diff --git a/hosts/muffin/default.nix b/hosts/muffin/default.nix
index 5401583..c0cd5ae 100644
--- a/hosts/muffin/default.nix
+++ b/hosts/muffin/default.nix
@@ -53,6 +53,7 @@
 # ../../services/llama-cpp.nix
 ../../services/trilium.nix
+ ../../services/firefly-iii.nix
 ../../services/ups.nix
diff --git a/hosts/muffin/service-configs.nix b/hosts/muffin/service-configs.nix
index 037f3d7..2043d85 100644
--- a/hosts/muffin/service-configs.nix
+++ b/hosts/muffin/service-configs.nix
@@ -335,6 +335,11 @@ rec {
 dataDir = services_dir + "/trilium";
 };
+ firefly_iii = {
+ dataDir = services_dir + "/firefly-iii";
+ domain = "firefly.${site_config.domain}";
+ };
+
 media = {
 moviesDir = torrents_path + "/media/movies";
 tvDir = torrents_path + "/media/tv";
diff --git a/modules/server-age-secrets.nix b/modules/server-age-secrets.nix
index 116b4b7..9eaec0f 100644
--- a/modules/server-age-secrets.nix
+++ b/modules/server-age-secrets.nix
@@ -191,5 +191,13 @@
 owner = "caddy";
 group = "caddy";
 };
+
+ # Firefly III application encryption key (base64:<32 random bytes>)
+ firefly-iii-app-key = {
+ file = ../secrets/server/firefly-iii-app-key.age;
+ mode = "0400";
+ owner = "firefly-iii";
+ group = "caddy";
+ };
 };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 1f9ede2..afc5dd5 100644
Binary files a/secrets/secrets.nix and b/secrets/secrets.nix differ
diff --git a/secrets/server/firefly-iii-app-key.age b/secrets/server/firefly-iii-app-key.age
new file mode 100644
index 0000000..be36b5c
Binary files /dev/null and b/secrets/server/firefly-iii-app-key.age differ
diff --git a/services/firefly-iii.nix b/services/firefly-iii.nix
new file mode 100644
index 0000000..5c7f0e2
--- /dev/null
+++ b/services/firefly-iii.nix
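Review bot: `group = "caddy"` on the new `firefly-iii-app-key` entry grants nothing, because `mode = "0400"` withholds group read, so either the group is dead configuration or the mode is wrong. The key is the application's encryption key and is referenced only through `APP_KEY_FILE` in services/firefly-iii.nix, so 0400 is the mode to keep; drop the group or document why it is set, e.g. `# 0400: readable by the firefly-iii user only; the group is not consulted.`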
@@ -0,0 +1,59 @@
+{
+ config,
+ lib,
+ service_configs,
+ site_config,
+ ...
+}:
+{
+ imports = [
+ # firefly-iii has no service of its own — phpfpm-firefly-iii.service runs
+ # the app and firefly-iii-setup.service runs migrations/cache rebuild.
+ # Wire the zfs mount into firefly-iii-setup so the upstream `requiredBy`
+ # chain (setup → phpfpm) inherits the dependency.
+ (lib.serviceMountWithZpool "firefly-iii-setup" service_configs.zpool_ssds [
+ service_configs.firefly_iii.dataDir
+ ])
+ ];
+
+ services.firefly-iii = {
+ enable = true;
+ dataDir = service_configs.firefly_iii.dataDir;
+ # Run under the caddy group so caddy can read the php-fpm unix socket
+ # (default mode 0660, owner = user, group = group).
+ group = "caddy";
+ virtualHost = service_configs.firefly_iii.domain;
+ settings = {
+ APP_ENV = "production";
+ APP_KEY_FILE = config.age.secrets.firefly-iii-app-key.path;
+ SITE_OWNER = site_config.contact_email;
+
+ # PostgreSQL via local Unix socket + peer auth (DB_HOST defaults to
+ # /run/postgresql for pgsql, no password needed).
+ DB_CONNECTION = "pgsql";
+ DB_DATABASE = "firefly-iii";
+ DB_USERNAME = "firefly-iii";
+
+ # Trust X-Forwarded-* from caddy on the loopback.
+ TRUSTED_PROXIES = "127.0.0.1,::1";
+ };
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ "firefly-iii" ];
+ ensureUsers = [
+ {
+ name = "firefly-iii";
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ services.caddy.virtualHosts.${service_configs.firefly_iii.domain}.extraConfig = ''
+ encode zstd gzip
+
+ root * ${config.services.firefly-iii.package}/public
+ php_fastcgi unix/${config.services.phpfpm.pools.firefly-iii.socket}
+ file_server
+ '';
+}
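Review bot: `group = "caddy"` on `services.firefly-iii` widens more than the socket access the comment above it asks for: whatever the module creates with the service group (presumably the dataDir tree) becomes group-accessible to caddy, a broader grant than the 0660 socket needs. A narrower option is to leave the app's group unchanged and open only the socket to caddy, e.g. `services.phpfpm.pools.firefly-iii.settings."listen.group" = lib.mkForce "caddy";`, if the module's pool settings allow that override — worth confirming against the firefly-iii module before switching. Separately, the `TRUSTED_PROXIES` comment says caddy is trusted "on the loopback", but with `php_fastcgi` Caddy normally passes the client's own address as REMOTE_ADDR rather than 127.0.0.1, so the loopback entries likely match only local clients; that is the safe direction (remote clients cannot spoof X-Forwarded-*), but the comment should say so, e.g. `# Only loopback clients count as proxies; X-Forwarded-* from remote clients is ignored.`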