From 1cf3c7d8dd1d98c12d323d62fb101f4c7b106664 Mon Sep 17 00:00:00 2001
From: Joakim Repomaa
Date: Thu, 13 Feb 2025 16:03:10 +0200
Subject: [PATCH] add dnote
---
 flake.lock | 17 +++++
 flake.nix | 4 ++
 home/common/default.nix | 3 +-
 home/common/dnote.nix | 35 ++++++++++
 hosts/freun.dev/secrets.nix | 1 +
 hosts/freun.dev/services.nix | 12 ++++
 modules/services/default.nix | 1 +
 modules/services/dnote.nix | 129 +++++++++++++++++++++++++++++++++++
 secrets/dnote.age | 9 +++
 secrets/secrets.nix | 1 +
 10 files changed, 211 insertions(+), 1 deletion(-)
 create mode 100644 home/common/dnote.nix
 create mode 100644 modules/services/dnote.nix
 create mode 100644 secrets/dnote.age
diff --git a/flake.lock b/flake.lock
index 12bdf25..b2ff408 100644
--- a/flake.lock
+++ b/flake.lock
@@ -96,6 +96,22 @@
 "type": "github"
 }
 },
+ "dnote": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1719733391,
+ "narHash": "sha256-MRUkFWeL9aOtqWVLLbYvQXANUF/00BXo7H/szvfybdE=",
+ "owner": "dnote",
+ "repo": "dnote",
+ "rev": "895dcaa59f1c649f0a5d5703e08ae6a96304d03d",
+ "type": "github"
+ },
+ "original": {
+ "owner": "dnote",
+ "repo": "dnote",
+ "type": "github"
+ }
+ },
 "flake-compat": {
 "flake": false,
 "locked": {
@@ -714,6 +730,7 @@
 "agenix": "agenix",
 "auto-cpufreq": "auto-cpufreq",
 "commander-nvim": "commander-nvim",
+ "dnote": "dnote",
 "flake-parts": "flake-parts",
 "gen-nvim": "gen-nvim",
 "gtrackmap": "gtrackmap",
diff --git a/flake.nix b/flake.nix
index 0d90054..6c53e75 100644
--- a/flake.nix
+++ b/flake.nix
@@ -56,6 +56,10 @@
 url = "github:ryantm/agenix";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ dnote = {
+ url = "github:dnote/dnote";
+ flake = false;
+ };
 };
 outputs = { flake-parts, agenix, nixpkgs, ... }@inputs:
 flake-parts.lib.mkFlake { inherit inputs; } (
diff --git a/home/common/default.nix b/home/common/default.nix
index cf57a2c..5b334e5 100644
--- a/home/common/default.nix
+++ b/home/common/default.nix
@@ -1,7 +1,7 @@
 { config, lib, pkgs, inputs, ... }:
 {
 nixpkgs.config.allowUnfree = true;
- imports = [ ../gnome ../custom-programs ./neovim ];
+ imports = [ ../gnome ../custom-programs ./neovim ./dnote.nix ];
 # This value determines the Home Manager release that your configuration is
 # compatible with. This helps avoid breakage when a new Home Manager release
@@ -72,6 +72,7 @@
 enable = true;
 flake = "/etc/nixos";
 };
+ dnote.enable = true;
 home-manager.enable = true;
 bat = {
 enable = true;
diff --git a/home/common/dnote.nix b/home/common/dnote.nix
new file mode 100644
index 0000000..f5d5e63
--- /dev/null
+++ b/home/common/dnote.nix
@@ -0,0 +1,35 @@
+{ inputs, lib, pkgs, config, ... }:
+let
+ completion = pkgs.stdenv.mkDerivation {
+ name = "dnote-completion";
+ phases = [ "unpackPhase" "installPhase" ];
+ src = inputs.dnote;
+ installPhase = ''
+ mkdir -p $out/lib/dnote/zsh-completion/completions
+ cp pkg/cli/dnote-completion.zsh $out/lib/dnote/zsh-completion/completions/_dnote
+ '';
+ };
+ client = pkgs.stdenv.mkDerivation {
+ name = "dnote-client";
+ phases = [ "installPhase" ];
+ installPhase = ''
+ mkdir -p $out/bin
+ cp ${unstablePkgs.dnote}/bin/dnote-cli $out/bin/dnote
+ '';
+ };
+ cfg = config.programs.dnote;
+ unstablePkgs = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system};
+in
+{
+ options.programs.dnote = {
+ enable = pkgs.lib.mkEnableOption "Enable dnote";
+ };
+
+ config = lib.mkIf cfg.enable {
+ home.packages = [ client ];
+ home.shellAliases.dn = "dnote";
+ programs.zsh.initExtra = ''
+ fpath=(${completion}/lib/dnote/zsh-completion/completions $fpath)
+ '';
+ };
+}
diff --git a/hosts/freun.dev/secrets.nix b/hosts/freun.dev/secrets.nix
index 0c7f4ab..428b4db 100644
--- a/hosts/freun.dev/secrets.nix
+++ b/hosts/freun.dev/secrets.nix
@@ -10,6 +10,7 @@
 "storage-box-credentials"
 "vaultwarden"
 "donetick"
+ "dnote"
 ]
 ) // {
 smtp-password = {
diff --git a/hosts/freun.dev/services.nix b/hosts/freun.dev/services.nix
index cb58b7e..b2ee18c 100644
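Review bot: The completion script and the binary in `home/common/dnote.nix` come from two unrelated sources — `completion` unpacks `inputs.dnote` (locked in flake.lock to rev 895dcaa, `lastModified` 1719733391, i.e. June 2024) while `client` copies `dnote-cli` out of `nixpkgs-unstable` — so the zsh completions can silently drift from the CLI they describe; consider `src = unstablePkgs.dnote.src;` so both follow the same package, and add a comment on the `src` line explaining where the completion file has to come from. `mkEnableOption` already prefixes its argument with "Whether to enable", so `enable = pkgs.lib.mkEnableOption "Enable dnote";` renders as "Whether to enable Enable dnote."; `enable = lib.mkEnableOption "dnote";` fixes that and uses the `lib` argument the `config` block already relies on. Overriding `phases` in both derivations also skips the fixup phase (no shebang patching or stripping); the conventional `dontUnpack`/`dontConfigure`/`dontBuild` flags express the same intent without that side effect, though for a single copied file this is cosmetic.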
--- a/hosts/freun.dev/services.nix
+++ b/hosts/freun.dev/services.nix
@@ -9,6 +9,7 @@ let
 from = "noreply@${config.networking.domain}";
 heloName = config.networking.domain;
 };
+ secrets = config.age.secrets;
 in
 {
 services.postgresql.package = pkgs.postgresql_16;
@@ -149,5 +150,16 @@ in
 videoConversion.concurrency = 2;
 };
 };
+
+ dnote = {
+ enable = true;
+ subdomain = "note";
+ environment = {
+ SmtpHost = smtp.host;
+ SmtpPort = smtp.port;
+ SmtpUsername = smtp.username;
+ };
+ environmentFile = secrets.dnote.path;
+ };
 };
 }
diff --git a/modules/services/default.nix b/modules/services/default.nix
index 7329b3a..a5d5d3d 100644
--- a/modules/services/default.nix
+++ b/modules/services/default.nix
@@ -16,5 +16,6 @@
 ./workout-sync.nix
 ./readeck.nix
 ./donetick.nix
+ ./dnote.nix
 ];
 }
diff --git a/modules/services/dnote.nix b/modules/services/dnote.nix
new file mode 100644
index 0000000..ea7031b
--- /dev/null
+++ b/modules/services/dnote.nix
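Review bot: Nothing on the new `dnote` block in `hosts/freun.dev/services.nix` says which variables `secrets.dnote` has to define, and the encrypted payload cannot be reviewed here, so a reader cannot tell that the SMTP password is expected to arrive through that file rather than through `environment`; add a comment above `environmentFile = secrets.dnote.path;` along the lines of `# systemd EnvironmentFile (KEY=value lines); presumably must define SmtpPassword, which must not go into environment because that ends up in the Nix store`. The `environment` values set here (`SmtpHost`, `SmtpPort`, `SmtpUsername`) are rendered into the unit file in the world-readable store, which is acceptable for these but worth stating next to them so nobody later adds the password there. Whether `smtp.port` is an integer, as the module's `SmtpPort` option (`nullOr int`) requires, depends on the `smtp` binding, whose definition starts above this hunk.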
@@ -0,0 +1,129 @@
+{ lib, inputs, config, pkgs, ... }:
+let
+ cfg = config.services.dnote;
+ fqdn = "${cfg.subdomain}.${config.networking.domain}";
+ pkgsUnstable = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system};
+
+ types = {
+ environment = lib.types.submodule {
+ options = {
+ DBName = lib.mkOption {
+ type = lib.types.str;
+ default = "dnote";
+ };
+ SmtpHost = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ };
+ SmtpPort = lib.mkOption {
+ type = lib.types.nullOr lib.types.int;
+ default = null;
+ };
+ SmtpUsername = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ };
+ SmtpPassword = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ };
+ };
+ };
+ };
+
+ immutableEnvironment = {
+ GO_ENV = "PRODUCTION";
+ OnPremises = true;
+ DBHost = "/var/run/postgresql";
+ DBPort = config.services.postgresql.settings.port;
+ DBUser = cfg.user;
+ WebURL = "https://${fqdn}";
+ };
+
+ serializeEnvVar = value:
+ if (lib.isBool value)
+ then if value then "true" else "false"
+ else toString value;
+in
+{
+ options.services.dnote = {
+ enable = lib.mkEnableOption "Enable dnote server";
+ subdomain = lib.mkOption {
+ type = lib.types.str;
+ };
+ user = lib.mkOption {
+ type = lib.types.str;
+ default = "dnote";
+ };
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 3040;
+ };
+ environment = lib.mkOption {
+ type = types.environment;
+ default = { };
+ };
+ environmentFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.path;
+ default = null;
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ users = {
+ users.${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.user;
+ };
+ groups.${cfg.user} = { };
+ };
+
+ systemd.services.dnote = {
+ enable = true;
+ description = "Dnote server";
+ environment = lib.mapAttrs (_: value: serializeEnvVar value) (cfg.environment // immutableEnvironment);
+ serviceConfig = {
+ ExecStart = "${pkgsUnstable.dnote}/bin/dnote-server -port ${toString
cfg.port} start";
+ EnvironmentFile = lib.mkIf (cfg.environmentFile != null) cfg.environmentFile;
+ User = cfg.user;
+ BindPaths = [
+ "/var/run/postgresql"
+ ];
+ BindReadOnlyPaths = [
+ /run/systemd/resolve/stub-resolv.conf
+ /etc/ssl
+ /etc/static/ssl
+ /etc/resolv.conf
+ /etc/static/resolv.conf
+ /etc/nsswitch.conf
+ /etc/static/nsswitch.conf
+ /etc/hosts
+ ];
+ };
+ confinement = {
+ enable = true;
+ packages = [ pkgs.cacert ];
+ };
+ wantedBy = [ "multi-user.target" ];
+ };
+
+ services = {
+ postgresql = {
+ enable = lib.mkDefault true;
+ ensureDatabases = [ cfg.environment.DBName ];
+ ensureUsers = [{
+ name = cfg.user;
+ ensureDBOwnership = true;
+ }];
+ };
+
+ webserver = {
+ enable = lib.mkDefault true;
+ vHosts.${fqdn} = {
+ proxyBuffering = false;
+ locations."/".proxyPort = cfg.port;
+ };
+ };
+ };
+ };
+}
diff --git a/secrets/dnote.age b/secrets/dnote.age
new file mode 100644
index 0000000..49dab8b
--- /dev/null
+++ b/secrets/dnote.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 osOCZA UCilO75OGmYABIVNjQ7JKdObSSC882S6blT35S8XXBE
+CEhIzJeE0Xa9jY1uboPVM1uK+U8N77e6pGsK3SCNBqY
+-> ssh-ed25519 DFiohQ aKyq1IPwKvgQniPEDt9tIw6KLeQePctFPY8wnSmcREk
+3OQH5iOGFbnJaUXn8JmMDItPfPjXUmuO1OFYw31ftGA
+-> ssh-ed25519 PT7ffg 1XzR+XsNLJgf0itst++aN4GWpiUjPvlCPR/KcZzLNT4
+Na1BKsjIoFgFbQI4LVppxW53yAQgxQfz5r31HrTNRLI
+--- U8B89Fp3JNPBX18P5p3lVLYIz5CsbxldkvnjZ2Cx4+8
+3z#<K*wMs! 2ʝbqz>&~ui𧾘tYvtv2d)gfԐ
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index bdd1cf0..94ce235 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -18,4 +18,5 @@ in
 "smtp-password.age".publicKeys = users ++ [ freun-dev ];
 "readeck.age".publicKeys = users ++ [ freun-dev ];
 "donetick.age".publicKeys = users ++ [ freun-dev ];
+ "dnote.age".publicKeys = users ++ [ freun-dev ];
 }
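Review bot: `SmtpPassword` in the `environment` submodule of `modules/services/dnote.nix` is a plain `nullOr str` option, and `systemd.services.dnote.environment = lib.mapAttrs (...) (cfg.environment // immutableEnvironment)` renders every option of that submodule into the unit file in the world-readable Nix store, so any password set through it is exposed to every local user; drop `SmtpPassword` from the submodule, since `environmentFile` (passed to systemd as `EnvironmentFile=`) already covers it, or at minimum give it a `description` stating that it lands in the store. The same `mapAttrs` serializes unset `nullOr` options as empty strings because `toString null` is `""`, so the unit carries `SmtpHost=`, `SmtpPort=` and so on; filter them first: `environment = lib.mapAttrs (_: serializeEnvVar) (lib.filterAttrs (_: v: v != null) (cfg.environment // immutableEnvironment));`. `ensureDBOwnership = true` on the `ensureUsers` entry presumably requires a database named after `cfg.user`, while `ensureDatabases` uses `cfg.environment.DBName`, so changing one without the other should trip the postgresql module's assertion — a comment on `DBName` saying it must equal `user`, or deriving its default from `cfg.user`, would make the coupling visible. Minor: `BindReadOnlyPaths` uses bare path literals where `BindPaths` uses a quoted string; quoting them keeps the two consistent and rules out an accidental store copy if one is ever interpolated into a string.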