feat(access): taskchampion

nixos/access/taskchampion.nix

@@ -0,0 +1,50 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  inherit (lib.modules) mkIf mkDefault;
+  inherit (config.services) taskchampion-sync-server;
+  name.shortServer = mkDefault "task";
+  upstreamName = "taskchampion'access";
+in {
+  config.services.nginx = {
+    upstreams'.${upstreamName}.servers = {
+      local = {
+        enable = mkDefault taskchampion-sync-server.enable;
+        addr = mkDefault "localhost";
+        port = mkIf taskchampion-sync-server.enable (mkDefault taskchampion-sync-server.port);
+      };
+      service = {upstream, ...}: {
+        enable = mkIf upstream.servers.local.enable (mkDefault false);
+        accessService = {
+          name = "taskchampion";
+        };
+      };
+    };
+    virtualHosts = let
+      copyFromVhost = mkDefault "taskchampion";
+      locations = {
+        "/" = {
+          proxy.enable = true;
+        };
+      };
+    in {
+      taskchampion = {
+        inherit name locations;
+        proxy.upstream = mkDefault upstreamName;
+        vouch.enable = mkDefault true;
+      };
+      taskchampion'local = {
+        inherit name locations;
+        ssl.cert = {
+          inherit copyFromVhost;
+        };
+        proxy = {
+          inherit copyFromVhost;
+        };
+        local.enable = mkDefault true;
+      };
+    };
+  };
+}

systems/hakurei/nixos.nix

@@ -48,6 +48,7 @@ in {
     nixos.access.nextjs-ollama
     nixos.access.openwebrx
     nixos.access.deluge
+    nixos.access.taskchampion
     nixos.access.home-assistant
     nixos.access.zigbee2mqtt
     nixos.access.grocy
@@ -132,6 +133,14 @@ in {
         virtualHosts.vaultwarden'local.allServerNames
       ];
     };
+    task = {
+      inherit (nginx) group;
+      domain = virtualHosts.taskchampion.serverName;
+      extraDomainNames = mkMerge [
+        virtualHosts.taskchampion.otherServerNames
+        virtualHosts.taskchampion'local.allServerNames
+      ];
+    };
     home = {
       inherit (nginx) group;
       domain = virtualHosts.home-assistant.serverName;
@@ -380,6 +389,11 @@ in {
         local.denyGlobal = true;
         ssl.cert.enable = true;
       };
+      taskchampion = {
+        # not the real task record-holder, so don't respond globally..
+        local.denyGlobal = true;
+        ssl.cert.enable = true;
+      };
       home-assistant = {
         # not the real hass record-holder, so don't respond globally..
         local.denyGlobal = true;

systems/tei/cloudflared.nix

@@ -19,6 +19,7 @@ in {
           (nginx.virtualHosts.grocy.proxied.cloudflared.getIngress {})
           (nginx.virtualHosts.barcodebuddy.proxied.cloudflared.getIngress {})
           (nginx.virtualHosts.home-assistant.proxied.cloudflared.getIngress {})
+          (nginx.virtualHosts.taskchampion.proxied.cloudflared.getIngress {})
         ];
       };
     };

systems/tei/nixos.nix

@@ -16,6 +16,7 @@ in {
     nixos.postgres
     nixos.nginx
     nixos.adb
+    nixos.access.taskchampion
     nixos.access.home-assistant
     nixos.access.zigbee2mqtt
     nixos.access.grocy
@@ -39,6 +40,7 @@ in {
         proxied.enable = "cloudflared";
         vouch.enable = mkIf hassVouch true;
       };
+      taskchampion.proxied.enable = "cloudflared";
     };
   };
   services.home-assistant = {

tf/cloudflare_records.tf

@@ -33,6 +33,7 @@ module "hakurei_system_records" {
     "lm",
     "webrx",
     "deluge",
+    "task",
     "home",
     "z2m",
     "grocy",

tf/cloudflare_tunnels.tf

@@ -106,6 +106,7 @@ module "tewi" {
   account_id = var.cloudflare_account_id
   zone_id    = cloudflare_zone.gensokyo-zone_zone.id
   subdomains = [
+    "task",
     "home",
     "z2m",
     "grocy",