feat: shlink addition

hosts/lab/default.nix

@@ -11,6 +11,7 @@
     ./fail2ban.nix
     ./uptime-kuma.nix
     ./tinyauth.nix
+    ./shlink.nix
   ];
 
   networking.hostName = "lab";

hosts/lab/shlink.nix

@@ -0,0 +1,92 @@
+{ config, lib, ... }:
+{
+  sops.secrets.shlink-db-password = {
+    sopsFile = ../../secrets/shlink.yaml;
+    owner = "postgres";
+  };
+
+  sops.secrets.shlink-api-key = {
+    sopsFile = ../../secrets/shlink.yaml;
+  };
+
+  sops.templates.shlink-env = {
+    content = ''
+    INITIAL_API_KEY=${config.sops.placeholder.shlink-api-key}
+    DB_PASSWORD=${config.sops.placeholder.shlink-db-password}
+    '';
+    owner = "podman";
+  };
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "shlink" ];
+    ensureUsers = [{
+      name = "shlink";
+      ensureDBOwnership = true;
+    }];
+    authentication = ''
+      host shlink shlink 127.0.0.1/32 md5
+      host shlink shlink ::1/128 md5
+    '';
+  };
+
+  systemd.services.postgresql.postStart = lib.mkAfter ''
+    $PSQL -tA <<'EOF'
+      DO $$
+      DECLARE pw TEXT;
+      BEGIN
+        pw := trim(both from pg_read_file('${config.sops.secrets.shlink-db-password.path}'));
+        EXECUTE format('ALTER USER shlink PASSWORD %L', pw);
+      END
+      $$;
+    EOF
+  '';
+
+  services.caddy.virtualHosts."ily.rs" = {
+    extraConfig = ''
+      redir / https://wynne.rs permanent
+      reverse_proxy localhost:8080
+      encode zstd gzip
+    '';
+  };
+
+  services.caddy.virtualHosts."links.ily.rs" = {
+    extraConfig = ''
+      import tinyauth
+      reverse_proxy localhost:8081
+      encode zstd gzip
+    '';
+  };
+
+  virtualisation.oci-containers.containers.shlink = {
+    image = "shlinkio/shlink:4.4.0";
+    podman.user = "podman";
+    ports = [ "127.0.0.1:8080:8080" ];
+    environment = {
+      DEFAULT_DOMAIN = "ily.rs";
+      IS_HTTPS_ENABLED = "true";
+      DB_DRIVER = "postgres";
+      DB_HOST = "host.containers.internal";
+      DB_NAME = "shlink";
+      DB_USER = "shlink";
+      PORT = "8080";
+    };
+    environmentFiles = [ config.sops.templates.shlink-env.path ];
+  };
+
+  # Workaround for NixOS/nixpkgs#410857 until backport of #475089 lands
+  systemd.services.podman-shlink = {
+    after = [ "postgresql.service" ];
+    requires = [ "postgresql.service" ];
+    serviceConfig.Delegate = true;
+  };
+
+  virtualisation.oci-containers.containers.shlink-web-client = {
+    image = "shlinkio/shlink-web-client:4.3.1";
+    podman.user = "podman";
+    ports = [ "127.0.0.1:8081:8080" ];
+  };
+
+  # Workaround for NixOS/nixpkgs#410857 until backport of #475089 lands
+  systemd.services.podman-shlink-web-client.serviceConfig.Delegate = true;
+}

hosts/lab/sites.nix

@@ -34,7 +34,6 @@ in
   services.site.website = {
     enable = true;
     domain = "wynne.rs";
-    redirectDomains = [ "ily.rs" ];
     repo = "https://git.ily.rs/lew/website";
     branch = "master";
     port = 4322;

secrets/shlink.yaml

@@ -0,0 +1,26 @@
+shlink-db-password: ENC[AES256_GCM,data:v3zQf/7P3dmvXAVAmd8UgJAd7mU5ecO2SXgzenxLPpk=,iv:ru3Az6XVyogDTtew4HUiZr64/ZMdoCxLFsGsSh4yjp8=,tag:agIfLJZANciGKJXqIAIiJQ==,type:str]
+shlink-api-key: ENC[AES256_GCM,data:YL/zuRwR8GqYKlkuiL+Kod8OIrMNaiTWIlvHtwjW54Q=,iv:LtKY3GwqJl4NL+plG49tO0vrFB85tSWUqlLX3d9tVuw=,tag:prJ39Vdqe2Q6yxDyFpre7g==,type:str]
+sops:
+    age:
+        - recipient: age1r8h6gy2f4mu8xvx609qeadl82v2hua74xaevsp982zyfh4tm9qlsu80s0f
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSWjF1ajVhSUUvTkpCTlZx
+            YndLZG5oc0hpSlY1ZXliSTdXdVdjVk93WXg0Cm9wTVNYU3RMaGxwSnVhdFc2K2dI
+            R2NNY1RpMi9wU05hMG5peWQ5aFZYU0UKLS0tIGVnU1lOR0ptR2ZrQWM5bDFpbXo2
+            TFBMNXYzRllCcENNb2Q2K0J5Y2plOTQKQDo15IpycmzU40zx+BVfdy4rxmjCGbHD
+            lDBMznEXS4IKPkSlNZT0MPe8gUrmgpcXzaAnJm1iFK4Q54eSTdP62g==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1nq4z2ms4vruhces2f8e7tvgsr0pfg5ha92w0hrmde3n2ulxe4qhqxv05xl
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhZFllZ0wwa1JLWnNyOElq
+            UGVLRWZRNVF3QU1aOU5rT3Z1cWo2TVJyUVhVCnBkN1FRTmozU2xacnhhSis0UDN1
+            SVhKOFdxQmExM21DQitRNDVXL2NGd2cKLS0tIGtFeUx3Wm5jSytmUlhUZGF6WnVR
+            YnNwVkh4UGEzaStLcTRtZ2NuNm45Z0UK+Klu+SW/xcdj/HDmIM9eMIpZhzBj+A6O
+            sZHUze9G1/n6w3is5/t24VaDvYkJQTJKlnH1iN/DYv7laTmzkAQCZg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-04-07T22:45:51Z"
+    mac: ENC[AES256_GCM,data:p4HJKWaQLkOHW3AbFSheIB4m3ET1cLnxCEnL0sQjQurIUwjcDuiXN8cbRS5No2JyPXA6dFylwKOH3TLHW1HNwOJFjviGozVUZItInxTNumfxDNJUzhIEdp39wf7SWEsQKzNo/EGdbFmpK/WR53RtbniYfLdOf6IesH6e9D7fPH0=,iv:twMMYVMbQg80lzxU4wgov+BAyB3LCCGE8hO8+3kV1lE=,tag:H91CXVoiLr4C/F/ci7QkoA==,type:str]
+    unencrypted_suffix: _unencrypted
+    version: 3.12.2