feat: self-host delta at delta.harivan.sh

Add delta systemd service on port 3300 with nginx reverse proxy,
ACME SSL, and WebAuthn/OAuth env config. Also update README with
current service list.

README.md

@@ -27,12 +27,14 @@ Global agent skills are installed declaratively using skills.sh and only resync
 Secrets live in Bitwarden and are rendered at activation time using cli
 Deployment is `just switch` for the laptop and `just switch-netty` for the server.
 
-All PRs auto-merge on creation if tests pass
+All PRs auto-merge
 
 The KVM has a declarative service bundle: 
 - netty exposes 3 tcp ports (22:ssh, 80:http, 443:https)
 - services only listen on 127.0.0.1 (runs behind nginx with ACME)
 - Self hosts Forgejo mirroring to GitHub (git.harivan.sh)
+- Diff-kit (diffs.harivan.sh)
 - Self hosts VaultWarden
 - betterNAS control-plane and node agent (api.betternas.com)
-- OpenClaw gateway behind nginx (netty.harivan.sh)
+- Hermes agent (netty.harivan.sh)
+- Delta (delta.harivan.sh)

hosts/netty/configuration.nix

@@ -18,6 +18,7 @@ in
     ./vaultwarden.nix
     ./forgejo.nix
     ./diffkit.nix
+    ./delta.nix
     ./betternas.nix
     ./hermes-gateway.nix
     ./forgejo-runner.nix

hosts/netty/delta.nix

@@ -0,0 +1,48 @@
+{
+  pkgs,
+  username,
+  ...
+}:
+let
+  deltaPort = "3300";
+  stateDir = "/var/lib/delta";
+  repoDir = "/home/${username}/Documents/GitHub/delta";
+  envFile = "${stateDir}/delta.env";
+  dbPath = "${stateDir}/data.db";
+in
+{
+  systemd.tmpfiles.rules = [
+    "d ${stateDir} 0750 ${username} users -"
+    "z ${envFile} 0600 ${username} users -"
+  ];
+
+  systemd.services.delta = {
+    description = "Delta - Self-hosted Todo Platform";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    environment = {
+      NODE_ENV = "production";
+      HOSTNAME = "127.0.0.1";
+      PORT = deltaPort;
+      DATABASE_URL = dbPath;
+      OAUTH_REDIRECT_BASE_URL = "https://delta.harivan.sh";
+      WEBAUTHN_ORIGIN = "https://delta.harivan.sh";
+      WEBAUTHN_RP_ID = "delta.harivan.sh";
+    };
+
+    path = [ pkgs.nodejs_22 ];
+
+    serviceConfig = {
+      Type = "simple";
+      User = username;
+      Group = "users";
+      WorkingDirectory = repoDir;
+      ExecStart = "${repoDir}/node_modules/.bin/next start --port ${deltaPort} --hostname 127.0.0.1";
+      EnvironmentFile = "-${envFile}";
+      Restart = "on-failure";
+      RestartSec = 5;
+    };
+  };
+}

hosts/netty/nginx.nix

@@ -7,6 +7,7 @@ let
   vaultDomain = "vault.harivan.sh";
   betternasDomain = "api.betternas.com";
   diffkitDomain = "diffs.harivan.sh";
+  deltaDomain = "delta.harivan.sh";
 in
 {
   security.acme = {
@@ -53,6 +54,15 @@ in
       };
     };
 
+    virtualHosts.${deltaDomain} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:3300";
+        proxyWebsockets = true;
+      };
+    };
+
     virtualHosts.${betternasDomain} = {
       enableACME = true;
       forceSSL = true;