From bd0e3ff5891778d4127b9c27769385d65108cf93 Mon Sep 17 00:00:00 2001
From: eyjhb
Date: Sat, 1 Mar 2025 15:42:13 +0100
Subject: [PATCH] init rallly
---
 machines/gerd.nix | 3 +
 machines/gerd/services/rallly.nix | 141 ++++++++++++++++++++++++++
 secrets/default.nix | 4 +
 secrets/rallly/env.age | Bin 0 -> 725 bytes
 secrets/rallly/ldap-pass.age | Bin 0 -> 563 bytes
 secrets/secrets.nix | 4 +
 shared/applications/server/podman.nix | 6 ++
 shared/sources/sources.json | 6 +-
 8 files changed, 161 insertions(+), 3 deletions(-)
 create mode 100644 machines/gerd/services/rallly.nix
 create mode 100644 secrets/rallly/env.age
 create mode 100644 secrets/rallly/ldap-pass.age
 create mode 100644 shared/applications/server/podman.nix
diff --git a/machines/gerd.nix b/machines/gerd.nix
index c1d5e14..b727eb1 100644
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@@ -6,6 +6,7 @@
 ./../shared/applications/server/nginx.nix
 ./../shared/applications/server/postgresql.nix # INCLUDES DATABASE BACKUPS
 ./../shared/applications/server/restic.nix # EXTERNAL BACKUP
+ ./../shared/applications/server/podman.nix
 ./../shared/applications/state/postgresql.nix
 ./../shared/applications/state/ssh.nix
@@ -28,6 +29,8 @@
 ./gerd/services/matrix-synapse.nix
 ./gerd/services/uptime-kuma.nix
+
+ ./gerd/services/rallly.nix
 ];
 networking.hostName = "gerd";
diff --git a/machines/gerd/services/rallly.nix b/machines/gerd/services/rallly.nix
new file mode 100644
index 0000000..d1f27b9
--- /dev/null
+++ b/machines/gerd/services/rallly.nix
@@ -0,0 +1,141 @@
+{ config, lib, pkgs, ... }:
+
+let
+ svc_name = "rallly";
+ svc_domain = "${svc_name}.${config.mine.shared.settings.domain}";
+
+ psqlSocket = "/run/postgresql";
+
+ user = "rallly";
+ group = user;
+ port = 7384;
+ internal_port = port;
+
+ rally_version = "3.11";
+in {
+ # setup container
+ virtualisation.oci-containers.containers.rallly = {
+ autoStart = true;
+ image = "lukevella/rallly:${rally_version}";
+
+ podman.user = user;
+
+ extraOptions = let
+ uid = config.users.users."${user}".uid;
+ gid = config.users.groups."${group}".gid;
+ in [
+ "--userns=keep-id:uid=${builtins.toString uid},gid=${builtins.toString gid}"
+ # TODO(eyJhb): required, otherwise rallly container cannot access authelia well-known openid configuration
+ "--network=host"
+ ];
+
+ environmentFiles = [
+ config.age.secrets.rallly-env.path
+ ];
+ environment = {
+ PORT = builtins.toString internal_port;
+ DATABASE_URL = "postgresql://${user}@localhost/${user}?host=${psqlSocket}";
+ NEXT_PUBLIC_BASE_URL = "https://${svc_domain}";
+ # SECRET_PASSWORD = "specified-in-env";
+
+ # limit signup even further
+ ALLOWED_EMAILS = "*@${config.mine.shared.settings.domain}";
+
+ # email
+ SUPPORT_EMAIL = "${svc_name}@${config.mine.shared.settings.domain}";
+ SMTP_HOST = config.mine.shared.settings.mail.domain_smtp;
+ SMTP_PORT = builtins.toString config.mine.shared.settings.mail.ports.submissions;
+ SMTP_SECURE = "true";
+ SMTP_USER = svc_name;
+ # SMTP_PWD = "specified-in-env";
+
+
+ # OIDC
+ OIDC_NAME = "Authelia";
+ OIDC_DISCOVERY_URL = "https://${config.mine.shared.settings.authelia.domain}/.well-known/openid-configuration";
+ OIDC_CLIENT_ID = "rallly";
+ # OIDC_CLIENT_SECRET = "specified-in-env";
+ };
+
+ volumes = [
+ "${psqlSocket}:${psqlSocket}"
+ ];
+
+ # TODO(eyJhb): likely not needed, because of the tmp network=host
+ ports = [
+ "127.0.0.1:${builtins.toString port}:${builtins.toString internal_port}"
+ ];
+ };
+
+ # setup postgresql
+ services.postgresql = {
+ ensureDatabases = [ user ];
+ ensureUsers = [{
+ name = user;
+ ensureDBOwnership = true;
+ }];
+ };
+
+ # setup ldap user for email
+ services.lldap.provision.users = config.mine.shared.lib.ldap.mkScope (lconfig: llib: {
+ "${svc_name}" = llib.mkProvisionUserSystem "${svc_name}" config.age.secrets.rallly-ldap-pass.path;
+ });
+
+ # give rallly user access to the secrets
+ age.secrets.rallly-env.owner = user;
+
+ # setup users
+ users.users."${user}" = {
+ isNormalUser = true;
+ group = group;
+ uid = 1001;
+ };
+ users.groups."${group}".gid = 974;
+
+ # authelia
+ services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
+ client_id = "rallly";
+ client_name = "Rallly";
+ client_secret = "$pbkdf2-sha512$310000$KB4UqeuVr86lEOoISSE92w$i2YGpz3wRwceiRfYnMUhZ0MboutkDPPYVWnXqiw6tUt./mgZ5kfV1ES.kcdsHhMdavhCrJfWvVTPQRJKImuUrQ";
+ redirect_uris = [ "https://${svc_domain}/api/auth/callback/oidc" ];
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ }];
+
+ # nginx
+ services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
+ forceSSL = true;
+ enableACME = true;
+
+ locations."/" = {
+ proxyPass = "http://localhost:${builtins.toString port}";
+ };
+
+ # try to disable registration
+ locations."/api/trpc/auth.requestRegistration" = {
+ root = pkgs.writeTextDir "index.html" ''
+ NO REGISTRATION!!
+ '';
+ };
+ };
+
+ mine.shared.meta.rallly = {
+ name = "Rallly";
+ description = ''Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier. Please do not try to use the register or normal login, only try to sign in using the SSO method. 
''; + url = "https://${svc_domain}"; + + package = { + name = "rallly"; + version = "v${rally_version}"; + meta = with lib; { + description = "Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier."; + license = licenses.agpl3Plus; + homepage = "https://git.fricloud.dk/fricloud/server-configs/src/branch/main/machines/gerd/services/member-website/app.py"; + platforms = platforms.all; + }; + }; + }; +} diff --git a/secrets/default.nix b/secrets/default.nix index 312fecd..037c8cb 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -54,6 +54,10 @@ # uptime-kuma uptime-kuma-ldap-pass.file = ./uptime-kuma/ldap-pass.age; + + # rallly + rallly-ldap-pass.file = ./rallly/ldap-pass.age; + rallly-env.file = ./rallly/env.age; }; users.groups.secrets-lldap-bind-user-pass = {}; diff --git a/secrets/rallly/env.age b/secrets/rallly/env.age new file mode 100644 index 0000000000000000000000000000000000000000..01d9b0d6d570f5eaad5d44c13a861ddde471ee5f GIT binary patch literal 725 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+40eeqOjn4E2=&Tx zcMnPqNplOea5oCcjB+%|jf`*#E(tJCbu;m)$W0AO4h`@#Oy_b=G|Dj7_RDZJchWEO z%F7Kl3`tHZObc>#HBPq7H7Tkx$~3PuEzmA>^90!z0kOy{HQmc2IUvx`(6lVavoze$ zE!)!ErMM)*$vG^zz%s?Z!XivR)F`JS!;>pC!z08nQQtT-GaxL;xg^`Xz&pe;HzLhH zAW=K5IK{}(GutgsyV%1wG#_LGvVZa{@+@5f6{;+fvJ8E^+-L!)Z^0ZU6ouZ0^ zQuG57%`**BN_;AOd@V~NjQk=zxpIrbQq7Z!yabWD|5ZeD-80${z10QDWt$G)KQ@*-z3n@w9>~jw941tsWLd<+tZ^kEhx&>*T|_n zB+n<^)gsc&&m=J*$CoRzAg9#b$;~my!`(mJJS*S3A}~8F%CMrK(lpE1EYQU#!_6tc z&CH;pAd*X0S63l3Ft9j3J=r59%dD^>F+8v$(l4;oAiJWXG$%bz-!(JM$)Zxy~}-oV(cO z6rTPfBPH7*U@mZ8&1LaMbCwi~C4#^ACY=)xy>0pIYvr>`2Xl?$K1`XPv8%Bw*!b64 z8A)MAE3=|?4DroY)n5&Z-bX}z<9y%0Ea-%sj3k%If-=QBzVol1&wp3&XY-Nx2<0kS zIX}ll&v&Pz9v+-H#re?QpIu_B-6B|;uk^8`o11!nEcQ-z`+fC`@rEti+ogJVo^3x> mdT{6ScbDGJN=)7Mod5L({p#Cm*XKWfoT%;Wbog9miwppCS`0-1 literal 0 HcmV?d00001 
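Review bot: `--network=host` in extraOptions drops the container's network namespace, so the `ports` entry that was meant to pin the service to `127.0.0.1` no longer does anything (podman discards port mappings in host network mode, as the second TODO already hints) and the listener ends up wherever the process inside the container binds it — which, if rallly binds all interfaces, exposes the unauthenticated upstream on the host's public addresses unless the host firewall closes that port; please confirm the bind address or record the dependency next to the option, e.g. `# NOTE: host networking bypasses the 127.0.0.1 port mapping; exposure is limited only by the host firewall`. If the actual problem is that the Authelia domain does not resolve from inside the container, `--add-host=<authelia-domain>:<host-ip>` (placeholders) on the default bridge network would keep the namespace isolation and make the TODO go away. The `locations."/api/trpc/auth.requestRegistration"` block matches only requests whose path starts with that prefix; tRPC batch requests can carry several procedure names in one path, so this may not catch every registration call and the comment should say the nginx block is best-effort while `ALLOWED_EMAILS` is the real control. Unrelated: the `homepage` in `mine.shared.meta.rallly.package.meta` points at `machines/gerd/services/member-website/app.py`, which looks like a copy-paste leftover from another service's definition.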
diff --git a/secrets/rallly/ldap-pass.age b/secrets/rallly/ldap-pass.age new file mode 100644 index 0000000000000000000000000000000000000000..d40f5da7235bd0cf3e96a28d02bca00190feef17 GIT binary patch literal 563 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+40eeqOjk$`^392I z3ouDc4~Q&{sLXQr4)XOX^osB)E6Oo7^U29H@iT~w%uFs1GvG4HbBrhq3J9!pGck2> z3^#WT)OPdo@ym!Z_el;YayBz@39CpCNOegGiUipf0kJ62#Vx?wIIkqwJk>ib+tDa6 z-#H`K$;>svCo8Wi(mgdbGS58G$;`LX-I2?&!Z<0#)YH?gD8e*6Br(I-D<{O+wAjzU zIZ59zC^gUDD=$Kw1fP#{j1DV6SXr#T)p%?oDKCu3&RRc zEi1FbEmM7qbG%$Fy>kN1D+9Tz@`9Z5yaJr_stl`q!h8dA4E2k>l1sh(Lo%EKLfxD_ zT(e!Zo%0N<%=1D1LAK2)q`)lHQ6VSF)WyunJ2D_3%F-e%J;cW?F~r<5)WxMRJ+L$| zs4~=IkluXTe~tRt=Kr&D>$rBKPRIiGsD2h zg6qtebAs(AJF+%0yt;h)RzRhTiQ;}S#~Tv@3=J=wvzip8ELSISn}I82&YxJH!_KVr W2K(0(Ru@k*-ea~q!SQYs??V8ma=Kvv literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index c6a3edd..344d5d0 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -64,4 +64,8 @@ in # uptime-kuma "uptime-kuma/ldap-pass.age".publicKeys = defaultAccess; + + # rallly + "rallly/ldap-pass.age".publicKeys = defaultAccess; + "rallly/env.age".publicKeys = defaultAccess; } diff --git a/shared/applications/server/podman.nix b/shared/applications/server/podman.nix new file mode 100644 index 0000000..c982261 --- /dev/null +++ b/shared/applications/server/podman.nix @@ -0,0 +1,6 @@ +{ + virtualisation.podman = { + enable = true; + dockerCompat = true; + }; +} diff --git a/shared/sources/sources.json b/shared/sources/sources.json index b069312..a3f3b7f 100644 --- a/shared/sources/sources.json +++ b/shared/sources/sources.json 
@@ -41,10 +41,10 @@
 "homepage": null,
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "5135c59491985879812717f4c9fea69604e7f26f",
- "sha256": "09qy7zv80bkd9ighsw0bdxjq70dw3qjnyvg7il1fycrsgs5x1gan",
+ "rev": "6313551cd05425cd5b3e63fe47dbc324eabb15e4",
+ "sha256": "0fxw15gia9cc72spsqf1870bggp8gx694cr2g8hspm3jbj87xr0g",
 "type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/5135c59491985879812717f4c9fea69604e7f26f.tar.gz",
+ "url": "https://github.com/NixOS/nixpkgs/archive/6313551cd05425cd5b3e63fe47dbc324eabb15e4.tar.gz",
 "url_template": "https://github.com///archive/.tar.gz"
 }
 }