init rallly

2025-03-01 15:42:13 +01:00 · 2025-03-01 15:42:13 +01:00 · bd0e3ff589
commit bd0e3ff589
parent aeb1866415
8 changed files with 161 additions and 3 deletions
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@ -6,6 +6,7 @@
    ./../shared/applications/server/nginx.nix
    ./../shared/applications/server/postgresql.nix # INCLUDES DATABASE BACKUPS
    ./../shared/applications/server/restic.nix # EXTERNAL BACKUP
+    ./../shared/applications/server/podman.nix
    ./../shared/applications/state/postgresql.nix
    ./../shared/applications/state/ssh.nix

@ -28,6 +29,8 @@
    ./gerd/services/matrix-synapse.nix

    ./gerd/services/uptime-kuma.nix
+
+    ./gerd/services/rallly.nix
  ];

  networking.hostName = "gerd";
--- a/machines/gerd/services/rallly.nix
+++ b/machines/gerd/services/rallly.nix
@ -0,0 +1,141 @@
+{ config, lib, pkgs, ... }:
+
+let
+  svc_name = "rallly";
+  svc_domain = "${svc_name}.${config.mine.shared.settings.domain}";
+
+  psqlSocket = "/run/postgresql";
+
+  user = "rallly";
+  group = user;
+  port = 7384;
+  internal_port = port;
+
+  rally_version = "3.11";
+in {
+  # setup container
+  virtualisation.oci-containers.containers.rallly = {
+    autoStart = true;
+    image = "lukevella/rallly:${rally_version}";
+
+    podman.user = user;
+
+    extraOptions = let
+      uid = config.users.users."${user}".uid;
+      gid = config.users.groups."${group}".gid;
+    in [
+      "--userns=keep-id:uid=${builtins.toString uid},gid=${builtins.toString gid}"
+      # TODO(eyJhb): required, otherwise rallly container cannot access authelia well-known openid configuration
+      "--network=host"
+    ];
+
+    environmentFiles = [
+      config.age.secrets.rallly-env.path
+    ];
+    environment = {
+      PORT = builtins.toString internal_port;
+      DATABASE_URL = "postgresql://${user}@localhost/${user}?host=${psqlSocket}";
+      NEXT_PUBLIC_BASE_URL = "https://${svc_domain}";
+      # SECRET_PASSWORD = "specified-in-env";
+
+      # limit signup even further
+      ALLOWED_EMAILS = "*@${config.mine.shared.settings.domain}";
+
+      # email
+      SUPPORT_EMAIL = "${svc_name}@${config.mine.shared.settings.domain}";
+      SMTP_HOST = config.mine.shared.settings.mail.domain_smtp;
+      SMTP_PORT = builtins.toString config.mine.shared.settings.mail.ports.submissions;
+      SMTP_SECURE = "true";
+      SMTP_USER = svc_name;
+      # SMTP_PWD = "specified-in-env";
+
+
+      # OIDC
+      OIDC_NAME = "Authelia";
+      OIDC_DISCOVERY_URL = "https://${config.mine.shared.settings.authelia.domain}/.well-known/openid-configuration";
+      OIDC_CLIENT_ID = "rallly";
+      # OIDC_CLIENT_SECRET = "specified-in-env";
+    };
+
+    volumes = [
+      "${psqlSocket}:${psqlSocket}"
+    ];
+
+    # TODO(eyJhb): likely not needed, because of the tmp network=host
+    ports = [
+      "127.0.0.1:${builtins.toString port}:${builtins.toString internal_port}"
+    ];
+  };
+
+  # setup postgresql
+  services.postgresql = {
+    ensureDatabases = [ user ];
+    ensureUsers = [{
+      name = user;
+      ensureDBOwnership = true;
+    }];
+  };
+
+  # setup ldap user for email
+  services.lldap.provision.users = config.mine.shared.lib.ldap.mkScope (lconfig: llib: {
+    "${svc_name}" = llib.mkProvisionUserSystem "${svc_name}" config.age.secrets.rallly-ldap-pass.path;
+  });
+
+  # give rallly user access to the secrets
+  age.secrets.rallly-env.owner = user;
+
+  # setup users
+  users.users."${user}" = {
+    isNormalUser = true;
+    group = group;
+    uid = 1001;
+  };
+  users.groups."${group}".gid = 974;
+
+  # authelia
+  services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
+    client_id = "rallly";
+    client_name = "Rallly";
+    client_secret = "$pbkdf2-sha512$310000$KB4UqeuVr86lEOoISSE92w$i2YGpz3wRwceiRfYnMUhZ0MboutkDPPYVWnXqiw6tUt./mgZ5kfV1ES.kcdsHhMdavhCrJfWvVTPQRJKImuUrQ";
+    redirect_uris = [ "https://${svc_domain}/api/auth/callback/oidc" ];
+    scopes = [
+      "openid"
+      "email"
+      "profile"
+    ];
+  }];
+
+  # nginx
+  services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
+    forceSSL = true;
+    enableACME = true;
+    
+    locations."/" = {
+      proxyPass = "http://localhost:${builtins.toString port}";
+    };
+
+    # try to disable registration
+    locations."/api/trpc/auth.requestRegistration" = {
+      root = pkgs.writeTextDir "index.html" ''
+        NO REGISTRATION!!
+      '';
+    };
+  };
+
+  mine.shared.meta.rallly = {
+    name = "Rallly";
+    description = ''Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier. Please do not try to use the register or normal login, only try to sign in using the SSO method. '';
+    url = "https://${svc_domain}";
+
+    package = {
+      name = "rallly";
+      version = "v${rally_version}";
+      meta = with lib; {
+        description = "Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier.";
+        license = licenses.agpl3Plus;
+        homepage = "https://git.fricloud.dk/fricloud/server-configs/src/branch/main/machines/gerd/services/member-website/app.py";
+        platforms = platforms.all;
+      };
+    };
+  };
+}
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -54,6 +54,10 @@

    # uptime-kuma
    uptime-kuma-ldap-pass.file = ./uptime-kuma/ldap-pass.age;
+
+    # rallly
+    rallly-ldap-pass.file = ./rallly/ldap-pass.age;
+    rallly-env.file = ./rallly/env.age;
  };

  users.groups.secrets-lldap-bind-user-pass = {};
--- a/secrets/rallly/env.age
+++ b/secrets/rallly/env.age
--- a/secrets/rallly/ldap-pass.age
+++ b/secrets/rallly/ldap-pass.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -64,4 +64,8 @@ in

  # uptime-kuma
  "uptime-kuma/ldap-pass.age".publicKeys = defaultAccess;
+
+  # rallly
+  "rallly/ldap-pass.age".publicKeys = defaultAccess;
+  "rallly/env.age".publicKeys = defaultAccess;
 }
--- a/shared/applications/server/podman.nix
+++ b/shared/applications/server/podman.nix
@ -0,0 +1,6 @@
+{
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+  };
+}
--- a/shared/sources/sources.json
+++ b/shared/sources/sources.json
@ -41,10 +41,10 @@
        "homepage": null,
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "5135c59491985879812717f4c9fea69604e7f26f",
-        "sha256": "09qy7zv80bkd9ighsw0bdxjq70dw3qjnyvg7il1fycrsgs5x1gan",
+        "rev": "6313551cd05425cd5b3e63fe47dbc324eabb15e4",
+        "sha256": "0fxw15gia9cc72spsqf1870bggp8gx694cr2g8hspm3jbj87xr0g",
        "type": "tarball",
-        "url": "https://github.com/NixOS/nixpkgs/archive/5135c59491985879812717f4c9fea69604e7f26f.tar.gz",
+        "url": "https://github.com/NixOS/nixpkgs/archive/6313551cd05425cd5b3e63fe47dbc324eabb15e4.tar.gz",
        "url_template": "https://github.com/<owner>/<repo>/archive/<rev>.tar.gz"
    }
 }