feat(amd): add opencode web server at opencode.amd.hoyer.world

Mirror of the sgx opencode setup: systemd service on port 4196 fronted by nginx with a per-host ACME cert (DNS-01 via internetbs). Adds amd key + path rule to .sops.yaml so secrets under .secrets/amd/ encrypt for the host.
2026-05-03 15:55:15 +02:00 · 2026-05-03 15:55:15 +02:00 · 0e723e2da8
commit 0e723e2da8
parent 01f42c0851
7 changed files with 158 additions and 0 deletions
--- a/systems/x86_64-linux/amd/acme.nix
+++ b/systems/x86_64-linux/amd/acme.nix
@ -0,0 +1,11 @@
+{
+  config,
+  ...
+}:
+{
+  sops.secrets.internetbs = {
+    sopsFile = ../../../.secrets/amd/internetbs.yaml;
+  };
+
+  metacfg.services.acmeBase.credentialsFile = config.sops.secrets.internetbs.path;
+}
--- a/systems/x86_64-linux/amd/default.nix
+++ b/systems/x86_64-linux/amd/default.nix
@ -10,12 +10,17 @@ with lib.metacfg;
    ./hardware-configuration.nix
    ./xremap.nix
    ./sound.nix
+    ./acme.nix
+    ./nginx.nix
+    ./opencode.nix
  ];

  powerManagement.cpuFreqGovernor = "performance";

  services.rustdesk-server.signal.enable = false;
  networking.firewall.allowedTCPPorts = [
+    80
+    443
    22000
  ];

@ -29,6 +34,8 @@ with lib.metacfg;
  services.resolved.enable = true;

  metacfg = {
+    services.nginxBase.enable = true;
+    services.acmeBase.enable = true;
    hardware.wooting.enable = true;
    base.enable = true;
    gui.enable = true;
--- a/systems/x86_64-linux/amd/nginx.nix
+++ b/systems/x86_64-linux/amd/nginx.nix
@ -0,0 +1,18 @@
+{
+  ...
+}:
+{
+  services.nginx.virtualHosts = {
+    "opencode.amd.hoyer.world" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:4196";
+        proxyWebsockets = true;
+        extraConfig = ''
+          proxy_buffering off;
+        '';
+      };
+    };
+  };
+}
--- a/systems/x86_64-linux/amd/opencode.nix
+++ b/systems/x86_64-linux/amd/opencode.nix
@ -0,0 +1,47 @@
+{
+  config,
+  pkgs,
+  lib,
+  ...
+}:
+
+let
+  port = 4196;
+  user = "harald";
+  homeDir = "/home/harald";
+in
+{
+  systemd.services.opencode-serve = {
+    description = "OpenCode Web Server";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    environment = {
+      HOME = homeDir;
+    };
+
+    serviceConfig = {
+      Type = "simple";
+      User = user;
+      Group = "users";
+      WorkingDirectory = homeDir;
+      ExecStart = "${pkgs.opencode}/bin/opencode serve --hostname 127.0.0.1 --port ${toString port}";
+      Restart = "always";
+      RestartSec = 5;
+      EnvironmentFile = config.sops.secrets.opencode-web-password.path;
+
+      # Security hardening
+      PrivateTmp = true;
+      ProtectSystem = "strict";
+      ProtectHome = false;
+      NoNewPrivileges = true;
+      ReadWritePaths = [ homeDir ];
+    };
+  };
+
+  sops.secrets.opencode-web-password = {
+    sopsFile = ../../../.secrets/amd/opencode-web.yaml;
+    owner = user;
+    restartUnits = [ "opencode-serve.service" ];
+  };
+}