From 4f15e68808d288761d0aff3a0ee14bb7df53f511 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Benjamin=20Yule=20B=C3=A4dorf?=
Date: Sat, 23 Mar 2024 11:01:56 +0100
Subject: [PATCH] loomio: init

Adds a basic loomio config based on [loomio-deploy](https://github.com/loomio/loomio-deploy).

TODO after this commit:
* Add OAUTH config
* Add SMTP config
* Create postgres user on host
---
 .gitignore | 1 +
 flake.nix | 1 +
 hosts/nachtigall/apps/loomio.nix | 145 +++++++++++++++++++++++++++++++
 hosts/nachtigall/default.nix | 1 +
 secrets/loomio-environment.age | Bin 0 -> 1890 bytes
 secrets/secrets.nix | 7 ++
 terraform/dns.tf | 5 ++
 7 files changed, 160 insertions(+)
 create mode 100644 hosts/nachtigall/apps/loomio.nix
 create mode 100644 secrets/loomio-environment.age

diff --git a/.gitignore b/.gitignore
index 58b21b78..d147ab02 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,3 +4,4 @@
 .terraform
 *.plan
 result
+secrets/*.txt
diff --git a/flake.nix b/flake.nix
index e0c3b496..97e5a5a8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -63,6 +63,7 @@
 deploy-rs
 nixpkgs-fmt
 agenix
+ age-plugin-yubikey
 cachix
 editorconfig-checker
 nodePackages.prettier
diff --git a/hosts/nachtigall/apps/loomio.nix b/hosts/nachtigall/apps/loomio.nix
new file mode 100644
index 00000000..764de9c8
--- /dev/null
+++ b/hosts/nachtigall/apps/loomio.nix
@@ -0,0 +1,145 @@
+{ config
+, lib
+, pkgs
+, self
+, ...
+}: let
+ uid = 980;
+ gid = 979;
+in {
+ age.secrets.loomio-environment = {
+ file = "${flake.self}/secrets/loomio-environment.age";
+ symlink = false;
+ mode = "440";
+ owner = "loomio";
+ group = "loomio";
+ };
+
+ services.postgresql = {
+ authentication = ''
+ host loomio all 172.17.0.0/16 password
+ '';
+ };
+
+ users.users.loomio = {
+ isSystemUser = true;
+ group = "loomio";
+ inherit uid;
+ };
+ users.groups.loomio = { inherit gid; };
+
+ services.nginx.virtualHosts."decide.pub.solar" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_pass http://127.0.0.1:3001;
+ proxy_set_header Host $host;
+ '';
+ };
+ };
+
+ services.nginx.virtualHosts."channels.decide.pub.solar" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_pass http://127.0.0.1:3001;
+ proxy_set_header Host $host;
+ '';
+ };
+ };
+
+ virtualisation = {
+ oci-containers = let
+ loomioConfig = {
+ image = "loomio/loomio:stable";
+
+ autoStart = true;
+
+ volumes = [
+ "/run/redis-loomio/redis.sock:/run/redis/redis.sock"
+ "/var/lib/loomio/uploads:/loomio/public/system"
+ "/var/lib/loomio/storage:/loomio/storage"
+ "/var/lib/loomio/files:/loomio/public/files"
+ "/var/lib/loomio/plugins:/loomio/plugins/docker"
+ "/var/lib/loomio/tmp:/loomio/tmp"
+ ];
+
+ extraOptions = [
+ "--add-host=host.docker.internal:host-gateway"
+ "--pull=always"
+ ];
+
+ environmentFiles = [ config.age.secrets.loomio-environment.path ];
+
+ environment = {
+ CANONICAL_HOST = "";
+ SUPPORT_EMAIL = "";
+ SITE_NAME = "";
+ REPLY_HOSTNAME = "";
+ CHANNELS_URI = "";
+ HELPER_BOT_EMAIL = "no-reply@";
+
+ SMTP_AUTH = "plain";
+ SMTP_DOMAIN = "";
+ SMTP_SERVER = "smtp.example.com";
+ SMTP_PORT = "465";
+ SMTP_USE_SSL = "1";
+
+ ACTIVE_STORAGE_SERVICE = "local";
+
+ ALLOW_ROBOTS = "0";
+
+ THEME_ICON_SRC = "/files/icon.png";
+ THEME_APP_LOGO_SRC = "/files/logo.svg";
+ THEME_EMAIL_HEADER_LOGO_SRC = "/files/logo_128h.png";
+ THEME_EMAIL_FOOTER_LOGO_SRC = "/files/logo_64h.png";
+
+ # used in emails. use rgb or hsl values, not hex
+ THEME_PRIMARY_COLOR = "rgb(255,167,38)";
+ THEME_ACCENT_COLOR = "rgb(0,188,212)";
+ THEME_TEXT_ON_PRIMARY_COLOR = "rgb(255,255,255)";
+ THEME_TEXT_ON_ACCENT_COLOR = "rgb(255,255,255)";
+
+ REDIS_URL = "unix:///run/redis/redis.sock";
+
+ CHANNELS_URI = "wss://channels.";
+
+ RAILS_ENV = "production";
+ };
+ };
+ in {
+ backend = "docker";
+
+ containers."loomio" = loomioConfig // {
+ ports = [ "127.0.0.1:3001:3000" ];
+ volumes = [ "/var/lib/loomio/import:/import" ];
+ };
+
+ containers."loomio-worker" = loomioConfig // {
+ environment = {
+ TASK = "worker";
+ };
+ volumes = [ "/var/lib/loomio/import:/import" ];
+ };
+
+ containers."loomio-mailin" = {
+ image = "loomio/mailin-docker:latest";
+ autoStart = true;
+ };
+
+ containers."loomio-channels" = {
+ image = "loomio/loomio_channel_server";
+ autoStart = true;
+ environmentFiles = [ config.age.secrets.loomio-environment.path ];
+ };
+ };
+ };
+
+ services.redis.servers.loomio.enable = true;
+}
diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix
index 15f50a00..936a0be5 100644
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@@ -15,6 +15,7 @@
 ./apps/coturn.nix
 ./apps/forgejo.nix
 ./apps/keycloak.nix
+ ./apps/loomio.nix
 ./apps/mailman.nix
 ./apps/mastodon.nix
 ./apps/mediawiki.nix
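Review bot: The pg_hba rule `host loomio all 172.17.0.0/16 password` admits every PostgreSQL role to the loomio database from the entire Docker bridge and selects cleartext-password authentication; scope it to the application role and a hashed method, `host loomio loomio 172.17.0.0/16 scram-sha-256` (the role still has to be created per the commit's TODO, and `services.postgresql` must listen on the bridge address for `host.docker.internal` to reach it, which this hunk does not show). The two container definitions also rely on `//`, a shallow merge, so `containers."loomio"` keeps only the `/import` mount and silently drops the redis-socket, uploads, storage, files, plugins and tmp volumes, while `containers."loomio-worker"` replaces the whole `environment` set with `{ TASK = "worker"; }` and loses `RAILS_ENV`, `REDIS_URL` and everything else; write `volumes = loomioConfig.volumes ++ [ "/var/lib/loomio/import:/import" ];` and `environment = loomioConfig.environment // { TASK = "worker"; };` instead. Two further evaluation errors: `CHANNELS_URI` is defined twice in the same attrset (`""` and `"wss://channels."`), which Nix rejects as a duplicate attribute, and `"${flake.self}/secrets/loomio-environment.age"` references `flake`, which is not among the module arguments — `"${self}/secrets/loomio-environment.age"` is what is bound. Both nginx virtual hosts proxy to `127.0.0.1:3001`, the main Rails container's published port, while `containers."loomio-channels"` publishes nothing, so `channels.decide.pub.solar` presumably was meant to target that server once its port is exposed. Finally, `--pull=always` combined with the mutable tags `loomio/loomio:stable`, `loomio/mailin-docker:latest` and the untagged `loomio/loomio_channel_server` re-fetches whatever upstream publishes on every container start; pinning each image by `@sha256:` digest keeps the deployment reproducible and makes upgrades reviewable.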
diff --git a/secrets/loomio-environment.age b/secrets/loomio-environment.age new file mode 100644 index 0000000000000000000000000000000000000000..032c844257128910ad80682537333986049b9407 GIT binary patch literal 1890 zcmZY9?eE+K0SEA9Mi%QshG0Mw*dZ_6(*4$JuMgK57W#D8Uaxn3xIV^&^?JR#_O4IY z>s_yi#wS2c$YhX(ghiuldjkevD$^Ml1{W_aR`jko&YzeWv^`H)yh{_ja*fx zmQosNC$r(W)wb%Z#W3j_5azmNHWe$rbaB30wu=5(D*$~WOvqJ*%3#-+%R?7MWIxk0 zg4X7&0n+(oJjoWbMqm!r0g7*ul5{v*NfVpd%(=#}0=%N*W4ghR1=g1GY|)m6Oiblt zMZy9^OISq5W<6ts)fc!{k$sRQQ)V@tj-bjQa4Q-D4ZL6VJ6(L;N<~(6Z8ICM3MsS9 zEJ1`qXoYjEW1!5$nxms|mJbO=#Y2q5d%Z!?pc4)Vf(_@oRHx03X$M)wr7;Z|Q<%YX z#q_iL^PI#P{ga)DSVr1R>gQ8gdWkT zbE1i@T?ktavYrgu?27J81cE>|QqT6*vuqpzeq$QDP&6VMR)`MA(jv`DA;1}4;im{} z2`y07S5l&6N`(^+wCp7UN3n>&L?Hu@x*lL@?JCU^aVSGtQ_)FRPm79QH;9;wydbA% ziJ%P4j!fhBe|ww;tF08l@LH8+P_V917}lRb;*xh)VKV1Njl!t=^jyG@7P^!)vuwmu z4hDm^%?UtZC03}=Qs8HK+G=$IJ+SRjOF&hQ8P(@A4TFLLvlL|;v z3+1^!DpE}d*}gWk@(?PkUTaF(JOP3jF~gRM62lw7?L`{x$vit)Rbt&i*Ji4+JX$Tt zV3Q2S1cC@DI2iCEoZQ&wjqkBrT0fuEgy|aMMnS!)tnCb$wlmpuhatnaQCot+`2D1Y z2M3#Z7I?tY9h;oj8LD-KL)(*%!`Q_P3hVtvy)ot@deH^Ph=RD&zVbmW;0?S%)ojAR zTnl3v0<(pxARW;}ai4cZ5=53`kL|E+hzKSdjn@HE5Bv$jK_O=~5{gsJRO4`P(j0eL zd5YH?iP&TtY|Eg7|I=tA-wddlF=6lpgX!IBjE*9_>Xp%S(1R*`Bu+xatD-qPW6;9L z*E0a-NmxVVc7nwOSFTkOG3MraH8T;2aC~YQQ!RhE%Ii@`0b5&JwZ2s5xoC0?oznX} z0A96CV_BEQmXJuoXarMWHk|?LtFK@G(bXeY&YXcR#>bCtKMx(_?)%%0SDyMZ z%3;ADqVwnPy?X6y*{{mBwVgWru5!e>nm+q@t-pFG|I?{+%!Lb|$8P)7?&A;qncnu{ z#X2J)2lv1D+s-$+y>EQ`9IS!t8#^H``E~8!sW1HWkst1P{>`J$ z-u>{dmUrOoUFO-3?ET4iPTcaZGna4Pd35XF`>%Mf9Y1}~y@!we_{8hme$&3^ozGl* z`;O=S@%#S6+~b$OpZ~p#zxa@O^QmS!aonA??sQjx%bZ7Z$EVXofBU_ szh~d0?|$jjCl)98+NH~94{{r6_x|eQq3PN5%Byef`53zUrCpEy2N}7ShyVZp literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 12bebb9a..72923b1f 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -2,6 +2,8 @@ let # set ssh public keys here for your system and user axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix"; b12f-bbcom = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmXpOU6vzQiVSSYCoxHYv7wDxC63Qg3dxlAMR6AOzwIABCU5PFFNcO0NWYms/YR7MOViorl+19LCLRABar9JgHU1n+uqxKV6eGph3OPeMp5sN8LAh7C9N+TZj8iJzBxQ3ch+Z/LdmLRwYNJ7KSUI+gwGK6xRS3+z1022Y4P0G0sx7IeCBl4lealQEIIF10ZOfjUdBcLQar7XTc5AxyGKnHCerXHRtccCoadLQujk0AvPXbv3Ma4JwX9X++AnCWRWakqS5UInu2tGuZ/6Hrjd2a9AKWjTaBVDcbYqCvY4XVuMj2/A2bCceFBaoi41apybSk26FSFTU4qiEUNQ6lxeOwG4+1NCXyHe2bGI4VyoxinDYa8vLLzXIRfTRA0qoGfCweXNeWPf0jMqASkUKaSOH5Ot7O5ps34r0j9pWzavDid8QeKJPyhxKuF1a5G4iBEZ0O9vuti60dPSjJPci9oTxbune2/jb7Sa0yO06DtLFJ2ncr5f70s/BDxKk4XIwQLy+KsvzlQEGdY8yA6xv28bOGxL3sQ0HE2pDTsvIbAisVOKzdJeolStL9MM5W8Hg0r/KkGj2bg0TfoRp1xHV9hjKkvJrsQ6okaPvNFeZq0HXzPhWMOVQ+/46z80uaQ1ByRLr3FTwuWJ7F/73ndfxiq6bDE4z2Ji0vOjeWJm6HCxTdGw== hello@benjaminbaedorf.com"; + b12f-yubi485 = "age1yubikey1qgxuu2x3uzw7k5pg5sp2dv43edhwdz3xuhj7kjqrnw0p8t0l67c5yz9nm6q"; + b12f-yubi464 = "age1yubikey1qd7szmr9ux2znl4x4hzykkwaru60nr4ufu6kdd88sm7657gjz4x5w0jy4y7"; hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb"; hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy"; teutat3s-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms"; @@ -12,6 +14,8 @@ let baseKeys = [ axeman-1 b12f-bbcom + b12f-yubi485 + b12f-yubi464 hensoko-1 hensoko-2 teutat3s-1 @@ -52,6 +56,8 @@ in "searx-environment.age".publicKeys = nachtigallKeys ++ baseKeys; + "loomio-environment.age".publicKeys = nachtigallKeys ++ baseKeys; + "restic-repo-droppie.age".publicKeys = nachtigallKeys ++ baseKeys; "restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ baseKeys; 
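Review bot: The existing `.age` files are not re-encrypted to the two `age1yubikey1…` recipients added to `baseKeys`: the diffstat lists only the newly created `secrets/loomio-environment.age`, so until `agenix --rekey` is run with an identity that can currently decrypt the others and its binary changes are committed, the YubiKeys can open the loomio secret but nothing else in this list. Since membership in `baseKeys` grants read access to every secret for every host, a short comment next to the new entries, e.g. `# b12f hardware tokens (serial 485 / 464); rekey all secrets after changing this list`, would document both the intent and the operational step.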
@@ -72,3 +78,4 @@ in
 "nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ baseKeys;
 "nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ baseKeys;
 }
+
diff --git a/terraform/dns.tf b/terraform/dns.tf
index 60226c09..fd1ee56a 100644
--- a/terraform/dns.tf
+++ b/terraform/dns.tf
@@ -105,6 +105,11 @@ resource "namecheap_domain_records" "pub-solar" {
 type = "CNAME"
 address = "nachtigall.pub.solar."
 }
+ record {
+ hostname = "decide"
+ type = "CNAME"
+ address = "decide.pub.solar."
+ }
 record {
 hostname = "mastodon"
 type = "CNAME"
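Review bot: The new record points `decide` at itself: with `hostname = "decide"` and `address = "decide.pub.solar."` the CNAME resolves to its own name, resolvers treat that as a loop, and `decide.pub.solar` never reaches the host; the neighbouring records use `address = "nachtigall.pub.solar."`, which is what this one should say. The Nix side of this same commit also serves `channels.decide.pub.solar` with ACME enabled and no record for that name is added here — unless a wildcard exists elsewhere in this file, certificate issuance for it will fail, so a second entry with `hostname = "channels.decide"` and the same CNAME target is needed. The enclosing `resource "namecheap_domain_records" "pub-solar"` block begins and ends outside the hunk.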