From 0989b8ae4687fd915a258901f2db60a8ebb10c4f Mon Sep 17 00:00:00 2001
From: Harald Hoyer
Date: Sun, 3 May 2026 14:49:44 +0200
Subject: [PATCH] feat(sgx): add opencode web server
---
 systems/x86_64-linux/sgx/acme.nix | 1 +
 systems/x86_64-linux/sgx/default.nix | 1 +
 systems/x86_64-linux/sgx/nginx.nix | 12 +++++++
 systems/x86_64-linux/sgx/opencode.nix | 46 +++++++++++++++++++++++++++
 4 files changed, 60 insertions(+)
 create mode 100644 systems/x86_64-linux/sgx/opencode.nix
diff --git a/systems/x86_64-linux/sgx/acme.nix b/systems/x86_64-linux/sgx/acme.nix
index da5d5cc..e82c9d2 100644
--- a/systems/x86_64-linux/sgx/acme.nix
+++ b/systems/x86_64-linux/sgx/acme.nix
@@ -18,6 +18,7 @@
 "status.hoyer.world"
 "firefly.hoyer.world"
 "firefly-import.hoyer.world"
+ "opencode.sgx.hoyer.world"
 ];
 };
 };
diff --git a/systems/x86_64-linux/sgx/default.nix b/systems/x86_64-linux/sgx/default.nix
index 5d20468..2e7e6e7 100644
--- a/systems/x86_64-linux/sgx/default.nix
+++ b/systems/x86_64-linux/sgx/default.nix
@@ -13,6 +13,7 @@
 ./searx.nix
 ./uptime-kuma.nix
 ./firefly.nix
+ ./opencode.nix
 ];
 boot.tmp.useTmpfs = false;
diff --git a/systems/x86_64-linux/sgx/nginx.nix b/systems/x86_64-linux/sgx/nginx.nix
index 26eeedf..64a38a7 100644
--- a/systems/x86_64-linux/sgx/nginx.nix
+++ b/systems/x86_64-linux/sgx/nginx.nix
@@ -41,5 +41,17 @@
 proxyWebsockets = true;
 };
 };
+ "opencode.sgx.hoyer.world" = {
+ enableACME = false;
+ useACMEHost = "internal.hoyer.world";
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:4196";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_buffering off;
+ '';
+ };
+ };
 };
 }
diff --git a/systems/x86_64-linux/sgx/opencode.nix b/systems/x86_64-linux/sgx/opencode.nix
new file mode 100644
index 0000000..10b2913
--- /dev/null
+++ b/systems/x86_64-linux/sgx/opencode.nix
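Review bot: The `proxyPass = "http://127.0.0.1:4196"` line in the nginx.nix hunk repeats the port that opencode.nix binds as `port = 4196`, so the proxy and the listener can silently drift apart on a later change; exposing the port once (for example through a small NixOS option that both modules read) would keep them in step. As far as the hunk shows, nothing at the nginx layer gates this vhost — there is no `allow`/`deny` block in `extraConfig` and no `basicAuth` on the location — so access appears to rest entirely on whatever the upstream enforces with the password loaded in opencode.nix; if that is intended, a one-line comment at the vhost such as `# OpenCode UI; access is gated by the server-side password only` would make the decision explicit. The enclosing `virtualHosts` attribute set starts before the hunk.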
@@ -0,0 +1,46 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}:
+
+let
+ port = 4196;
+ user = "harald";
+ homeDir = "/home/harald";
+in
+{
+ systemd.services.opencode-serve = {
+ description = "OpenCode Web Server";
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+
+ environment = {
+ HOME = homeDir;
+ };
+
+ serviceConfig = {
+ Type = "simple";
+ User = user;
+ Group = "users";
+ WorkingDirectory = homeDir;
+ ExecStart = "${pkgs.opencode}/bin/opencode serve --hostname 127.0.0.1 --port ${toString port}";
+ Restart = "always";
+ RestartSec = 5;
+ EnvironmentFile = config.sops.secrets.opencode-web-password.path;
+
+ # Security hardening
+ PrivateTmp = true;
+ ProtectSystem = "strict";
+ ProtectHome = false;
+ NoNewPrivileges = true;
+ ReadWritePaths = [ homeDir ];
+ };
+ };
+
+ sops.secrets.opencode-web-password = {
+ sopsFile = ../../../.secrets/sgx/opencode-web.yaml;
+ owner = user;
+ };
+}
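Review bot: The `# Security hardening` comment in serviceConfig overstates what the surrounding lines achieve: the unit runs as the interactive account `harald` with `Group = "users"`, `ProtectHome = false` and `ReadWritePaths = [ homeDir ]`, so a compromise of the network-exposed process has full read/write access to that user's home directory and `ProtectSystem = "strict"` only covers paths outside it. If the server genuinely needs the user's checkouts, a dedicated system user with `ProtectHome = "tmpfs"` plus `BindPaths` limited to the project directories would narrow that, and directives like `ProtectKernelTunables = true;` and `ProtectControlGroups = true;` cost nothing for a localhost HTTP listener; failing that, replace the comment with an accurate one, e.g. `# Runs as the personal account with the whole home dir writable; ProtectSystem only covers paths outside $HOME`. The `EnvironmentFile` line does not say which variable the sops-managed file must define for the password to take effect, so a comment naming it would save the next maintainer a lookup. `lib` is taken from the module arguments but never used, and the port literal 4196 is duplicated in nginx.nix's proxyPass.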