chore: update secrets

config/hosts/imxyy-nix-server/default.nix

@@ -24,5 +24,6 @@
     ./immich.nix
 
     ./efl.nix
+    ./plant.nix
   ];
 }

config/hosts/imxyy-nix-server/matrix.nix

@@ -33,6 +33,8 @@
       allow_registration = true;
       registration_token_file = config.sops.secrets.tuwunel-reg-token.path;
 
+      suppress_push_when_active = true;
+
       turn_uris = [
         "turn:hk.vkvm.imxyy.top?transport=udp"
         "turn:hk.vkvm.imxyy.top?transport=tcp"

config/hosts/imxyy-nix-server/minio.nix

@@ -16,11 +16,4 @@
     ];
     rootCredentialsFile = config.sops.secrets.minio-env.path;
   };
-  services.caddy.virtualHosts."minio.imxyy.top" = {
-    extraConfig = ''
-      handle_path /* {
-          reverse_proxy :9000
-      }
-    '';
-  };
 }

config/hosts/imxyy-nix-server/net.nix

@@ -208,20 +208,6 @@
           localPort = 443;
           customDomains = [ "oidc.imxyy.top" ];
         }
-        {
-          name = "headscale-http";
-          type = "http";
-          localIP = "127.0.0.1";
-          localPort = 80;
-          customDomains = [ "headscale.imxyy.top" ];
-        }
-        {
-          name = "headscale-https";
-          type = "https";
-          localIP = "127.0.0.1";
-          localPort = 443;
-          customDomains = [ "headscale.imxyy.top" ];
-        }
 
         {
           name = "mail-http";
@@ -441,45 +427,6 @@
     };
   };
 
-  services.tailscale = {
-    enable = true;
-    useRoutingFeatures = "both";
-    extraSetFlags = [ "--accept-dns=false" ];
-  };
-  services.headscale = {
-    enable = true;
-    address = "0.0.0.0";
-    port = 8080;
-    settings = {
-      logtail.enabled = false;
-      server_url = "https://headscale.imxyy.top";
-      dns.magic_dns = false;
-      dns.override_local_dns = false;
-      ip_prefixes = "100.64.0.0/10";
-
-      oidc = {
-        only_start_if_oidc_is_available = true;
-        issuer = "https://oidc.imxyy.top";
-        client_id = "https://headscale.imxyy.top";
-        allowed_domains = [
-          "imxyy.top"
-          "*.imxyy.top"
-        ];
-        client_secret = "";
-        expiry = 0;
-        extra_params.domain_hint = "imxyy.top";
-      };
-    };
-  };
-  systemd.services."headscale" = {
-    after = [
-      "podman-obligator.service"
-    ];
-    requires = [
-      "podman-obligator.service"
-    ];
-  };
-
   sops.secrets.et-imxyy-nix-server = {
     sopsFile = secrets.et-imxyy-nix-server;
     format = "binary";
@@ -518,13 +465,6 @@
       "1616"
     ];
   };
-  services.caddy.virtualHosts."headscale.imxyy.top" = {
-    extraConfig = ''
-      reverse_proxy :8080 {
-        header_up X-Real-IP {remote_host}
-      }
-    '';
-  };
   services.caddy.virtualHosts."oidc.imxyy.top" = {
     extraConfig = ''
       reverse_proxy :8081 {
@@ -573,7 +513,6 @@
         "git"
         "vault"
         "coder"
-        "headscale"
         "grafana"
         "matrix"
         "note"

config/hosts/imxyy-nix-server/plant.nix

@@ -0,0 +1,74 @@
+{
+  inputs,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  app = pkgs.buildNpmPackage (finalAttrs: {
+    pname = "HF-plant";
+    version = "unstable-2025-09-21";
+
+    src = inputs.plant;
+
+    buildPhase = ''
+      runHook preBuild
+
+      npm run build
+      npm run build:proxy
+
+      runHook postBuild
+    '';
+    installPhase = ''
+      runHook preInstall
+
+      mkdir $out
+      mv dist $out
+      cp .env proxy-server-bundled.js $out
+
+      runHook postInstall
+    '';
+
+    npmDepsHash = "sha256-ret4BtjrEt8L1nlvJmFiejAKmbz89Z7NSiKs+qlB51w=";
+  });
+in
+{
+  systemd.services.HF-plant-proxy = {
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      ExecStart = "${lib.getExe pkgs.bash} -c 'source ${app}/.env; export FEISHU_APP_ID FEISHU_APP_SECRET AMAP_JSCODE; ${lib.getExe pkgs.nodejs} ${app}/proxy-server-bundled.js'";
+      Restart = "always";
+      RestartSec = 120;
+    };
+  };
+  services.caddy.virtualHosts."plant.imxyy.top" = {
+    extraConfig = ''
+      handle /api/* {
+        reverse_proxy localhost:3001
+      }
+
+      handle /* {
+        root * ${app}/dist
+        try_files {path} /index.html
+        file_server
+      }
+    '';
+  };
+  services.frp.settings.proxies = [
+    {
+      name = "plant-http";
+      type = "http";
+      localIP = "127.0.0.1";
+      localPort = 80;
+      customDomains = [ "plant.imxyy.top" ];
+    }
+    {
+      name = "plant-https";
+      type = "https";
+      localIP = "127.0.0.1";
+      localPort = 443;
+      customDomains = [ "plant.imxyy.top" ];
+    }
+  ];
+}

flake.lock

@@ -993,6 +993,23 @@
         "type": "github"
       }
     },
+    "plant": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1758423341,
+        "narHash": "sha256-dHcKh7T8I70bKPwgqO5MxZ9bWHINwzRPhFp5waQy2r8=",
+        "ref": "refs/heads/master",
+        "rev": "08dc0b3889797eb3618c7475c3c367ec0e5fdf40",
+        "revCount": 6,
+        "type": "git",
+        "url": "ssh://git@git.imxyy.top:2222/imxyy1soope1/HF-plant.git"
+      },
+      "original": {
+        "rev": "08dc0b3889797eb3618c7475c3c367ec0e5fdf40",
+        "type": "git",
+        "url": "ssh://git@git.imxyy.top:2222/imxyy1soope1/HF-plant.git"
+      }
+    },
     "root": {
       "inputs": {
         "catppuccin": "catppuccin",
@@ -1012,6 +1029,7 @@
         "nixpkgs-master": "nixpkgs-master",
         "nixpkgs-stable": "nixpkgs-stable_2",
         "nixpkgs-unstable": "nixpkgs-unstable",
+        "plant": "plant",
         "sops-nix": "sops-nix",
         "stylix": "stylix",
         "zen": "zen"

flake.nix

@@ -48,6 +48,9 @@
     zen.url = "github:0xc000022070/zen-browser-flake";
     zen.inputs.nixpkgs.follows = "nixpkgs";
 
+    plant.url = "git+ssh://git@git.imxyy.top:2222/imxyy1soope1/HF-plant.git?rev=08dc0b3889797eb3618c7475c3c367ec0e5fdf40";
+    plant.flake = false;
+
     catppuccin.url = "github:catppuccin/nix";
     catppuccin.inputs.nixpkgs.follows = "nixpkgs";