authorm4siri <git@m4siri.com>2025-11-29 10:37:28 +0545
committerm4siri <git@m4siri.com>2025-11-29 10:38:01 +0545
commit9b9edc04c48f4108321f0752abe354ee3c493d69 (patch)
treea7595710cc1023bfcb24928e85302cd6245b5fd4 /hosts/experimental-nixos
parentbc3e939c9362321bdd0a956594b531046b8cbffd (diff)
add: ntfy & mollysocketmain
Diffstat (limited to 'hosts/experimental-nixos')
-rw-r--r--hosts/experimental-nixos/services/acme.nix17
-rw-r--r--hosts/experimental-nixos/services/mollysocket.nix18
-rw-r--r--hosts/experimental-nixos/services/nginx.nix47
-rw-r--r--hosts/experimental-nixos/services/ntfy-sh.nix31
-rw-r--r--hosts/experimental-nixos/services/secrets/ldap-content.agebin3054 -> 3009 bytes
-rw-r--r--hosts/experimental-nixos/services/secrets/molly-env.age7
-rw-r--r--hosts/experimental-nixos/services/stalwart.nix4
7 files changed, 122 insertions, 2 deletions
diff --git a/hosts/experimental-nixos/services/acme.nix b/hosts/experimental-nixos/services/acme.nix
index 1517b19..b6c16ba 100644
--- a/hosts/experimental-nixos/services/acme.nix
+++ b/hosts/experimental-nixos/services/acme.nix
@@ -10,5 +10,22 @@
certs."mail.m4siri.com" = {
webroot = "/var/lib/acme/acme-challenge/";
};
+ certs."shashwothapa.com.np" = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ };
+ certs."mail.shashwothapa.com.np" = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ };
+ certs."mail" = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ domain = "mail.m4siri.com";
+ extraDomainNames = [ "mail.shashwothapa.com.np" ];
+ };
+ certs."ntfy.m4siri.com" = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ };
+ certs."ms.m4siri.com" = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ };
};
}
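Review bot: `mail.m4siri.com` and `mail.shashwothapa.com.np` are now each requested twice, once under their own `certs."…"` entry and again through `domain` / `extraDomainNames` of `certs."mail"`. Every extra certificate is another private key on disk that is valid for the mail hostname, and another renewal that counts against the CA's rate limits. If the per-name entries exist only for the nginx `useACMEHost` references, those vhosts could use `useACMEHost = "mail";` and the duplicates could be dropped. Otherwise add a comment above `certs."mail"` saying which service consumes which certificate. The enclosing attribute set opens above the hunk.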
diff --git a/hosts/experimental-nixos/services/mollysocket.nix b/hosts/experimental-nixos/services/mollysocket.nix
new file mode 100644
index 0000000..435fa24
--- /dev/null
+++ b/hosts/experimental-nixos/services/mollysocket.nix
@@ -0,0 +1,18 @@
+{ config, ...}: {
+
+ secrets.molly = {
+ file = ./secrets/molly-env.age;
+ mode = "444";
+ };
+
+ services.mollysocket.enable = true;
+ services.mollysocket = {
+ settings = {
+ allowed_endpoints = [ "https://ntfy.m4siri.com" ];
+ host = "127.0.0.1";
+ port = 8091;
+ vapid_key_file = config.secrets.molly.path;
+ allowed_uuids = [ "aaf05a34-1da0-4e15-a46d-3f871d6c3ea2" ];
+ };
+ };
+}
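Review bot: `mode = "444"` on `secrets.molly` makes the decrypted file readable by every local account, and `vapid_key_file` points at it, so the VAPID private key is not confined to the mollysocket service. If the 444 is there because the unit runs under a dynamic user, hand the secret to systemd instead, e.g. `services.mollysocket.environmentFile = config.secrets.molly.path;` with `mode = "400";`, since systemd reads that file before dropping privileges. The name `molly-env.age` suggests KEY=value content, which would fit the environment-file route better than `vapid_key_file`; confirm against the file's actual format. The `secrets` option itself is defined outside this diff, so its owner and group attributes need checking there.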
diff --git a/hosts/experimental-nixos/services/nginx.nix b/hosts/experimental-nixos/services/nginx.nix
index 07a1a7c..fa857db 100644
--- a/hosts/experimental-nixos/services/nginx.nix
+++ b/hosts/experimental-nixos/services/nginx.nix
@@ -7,6 +7,15 @@
http2 = true;
addSSL = true;
useACMEHost = "m4siri.com";
+
+ locations."/molly" = {
+ proxyPass = "http://localhost:8091/";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $request_uri;
+ '';
+ };
+
};
services.nginx.virtualHosts."mail.m4siri.com" = {
http2 = true;
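Review bot: `locations."/molly"` is a prefix match without a trailing slash while `proxyPass` ends in `/`, so `/molly/x` reaches the backend as `//x`, and unrelated paths such as `/mollyfoo` are forwarded too. `locations."/molly/"` makes the prefix and the replacement URI line up. `proxyPass = "http://localhost:8091/";` also depends on how `localhost` resolves, whereas mollysocket.nix binds `127.0.0.1`; `http://127.0.0.1:8091/` removes that ambiguity. The virtualHost this location belongs to opens above the hunk.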
@@ -31,4 +40,42 @@
proxyWebsockets = true;
};
};
+
+ services.nginx.virtualHosts."ntfy.m4siri.com" = {
+ http2 = true;
+ addSSL = true;
+ useACMEHost = "ntfy.m4siri.com";
+
+ locations."/" = {
+ proxyPass = "http://localhost:8090";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+ };
+
+ services.nginx.virtualHosts."shashwothapa.com.np" = {
+ http2 = true;
+ addSSL = true;
+ useACMEHost = "shashwothapa.com.np";
+
+ locations."/" = {
+ return = "418";
+ };
+ };
+
+ services.nginx.virtualHosts."mail.shashwothapa.com.np" = {
+ http2 = true;
+ addSSL = true;
+ useACMEHost = "mail.shashwothapa.com.np";
+
+ locations."/" = {
+ proxyPass = "http://localhost:8080";
+ proxyWebsockets = true;
+ };
+ };
}
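Review bot: The new `ntfy.m4siri.com` and `mail.shashwothapa.com.np` vhosts use `addSSL = true;`, which keeps a plain-HTTP listener serving the same proxied locations. ntfy-sh.nix sets `require-login = true`, so a client configured with an `http://` URL would send its credentials or access token unencrypted; the same applies to logins on the mail web interface. Replace it with `forceSSL = true;` on both vhosts so port 80 only redirects. The NixOS nginx module should still serve the ACME webroot challenge on the redirecting listener.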
diff --git a/hosts/experimental-nixos/services/ntfy-sh.nix b/hosts/experimental-nixos/services/ntfy-sh.nix
new file mode 100644
index 0000000..a8e1c90
--- /dev/null
+++ b/hosts/experimental-nixos/services/ntfy-sh.nix
@@ -0,0 +1,31 @@
+{
+ pkgs,
+ nixpkgs-unstable,
+ unstable,
+ config,
+ ...
+}: {
+
+ disabledModules = ["services/misc/ntfy-sh.nix"];
+ imports = [
+ "${nixpkgs-unstable}/nixos/modules/services/misc/ntfy-sh.nix"
+ ];
+
+ services.ntfy-sh.enable = true;
+ services.ntfy-sh = {
+ package = unstable.ntfy-sh;
+ settings = {
+ base-url = "https://ntfy.m4siri.com";
+ listen-http = ":8090";
+ behind-proxy = true;
+ auth-file = "/var/lib/ntfy-sh/user.db";
+ auth-users = [ "siri:$2a$10$nUCo79YppcG1wtuZCHRDquxfoXu3PIBdB2TzvXZj3EthED5LSKXWa:admin" ];
+ auth-access = ["*:up*:wo" ];
+ auth-default-access = "deny-all";
+ require-login = true;
+ enable-login = true;
+ web-root = "disable";
+ };
+ };
+
+}
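Review bot: The `auth-users` entry commits the admin account's bcrypt hash to the repository and to the world-readable Nix store, where it can be tested offline against password guesses. Provision that user from an encrypted secret instead, for example through ntfy's `NTFY_AUTH_USERS` environment variable loaded from an age-encrypted file, and drop the literal from `settings`. Separately, `listen-http = ":8090";` binds every interface while `behind-proxy = true` makes ntfy trust forwarded client addresses. `listen-http = "127.0.0.1:8090";` keeps the service reachable only through nginx. A one-line comment on `auth-access = ["*:up*:wo" ];` saying that anonymous write-only access to `up*` topics is intentional would help the next reader.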
diff --git a/hosts/experimental-nixos/services/secrets/ldap-content.age b/hosts/experimental-nixos/services/secrets/ldap-content.age
index a0616e2..c14c3a2 100644
--- a/hosts/experimental-nixos/services/secrets/ldap-content.age
+++ b/hosts/experimental-nixos/services/secrets/ldap-content.age
Binary files differ
diff --git a/hosts/experimental-nixos/services/secrets/molly-env.age b/hosts/experimental-nixos/services/secrets/molly-env.age
new file mode 100644
index 0000000..a07e679
--- /dev/null
+++ b/hosts/experimental-nixos/services/secrets/molly-env.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 AylPmg CnwhTmQ058EW35b47hleqZqP5Z5qBHdiN+TzIc76s1E
+2IBALJerRqeGG1mrD8zF1zVrAe1VD2H24Z4IoD6KX0E
+-> HB"kYi-grease VI@47;R 4
+jBenx2W29nzOq628P39QlA
+--- u1Kj1ud20GlNUXX49gWQuzHN/NmzPKZ/czhRwau24+4
+e«öqª6…ϼ`Ð%­±Dü—P!t߃`#žEDãÖ L¥ƒsTþzÑôpg^>¡ªS—c!ŽÁ ;éòÜúÏDn¿oáðëƒ \ No newline at end of file
diff --git a/hosts/experimental-nixos/services/stalwart.nix b/hosts/experimental-nixos/services/stalwart.nix
index 4321234..9cc9c95 100644
--- a/hosts/experimental-nixos/services/stalwart.nix
+++ b/hosts/experimental-nixos/services/stalwart.nix
@@ -27,8 +27,8 @@
openFirewall = true;
settings = {
certificate.default = {
- cert = "%{file:/var/lib/acme/mail.m4siri.com/fullchain.pem}%";
- private-key = "%{file:/var/lib/acme/mail.m4siri.com/key.pem}%";
+ cert = "%{file:/var/lib/acme/mail/cert.pem}%";
+ private-key = "%{file:/var/lib/acme/mail/key.pem}%";
default = true;
};
http.url = "protocol + '://' + config_get('server.hostname')";
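Review bot: The `cert` line switches from `fullchain.pem` to `cert.pem`, a name that conventionally means the leaf certificate alone. In the NixOS ACME module `cert.pem` is, as far as I recall, a link to `fullchain.pem`, but that is worth confirming on the host, because a chain without the intermediate fails validation in strict mail clients. Writing `cert = "%{file:/var/lib/acme/mail/fullchain.pem}%";` keeps the intent explicit. Since `certs."mail"` is a new certificate, also check that the Stalwart account can read `/var/lib/acme/mail/key.pem` and that the service is reloaded on renewal; neither is visible in this hunk, whose `settings` block continues past it.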