76 lines
3.1 KiB
Markdown
76 lines
3.1 KiB
Markdown
# Remote Services
|
|
|
|
Cargo workspace with the server-side pieces of Noisebell. Runs on any Linux box.
|
|
|
|
| Service | Port | What it does |
|
|
|---------|------|--------------|
|
|
| [`cache-service/`](cache-service/) | 3000 | Polls the Pi, stores the latest state in SQLite, fans out webhooks |
|
|
| [`rss-service/`](rss-service/) | 3002 | Fetches current status from cache and serves RSS/Atom feeds |
|
|
| [`discord-bot/`](discord-bot/) | 3001 | Posts door status to a Discord channel |
|
|
| [`zulip-bot/`](zulip-bot/) | 3003 | Posts door status to a Zulip stream |
|
|
| [`noisebell-common/`](noisebell-common/) | — | Shared types and helpers |
|
|
|
|
See each service's README for configuration and API docs.
|
|
|
|
## Building
|
|
|
|
```sh
|
|
cargo build --release
|
|
```
|
|
|
|
Or with Nix:
|
|
|
|
```sh
|
|
nix build .#noisebell-cache
|
|
nix build .#noisebell-rss
|
|
nix build .#noisebell-discord
|
|
nix build .#noisebell-zulip
|
|
```
|
|
|
|
## NixOS deployment
|
|
|
|
The flake exports a NixOS module for the hosted remote machine. It imports `agenix`, declares the Noisebell secrets from `secrets/*.age`, and wires the cache and Discord services together with sensible defaults. Each service runs as a hardened systemd unit behind Caddy.
|
|
|
|
```nix
|
|
{
|
|
inputs.noisebell.url = "git+https://git.extremist.software/jet/noisebell";
|
|
|
|
outputs = { self, nixpkgs, noisebell, ... }: {
|
|
nixosConfigurations.myhost = nixpkgs.lib.nixosSystem {
|
|
system = "x86_64-linux";
|
|
modules = [
|
|
noisebell.nixosModules.default
|
|
({ ... }: {
|
|
services.noisebell-cache = {
|
|
enable = true;
|
|
domain = "cache.noisebell.example.com";
|
|
piAddress = "http://noisebell-pi:80";
|
|
};
|
|
services.noisebell-rss = {
|
|
enable = true;
|
|
domain = "rss.noisebell.example.com";
|
|
};
|
|
services.noisebell-discord = {
|
|
enable = true;
|
|
domain = "discord.noisebell.example.com";
|
|
channelId = "123456789012345678";
|
|
};
|
|
})
|
|
];
|
|
};
|
|
};
|
|
}
|
|
```
|
|
|
|
`nixosModules.default` handles these secrets automatically:
|
|
|
|
| Secret file | Deployed on | Used for |
|
|
|-------------|-------------|----------|
|
|
| `secrets/pi-to-cache-key.age` | Pi + remote | Pi authenticates to cache `/webhook` |
|
|
| `secrets/cache-to-pi-key.age` | Pi + remote | cache authenticates to Pi GET endpoints |
|
|
| `secrets/discord-webhook-secret.age` | remote | cache authenticates to Discord bot `/webhook` |
|
|
| `secrets/zulip-webhook-secret.age` | remote | cache authenticates to Zulip bridge `/webhook` |
|
|
| `secrets/discord-token.age` | remote | Discord bot login |
|
|
| `secrets/zulip-api-key.age` | remote | Zulip bot API authentication |
|
|
|
|
When `extremist-software` builds a system using the Noisebell flake input, Nix uses the checked-out flake source for that input. The module points `agenix` at encrypted files inside that Noisebell source tree, such as `${inputs.noisebell}/secrets/discord-token.age`. At activation time `agenix` decrypts them locally on the target host into runtime paths like `/run/agenix/noisebell-discord-token`. The service modules then read those local decrypted files when systemd starts them.
|