zaphyra's git: nixfiles

zaphyra and void's nixfiles

commit 4cf4a5b6d1e5b182c3a806994845671f3c77af33
parent eb8c154cc376bd49f0ccb9029217ed155ff49146
Author: Katja (zaphyra) <git@ctu.cx>
Date: Tue, 27 May 2025 15:55:43 +0200

config/nixos/modules/websites: add `things.zaphyra.eu` (and enable on host `morio`)
5 files changed, 94 insertions(+), 3 deletions(-)
A
config/nixos/modules/websites/things.zaphyra.eu.nix
|
63
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
M
flake.lock
|
23
++++++++++++++++++++++-
M
flake.nix
|
5
+++++
M
hosts/morio/default.nix
|
1
+
M
secrets/morio.yaml
|
5
+++--
diff --git a/config/nixos/modules/websites/things.zaphyra.eu.nix b/config/nixos/modules/websites/things.zaphyra.eu.nix
@@ -0,0 +1,63 @@
+{
+  povSelf,
+  hostConfig,
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  inherit (lib) types;
+  cfg = lib.getAttrFromPath povSelf config;
+
+in
+{
+
+  options = {
+    enable = {
+      type = types.bool;
+      default = false;
+    };
+    domain = {
+      type = types.str;
+      default = "zaphyra.eu";
+    };
+    subdomain = {
+      type = types.str;
+      default = "things";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    dns.zones."${cfg.domain}".subdomains."${cfg.subdomain}".CNAME = [ "${config.networking.fqdn}." ];
+
+    sops.secrets."resticPasswords/things" = { };
+
+    modules.services.resticBackup.paths = {
+      things = {
+        enable = true;
+        user = "things";
+        passwordFile = config.sops.secrets."resticPasswords/things".path;
+        paths = [ config.services.things.storagePath ];
+      };
+    };
+
+    services.things = {
+      enable       = true;
+      storagePath  = "/var/lib/things";
+      nginx.enable = true;
+      nginx.domain = "${cfg.subdomain}.${cfg.domain}";
+    };
+
+    services.nginx = {
+      enable = true;
+      virtualHosts."${cfg.subdomain}.${cfg.domain}" = {
+        useACMEHost = "${config.networking.fqdn}";
+        forceSSL = true;
+        kTLS = true;
+      };
+    };
+  };
+
+}
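Review bot: `sops.secrets."resticPasswords/things" = { };` leaves the secret at the sops-nix defaults (owned by root, mode 0400), while the backup entry directly below sets `user = "things"` and passes that same path as `passwordFile`. Unless `modules.services.resticBackup`, which is not visible in this commit, reads the file as root or hands it over through systemd credentials, the job running as `things` cannot open it. If direct access is needed, `sops.secrets."resticPasswords/things".owner = "things";` keeps the file readable by that one account only. Separately, `useACMEHost = "${config.networking.fqdn}"` only reuses the host certificate and does not add names to it, so `${cfg.subdomain}.${cfg.domain}` has to be listed in that certificate's `extraDomainNames` somewhere, which this file does not do. The three options also have no `description`; a one-line description each would document that `domain` and `subdomain` drive both the DNS CNAME and the nginx virtual host name.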
diff --git a/flake.lock b/flake.lock
@@ -901,7 +901,8 @@
         "oeffisearch": "oeffisearch",
         "simpleNixosMailserver": "simpleNixosMailserver",
         "sopsNix": "sopsNix",
-        "stagit": "stagit"
+        "stagit": "stagit",
+        "things": "things"
       }
     },
     "rust-analyzer-src": {

@@ -1026,6 +1027,26 @@
         "repo": "default",
         "type": "github"
       }
+    },
+    "things": {
+      "inputs": {
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1748352824,
+        "narHash": "sha256-7hVboDWOXSD54IWa7xVQB1G8Q8YBqPhBHzondmDzeEQ=",
+        "ref": "refs/heads/main",
+        "rev": "5aa1fd6a6bfa2d86e5a337686a701c6b220fc956",
+        "revCount": 8,
+        "type": "git",
+        "url": "https://git.zaphyra.eu/things"
+      },
+      "original": {
+        "type": "git",
+        "url": "https://git.zaphyra.eu/things"
+      }
     }
   },
   "root": "root",
diff --git a/flake.nix b/flake.nix
@@ -83,6 +83,7 @@
                 inputs.flauschehornSexy.overlays.default
                 inputs.gpxMap.overlays.default
                 inputs.oeffisearch.overlays.default
+                inputs.things.overlays.default
               ];
             }
 

@@ -104,6 +105,7 @@
             inputs.sopsNix.nixosModules.sops
             inputs.simpleNixosMailserver.nixosModules.default
             inputs.grapevine.nixosModules.default
+            inputs.things.nixosModules.default
 
             inputs.self.nixosModules.default
             hostConfig.configuration

@@ -212,6 +214,9 @@
     oeffisearch.url = "git+https://git.zaphyra.eu/oeffisearch";
     oeffisearch.inputs.nixpkgs.follows = "nixpkgs";
 
+    things.url = "git+https://git.zaphyra.eu/things";
+    things.inputs.nixpkgs.follows = "nixpkgs";
+
     firefoxGnomeTheme.flake = false;
     firefoxGnomeTheme.url = "github:rafaelmardojai/firefox-gnome-theme/v137";
   };
diff --git a/hosts/morio/default.nix b/hosts/morio/default.nix
@@ -89,6 +89,7 @@
           "grapevine.zaphyra.eu".enable = true;
           "vault.zaphyra.eu".enable = true;
           "oeffi.zaphyra.eu".enable = true;
+          "things.zaphyra.eu".enable = true;
         };
 
         users.katja.enable = true;
diff --git a/secrets/morio.yaml b/secrets/morio.yaml
@@ -12,6 +12,7 @@ resticPasswords:
     gotosocial: ENC[AES256_GCM,data:8zc4JZVTyPZQADDUrobjAOuRr/3CpfNROO8edY63nk4=,iv:nxfSNSw+aypsTKXJO68B6SkqFfBbfWFARfcNTPODSBA=,tag:ozsw8R6xbpS8E+fNzCosUQ==,type:str]
     grapevine: ENC[AES256_GCM,data:ElNtJC2elPstqJ1vTJRJpNr0OyhTuTxCulh22qq459c=,iv:sgQCekPMcnyFzir/fISJAQZvV91e+43z9D9xShAz4Pg=,tag:LVjr6ZxFO9VmPXZWtz20Uw==,type:str]
     vaultwarden: ENC[AES256_GCM,data:MmXXWit37MC4dpJG1654IpxfRdw0b+2mpfu7K80ZTRQ=,iv:4wRi3ovrLrzCkUjiGpEpWWPSDkHUdpI82joofhoIP8U=,tag:zgTTK+h/vqLmxCNNtfrxwg==,type:str]
+    things: ENC[AES256_GCM,data:9jjtqiUHwtCJKF1Mfg5bNZQhGHDFNZlAm04umn0SqnM=,iv:5sx+9tOTX/GHk7KwEZo1r4vJVX8LTe7clNsjxIhRAYw=,tag:D5b7/H4CWCCnAmTPPyCMyg==,type:str]
 knotKeys: ENC[AES256_GCM,data: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,iv:+5NBUUC1QhPjN+6E8nWhzd2SNuH9mLbhsFwDTm8Hy+U=,tag:RtSO5Rmb0wNR9ovtpwJIIg==,type:str]
 radicaleUsers: ENC[AES256_GCM,data:kH5XW/Gr2xMJWm68unKtZ+L19S74gOf1YXw5QtPcBnp8jJrQsc3mHX5GPOJafuNa23Tnt9BHTFmuO3e5bEzhBcVm8GdoMR/Wz4B0y0W5,iv:Frc4ukXwdWZuWNgauLUyz4ErFKFUvoYoTMN9eZNWAGg=,tag:PLVaetT3syVGR4Ox3AYhUA==,type:str]
 gotosocialEnv: ENC[AES256_GCM,data:5hvURqX+EqN8zpjirBmh5TIWWgaCga9QxnAfyW1rwOXELnM9ZBJAmqwLdxUa2j2DGrXsqw==,iv:nhVyiAoOJY0HtjB13FnmnQyLB+BWSRwDVrwUiFHBrE4=,tag:P207zPou7yXJKJBf+pxlHg==,type:str]

@@ -32,8 +33,8 @@ sops:
             bDRhUEtDdmlZa0ZENFhSVnNqVjFCR1UKEIkSg3tKFkwlnNXFFqCBtdZBGz1bEmWl
             wghkTtqTl++759zZAAmjdnFFQWs/AoCZ5g/GUidz6HHcFdxMpGVmiA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-26T21:10:47Z"
-    mac: ENC[AES256_GCM,data:6GhLwMiR2kSg8VW9S4YXkoH/8zRQjf94U4kxvV9D9s3bLPUX3oSI3nOw8DfDWPKwk7Lt/MblWwfZ8BX00+7Py8JFi2c3S+Zy8QRDUQC9RdI+HNMb28v4YScKj6d8UFl5QXzMIeYnbuXtzCS9Ac2kowTlTGKXTI22veqiA795r48=,iv:yI1rK+kZT5ddp/HrlGUT9R8+uFaNSDmLTB7v3CsBqUQ=,tag:wZHvCDRuz6WWVm06lS06SQ==,type:str]
+    lastmodified: "2025-05-27T13:41:11Z"
+    mac: ENC[AES256_GCM,data:1ixAYQynSIRCfYlnKXmjEvnIUYG+dscSH41xO3WEaKxiZVqguFCWe492IUREkQkr4TXHOresLjoFnq09Pc4T1ns18LT3v14decm14gJoTlXEIteZj2PzCvf95kvxSDksVR68W5IpSBXLHLmI/ptc1S0h9kRRjWeh/Nf6wGksI1A=,iv:MujhHj3ywnac4CIO1N1IH7uGrEiVqXo3g0hAVWsGOKI=,tag:g0y+BaF3S1RCBoR5RRWtMQ==,type:str]
     pgp:
         - created_at: "2025-05-21T08:09:28Z"
           enc: |-