rallly: patch to remove other login methods

2025-03-02 17:05:43 +01:00 · 2025-03-02 17:05:43 +01:00 · 46f12e25b0
commit 46f12e25b0
parent 300efecc13
4 changed files with 110 additions and 10 deletions
--- a/machines/gerd/services/rallly/default.nix
+++ b/machines/gerd/services/rallly/default.nix
@ -0,0 +1,146 @@
+{ config, lib, pkgs, ... }:
+
+let
+  svc_name = "rallly";
+  svc_domain = "${svc_name}.${config.mine.shared.settings.domain}";
+
+  psqlSocket = "/run/postgresql";
+
+  user = "rallly";
+  port = 7384;
+
+  ralllyPkgsOrig = pkgs.callPackage ./../../../../shared/pkgs/rallly {};
+  ralllyPkgs = ralllyPkgsOrig.overrideAttrs (old: {
+    patches = (if old ? patches then old.patches else []) ++ [
+      ./patches/remove-login-register.patch
+    ];
+  });
+in {
+  # setup rallly service
+  systemd.services.rallly = {
+    description = "rallly";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "networking.target" ];
+
+    # configuration
+    environment = let
+      rallly-prisma-engines = ralllyPkgs.passthru.rallly-prisma-engines;
+    in rec {
+      HOSTNAME = "localhost";
+      PORT = builtins.toString port;
+      DATABASE_URL = "postgresql://${user}@localhost/${user}?host=${psqlSocket}";
+      NEXT_PUBLIC_BASE_URL = "https://${svc_domain}";
+      NEXTAUTH_URL = NEXT_PUBLIC_BASE_URL;
+      # SECRET_PASSWORD = "specified-in-env";
+
+      # limit signup even further
+      ALLOWED_EMAILS = "*@${config.mine.shared.settings.domain}";
+
+      # email
+      SUPPORT_EMAIL = "${svc_name}@${config.mine.shared.settings.domain}";
+      SMTP_HOST = config.mine.shared.settings.mail.domain_smtp;
+      SMTP_PORT = builtins.toString config.mine.shared.settings.mail.ports.submissions;
+      SMTP_SECURE = "true";
+      SMTP_USER = svc_name;
+      # SMTP_PWD = "specified-in-env";
+
+
+      # OIDC
+      OIDC_NAME = "Authelia";
+      OIDC_DISCOVERY_URL = "https://${config.mine.shared.settings.authelia.domain}/.well-known/openid-configuration";
+      OIDC_CLIENT_ID = "rallly";
+      # OIDC_CLIENT_SECRET = "specified-in-env";
+
+      # prisma things (database will not work without, needs to match version in rallly deps as well)
+      PRISMA_SCHEMA_ENGINE_BINARY = "${rallly-prisma-engines}/bin/schema-engine";
+      PRISMA_QUERY_ENGINE_BINARY = "${rallly-prisma-engines}/bin/query-engine";
+      PRISMA_QUERY_ENGINE_LIBRARY = "${rallly-prisma-engines}/lib/libquery_engine.node";
+      PRISMA_INTROSPECTION_ENGINE_BINARY = "${rallly-prisma-engines}/bin/introspection-engine";
+      PRISMA_FMT_BINARY = "${rallly-prisma-engines}/bin/prisma-fmt";
+    };
+
+    # add, otherwise we get warnings
+    path = [ pkgs.openssl ];
+
+    serviceConfig = {
+      ExecStartPre = [
+        # clear cache on each boot, otherwise we might have 
+        # issues when updating it.
+        "${pkgs.findutils}/bin/find -L /var/cache/${svc_name} -mindepth 1 -delete"
+
+        # run db migration each boot
+        "${ralllyPkgs}/bin/rallly-prisma migrate deploy"
+      ];
+      ExecStart = "${ralllyPkgs}/bin/rallly";
+
+      # secret configurations
+      EnvironmentFile = [ config.age.secrets.rallly-env.path ];
+
+      CacheDirectory = svc_name;
+      CacheDirectoryMode = "0750";
+
+      User = user;
+      DynamicUser = true;
+      Restart = "always";
+    };
+  };
+
+  # setup postgresql
+  services.postgresql = {
+    ensureDatabases = [ user ];
+    ensureUsers = [{
+      name = user;
+      ensureDBOwnership = true;
+    }];
+  };
+
+  # setup ldap user for email
+  services.lldap.provision.users = config.mine.shared.lib.ldap.mkScope (lconfig: llib: {
+    "${svc_name}" = llib.mkProvisionUserSystem "${svc_name}" config.age.secrets.rallly-ldap-pass.path;
+  });
+
+  # authelia
+  services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
+    client_id = "rallly";
+    client_name = "Rallly";
+    client_secret = "$pbkdf2-sha512$310000$KB4UqeuVr86lEOoISSE92w$i2YGpz3wRwceiRfYnMUhZ0MboutkDPPYVWnXqiw6tUt./mgZ5kfV1ES.kcdsHhMdavhCrJfWvVTPQRJKImuUrQ";
+    redirect_uris = [ "https://${svc_domain}/api/auth/callback/oidc" ];
+    scopes = [
+      "openid"
+      "email"
+      "profile"
+    ];
+  }];
+
+  # nginx
+  services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
+    forceSSL = true;
+    enableACME = true;
+    
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString port}";
+    };
+
+    # try to disable registration
+    locations."/api/trpc/auth.requestRegistration" = {
+      root = pkgs.writeTextDir "index.html" ''
+        NO REGISTRATION!!
+      '';
+    };
+  };
+
+  # meta information!
+  mine.shared.meta.rallly = {
+    name = "Rallly";
+    description = ''Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier. Please do not try to use the register or normal login, only try to sign in using the SSO method. '';
+    url = "https://${svc_domain}";
+
+    package = let
+      pkg = ralllyPkgs;
+    in {
+      name = pkg.pname;
+      version = pkg.version;
+      meta = pkg.meta;
+    };
+  };
+}