From 5c7a68e74fa30af62b7115b89bce4e5399dc4693 Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Fri, 18 Apr 2025 02:01:27 +0200
Subject: [PATCH] Add tandoor
---
 hosts/magnesium/persistence.nix | 6 +++++
 hosts/magnesium/ports.nix | 1 +
 hosts/magnesium/secrets.yaml | 6 +++--
 hosts/magnesium/services/default.nix | 1 +
 hosts/magnesium/services/tandoor.nix | 37 ++++++++++++++++++++++++++++
 5 files changed, 49 insertions(+), 2 deletions(-)
 create mode 100644 hosts/magnesium/services/tandoor.nix
diff --git a/hosts/magnesium/persistence.nix b/hosts/magnesium/persistence.nix
index 5dbd5fc..9d8ef4a 100644
--- a/hosts/magnesium/persistence.nix
+++ b/hosts/magnesium/persistence.nix
@@ -34,6 +34,12 @@
 "/var/lib/nixos"
 "/var/lib/private/mealie"
 "/var/lib/private/ntfy-sh"
+ {
+ directory = "/var/lib/private/tandoor-recipes";
+ user = "tandoor_recipes";
+ group = "tandoor_recipes";
+ mode = "u=rwx,g=rx,o=";
+ }
 {
 directory = "/var/lib/trilium";
 user = "trilium";
diff --git a/hosts/magnesium/ports.nix b/hosts/magnesium/ports.nix
index ee689c4..fd74f41 100644
--- a/hosts/magnesium/ports.nix
+++ b/hosts/magnesium/ports.nix
@@ -12,6 +12,7 @@
 nginx-http.tcp = 80;
 nginx-https.tcp = 443;
 ntfy.tcp = 12474;
+ tandoor.tcp = 9001;
 trilium.tcp = 12783;
 wireguard-public-ip-tunnel.udp = 51000;
 };
diff --git a/hosts/magnesium/secrets.yaml b/hosts/magnesium/secrets.yaml
index 1187ccd..92851b1 100644
--- a/hosts/magnesium/secrets.yaml
+++ b/hosts/magnesium/secrets.yaml
@@ -4,6 +4,8 @@ gitlab-runner_fablab-nea-hcloud-labsync: ENC[AES256_GCM,data:+znVO8cQxjDdhch7oUA forgejo-mail: ENC[AES256_GCM,data:eZv9dM0a06wFJaDUZjo=,iv:L32ab5k/AX8HqSACJA5w+WbzLlBijA5++Gcr2SrnYIU=,tag:ddyTXikWTMnxq86IijgyYg==,type:str] hedgedoc-session-secret: ENC[AES256_GCM,data:AYUiUF7R+5C3F5kNRL0R95e1l3Y59tIP388uY0IYCskBhR0H0XMVvyrX/gIM33Twwkc5it+fQtNPNXsbrAnoKQ==,iv:Q6pDEdFplp845/DCHutwni/g7Ch39pTCvfNs4Eh28CQ=,tag:aqVGs3iThmepT7iJusLOMA==,type:str] mealie: ENC[AES256_GCM,data:4LlxJjDstTPZCD7Xyb+0CRkeDafP9a9oMuYDnXznINe+LrfkJGKwQIwP0B3VpeMmZ0Rwe7Tvje0ZWySFGADireb2r7TjDyASAoXJDyNNJ8byRc5Zt77zL2dp/W4xVt8WpQvwsXosjDv3NN6we831wWUrfNtp0g34YLqSU3F/9i7AaU7nVKnQ9QtJRVg5O57nhs/ZXopKOBUdiKAmxcl0hNNdQdaQX6xkDCWrV4432IOckqyqEQyd9KeCURuWeTUgPmTmnt9Cj8KkaQ39fd0LAGRjOBsKo4C4,iv:o5BPW4Wcg4KcFkJHc/mdrO4Rh+1nifxulYkF+iM3LEw=,tag:KXwDr3VHxjeHkyo23SPJgA==,type:str] +tandoor: + secret_key: ENC[AES256_GCM,data:8aVuOBljF+vnEXOzi0r2xUtUGlZM50MuBXK70XW78Q9jNq4ZuRciGabnYwFfknb2/tA=,iv:KN7DwcMH5NN5BgWFgO/V1dfSyiHfAM2wS86atYcBdlQ=,tag:wQA7QL8VqP5d4uBSNQLsnQ==,type:str] sops: kms: [] gcp_kms: [] @@ -19,8 +21,8 @@ sops: elNwdVlJS2NCWUlXcEZvZWsvZ29FRnMK/qa6Qj1yQc91PWk9tMKSyFkMfYcHIKpQ jcPmGWbpi2NPL/F0Xz2X/zQQxWzs9uzlS1VH+y8JRe1EPMYJ78NXZw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-14T23:06:22Z" - mac: ENC[AES256_GCM,data:FSJSzA9xGKH9FBMWHPJwgbltkeRoumgpeFeftsgUWrMcc2O+sldNa/Gl1Pnmz5AwXNT5zRGv/zcnrt3lQMY+1vPrg3+DRrv5fn2OtHIZxN0cz+okqEoE40w7WLUZSyj9IESjlJKOL/nOdXf7EkXL64ZWDAZ6YKYe7JwD5oCGMOM=,iv:xKFdHYTqLCWtJFWIiZjtzJZpG1RZWPdeE1i6PQqYNsk=,tag:DfzN2iDjavGA/uEjLKZotw==,type:str] + lastmodified: "2025-04-17T23:26:44Z" + mac: ENC[AES256_GCM,data:Dl4/6wrIwOsCRK979O9lSKyi4LKAG0CfgTGS3RwNu23MvhhaBNru4P1gPWWu7/YC6ad63Ip/RuVB69A1kUmgrYimZcU6E3iPg7vsqskmTU0caMD54CHemj57EYS7r8tcloBEgkOvM6Vn/Bs1dV1/EKAv9Kr6r4x6xb3UOofDcwM=,iv:pzRSKp3EnUpgMdwLDKrExpEkm+uZbU6/pYkVLbcnjrY=,tag:Z6DIPVcNUa8QihV1lsmUMA==,type:str] pgp: - created_at: "2025-04-08T22:53:53Z" enc: |- 
diff --git a/hosts/magnesium/services/default.nix b/hosts/magnesium/services/default.nix
index 813f30c..9372fbf 100644
--- a/hosts/magnesium/services/default.nix
+++ b/hosts/magnesium/services/default.nix
@@ -7,6 +7,7 @@
 ./mealie.nix
 ./ntfy.nix
 ./public-ip-tunnel.nix
+ ./tandoor.nix
 ./trilium.nix
 ./webserver.nix
 ];
diff --git a/hosts/magnesium/services/tandoor.nix b/hosts/magnesium/services/tandoor.nix
new file mode 100644
index 0000000..6577626
--- /dev/null
+++ b/hosts/magnesium/services/tandoor.nix
@@ -0,0 +1,37 @@
+{ config, ... }:
+
+let
+ domain = "tandoor.jalr.de";
+ cfg = config.services.tandoor-recipes;
+ inherit (config.networking) ports;
+in
+{
+ sops.secrets."tandoor/secret_key" = {
+ sopsFile = ../secrets.yaml;
+ };
+
+ services.tandoor-recipes = {
+ enable = true;
+ port = ports.tandoor.tcp;
+ };
+
+ systemd.services.tandoor-recipes = {
+ serviceConfig = {
+ LoadCredential = [
+ "secret_key:${config.sops.secrets."tandoor/secret_key".path}"
+ ];
+ Environment = [
+ "SECRET_KEY_FILE=%d/secret_key"
+ ];
+ };
+ };
+
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ };
+ };
+}
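Review bot: The nginx location in the new tandoor.nix proxies to `127.0.0.1:${toString cfg.port}`, but the hunk only sets `port` on `services.tandoor-recipes`, so whether the service itself listens on loopback rather than all interfaces depends on the module's default bind address (I believe it defaults to localhost, but that is not visible here). Pinning it explicitly, `address = "127.0.0.1";` next to `port = ports.tandoor.tcp;`, keeps the bind and the proxy target in one place and makes it evident that the raw port is only reached through the TLS vhost. The `"SECRET_KEY_FILE=%d/secret_key"` entry also deserves a short comment, e.g. `# %d is the per-service credentials directory systemd fills from LoadCredential`, since its pairing with the `LoadCredential` entry above it is not obvious to a reader.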