From 9590b879ed28c4450d8d432d87cba762ddf736fe Mon Sep 17 00:00:00 2001 From: Andrea Ciceri Date: Wed, 1 Jan 2025 17:02:29 +0100 Subject: [PATCH 1/2] Add `firefly-app-key` agenix secret --- secrets/firefly-app-key.age | 17 +++++++++++++++++ secrets/secrets.nix | 30 ++++-------------------------- 2 files changed, 21 insertions(+), 26 deletions(-) create mode 100644 secrets/firefly-app-key.age diff --git a/secrets/firefly-app-key.age b/secrets/firefly-app-key.age new file mode 100644 index 0000000..0560320 --- /dev/null +++ b/secrets/firefly-app-key.age @@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-rsa /AagBw +MmxPeP4hU2l5lrGOzfZk9opd2NoVG8Y2fdSLCZH7bJwHEWexmsSFJN8n6XrmbMwo +LthbkBhkdANoyeVlCOvz35k5lzTsLcYjizfEYaqliCEIRFvcUxhcyk4HzV1D11jD +mMEzk1WsqGdd9ejLebqskUkCFRKp4d+W0tODeOo+qoXhDJ/rq/zitXqLQbajK2a1 +11S/UhOElizE65Onv2PgLKMiRkpjdVwAzf2CMnGKJ0E9CSwBLgHeqdDHooxzXPMb +OGWdg3xTxLALfbeEBgfxmTGafe44cFjq/T80qte9Q2eWzboO8GqvxTgF/Cx4nVgF +InJhD7cdubO31CfdZGb6pIHgRs2De9MRjQ7oO4F8N1q79Wh/3NSAaeItyHM7AnK6 +Yc0lO2HQF8NhDfeu+dca5G6TF8Zi7ehLe1tv6WNOC3OVo/11X12M3Nqu6oKhRiGz +VXiJ8EHwGm4MHcBP8j8ulBkHJUR9MERZuVengROYl4TkT/bWKYu+4ISjl8sLJorh +jHmfjViGtAD1sqrYpCzylm7ufZeZ4sv38EwEpMneG/1SIpIwP47wkzKUjb8RdXrc +xWqFzLP0Lj4PAwT1lB0awTc2+niko+3P+ABpxnJ3QLNJLOtXJuuVAcsLl5EsEFKc +VDmwA/tzgfXkNI3eGXukrM/GiwpRYMfkWzz6/ijvLug +-> ssh-ed25519 +vdRnA m9PlgKXpW2mKUt+S1mgWrbVvv3LDzVUKg0u22QMmXis +3rdA1dsQ26+vacNk+5j/+uMfG/zE2pE21zMKZy6MxsI +--- CDzukG+NpxaQvo7SFGfBbS8MV5yCl/tmla59lpSaT5s +:}n4q}'6EEc+!i_Ĵ$ |ȏefEՌ!(I/D놢btYS :Tb \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index a322a52..fb4a4c4 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -37,62 +37,52 @@ with keys.users;
 ];
 "autistici-password.age".publicKeys = [
 ccr-ssh
-
 kirk
 picard
 sisko
 ];
 "hercules-ci-join-token.age".publicKeys = [
 ccr-ssh
-
 mothership
 sisko
 picard
 ];
 "hercules-ci-binary-caches.age".publicKeys = [
 ccr-ssh
-
 mothership
 sisko
 picard
 ];
 "hercules-ci-secrets-json.age".publicKeys = [
 ccr-ssh
-
 mothership
 sisko
 picard
 ];
 "minio-credentials.age".publicKeys = [
 ccr-ssh
-
 picard
 sisko
 ];
 "aws-credentials.age".publicKeys = [
 ccr-ssh
-
 picard
 sisko
 ];
 "nextcloud-admin-pass.age".publicKeys = [
 ccr-ssh
-
 sisko
 ];
 "home-planimetry.age".publicKeys = [
 ccr-ssh
-
 sisko
 ];
 "home-assistant-token.age".publicKeys = [
 ccr-ssh
-
 sisko
 ];
 "chatgpt-token.age".publicKeys = [
 ccr-ssh
-
 kirk
 mothership
 picard
@@ -100,86 +90,74 @@ with keys.users;
 ];
 "cloudflare-dyndns-api-token.age".publicKeys = [
 ccr-ssh
-
 sisko
 ];
 "restic-hetzner-password.age".publicKeys = [
 ccr-ssh
-
 picard
 sisko
 kirk
 ];
 "hass-ssh-key.age".publicKeys = [
 ccr-ssh
-
 sisko
 ];
 "grafana-password.age".publicKeys = [
 ccr-ssh
-
 sisko
 ];
 "matrix-registration-shared-secret.age".publicKeys = [
 ccr-ssh
-
 sisko
 ];
 "matrix-sliding-sync-secret.age".publicKeys = [
 ccr-ssh
-
 sisko
 ];
 "forgejo-runners-token.age".publicKeys = [
 ccr-ssh
-
 picard
 ];
 "forgejo-nix-access-tokens.age".publicKeys = [
 ccr-ssh
-
 picard
 ];
 "garmin-collector-environment.age".publicKeys = [
 ccr-ssh
-
 sisko
 ];
 "hetzner-storage-box-sisko-ssh-password.age".publicKeys = [
 ccr-ssh
-
 sisko
 ];
 "sisko-restic-password.age".publicKeys = [
 ccr-ssh
-
 sisko
 ];
 "sisko-attic-environment-file.age".publicKeys = [
 ccr-ssh
-
+ sisko
+ ];
+ "firefly-app-key.age".publicKeys = [
+ ccr-ssh
 sisko
 ];
 # WireGuard
 "picard-wireguard-private-key.age".publicKeys = [
 ccr-ssh
-
 picard
 ];
 "sisko-wireguard-private-key.age".publicKeys = [
 ccr-ssh
-
 sisko
 ];
 "kirk-wireguard-private-key.age".publicKeys = [
 ccr-ssh
-
 kirk
 ];
 "deltaflyer-wireguard-private-key.age".publicKeys = [
 ccr-ssh
-
 deltaflyer
 ];
 "tpol-wireguard-private-key.age".publicKeys = [
From 61fecf3bdb7452c087cb28b8f4dcd1aceb1cb559 Mon Sep 17 00:00:00 2001 From: Andrea Ciceri Date: Wed, 1 Jan 2025 17:03:05 +0100 Subject: [PATCH 2/2] Add `firefly` to `sisko` --- hosts/default.nix | 2 +- hosts/sisko/default.nix | 1 + modules/cloudflare-dyndns/default.nix | 2 + modules/firefly/default.nix | 67 +++++++++++++++++++++++++++ 4 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 modules/firefly/default.nix diff --git a/hosts/default.nix b/hosts/default.nix index aa8d2fb..7488615 100644 --- a/hosts/default.nix +++ b/hosts/default.nix @@ -116,7 +116,7 @@ owner = "grafana"; group = "forgejo"; }; - + "firefly-app-key".owner = "firefly-iii"; }; }; diff --git a/hosts/sisko/default.nix b/hosts/sisko/default.nix index e5d6e87..e69404e 100644 --- a/hosts/sisko/default.nix +++ b/hosts/sisko/default.nix @@ -32,6 +32,7 @@ "syncthing" "atticd" "jellyfin" + "firefly" ] ++ [ ./disko.nix diff --git a/modules/cloudflare-dyndns/default.nix b/modules/cloudflare-dyndns/default.nix index 9aaab39..77f1e46 100644 --- a/modules/cloudflare-dyndns/default.nix +++ b/modules/cloudflare-dyndns/default.nix @@ -15,6 +15,8 @@ "photos.aciceri.dev" "status.aciceri.dev" "jelly.aciceri.dev" + "firefly.aciceri.dev" + "import.firefly.aciceri.dev" ]; apiTokenFile = config.age.secrets.cloudflare-dyndns-api-token.path; }; diff --git a/modules/firefly/default.nix b/modules/firefly/default.nix new file mode 100644 index 0000000..cb4becd --- /dev/null +++ b/modules/firefly/default.nix 
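Review bot: In the hosts/default.nix hunk, `"firefly-app-key".owner = "firefly-iii";` hard-codes the service account name, while the new module in this same series derives `dbUser` from `config.services.firefly-iii.user`; if that option is ever overridden, the decrypted key file would belong to the wrong user and the service could no longer read `APP_KEY_FILE`. Consider `"firefly-app-key".owner = config.services.firefly-iii.user;`, assuming `config` is in scope at that point of the file. The enclosing attribute set starts outside the hunk, so I cannot confirm that from here.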
@@ -0,0 +1,67 @@
+{ pkgs, config, ... }:
+let
+ domain = "firefly.aciceri.dev";
+ domainImporter = "import.firefly.aciceri.dev";
+ dbUser = config.services.firefly-iii.user;
+in
+{
+ services.firefly-iii = {
+ enable = true;
+ package = pkgs.firefly-iii;
+ virtualHost = domain;
+ enableNginx = true;
+ settings = {
+ APP_ENV = "production";
+ APP_KEY_FILE = config.age.secrets.firefly-app-key.path;
+ SITE_OWNER = "andrea.ciceri@autistici.org";
+ DB_CONNECTION = "pgsql";
+ DEFAULT_LANGUAGE = "en_US";
+ TZ = "Europe/Rome";
+ };
+ };
+
+ services.firefly-iii-data-importer = {
+ enable = true;
+ enableNginx = true;
+ virtualHost = domainImporter;
+ settings = {
+ IGNORE_DUPLICATE_ERRORS = "false";
+ APP_ENV = "production";
+ APP_DEBUG = "false";
+ LOG_CHANNEL = "stack";
+ TRUSTED_PROXIES = "**";
+ TZ = "Europe/Rome";
+ FIREFLY_III_URL = "https://${domain}";
+ VANITY_URL = "https://${domain}";
+ };
+ };
+
+ imports = [ ../nginx-base ];
+
+ services.nginx.virtualHosts = {
+ ${domain} = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ ${domainImporter} = {
+ enableACME = true;
+ forceSSL = true;
+ };
+ };
+
+ services.postgresql = {
+ ensureUsers = [
+ {
+ name = dbUser;
+ ensureDBOwnership = true;
+ ensureClauses.login = true;
+ }
+ ];
+ ensureDatabases = [ dbUser ];
+ };
+
+ environment.persistence."/persist".directories = [
+ config.services.firefly-iii.dataDir
+ config.services.firefly-iii-data-importer.dataDir
+ ];
+}
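Review bot: `TRUSTED_PROXIES = "**";` in the data-importer settings makes the application honour `X-Forwarded-For`/`X-Forwarded-Proto` from any peer, so whatever address and scheme a client sends ends up in the importer's logs and generated URLs; the value should name the proxy that actually fronts the importer (the upstream proxy's address ranges), or be left unset if nothing sits in front of the local nginx that `enableNginx = true` configures. Separately, the `${domainImporter}` virtual host only sets `enableACME` and `forceSSL`, and as far as I know the data importer ships no login of its own, so the import UI is reachable by anyone who resolves `import.firefly.aciceri.dev`; an nginx `basicAuthFile` or an allow-list on that vhost would restrict it to the owner. A short comment on the `TRUSTED_PROXIES` line stating which proxy is meant would also stop the wildcard from being copied into the main `services.firefly-iii` settings later.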