Diffstat (limited to 'chaski')
| -rw-r--r-- | chaski/configuration.nix | 3 | ||||
| -rw-r--r-- | chaski/services/bahnhof-name.nix | 7 | ||||
| -rw-r--r-- | chaski/services/chat.nix | 2 | ||||
| -rw-r--r-- | chaski/services/headscale.nix | 40 | ||||
| -rw-r--r-- | chaski/services/tracktrain.nix | 145 |
5 files changed, 194 insertions, 3 deletions
diff --git a/chaski/configuration.nix b/chaski/configuration.nix
index da8fdaf..94b89df 100644
--- a/chaski/configuration.nix
+++ b/chaski/configuration.nix
@@ -12,13 +12,14 @@
 ./services/chat.nix ./services/bahnhof-name.nix ./services/conduit.nix
+ # ./services/headscale.nix
+ ./services/tracktrain.nix
 ]; sops.defaultSopsFile = ../secrets/chaski.yaml;
 # This will automatically import SSH keys as age keys
 sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
- environment.noXlibs = true;
 services.nginx.enable = true; services.nginx.package = pkgs.nginx.override { gd = null; };
diff --git a/chaski/services/bahnhof-name.nix b/chaski/services/bahnhof-name.nix
index 7360372..69d54cc 100644
--- a/chaski/services/bahnhof-name.nix
+++ b/chaski/services/bahnhof-name.nix
@@ -19,8 +19,13 @@
 enableACME = true; forceSSL = true; locations."/".proxyPass = "http://localhost:8080";
+ extraConfig = ''
+ proxy_set_header X-Forwarded-Host $host;
+ '';
 }; in builtins.listToAttrs (map (name: { inherit name; value = vhost; }) ["bahnhof.name" "ril100.bahnhof.name"
- "ds100.bahnhof.name" "leitpunkt.bahnhof.name"]);
+ "ds100.bahnhof.name" "leitpunkt.bahnhof.name"
+ "rnv.bahnhof.name"
+ ]);
 }
diff --git a/chaski/services/chat.nix b/chaski/services/chat.nix
index 6d26ada..484a3b9 100644
--- a/chaski/services/chat.nix
+++ b/chaski/services/chat.nix
@@ -4,7 +4,7 @@
 # (and not deal with having an irc relay)
 {
- imports = [ inputs.home-manager.nixosModule ];
+ imports = [ inputs.home-manager.nixosModules.default ];
 programs.mosh.enable = true; programs.fish.enable = true;
diff --git a/chaski/services/headscale.nix b/chaski/services/headscale.nix
new file mode 100644
index 0000000..80153e4
--- /dev/null
+++ b/chaski/services/headscale.nix
@@ -0,0 +1,40 @@
+{ config, lib, pkgs, ... }:
+
+{
+ # services.headscale = {
+ # enable = true;
+ # settings = {
+ # server_url = "https://headscale.noms.ing";
+ # listen_addr = "127.0.0.1:8323";
+
+ # # oidc = {
+ # # only_start_if_oidc_is_available = true;
+ # # issuer = "https://idm.cuties.network/oauth2/openid/headscale";
+ # # client_id = "headscale";
+ # # client_secret_path = "/run/secrets/headscale_oidc_secret";
+ # # strip_email_domain = true;
+ # # };
+
+ # # dns_config.magic_dns = true;
+ # # dns_config.domains = [ "nodes.headscale.noms.ing" ];
+ # # dns_config.base_domain = "ts.cuties.network";
+ # };
+ # };
+
+ # users.users.headscale.extraGroups = [ config.users.groups.keys.name ];
+ # sops.secrets.headscale_oidc_secret = {
+ # owner = config.users.users.headscale.name;
+ # sopsFile = ./headscale.sops.yaml;
+ # };
+
+ services.nginx.virtualHosts."headscale.noms.ing" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:8323";
+ proxyWebsockets = true;
+ };
+ };
+
+ # services.tailscale.enable = true;
+}
diff --git a/chaski/services/tracktrain.nix b/chaski/services/tracktrain.nix
new file mode 100644
index 0000000..77a1ab7
--- /dev/null
+++ b/chaski/services/tracktrain.nix
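Review bot: The nginx virtualHost for headscale.noms.ing is the only uncommented block in this file, so importing it would request an ACME certificate and proxy every request to 127.0.0.1:8323, where nothing listens because `services.headscale` is commented out, yielding bad-gateway responses. Tying the vhost to the backend keeps the two in step: `services.nginx.virtualHosts."headscale.noms.ing" = lib.mkIf config.services.headscale.enable { … };`. The import of this file is itself commented out in configuration.nix in this commit, so nothing is exposed yet, but the file reads as if the vhost were meant to be live on its own.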
@@ -0,0 +1,145 @@
+{ config, lib, pkgs, inputs, ... }:
+
+let
+ tracktrain-config = ''
+ dbstring: "dbname=tracktrain user=tracktrain"
+ gtfs: ${pkgs.copyPathToStore ./gtfs.zip}
+ assets: ${pkgs.tracktrain}/assets
+
+ warp:
+ port: 4000
+ '';
+in
+{
+ sops.secrets = {
+ "tracktrain/env" = {};
+ "nginx/tracktrain-auth" = {
+ owner = "nginx";
+ };
+ };
+
+ services.nginx.recommendedProxySettings = true;
+ services.nginx.virtualHosts."tracktrain.stuebinm.eu" = {
+ serverAliases = [ "tracktrain.ilztalbahn.eu" "ilztalbahn.infra4future.de" ];
+ locations."/" = {
+ proxyPass = "http://192.168.42.41:4000";
+ proxyWebsockets = true;
+ basicAuthFile = "/run/secrets/nginx/tracktrain-auth";
+ };
+ locations."/api" = {
+ proxyPass = "http://192.168.42.41:4000";
+ proxyWebsockets = true;
+ extraConfig = ''
+ add_header 'Access-Control-Allow-Origin' '*' always;
+ '';
+ };
+ locations."/metrics/" = {
+ proxyPass = "http://localhost:2342";
+ proxyWebsockets = true;
+ extraConfig = ''
+ rewrite ^/metrics/(.*) /$1 break;
+ '';
+ };
+ enableACME = true;
+ forceSSL = true;
+ };
+
+
+ # services.prometheus = {
+ # enable = true;
+ # port = 9001;
+ # scrapeConfigs = [ {
+ # job_name = "tracktrain";
+ # static_configs = [{
+ # targets = [ "192.168.42.41:4000" ];
+ # }];
+ # } ];
+ # };
+
+ # services.grafana = {
+ # enable = true;
+ # settings.server = {
+ # serve_from_sub_path = true;
+ # domain = "tracktrain.ilztalbahn.eu";
+ # root_url = "%(protocol)s://%(domain)s:/metrics/";
+ # http_port = 2342;
+ # http_addr = "0.0.0.0";
+ # };
+
+ # provision = {
+ # enable = true;
+ # datasources.settings.datasources = [ {
+ # url = "http://localhost:9001";
+ # type = "prometheus";
+ # name = "prometheus";
+ # } ];
+ # };
+ # };
+
+ networking.firewall.allowedTCPPorts = [ 443 ];
+
+ containers.tracktrain = {
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress6 = "fd00::42:40";
+ localAddress6 = "fd00::42:41";
+ hostAddress = "192.168.42.40";
+ localAddress = "192.168.42.41";
+
+ config = { config, ... }: {
+
+ systemd.services.tracktrain = {
+ enable = true;
+
+ description = "tracks trains, hopefully";
+ wantedBy = [ "multi-user.target" ];
+ after = [ "network.target" ];
+ serviceConfig = {
+ Type = "simple";
+ # EnvironmentFile = "/secrets/env";
+ DynamicUser = true;
+ };
+ path = [ pkgs.wget pkgs.ntfy-sh ];
+ script = ''
+ cd /tmp
+ ln -sf ${pkgs.writeText "config.yaml" tracktrain-config} "config.yaml"
+ sleep 3
+ ${pkgs.tracktrain}/bin/tracktrain +RTS -T
+ '';
+ };
+
+ systemd.services.postgresql.wantedBy = [ "tracktrain.service" ];
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "tracktrain" ];
+ ensureUsers = [ {
+ name = "tracktrain";
+ ensureDBOwnership = true;
+ } ];
+ authentication = ''
+ local all all trust
+ '';
+ };
+
+ networking.firewall.enable = false;
+ system.stateVersion = "25.11";
+
+ services.coredns = {
+ enable = true;
+ config = ''
+ .:53 {
+ forward . 1.1.1.1
+ }
+ '';
+ };
+ };
+ };
+
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "ve-tracktrain" ];
+ externalInterface = "ens3";
+ };
+
+}
|
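Review bot: The `sleep 3` in the tracktrain service script is standing in for a missing ordering dependency: `systemd.services.postgresql.wantedBy = [ "tracktrain.service" ]` only pulls postgresql in, and `after = [ "network.target" ]` says nothing about it, so the service can still start before the database accepts connections. Replace the sleep with `after = [ "network.target" "postgresql.service" ]; requires = [ "postgresql.service" ];` on the tracktrain unit. The `local all all trust` rule in `services.postgresql.authentication` lets any process in the container connect to any role without credentials; the only client shown is the tracktrain user, so `local tracktrain tracktrain trust` grants the same access with less reach (the module's own default rules are appended after it, so the ensure scripts should be unaffected, though that is worth confirming). `basicAuthFile = "/run/secrets/nginx/tracktrain-auth"` hard-codes the sops mount point where `config.sops.secrets."nginx/tracktrain-auth".path` would follow the declaration. The declared `sops.secrets."tracktrain/env"` is never referenced: the `EnvironmentFile` line that would use it is commented out and nothing in this hunk hands it into the container, so it is either dead config or a missing bind mount.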
