From 98d52df2e230cd3783b771537ff81ebe7d10d5f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E2=9C=BF=20corey?=
Date: Fri, 3 Apr 2026 14:32:43 -0700
Subject: [PATCH] feat(glyph): add Windmill workflow automation with PostgreSQL

Set up Windmill on glyph with createLocally for DB provisioning, patched initdb to include upstream table grants that the NixOS module omits. Reverse proxy on spore at windmill.zx.dev.

Next step: update windmill package to get Pocket ID SSO support (merged upstream in v1.640+, nixpkgs has v1.601.1).

Co-Authored-By: Claude Opus 4.6
---
 hosts/glyph/services/db.nix | 2 +-
 hosts/glyph/services/default.nix | 1 +
 hosts/glyph/services/windmill.nix | 47 ++++++++++++++++++++++++++++
 hosts/spore/services/web/default.nix | 8 +++++
 4 files changed, 57 insertions(+), 1 deletion(-)
 create mode 100644 hosts/glyph/services/windmill.nix

diff --git a/hosts/glyph/services/db.nix b/hosts/glyph/services/db.nix
index bc35dfb5..5da67060 100644
--- a/hosts/glyph/services/db.nix
+++ b/hosts/glyph/services/db.nix
@@ -39,6 +39,6 @@
 services.postgresqlBackup = {
 enable = true;
- databases = ["atticd" "grafana" "open-webui" "pocketid"];
+ databases = ["atticd" "grafana" "open-webui" "pocketid" "windmill"];
 };
 }
diff --git a/hosts/glyph/services/default.nix b/hosts/glyph/services/default.nix
index 5bcb18f5..ac1081b7 100644
--- a/hosts/glyph/services/default.nix
+++ b/hosts/glyph/services/default.nix
@@ -18,6 +18,7 @@
 ./prometheus.nix
 ./samba.nix
 ./torrents.nix
+ ./windmill.nix
 ];
 users.groups.media = {};
 users.users.mu.extraGroups = ["media"];
diff --git a/hosts/glyph/services/windmill.nix b/hosts/glyph/services/windmill.nix
new file mode 100644
index 00000000..50071be7
--- /dev/null
+++ b/hosts/glyph/services/windmill.nix
@@ -0,0 +1,47 @@
+{
+ config,
+ pkgs,
+ ...
+}: {
+ services.windmill = {
+ enable = true;
+ serverPort = 8100;
+ baseUrl = "https://windmill.zx.dev";
+ database.createLocally = true;
+ };
+
+ # The NixOS module's initdb omits table grants from the upstream
+ # init-db-as-superuser.sql, causing permission errors at runtime.
+ # Patch the initdb service to include them.
+ systemd.services.windmill-initdb.script = let
+ cfg = config.services.windmill;
+ psql = "${config.services.postgresql.package}/bin/psql";
+ in ''
+ ${psql} -tA <<"EOF"
+ DO $$
+ BEGIN
+ IF NOT EXISTS (
+ SELECT FROM pg_catalog.pg_roles
+ WHERE rolname = 'windmill_user'
+ ) THEN
+ CREATE ROLE windmill_user;
+ END IF;
+ IF NOT EXISTS (
+ SELECT FROM pg_catalog.pg_roles
+ WHERE rolname = 'windmill_admin'
+ ) THEN
+ CREATE ROLE windmill_admin WITH BYPASSRLS;
+ GRANT windmill_user TO windmill_admin;
+ END IF;
+ GRANT windmill_admin TO ${cfg.database.user};
+ END
+ $$;
+
+ GRANT ALL PRIVILEGES ON DATABASE ${cfg.database.name} TO windmill_user;
+ GRANT ALL ON ALL TABLES IN SCHEMA public TO windmill_user;
+ GRANT ALL ON ALL SEQUENCES IN SCHEMA public TO windmill_user;
+ ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO windmill_user;
+ ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO windmill_user;
+ EOF
+ '';
+}
diff --git a/hosts/spore/services/web/default.nix b/hosts/spore/services/web/default.nix
index aa91a528..334a76cb 100644
--- a/hosts/spore/services/web/default.nix
+++ b/hosts/spore/services/web/default.nix
@@ -45,6 +45,14 @@
 "/pgp".return = "302 https://keyoxide.org/hkp/413d1a0152bcb08d2e3ddacaf88c08579051ab48";
 };
 };
+ "windmill.zx.dev" = {
+ forceSSL = true;
+ useACMEHost = "zx.dev";
+ locations."/" = {
+ proxyPass = "http://glyph.rove-duck.ts.net:8100";
+ proxyWebsockets = true;
+ };
+ };
 "torrents.zx.dev" = {
 forceSSL = true;
 useACMEHost = "zx.dev";
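Review bot: `systemd.services.windmill-initdb.script` is a `lines`-typed option, so if the NixOS module already sets a script for this unit (the header comment suggests it does), this definition is concatenated with it rather than replacing it, the `DO` block then runs twice, and which copy runs first depends on module merge order; `lib.mkAfter` on just the `GRANT` statements, or `lib.mkForce` on the whole script (adding `lib` to the module arguments, where `pkgs` is currently unused), makes the intent explicit. The database role and name are spliced into the SQL unquoted in `GRANT windmill_admin TO ${cfg.database.user};` and `GRANT ALL PRIVILEGES ON DATABASE ${cfg.database.name} TO windmill_user;`, which works for the default identifiers but breaks for any configured value that needs quoting; `"${cfg.database.user}"` (a double-quoted identifier, literal inside both the Nix `''` string and the quoted heredoc) is the robust form. `ALTER DEFAULT PRIVILEGES` without `FOR ROLE` only covers objects later created by the role running this script, so tables created by Windmill's own migrations under `cfg.database.user` are not covered by these defaults and presumably rely on the windmill → windmill_admin → windmill_user membership chain instead — worth stating in the header comment, e.g. `# Default privileges here apply only to objects created by the script's role; Windmill-owned tables are reached via role membership.`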
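Review bot: The new `"windmill.zx.dev"` vhost publishes Windmill to the internet before the SSO step the commit message defers, and a fresh Windmill instance starts with a documented default superadmin login that must be changed at first sign-in; until that has happened and SSO is in place, an `extraConfig = "allow <ADMIN-OR-TAILNET-RANGE placeholder>; deny all;";` on `locations."/"` (or serving the vhost only on the tailnet) keeps the initial login screen off the public host. The upstream hop is plain HTTP to `glyph.rove-duck.ts.net:8100`, which stays inside the tailnet and so is encrypted in transit, but it also requires glyph to accept 8100 from spore and nothing in this commit opens a firewall port there, so presumably the tailscale interface is already trusted on glyph — a one-line comment on `proxyPass` saying so would save the next reader a hunt. `proxyWebsockets = true` covers the upgrade, but if job log streams run longer than nginx's default `proxy_read_timeout` the connection will be cut (inferred, not visible here), which is worth a note or an explicit timeout.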