add obsidian livesync

use relative path

rename dockerfile and change build arg

try systemd tmpfiles

add docker entrypoint

use more systemd tmpfiles

whoops i was missing a file

remove home.files and move to systemd.tmpfiles

dont use root

make immutable

make immutable v2

whoops

remove +i

needs to be executable

.sops.yaml

@@ -4,6 +4,13 @@ keys:
   - &win10 age1cz006hex596lmj88kkhrkvq89luqk59hxuq83q4kvhz82ltwpe4ss8gm3t
   - &serverpc age1sn4uu6r6wrylpznx75jcw7ww58r9cut35n40gu4scpt9xy79rgrq2d7wga
 creation_rules:
+  - path_regex: .ini
+    key_groups:
+    - age:
+        - *desktop
+        - *laptop
+        - *win10
+        - *serverpc
   - path_regex: .conf
     key_groups:
     - age:

common/users/docker/obsidian/10-docker-default.ini

@@ -0,0 +1,9 @@
+; CouchDB Configuration Settings
+
+; Custom settings should be made in this file. They will override settings
+; in default.ini, but unlike changes made to default.ini, this file won't be
+; overwritten on server upgrade.
+
+[chttpd]
+bind_address = any
+

common/users/docker/obsidian/Dockerfile

@@ -0,0 +1,104 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+FROM debian:bookworm-slim
+
+LABEL maintainer="CouchDB Developers dev@couchdb.apache.org"
+
+# Add CouchDB user account to make sure the IDs are assigned consistently
+RUN groupadd -g 1000 -r couchdb && useradd -u 1000 -d /opt/couchdb -g couchdb couchdb
+
+# be sure GPG and apt-transport-https are available and functional
+RUN set -ex; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends \
+        apt-transport-https \
+        ca-certificates \
+        dirmngr \
+        gnupg \
+     ; \
+    rm -rf /var/lib/apt/lists/*
+
+# grab tini for signal handling and zombie reaping
+# see https://github.com/apache/couchdb-docker/pull/28#discussion_r141112407
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y --no-install-recommends tini; \
+    rm -rf /var/lib/apt/lists/*; \
+    tini --version
+
+# http://docs.couchdb.org/en/latest/install/unix.html#installing-the-apache-couchdb-packages
+ENV GPG_COUCH_KEY \
+# gpg: rsa8192 205-01-19 The Apache Software Foundation (Package repository signing key) <root@apache.org>
+    390EF70BB1EA12B2773962950EE62FB37A00258D
+RUN set -eux; \
+    apt-get update; \
+    apt-get install -y curl; \
+    export GNUPGHOME="$(mktemp -d)"; \
+    curl -fL -o keys.asc https://couchdb.apache.org/repo/keys.asc; \
+    gpg --batch --import keys.asc; \
+    gpg --batch --export "${GPG_COUCH_KEY}" > /usr/share/keyrings/couchdb-archive-keyring.gpg; \
+    command -v gpgconf && gpgconf --kill all || :; \
+    rm -rf "$GNUPGHOME"; \
+    apt-key list; \
+    apt purge -y --autoremove curl; \
+    rm -rf /var/lib/apt/lists/*
+
+ENV COUCHDB_VERSION 3.4.2
+
+RUN . /etc/os-release; \
+    echo "deb [signed-by=/usr/share/keyrings/couchdb-archive-keyring.gpg] https://apache.jfrog.io/artifactory/couchdb-deb/ ${VERSION_CODENAME} main" | \
+        tee /etc/apt/sources.list.d/couchdb.list >/dev/null
+
+# https://github.com/apache/couchdb-pkg/blob/master/debian/README.Debian
+RUN set -eux; \
+    apt-get update; \
+    \
+    echo "couchdb couchdb/mode select none" | debconf-set-selections; \
+# we DO want recommends this time
+    DEBIAN_FRONTEND=noninteractive apt-get install -y --allow-downgrades --allow-remove-essential --allow-change-held-packages \
+            couchdb="$COUCHDB_VERSION"~bookworm \
+    ; \
+# Undo symlinks to /var/log and /var/lib
+    rmdir /var/lib/couchdb /var/log/couchdb; \
+    rm /opt/couchdb/data /opt/couchdb/var/log; \
+    mkdir -p /opt/couchdb/data /opt/couchdb/var/log; \
+    chown couchdb:couchdb /opt/couchdb/data /opt/couchdb/var/log; \
+    chmod 777 /opt/couchdb/data /opt/couchdb/var/log; \
+# Remove file that sets logging to a file
+    rm /opt/couchdb/etc/default.d/10-filelog.ini; \
+# Check we own everything in /opt/couchdb. Matches the command in dockerfile_entrypoint.sh
+    find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +; \
+# Setup directories and permissions for config. Technically these could be 555 and 444 respectively
+# but we keep them as 755 and 644 for consistency with CouchDB defaults and the dockerfile_entrypoint.sh.
+    find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +; \
+    find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +; \
+# only local.d needs to be writable for the docker_entrypoint.sh
+    chmod -f 0777 /opt/couchdb/etc/local.d; \
+# apt clean-up
+    rm -rf /var/lib/apt/lists/*;
+
+# Add configuration
+COPY --chown=couchdb:couchdb 10-docker-default.ini /opt/couchdb/etc/default.d/
+COPY --chown=couchdb:couchdb vm.args /opt/couchdb/etc/
+
+COPY docker-entrypoint.sh /usr/local/bin
+RUN ln -s usr/local/bin/docker-entrypoint.sh /docker-entrypoint.sh # backwards compat
+ENTRYPOINT ["tini", "--", "/docker-entrypoint.sh"]
+
+VOLUME /opt/couchdb/data
+
+# 5984: Main CouchDB endpoint
+# 4369: Erlang portmap daemon (epmd)
+# 9100: CouchDB cluster communication port
+EXPOSE 5984 4369 9100
+CMD ["/opt/couchdb/bin/couchdb"]

common/users/docker/obsidian/couchdb.env

@@ -0,0 +1,15 @@
+#ENC[AES256_GCM,data:hm2MQZYAw3rIWhppfVYDw9s/Qs8Rh0shBg==,iv:K0tartVnSGL8J+G3SWqttw57wUC5H+uFNOoaU2q4zsY=,tag:StumcmqqmfKo6UB88WgxVg==,type:comment]
+COUCHDB_USER=ENC[AES256_GCM,data:8+tX+H4=,iv:2KLlcssU+4qvgx4W6IwHlODwOwY5aYKDIbfytcRivdA=,tag:Oj6WaALVZJH0KuZtGimvrw==,type:str]
+COUCHDB_PASSWORD=ENC[AES256_GCM,data:46ditI0rY1+yjcNK9hHkNWQVKzoIr+1h+g/1gI+I7wscGVH3LtAnBSHAL/jWcobNSxcnuIsRsWoIGjl+f6xcrkuXfZ4Ad07OpR/9,iv:uLEjreLcG9waKRoGnTYmtt//178hDElZfpyTKPebPNs=,tag:s5dKaVYDxePKTIP+sVQUyA==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2MUh6SFR5cS8vUHRUWWs1\nUitSWjVZNkVHR1k1REdhSWI4cGNZdDVzZ2t3Ck5wdjEraUdDbTdNek5GSytjem50\nb1JpdkJHN0RiSnl6UWltVTdBR0l2d0EKLS0tIEhRWnFlNGJwWG9iUEtpd3lHQ3p5\nWXg4N09udGN0NjJ0QVUxT2gyczdOcDgKo5x8yuB3aUeFNyy20VJAAo/WZAvC0OQV\n6E+AjmElwO6zwn8ks6j4iji/APiKzzius3D0Uji5APbFqnsnKgE+6A==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1xsuyaeehzv4ar4f6xpc6tfp9pttzjf7qdyl3x2tj42vjc8szlqpq834e3d
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWckRheml2bVJEK0dnTjB2\najB6YUJGOWdKVVFxNnRBZ0hILzIvanFQcHpBCm9LbXN0TVo0WnFHbThybmpPVEFt\nZ25HakQwdC9pOHRMZU1LR3MvT1I2REkKLS0tIDlQOFE1UE5pS2dzTWowWEJVbVhw\nYnl0MVROYmNBU3lmLzNoWG9xdWFNUnMKrSIp/vE1aH9Se9EEd0SHRmE3iGrhcvey\nIk6Wg9JI4FXyrsSSGdjcxW+Om9CXzxgfx75Ld5H47bEyJS53cwkOjg==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1tq8zaaqe8t4u2jgyf7usngtzyql0ymyxq6hntmu04vt5ypwhxensmzynhl
+sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OVpWVjNOU1ZTRDR5ZmlM\nTHFrWThTc2QvS0pwNFhmOW1wdTUvTXJwS2trCldGOUVFb3F3bExkUWR2RnZyN0tp\nckRlbmZLSjJsVE9Eb2tRSVVmVlh2OEkKLS0tIG52ZGpXak1XeTA1NlR4cTZ4RzBU\nNEdLTVI3UDlxNHNqT1ZEZkkzbng0MHcKt6dncWpg1IW9njqveiLlnzAu1tU3yre7\nFXnAxQqTpxvSG8dPcg9cswNx8ajWDHVJIbGOkPMjgT0OmypRXBkKuA==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_2__map_recipient=age1cz006hex596lmj88kkhrkvq89luqk59hxuq83q4kvhz82ltwpe4ss8gm3t
+sops_age__list_3__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpMnZuanBBRnprVEpONVVS\nYUxvVk5PWi9QTFArcWlDRzFkcUpTbWl5RmpNCnpGMHd5UURPZjBQbTM4ZmRMMzZv\nOUhOdVRoTmJLMkV5dUt6SitqNUFBNUkKLS0tIHZiSVlMYUl5RERGR2xZOGtRMC9a\nK1hueGR3UG9mSDNhdDVMZ1poWGJMK1kKttOlAxt5pWVp0fbDoKbAhvpXOeEeje9I\nmsHHhocPpJIpgbBeL+LQX51Nr+THCK1vK25tthIOIxN0klgNfcXmpw==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_3__map_recipient=age1sn4uu6r6wrylpznx75jcw7ww58r9cut35n40gu4scpt9xy79rgrq2d7wga
+sops_lastmodified=2025-02-25T03:53:58Z
+sops_mac=ENC[AES256_GCM,data:ivVfYWydmc8kNyD7rfxxFT44UTEOP9SGBuc+H6bQ6dJs0QI74PmQAru9qgwILWgrnYRQfuI6R+G2xwzhJdzxVjy2oON1SY517ocONwbUdNjCye7gYmUXJdW9T4qRJY0W8QiQIBECoW0RT7P34EfaOCGv1IUpLVIYRaSFrtlddjQ=,iv:BfOelwJPmzUU40kapf1twHXLx26pEKon4opd/iA7pt8=,tag:BJz88QUUCPrAj0fBIwjuaQ==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.9.4

common/users/docker/obsidian/default.nix

@@ -0,0 +1,64 @@
+{ config, ... }:
+{
+  imports = [
+    ../../homeModules/sops.nix
+  ];
+  home = {
+    file = {
+      couchdb_compose = {
+        source = ./docker-compose.yaml;
+        target = "./src/obsidian/docker-compose.yaml";
+      };
+      # Docker is stupid and wont read a symlinked Dockerfile
+      # couchdb_dockerfile = {
+      #   source = ./Dockerfile;
+      #   target = "./src/obsidian/Dockerfile";
+      # };
+      # not only will it not load a symlinked dockerfile, it refuses to copy any symlinked file
+      # couchdb_vm-args = {
+      #   source = ./vm.args;
+      #   target = "./src/obsidian/vm.args";
+      # };
+      # couchdb_docker-default = {
+      #   source = ./10-docker-default.ini;
+      #   target = "./src/obsidian/10-docker-default.ini";
+      # };
+      # couchdb_docker-entrypoint-sh = {
+      #   source = ./docker-entrypoint.sh;
+      #   target = "./src/obsidian/docker-entrypoint.sh";
+      # };
+    };
+  };
+  systemd = {
+    user = {
+      tmpfiles = {
+        rules = [
+          "C /home/${config.home.username}/src/obsidian/Dockerfile 0444 - - - ${./Dockerfile}"
+          "C /home/${config.home.username}/src/obsidian/docker-entrypoint.sh 0555 - - - ${./docker-entrypoint.sh}"
+          "C /home/${config.home.username}/src/obsidian/10-docker-default.ini 0444 - - - ${./10-docker-default.ini}"
+          "C /home/${config.home.username}/src/obsidian/vm.args 0444 - - - ${./vm.args}"
+          # root is needed to +i
+          # "h /home/${config.home.username}/src/obsidian/Dockerfile - - - - i"
+          # "h /home/${config.home.username}/src/obsidian/docker-entrypoint.sh - - - - i"
+          # "h /home/${config.home.username}/src/obsidian/10-docker-default.ini - - - - i"
+          # "h /home/${config.home.username}/src/obsidian/vm.args - - - - i"
+        ];
+      };
+    };
+  };
+  sops = {
+    secrets = {
+      couchdb_env = {
+        format = "dotenv";
+        sopsFile = ./couchdb.env;
+        path = "/home/${config.home.username}/src/obsidian/couchdb.env";
+      };
+      # encrypted because it has a hashed password
+      couchdb_docker-ini = {
+        format = "ini";
+        sopsFile = ./docker.ini;
+        path = "/home/${config.home.username}/src/obsidian/docker.ini";
+      };
+    };
+  };
+}

common/users/docker/obsidian/docker-compose.yaml

@@ -0,0 +1,15 @@
+version: '2.1'
+services:
+  couchdb:
+    build: .
+    container_name: obsidian_livesync
+    env_file: ./couchdb.env
+    restart: unless-stopped
+    volumes:
+      # state, create an empty dir
+      - ./data:/opt/couchdb/data
+      # config, encrypted because it has a hashed password
+      - ./docker.ini:/opt/couchdb/etc/local.d/docker.ini
+    ports:
+      - "5984:5984"
+

common/users/docker/obsidian/docker-entrypoint.sh

@@ -0,0 +1,122 @@
+#!/bin/bash
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+set -e
+
+# first arg is `-something` or `+something`
+if [ "${1#-}" != "$1" ] || [ "${1#+}" != "$1" ]; then
+	set -- /opt/couchdb/bin/couchdb "$@"
+fi
+
+# first arg is the bare word `couchdb`
+if [ "$1" = 'couchdb' ]; then
+	shift
+	set -- /opt/couchdb/bin/couchdb "$@"
+fi
+
+if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
+	# this is where runtime configuration changes will be written.
+	# we need to explicitly touch it here in case /opt/couchdb/etc has
+	# been mounted as an external volume, in which case it won't exist.
+	# If running as the couchdb user (i.e. container starts as root),
+	# write permissions will be granted below.
+	touch /opt/couchdb/etc/local.d/docker.ini
+
+	# if user is root, assume running under the couchdb user (default)
+	# and ensure it is able to access files and directories that may be mounted externally
+	if [ "$(id -u)" = '0' ]; then
+		# Check that we own everything in /opt/couchdb and fix if necessary. We also
+		# add the `-f` flag in all the following invocations because there may be
+		# cases where some of these ownership and permissions issues are non-fatal
+		# (e.g. a config file owned by root with o+r is actually fine), and we don't
+		# to be too aggressive about crashing here ...
+		find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown -f couchdb:couchdb '{}' +
+
+		# Ensure that data files have the correct permissions. We were previously
+		# preventing any access to these files outside of couchdb:couchdb, but it
+		# turns out that CouchDB itself does not set such restrictive permissions
+		# when it creates the files. The approach taken here ensures that the
+		# contents of the datadir have the same permissions as they had when they
+		# were initially created. This should minimize any startup delay.
+		find /opt/couchdb/data -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
+		find /opt/couchdb/data -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
+
+		# Do the same thing for configuration files and directories. Technically
+		# CouchDB only needs read access to the configuration files as all online
+		# changes will be applied to the "docker.ini" file below, but we set 644
+		# for the sake of consistency.
+		find /opt/couchdb/etc -type d ! -perm 0755 -exec chmod -f 0755 '{}' +
+		find /opt/couchdb/etc -type f ! -perm 0644 -exec chmod -f 0644 '{}' +
+	fi
+
+	if [ ! -z "$NODENAME" ] && ! grep "couchdb@" /opt/couchdb/etc/vm.args; then
+		echo "-name couchdb@$NODENAME" >> /opt/couchdb/etc/vm.args
+	fi
+
+	if [ "$COUCHDB_USER" ] && [ "$COUCHDB_PASSWORD" ]; then
+		# Create admin only if not already present
+		if ! grep -Pzoqr "\[admins\]\n$COUCHDB_USER =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then
+			printf "\n[admins]\n%s = %s\n" "$COUCHDB_USER" "$COUCHDB_PASSWORD" >> /opt/couchdb/etc/local.d/docker.ini
+		fi
+	fi
+
+	if [ "$COUCHDB_SECRET" ]; then
+		# Set secret only if not already present
+		if ! grep -Pzoqr "\[chttpd_auth\]\nsecret =" /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then
+			printf "\n[chttpd_auth]\nsecret = %s\n" "$COUCHDB_SECRET" >> /opt/couchdb/etc/local.d/docker.ini
+		fi
+	fi
+
+	if [ "$COUCHDB_ERLANG_COOKIE" ]; then
+		cookieFile='/opt/couchdb/.erlang.cookie'
+		if [ -e "$cookieFile" ]; then
+			if [ "$(cat "$cookieFile" 2>/dev/null)" != "$COUCHDB_ERLANG_COOKIE" ]; then
+				echo >&2
+				echo >&2 "warning: $cookieFile contents do not match COUCHDB_ERLANG_COOKIE"
+				echo >&2
+			fi
+		else
+			echo "$COUCHDB_ERLANG_COOKIE" > "$cookieFile"
+		fi
+		chown couchdb:couchdb "$cookieFile"
+		chmod 600 "$cookieFile"
+	fi
+
+	if [ "$(id -u)" = '0' ]; then
+		chown -f couchdb:couchdb /opt/couchdb/etc/local.d/docker.ini || true
+	fi
+
+	# if we don't find an [admins] section followed by a non-comment, display a warning
+        if ! grep -Pzoqr '\[admins\]\n[^;]\w+' /opt/couchdb/etc/default.d/*.ini /opt/couchdb/etc/local.d/*.ini /opt/couchdb/etc/local.ini; then
+		# The - option suppresses leading tabs but *not* spaces. :)
+		cat >&2 <<-'EOWARN'
+*************************************************************
+ERROR: CouchDB 3.0+ will no longer run in "Admin Party"
+       mode. You *MUST* specify an admin user and
+       password, either via your own .ini file mapped
+       into the container at /opt/couchdb/etc/local.ini
+       or inside /opt/couchdb/etc/local.d, or with
+       "-e COUCHDB_USER=admin -e COUCHDB_PASSWORD=password"
+       to set it via "docker run".
+*************************************************************
+EOWARN
+		exit 1
+	fi
+
+	if [ "$(id -u)" = '0' ]; then
+		export HOME=$(echo ~couchdb)
+		exec setpriv --reuid=couchdb --regid=couchdb --clear-groups "$@"
+	fi
+fi
+
+exec "$@"

common/users/docker/obsidian/docker.ini

@@ -0,0 +1,42 @@
+; ENC[AES256_GCM,data:7/U91GyWZp4UVdf9Juj6OmpqWsSeSht+,iv:Qcp5764/ctFyFbURjDEJyr24+YHmdJ0DYWY02MM/amk=,tag:x3aQXiiu2XypJLhC5a64Iw==,type:comment]
+[admins]
+sadan = ENC[AES256_GCM,data:EFzrBXBT5huxlYHw+GV5Mf9eGc3vMkwqNjvefoBbezS2nJVCvQT0//IuHj2g2/+uftg6MIbkte/UJIHVS7Yb4mgp8PylKESGVruJWO6zYRc56eUnZ/VGgA+QVDjuI+fkExtDtCE9/izxjZXjB95pOF4NpDKW50Y=,iv:JjjWbMRbYNmmeu9yqIVVv0KI7nz3qZm2oMvtw2yqbAc=,tag:WTiwN+mBDx6WXGaSDsadig==,type:str]
+
+[chttpd]
+bind_address          = ENC[AES256_GCM,data:7pXoGByMPg==,iv:KXWYlS1VDgEzp0p6InO2Rk1IVt5JeGXAQXz+i1YbpRg=,tag:6stdVETor2Em5N+DbpJ1yA==,type:str]
+port                  = ENC[AES256_GCM,data:gYArrA==,iv:UqSaQOR3LJrKWYgNCdzVGOgSjV+IriFg8N4RAdkj91w=,tag:YQ6A31508NAljgE0pM2C3A==,type:str]
+require_valid_user    = ENC[AES256_GCM,data:bzopMw==,iv:IXuVyFLFvJGUm+Yuet8B34hhpPRuAXkFynvTgvZAfjI=,tag:uFJty0X087SsHX8TqyfcVQ==,type:str]
+enable_cors           = ENC[AES256_GCM,data:ytit6g==,iv:Dn/wl5E8d5dk/qasddKjjr5mggtooiTwzS03nEoAk60=,tag:aW7ip/YFwzpRog5kBb7jug==,type:str]
+max_http_request_size = ENC[AES256_GCM,data:2mX4kLrO2ZBaUg==,iv:4v46gx5X2Cg/UkgT8Wugl0hwhEJhUUla/ustmQg5l6s=,tag:EVWVf3f4l6Zc/4NxBJa6Ww==,type:str]
+
+[cluster]
+n = ENC[AES256_GCM,data:Jw==,iv:tgvecx016ZrQkGwTlEdGL/HNYv0Ivxu7tbkhFfL3SSU=,tag:jckZoDZXzvU6aIx6KprAkQ==,type:str]
+
+[chttpd_auth]
+require_valid_user = ENC[AES256_GCM,data:O8/KBQ==,iv:FJiEprcZK+cqfoubacPFzCcgUoddUYhJNPCXbWx8/ls=,tag:BqbP8csJoB41wfICkjWwfg==,type:str]
+
+[httpd]
+WWW-Authenticate = ENC[AES256_GCM,data:RIAjMFSfqQFuiYLm1ptjliOr+fgQ,iv:gSlb5MFBeVtqzmLc3jjJkWfqgxXH3OFKKY7o9RTqzB8=,tag:91H3OBQf8gs4gXFUfqEXiw==,type:str]
+enable_cors      = ENC[AES256_GCM,data:IbfvIg==,iv:sT2y2/FnaJoPA7eJ7PDH2liO2gpu//gxkne6gkmLAVk=,tag:0hLVVjJ9qUsV5CBEhwHMgQ==,type:str]
+
+[couchdb]
+max_document_size = ENC[AES256_GCM,data:kS+1OJYdAJQ=,iv:/FrMXbJsuwybBbkZHsyJLspW62RdcjgBE+6NnCs76ZI=,tag:+3wbGyT7rByLW/fHBTfc5Q==,type:str]
+uuid              = ENC[AES256_GCM,data:69L+pMSVRPZ8hiToVgNMocxOS0JjJ2sXXAgYzNbEOB8=,iv:CIYwYtf2hJeVn8JoQCqhHOtyFIO7r0GFM7lTnqp9zC4=,tag:HXtX91NukJDw8gIrFQV/qA==,type:str]
+
+[cors]
+credentials = ENC[AES256_GCM,data:8/SoBg==,iv:KOF4qbjG1MA0mdkHnizFdlrGEIV0KLS8AEGB/CdhBss=,tag:JnxcmB84XYrPtk+EPqQpbw==,type:str]
+origins     = ENC[AES256_GCM,data:8l7EKGjzq0cvgnf3LnktW7trUDYuTvZAMJzRWeQkt5Y62rZRWJhld8PRQPRRpTWi8T2u4Rbj5kc=,iv:QXryXqYQoISg1Fk9HYZ8B4jUVJopKKCLi8d1cZZ9eIw=,tag:8gMS8fqmll9Kv1BJvNRRFw==,type:str]
+
+[sops]
+age__list_3__map_enc       = -----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrOUVTUEplcVJYSzIzdjlW\nNThydVNqQnJBc3NtcVpmOTNHU0hJd3FhTTMwClNRY2x5ZzBXSEJxdFgyVURtbEFv\nckFRUW85UDl2U2lrNXA5dEExaEZvWGsKLS0tIFFESVVISmQyZDEvMjNqdzk5R0FS\nYU5IeUd1bmtLTFlpWTBxZjg1cmRtMkUK/JriXS125Z11qf+uDygH3wFLHwm5tKvA\nu8d04UZS4Zryw9MFN9SCpgx91/NYhSySjbFary09O6p0+KEznRgkFQ==\n-----END AGE ENCRYPTED FILE-----\n
+age__list_2__map_enc       = -----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3azVBN1Bhdk9qTVowV0gr\nZDR1TWlGdHZWaFFjeFBwTHhodFJmQ21SczBzCmIwbmdQWGR0L3h4TXRlaFo0KzlM\ndDJIcnpLMDEzRlBLbU05ZFNzYjRYcGMKLS0tIGt3Q1BCb0NyTmRvWTVnNU90NXZ1\nSFNydHo4KzZ3enQ4WGtlZ1pkSHExV0kKmJcYEwEk1YhDIiX/R0HqdY1C6FbeaYmJ\nyiEk49utYLQVU8ciwRYxAR0RYkPVZx0ltiJg5+Ccz5Qmgn+OAhrDRw==\n-----END AGE ENCRYPTED FILE-----\n
+mac                        = ENC[AES256_GCM,data:VhVs/HazGKk3n948kNfthtjowLBetW+RMrnPO0PWgegYnhGUsro8ugAHW+zwdTG7ZdK6M+pEFMEZgPVuDYqH1eVSt0pemHFA++2/Qi2ijqY7Y4B0FFYFpkCISMzG+CKfECyTLYIi5rIv/FdmiCCsu96zIJ5BdgnDa6t2NELk8bc=,iv:hzeOl6XLgsblMtXH5PlAGvGEPikq/bUBEslqGvfcgQc=,tag:ejtGtVbtB0vGFYbeFvPzBg==,type:str]
+unencrypted_suffix         = _unencrypted
+age__list_3__map_recipient = age1sn4uu6r6wrylpznx75jcw7ww58r9cut35n40gu4scpt9xy79rgrq2d7wga
+age__list_0__map_enc       = -----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRSGl5S29LaWhQa0NwUUFo\nekJmbzZySzNBOVlod0gvNnZIS3hsQ0dBK2hjCit1REVzWWhTdlY0Z0REY2trU3FI\nWkQvNVB5dHh3M2pzWGJDSHRUV0kwOXMKLS0tIDJtL0NTcStRMjZ3eTFZL1BsekZr\nUHNlUjF2ZllCcHZ4TXAyQUVkV20yUWMK8LWX0Fe/b5BrCnkiRZ0h8EFNS1X/pgoj\ngMb89e8DfNHborA6cKY/KxQ2aWrfts44fWae8I50FhW29+cRFHlhiQ==\n-----END AGE ENCRYPTED FILE-----\n
+lastmodified               = 2025-02-25T04:04:21Z
+age__list_0__map_recipient = age1xsuyaeehzv4ar4f6xpc6tfp9pttzjf7qdyl3x2tj42vjc8szlqpq834e3d
+version                    = 3.9.4
+age__list_2__map_recipient = age1cz006hex596lmj88kkhrkvq89luqk59hxuq83q4kvhz82ltwpe4ss8gm3t
+age__list_1__map_enc       = -----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXTG12enU3MWZoVCtTdUs2\nbUNpMllHTTBIeDNYbnM4aWJyejIxWkV6ZEZ3CkpSaW1qN2c3T1VTdUNBUTJKWFFX\nekFoRUxuMDZlRXhaRUVCenlLaWpVT0EKLS0tIFJKNklONmJ2dFhLMXVnNDRoVlRB\nTnJJU3B6Y1B2Q0VGYk9qaFFmVUF0aUEKSA5t7QxmND2HkuXh5Wr9+kkJP2V7Loxl\n+vzMdF19stBE/TQllBw8of0L+hxy11MMhyxP0JpmOXRurv03cH/sTQ==\n-----END AGE ENCRYPTED FILE-----\n
+age__list_1__map_recipient = age1tq8zaaqe8t4u2jgyf7usngtzyql0ymyxq6hntmu04vt5ypwhxensmzynhl

common/users/docker/obsidian/nginx.nix

@@ -0,0 +1,19 @@
+
+{ ... }:
+{
+  services = {
+    nginx = {
+      virtualHosts = {
+        "obsidian.sadan.zip" = {
+          forceSSL = true;
+          useACMEHost = "sadan.zip";
+          locations = {
+            "/" = {
+              proxyPass = "http://localhost:5984";
+            };
+          };
+        };
+      };
+    };
+  };
+}

common/users/docker/obsidian/vm.args

@@ -0,0 +1,47 @@
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not
+# use this file except in compliance with the License. You may obtain a copy of
+# the License at
+#
+#   http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
+# License for the specific language governing permissions and limitations under
+# the License.
+
+# Ensure that the Erlang VM listens on a known port
+-kernel inet_dist_listen_min 9100
+-kernel inet_dist_listen_max 9100
+
+# Tell kernel and SASL not to log anything
+-kernel error_logger silent
+-sasl sasl_error_logger false
+
+# This will toggle to true in Erlang 25+. However since we don't use global
+# any longer, and have our own auto-connection module, we can keep the
+# existing global behavior to avoid surprises. See
+# https://github.com/erlang/otp/issues/6470#issuecomment-1337421210 for more
+# information about possible increased coordination and messages being sent on
+# disconnections when this setting is enabled.
+#
+-kernel prevent_overlapping_partitions false
+
+# Increase the pool of dirty IO schedulers from 10 to 16
+# Dirty IO schedulers are used for file IO.
++SDio 16
+
+# Increase distribution buffer size from default of 1MB to 32MB. The default is
+# usually a bit low on busy clusters. Has no effect for single-node setups.
+# The unit is in kilobytes.
++zdbbl 32768
+
+# When running on Docker, Kubernetes or an OS using CFS (Completely Fair
+# Scheduler) with CPU quota limits set, disable busy waiting for schedulers to
+# avoid busy waiting consuming too much of Erlang VM's CPU time-slice shares.
++sbwt none
++sbwtdcpu none
++sbwtdio none
+
+# Comment this line out to enable the interactive Erlang shell on startup
++Bd -noinput

common/users/meyer-server/default.nix

@@ -19,6 +19,7 @@ in
     ]
     ++ [
       ../docker/vw/nginx.nix
+      ../docker/obsidian/nginx.nix
     ];
   users = {
     users = {
@@ -47,6 +48,7 @@ in
         {
           imports = [
             ../docker/vw
+            ../docker/obsidian
             ./home.nix
           ];
         }