WIP

2025-10-15 14:26:28 -07:00
9 changed files with 173 additions and 43 deletions
--- a/flake.lock
+++ b/flake.lock
@ -98,6 +98,22 @@
        "type": "github"
      }
    },
    "nixpkgs_2": {
      "locked": {
        "lastModified": 1758690382,
        "narHash": "sha256-NY3kSorgqE5LMm1LqNwGne3ZLMF2/ILgLpFr1fS4X3o=",
        "owner": "NixOS",
        "repo": "nixpkgs",
        "rev": "e643668fd71b949c53f8626614b21ff71a07379d",
        "type": "github"
      },
      "original": {
        "owner": "NixOS",
        "ref": "nixos-unstable",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "phps": {
      "inputs": {
        "flake-compat": "flake-compat",
@ -124,7 +140,8 @@
      "inputs": {
        "agenix": "agenix",
        "nixpkgs": "nixpkgs",
-        "phps": "phps"
+        "phps": "phps",
        "winboat": "winboat"
      }
    },
    "systems": {
@ -174,6 +191,24 @@
        "repo": "flake-utils",
        "type": "github"
      }
    },
    "winboat": {
      "inputs": {
        "nixpkgs": "nixpkgs_2"
      },
      "locked": {
        "lastModified": 1760183562,
        "narHash": "sha256-lauscAI61WXjLTuGiRDMUAEeTqvOTSWhRoHDaor5sfE=",
        "owner": "TibixDev",
        "repo": "winboat",
        "rev": "ae60de6c2cba7a2001fef1027d5c2e06614e6904",
        "type": "github"
      },
      "original": {
        "owner": "TibixDev",
        "repo": "winboat",
        "type": "github"
      }
    }
  },
  "root": "root",
--- a/flake.nix
+++ b/flake.nix
@ -11,6 +11,7 @@
      url = "github:ryantm/agenix";
      inputs.nixpkgs.follows = "nixpkgs";
    };
    winboat.url = "github:TibixDev/winboat";
  };
  outputs = inputs: {
--- a/hosts/astral/links.nix
+++ b/hosts/astral/links.nix
@ -1,21 +1,39 @@
-{ pkgs, lib, ... }:
+{ pkgs, ... }:
 let
  domain = "nettika.leaf.ninja";
  root = "/srv/links";
  webhookHandler = pkgs.writeScript "webhook-handler.py" ''
    #!${pkgs.python3}/bin/python3
    import http.server
    import socketserver
    import subprocess
    import os
    class WebhookHandler(http.server.SimpleHTTPRequestHandler):
        def do_POST(self):
            os.chdir('${root}')
            subprocess.run(['${pkgs.git}/bin/git', 'pull'], check=True)
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b'OK')
    with socketserver.TCPServer(("127.0.0.1", 8081), WebhookHandler) as httpd:
        httpd.serve_forever()
  '';
 in {
-  services.caddy.virtualHosts = {
+  # systemd.services.links-webhook = {
-    ${domain}.extraConfig = ''
+  #   wantedBy = [ "multi-user.target" ];
-      root * ${root}
+  #   after = [ "network.target" ];
-      file_server
+  #   serviceConfig = {
-    '';
+  #     Type = "simple";
-    "http://localhost:8081".extraConfig = let git = lib.getExe pkgs.git;
+  #     ExecStart = "${pkgs.python3}/bin/python3 ${webhookHandler}";
-    in ''
+  #     Restart = "always";
-      route {
+  #   };
-        exec {
+  # };
-          command ${git} pull --rebase 
+
-          directory ${root}
+  services.caddy.virtualHosts.${domain}.extraConfig = ''
-        }
+    root * ${root}
-      }
+    file_server
-    '';
+  '';
  };
 }
--- a/hosts/astral/radicale.nix
+++ b/hosts/astral/radicale.nix
@ -1,10 +1,24 @@
-{ config, ... }:
+{ pkgs, config, lib, ... }:
 let domain = "radicale.leaf.ninja";
 in {
-  age.secrets.radicale-htpasswd = {
+  users.users.radicale-sync = {
-    file = ./secrets/radicale-htpasswd;
+    isSystemUser = true;
-    mode = "400";
+    group = "radicale-sync";
-    owner = "radicale";
+  };
  users.groups.radicale-sync = { };
  age.secrets = {
    radicale-htpasswd = {
      file = ./secrets/radicale-htpasswd;
      mode = "400";
      owner = "radicale";
    };
    radicale-sync-secrets = {
      file = ./secrets/radicale-sync-secrets.fish;
      mode = "400";
      owner = "radicale-sync";
    };
  };
  services.radicale = {
@ -17,9 +31,70 @@ in {
        htpasswd_encryption = "plain";
      };
    };
    rights = {
      root = {
        user = ".+";
        collection = "";
        permissions = "R";
      };
      principal = {
        user = ".+";
        collection = "{user}";
        permissions = "RW";
      };
      calendars = {
        user = ".+";
        collection = "{user}/[^/]+";
        permissions = "rw";
      };
      remote = {
        user = ".+";
        collection = "remote/.+";
        permissions = "r";
      };
    };
  };
  services.caddy.virtualHosts.${domain}.extraConfig = ''
    reverse_proxy localhost:5232
  '';
  systemd.timers.radicale-sync = {
    wantedBy = [ "timers.target" ];
    timerConfig = {
      OnBootSec = "5min";
      OnCalendar = "*-*-* *:0/4:00";
    };
  };
  systemd.services.radicale-sync = let
    radicaleUrl = "http://localhost:5232";
    remoteCollections = [{
      collection = "devhack";
      url = "https://devhack.net/calendar.ics";
    }];
    remoteCollectionsFile = pkgs.writers.writeText "remote-collections"
      (lib.concatMapStringsSep "\n"
        ({ collection, url }: "${collection} ${url}") remoteCollections);
    syncScript = pkgs.writers.writeFish "sync.fish" ''
      alias curl ${lib.getExe pkgs.curl}
      source ${config.age.secrets.radicale-sync-secrets.path}
      while read -l name url
        set tempfile (mktemp)
        curl -sf $url -o $tempfile
        curl -sf -u "remote:$password" \
             -X PUT "${radicaleUrl}/remote/$name" \
             -H 'Content-Type: text/calendar; charset=utf-8' \
             --data-binary @$tempfile
        echo "Uploaded $name"
      end < ${remoteCollectionsFile}
    '';
  in {
    serviceConfig = {
      Type = "oneshot";
      User = "radicale-sync";
      Group = "radicale-sync";
      ExecStart = syncScript;
    };
  };
 }
--- a/hosts/astral/secrets/radicale-htpasswd
+++ b/hosts/astral/secrets/radicale-htpasswd
@ -1,9 +1,7 @@
 age-encryption.org/v1
-> ssh-ed25519 f+PJrQ pKqLrqz0R7kAzNQZ3ChRsoWa63JEN2H2KHtGguF5nSc
+-> ssh-ed25519 f+PJrQ iGtaCi4amFijPCydakWm6qo6eYPiRHp5Rrr7TpnRLxo
-6Mk1qDWKx26jPdEzaVMh0vgUeVWjAGcmIPpvSU8BFNE
+MiFAmPkU9gDBYdNqGA9CdYike2n780nQ7o8nAZ0GGtE
-> ssh-ed25519 nz/vnw 0PuVNQ97Qa6iCk4pPf34lgS1aPb4CeDB4Qclk5F24T4
+-> ssh-ed25519 nz/vnw FiTGU3HNakVR1VNVyUPdiu+WhEMf9t/ONBgoQRILExA
-OwJOYMTlTY9+Pj/BwG09z4q2/QViii710Kh3xPU5FRA
+TjDSkxA6z1ovqu2mA0G1UY1k29f35HFHDZQWA90XSzM
--- mSdutlC3gFq8lDjeOGqi361i+DUI1Yg6Bpl7hCfznJA
+--- WK1KjkiLaqH1jN3zIgetSHEe5xEddBYjlt3Qu5Z/Bcg
-“ÜtQÆ/í rNeKeíé¸Ñ¥Äè~ˆý¾×Ÿ{_¡o
+„™æ¤Ï¹%sçlmaæ†á@OÔ§ë>
K<ç(<28>š†©CoÕ6ªhÓ–LÁëÉ (ö_›h”ð¶R2ð²ÈŠ"®znp/M¿W}—æÕLò‘‰‘Nàe»ª˜%²’ÂCÌº•¡7?#jè3—Ò‹G? Ã<>X{V%Ym¯æ 
lf™Õ
 y_Ü}‹¸Ã»P*W5<57>»´õFû.ECø¡‘Z©å#;
 £¢ð§Ûli…Ô§±*´Î]yT
--- a/hosts/astral/secrets/radicale-sync-secrets.fish
+++ b/hosts/astral/secrets/radicale-sync-secrets.fish
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 f+PJrQ f+4sexgdKNmdc7DQe3h6v8CveCiHN+dLFX0vdMzBOBQ
 /nSP3nPNdxKjOUIn0xzH/ht4QC68aMxCLplP8kIeKr4
 -> ssh-ed25519 nz/vnw ejIzeXNfCDxPhho7426oR6WQWlJxDprp1j90lgCGnmM
 yaq9bU726x5xtHhK7ZQc1Onlg681cSQsSxSCRU/GBAU
 --- UT7B9uDmsNJwTLroGj+JQdKbsOHhgSnnlhMru4tY7/M
 uKÒ¿Tiö,®Mß`‚ø“S4<EFBFBD>÷~–š™6Ï’¿jÓÑçÒ«9Õï$H0dô¡?ñ<>ÒpƒXV%ÙIËJØ˜ "Ò¾dËùâÓWO¹ÓÄ
--- a/hosts/default.nix
+++ b/hosts/default.nix
@ -1,4 +1,4 @@
-{ self, nixpkgs, phps, agenix }:
+{ self, nixpkgs, phps, agenix, winboat }:
 let
  baseSpecialArgs = {
    inherit (self) nixosModules;
@ -11,7 +11,7 @@ in {
  marauder = nixosSystem {
    system = "x86_64-linux";
    modules = [ ./marauder ];
-    specialArgs = { inherit phps; };
+    specialArgs = { inherit phps winboat; };
  };
  astral = nixosSystem {
    system = "x86_64-linux";
--- a/hosts/marauder/default.nix
+++ b/hosts/marauder/default.nix
@ -1,4 +1,4 @@
-{ pkgs, nixosModules, phps, agenix, ... }:
+{ pkgs, nixosModules, phps, agenix, winboat, ... }:
 let
  fortune = pkgs.writeShellScript "cgi" ''
    echo "Content-type: text/html"
@ -76,7 +76,6 @@ in {
    };
    kernelModules = [ "kvm-amd" ];
    kernelParams = [ "amd_pstate=active" ];
    binfmt.emulatedSystems = [ "aarch64-linux" ];
  };
  hardware = {
@ -103,7 +102,7 @@ in {
  environment.systemPackages = with pkgs; [
    # Chat clients
    discord
-    cinny-desktop
+    element-desktop
    signal-desktop
    slack
    telegram-desktop
@ -120,7 +119,6 @@ in {
    krita
    openscad-unstable
    orca-slicer
    plasticity
    # Multimedia
    ffcheck
@ -134,8 +132,6 @@ in {
    # Dev Tools
    fossil
    just
    kondo
    nixd
    nixfmt-classic
    nixpkgs-fmt
@ -153,6 +149,7 @@ in {
    dig
    htop
    jq
    just
    unzip
    zip
@ -160,17 +157,14 @@ in {
    mullvad-vpn
    qbittorrent
    # Utility Apps
    baobab
    gparted
    system-config-printer
    # Misc
    gcc
    intiface-central
    openssl
    pkg-config
    prismlauncher
    system-config-printer
    winboat.packages.x86_64-linux.winboat
  ];
  programs.git = {
--- a/secrets.nix
+++ b/secrets.nix
@ -14,4 +14,6 @@ in {
  "hosts/astral/secrets/forgejo-mailer-password.age".publicKeys =
    [ marauder astral ];
  "hosts/astral/secrets/radicale-htpasswd".publicKeys = [ marauder astral ];
  "hosts/astral/secrets/radicale-sync-secrets.fish".publicKeys =
    [ marauder astral ];
 }