diff --git a/hosts/nachtigall/apps/obs-portal.nix b/hosts/nachtigall/apps/obs-portal.nix
new file mode 100644
index 0000000..0fd680d
--- /dev/null
+++ b/hosts/nachtigall/apps/obs-portal.nix
@@ -0,0 +1,140 @@
+{ config
+, lib
+, pkgs
+, self
+, flake
+, ...
+}: let
+ configPy = pkgs.writeText "obs-portal-config.py" ''
+DEBUG = False
+VERBOSE = DEBUG
+AUTO_RESTART = DEBUG
+LEAN_MODE = False
+FRONTEND_URL = None
+FRONTEND_HTTPS = True
+FRONTEND_DIR = "../frontend/build/"
+FRONTEND_CONFIG = {
+ "imprintUrl": "https://pub.solar/about",
+ "privacyPolicyUrl": "https://pub.solar/privacy",
+ "mapHome": {"zoom": 12, "latitude": 50.93, "longitude": 6.97},
+ "banner": {
+ "text": "This is an installation serving the Cologne/Bonn region run for Team OBSKöln by pub.solar n.e.V.",
+ "style": "info"
+ },
+}
+TILES_FILE = None
+ADDITIONAL_CORS_ORIGINS = None
+ '';
+
+ env = {
+ OBS_KEYCLOAK_URI = "auth.pub.solar";
+ OBS_PORTAL_URI = "obs-portal.pub.solar";
+
+ OBS_POSTGRES_MAX_OVERFLOW = "20";
+ OBS_POSTGRES_POOL_SIZE = "40";
+
+ OBS_HOST = "0.0.0.0";
+ OBS_PORT = "3000";
+ OBS_KEYCLOAK_URL = "https://auth.pub.solar/realms/pub.solar/";
+ OBS_KEYCLOAK_CLIENT_ID = "openbikesensor-portal";
+ OBS_DEDICATED_WORKER = "True";
+ OBS_DATA_DIR = "/data";
+ OBS_PROXIES_COUNT = "1";
+ };
+in {
+ age.secrets.obs-portal-env = {
+ file = "${flake.self}/secrets/obs-portal-env.age";
+ mode = "600";
+ };
+
+ age.secrets.obs-portal-database-env = {
+ file = "${flake.self}/secrets/obs-portal-database-env.age";
+ mode = "600";
+ };
+
+ systemd.services."docker-network-obs-portal" =
+ let
+ docker = config.virtualisation.oci-containers.backend;
+ dockerBin = "${pkgs.${docker}}/bin/${docker}";
+ in
+ {
+ serviceConfig.Type = "oneshot";
+ before = [ "docker-obs-portal.service" ];
+ script = ''
+ ${dockerBin} network inspect obs-portal-net >/dev/null 2>&1 || ${dockerBin} network create obs-portal-net --subnet 172.20.0.0/24
+ '';
+ };
+
+ services.nginx.virtualHosts."obs-portal.pub.solar" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_pass http://127.0.0.1:3001;
+ proxy_set_header Host $host;
+ '';
+ };
+ };
+
+ virtualisation = {
+ oci-containers = {
+ backend = "docker";
+
+ containers."obs-portal" = {
+ image = "git.pub.solar/pub-solar/obs-portal:latest";
+ autoStart = true;
+ ports = [ "localhost:3001:${env.OBS_PORT}" ];
+
+ environment = env;
+ environmentFiles = [ config.age.secrets.obs-portal-env.path ];
+
+ volumes = [
+ "${configPy}:/opt/obs/api/config.py"
+ "/var/lib/obs-portal${env.OBS_DATA_DIR}:${env.OBS_DATA_DIR}"
+ "/var/lib/obs-portal/tiles/:/tiles"
+ "/var/lib/obs-portal/pbf/:/pbf"
+ ];
+
+ extraOptions = [
+ "--network=obs-portal-net"
+ ];
+ };
+
+ containers."obs-portal-worker" = {
+ image = "git.pub.solar/pub-solar/obs-portal:latest";
+ autoStart = true;
+
+ cmd = [ "python" "tools/process_track.py" ];
+
+ environment = env;
+ environmentFiles = [ config.age.secrets.obs-portal-env.path ];
+
+ volumes = [
+ "${configPy}:/opt/obs/api/config.py"
+ "/var/lib/obs-portal${env.OBS_DATA_DIR}:${env.OBS_DATA_DIR}"
+ ];
+
+ extraOptions = [
+ "--network=obs-portal-net"
+ ];
+ };
+
+ containers."obs-portal-db" = {
+ image = "openmaptiles/postgis:7.0";
+ autoStart = true;
+
+ environmentFiles = [ config.age.secrets.obs-portal-database-env.path ];
+
+ volumes = [
+ "/var/lib/postgres-obs-portal/data:/var/lib/postgresql/data"
+ ];
+
+ extraOptions = [
+ "--network=obs-portal-net"
+ ];
+ };
+ };
+ };
+}
diff --git a/hosts/nachtigall/default.nix b/hosts/nachtigall/default.nix
index 69428bf..8e1455e 100644
--- a/hosts/nachtigall/default.nix
+++ b/hosts/nachtigall/default.nix
@@ -32,6 +32,7 @@ ./apps/promtail.nix ./apps/searx.nix ./apps/tmate.nix + ./apps/obs-portal.nix ./apps/matrix/irc.nix ./apps/matrix/mautrix-telegram.nix
diff --git a/secrets/obs-portal-database-env.age b/secrets/obs-portal-database-env.age
new file mode 100644
index 0000000..0286690
--- /dev/null
+++ b/secrets/obs-portal-database-env.age
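Review bot: The nginx location sets `proxy_pass` inside `extraConfig` and forwards only `Host`, so no `X-Forwarded-For`/`X-Forwarded-Proto` header is set by nginx, while the container is told `OBS_PROXIES_COUNT = "1"`, i.e. the app will trust one proxy hop in exactly those headers; since nginx passes through client-supplied headers it does not override, the app-side client address (and, with `FRONTEND_HTTPS = True`, the scheme) becomes client-controlled. In the NixOS module the `recommendedProxySettings` headers are only included when the `proxyPass` option is used, not for a hand-written `proxy_pass`, so the fix is `proxyPass = "http://127.0.0.1:3001";` and, if recommendedProxySettings is not enabled for this host (not visible in the diff), `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Forwarded-Proto $scheme;` alongside the existing `Host` line. Separately, both app containers pull `obs-portal:latest` with no digest, so any restart deploys whatever the registry serves at that moment; pinning a tag or an `image@sha256:…` digest keeps rollouts deliberate and reviewable. The port layout itself is fine: the API is published on localhost:3001 only and the database container publishes no ports.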
@@ -0,0 +1,27 @@ +age-encryption.org/v1 +-> ssh-ed25519 iDKjwg hAoEiOaK1U0HImALePEYHiE6xebOOqtVujaBWgNBZF8 +ecf/ykqYPihRJxI/Y7Oh6QhWSyncwevlzEZoRqm3aGM +-> ssh-ed25519 uYcDNw NcIttsTn6wPCmoOYGtZ66IYhthjLDI3sYFe4pbW6cB4 +9hv4dEYoXXWSZ2pG1hy68vmTf++v+g3q7wVhT6cAog0 +-> ssh-rsa kFDS0A +KoW3J2Tw90chM6Oy17umOQN0WFI4je7CBk3IgdImsd4Mz5q17/nXlhVlFFhx4ZEk +Or9LaqytVk1NA6J4+suMRlx4Pd6oberXu1KBkFQMr1B3LKhNOaOZ+W1mrbQLGG9U +YUTyOpkHxVkw0IOsvxB/0reMCHtjKHo661zFjim1YFmEk0WRt4hU1XqsMNiE4wbc +GF0t9EWMN2pU2p7DpX/DzVTqu8yk8SQhCZc9kfzWcuawwf0rcjwUJ/Rk1MH5tMpK +odRXXl1slPPwQinE+KJqeyrfuRDHqwqmxnOfOWG6KQwWkVSE1btiHEvfuuLOjSjl +3wO+veRC9hW5sSCPANoFbuSQ1dprmoyaZnOyeRTbgw91ks/ogLBezF/KSkaMQeHx +XRnfcceBmeeqHl9L3Z+3EmBjwIqu2Og0pvhDU8G/ZeA0cHS/22QYGzeD/gOqaEW7 +d1VyA6LZd8PxIjoBamdipIpY0TqZ8+cA/yaUKNnYXXRSlKQ5ggPxh7ZXfvRbGg+m +WbNiHxBPcTK7/Bpzes4LJVcx0Ar4XeDxVQe1MITLpFWh+FDEQZEA3630JngZ153J +vBvw+VFedPSr6Ov+/33/J3LKC0XRatGnc++AWfo4rWPLCE6qovEDyY+wmct8gv0j +rMEK7OaNfyy+Z21mjrkwcEUbyoGt9ksEplaRblE0Lsk +-> ssh-ed25519 YFSOsg LmLRtBYMSzjid3VkUgAQvDOS9r0imWSKE7fm0t/x41Y +0mae0vsNmaS5aVOKezXit7KV44JKLpU+GWpuA++dCVo +-> ssh-ed25519 iHV63A Tc2z2JciftAikoj4Hv9IBgkcYWAcyGuPJTNA3Yw2K1w +cO5o/pbaZAtTvXUskOah9vWP/Tuvyi3QDM7g4AQ+b8s +-> ssh-ed25519 BVsyTA mk6n6ytaI4V9JVoUZFtwfFOgaLYc6gvVOcSZXQj/FVI +etqbUCqe0eY81qaVco7pMJjhfM+sA/bXLMW0bEsCLxI +--- CmNq6ZPxFoFTsySVfr7BTHV0tm9cbRYGG6IR7DNgbEY +!烈} +SꝟSlDs;!jrZR"#~!6AwEn ?kAcx~GV&M, +aU \ No newline at end of file diff --git a/secrets/obs-portal-env.age b/secrets/obs-portal-env.age new file mode 100644 index 0000000..c23caae Binary files /dev/null and b/secrets/obs-portal-env.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 117ebdf..32090c2 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -1,4 +1,5 @@ let +<<<<<<< HEAD admins = import ../logins/admins.nix; nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall"; 
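Review bot: The line `+<<<<<<< HEAD` added at the top of secrets.nix is a leftover merge-conflict marker, not Nix, so the file no longer evaluates and agenix can neither rekey nor edit any secret — including the two recipient entries this commit adds further down. Drop that line; the matching `=======`/`>>>>>>>` markers are not in this hunk, so the rest of the file should be checked for the other half of the conflict before this is merged. The `let` block this hunk opens continues outside the hunk.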
@@ -64,4 +65,7 @@ in "nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ adminKeys; "nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ adminKeys; + + "obs-portal-env.age".publicKeys = nachtigallKeys ++ adminKeys; + "obs-portal-database-env.age".publicKeys = nachtigallKeys ++ adminKeys; }