From ed2651662530bd1d0e7a6c38945b5db06c6b9872 Mon Sep 17 00:00:00 2001
From: muon
Date: Sat, 17 May 2025 10:54:00 +0000
Subject: [PATCH] Add lemmy
---
 hosts/muho/configuration.nix | 3 +-
 hosts/ports.nix | 42 ++++++++++------
 modules/nixos/server/default.nix | 1 +
 modules/nixos/server/lemmy.nix | 83 ++++++++++++++++++++++++++++++++
 modules/nixos/sops/default.nix | 3 ++
 modules/nixos/sops/secrets.yaml | 12 ++---
 6 files changed, 121 insertions(+), 23 deletions(-)
 create mode 100644 modules/nixos/server/lemmy.nix
diff --git a/hosts/muho/configuration.nix b/hosts/muho/configuration.nix
index 5074d66..b28d2d1 100644
--- a/hosts/muho/configuration.nix
+++ b/hosts/muho/configuration.nix
@@ -42,6 +42,7 @@ in {
 mods.server.cal.enable = true;
 mods.server.chat.enable = true;
 mods.server.ntfy.enable = true;
+ mods.server.lemmy.enable = true;
 mods.server.dash.enable = false;
 mods.server.nginx.ports.dash = 3009;
@@ -138,5 +139,5 @@ in {
 # hardware.nvidia.powerManagement.enable = false;
 # Version of first install
- system.stateVersion = "23.05";
+ system.stateVersion = "23.11";
 }
diff --git a/hosts/ports.nix b/hosts/ports.nix
index c620c36..e3ca744 100644
--- a/hosts/ports.nix
+++ b/hosts/ports.nix
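Review bot: Bumping `system.stateVersion` from "23.05" to "23.11" on an already-installed host contradicts the comment right above it (`# Version of first install`) and changes stateful defaults that NixOS keys on that value — in particular the default `services.postgresql.package`, which this same patch starts to depend on via `services.lemmy.database.createLocally = true`. If muho already carries a PostgreSQL data directory created under the 23.05 default, a newer default major version will refuse to start on it; if a newer postgres is the goal, keep `system.stateVersion = "23.05";` and pin `services.postgresql.package` explicitly instead. The enclosing attrset starts before the hunk.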
@@ -1,18 +1,32 @@
 { pkgs, lib, config, ... }: {
- mods.server.nginx.ports = {
- photos = 3001;
- homebox = 3002;
- # immich-machine-learning = 3003;
- share = 3004;
- vault = 3005;
- git = 3006;
- cal = 3007;
- chat = 3008;
- # dash = 3009;
- ntfy = 3010;
+ options.mods.server = with lib; {
+ local.ports = mkOption {
+ type = types.attrsOf (types.ints.u16);
+ default = { };
+ };
+ };
+ config = {
+ mods.server.nginx.ports = {
+ photos = 3001;
+ homebox = 3002;
+ # immich-machine-learning = 3003;
+ share = 3004;
+ vault = 3005;
+ git = 3006;
+ cal = 3007;
+ chat = 3008;
+ # dash = 3009;
+ ntfy = 3010;
+ lemmy = 3011;
- search = 8081;
- videos = 8082;
- reddit = 8083;
+ search = 8081;
+ videos = 8082;
+ reddit = 8083;
+ };
+ mods.server.local.ports = {
+ # grav = 5001
+ lemmy-api = 5002;
+ pict-rs = 5003;
+ };
 };
 }
diff --git a/modules/nixos/server/default.nix b/modules/nixos/server/default.nix
index 212b477..3d1168e 100644
--- a/modules/nixos/server/default.nix
+++ b/modules/nixos/server/default.nix
@@ -22,5 +22,6 @@
 ./dash.nix
 ./nvr.nix
 ./ntfy.nix
+ ./lemmy.nix
 ];
 }
diff --git a/modules/nixos/server/lemmy.nix b/modules/nixos/server/lemmy.nix
new file mode 100644
index 0000000..2dc56b2
--- /dev/null
+++ b/modules/nixos/server/lemmy.nix
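Review bot: The new `local.ports` option in `hosts/ports.nix` is declared without a `description`, so a reader cannot tell from the option itself how `local.ports` differs from `nginx.ports` (presumably: backend listeners that nginx proxies to and that are never published as a vhost of their own). Add `description = "Ports for backends that are only reached through the nginx proxy and never exposed as their own vhost.";` and prefer the conventional `type = types.attrsOf types.port;` over spelling out `types.ints.u16`, so the intent is visible where the values are read.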
@@ -0,0 +1,83 @@
+{ pkgs, lib, config, ... }:
+let
+ inherit (lib) mkEnableOption;
+ cfg = config.mods.server.lemmy;
+ port = config.mods.server.local.ports.lemmy-api;
+ port-ui = config.mods.server.nginx.ports.lemmy;
+ port-pict = config.mods.server.local.ports.pict-rs;
+ hostname = "lemmy.muon.host";
+ bind = "0.0.0.0";
+in {
+ options.mods.server.lemmy = {
+ enable = mkEnableOption {
+ default = false;
+ description = "enables lemmy engine server";
+ };
+ };
+
+ config = {
+ services.lemmy = lib.mkIf cfg.enable {
+ enable = true;
+
+ ui.port = port-ui;
+
+ settings = { inherit port hostname bind; };
+
+ database.createLocally = true;
+ };
+
+ systemd.services.lemmy-ui = lib.mkIf cfg.enable {
+ environment = lib.mkForce {
+ LEMMY_UI_HOST = "${bind}:${toString port-ui}";
+ LEMMY_UI_LEMMY_INTERNAL_HOST = "${bind}:${toString port}";
+ LEMMY_UI_LEMMY_EXTERNAL_HOST = hostname;
+ LEMMY_UI_HTTPS = "false";
+ NODE_ENV = "production";
+ };
+ };
+
+ services.pict-rs = lib.mkIf cfg.enable {
+ enable = true;
+ port = port-pict;
+ address = "0.0.0.0";
+ };
+
+ services.nginx.virtualHosts."${hostname}".locations = let
+ ui = "http://10.0.0.3:${toString port-ui}";
+ backend = "http://10.0.0.3:${toString port}";
+ in lib.mkIf config.mods.server.nginx.enable {
+ "~ ^/(api|pictrs|feeds|nodeinfo|.well-known)" = {
+ # backend requests
+ proxyPass = backend;
+ proxyWebsockets = true;
+ recommendedProxySettings = true;
+ };
+ "/" = {
+ # mixed frontend and backend requests, based on the request headers
+ extraConfig = ''
+ set $proxpass "${ui}";
+ if ($http_accept = "application/activity+json") {
+ set $proxpass "${backend}";
+ }
+ if ($http_accept = "application/ld+json; profile=\"https://www.w3.org/ns/activitystreams\"") {
+ set $proxpass "${backend}";
+ }
+ if ($request_method = POST) {
+ set $proxpass "${backend}";
+ }
+
+ # Cuts off the trailing slash on URLs to make them valid
+ rewrite ^(.+)/+$ $1 permanent;
+
+ proxy_pass $proxpass;
+ # Proxied `Host` header is required to validate ActivityPub HTTP signatures for incoming events.
+ # The other headers are optional, for the sake of better log data.
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ '';
+ };
+ };
+ };
+}
+
diff --git a/modules/nixos/sops/default.nix b/modules/nixos/sops/default.nix
index 30c4d4d..01891a7 100644
--- a/modules/nixos/sops/default.nix
+++ b/modules/nixos/sops/default.nix
@@ -14,5 +14,8 @@ in with lib; {
 owner = "radicale";
 group = "radicale";
 };
+ secrets.lemmy-password = mkIf cfg.server.lemmy.enable {
+
+ };
 };
 }
diff --git a/modules/nixos/sops/secrets.yaml b/modules/nixos/sops/secrets.yaml
index 631279b..11a90ca 100644
--- a/modules/nixos/sops/secrets.yaml
+++ b/modules/nixos/sops/secrets.yaml
@@ -1,11 +1,8 @@ muon-password: ENC[AES256_GCM,data:K2ifHvs8hQXK4//FXf3vfDliiklx0dTn8gpirTBT07Q1XIMJR1Vgn/f1uo62bu4a/bknAR5gEBfd/cSRUTdBBxd7Lec2k3fxQg==,iv:j1JTzyfjcKEqh+PK5tyCWBMV7MpwvIG9MJ9eiajksxM=,tag:ZcSEVBW1UOCvE40yIsaBFQ==,type:str] zipline-secret: ENC[AES256_GCM,data:cdqPWBUg6FZkBrUYNkm7imntc2hXUAxDjd1Ymr3j9y763cbXDYEu44wJF0W1Ng==,iv:sdjV4SkRCTO04AvXqtoPOPyASlitrS4nS+M0Z2lZURA=,tag:gNcOdJvg9PtrRlm84CdbsQ==,type:str] htpasswd: ENC[AES256_GCM,data:YbDNElLsvRtC1ezgxIYI6U+ZZES1Lr6BXamNdbxQibj0NfC9oobP7ed8MQpFTlhhJZx5I5Xa6XtFrvjdo13NtdU=,iv:P98P1XxtdCp7+TuAwKybzjcWGF1OQtnAuQs4ObZct7o=,tag:gXrQaBxUvuVSB5yYhWcihA==,type:str] +lemmy-password: ENC[AES256_GCM,data:VVPbhW6l+VYSUfmlySPSwITwonKQHaIY,iv:XcwM7Sz2novn3cHt4EK5HAZkYVPfPqwIcGtTWMQPByg=,tag:0b8epk98eTcx7b57yGcjpw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: - recipient: age1m97a3eptxwpdd7h5kkqe9gkmhg6rquc64qjmlsfqfhfqv8q72crqrylhgc enc: |
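Review bot: `bind = "0.0.0.0"` for the lemmy backend, `LEMMY_UI_HOST = "${bind}:…"` for the UI and `address = "0.0.0.0"` for pict-rs in `modules/nixos/server/lemmy.nix` listen on every interface of the host, while nginx — the only TLS- and auth-bearing entry point here — reaches them at `10.0.0.3`; anyone who can route to the box can talk to ports 5002/5003/3011 in plaintext, and for pict-rs that is, as far as I know, unauthenticated image upload, since the login check lives in Lemmy's `/pictrs` proxy rather than in pict-rs itself. Unless a firewall rule elsewhere is known to close those ports, bind them to the address nginx actually uses (`bind = "10.0.0.3";` and `address = bind;` in `services.pict-rs`, or `127.0.0.1` plus matching `ui`/`backend` URLs if nginx runs on the same host). Separately, `mkEnableOption` takes a string, not an attrset: `enable = mkEnableOption "lemmy engine server";` — the current form only evaluates because the generated description is never forced, and it breaks as soon as option docs are rendered. `LEMMY_UI_HTTPS = "false"` behind an HTTPS vhost is also worth confirming, since the UI derives absolute URLs from it.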
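Review bot: `secrets.lemmy-password` in `modules/nixos/sops/default.nix` is declared with an empty attrset, so it is decrypted to `/run/secrets` with the defaults (root-owned, mode 0400) and nothing in this patch reads it — `lemmy.nix` never references the secret and relies on `database.createLocally` with no password at all. Either wire it up (the upstream `services.lemmy` module exposes a `secretFile` option, if I recall correctly, and the lemmy unit runs as its own user, so an `owner` like the `radicale` entry above would be needed) or drop the declaration rather than placing an unused credential on the host. The enclosing `secrets` attrset starts before the hunk.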
@@ -34,8 +31,7 @@ sops: cThxTVpmcEMrcG9Lczd3dkdyQ0paSHMKUfkx9jh7zIqBkUjxaH3dVKvNJG3Mipts OjmJ5aVVIR5U8MhgSgECb22mGlOgW8SU/x4gxcWgafZwbv2vbON6OA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-25T15:55:13Z" - mac: ENC[AES256_GCM,data:M/IPR1hqkiLHqt/fgmZ+HezGrmAKbu0LJJkMMr0895neP6WB571AQ29+VLRm+7jDp9qjKgelwDOU/t/UdUgKP1hSK0cOcHR1B7KecHVCFKHNdfaD70xzA4PUQpTFIc6bHyLSMeQAwoEDKkW3inuKwD6k1RVQmOOUMT9shs6Oe48=,iv:I6XbpfScaJwZPXyVkvreKL2tDwgt7p8Eub/pSD6Bm8g=,tag:6wdBYdoOgf9iX0cGT63v3Q==,type:str] - pgp: [] + lastmodified: "2025-05-17T09:59:07Z" + mac: ENC[AES256_GCM,data:ewURL+W/C0XnEJiXipeSXr5F5hItD3LPMdThjBg1ObY/N7Tb28Tm18vCOpbr37H0gDWnDjNu2rzVN3+XjrbVzXe7n4YUzN2sZa2zZEJhHDTyQWdiPtMpApXeu1Va621EQymDyTm7N2hJz3MvadiWYIv/ft685FPY7qRX7pluUFc=,iv:FIoClE4hX8+PBHY5LOFeSowxSrAHIaDPFblD6Pkakes=,tag:FepKajXRusCbLTlJGPKm6g==,type:str] unencrypted_suffix: _unencrypted - version: 3.9.3 + version: 3.10.2