From 42ff53de0f5eac312aef07af756846c40eb1906a Mon Sep 17 00:00:00 2001 From: Henri Dohmen Date: Tue, 15 Jul 2025 20:58:17 +0200 Subject: [PATCH] firefox sync --- desktop/software/default.nix | 1 + host/roam/default.nix | 4 ++-- host/roam/firefox-sync.nix | 32 +++++++++++++++++++++++++++ host/roam/services.nix | 16 +++++++------- mod/nginx.nix | 24 +++++--------------- secrets.nix | 1 + secrets/roam/firefox-sync-secret.age | Bin 0 -> 516 bytes var/lan-dns.nix | 14 +++++------- 8 files changed, 54 insertions(+), 38 deletions(-) create mode 100644 host/roam/firefox-sync.nix create mode 100644 secrets/roam/firefox-sync-secret.age
diff --git a/desktop/software/default.nix b/desktop/software/default.nix
index 420cfc2..56d5bf0 100644
--- a/desktop/software/default.nix
+++ b/desktop/software/default.nix
@@ -49,6 +49,7 @@ in
 enable = true;
 settings = {
 "identity.fxaccounts.enabled" = true;
+ "identity.sync.tokenserver.uri" = "http://fx-sync.lan/1.0/sync/1.5";
 "webgl.disabled" = false;
 "privacy.resistFingerprinting" = false;
 "privacy.clearOnShutdown.history" = false;
diff --git a/host/roam/default.nix b/host/roam/default.nix
index 6db9704..ecc870c 100644
--- a/host/roam/default.nix
+++ b/host/roam/default.nix
@@ -1,5 +1,4 @@ -{ lib', ... }: -{ +_: { networking.hostName = "roam"; age.identityPaths = [
@@ -8,6 +7,7 @@ imports = [ ./backup.nix + ./firefox-sync.nix ./git.nix ./hardware-configuration.nix ./networking.nix
diff --git a/host/roam/firefox-sync.nix b/host/roam/firefox-sync.nix
new file mode 100644
index 0000000..eee8be3
--- /dev/null
+++ b/host/roam/firefox-sync.nix
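Review bot: In desktop/software/default.nix the new `identity.sync.tokenserver.uri` points at `http://fx-sync.lan/...`, so the client's token request travels in cleartext and depends entirely on the network path for confidentiality and for knowing it is talking to the right server. The same patch sets `enableTLS = false` in host/roam/firefox-sync.nix and has the private vhosts listen on port 80 of `var.wg.ips.roam`, which suggests WireGuard is meant to provide that protection. That only holds if `fx-sync.lan` can never resolve to anything but the tunnel address on these desktops, and the var/lan-dns.nix change that would show this is not among the visible hunks. I would record the assumption next to the pref, e.g. `# plain HTTP on purpose: fx-sync.lan is only reachable through WireGuard`, or give the vhost a certificate and switch the URI to https. The enclosing `settings` set starts and ends outside the hunk.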
@@ -0,0 +1,32 @@
+{
+ pkgs,
+ config,
+ secrets,
+ ...
+}:
+{
+ services.mysql.package = pkgs.mariadb;
+
+ age.secrets.roam-firefox-sync-secret = {
+ file = secrets.roam."firefox-sync-secret.age";
+ mode = "440";
+ owner = "root";
+ group = "root";
+ };
+
+ services.firefox-syncserver = {
+ enable = true;
+ secrets = config.age.secrets.roam-firefox-sync-secret.path;
+ singleNode = {
+ enable = true;
+ hostname = "fx-sync.lan";
+ enableTLS = false;
+ };
+ };
+ services.nginx.virtualHostsPriv."fx-sync.lan" = {
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString config.services.firefox-syncserver.settings.port}";
+ recommendedProxySettings = true;
+ };
+ };
+}
diff --git a/host/roam/services.nix b/host/roam/services.nix
index d6ad204..5424382 100644
--- a/host/roam/services.nix
+++ b/host/roam/services.nix
@@ -6,16 +6,16 @@
 services = {
 nginx = {
 enable = true;
- defaultListen = [
- {
- addr = var.wg.ips.roam;
- ssl = true;
- }
- ];
- virtualHosts."roam.lan" = {
+ virtualHosts.default = {
+ serverName = "_";
+ default = true;
+ rejectSSL = true;
+ locations."/".return = "444";
+ };
+ virtualHostsPriv."roam.lan" = {
 locations."/" = { };
 };
- virtualHostsPub."roam.hdohmen.de" = {
+ virtualHosts."roam.hdohmen.de" = {
 enableACME = true;
 locations."/" = { };
 };
diff --git a/mod/nginx.nix b/mod/nginx.nix
index 5c0d66d..1c0b935 100644
--- a/mod/nginx.nix
+++ b/mod/nginx.nix
@@ -2,14 +2,15 @@ lib, options, config, + var, ... }: with lib; { - options.services.nginx.virtualHostsPub = mkOption { + options.services.nginx.virtualHostsPriv = mkOption { type = options.services.nginx.virtualHosts.type; default = { }; - description = "Declarative vhost config listening to ::0 and 0.0.0.0"; + description = "Declarative vhost config listening on onet"; }; config = {
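Review bot: In host/roam/firefox-sync.nix the `singleNode` block sets no `capacity`, so the number of accounts allowed to enrol on this server is whatever the NixOS module defaults to. With `enableTLS = false` and no other access control visible in the file, any Firefox account whose client can reach `fx-sync.lan` could register until that limit is reached; `capacity = 1;` (or however many accounts you actually sync) makes the intended audience explicit. Separately, `mode = "440"` with owner and group both `root` grants nothing beyond `"400"`; if the module hands the file to systemd as an environment file, as I believe it does, `mode = "400";` is sufficient.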
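Review bot: In host/roam/services.nix the public vhost `roam.hdohmen.de` keeps `enableACME = true` but no longer gets any TLS listener, because the `addSSL = true` and the port-443 `listen` entries came from the `virtualHostsPub` wrapper that this patch removes in mod/nginx.nix. Unless TLS is enabled for it somewhere outside the visible hunks, the certificate is still requested while the site is served over plain HTTP only, and the new default vhost's `rejectSSL = true` would likely refuse HTTPS handshakes for that name as well. Adding `forceSSL = true;` next to `enableACME = true;` restores HTTPS and redirects port 80. The `services` set starts and ends outside the hunk.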
@@ -17,28 +18,13 @@ with lib; _: v: v // { - addSSL = true; listen = [ { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "[::0]"; - port = 443; - ssl = true; - } - { - addr = "[::0]"; + addr = var.wg.ips.roam; port = 80; } ]; } - ) config.services.nginx.virtualHostsPub; + ) config.services.nginx.virtualHostsPriv; }; }
diff --git a/secrets.nix b/secrets.nix
index 7e061e0..26351f3 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -4,6 +4,7 @@ let
 keys = (import ./var { inherit lib; }).ssh-keys.root;
 secrets = [
 "roam/rclone-conf"
+ "roam/firefox-sync-secret"
 "hd-password"
 ];
 in
diff --git a/secrets/roam/firefox-sync-secret.age b/secrets/roam/firefox-sync-secret.age
new file mode 100644
index 0000000000000000000000000000000000000000..b2d5137f456e43957e69ed6325e67af1840f1f33
GIT binary patch literal 516 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCTyOsOac4pcDk)wl34 z^fN6rQ-Bc01N)Ze+R)YvgEKhf9R%Oxo@u_82C z+uNzY#jz?hEZo$ow5+V$&(bxqARFB_w-Dc?vT_AqN2lVFvgB~XRR8pRC&x&C@+u1FHbLh{lu(rr_!?2qMFL&+4hys_VyDV^Mwpt zvY+D
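Review bot: In the second hunk of mod/nginx.nix the wrapper hard-codes `addr = var.wg.ips.roam` and, through `v // { listen = ... }`, replaces each vhost's `listen` wholesale, so a module kept under mod/ only works for the host roam and silently discards any listener a `virtualHostsPriv` entry defines itself. If the attribute names under `var.wg.ips` match host names (only `roam` is visible here), `addr = var.wg.ips.${config.networking.hostName};` keeps the module reusable. Binding to the tunnel address is what keeps these plain-HTTP vhosts off the public interface, so it deserves a comment such as `# WireGuard address only; never 0.0.0.0`, and the option description in the first hunk ("listening on onet") would be clearer if it named that address. The expression this hunk sits in begins above the hunk.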