feat(octoprint): init on logistics

modules/system/exports/octoprint.nix

@@ -0,0 +1,36 @@
+{
+  lib,
+  gensokyo-zone,
+  ...
+}: let
+  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+  inherit (lib.modules) mkIf;
+in {
+  config.exports.services.octoprint = {config, ...}: {
+    displayName = mkAlmostOptionDefault "OctoPrint";
+    id = mkAlmostOptionDefault "print";
+    nixos = {
+      serviceAttr = "octoprint";
+      assertions = let
+        mkAssertion = f: nixosConfig: let
+          cfg = nixosConfig.services.octoprint;
+        in
+          f nixosConfig cfg;
+      in
+        mkIf config.enable [
+          (mkAssertion (nixosConfig: cfg: {
+            assertion = config.ports.default.port == cfg.port;
+            message = "port mismatch";
+          }))
+        ];
+    };
+    defaults.port.listen = mkAlmostOptionDefault "lan";
+    ports = {
+      default = {
+        port = mkAlmostOptionDefault 5000;
+        protocol = "http";
+        status.enable = mkAlmostOptionDefault true;
+      };
+    };
+  };
+}

modules/system/exports/openwebrx.nix

@@ -3,9 +3,8 @@
   gensokyo-zone,
   ...
 }: let
-  inherit (gensokyo-zone.lib) mapAlmostOptionDefaults mkAlmostOptionDefault;
+  inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
   inherit (lib.modules) mkIf;
-  inherit (lib.attrsets) mapAttrs;
 in {
   config.exports.services.openwebrx = {config, ...}: {
     displayName = mkAlmostOptionDefault "OpenWebRX";

nixos/access/octoprint.nix

@@ -0,0 +1,58 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkDefault;
+  inherit (config.services) octoprint;
+  name.shortServer = mkDefault "print";
+  upstreamName = "octoprint'access";
+in {
+  config.services.nginx = {
+    upstreams'.${upstreamName}.servers = {
+      local = {
+        enable = mkDefault octoprint.enable;
+        addr = mkDefault "localhost";
+        port = mkIf octoprint.enable (mkDefault octoprint.port);
+      };
+      service = {upstream, ...}: {
+        enable = mkIf upstream.servers.local.enable (mkDefault false);
+        accessService = {
+          name = "octoprint";
+          # XXX: logistics doesn't listen on v6
+          getAddressFor = "getAddress4For";
+        };
+      };
+    };
+    virtualHosts = let
+      copyFromVhost = mkDefault "octoprint";
+      locations = {
+        "/" = {
+          proxy.enable = true;
+        };
+        "/sockjs/" = {
+          proxy = {
+            enable = true;
+            websocket.enable = true;
+          };
+        };
+      };
+    in {
+      octoprint = {
+        inherit name locations;
+        proxy.upstream = mkDefault upstreamName;
+        vouch.enable = mkDefault true;
+      };
+      octoprint'local = {
+        inherit name locations;
+        ssl.cert = {
+          inherit copyFromVhost;
+        };
+        proxy = {
+          inherit copyFromVhost;
+        };
+        local.enable = mkDefault true;
+      };
+    };
+  };
+}

nixos/octoprint.nix

@@ -0,0 +1,53 @@
+{
+  config,
+  access,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkMerge mkDefault;
+  inherit (config.services) motion;
+  cfg = config.services.octoprint;
+  behindVouch = false;
+in {
+  services.octoprint = {
+    enable = mkDefault true;
+    # host = mkIf config.networking.enableIPv6 "::";
+    extraConfig = mkMerge [
+      # https://docs.octoprint.org/en/master/configuration/config_yaml.html
+      {
+        # TODO: api.key = sops?
+        server = {
+          # TODO: secretKey = sops?
+          reverseProxy = {
+            schemeHeader = "X-Forwarded-Proto";
+            trustedDownstream = access.cidrForNetwork.allLan.all;
+          };
+        };
+        webcam = mkIf motion.enable {
+          # TODO
+        };
+        plugins = {
+          _disabled = [
+            "softwareupdate"
+          ];
+        };
+      }
+      (mkIf (!behindVouch) {
+        autologinLocal = true;
+        autologinAs = "guest";
+        localNetworks = access.cidrForNetwork.allLocal.all;
+      })
+      (mkIf behindVouch {
+        trustRemoteUser = true;
+        addRemoteUsers = true;
+        remoteUserHeader = "X-Vouch-User";
+      })
+    ];
+  };
+
+  networking.firewall = mkIf cfg.enable {
+    interfaces.lan.allowedTCPPorts = [
+      cfg.port
+    ];
+  };
+}

systems/hakurei/nixos.nix

@@ -42,6 +42,7 @@ in {
     nixos.access.grafana
     nixos.access.loki
     nixos.access.kitchencam
+    nixos.access.octoprint
     nixos.access.openwebrx
     nixos.access.deluge
     nixos.access.home-assistant
@@ -266,6 +267,14 @@ in {
         virtualHosts.kitchencam'local.allServerNames
       ];
     };
+    print = {
+      inherit (nginx) group;
+      domain = virtualHosts.octoprint.serverName;
+      extraDomainNames = mkMerge [
+        virtualHosts.octoprint.otherServerNames
+        virtualHosts.octoprint'local.allServerNames
+      ];
+    };
     webrx = {
       inherit (nginx) group;
       domain = virtualHosts.openwebrx.serverName;
@@ -396,6 +405,7 @@ in {
         };
       };
       kitchencam.ssl.cert.enable = true;
+      octoprint.ssl.cert.enable = true;
       openwebrx.ssl.cert.enable = true;
       deluge.ssl.cert.enable = true;
       invidious = {

systems/logistics/default.nix

@@ -11,6 +11,7 @@ _: {
         enable = true;
         ports.stream.port = 41081;
       };
+      octoprint.enable = true;
     };
   };
   network.networks = {

systems/logistics/nixos.nix

@@ -14,6 +14,7 @@ in {
     nixos.base
     nixos.barcodebuddy-scanner
     nixos.kitchencam
+    nixos.octoprint
     ./hardware-configuration.nix
   ];
 

tf/cloudflare_records.tf

@@ -28,6 +28,7 @@ module "hakurei_system_records" {
     "smb",
     "mqtt",
     "kitchen",
+    "print",
     "webrx",
     "deluge",
     "home",
@@ -46,6 +47,7 @@ module "hakurei_system_records" {
     "smb",
     "mqtt",
     "kitchen",
+    "print",
     "webrx",
     "syncplay",
     "yt",