freun.dev add snips

hosts/freun.dev/services.nix

@@ -41,5 +41,6 @@
     ./tailscale.nix
     ./workout-tracker.nix
     ./gotosocial.nix
+    ./snips.nix
   ];
 }

hosts/freun.dev/snips.nix

@@ -0,0 +1,50 @@
+{ pkgs, bin, ... }:
+let
+  fqdn = "bin.freun.dev";
+  port = 3600;
+  sshPort = bin.sshPort;
+  authorizedKeys = pkgs.writeTextFile {
+    name = "authorized_keys";
+    text = ''
+      ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLIUkESu5NnBi1M0+ZjYrkp6/rIFuwc3aguspf98jmOydNce6l65cnS3GRzc9oWx4lu11ahi87ZuE+pYV+gaHm4=
+    '';
+  };
+in
+{
+  nixpkgs.config.snips-sh.withTensorflow = true;
+
+  systemd.services.snips = {
+    enable = true;
+    description = "Snips pastebin";
+    environment = {
+      SNIPS_HTTP_INTERNAL = "http://127.0.0.1:${toString port}";
+      SNIPS_HTTP_EXTERNAL = "https://${fqdn}";
+      SNIPS_SSH_INTERNAL = "ssh://0.0.0.0:${toString sshPort}";
+      SNIPS_SSH_EXTERNAL = "ssh://${fqdn}:${toString sshPort}";
+      SNIPS_HOST_KEY_PATH = "/var/lib/snips/keys/snips";
+      SNIPS_DB_FILEPATH = "/var/lib/snips/snips.db";
+      SNIPS_SSH_AUTHORIZEDKEYSPATH = authorizedKeys;
+    };
+    serviceConfig = {
+      EnvironmentFile = "/var/secrets/snips.env";
+      StateDirectory = "snips";
+      ExecStart = "${pkgs.snips-sh}/bin/snips.sh";
+      WorkingDirectory = "/var/lib/snips";
+      ConfigurationDirectory = "snips";
+      DynamicUser = true;
+    };
+    wantedBy = [ "multi-user.target" ];
+    confinement = {
+      enable = true;
+      packages = [ authorizedKeys ];
+    };
+  };
+
+  services.caddy.virtualHosts = {
+    "${fqdn}".extraConfig = ''
+      reverse_proxy localhost:${toString port}
+    '';
+  };
+
+  networking.firewall.allowedTCPPorts = [ sshPort ];
+}