From 3b3476c1100e9c29d90303b9b319431f7a016cb0 Mon Sep 17 00:00:00 2001 From: lightly-toasted Date: Sun, 7 Dec 2025 15:19:44 +0900 Subject: [PATCH 1/2] feat(y2q): add opengist - Add environment and environmentFile options to runit module to support environment variables - Add opengist runit service that uses these options --- home/modules/runit/default.nix | 62 ++++++++++++++++++----- home/modules/runit/services/glances.nix | 3 +- home/modules/runit/services/opengist.nix | 20 ++++++++ secrets/gitcrypt/opengist.env | Bin 0 -> 83 bytes secrets/gitcrypt/runit/env | Bin 56 -> 0 bytes 5 files changed, 69 insertions(+), 16 deletions(-) create mode 100644 home/modules/runit/services/opengist.nix create mode 100644 secrets/gitcrypt/opengist.env delete mode 100644 secrets/gitcrypt/runit/env diff --git a/home/modules/runit/default.nix b/home/modules/runit/default.nix index eb12c04..314d107 100644 --- a/home/modules/runit/default.nix +++ b/home/modules/runit/default.nix @@ -18,6 +18,16 @@ description = "Shell commands executed as the service's main process"; }; log.enable = lib.mkEnableOption "Enable logging"; + environment = lib.mkOption { + type = lib.types.attrsOf lib.types.str; + default = {}; + description = "Environment variables passed to the service's processes"; + }; + environmentFile = lib.mkOption { + type = lib.types.nullOr lib.types.path; + default = null; + description = "Environment file passed to the service"; + }; }; })); }; 
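Review bot: The new `environmentFile` option is typed `lib.types.nullOr lib.types.path` and the next hunk links it with `source = sCfg.environmentFile`, which as far as I can tell makes home-manager import the decrypted file into the Nix store, where any local user can read it. The same applies to the `home.file` `source` entries for the tunnel credentials JSON and `cert.pem` in cloudflared.nix. If the secret must stay private, accept a runtime path string and source it in place, e.g. `type = lib.types.nullOr lib.types.str;` with `source ${lib.escapeShellArg sCfg.environmentFile}` in the run script. At minimum the description should state the behaviour, e.g. `description = "File sourced by the run script under set -a (bash syntax); linked from the Nix store";`. The enclosing options block starts outside this hunk.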
@@ -28,21 +38,45 @@ config = { home.file = lib.mkMerge ( lib.mapAttrsToList (serviceName: sCfg: - { - # run script - "runit/services/${serviceName}/run" = { - text = sCfg.script; - executable = true; + let + envExports = lib.concatStringsSep "\n" ( + lib.mapAttrsToList (k: v: "export ${k}='${v}'") sCfg.environment + ); + envFile = lib.mkIf (sCfg.environmentFile != null) { + "runit/services/${serviceName}/.env" = { + source = sCfg.environmentFile; + }; }; - - # logging - "runit/services/${serviceName}/log/run" = lib.mkIf sCfg.log.enable { - text = '' - #!/bin/sh - exec svlogd -t ./main - ''; - }; - } + envFileSetup = if sCfg.environmentFile != null then '' + set -a + source .env + set +a + '' else ""; + in + lib.mkMerge [ + { + # run script + "runit/services/${serviceName}/run" = { + text = '' + #!/usr/bin/env bash + ${envExports} + ${envFileSetup} + ${sCfg.script} + ''; + executable = true; + }; + + # logging + "runit/services/${serviceName}/log/run" = lib.mkIf sCfg.log.enable { + text = '' + #!/bin/sh + exec svlogd -t ./main + ''; + executable = true; + }; + } + envFile + ] ) config.runit.services ); }; diff --git a/home/modules/runit/services/glances.nix b/home/modules/runit/services/glances.nix index 4a7079f..94db540 100644 --- a/home/modules/runit/services/glances.nix +++ b/home/modules/runit/services/glances.nix @@ -3,8 +3,7 @@ { runit.services.glances = { script = '' - #!/bin/bash - ${pkgs.glances}/bin/glances -w + exec ${pkgs.glances}/bin/glances -w ''; }; } diff --git a/home/modules/runit/services/opengist.nix b/home/modules/runit/services/opengist.nix new file mode 100644 index 0000000..d7929c7 --- /dev/null +++ b/home/modules/runit/services/opengist.nix 
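Review bot: `envExports` in default.nix writes each value as `export ${k}='${v}'`, so a value containing a single quote ends the quoting and the remainder is interpreted by bash in the generated run script. Use `lib.mapAttrsToList (k: v: "export ${k}=${lib.escapeShellArg v}") sCfg.environment` instead. The key is interpolated unchecked as well, so it is worth asserting that it is a valid shell identifier. Note also that `.env` is sourced after the exports: it is executed as bash and can override anything set through `environment`, and a comment in the run-script template stating that order would help.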
@@ -0,0 +1,20 @@ +{ pkgs, rootPath, ... }: + +{ + runit.services.opengist = { + script = '' + exec ${pkgs.opengist}/bin/opengist start + ''; + + environment = { + OG_HTTP_HOST = "127.0.0.1"; + OG_HTTP_PORT = "6157"; + OG_SSH_HOST = "127.0.0.1"; + OG_SSH_PORT = "6522"; + }; + + environmentFile = rootPath + /secrets/gitcrypt/opengist.env; + + log.enable = true; + }; +} diff --git a/secrets/gitcrypt/opengist.env b/secrets/gitcrypt/opengist.env new file mode 100644 index 0000000000000000000000000000000000000000..275e5fc48442865fc37cb5db8a5ea5d10d91975c GIT binary patch literal 83 zcmZQ@_Y83kiVO&0P!QXuxAoHED;qA_JXy&W&=9zF#%XzxV@helt{;`M)n;cU)Lz{Y qmvG>m`;u*wiX?k|Dvj2Bv*BpH;JfCP+o=$9%Ri6b`$wMbJ_Z2XT_+d- literal 0 HcmV?d00001 diff --git a/secrets/gitcrypt/runit/env b/secrets/gitcrypt/runit/env deleted file mode 100644 index 15a44d86880dcf2bb41653f2c6fd0997aa2b8b1f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 56 zcmZQ@_Y83kiVO&0nA!6;{O>nC7v17RQyQfzOhdhHME>Bg)bI3Gk-OEGwryq8rkY5e NXMVSmx*yHs0sxPt7^naM From fb9b981a1dea623eb9d68d67484534d4ee15612b Mon Sep 17 00:00:00 2001 From: lightly-toasted Date: Sun, 7 Dec 2025 16:12:40 +0900 Subject: [PATCH 2/2] feat(y2q): add cloudflared - Add cloudflared runit service - Serve opengist via Cloudflare tunnel --- home/modules/runit/services/cloudflared.nix | 25 ++++++++++++++++++ .../cb0d9c2c-48f9-4bca-9e81-ef92423c5afa.json | Bin 0 -> 198 bytes secrets/gitcrypt/cloudflared/cert.pem | Bin 0 -> 288 bytes 3 files changed, 25 insertions(+) create mode 100644 home/modules/runit/services/cloudflared.nix create mode 100644 secrets/gitcrypt/cloudflared/cb0d9c2c-48f9-4bca-9e81-ef92423c5afa.json create mode 100644 secrets/gitcrypt/cloudflared/cert.pem diff --git a/home/modules/runit/services/cloudflared.nix b/home/modules/runit/services/cloudflared.nix new file mode 100644 index 0000000..7cdd0b2 --- /dev/null +++ b/home/modules/runit/services/cloudflared.nix 
@@ -0,0 +1,25 @@ +{ pkgs, config, rootPath, ... }: + +let + tunnel = "cb0d9c2c-48f9-4bca-9e81-ef92423c5afa"; +in +{ + home.file.".cloudflared/${tunnel}.json".source = rootPath + /secrets/gitcrypt/cloudflared/${tunnel}.json; + home.file.".cloudflared/cert.pem".source = rootPath + /secrets/gitcrypt/cloudflared/cert.pem; + home.file.".cloudflared/config.yml".text = '' + tunnel: ${tunnel} + credentials-file: ${config.home.homeDirectory}/.cloudflared/${tunnel}.json + + ingress: + - hostname: gist.toast.name + service: http://${config.runit.services.opengist.environment.OG_HTTP_HOST}:${config.runit.services.opengist.environment.OG_HTTP_PORT} + - service: http_status:404 + ''; + + runit.services.cloudflared = { + script = '' + exec ${pkgs.cloudflared}/bin/cloudflared tunnel run + ''; + log.enable = true; + }; +} diff --git a/secrets/gitcrypt/cloudflared/cb0d9c2c-48f9-4bca-9e81-ef92423c5afa.json b/secrets/gitcrypt/cloudflared/cb0d9c2c-48f9-4bca-9e81-ef92423c5afa.json new file mode 100644 index 0000000000000000000000000000000000000000..46cd7b1d2b235737b24cdf7da596094fc6644694 GIT binary patch literal 198 zcmZQ@_Y83kiVO&0kTL(~`|{12dbO#BbvN&1FMN|)NeBH^ES3B>?-0$VR<=VG)Rn0M7RCi{r!hZ&WFLrWdn&YpJL-2*fYST4Jqx20d)4x{E2i$W=Dyaw*>R86 HxqU_eBZFf( literal 0 HcmV?d00001 diff --git a/secrets/gitcrypt/cloudflared/cert.pem b/secrets/gitcrypt/cloudflared/cert.pem new file mode 100644 index 0000000000000000000000000000000000000000..230ea5494bc2ef924081269e77fc4ff1278dce7d GIT binary patch literal 288 zcmZQ@_Y83kiVO&0sB~m0SQ%)y`DBY){H(RXFU^Yu57ktxnRM^MqKe61SMIT0^NcUx zL0OmK^YYgW8EXwT==AeNE403dNYpC6>vZNni*eO{*Ax{Fiw_LbBdS+Vl9F^`cgxu9 zKc$Sb(*IIp+6xv9MFw}7i8Fc@{Z01kzNWE~e}2Hzlbde+6w33y>Lb7LZhX1Z`|3AO z4phro7N1%2QrDPi>mrM%23}Ra3$p9pSi+or{{kJ?v?B1OUDni9!GX literal 0 HcmV?d00001
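Review bot: `home.file.".cloudflared/cert.pem"` deploys the account certificate to the host, but as far as I know `cloudflared tunnel run` with a `credentials-file` needs only the per-tunnel JSON; `cert.pem` is used for creating, deleting and routing tunnels. Dropping that line keeps the account-level credential off the machine that is reachable through the tunnel. If it is kept on purpose, a comment saying why would help, e.g. `# cert.pem kept so tunnels can be managed from this host`.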