neoprism: add vibe-kanban service

Lassulus · Lassulus · commit 95691a1dd317 · 2026-03-09T08:02:16.000+01:00
- systemd service running as dedicated kanban user on SSD (zroot)
- nginx reverse proxy at kanban.lassul.us with basic auth via clan vars
- DNS record for kanban.lassul.us
- binary-patch claude-code version for claude 4.6 support
- backup of vibe-kanban state
diff --git a/2configs/dns/lassul.us.zone b/2configs/dns/lassul.us.zone
@@ -1,4 +1,4 @@
-@ 3600 IN SOA lassul.us. ns1.lassul.us. 2026030700 7200 3600 86400 3600
+@ 3600 IN SOA lassul.us. ns1.lassul.us. 2026030800 7200 3600 86400 3600
 
 ;;@ 3600 IN NS ns1
 @ 3600 IN NS ns1
@@ -53,6 +53,7 @@ c IN CNAME neoprism
 hass IN CNAME neoprism
 vault IN CNAME neoprism
 cal IN CNAME neoprism
+kanban IN CNAME neoprism
 
 ;; Mail
 @ IN MX 3 mail
diff --git a/2configs/vibe-kanban.nix b/2configs/vibe-kanban.nix
@@ -0,0 +1,100 @@
+{
+  self,
+  config,
+  pkgs,
+  ...
+}:
+let
+  vibe-kanban-base = self.inputs.llm-agents.packages.${pkgs.system}.vibe-kanban;
+  # HACK: binary-patch pinned claude-code version for claude 4.6 support
+  # TODO: fork upstream and bump properly, then submit PR
+  vibe-kanban = vibe-kanban-base.overrideAttrs (old: {
+    postInstall = (old.postInstall or "") + ''
+      ${pkgs.gnused}/bin/sed -i 's|@anthropic-ai/claude-code@2\.1\.45|@anthropic-ai/claude-code@2.1.71|g' $out/bin/vibe-kanban
+    '';
+  });
+  port = 4242;
+in
+{
+  users.users.kanban = {
+    isNormalUser = true;
+    home = "/var/lib/vibe-kanban";
+    createHome = true;
+    group = "users";
+    useDefaultShell = true;
+    openssh.authorizedKeys.keys = [
+      self.keys.ssh.barnacle.public
+      self.keys.ssh.yubi_pgp.public
+      self.keys.ssh.yubi1.public
+      self.keys.ssh.yubi2.public
+      self.keys.ssh.solo2.public
+      self.keys.ssh.xerxes.public
+      self.keys.ssh.massulus.public
+    ];
+  };
+
+  clan.core.vars.generators.vibe-kanban = {
+    files."htpasswd" = {
+      owner = "root";
+      group = "nginx";
+      mode = "0640";
+    };
+    files."password" = { };
+    runtimeInputs = with pkgs; [
+      apacheHttpd
+      coreutils
+    ];
+    script = ''
+      password=$(head -c 32 /dev/urandom | base64 | tr -dc 'a-zA-Z0-9' | head -c 24)
+      echo "$password" > "$out/password"
+      htpasswd -nbB kanban "$password" > "$out/htpasswd"
+    '';
+  };
+
+  systemd.services.vibe-kanban = {
+    description = "Vibe Kanban Board";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "network-online.target" ];
+    wants = [ "network-online.target" ];
+
+    path = [
+      pkgs.nodejs
+      pkgs.git
+      pkgs.bash
+      pkgs.coreutils
+      pkgs.nix
+    ];
+
+    environment = {
+      HOST = "127.0.0.1";
+      PORT = toString port;
+    };
+
+    serviceConfig = {
+      ExecStart = "${vibe-kanban}/bin/vibe-kanban";
+      Restart = "on-failure";
+      RestartSec = 10;
+      User = "kanban";
+      Group = "users";
+      WorkingDirectory = "/var/lib/vibe-kanban";
+    };
+  };
+
+  services.nginx.virtualHosts."kanban.lassul.us" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString port}";
+      proxyWebsockets = true;
+      extraConfig = ''
+        auth_basic "Vibe Kanban";
+        auth_basic_user_file ${config.clan.core.vars.generators.vibe-kanban.files."htpasswd".path};
+        proxy_set_header Host $host;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_read_timeout 300s;
+        proxy_send_timeout 300s;
+      '';
+    };
+  };
+}
diff --git a/machines/neoprism/backup.nix b/machines/neoprism/backup.nix
@@ -31,6 +31,7 @@
       "/var/lib/matrix-synapse/media_store/local_content"
       "/var/lib/radicale"
       "/home/bot"
+      "/var/lib/vibe-kanban"
       "/var/vmail"
       "/var/dkim"
       "/var/sieve"
@@ -40,6 +41,8 @@
       "/home/bot/.cache"
       "/home/bot/.nix-defexpr"
       "/home/bot/.nix-profile"
+      "/var/lib/vibe-kanban/.cache"
+      "/var/lib/vibe-kanban/.npm"
     ];
     repo = "u550643@u550643.your-storagebox.de:/./neoprism";
     encryption.mode = "none";
diff --git a/machines/neoprism/config.nix b/machines/neoprism/config.nix
@@ -68,6 +68,9 @@
     # opencrow matrix bot
     ../../2configs/opencrow.nix
 
+    # vibe kanban
+    ../../2configs/vibe-kanban.nix
+
     # backups
     ./backup.nix
   ];
