obs-portal: init obs-portal on nachtigall

This follows the official installation instructions at https://github.com/openbikesensor/portal/blob/main/docs/production-deployment.md

Unfortunately, the postgres database needs to have postgis enabled, so
we'll have to start a second instance. To stay close to the official
deployment instructions, this is running in docker.

The secrets were taken from the old installation instance. During
initial installation, we'll need to import data from the old instance
into this one, which might take a while.

.forgejo/workflows/check.yml

@@ -24,26 +24,48 @@ jobs:
           echo "hash=$(md5sum flake.lock | awk '{print $1}')" >> $GITHUB_OUTPUT
 
       - name: Restore and cache Nix store
-        uses: https://github.com/nix-community/cache-nix-action@v5
+        uses: https://github.com/nix-community/cache-nix-action@v4.0.3
         id: nix-store-cache
         with:
-          primary-key: cache-${{ runner.os }}-nix-store-${{ steps.flake-lock-hash.outputs.hash }}
-          restore-prefixes-first-match: |
+          key: cache-${{ runner.os }}-nix-store-${{ steps.flake-lock-hash.outputs.hash }}
+          restore-keys: |
             cache-${{ runner.os }}-nix-store-
 
           gc-linux: true
           gc-max-store-size-linux: 10000000000
 
-          purge: true
-          purge-prefixes: cache-${{ runner.os }}-nix-store-
-          purge-created: 42
+          purge-caches: true
+          purge-key: cache-${{ runner.os }}-nix-store-
+          purge-created: true
+          purge-created-max-age: 42
 
       - name: Prepare cachix
         uses: https://github.com/cachix/cachix-action@v14
         with:
           name: pub-solar
           authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
+          useDaemon: false
 
       - name: Run flake checks
         run: |
+          # Prevent cache garbage collection by creating GC roots
+          for target in $(nix flake show --json --all-systems | jq '
+            .["nixosConfigurations"] |
+            to_entries[] |
+            .key
+            ' | tr -d '"'
+          ); do
+            nix --print-build-logs --verbose --accept-flake-config --access-tokens '' \
+              build --out-link ./result-$target ".#nixosConfigurations.${target}.config.system.build.toplevel"
+          done
+
           nix --print-build-logs --verbose --accept-flake-config --access-tokens '' flake check
+
+          # Add GC roots for flake inputs, too
+          # https://github.com/NixOS/nix/issues/4250#issuecomment-1146878407
+          mkdir --parents "$NIX_USER_PROFILE_DIR"
+          gc_root_prefix="$NIX_USER_PROFILE_DIR"/infra-flake-
+          echo "Adding gcroots flake inputs with prefix $gc_root_prefix ..."
+          nix flake archive --json 2>/dev/null | jq --raw-output '.inputs | to_entries[] | "ln --force --symbolic --no-target-directory "+.value.path+" \"'"$gc_root_prefix"'"+.key+"\""' | while read -r line; do
+            eval "$line"
+          done

hosts/flora-6/apps/forgejo-actions-runner.nix

@@ -13,16 +13,43 @@
   # Needed for the docker runner to communicate with the act_runner cache
   networking.firewall.trustedInterfaces = [ "br-+" ];
 
+  users.users.gitea-runner = {
+    home = "/var/lib/gitea-runner/flora-6";
+    useDefaultShell = true;
+    group = "gitea-runner";
+    isSystemUser = true;
+  };
+
+  users.groups.gitea-runner = {};
+
+  systemd.services."gitea-runner-flora\\x2d6".serviceConfig = {
+    DynamicUser = lib.mkForce false;
+  };
+
+  systemd.tmpfiles.rules = [
+    "d '/data/gitea-actions-runner' 0750 gitea-runner gitea-runner - -"
+    "d '/var/lib/gitea-runner' 0750 gitea-runner gitea-runner - -"
+  ];
+
   # forgejo actions runner
   # https://forgejo.org/docs/latest/admin/actions/
   # https://docs.gitea.com/usage/actions/quickstart
   services.gitea-actions-runner = {
-    package = pkgs.forgejo-actions-runner;
+    package = pkgs.forgejo-runner;
     instances."flora-6" = {
       enable = true;
       name = config.networking.hostName;
       url = "https://git.pub.solar";
       tokenFile = config.age.secrets.forgejo-actions-runner-token.path;
+      settings = {
+        cache = {
+          enabled = true;
+          dir = "/data/gitea-actions-runner/actcache";
+          host = "";
+          port = 0;
+          external_server = "";
+        };
+      };
       labels = [
         # provide a debian 12 bookworm base with Node.js for actions
         "debian-latest:docker://git.pub.solar/pub-solar/actions-base-image:20-bookworm"

hosts/nachtigall/apps/obs-portal.nix

@@ -0,0 +1,140 @@
+{ config
+, lib
+, pkgs
+, self
+, flake
+, ...
+}: let 
+  configPy = pkgs.writeText "obs-portal-config.py" ''
+DEBUG = False
+VERBOSE = DEBUG
+AUTO_RESTART = DEBUG
+LEAN_MODE = False
+FRONTEND_URL = None
+FRONTEND_HTTPS = True
+FRONTEND_DIR = "../frontend/build/"
+FRONTEND_CONFIG = {
+    "imprintUrl": "https://pub.solar/about",
+    "privacyPolicyUrl": "https://pub.solar/privacy",
+    "mapHome": {"zoom": 12, "latitude": 50.93, "longitude": 6.97},
+    "banner": {
+        "text": "This is an installation serving the Cologne/Bonn region run for Team OBSKöln by pub.solar n.e.V.",
+        "style": "info"
+    },
+}
+TILES_FILE = None
+ADDITIONAL_CORS_ORIGINS = None
+  '';
+
+  env = {
+    OBS_KEYCLOAK_URI = "auth.pub.solar";
+    OBS_PORTAL_URI = "obs-portal.pub.solar";
+
+    OBS_POSTGRES_MAX_OVERFLOW = "20";
+    OBS_POSTGRES_POOL_SIZE = "40";
+
+    OBS_HOST = "0.0.0.0";
+    OBS_PORT = "3000";
+    OBS_KEYCLOAK_URL = "https://auth.pub.solar/realms/pub.solar/";
+    OBS_KEYCLOAK_CLIENT_ID = "openbikesensor-portal";
+    OBS_DEDICATED_WORKER = "True";
+    OBS_DATA_DIR = "/data";
+    OBS_PROXIES_COUNT = "1";
+  };
+in {
+  age.secrets.obs-portal-env = {
+    file = "${flake.self}/secrets/obs-portal-env.age";
+    mode = "600";
+  };
+
+  age.secrets.obs-portal-database-env = {
+    file = "${flake.self}/secrets/obs-portal-database-env.age";
+    mode = "600";
+  };
+
+  systemd.services."docker-network-obs-portal" =
+    let
+      docker = config.virtualisation.oci-containers.backend;
+      dockerBin = "${pkgs.${docker}}/bin/${docker}";
+    in
+    {
+      serviceConfig.Type = "oneshot";
+      before = [ "docker-obs-portal.service" ];
+      script = ''
+        ${dockerBin} network inspect obs-portal-net >/dev/null 2>&1 || ${dockerBin} network create obs-portal-net --subnet 172.20.0.0/24
+      '';
+    };
+
+  services.nginx.virtualHosts."obs-portal.pub.solar" = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyWebsockets = true;
+      extraConfig = ''
+        proxy_pass http://127.0.0.1:3001;
+        proxy_set_header Host $host;
+      '';
+    };
+  };
+
+  virtualisation = {
+    oci-containers = {
+      backend = "docker";
+
+      containers."obs-portal" = {
+        image = "git.pub.solar/pub-solar/obs-portal:latest";
+        autoStart = true;
+        ports = [ "localhost:3001:${env.OBS_PORT}" ];
+
+        environment = env;
+        environmentFiles = [ config.age.secrets.obs-portal-env.path ];
+
+        volumes = [
+          "${configPy}:/opt/obs/api/config.py"
+          "/var/lib/obs-portal${env.OBS_DATA_DIR}:${env.OBS_DATA_DIR}"
+          "/var/lib/obs-portal/tiles/:/tiles"
+          "/var/lib/obs-portal/pbf/:/pbf"
+        ];
+
+        extraOptions = [
+          "--network=obs-portal-net"
+        ];
+      };
+
+      containers."obs-portal-worker" = {
+        image = "git.pub.solar/pub-solar/obs-portal:latest";
+        autoStart = true;
+
+        cmd = [ "python" "tools/process_track.py" ];
+
+        environment = env;
+        environmentFiles = [ config.age.secrets.obs-portal-env.path ];
+
+        volumes = [
+          "${configPy}:/opt/obs/api/config.py"
+          "/var/lib/obs-portal${env.OBS_DATA_DIR}:${env.OBS_DATA_DIR}"
+        ];
+
+        extraOptions = [
+          "--network=obs-portal-net"
+        ];
+      };
+
+      containers."obs-portal-db" = {
+        image = "openmaptiles/postgis:7.0";
+        autoStart = true;
+
+        environmentFiles = [ config.age.secrets.obs-portal-database-env.path ];
+
+        volumes = [
+          "/var/lib/postgres-obs-portal/data:/var/lib/postgresql/data"
+        ];
+
+        extraOptions = [
+          "--network=obs-portal-net"
+        ];
+      };
+    };
+  };
+}

hosts/nachtigall/default.nix

@@ -32,6 +32,7 @@
       ./apps/promtail.nix
       ./apps/searx.nix
       ./apps/tmate.nix
+      ./apps/obs-portal.nix
 
       ./apps/matrix/irc.nix
       ./apps/matrix/mautrix-telegram.nix

overlays/default.nix

@@ -13,6 +13,7 @@
               };
             in
             {
+              forgejo-runner = unstable.forgejo-runner;
               element-themes = prev.callPackage ./pkgs/element-themes { inherit (inputs) element-themes; };
             })
         ];

secrets/obs-portal-database-env.age

@@ -0,0 +1,27 @@
+age-encryption.org/v1
+-> ssh-ed25519 iDKjwg hAoEiOaK1U0HImALePEYHiE6xebOOqtVujaBWgNBZF8
+ecf/ykqYPihRJxI/Y7Oh6QhWSyncwevlzEZoRqm3aGM
+-> ssh-ed25519 uYcDNw NcIttsTn6wPCmoOYGtZ66IYhthjLDI3sYFe4pbW6cB4
+9hv4dEYoXXWSZ2pG1hy68vmTf++v+g3q7wVhT6cAog0
+-> ssh-rsa kFDS0A
+KoW3J2Tw90chM6Oy17umOQN0WFI4je7CBk3IgdImsd4Mz5q17/nXlhVlFFhx4ZEk
+Or9LaqytVk1NA6J4+suMRlx4Pd6oberXu1KBkFQMr1B3LKhNOaOZ+W1mrbQLGG9U
+YUTyOpkHxVkw0IOsvxB/0reMCHtjKHo661zFjim1YFmEk0WRt4hU1XqsMNiE4wbc
+GF0t9EWMN2pU2p7DpX/DzVTqu8yk8SQhCZc9kfzWcuawwf0rcjwUJ/Rk1MH5tMpK
+odRXXl1slPPwQinE+KJqeyrfuRDHqwqmxnOfOWG6KQwWkVSE1btiHEvfuuLOjSjl
+3wO+veRC9hW5sSCPANoFbuSQ1dprmoyaZnOyeRTbgw91ks/ogLBezF/KSkaMQeHx
+XRnfcceBmeeqHl9L3Z+3EmBjwIqu2Og0pvhDU8G/ZeA0cHS/22QYGzeD/gOqaEW7
+d1VyA6LZd8PxIjoBamdipIpY0TqZ8+cA/yaUKNnYXXRSlKQ5ggPxh7ZXfvRbGg+m
+WbNiHxBPcTK7/Bpzes4LJVcx0Ar4XeDxVQe1MITLpFWh+FDEQZEA3630JngZ153J
+vBvw+VFedPSr6Ov+/33/J3LKC0XRatGnc++AWfo4rWPLCE6qovEDyY+wmct8gv0j
+rMEK7OaNfyy+Z21mjrkwcEUbyoGt9ksEplaRblE0Lsk
+-> ssh-ed25519 YFSOsg LmLRtBYMSzjid3VkUgAQvDOS9r0imWSKE7fm0t/x41Y
+0mae0vsNmaS5aVOKezXit7KV44JKLpU+GWpuA++dCVo
+-> ssh-ed25519 iHV63A Tc2z2JciftAikoj4Hv9IBgkcYWAcyGuPJTNA3Yw2K1w
+cO5o/pbaZAtTvXUskOah9vWP/Tuvyi3QDM7g4AQ+b8s
+-> ssh-ed25519 BVsyTA mk6n6ytaI4V9JVoUZFtwfFOgaLYc6gvVOcSZXQj/FVI
+etqbUCqe0eY81qaVco7pMJjhfM+sA/bXLMW0bEsCLxI
+--- CmNq6ZPxFoFTsySVfr7BTHV0tm9cbRYGG6IR7DNgbEY
+!è烈í}
+ùSê<>ŸSl®Ds;!ÁjršZçR"—ë#ž­¿»ÙÅ~!›Ÿ¤6AùwEn ? kËAcx~—ŽÜGVæ&M¯ý¾ä,
+a›U

secrets/secrets.nix

@@ -1,4 +1,5 @@
 let
+<<<<<<< HEAD
   admins = import ../logins/admins.nix;
 
   nachtigall-host = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP7G0ufi+MNvaAZLDgpieHrABPGN7e/kD5kMFwSk4ABj root@nachtigall";
@@ -64,4 +65,7 @@ in
 
   "nachtigall-metrics-nginx-basic-auth.age".publicKeys = nachtigallKeys ++ adminKeys;
   "nachtigall-metrics-prometheus-basic-auth-password.age".publicKeys = flora6Keys ++ nachtigallKeys ++ adminKeys;
+
+  "obs-portal-env.age".publicKeys = nachtigallKeys ++ adminKeys;
+  "obs-portal-database-env.age".publicKeys = nachtigallKeys ++ adminKeys;
 }