break out secrets from overseer, setup salt rim

2026-01-11 09:44:08 -05:00 · 2025-01-22 11:06:08 -05:00 · 2025-01-22 11:06:08 -05:00 · f6f50f7a5b
commit f6f50f7a5b
parent edd578a5c5
3 changed files with 96 additions and 19 deletions
--- a/modules/users/overseer/default.nix
+++ b/modules/users/overseer/default.nix
@ -6,5 +6,6 @@
  imports = [
    ./user.nix
    ./services.nix
+    ./secrets.nix
  ];
 }
--- a/modules/users/overseer/secrets.nix
+++ b/modules/users/overseer/secrets.nix
@ -0,0 +1,37 @@
+{
+  lib,
+  inputs,
+  config,
+  pkgs,
+  ...
+}:
+lib.mkIf config.user.overseer.enable {
+  sops = {
+    defaultSopsFile = inputs.nix-secrets.secrets.overseer;
+    age.keyFile = "/var/lib/sops-nix/key.txt";
+    age.generateKey = true;
+  };
+
+  # Restic secrets
+  sops.secrets."restic/url" = {};
+  sops.secrets."restic/key" = {};
+
+  # Homepage.dev secrets
+  sops.secrets."homepage/openmeteo/lat" = {};
+  sops.secrets."homepage/openmeteo/long" = {};
+  sops.templates."homepage-environment".content = ''
+    HOMEPAGE_VAR_LAT = ${config.sops.placeholder."homepage/openmeteo/lat"}
+    HOMEPAGE_VAR_LONG = ${config.sops.placeholder."homepage/openmeteo/long"}
+  '';
+
+  # Meilisearch secrets
+  sops.secrets."meilisearch/masterkey" = {};
+  sops.templates."meilisearch-environment".content = ''
+    MEILI_MASTER_KEY = ${config.sops.placeholder."meilisearch/masterkey"}
+  '';
+
+  # Bar Assistant secrets
+  sops.templates."barassistant-environment".content = ''
+    MEILISEARCH_KEY = ${config.sops.placeholder."meilisearch/masterkey"}
+  '';
+}
--- a/modules/users/overseer/services.nix
+++ b/modules/users/overseer/services.nix
@ -10,20 +10,15 @@ in
  }:
    lib.mkIf config.user.overseer.enable {
      # Some scafolding for secrets
-      sops = {
-        defaultSopsFile = inputs.nix-secrets.secrets.overseer;
-        age.keyFile = "/var/lib/sops-nix/key.txt";
-        age.generateKey = true;
-      };

      # Create the dirs we need
      systemd.tmpfiles.rules = [
        "d ${volumePath}"
+
+        "d ${volumePath}/bar-assistant"
+        "d ${volumePath}/meilisearch"
      ];

-      # Pull in the restic secrets from sops
-      sops.secrets."restic/url" = {};
-      sops.secrets."restic/key" = {};
      # (Arguably) Most Important Service - backups
      services.restic.backups = {
        homebox = {
@ -40,10 +35,6 @@ in
        };
      };

-      # OCI services
-      virtualisation.podman.enable = true;
-      virtualisation.oci-containers.backend = "podman";
-
      # These ports are needed for NGINX Proxy Manager
      networking.firewall.allowedTCPPorts = [
        443
@ -70,16 +61,26 @@ in
              proxyWebsockets = true;
            };
          };
+          "bar.wanderingcrow.net" = {
+            extraConfig = ''
+              allow 192.168.0.0/16;
+              deny all;
+            '';
+            locations = {
+              "/bar/" = {
+                proxyPass = "http://localhost:3000";
+              };
+              "/search/" = {
+                proxyPass = "http://localhost:7700";
+              };
+              "/" = {
+                proxyPass = "http://localhost:3001";
+              };
+            };
+          };
        };
      };

-      sops.secrets."homepage/openmeteo/lat" = {};
-      sops.secrets."homepage/openmeteo/long" = {};
-      sops.templates."homepage-environment".content = ''
-        HOMEPAGE_VAR_LAT = ${config.sops.placeholder."homepage/openmeteo/lat"}
-        HOMEPAGE_VAR_LONG = ${config.sops.placeholder."homepage/openmeteo/long"}
-      '';
-
      services = {
        homebox = {
          enable = true;
@ -178,4 +179,42 @@ in
          ];
        };
      };
+
+      virtualisation.oci-containers = {
+        backend = "podman";
+        containers = {
+          "meilisearch" = {
+            image = "getmeili/meilisearch:v1.8";
+            volumes = ["${volumePath}/meilisearch:/meili_data"];
+            ports = ["7700:7700"];
+            environmentFile = [config.sops.templates."meilisearch-environment".path];
+            environment = {
+              MEILI_ENV = "production";
+            };
+          };
+          "bar-assistant" = {
+            image = "barassistant/server:v4";
+            volumes = ["${volumePath}/bar-assistant:/var/www/cocktails/storage/bar-assistant"];
+            ports = ["3000:3000"];
+            dependsOn = ["meilisearch"];
+            environmentFile = [config.sops.templates."barassistant-environment".path];
+            environment = {
+              APP_URL = "bar.wanderingcrow.net/bar";
+              MEILISEARCH_HOST = "http://localhost:7700";
+              CACHE_DRIVER = "file";
+              SESSION_DRIVER = "file";
+              ALLOW_REGISTRATION = "true";
+            };
+          };
+          "salt-rim" = {
+            image = "barassistant/salt-rim:v3";
+            ports = ["3001:8080"];
+            dependsOn = ["bar-assistant"];
+            environment = {
+              API_URL = "bar.wanderingcrow.net/bar";
+              MEILIESEARCH_URL = "bar.wanderingcrow.net/search";
+            };
+          };
+        };
+      };
    }