nixlab/config/nix01.nix
2025-06-18 21:41:53 +01:00


{ modulesPath, pkgs, config, lib, ... }:
{
# Modules merged into this host's configuration.
imports = [
# NixOS's Proxmox LXC container profile, resolved from the nixpkgs module tree.
"${modulesPath}/virtualisation/proxmox-lxc.nix"
# Include the container-specific autogenerated configuration.
./lxd.nix
# NOTE(review): presumably declares the services.sharkey options set further
# down in this file; confirm against ./services/sharkey.nix.
./services/sharkey.nix
];
# Static network setup: no DHCP client, and resolvers are listed here rather
# than taken from the container host's resolv.conf.
networking.useDHCP = false;
networking.dhcpcd.enable = false;
networking.useHostResolvConf = false;
# A LAN resolver first, then a public one.
networking.nameservers = [ "192.168.1.155" "1.1.1.1" ];
# NOTE(review): the in-container firewall is off, so every port a service
# binds on a non-loopback address is reachable from whatever network this
# container is attached to. This file also turns on PostgreSQL's TCP listener
# (enableTCPIP). Confirm that something upstream (Proxmox firewall, bridge
# ACLs) does the filtering, or enable the firewall with an explicit
# allowedTCPPorts list.
networking.firewall.enable = false;
# Basic admin tooling available to every user on the host.
environment.systemPackages = [
  pkgs.git
  pkgs.curl
  pkgs.vim
];
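services.postgresql = {
  enable = true;
  # Listen on TCP as well as the Unix socket; the LAN rule in `authentication`
  # below only comes into play because of this.
  enableTCPIP = true;
  # One database per application, each with a same-named role that owns it.
  ensureDatabases = [ "authentik" "blog" "forgejo" "infisical" "sharkey" ];
  ensureUsers = map
    (name: { inherit name; ensureDBOwnership = true; })
    [ "authentik" "blog" "forgejo" "infisical" "sharkey" ];
  # pg_hba.conf. mkOverride 10 makes this definition win over lower-priority
  # ones, so these rules are the whole policy.
  #
  # Remote clients must authenticate with a password (scram-sha-256). `trust`
  # on the LAN rule would let any host in 192.168.0.0/16 log in as any role,
  # the `postgres` superuser included, with no credentials at all, and the
  # in-container firewall is disabled in this file.
  # The ensureUsers entries above set no password, so give each role that
  # connects over the network one (ALTER ROLE ... PASSWORD) before deploying.
  #
  # NOTE(review): the socket and loopback rules are still `trust`, so any
  # local account or local service (pgAdmin, for one) can act as any role.
  # Consider `peer` for the socket and scram-sha-256 for loopback once the
  # local clients are known to authenticate.
  # NOTE(review): a /16 is wide for a home/lab LAN; narrow it to the subnet
  # the client hosts actually live on if that is known.
  authentication = pkgs.lib.mkOverride 10 ''
    # type  database  user  address         auth-method
    local   all       all                   trust
    # ipv4 loopback
    host    all       all   127.0.0.1/32    trust
    # ipv6 loopback
    host    all       all   ::1/128         trust
    # LAN: password required
    host    all       all   192.168.0.0/16  scram-sha-256
  '';
};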
# Calibre content server with login required.
services.calibre-server = {
  enable = true;
  libraries = [ "/var/lib/calibre-server" ];
  # Accounts are kept in a SQLite file under the service's state directory.
  auth.enable = true;
  auth.userDb = "/var/lib/calibre-server/.config/calibre/server-users.sqlite";
};
# pgAdmin web UI. The bootstrap account's password is read from a secret file
# path at runtime instead of being written into this configuration.
# NOTE(review): loopback connections to PostgreSQL are `trust` in this file,
# so the pgAdmin login is the only credential between a web user and any
# database role; confirm that is intended.
services.pgadmin.enable = true;
services.pgadmin.initialEmail = "hello@amyerskine.me";
services.pgadmin.initialPasswordFile = config.age.secrets."pgadmin.password".path;
services.nginx = {
  enable = true;
  # One reverse-proxy vhost per internal service: each name forwards "/"
  # (WebSocket upgrades included) to a port on loopback.
  # NOTE(review): no TLS options are set on these vhosts, so logins to the
  # proxied apps travel in clear text unless TLS terminates further upstream.
  # With the firewall disabled in this file, also confirm the backends bind
  # to 127.0.0.1 only, or they can be reached directly without this proxy.
  virtualHosts = lib.mapAttrs
    (_host: port: {
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString port}";
        proxyWebsockets = true;
      };
    })
    {
      "pg.nix01.cluster" = 5050;
      "sharkey.nix01.cluster" = 3001;
      "calibre.nix01.cluster" = 8080;
    };
};
# Sharkey (fediverse server) built from the package expression kept in this
# repository.
services.sharkey = {
  enable = true;
  domain = "fedi.amy.mov";
  package = pkgs.callPackage ./services/sharkey-pkg.nix { };
  # Database and Redis passwords come from secret file paths, not literals.
  database.passwordFile = config.age.secrets."sharkey.dbpass".path;
  redis.passwordFile = config.age.secrets."sharkey.redispass".path;
  meilisearch.createLocally = false;
  settings = {
    id = "aidx";
    # Same port the sharkey.nix01.cluster nginx vhost proxies to.
    port = 3001;
    # Suggested by the Sharkey maintainers: lets the server run several
    # workers; without it (and PostgreSQL tuning) the instance is slow.
    clusterLimit = 3;
    maxNoteLength = 8192;
    # 1 GiB.
    maxFileSize = 1024 * 1024 * 1024;
    proxyRemoteFiles = true;
    signToActivityPubGet = true;
    # NOTE(review): this key starts with a capital letter, unlike every other
    # setting here, and does not look like the upstream option name
    # (checkActivityPubGetSignature, as far as I recall). Confirm it against
    # Sharkey's example config; an unrecognised key would be ignored silently.
    CheckActivityPubGetSigned = false;
  };
};
# NixOS release this system's stateful defaults are pinned to. The stock
# template warns against changing it after installation; that template comment
# is not reproduced in this file.
system.stateVersion = "24.11"; # Did you read the comment?
}