nixos-config/machines/yuzuru/services/li7y.nix

# SPDX-FileCopyrightText: 2024 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later

{ config, pkgs, ... }:

{
  sops.secrets.li7y-environment = {
    sopsFile = ../secrets.yaml;
    owner = "li7y";
  };

  users.users.li7y = {
    isSystemUser = true;
    home = "/var/lib/li7y";
    createHome = true;
    group = "li7y";
  };
  users.groups.li7y = { };

  virtualisation = {
    podman = {
      enable = true;
      defaultNetwork.settings = {
        ipv6_enabled = true;
      };
    };
  };

  systemd.services.podman-li7y = {
    wantedBy = [ "multi-user.target" ];

    serviceConfig = {
      ExecStartPre = "${pkgs.podman}/bin/podman pull git.sbruder.de/simon/li7y";
      ExecStart = "${pkgs.podman}/bin/podman run --rm --name=li7y --userns=keep-id -v /run/postgresql:/run/postgresql --env-file ${config.sops.secrets.li7y-environment.path} -e 'DATABASE_URL=postgres:///?port=5432&host=/run/postgresql' -e LISTEN_ADDRESS=:: -p 127.0.0.1:8080:8080 git.sbruder.de/simon/li7y";
      User = "li7y";
    };
  };

  services.nginx = {
    enable = true;
    virtualHosts."i7y.eu" = {
      forceSSL = true;
      enableACME = true;

      locations."/".proxyPass = "http://127.0.0.1:8080";
    };
  };

  services.postgresql = {
    enable = true;
    ensureDatabases = [ "li7y" ];
    ensureUsers = [
      {
        name = "li7y";
        ensureDBOwnership = true;
      }
    ];
  };
}