helm/hosts/profiles/opencode-server/default.nix

{
  self,
  config,
  pkgs,
  inputs,
  ...
}:

let
  opencode = inputs.llm-agents.packages.${pkgs.system}.opencode;
in
{
  systemd.services.opencode-server = {
    description = "OpenCode HTTP Server";
    after = [ "network.target" ];
    wantedBy = [ "multi-user.target" ];

    # Read the API key from the agenix secret file and export it
    script = ''
      export ANTHROPIC_API_KEY="$(cat /run/agenix/anthropicToken)"
      exec ${opencode}/bin/opencode serve --port 4096 --hostname 0.0.0.0
    '';

    serviceConfig = {
      Type = "simple";
      WorkingDirectory = "/home/anish/usr";
      User = "anish";
      Restart = "on-failure";
      RestartSec = "10";

      # Hardening
      NoNewPrivileges = true;
      PrivateTmp = true;
    };
  };

  # Open firewall port for LAN access
  networking.firewall.allowedTCPPorts = [ 4096 ];

  services.nginx = {
    enable = true;
    virtualHosts = {
      "opencode.mossnet.lan" = {
        forceSSL = false;
        enableACME = false;
        locations."/".proxyPass = "http://localhost:4096/";
      };
    };
  };
}