From 024dae4226622b1b5463ecc09b645b415bd76b4f Mon Sep 17 00:00:00 2001
From: h7x4
Date: Thu, 15 Jan 2026 15:39:20 +0900
Subject: [PATCH] journald-{remote,upload}: init
---
 base/default.nix | 1 +
 base/services/journald-upload.nix | 25 +++++++++++
 hosts/ildkule/configuration.nix | 1 +
 hosts/ildkule/services/journald-remote.nix | 52 ++++++++++++++++++++++
 4 files changed, 79 insertions(+)
 create mode 100644 base/services/journald-upload.nix
 create mode 100644 hosts/ildkule/services/journald-remote.nix
diff --git a/base/default.nix b/base/default.nix
index 1abc654..b2baf8b 100644
--- a/base/default.nix
+++ b/base/default.nix
@@ -20,6 +20,7 @@
 ./services/dbus.nix
 ./services/fwupd.nix
 ./services/irqbalance.nix
+ ./services/journald-upload.nix
 ./services/logrotate.nix
 ./services/nginx.nix
 ./services/openssh.nix
diff --git a/base/services/journald-upload.nix b/base/services/journald-upload.nix
new file mode 100644
index 0000000..cf2c07d
--- /dev/null
+++ b/base/services/journald-upload.nix
@@ -0,0 +1,25 @@
+{ config, lib, values, ... }:
+let
+ cfg = config.services.journald.upload;
+in
+{
+ services.journald.upload = {
+ enable = lib.mkDefault true;
+ settings.Upload = {
+ URL = "https://journald.pvv.ntnu.no:${toString config.services.journald.remote.port}";
+ ServerKeyFile = "-";
+ ServerCertificateFile = "-";
+ TrustedCertificateFile = "-";
+ };
+ };
+
+ systemd.services."systemd-journal-upload".serviceConfig = lib.mkIf cfg.enable {
+ IPAddressDeny = "any";
+ IPAddressAllow = [
+ "127.0.0.1"
+ "::1"
+ values.ipv4-space
+ values.ipv6-space
+ ];
+ };
+}
diff --git a/hosts/ildkule/configuration.nix b/hosts/ildkule/configuration.nix
index fae804e..298af44 100644
--- a/hosts/ildkule/configuration.nix
+++ b/hosts/ildkule/configuration.nix
@@ -7,6 +7,7 @@
 ./services/monitoring
 ./services/nginx
+ ./services/journald-remote.nix
 ];
 sops.defaultSopsFile = fp /secrets/ildkule/ildkule.yaml;
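Review bot: `TrustedCertificateFile = "-"` in `settings.Upload` disables verification of the receiver's certificate, so every base host will stream its full journal to whatever answers at that address and port, which removes the protection HTTPS was supposed to give the upload. The receiver in this same patch is provisioned with a publicly trusted ACME certificate, so the client can simply verify against the system bundle: `TrustedCertificateFile = "/etc/ssl/certs/ca-certificates.crt";`. A smaller point: the URL takes its port from `config.services.journald.remote.port` evaluated on the uploading host, where `journald.remote` is not enabled, so it only ever sees the option default and will silently diverge if ildkule changes its port; consider spelling the port out or sourcing it from a shared constant next to `values.ipv4-space`.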
diff --git a/hosts/ildkule/services/journald-remote.nix b/hosts/ildkule/services/journald-remote.nix
new file mode 100644
index 0000000..6e78c53
--- /dev/null
+++ b/hosts/ildkule/services/journald-remote.nix
@@ -0,0 +1,52 @@
+{ config, lib, values, ... }:
+let
+ cfg = config.services.journald.remote;
+ domainName = "journald.pvv.ntnu.no";
+in
+{
+ security.acme.certs.${domainName} = {
+ webroot = "/var/lib/acme/acme-challenge/";
+ group = config.services.nginx.group;
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts.${domainName} = {
+ forceSSL = true;
+ useACMEHost = "${domainName}";
+ locations."/.well-known/".root = "/var/lib/acme/acme-challenge/";
+ };
+ };
+
+ services.journald.upload.enable = lib.mkForce false;
+
+ services.journald.remote = {
+ enable = true;
+ settings.Remote = let
+ inherit (config.security.acme.certs.${domainName}) directory;
+ in {
+ ServerKeyFile = "/run/credentials/systemd-journal-remote.service/key.pem";
+ ServerCertificateFile = "/run/credentials/systemd-journal-remote.service/cert.pem";
+ TrustedCertificateFile = "-";
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+ systemd.sockets."systemd-journal-remote".socketConfig = {
+ IPAddressDeny = "any";
+ IPAddressAllow = [
+ "127.0.0.1"
+ "::1"
+ values.ipv4-space
+ values.ipv6-space
+ ];
+
+ LoadCredential = let
+ inherit (config.security.acme.certs.${domainName}) directory;
+ in [
+ "key.pem:${directory}/key.pem"
+ "cert.pem:${directory}/cert.pem"
+ ];
+ };
+}
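Review bot: `TrustedCertificateFile = "-"` in `settings.Remote` means the receiver does not authenticate clients at all, so the only thing deciding who may write entries into the central journal is the socket's `IPAddressAllow` list, while `networking.firewall.allowedTCPPorts = [ cfg.port ]` opens the port on every interface; a comment such as `# No client certificates: any host inside values.ipv4-space/ipv6-space may push entries` would make that trust boundary explicit for the next reader. `LoadCredential` is placed on the socket unit, but the key/cert paths under `settings.Remote` point at the service's credential directory (`/run/credentials/systemd-journal-remote.service/`); I cannot confirm from here that socket-unit credentials are propagated to the activated service, so please verify on a fresh boot, or move `LoadCredential` to `systemd.services."systemd-journal-remote".serviceConfig` where the paths would match unambiguously. Credentials are copied in when the unit starts, so after an ACME renewal the receiver keeps presenting the old certificate until it is restarted; `security.acme.certs.${domainName}.reloadServices = [ "systemd-journal-remote.service" ];` takes care of that. Finally, the `let inherit (...) directory; in` wrapped around `settings.Remote` binds `directory` without using it and can be dropped.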