2026-01-14 15:29:17 +11:00
5 changed files with 87 additions and 0 deletions
--- a/modules/nixos/bundles/server.nix
+++ b/modules/nixos/bundles/server.nix
@ -8,6 +8,7 @@
    "bazarr"
    "copyparty"
    "couchdb"
    "firefly"
    "homepage-dashboard"
    "immich"
    "jellyfin"
--- a/modules/nixos/features/firefly.nix
+++ b/modules/nixos/features/firefly.nix
@ -0,0 +1,65 @@
 {
  config,
  ...
 }:
 {
  services = {
    firefly-iii = {
      enable = true;
      dataDir = "/srv/firefly";
      group = "nginx";
      settings = {
        # keep-sorted start
        ALLOW_WEBHOOKS = "true";
        APP_KEY_FILE = config.age.secrets.firefly.path;
        APP_URL = "https://firefly.fi33.buzz";
        DEFAULT_LANGUAGE = "en_GB";
        REPORT_ERRORS_ONLINE = "false";
        TRUSTED_PROXIES = "**";
        TZ = "Australia/Melbourne";
        # keep-sorted end
      };
    };
    borgmatic.settings.sqlite_databases = [
      {
        name = "firefly";
        path = "/srv/firefly/storage/database/database.sqlite";
      }
    ];
    nginx.virtualHosts."firefly.fi33.buzz" = {
      forceSSL = true;
      useACMEHost = "fi33.buzz";
      root = "${config.services.firefly-iii.package}/public";
      locations = {
        "/" = {
          tryFiles = "$uri $uri/ /index.php?$query_string";
          index = "index.php";
          extraConfig = ''
            sendfile off;
          '';
        };
        "~ \\.php$" = {
          extraConfig = ''
            include ${config.services.nginx.package}/conf/fastcgi_params ;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
            fastcgi_pass unix:${config.services.phpfpm.pools.firefly-iii.socket};
          '';
        };
      };
    };
  };
  age.secrets = {
    firefly = {
      file = ../../../secrets/firefly.age;
      owner = "firefly-iii";
    };
    firefly-db = {
      file = ../../../secrets/firefly-db.age;
      owner = "firefly-iii";
    };
  };
 }
--- a/secrets/firefly-db.age
+++ b/secrets/firefly-db.age
@ -0,0 +1,9 @@
 age-encryption.org/v1
 -> ssh-ed25519 qLT+DQ zL4NAxPigHwUnYz0KUoDXlzXJ3PtnxIYl81oLP3e40M
 yricJ+r8OTXwGd0Bt4+CsW7/M8lOSha04i0Fb0QCHGo
 -> ssh-ed25519 7+xRyQ 2UhHfwz3DvXT/bEDp8QrluyPa/po5CCB5rUKxBqfn2c
 2pWexi7bU3UlOo9SKfw/9k/DJ535tsgPvZXAbLruL00
 -> ssh-ed25519 LtK9yQ 8XOO4u1di+FedjGcaj/Fhna8Y+LRRPa9L4ShAx5dASA
 F51SLqQEZ1LQAP2SgXphszVBhKaB+/OAVWEHr/thtFo
 --- ovyL3oCODPSbd8Fe7KdS3sKCc+bjcj2y+6aS1qVqQsg
 ﾝ福 %隸>ｷｶIOﾕ､<EFBE95>ﾅ7ﾚ7ZFh､uｻｩ<ｧ4ﾘ)ｼcﾒ啅ｳZｬ*UCk|ｴﾎxC覚噎
P
--- a/secrets/firefly.age
+++ b/secrets/firefly.age
@ -0,0 +1,10 @@
 age-encryption.org/v1
 -> ssh-ed25519 qLT+DQ DhWZZ8fB3bwSaI88j9M5Ix/jCwoJWPUVmR56OwxJFUs
 /pxA0PTShUGloixcyUoAW5cOKWAjD9M0byLAQUgnPvA
 -> ssh-ed25519 7+xRyQ LrUQ5trcyyhcjK8IhGKVOAz6g7HjBI8t0m/snDiVMkE
 hi0My/e0Enno50niPMKcy278Wr5z1sq3X1yJn7H8uBo
 -> ssh-ed25519 LtK9yQ ke0bLtqFny2oUkCvtawPcHzPlyi2Lvi6WpZP2lDyelE
 VFjTwnbTcayuruXVmVnfK97KcwB+luOoLU2x6Ug3HVM
 --- NxMB9mtZ480lLRRmk0ne5BaL/tfF81Yr3wGBUvECGQY
 ááÂH•¬öšH9‡…?†Ü‚ç<E2809A> 
Á|½<>Ø½1þ³5¶Ái/éFl©G$E·à¿w–Gç
 šÍ¾‘;ÒÍß½Ý¤Ã$þÉóÿ}ê/¾[g]
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -19,6 +19,8 @@ in
  "borgmatic-pg.age".publicKeys = users;
  "borgmatic.age".publicKeys = users;
  "copyparty-will.age".publicKeys = users;
  "firefly-db.age".publicKeys = users;
  "firefly.age".publicKeys = users;
  "immich.age".publicKeys = users;
  "jellyfin.age".publicKeys = users;
  "karakeep.age".publicKeys = users;