From 9e5e3cd4fa9ddae4ede2ba6c83f3c734a33f27b4 Mon Sep 17 00:00:00 2001
From: Joshua Bell
Date: Sun, 8 Feb 2026 23:11:04 -0600
Subject: [PATCH] Add PostGIS init service for Dawarich and enable ACME/SSL for Immich
---
 hosts/h001/containers/dawarich.nix | 26 +++++++++++++++++---------
 hosts/h001/containers/immich.nix | 26 ++++++++++++--------------
 2 files changed, 29 insertions(+), 23 deletions(-)
diff --git a/hosts/h001/containers/dawarich.nix b/hosts/h001/containers/dawarich.nix
index 5398d5d3..acfcc476 100644
--- a/hosts/h001/containers/dawarich.nix
+++ b/hosts/h001/containers/dawarich.nix
@@ -237,15 +237,23 @@ in
 };
 };
- systemd.services.dawarich = {
- requires = [
- "postgresql.service"
- "redis-dawarich.service"
- ];
- after = [
- "postgresql.service"
- "redis-dawarich.service"
- ];
+ # Ensure postgis extension exists before dawarich-init-db runs
+ # (initialScript only runs on first cluster creation)
+ systemd.services.dawarich-postgis-init = {
+ description = "Initialize PostGIS extension for Dawarich";
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ before = [ "dawarich-init-db.service" ];
+ requiredBy = [ "dawarich-init-db.service" ];
+ serviceConfig = {
+ Type = "oneshot";
+ RemainAfterExit = true;
+ User = "postgres";
+ Group = "postgres";
+ ExecStart = pkgs.writeShellScript "dawarich-postgis-init" ''
+ ${config.services.postgresql.package}/bin/psql -d dawarich -c "CREATE EXTENSION IF NOT EXISTS postgis;"
+ '';
+ };
 };
 };
 };
diff --git a/hosts/h001/containers/immich.nix b/hosts/h001/containers/immich.nix
index 16481028..4bd25d94 100644
--- a/hosts/h001/containers/immich.nix
+++ b/hosts/h001/containers/immich.nix
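Review bot: `dawarich-postgis-init` is ordered only after `postgresql.service`, and nothing in this hunk shows that the `dawarich` database already exists when `psql -d dawarich` runs. If the database is created by a later provisioning step, the oneshot fails and, through `requiredBy`, keeps `dawarich-init-db.service` from starting, so the unit should also be ordered after whatever creates the database. The same hunk deletes the `requires`/`after` entries that tied `systemd.services.dawarich` to `postgresql.service` and `redis-dawarich.service`; that is safe only if the Dawarich module declares them itself, which is not visible here. I would also add a comment above `User = "postgres";` such as `# runs as the database superuser only to create the extension; keep the script to this one statement`. The surrounding attribute set opens above the hunk.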
@@ -91,20 +91,18 @@ in { options = { }; config = {
- services.nginx.virtualHosts."photos.joshuabell.xyz" = {
- addSSL = true;
- sslCertificate = "/var/lib/acme/joshuabell.xyz/fullchain.pem";
- sslCertificateKey = "/var/lib/acme/joshuabell.xyz/key.pem";
- locations = {
- "/" = {
- proxyWebsockets = true;
- recommendedProxySettings = true;
- proxyPass = "http://${containerAddress}:2283";
- extraConfig = ''
- proxy_set_header X-Forwarded-Proto https;
- client_max_body_size 50G;
- '';
- };
+ services.nginx.virtualHosts."photos.joshuabell.xyz" = lib.mkIf (hasSecret "linode_rw_domains") {
+ forceSSL = true;
+ useACMEHost = "joshuabell.xyz";
+ extraConfig = ''
+ client_max_body_size 50G;
+ proxy_read_timeout 600s;
+ proxy_send_timeout 600s;
+ send_timeout 600s;
+ '';
+ locations."/" = {
+ proxyWebsockets = true;
+ proxyPass = "http://${containerAddress}:2283";
 };
 };
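Review bot: The new `locations."/"` block drops `recommendedProxySettings = true;` and the explicit `proxy_set_header X-Forwarded-Proto https;`, so unless the recommended proxy settings are enabled globally elsewhere (not visible in this hunk) the Immich backend no longer receives the original `Host`, client address or scheme. Every request in the application logs would then be attributed to the proxy address, and scheme-dependent behaviour behind the now-enforced TLS can change. I would keep `recommendedProxySettings = true;` inside `locations."/"`. The `config` attribute set opens before the hunk and continues past it.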