diff --git a/.direnv/flake-profile b/.direnv/flake-profile index 8030af1..b9f8d1a 120000 --- a/.direnv/flake-profile +++ b/.direnv/flake-profile @@ -1 +1 @@ -flake-profile-9-link \ No newline at end of file +flake-profile-10-link \ No newline at end of file diff --git a/.direnv/flake-profile-10-link b/.direnv/flake-profile-10-link new file mode 120000 index 0000000..f4f9a9a --- /dev/null +++ b/.direnv/flake-profile-10-link @@ -0,0 +1 @@ +/nix/store/cmsv2fznjjsyg9cj2yvkaccjj2iv4r9h-nix-shell-env \ No newline at end of file diff --git a/.direnv/flake-profile-9-link b/.direnv/flake-profile-9-link deleted file mode 120000 index 4162ae4..0000000 --- a/.direnv/flake-profile-9-link +++ /dev/null @@ -1 +0,0 @@ -/nix/store/k88yspmzczh2hz8assh7447skldwjdw7-nix-shell-env \ No newline at end of file diff --git a/fili/services/default.nix b/fili/services/default.nix index 88e607e..444d7b2 100644 --- a/fili/services/default.nix +++ b/fili/services/default.nix @@ -4,6 +4,7 @@ _: { ./databases.nix ./matrix-synapse.nix ./forgejo.nix + ./obsidian-sync.nix ./media ./websites diff --git a/fili/services/forgejo.nix b/fili/services/forgejo.nix index 49bca76..01920c8 100644 --- a/fili/services/forgejo.nix +++ b/fili/services/forgejo.nix @@ -1,9 +1,8 @@ -{ - lib, - pkgs, - config, - flakes, - ... +{ lib +, pkgs +, config +, flakes +, ... }: let cfg = config.services.forgejo; 
@@ -15,23 +14,29 @@ in key = "email_password"; format = "yaml"; }; - - users.groups.forgejo = { }; - users.users.forgejo = { - isSystemUser = true; - group = "forgejo"; - extraGroups = [ "storage" ]; + users = { + groups = { + forgejo = { }; + forgejo-runner = { }; + }; + users.forgejo = { + isSystemUser = true; + group = "forgejo"; + extraGroups = [ "storage" ]; + }; + users.forgejo-runner = { + isSystemUser = true; + group = "forgejo-runner"; + }; }; - services.nginx = { - virtualHosts."git.donsz.nl" = { - forceSSL = true; - enableACME = true; - extraConfig = '' - client_max_body_size 512M; - ''; - locations."/".proxyPass = "http://[::1]:13121"; - }; + services.nginx.virtualHosts."git.donsz.nl" = { + forceSSL = true; + enableACME = true; + extraConfig = '' + client_max_body_size 512M; + ''; + locations."/".proxyPass = "http://[::1]:13121"; }; services.forgejo = { @@ -80,12 +85,6 @@ in mailerPasswordFile = config.sops.secrets.forgejo.path; }; - users.groups.forgejo-runner = { }; - users.users.forgejo-runner = { - isSystemUser = true; - group = "forgejo-runner"; - }; - sops.secrets.forgejo-runner = { sopsFile = ../../secrets/forgejo-runner.env; }; diff --git a/fili/services/obsidian-sync.nix b/fili/services/obsidian-sync.nix new file mode 100644 index 0000000..d3f2145 --- /dev/null +++ b/fili/services/obsidian-sync.nix 
@@ -0,0 +1,51 @@ +{ pkgs, config, ... }: +let + port = 5984; +in +{ + sops.secrets.obsidian-sync = { + sopsFile = ../../secrets/obsidian-sync.ini; + format = "ini"; + owner = "couchdb"; + }; + + services.couchdb = { + enable = true; + inherit port; + package = pkgs.couchdb3; + configFile = config.sops.secrets.obsidian-sync.path; + + extraConfig = { + chttpd = { + require_valid_user = true; + enable_cors = true; + max_http_request_size = 4294967296; + }; + + chttpd_auth.require_valid_user = true; + httpd = { + WWW-Authenticate = ''Basic realm="couchdb"''; + enable_cors = true; + }; + + couchdb.max_document_size = 50000000; + + cors = { + credentials = true; + headers = "accept, authorization, content-type, origin, referer"; + methods = "GET,PUT,POST,HEAD,DELETE"; + max_age = 3600; + origins = "app://obsidian.md,capacitor://localhost,http://localhost,https://localhost,capacitor://obsidian.donsz.nl,http://obsidian.donsz.nl,https://obsidian.donsz.nl"; + }; + }; + }; + + services.nginx.virtualHosts."obsidian.donsz.nl" = { + forceSSL = true; + enableACME = true; + extraConfig = '' + client_max_body_size 512M; + ''; + locations."/".proxyPass = "http://localhost:${toString port}"; + }; +} diff --git a/fili/services/websites/reviewqueue.nix b/fili/services/websites/reviewqueue.nix index ff8934e..15d9d60 100644 --- a/fili/services/websites/reviewqueue.nix +++ b/fili/services/websites/reviewqueue.nix @@ -11,7 +11,8 @@ enableACME = true; locations."/" = { - proxyPass = "http://[::1]:3000"; + proxyPass = "http://localhost:3000"; + proxyWebsockets = true; }; }; }; @@ -20,9 +21,9 @@ description = "Review Queue"; wantedBy = [ "multi-user.target" ]; - after = [ "network.target" ]; # if networking is needed + after = [ "network.target" ]; - restartIfChanged = true; # set to false, if restarting is problematic + restartIfChanged = true; serviceConfig = { ExecStart = "${flakes.reviewqueue.packages.${pkgs.system}.default}/bin/reviewqueue"; 
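Review bot: The `cors` block in obsidian-sync.nix sets `credentials = true` while `origins` also lists `http://obsidian.donsz.nl`, `https://localhost` and `capacitor://obsidian.donsz.nl`, so a page loaded from any of those origins may make authenticated requests to CouchDB. The vhost sets `forceSSL`, so nothing legitimate is served from `http://obsidian.donsz.nl`, and content injected over plain HTTP would be treated as a trusted origin. If the Obsidian clients are the only callers, the list can shrink to `origins = "app://obsidian.md,capacitor://localhost,http://localhost";`, keeping only the origins actually observed in use. Separately, `configFile` is documented in the NixOS module as the file CouchDB persists runtime changes to and must be writable by couchdb, whereas a sops secret is read-only by default and recreated on activation. `extraConfigFiles = [ config.sops.secrets.obsidian-sync.path ];` looks like the intended option for the admin credentials, which is worth confirming against the module.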
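Review bot: Changing `proxyPass` to `http://localhost:3000` in reviewqueue.nix makes the upstream depend on how nginx resolves `localhost`. The name is resolved when the configuration loads and can yield both `127.0.0.1` and `::1`, so some requests may go to an address family the service does not listen on and fail with 502. The removed line pinned `[::1]`; if the service now listens on IPv4, `proxyPass = "http://127.0.0.1:3000";` states that explicitly. The same applies to `http://localhost:${toString port}` in obsidian-sync.nix, where the CouchDB bind address is not set in the hunk and presumably stays on the module default.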
diff --git a/flake.lock b/flake.lock index 2c5e0b2..1194130 100644 --- a/flake.lock +++ b/flake.lock @@ -9,11 +9,11 @@ "stable": "stable" }, "locked": { - "lastModified": 1749739748, - "narHash": "sha256-csQQPoCA5iv+Nd9yCOCQNKflP7qUKEe7D27wsz+LPKM=", + "lastModified": 1755272288, + "narHash": "sha256-ypTPb2eKcOBbOoyvPV0j4ZOXs4kayo73/2KI456QnE0=", "owner": "zhaofengli", "repo": "colmena", - "rev": "c61641b156dfa3e82fc0671e77fccf7d7ccfaa3b", + "rev": "5bf4ce6a24adba74a5184f4a9bef01d545a09473", "type": "github" }, "original": { @@ -246,11 +246,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1746461020, - "narHash": "sha256-7+pG1I9jvxNlmln4YgnlW4o+w0TZX24k688mibiFDUE=", + "lastModified": 1750134718, + "narHash": "sha256-v263g4GbxXv87hMXMCpjkIxd/viIF7p3JpJrwgKdNiI=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "3730d8a308f94996a9ba7c7138ede69c1b9ac4ae", + "rev": "9e83b64f727c88a7711a2c463a7b16eedb69a84c", "type": "github" }, "original": { @@ -342,11 +342,11 @@ }, "nixpkgs_5": { "locked": { - "lastModified": 1751104741, - "narHash": "sha256-xPlVbk6WlgTzDvWFRyzvXMdh/ZFLEOTCQik18wg5AFQ=", + "lastModified": 1757345582, + "narHash": "sha256-HnJYHM9zCVV5Avil6/IPw1m1s2vLd+fmFN7VR/UkidA=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "e6117712d8b930e3aa8cf77b4816a3f0a88b3637", + "rev": "49a25608bff9b2add8edcee8ff92dda38909e671", "type": "github" }, "original": { @@ -491,16 +491,16 @@ }, "stable": { "locked": { - "lastModified": 1746557022, - "narHash": "sha256-QkNoyEf6TbaTW5UZYX0OkwIJ/ZMeKSSoOMnSDPQuol0=", + "lastModified": 1750133334, + "narHash": "sha256-urV51uWH7fVnhIvsZIELIYalMYsyr2FCalvlRTzqWRw=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1d3aeb5a193b9ff13f63f4d9cc169fb88129f860", + "rev": "36ab78dab7da2e4e27911007033713bab534187b", "type": "github" }, "original": { "owner": "NixOS", - "ref": "nixos-24.11", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } 
diff --git a/secrets/obsidian-sync.ini b/secrets/obsidian-sync.ini new file mode 100644 index 0000000..84ae687 --- /dev/null +++ b/secrets/obsidian-sync.ini @@ -0,0 +1,10 @@ +[admins] +admin = ENC[AES256_GCM,data:9Wedypebky9mFblWKZZOZpDCBXA=,iv:XHUSlwWzka9I7VaOrbUdCVb975RhKUyT2MuQDZa9QwU=,tag:t9SgAbFywqrcvHPIFfqd5A==,type:str] + +[sops] +age__list_0__map_recipient = age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw +age__list_0__map_enc = -----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SThmQmdObUxLQlN0ZFVk\nTUJZVHdoUTNxbWtrd3ozWXFmV1l1VjJEUUdJCjdGUDZDcmZndHlEb2I4Y25kZ1NY\nSjRYY2k5Vy9vRU5xWlQrR1FYMGY4bGsKLS0tIDY3bVZnYmRiVk5oaE5JS0dveTlP\nM3hLV3R2UktOaXd0U3FUNHJPWUZBdjgKRVDf0DnRLwmHq7ykz4bElUFJQXORA3e2\nkc5y6RU2CF36y1WFk+nMlX/nB/FPSPWD9412Lm136CNrmM354orz6g==\n-----END AGE ENCRYPTED FILE-----\n +lastmodified = 2025-09-08T22:59:22Z +mac = ENC[AES256_GCM,data:X/FNnm3v9CrI1/HW6iNRV8icNXzDGWsLrxQkNvTePGV37nUpY3hzlgMJd21/TeZMCHkRdE/1zRPjyXNUrgSwDdtEZ3CLoq1AXMMHxILWiWGcA/pM1Rn/WVfmGexCwIjw0/0XHvk6jWCPAiUUNCVJALeqlNjPqzeQFqE6VJZyqPg=,iv:7Zd91r2jgi5EEJQeiWcf2vF5AtnxibGNhEqQUzim22g=,tag:REUNXGa77Q2khYWKR7Zasg==,type:str] +unencrypted_suffix = _unencrypted +version = 3.10.2