Remote Services
Cargo workspace with the server-side pieces of Noisebell. Runs on any Linux box.
| Service | Port | What it does |
|---|---|---|
| cache-service/ | 3000 | Polls the Pi, stores the latest state in SQLite, fans out webhooks |
| discord-bot/ | 3001 | Posts door status to a Discord channel |
| noisebell-common/ | — | Shared types and helpers |
See each service's README for configuration and API docs.
Building
```sh
cargo build --release
```

Or with Nix:

```sh
nix build .#noisebell-cache
nix build .#noisebell-discord
```
NixOS deployment
The flake exports a NixOS module for the hosted remote machine. It imports agenix, declares the Noisebell secrets from secrets/*.age, and wires the cache and Discord services together with sensible defaults. Each service runs as a hardened systemd unit behind Caddy.
```nix
{
  inputs.noisebell.url = "git+https://git.extremist.software/jet/noisebell";

  outputs = { self, nixpkgs, noisebell, ... }: {
    nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
      system = "x86_64-linux";
      modules = [
        noisebell.nixosModules.default
        ({ ... }: {
          services.noisebell-cache = {
            enable = true;
            domain = "cache.noisebell.example.com";
            piAddress = "http://noisebell-pi:80";
          };
          services.noisebell-discord = {
            enable = true;
            domain = "discord.noisebell.example.com";
            channelId = "123456789012345678";
          };
        })
      ];
    };
  };
}
```
nixosModules.default handles these secrets automatically:
| Secret file | Deployed on | Used for |
|---|---|---|
| secrets/pi-to-cache-key.age | Pi + remote | Pi authenticates to cache /webhook |
| secrets/cache-to-pi-key.age | Pi + remote | cache authenticates to Pi GET endpoints |
| secrets/discord-webhook-secret.age | remote | cache authenticates to Discord bot /webhook |
| secrets/discord-token.age | remote | Discord bot login |
When extremist-software builds a system using the Noisebell flake input, Nix uses the checked-out flake source for that input. The module points agenix at encrypted files inside that Noisebell source tree, such as ${inputs.noisebell}/secrets/discord-token.age. At activation time agenix decrypts them locally on the target host into runtime paths like /run/agenix/noisebell-discord-token. The service modules then read those local decrypted files when systemd starts them.
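
One way the secret flow described above can be wired in a NixOS module, as an added sketch that is not the Noisebell module's own code. The unit name `example-discord-bot`, the binary name under `bin/`, and the `DISCORD_TOKEN_FILE` variable are assumptions; the `age.secrets` options are agenix's and the rest are standard systemd settings.

```nix
# Added sketch, not the Noisebell module. Assumes agenix's NixOS module is
# imported and the flake's `inputs` are passed to modules via specialArgs.
{ config, inputs, pkgs, ... }:
let
  # Package name taken from `nix build .#noisebell-discord`; the binary name
  # under bin/ is an assumption.
  bot = inputs.noisebell.packages.${pkgs.stdenv.hostPlatform.system}.noisebell-discord;
in
{
  # Only the ciphertext is copied into the Nix store. agenix decrypts it at
  # activation to /run/agenix/noisebell-discord-token.
  age.secrets.noisebell-discord-token = {
    file = "${inputs.noisebell}/secrets/discord-token.age";
    owner = "root";
    mode = "0400";
  };

  systemd.services.example-discord-bot = { # hypothetical unit name
    wantedBy = [ "multi-user.target" ];
    wants = [ "network-online.target" ];
    after = [ "network-online.target" ];
    serviceConfig = {
      ExecStart = "${bot}/bin/noisebell-discord";
      # systemd reads the root-only file and exposes a private copy to the
      # unit, so the service user never needs access to /run/agenix itself.
      LoadCredential = "discord-token:${config.age.secrets.noisebell-discord-token.path}";
      # Hypothetical variable name; %d expands to the credentials directory.
      Environment = "DISCORD_TOKEN_FILE=%d/discord-token";
      DynamicUser = true;
      NoNewPrivileges = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      PrivateTmp = true;
      PrivateDevices = true;
      CapabilityBoundingSet = "";
      RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
      SystemCallFilter = [ "@system-service" ];
    };
  };
}
```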