firefly-iii: init

services/firefly-iii.nix

@@ -0,0 +1,59 @@
+{
+  config,
+  lib,
+  service_configs,
+  site_config,
+  ...
+}:
+{
+  imports = [
+    # firefly-iii has no service of its own — phpfpm-firefly-iii.service runs
+    # the app and firefly-iii-setup.service runs migrations/cache rebuild.
+    # Wire the zfs mount into firefly-iii-setup so the upstream `requiredBy`
+    # chain (setup → phpfpm) inherits the dependency.
+    (lib.serviceMountWithZpool "firefly-iii-setup" service_configs.zpool_ssds [
+      service_configs.firefly_iii.dataDir
+    ])
+  ];
+
+  services.firefly-iii = {
+    enable = true;
+    dataDir = service_configs.firefly_iii.dataDir;
+    # Run under the caddy group so caddy can read the php-fpm unix socket
+    # (default mode 0660, owner = user, group = group).
+    group = "caddy";
+    virtualHost = service_configs.firefly_iii.domain;
+    settings = {
+      APP_ENV = "production";
+      APP_KEY_FILE = config.age.secrets.firefly-iii-app-key.path;
+      SITE_OWNER = site_config.contact_email;
+
+      # PostgreSQL via local Unix socket + peer auth (DB_HOST defaults to
+      # /run/postgresql for pgsql, no password needed).
+      DB_CONNECTION = "pgsql";
+      DB_DATABASE = "firefly-iii";
+      DB_USERNAME = "firefly-iii";
+
+      # Trust X-Forwarded-* from caddy on the loopback.
+      TRUSTED_PROXIES = "127.0.0.1,::1";
+    };
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "firefly-iii" ];
+    ensureUsers = [
+      {
+        name = "firefly-iii";
+        ensureDBOwnership = true;
+      }
+    ];
+  };
+
+  services.caddy.virtualHosts.${service_configs.firefly_iii.domain}.extraConfig = ''
+    encode zstd gzip
+
+    root * ${config.services.firefly-iii.package}/public
+    php_fastcgi unix/${config.services.phpfpm.pools.firefly-iii.socket}
+    file_server
+  '';
+}