os/kay/alina: initHEADmaster

4 files changed, 54 insertions, 8 deletions

diff --git a/os/kay/configuration.nix b/os/kay/configuration.nix
index 746676b..5370b45 100644
--- a/os/kay/configuration.nix
+++ b/os/kay/configuration.nix
@@ -19,6 +19,7 @@
     ./modules/nix-cache.nix
     ./modules/immich.nix
     ./modules/observability
+    ./modules/alina.nix
   ];
 
   boot = {
diff --git a/os/kay/modules/alina.nix b/os/kay/modules/alina.nix
new file mode 100644
index 0000000..ef6331b
--- /dev/null
+++ b/os/kay/modules/alina.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }: let
+  domain = "alinafs.com";
+in {
+  sops.secrets."misc/alina" = {};
+
+  services.postgresql = {
+    ensureDatabases = [ "alina" ];
+    ensureUsers = [{
+      name = "alina";
+      ensureDBOwnership = true;
+    }];
+  };
+
+  services.alina = {
+    enable = true;
+    port = 8006;
+    environmentFile = config.sops.secrets."misc/alina".path;
+    settings.server = {
+      data = "/hdd/alina";
+      file_size_limit = 1024 * 1024 * 1024; /* 1GB */
+      public_url = "https://${domain}";
+    };
+  };
+}
diff --git a/os/kay/modules/www.nix b/os/kay/modules/www.nix
index 3903396..39e5b4b 100644
--- a/os/kay/modules/www.nix
+++ b/os/kay/modules/www.nix
@@ -226,6 +226,31 @@ in
           }";
         };
       };
+
+
+      "www.alinafs.com" = defaultOpts // {
+        useACMEHost = null;
+        enableACME = true;
+        globalRedirect = "alinafs.com/home";
+      };
+      "alinafs.com" = defaultOpts // {
+        useACMEHost = null;
+        enableACME = true;
+
+        locations = {
+          "/metrics".return = "307 /home/";
+          "/" = {
+            proxyWebsockets = true;
+            proxyPass = "http://127.0.0.1:${builtins.toString config.services.alina.port}";
+          };
+        };
+
+        extraConfig = ''
+          proxy_buffering off;
+          proxy_request_buffering off;
+          client_max_body_size 0;
+        '';
+      };
     };
   };
 }
diff --git a/os/kay/secrets.yaml b/os/kay/secrets.yaml
index 7713d37..5a98d3f 100644
--- a/os/kay/secrets.yaml
+++ b/os/kay/secrets.yaml
@@ -22,11 +22,8 @@ misc:
     wireguard: ENC[AES256_GCM,data:kbUtxJv3xSmikJWgtu87TSo5N8tUb2BiH3dH3oOV36waYyXI3bp2aBeAl1k=,iv:yB4UIyMDNRS+JmSnt9XuBhNRTLz+k0FqkK4ofjosRto=,tag:BDSD9SfQuQppKT4+6Cu65w==,type:str]
     default_password: ENC[AES256_GCM,data:6I3Z4Y1r8eTVvyc=,iv:0yMAY6JfsHEkKsrVAgPxb+3So4A5xvWV4ME1Oi33TvQ=,tag:/7dUtXPrVMNkERdxlk0FOw==,type:str]
     nixbin.sinanmohd.com: ENC[AES256_GCM,data:WQDzDzOozWa73Bitex6BpE7D7KdVcgIKD1Yx92RbCoNzSa8+b33YtY92Vetu7OlH1Zw4tneKBH/hAjz4ytK1SHoFfKj9wvfdzR5L+8gRKYEwxnvcHyc5gekmAaeQr2bWyUS9PBYRRWTRLiL/5A==,iv:3hlqF2CvpnXS5oDpbW9RIERbDHPLMrgQ+TJ+q9EyrZM=,tag:U4E3b2oBqjMFXEONbz8eKw==,type:str]
+    alina: ENC[AES256_GCM,data:Mr0FK2JLSXVM3nL+HrAQflj7N0r+tEDiYz8PfI9bcKz4hfnnhSndFBPgVtMFTIfqgzX+HF28NBcMmA3qr9eGawJ6tTBy3bMPrFUjCo7oz0gW+4s=,iv:tKK50u4foAp9essD5tl5hnDSgc5ZVVVhraDzUQV/rv4=,tag:xuwA2qBbpSXGm/OFeyEoFw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
     age:
         - recipient: age1q5sfy74d53n6jxlgsc2zrsz4wcl9d830nxuagc3wfmdkrrp55ckq9ev6nv
           enc: |
@@ -46,8 +43,7 @@ sops:
             OXgwSml4bkc1dnloNUFsRGFFcXFHc2cK26l2eiKbZUkogmAXoha6HTUs3YFKixYz
             bTkpKKyOAIIin3YM975wwvkCuWNG4tbnHBHQFh5JGK2OEyLDXuV7Pg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-03-18T07:20:05Z"
-    mac: ENC[AES256_GCM,data:n0/qgqNEZo61lprSqE5u98F1sqWrKCLF8MIA0kBg05MDoySsppowYyClYq8KE8HVwQFmRbdl3ATUJg3DMzwkqXTi3M9ZQvDkf+f01DXMw4D1ruSwBqnUxlxy65xcQB8xAHcbptgy5erNZXRX88MwtqZrgspzZAhpdkE3UTn9kEw=,iv:iybukQKeiPudtY5I79V1J3+ItzzNEkFDRONDh1tVJrk=,tag:l+V4FIlsK/7fg6chbvRuRg==,type:str]
-    pgp: []
+    lastmodified: "2025-05-09T08:03:32Z"
+    mac: ENC[AES256_GCM,data:SJeRVT11Ps1B9ILQdgYwW8YEWPJ9gnxq4t14nTcjh5MTodifipmo6T9j3HWEZPrQjzEv4QtlxlP2HwRw5cHa+/20fA9kiZR68PAj5GTuwFaNsRBPD8qLBpZZNNWT/u+moyKJGM8hXhFc41OOaez6+ZTIpK3DPzsI3aeJdxoIaMY=,iv:NCkEJJgLOATms+iVR+tyLf6MM6SPQvsPx5+9peqdaOQ=,tag:hkTbvp0h4qSEKVjRHmp8gQ==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2