
homeConfigurations.primary + serverLib. service-configs.nix now takes
{ site_config } as a function arg and drops its https namespace; per-service
domains (gitea/matrix/ntfy/mollysocket/livekit/firefox-sync/grafana) are
derived from site_config.domain. ~15 service files and 6 vm tests migrated.

breakage fixes rolled in:
 - home/progs/zen/dark-reader.nix: 5 stale *.gardling.com entries in
   disabledFor rewritten to *.sigkill.computer (caddy 301s the old names so
   these never fired and the new sigkill urls were getting dark-reader applied)
 - modules/desktop-common.nix: drop unused hugepagesz=1G/hugepages=3
   kernelParams (no consumer on mreow or yarn; xmrig on muffin still reserves
   its own via services/monero/xmrig.nix)

verification: muffin toplevel is bit-identical to pre-refactor baseline.
mreow/yarn toplevels differ only in boot.json kernelParams + darkreader
storage.js (nix-diff verified). deployGuardTest and fail2banVaultwardenTest
(latter exercises site_config.domain via bitwarden.nix) pass.

flake.nix

@@ -180,17 +180,20 @@
         targetPlatform = system;
         buildPlatform = builtins.currentSystem;
       };
-      serviceConfigs = import ./hosts/muffin/service-configs.nix;
+      siteConfig = import ./site-config.nix;
+      serviceConfigs = import ./hosts/muffin/service-configs.nix { site_config = siteConfig; };
       serverLib = import ./lib {
         inherit inputs;
         lib = nixpkgs-stable.lib;
         pkgs = serverPkgs;
         service_configs = serviceConfigs;
+        site_config = siteConfig;
       };
       testSuite = import ./tests/tests.nix {
         pkgs = serverPkgs;
         lib = serverLib;
         inherit inputs;
+        site_config = siteConfig;
         config = self.nixosConfigurations.muffin.config;
       };
 
@@ -203,6 +206,7 @@
           specialArgs = {
             inherit inputs username hostname;
             niri-package = niriPackage;
+            site_config = siteConfig;
           };
           modules = [
             home-manager.nixosModules.home-manager
@@ -222,6 +226,7 @@
                   niri-package = niriPackage;
                   homeDirectory = "/home/${username}";
                   stateVersion = config.system.stateVersion;
+                  site_config = siteConfig;
                 };
                 home-manager.users.${username} = import ./hosts/${hostname}/home.nix;
               }
@@ -241,6 +246,7 @@
           hostname = "muffin";
           eth_interface = "enp4s0";
           service_configs = serviceConfigs;
+          site_config = siteConfig;
           lib = serverLib;
         };
         modules = [
@@ -349,6 +355,9 @@
           (
             { ... }:
             {
+              home-manager.extraSpecialArgs = {
+                site_config = siteConfig;
+              };
               home-manager.users.${username} = import ./hosts/muffin/home.nix;
             }
           )
@@ -376,6 +385,9 @@
       # Ships the shared terminal profile (fish, helix, modern CLI, git).
       homeConfigurations.primary = home-manager.lib.homeManagerConfiguration {
         pkgs = desktopPkgs;
+        extraSpecialArgs = {
+          site_config = siteConfig;
+        };
         modules = [
           ./home/profiles/terminal.nix
           {
@@ -389,7 +401,7 @@
       };
 
       deploy.nodes.muffin = {
-        hostname = "server-public";
+        hostname = siteConfig.hosts.muffin.alias;
         profiles.system = {
           sshUser = "root";
           user = "root";

home/profiles/terminal.nix

@@ -10,6 +10,7 @@
 # tools, no GUI-adjacent utilities — those belong in profiles layered on top.
 {
   lib,
+  site_config,
   pkgs,
   ...
 }:
@@ -83,7 +84,7 @@
       push.autoSetupRemote = true;
       user = {
         name = "Simon Gardling";
-        email = "titaniumtown@proton.me";
+        email = site_config.contact_email;
       };
     };
 

home/progs/zen/dark-reader.nix

@@ -68,19 +68,19 @@ in
       "element.envs.net"
       "mail.proton.me"
       "mail.google.com"
-      "www.gardling.com"
+      "www.sigkill.computer"
       "projects.fivethirtyeight.com"
       "secure.bankofamerica.com"
       "billpay-ui.bankofamerica.com"
       "plus.pearson.com"
-      "immich.gardling.com"
+      "immich.sigkill.computer"
       "huggingface.co"
       "session.masteringphysics.com"
       "brainly.com"
       "www.270towin.com"
       "phet.colorado.edu"
       "8042-1.portal.athenahealth.com"
-      "torrent.gardling.com"
+      "torrent.sigkill.computer"
       "nssb-p.adm.fit.edu"
       "mail.openbenchmarking.org"
       "moneroocean.stream"
@@ -89,11 +89,11 @@ in
       "chat.deepseek.com"
       "n21.ultipro.com"
       "www.egaroucid.nyanyan.dev"
-      "bitmagnet.gardling.com"
+      "bitmagnet.sigkill.computer"
       "frame.work"
       "www.altcancer.net"
       "jenkins.jpenilla.xyz"
-      "soulseek.gardling.com"
+      "soulseek.sigkill.computer"
       "discord.com"
       "www.lufthansa.com"
       "surveys.hyundaicx.com"

hosts/muffin/default.nix

@@ -5,6 +5,7 @@
   hostname,
   username,
   eth_interface,
+  site_config,
   service_configs,
   options,
   ...
@@ -79,16 +80,22 @@
   ];
 
   # Hosts entries for CI/CD deploy targets
-  networking.hosts."192.168.1.50" = [ "server-public" ];
+  networking.hosts.${site_config.hosts.muffin.ip} = [ site_config.hosts.muffin.alias ];
-  networking.hosts."192.168.1.223" = [ "desktop" ];
+  networking.hosts.${site_config.hosts.yarn.ip} = [ site_config.hosts.yarn.alias ];
 
-  # SSH known_hosts for CI runner (pinned host keys)
+  # SSH known_hosts for CI runner (pinned host keys). All four names resolve to
-  environment.etc."ci-known-hosts".text = ''
+  # the same muffin host and therefore serve the same host key.
-    server-public ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
+  environment.etc."ci-known-hosts".text =
-    192.168.1.50 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
+    let
-    git.sigkill.computer ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
+      key = site_config.hosts.muffin.ssh_host_key;
-    git.gardling.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu
+      names = [
-  '';
+        site_config.hosts.muffin.alias
+        site_config.hosts.muffin.ip
+        "git.${site_config.domain}"
+        "git.${site_config.old_domain}"
+      ];
+    in
+    lib.concatMapStrings (n: "${n} ${key}\n") names;
 
   services.deployGuard.enable = true;
 
@@ -149,9 +156,6 @@
     };
   };
 
-  # Set your time zone.
-  time.timeZone = "America/New_York";
-
   hardware.graphics = {
     enable = true;
     extraPackages = with pkgs; [
@@ -183,10 +187,7 @@
   ];
 
   networking = {
-    nameservers = [
+    nameservers = site_config.dns_servers;
-      "1.1.1.1"
-      "9.9.9.9"
-    ];
 
     hostName = hostname;
     hostId = "0f712d56";
@@ -200,8 +201,7 @@
     interfaces.${eth_interface} = {
       ipv4.addresses = [
         {
-          address = "192.168.1.50";
+          address = site_config.hosts.muffin.ip;
-          # address = "10.1.1.102";
           prefixLength = 24;
         }
       ];
@@ -213,8 +213,7 @@
       ];
     };
     defaultGateway = {
-      #address = "10.1.1.1";
+      address = site_config.lan.gateway;
-      address = "192.168.1.1";
       interface = eth_interface;
     };
     # TODO! fix this

hosts/muffin/service-configs.nix

@@ -1,3 +1,4 @@
+{ site_config }:
 rec {
   zpool_ssds = "tank";
   zpool_hdds = "hdds";
@@ -206,15 +207,9 @@ rec {
     };
   };
 
-  https = {
-    certs = services_dir + "/http_certs";
-    domain = "sigkill.computer";
-    old_domain = "gardling.com"; # Redirect traffic from old domain
-  };
-
   gitea = {
     dir = services_dir + "/gitea";
-    domain = "git.${https.domain}";
+    domain = "git.${site_config.domain}";
   };
 
   postgres = {
@@ -278,19 +273,19 @@ rec {
 
   matrix = {
     dataDir = "/var/lib/continuwuity";
-    domain = "matrix.${https.domain}";
+    domain = "matrix.${site_config.domain}";
   };
 
   ntfy = {
-    domain = "ntfy.${https.domain}";
+    domain = "ntfy.${site_config.domain}";
   };
 
   mollysocket = {
-    domain = "mollysocket.${https.domain}";
+    domain = "mollysocket.${site_config.domain}";
   };
 
   livekit = {
-    domain = "livekit.${https.domain}";
+    domain = "livekit.${site_config.domain}";
   };
 
   syncthing = {
@@ -324,12 +319,12 @@ rec {
   };
 
   firefox_syncserver = {
-    domain = "firefox-sync.${https.domain}";
+    domain = "firefox-sync.${site_config.domain}";
   };
 
   grafana = {
     dir = services_dir + "/grafana";
-    domain = "grafana.${https.domain}";
+    domain = "grafana.${site_config.domain}";
   };
 
   trilium = {

hosts/yarn/default.nix

@@ -4,6 +4,7 @@
   lib,
   username,
   inputs,
+  site_config,
   ...
 }:
 {
@@ -43,8 +44,8 @@
     };
     ipv4 = {
       method = "manual";
-      address1 = "192.168.1.223/24,192.168.1.1";
+      address1 = "${site_config.hosts.yarn.ip}/24,${site_config.lan.gateway}";
-      dns = "1.1.1.1;9.9.9.9;";
+      dns = lib.concatMapStrings (n: "${n};") site_config.dns_servers;
     };
     ipv6.method = "disabled";
   };
@@ -59,12 +60,12 @@
   };
 
   users.users.${username}.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
+    site_config.ssh_keys.laptop
   ];
 
   users.users.root.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
+    site_config.ssh_keys.laptop
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5ZYN6idL/w/mUIfPOH1i+Q/SQXuzAMQUEuWpipx1Pc ci-deploy@muffin"
+    site_config.ssh_keys.ci_deploy
   ];
 
   programs.steam = {
@@ -99,7 +100,7 @@
           ]
         }
 
-        STORE_PATH=$(curl -sf --max-time 30 "https://nix-cache.sigkill.computer/deploy/yarn" || true)
+        STORE_PATH=$(curl -sf --max-time 30 "${site_config.binary_cache.url}/deploy/yarn" || true)
         if [ -z "$STORE_PATH" ]; then
           echo "server unreachable"
           exit 1
@@ -152,7 +153,7 @@
     (
       final: prev:
       let
-        deploy-url = "https://nix-cache.sigkill.computer/deploy/yarn";
+        deploy-url = "${site_config.binary_cache.url}/deploy/yarn";
 
         steamos-update-script = final.writeShellScript "steamos-update" ''
           export PATH=${

lib/default.nix

@@ -2,6 +2,7 @@
   inputs,
   pkgs,
   service_configs,
+  site_config,
   lib ? inputs.nixpkgs-stable.lib,
   ...
 }:
@@ -195,7 +196,7 @@ lib.extend (
       assert (subdomain != null) != (domain != null);
       { config, ... }:
       let
-        vhostDomain = if domain != null then domain else "${subdomain}.${service_configs.https.domain}";
+        vhostDomain = if domain != null then domain else "${subdomain}.${site_config.domain}";
         upstream =
           if vpn then
             "${config.vpnNamespaces.wg.namespaceAddress}:${builtins.toString port}"

modules/common.nix

@@ -2,10 +2,15 @@
   config,
   lib,
   pkgs,
+  site_config,
   username,
   ...
 }:
 {
+  # Shared timezone. Plain priority so it wins against srvos's mkDefault "UTC";
+  # mreow overrides via lib.mkForce when travelling.
+  time.timeZone = site_config.timezone;
+
   # Common Nix daemon settings. Host-specific overrides (binary cache substituters,
   # gc retention) live in the host's default.nix.
   nix = {

modules/desktop-common.nix

@@ -5,6 +5,7 @@
   lib,
   username,
   inputs,
+  site_config,
   niri-package,
   ...
 }:
@@ -64,11 +65,11 @@
   swapDevices = [ ];
 
   # Desktop-specific Nix cache — muffin serves it, desktops consume.
-  # Base nix settings (optimise, gc, experimental-features) come from common-nix.nix.
+  # Base nix settings (optimise, gc, experimental-features) come from common.nix.
   nix.settings = {
-    substituters = [ "https://nix-cache.sigkill.computer" ];
+    substituters = [ site_config.binary_cache.url ];
     trusted-public-keys = [
-      "nix-cache.sigkill.computer-1:ONtQC9gUjL+2yNgMWB68NudPySXhyzJ7I3ra56/NPgk="
+      site_config.binary_cache.public_key
     ];
     netrc-file = "${../secrets/desktop/nix-cache-netrc}";
   };
@@ -337,12 +338,6 @@
       "msr"
       "btusb"
     ];
-
-    kernelParams = [
-      # 1gb huge pages
-      "hugepagesz=1G"
-      "hugepages=3"
-    ];
   };
 
   services = {
@@ -381,9 +376,6 @@
     };
   };
 
-  # EST
-  time.timeZone = "America/New_York";
-
   # Select internationalisation properties.
   i18n.defaultLocale = "en_US.UTF-8";
 

modules/desktop-networkmanager.nix

@@ -1,4 +1,4 @@
-{ hostname, ... }:
+{ hostname, site_config, ... }:
 {
   # speed up boot times (by about three seconds)
   systemd.services.NetworkManager-wait-online.enable = false;
@@ -9,10 +9,7 @@
     networkmanager = {
       enable = true;
 
-      appendNameservers = [
+      appendNameservers = site_config.dns_servers;
-        "1.1.1.1"
-        "9.9.9.9"
-      ];
 
       wifi = {
         scanRandMacAddress = true;

services/bitwarden.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  site_config,
   service_configs,
   ...
 }:
@@ -25,7 +26,7 @@
     configurePostgres = true;
     config = {
       # Refer to https://github.com/dani-garcia/vaultwarden/blob/main/.env.template
-      DOMAIN = "https://bitwarden.${service_configs.https.domain}";
+      DOMAIN = "https://bitwarden.${site_config.domain}";
       SIGNUPS_ALLOWED = false;
 
       ROCKET_ADDRESS = "127.0.0.1";
@@ -34,7 +35,7 @@
     };
   };
 
-  services.caddy.virtualHosts."bitwarden.${service_configs.https.domain}".extraConfig = ''
+  services.caddy.virtualHosts."bitwarden.${site_config.domain}".extraConfig = ''
     encode zstd gzip
 
     reverse_proxy :${toString config.services.vaultwarden.config.ROCKET_PORT} {

services/caddy/caddy.nix

@@ -1,5 +1,6 @@
 {
   config,
+  site_config,
   service_configs,
   pkgs,
   lib,
@@ -42,8 +43,8 @@ let
     '';
   };
 
-  newDomain = service_configs.https.domain;
+  newDomain = site_config.domain;
-  oldDomain = service_configs.https.old_domain;
+  oldDomain = site_config.old_domain;
 in
 {
   imports = [
@@ -54,7 +55,7 @@ in
 
   services.caddy = {
     enable = true;
-    email = "titaniumtown@proton.me";
+    email = site_config.contact_email;
 
     # Build with Njalla DNS provider for DNS-01 ACME challenges (wildcard certs)
     package = pkgs.caddy.withPlugins {
@@ -146,8 +147,9 @@ in
       # defaults: maxretry=5, findtime=10m, bantime=10m
 
       # Ignore local network IPs - NAT hairpinning causes all LAN traffic to
-      # appear from the router IP (192.168.1.1). Banning it blocks all internal access.
+      # appear from the router IP (site_config.lan.gateway). Banning it
-      ignoreip = "127.0.0.1/8 ::1 192.168.1.0/24";
+      # blocks all internal access.
+      ignoreip = "127.0.0.1/8 ::1 ${site_config.lan.cidr}";
     };
     filter.Definition = {
       # Only match 401s where an Authorization header was actually sent.

services/caddy/caddy_senior_project.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  site_config,
   service_configs,
   inputs,
   ...
@@ -32,7 +33,7 @@ let
   };
 in
 {
-  services.caddy.virtualHosts."senior-project.${service_configs.https.domain}".extraConfig = ''
+  services.caddy.virtualHosts."senior-project.${site_config.domain}".extraConfig = ''
     root * ${hugoWebsite}
     file_server browse
   '';

services/gitea/gitea.nix

@@ -49,6 +49,32 @@
     };
   };
 
+  # Hide repo Actions/workflow details from anonymous visitors. Gitea's own
+  # REQUIRE_SIGNIN_VIEW=expensive mode does not cover /{user}/{repo}/actions,
+  # so we gate the path at Caddy: forward_auth probes Gitea's /api/v1/user
+  # with the incoming request's Cookie/Authorization headers. A logged-in
+  # session answers 200 and the original request falls through to the
+  # reverse_proxy from mkCaddyReverseProxy; a 401 is turned into a redirect
+  # to the login page so the browser shows the login form instead of the
+  # workflow list. Workflow status badges stay public so README links keep
+  # rendering.
+  services.caddy.virtualHosts.${service_configs.gitea.domain}.extraConfig = ''
+    @repoActionsNotBadge {
+      path_regexp ^/[^/]+/[^/]+/actions(/.*)?$
+      not path_regexp ^/[^/]+/[^/]+/actions/workflows/[^/]+/badge\.svg$
+    }
+    handle @repoActionsNotBadge {
+      forward_auth :${toString service_configs.ports.private.gitea.port} {
+        uri /api/v1/user
+
+        @unauthorized status 401
+        handle_response @unauthorized {
+          redir * /user/login?redirect_to={uri} 302
+        }
+      }
+    }
+  '';
+
   services.postgresql = {
     ensureDatabases = [ config.services.gitea.user ];
     ensureUsers = [

services/graphing-calculator.nix

@@ -1,4 +1,5 @@
 {
+  site_config,
   service_configs,
   inputs,
   pkgs,
@@ -9,7 +10,7 @@ let
     inputs.ytbn-graphing-software.packages.${pkgs.stdenv.targetPlatform.system}.web;
 in
 {
-  services.caddy.virtualHosts."graphing.${service_configs.https.domain}".extraConfig = ''
+  services.caddy.virtualHosts."graphing.${site_config.domain}".extraConfig = ''
     root * ${graphing-calculator}
     file_server browse
   '';

services/harmonia.nix

@@ -1,6 +1,7 @@
 {
   config,
   lib,
+  site_config,
   service_configs,
   ...
 }:
@@ -19,7 +20,7 @@
 
   # serve latest deploy store paths (unauthenticated — just a path string)
   # CI writes to /var/lib/nix-deploy/<hostname> after building
-  services.caddy.virtualHosts."nix-cache.${service_configs.https.domain}".extraConfig = ''
+  services.caddy.virtualHosts."nix-cache.${site_config.domain}".extraConfig = ''
     handle_path /deploy/* {
         root * /var/lib/nix-deploy
         file_server

services/jellyfin/jellyfin.nix

@@ -1,6 +1,7 @@
 {
   pkgs,
   config,
+  site_config,
   service_configs,
   lib,
   ...
@@ -24,7 +25,7 @@
     inherit (service_configs.jellyfin) dataDir cacheDir;
   };
 
-  services.caddy.virtualHosts."jellyfin.${service_configs.https.domain}".extraConfig = ''
+  services.caddy.virtualHosts."jellyfin.${site_config.domain}".extraConfig = ''
     reverse_proxy :${builtins.toString service_configs.ports.private.jellyfin.port} {
       # Disable response buffering for streaming. Caddy's default partial
       # buffering delays fMP4-HLS segments and direct-play responses where

services/llama-cpp.nix

@@ -1,5 +1,6 @@
 {
   pkgs,
+  site_config,
   service_configs,
   config,
   inputs,
@@ -24,7 +25,7 @@ in
   # "Invalid API Key" warning has no client IP, and behind Caddy the
   # llama-server access log only sees 127.0.0.1. Caddy's JSON log has
   # the real client IP via request.remote_ip.
-  services.caddy.virtualHosts."llm.${service_configs.https.domain}".extraConfig = ''
+  services.caddy.virtualHosts."llm.${site_config.domain}".extraConfig = ''
     log {
       output file /var/log/caddy/access-llama-cpp.log
       format json
@@ -52,8 +53,8 @@ in
       # defaults: maxretry=5, findtime=10m, bantime=10m
 
       # NAT hairpinning sends LAN traffic via the router IP. Don't ban
-      # 192.168.1.0/24 or we lock ourselves out.
+      # our LAN or we lock ourselves out.
-      ignoreip = "127.0.0.1/8 ::1 192.168.1.0/24";
+      ignoreip = "127.0.0.1/8 ::1 ${site_config.lan.cidr}";
     };
     filter.Definition = {
       failregex = ''^.*"remote_ip":"<HOST>".*"status":401.*$'';

services/matrix/coturn.nix

@@ -1,13 +1,14 @@
 {
   config,
   lib,
+  site_config,
   service_configs,
   ...
 }:
 {
   services.coturn = {
     enable = true;
-    realm = service_configs.https.domain;
+    realm = site_config.domain;
     use-auth-secret = true;
     static-auth-secret-file = config.age.secrets.coturn-auth-secret.path;
     listening-port = service_configs.ports.public.coturn.port;

services/matrix/matrix.nix

@@ -1,5 +1,6 @@
 {
   config,
+  site_config,
   service_configs,
   lib,
   ...
@@ -23,7 +24,7 @@
 
     settings.global = {
       port = [ service_configs.ports.private.matrix.port ];
-      server_name = service_configs.https.domain;
+      server_name = site_config.domain;
       allow_registration = true;
       registration_token_file = config.age.secrets.matrix-reg-token.path;
 
@@ -43,14 +44,14 @@
       # TURN server config (coturn)
       turn_secret_file = config.age.secrets.matrix-turn-secret.path;
       turn_uris = [
-        "turn:${service_configs.https.domain}?transport=udp"
+        "turn:${site_config.domain}?transport=udp"
-        "turn:${service_configs.https.domain}?transport=tcp"
+        "turn:${site_config.domain}?transport=tcp"
       ];
       turn_ttl = 86400;
     };
   };
 
-  services.caddy.virtualHosts.${service_configs.https.domain}.extraConfig = lib.mkBefore ''
+  services.caddy.virtualHosts.${site_config.domain}.extraConfig = lib.mkBefore ''
     header /.well-known/matrix/* Content-Type application/json
     header /.well-known/matrix/* Access-Control-Allow-Origin *
     respond /.well-known/matrix/server `{"m.server": "${service_configs.matrix.domain}:${builtins.toString service_configs.ports.public.https.port}"}`

services/minecraft.nix

@@ -1,5 +1,6 @@
 {
   pkgs,
+  site_config,
   service_configs,
   lib,
   config,
@@ -177,7 +178,7 @@
   };
 
   services.caddy.virtualHosts = lib.mkIf (config.services.caddy.enable) {
-    "map.${service_configs.https.domain}".extraConfig = ''
+    "map.${site_config.domain}".extraConfig = ''
       root * ${service_configs.minecraft.parent_dir}/${service_configs.minecraft.server_name}/squaremap/web
       file_server browse
     '';

services/ssh.nix

@@ -2,6 +2,7 @@
   config,
   lib,
   pkgs,
+  site_config,
   username,
   ...
 }:
@@ -25,14 +26,14 @@
   ];
 
   users.users.${username}.openssh.authorizedKeys.keys = [
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH" # laptop
+    site_config.ssh_keys.laptop
-    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi" # desktop
+    site_config.ssh_keys.desktop
   ];
 
   # used for deploying configs to server
   users.users.root.openssh.authorizedKeys.keys =
     config.users.users.${username}.openssh.authorizedKeys.keys
     ++ [
-      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5ZYN6idL/w/mUIfPOH1i+Q/SQXuzAMQUEuWpipx1Pc ci-deploy@muffin"
+      site_config.ssh_keys.ci_deploy
     ];
 }

site-config.nix

@@ -0,0 +1,63 @@
+# Site-wide constants shared across all three hosts and home-manager profiles.
+#
+# This file is pure data — no package refs, no module config. Import it from
+# flake.nix and pass it as the `site_config` specialArg (and extraSpecialArg for
+# home-manager). Callers read values; they do not set them.
+#
+# Adding a value: only add if it's used by ≥2 hosts/modules. Host-specific
+# single-use values stay in the host's default.nix. Muffin-only service
+# infrastructure (ports, zpool names, hugepage budgets) stays in
+# hosts/muffin/service-configs.nix.
+rec {
+  # --- Identity ---
+  domain = "sigkill.computer";
+  old_domain = "gardling.com"; # served by muffin via permanent redirect (services/caddy/caddy.nix)
+  contact_email = "titaniumtown@proton.me";
+
+  # All three hosts run on the same timezone. Override per-host via
+  # lib.mkForce when travelling (see hosts/mreow/default.nix for the pattern).
+  timezone = "America/New_York";
+
+  # --- Binary cache (muffin serves via harmonia, desktops consume) ---
+  binary_cache = {
+    url = "https://nix-cache.${domain}";
+    public_key = "nix-cache.${domain}-1:ONtQC9gUjL+2yNgMWB68NudPySXhyzJ7I3ra56/NPgk=";
+  };
+
+  # --- LAN topology ---
+  dns_servers = [
+    "1.1.1.1"
+    "9.9.9.9"
+  ];
+
+  lan = {
+    cidr = "192.168.1.0/24";
+    gateway = "192.168.1.1";
+  };
+
+  # Per-host network info. mreow is laptop-on-DHCP so it has no entry.
+  hosts = {
+    muffin = {
+      ip = "192.168.1.50";
+      # Canonical alias used by deploy.sh, CI workflows, and borg backup target.
+      # Resolves via /etc/hosts on muffin and the desktops' NetworkManager DNS.
+      alias = "server-public";
+      # SSH host key — same key is served for every alias muffin answers to
+      # (server-public, the IP, git.${domain}, git.${old_domain}).
+      ssh_host_key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFMjgaMnE+zS7tL+m5E7gh9Q9U1zurLdmU0qcmEmaucu";
+    };
+    yarn = {
+      ip = "192.168.1.223";
+      alias = "desktop";
+    };
+  };
+
+  # --- SSH pubkeys ---
+  # One line per key, referenced by name from services/ssh.nix (muffin) and
+  # hosts/yarn/default.nix. Rotating a key means changing it here, nowhere else.
+  ssh_keys = {
+    laptop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIO4jL6gYOunUlUtPvGdML0cpbKSsPNqQ1jit4E7U1RyH";
+    desktop = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBJjT5QZ3zRDb+V6Em20EYpSEgPW5e/U+06uQGJdraxi";
+    ci_deploy = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC5ZYN6idL/w/mUIfPOH1i+Q/SQXuzAMQUEuWpipx1Pc ci-deploy@muffin";
+  };
+}

tests/deploy-guard.nix

@@ -12,10 +12,10 @@
   ...
 }:
 let
-  baseServiceConfigs = import ../hosts/muffin/service-configs.nix;
+  baseSiteConfig = import ../site-config.nix;
+  baseServiceConfigs = import ../hosts/muffin/service-configs.nix { site_config = baseSiteConfig; };
   testServiceConfigs = lib.recursiveUpdate baseServiceConfigs {
     zpool_ssds = "";
-    https.domain = "test.local";
   };
 
   alwaysOk = pkgs.writeShellApplication {

tests/fail2ban/gitea.nix

@@ -5,7 +5,10 @@
   ...
 }:
 let
-  baseServiceConfigs = import ../../hosts/muffin/service-configs.nix;
+  baseSiteConfig = import ../../site-config.nix;
+  baseServiceConfigs = import ../../hosts/muffin/service-configs.nix {
+    site_config = baseSiteConfig;
+  };
   testServiceConfigs = lib.recursiveUpdate baseServiceConfigs {
     zpool_ssds = "";
     gitea = {

tests/fail2ban/immich.nix

@@ -5,10 +5,12 @@
   ...
 }:
 let
-  baseServiceConfigs = import ../../hosts/muffin/service-configs.nix;
+  baseSiteConfig = import ../../site-config.nix;
+  baseServiceConfigs = import ../../hosts/muffin/service-configs.nix {
+    site_config = baseSiteConfig;
+  };
   testServiceConfigs = lib.recursiveUpdate baseServiceConfigs {
     zpool_ssds = "";
-    https.domain = "test.local";
     ports.private.immich = {
       port = 2283;
       proto = "tcp";

tests/fail2ban/jellyfin.nix

@@ -5,10 +5,12 @@
   ...
 }:
 let
-  baseServiceConfigs = import ../../hosts/muffin/service-configs.nix;
+  baseSiteConfig = import ../../site-config.nix;
+  baseServiceConfigs = import ../../hosts/muffin/service-configs.nix {
+    site_config = baseSiteConfig;
+  };
   testServiceConfigs = lib.recursiveUpdate baseServiceConfigs {
     zpool_ssds = "";
-    https.domain = "test.local";
     jellyfin = {
       dataDir = "/var/lib/jellyfin";
       cacheDir = "/var/cache/jellyfin";
@@ -33,6 +35,7 @@ let
         (import ../../services/jellyfin/jellyfin.nix {
           inherit config pkgs;
           lib = testLib;
+          site_config = baseSiteConfig;
           service_configs = testServiceConfigs;
         })
       ];

tests/fail2ban/vaultwarden.nix

@@ -5,10 +5,12 @@
   ...
 }:
 let
-  baseServiceConfigs = import ../../hosts/muffin/service-configs.nix;
+  baseSiteConfig = import ../../site-config.nix;
+  baseServiceConfigs = import ../../hosts/muffin/service-configs.nix {
+    site_config = baseSiteConfig;
+  };
   testServiceConfigs = lib.recursiveUpdate baseServiceConfigs {
     zpool_ssds = "";
-    https.domain = "test.local";
   };
 
   testLib = lib.extend (
@@ -28,6 +30,7 @@ let
         (import ../../services/bitwarden.nix {
           inherit config pkgs;
           lib = testLib;
+          site_config = baseSiteConfig;
           service_configs = testServiceConfigs;
         })
       ];

tests/gitea-hide-actions.nix

@@ -0,0 +1,181 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  baseSiteConfig = import ../site-config.nix;
+  baseServiceConfigs = import ../hosts/muffin/service-configs.nix {
+    site_config = baseSiteConfig;
+  };
+  testServiceConfigs = lib.recursiveUpdate baseServiceConfigs {
+    zpool_ssds = "";
+    gitea = {
+      dir = "/var/lib/gitea";
+      # `:80` makes Caddy bind all hosts on HTTP port 80 with no Host-header
+      # matching — simplest path to a reachable vhost inside the test VM
+      # where there is no ACME / DNS and no TLS terminator.
+      domain = ":80";
+    };
+    ports.private.gitea = {
+      port = 3000;
+      proto = "tcp";
+    };
+  };
+
+  testLib = lib.extend (
+    final: prev: {
+      serviceMountWithZpool =
+        serviceName: zpool: dirs:
+        { ... }:
+        { };
+      serviceFilePerms = serviceName: tmpfilesRules: { ... }: { };
+    }
+  );
+
+  giteaModule =
+    { config, pkgs, ... }:
+    {
+      imports = [
+        (import ../services/gitea/gitea.nix {
+          inherit config pkgs;
+          lib = testLib;
+          service_configs = testServiceConfigs;
+        })
+      ];
+    };
+in
+pkgs.testers.runNixOSTest {
+  name = "gitea-hide-actions";
+
+  nodes = {
+    server =
+      {
+        config,
+        lib,
+        pkgs,
+        ...
+      }:
+      {
+        imports = [
+          ../modules/server-security.nix
+          giteaModule
+        ];
+
+        # The shared gitea.nix module derives DOMAIN/ROOT_URL from the
+        # `service_configs.gitea.domain` string, which here is the full URL
+        # `http://server`. Override to valid bare values so Gitea doesn't
+        # get a malformed ROOT_URL like `https://http://server`.
+        services.gitea.settings.server = {
+          DOMAIN = lib.mkForce "server";
+          ROOT_URL = lib.mkForce "http://server/";
+        };
+        services.caddy = {
+          enable = true;
+          # No DNS / ACME in the VM test network — serve plain HTTP.
+          globalConfig = ''
+            auto_https off
+          '';
+        };
+
+        services.postgresql.enable = true;
+
+        # Stub out zfs/mount ordering added by the real serviceMountWithZpool.
+        systemd.services."gitea-mounts".enable = lib.mkForce false;
+        systemd.services.gitea = {
+          wants = lib.mkForce [ ];
+          after = lib.mkForce [ "postgresql.service" ];
+          requires = lib.mkForce [ ];
+        };
+
+        networking.firewall.allowedTCPPorts = [
+          80
+          3000
+        ];
+      };
+
+    client =
+      { pkgs, ... }:
+      {
+        environment.systemPackages = [ pkgs.curl ];
+      };
+  };
+
+  testScript = ''
+    start_all()
+    server.wait_for_unit("postgresql.service")
+    server.wait_for_unit("gitea.service")
+    server.wait_for_unit("caddy.service")
+    server.wait_for_open_port(3000)
+    server.wait_for_open_port(80)
+
+    # Admin user — used to exercise the authenticated path via Basic Auth.
+    server.succeed(
+        "su -l gitea -s /bin/sh -c '${pkgs.gitea}/bin/gitea admin user create "
+        "--username testuser --password testpassword "
+        "--email test@test.local --must-change-password=false "
+        "--work-path /var/lib/gitea'"
+    )
+
+    def curl(args):
+        cmd = (
+            "curl -4 -s -o /dev/null "
+            "-w '%{http_code}|%{redirect_url}' " + args
+        )
+        return client.succeed(cmd).strip()
+
+    with subtest("Anonymous /{user}/{repo}/actions redirects to login"):
+        result = curl("http://server/foo/bar/actions")
+        code, _, redir = result.partition("|")
+        print(f"anon /foo/bar/actions -> {result!r}")
+        assert code == "302", f"expected 302, got {code!r} (full: {result!r})"
+        assert "/user/login" in redir, f"expected login redirect, got {redir!r}"
+        assert "redirect_to=" in redir, f"expected redirect_to param, got {redir!r}"
+
+    with subtest("Anonymous deep /actions paths also redirect"):
+        for path in ["/foo/bar/actions/", "/foo/bar/actions/runs/1", "/foo/bar/actions/workflows/build.yaml"]:
+            result = curl(f"http://server{path}")
+            code, _, redir = result.partition("|")
+            print(f"anon {path} -> {result!r}")
+            assert code == "302", f"{path}: expected 302, got {code!r}"
+            assert "/user/login" in redir, f"{path}: expected login redirect, got {redir!r}"
+
+    with subtest("Anonymous workflow badge stays public"):
+        # Repo doesn't exist → Gitea answers 404, but Caddy does NOT intercept
+        # with a login redirect so README badges keep rendering.
+        result = curl("http://server/foo/bar/actions/workflows/ci.yaml/badge.svg")
+        code, _, redir = result.partition("|")
+        print(f"anon badge -> {result!r}")
+        assert code != "302" or "/user/login" not in redir, (
+            f"badge path should not redirect to login, got {result!r}"
+        )
+
+    with subtest("Authenticated /{user}/{repo}/actions does not redirect to login"):
+        result = curl(
+            "-u testuser:testpassword "
+            "http://server/testuser/nonexistent/actions"
+        )
+        code, _, redir = result.partition("|")
+        print(f"auth /testuser/nonexistent/actions -> {result!r}")
+        # Gitea will 404 the missing repo — the key assertion is that the
+        # Caddy gate let the request through instead of redirecting to login.
+        assert not (code == "302" and "/user/login" in redir), (
+            f"authenticated actions request was intercepted by login gate: {result!r}"
+        )
+
+    with subtest("Anonymous /explore/repos is served without gating"):
+        result = curl("http://server/explore/repos")
+        code, _, _ = result.partition("|")
+        print(f"anon /explore/repos -> {result!r}")
+        assert code == "200", f"expected 200 for public explore page, got {result!r}"
+
+    with subtest("Anonymous /{user}/{repo} (non-actions) is not login-gated"):
+        result = curl("http://server/foo/bar")
+        code, _, redir = result.partition("|")
+        print(f"anon /foo/bar -> {result!r}")
+        assert not (code == "302" and "/user/login" in redir), (
+            f"non-actions repo path should not redirect to login: {result!r}"
+        )
+  '';
+}

tests/minecraft.nix

@@ -6,10 +6,10 @@
   ...
 }:
 let
-  baseServiceConfigs = import ../hosts/muffin/service-configs.nix;
+  baseSiteConfig = import ../site-config.nix;
+  baseServiceConfigs = import ../hosts/muffin/service-configs.nix { site_config = baseSiteConfig; };
   testServiceConfigs = lib.recursiveUpdate baseServiceConfigs {
     zpool_ssds = "";
-    https.domain = "test.local";
     minecraft.parent_dir = "/var/lib/minecraft";
     minecraft.memory = rec {
       heap_size_m = 1000;
@@ -31,6 +31,7 @@ testPkgs.testers.runNixOSTest {
 
   node.specialArgs = {
     inherit inputs lib;
+    site_config = baseSiteConfig;
     service_configs = testServiceConfigs;
     username = "testuser";
   };

tests/tests.nix

@@ -40,4 +40,7 @@ in
 
   # gitea runner test
   giteaRunnerTest = handleTest ./gitea-runner.nix;
+
+  # gitea actions visibility gate test
+  giteaHideActionsTest = handleTest ./gitea-hide-actions.nix;
 }