Merge pull request 'Update element-web, matrix-synapse' (#121) from chore/flake-updates into main

Reviewed-on: #121
Reviewed-by: b12f <b12f@noreply.git.pub.solar>

flake.lock

@@ -224,11 +224,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1709554374,
-        "narHash": "sha256-1yYgwxBzia+QrOaQaZ6YKqGFfiQcSBwYLzd9XRsRLQY=",
+        "lastModified": 1710717205,
+        "narHash": "sha256-Wf3gHh5uV6W1TV/A8X8QJf99a5ypDSugY4sNtdJDe0A=",
         "owner": "lnl7",
         "repo": "nix-darwin",
-        "rev": "daa03606dfb5296a22e842acb02b46c1c4e9f5e7",
+        "rev": "bcc8afd06e237df060c85bad6af7128e05fd61a3",
         "type": "github"
       },
       "original": {
@@ -240,11 +240,11 @@
     },
     "nixos-flake": {
       "locked": {
-        "lastModified": 1708785992,
-        "narHash": "sha256-0gEsD/EpKrbLuLcYT9CXIVEY6ChmVvVTZJDAsqBXDhg=",
+        "lastModified": 1710867744,
+        "narHash": "sha256-wtAZ+zhW5kMkiOomEA27p+T3M5ZNgY6U4zB+03/EJDs=",
         "owner": "srid",
         "repo": "nixos-flake",
-        "rev": "50203d68b305abff2f29e555992eb55ddeffbcd5",
+        "rev": "05f9464e282dee5a706273f50344a8201d8980b5",
         "type": "github"
       },
       "original": {
@@ -255,11 +255,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1709569716,
-        "narHash": "sha256-iOR44RU4jQ+YPGrn+uQeYAp7Xo7Z/+gT+wXJoGxxLTY=",
+        "lastModified": 1710838473,
+        "narHash": "sha256-RLvwdQSENKOaLdKhNie8XqHmTXzNm00/M/THj6zplQo=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "617579a787259b9a6419492eaac670a5f7663917",
+        "rev": "fa9f817df522ac294016af3d40ccff82f5fd3a63",
         "type": "github"
       },
       "original": {
@@ -405,11 +405,11 @@
     },
     "unstable": {
       "locked": {
-        "lastModified": 1709479366,
-        "narHash": "sha256-n6F0n8UV6lnTZbYPl1A9q1BS0p4hduAv1mGAP17CVd0=",
+        "lastModified": 1710806803,
+        "narHash": "sha256-qrxvLS888pNJFwJdK+hf1wpRCSQcqA6W5+Ox202NDa0=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "b8697e57f10292a6165a20f03d2f42920dfaf973",
+        "rev": "b06025f1533a1e07b6db3e75151caa155d1c7eb3",
         "type": "github"
       },
       "original": {

flake.nix

@@ -63,6 +63,7 @@
             deploy-rs
             nixpkgs-fmt
             agenix
+            age-plugin-yubikey
             cachix
             editorconfig-checker
             nodePackages.prettier

hosts/flora-6/apps/drone.nix

@@ -72,7 +72,7 @@
         autoStart = true;
         user = "994";
         ports = [
-          "4000:80"
+          "127.0.0.1:4000:80"
         ];
         dependsOn = [ "drone-db" ];
         extraOptions = [

hosts/nachtigall/apps/loomio.nix

@@ -0,0 +1,145 @@
+{ config
+, lib
+, pkgs
+, self
+, ...
+}: let
+  uid = 980;
+  gid = 979;
+in {
+  age.secrets.loomio-environment = {
+    file = "${flake.self}/secrets/loomio-environment.age";
+    symlink = false;
+    mode = "440";
+    owner = "loomio";
+    group = "loomio";
+  };
+
+  services.postgresql = {
+    authentication = ''
+      host loomio all 172.17.0.0/16 password
+    '';
+  };
+
+  users.users.loomio = {
+    isSystemUser = true;
+    group = "loomio";
+    inherit uid;
+  };
+  users.groups.loomio = { inherit gid; };
+
+  services.nginx.virtualHosts."decide.pub.solar" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyWebsockets = true;
+      extraConfig = ''
+        proxy_pass http://127.0.0.1:3001;
+        proxy_set_header Host $host;
+      '';
+    };
+  };
+
+  services.nginx.virtualHosts."channels.decide.pub.solar" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyWebsockets = true;
+      extraConfig = ''
+        proxy_pass http://127.0.0.1:3001;
+        proxy_set_header Host $host;
+      '';
+    };
+  };
+
+  virtualisation = {
+    oci-containers = let 
+      loomioConfig = {
+        image = "loomio/loomio:stable";
+
+        autoStart = true;
+
+        volumes = [
+          "/run/redis-loomio/redis.sock:/run/redis/redis.sock"
+          "/var/lib/loomio/uploads:/loomio/public/system"
+          "/var/lib/loomio/storage:/loomio/storage"
+          "/var/lib/loomio/files:/loomio/public/files"
+          "/var/lib/loomio/plugins:/loomio/plugins/docker"
+          "/var/lib/loomio/tmp:/loomio/tmp"
+        ];
+
+        extraOptions = [
+          "--add-host=host.docker.internal:host-gateway"
+          "--pull=always"
+        ];
+
+        environmentFiles = [ config.age.secrets.loomio-environment.path ];
+
+        environment = {
+          CANONICAL_HOST = "";
+          SUPPORT_EMAIL = "";
+          SITE_NAME = "";
+          REPLY_HOSTNAME = "";
+          CHANNELS_URI = "";
+          HELPER_BOT_EMAIL = "no-reply@";
+
+          SMTP_AUTH = "plain";
+          SMTP_DOMAIN = "";
+          SMTP_SERVER = "smtp.example.com";
+          SMTP_PORT = "465";
+          SMTP_USE_SSL = "1";
+
+          ACTIVE_STORAGE_SERVICE = "local";
+
+          ALLOW_ROBOTS = "0";
+
+          THEME_ICON_SRC = "/files/icon.png";
+          THEME_APP_LOGO_SRC = "/files/logo.svg";
+          THEME_EMAIL_HEADER_LOGO_SRC = "/files/logo_128h.png";
+          THEME_EMAIL_FOOTER_LOGO_SRC = "/files/logo_64h.png";
+
+          # used in emails. use rgb or hsl values, not hex
+          THEME_PRIMARY_COLOR = "rgb(255,167,38)";
+          THEME_ACCENT_COLOR = "rgb(0,188,212)";
+          THEME_TEXT_ON_PRIMARY_COLOR = "rgb(255,255,255)";
+          THEME_TEXT_ON_ACCENT_COLOR = "rgb(255,255,255)";
+
+          REDIS_URL = "unix:///run/redis/redis.sock";
+
+          CHANNELS_URI = "wss://channels.";
+
+          RAILS_ENV = "production";
+        };
+      };
+    in {
+      backend = "docker";
+
+      containers."loomio" = loomioConfig // {
+        ports = [ "127.0.0.1:3001:3000" ];
+        volumes = [ "/var/lib/loomio/import:/import" ];
+      };
+
+      containers."loomio-worker" = loomioConfig // {
+        environment = {
+          TASK = "worker";
+        };
+        volumes = [ "/var/lib/loomio/import:/import" ];
+      };
+
+      containers."loomio-mailin" = {
+        image = "loomio/mailin-docker:latest";
+        autoStart = true;
+      };
+
+      containers."loomio-channels" = {
+        image = "loomio/loomio_channel_server";
+        autoStart = true;
+        environmentFiles = [ config.age.secrets.loomio-environment.path ];
+      };
+    };
+  };
+
+  services.redis.servers.loomio.enable = true;
+}

hosts/nachtigall/default.nix

@@ -15,6 +15,7 @@
       ./apps/coturn.nix
       ./apps/forgejo.nix
       ./apps/keycloak.nix
+      ./apps/loomio.nix
       ./apps/mailman.nix
       ./apps/mastodon.nix
       ./apps/mediawiki.nix

secrets/secrets.nix

@@ -2,6 +2,8 @@ let
   # set ssh public keys here for your system and user
   axeman-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU axeman@tuxnix";
   b12f-bbcom = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmXpOU6vzQiVSSYCoxHYv7wDxC63Qg3dxlAMR6AOzwIABCU5PFFNcO0NWYms/YR7MOViorl+19LCLRABar9JgHU1n+uqxKV6eGph3OPeMp5sN8LAh7C9N+TZj8iJzBxQ3ch+Z/LdmLRwYNJ7KSUI+gwGK6xRS3+z1022Y4P0G0sx7IeCBl4lealQEIIF10ZOfjUdBcLQar7XTc5AxyGKnHCerXHRtccCoadLQujk0AvPXbv3Ma4JwX9X++AnCWRWakqS5UInu2tGuZ/6Hrjd2a9AKWjTaBVDcbYqCvY4XVuMj2/A2bCceFBaoi41apybSk26FSFTU4qiEUNQ6lxeOwG4+1NCXyHe2bGI4VyoxinDYa8vLLzXIRfTRA0qoGfCweXNeWPf0jMqASkUKaSOH5Ot7O5ps34r0j9pWzavDid8QeKJPyhxKuF1a5G4iBEZ0O9vuti60dPSjJPci9oTxbune2/jb7Sa0yO06DtLFJ2ncr5f70s/BDxKk4XIwQLy+KsvzlQEGdY8yA6xv28bOGxL3sQ0HE2pDTsvIbAisVOKzdJeolStL9MM5W8Hg0r/KkGj2bg0TfoRp1xHV9hjKkvJrsQ6okaPvNFeZq0HXzPhWMOVQ+/46z80uaQ1ByRLr3FTwuWJ7F/73ndfxiq6bDE4z2Ji0vOjeWJm6HCxTdGw== hello@benjaminbaedorf.com";
+  b12f-yubi485 = "age1yubikey1qgxuu2x3uzw7k5pg5sp2dv43edhwdz3xuhj7kjqrnw0p8t0l67c5yz9nm6q";
+  b12f-yubi464 = "age1yubikey1qd7szmr9ux2znl4x4hzykkwaru60nr4ufu6kdd88sm7657gjz4x5w0jy4y7";
   hensoko-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb";
   hensoko-2 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy";
   teutat3s-1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
@@ -12,6 +14,8 @@ let
   baseKeys = [
     axeman-1
     b12f-bbcom
+    b12f-yubi485
+    b12f-yubi464
     hensoko-1
     hensoko-2
     teutat3s-1
@@ -52,6 +56,8 @@ in
 
   "searx-environment.age".publicKeys = nachtigallKeys ++ baseKeys;
 
+  "loomio-environment.age".publicKeys = nachtigallKeys ++ baseKeys;
+
   "restic-repo-droppie.age".publicKeys = nachtigallKeys ++ baseKeys;
   "restic-repo-storagebox.age".publicKeys = nachtigallKeys ++ baseKeys;
 
@@ -72,3 +78,4 @@ in
   "nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ baseKeys;
   "nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ baseKeys;
 }
+

terraform/dns.tf

@@ -105,6 +105,11 @@ resource "namecheap_domain_records" "pub-solar" {
     type = "CNAME"
     address = "nachtigall.pub.solar."
   }
+  record {
+    hostname = "decide"
+    type = "CNAME"
+    address = "decide.pub.solar."
+  }
   record {
     hostname = "mastodon"
     type = "CNAME"