feat: Added affine server

nixos/tako/services/affine.nix

@@ -0,0 +1,89 @@
+{config, ...}: let
+  domain = "notes.darksailor.dev";
+in {
+  imports = [
+    ../../../modules/nixos/affine.nix
+  ];
+
+  # SOPS secrets
+  sops = {
+    secrets = {
+      "affine/db_password" = {};
+      "authelia/oidc/affine/client_id" = {
+        owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
+        mode = "0440";
+        restartUnits = ["authelia-darksailor.service"];
+      };
+      "authelia/oidc/affine/client_secret" = {
+        owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
+        mode = "0440";
+        restartUnits = ["authelia-darksailor.service"];
+      };
+    };
+    templates."affine.env".content = ''
+      AFFINE_DB_PASSWORD=${config.sops.placeholder."affine/db_password"}
+      POSTGRES_PASSWORD=${config.sops.placeholder."affine/db_password"}
+      AFFINE_SERVER_EXTERNAL_URL=https://${domain}
+    '';
+  };
+
+  # Enable AFFiNE service
+  services.affine = {
+    enable = true;
+    inherit domain;
+    environmentFiles = [
+      config.sops.templates."affine.env".path
+    ];
+  };
+
+  # Caddy reverse proxy with SSO forward auth
+  services.caddy.virtualHosts."${domain}".extraConfig = ''
+    reverse_proxy localhost:${toString config.services.affine.port}
+  '';
+
+  # Authelia access control rules
+  services.authelia.instances.darksailor.settings = {
+    access_control.rules = [
+      {
+        inherit domain;
+        policy = "bypass";
+        resources = [
+          "^/api/(sync|awareness)([/?].*)?$"
+          "^/socket\\.io([/?].*)?$"
+        ];
+      }
+      {
+        inherit domain;
+        policy = "one_factor";
+      }
+    ];
+    # OIDC client for AFFiNE
+    identity_providers.oidc.clients = [
+      {
+        client_name = "AFFiNE: Darksailor";
+        client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/affine/client_id".path}" }}'';
+        client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/affine/client_secret".path}" }}'';
+        public = false;
+        authorization_policy = "one_factor";
+        require_pkce = false;
+        redirect_uris = [
+          "https://${domain}/oauth/callback"
+        ];
+        scopes = [
+          "openid"
+          "email"
+          "profile"
+        ];
+        response_types = ["code"];
+        grant_types = ["authorization_code"];
+        userinfo_signed_response_alg = "none";
+        token_endpoint_auth_method = "client_secret_post";
+      }
+    ];
+  };
+
+  # Ensure containers start after secrets are available
+  systemd.services.docker-affine.after = ["sops-install-secrets.service"];
+  systemd.services.docker-affine-migration.after = ["sops-install-secrets.service"];
+  systemd.services.docker-affine-postgres.after = ["sops-install-secrets.service"];
+}