feat" diffkit self host" (#72)

hosts/netty/configuration.nix

@@ -17,6 +17,7 @@ in
     ./nginx.nix
     ./vaultwarden.nix
     ./forgejo.nix
+    ./diffkit.nix
     ./betternas.nix
     ./hermes-gateway.nix
     ./forgejo-runner.nix

hosts/netty/diffkit.nix

@@ -0,0 +1,71 @@
+{
+  pkgs,
+  username,
+  ...
+}:
+let
+  diffkitPort = "3200";
+  stateDir = "/var/lib/diffkit";
+  repoDir = "/home/${username}/Documents/GitHub/diffkit";
+  envFile = "${stateDir}/diffkit.env";
+  dbPath = "${stateDir}/diffkit.db";
+  migrationsDir = "${repoDir}/apps/dashboard/drizzle";
+
+  migrationScript = pkgs.writeShellScript "diffkit-migrate" ''
+    set -euo pipefail
+    DB="${dbPath}"
+    MIGRATIONS="${migrationsDir}"
+
+    ${pkgs.sqlite}/bin/sqlite3 "$DB" "SELECT 1;" > /dev/null 2>&1 || true
+    ${pkgs.sqlite}/bin/sqlite3 "$DB" \
+      "CREATE TABLE IF NOT EXISTS __drizzle_migrations (tag TEXT PRIMARY KEY, applied_at INTEGER NOT NULL);"
+
+    for sql_file in "$MIGRATIONS"/[0-9]*.sql; do
+      [ -f "$sql_file" ] || continue
+      tag=$(basename "$sql_file" .sql)
+      applied=$(${pkgs.sqlite}/bin/sqlite3 "$DB" "SELECT COUNT(*) FROM __drizzle_migrations WHERE tag='$tag';")
+      if [ "$applied" = "0" ]; then
+        echo "Applying migration: $tag"
+        ${pkgs.gnused}/bin/sed 's/--> statement-breakpoint/;/g' "$sql_file" \
+          | ${pkgs.sqlite}/bin/sqlite3 "$DB"
+        ${pkgs.sqlite}/bin/sqlite3 "$DB" \
+          "INSERT INTO __drizzle_migrations (tag, applied_at) VALUES ('$tag', strftime('%s','now'));"
+      fi
+    done
+    echo "Migrations complete."
+  '';
+in
+{
+  systemd.tmpfiles.rules = [
+    "d ${stateDir} 0750 ${username} users -"
+    "z ${envFile} 0600 ${username} users -"
+  ];
+
+  systemd.services.diffkit = {
+    description = "diffkit GitHub Diff Viewer";
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    environment = {
+      NODE_ENV = "production";
+      HOST = "127.0.0.1";
+      PORT = diffkitPort;
+      DATABASE_PATH = dbPath;
+      BETTER_AUTH_URL = "https://diffs.harivan.sh";
+      GITHUB_APP_PRIVATE_KEY_FILE = "${stateDir}/github-app-key.pem";
+    };
+
+    serviceConfig = {
+      Type = "simple";
+      User = username;
+      Group = "users";
+      WorkingDirectory = "${repoDir}/apps/dashboard";
+      ExecStartPre = migrationScript;
+      ExecStart = "${pkgs.nodejs_22}/bin/node node-server.mjs";
+      EnvironmentFile = "-${envFile}";
+      Restart = "on-failure";
+      RestartSec = 5;
+    };
+  };
+}

hosts/netty/nginx.nix

@@ -6,6 +6,7 @@ let
   forgejoDomain = "git.harivan.sh";
   vaultDomain = "vault.harivan.sh";
   betternasDomain = "api.betternas.com";
+  diffkitDomain = "diffs.harivan.sh";
 in
 {
   security.acme = {
@@ -43,6 +44,15 @@ in
       locations."/".proxyPass = "http://127.0.0.1:8222";
     };
 
+    virtualHosts.${diffkitDomain} = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:3200";
+        proxyWebsockets = true;
+      };
+    };
+
     virtualHosts.${betternasDomain} = {
       enableACME = true;
       forceSSL = true;

modules/devshells.nix

@@ -11,7 +11,7 @@
           git
           just
           nixfmt-tree
-          nodePackages.prettier
+          prettier
           pre-commit
           selene
           shfmt