Compare commits

...

6 commits

Author SHA1 Message Date
eyjhb
5da6057228
wger: removed hardcoded constants 2024-12-03 22:08:25 +01:00
eyjhb
913a4a0b26
wger: adds a BUNCH of changes 2024-12-03 22:07:03 +01:00
eyjhb
50fee64475
secrets.wger: added secrets 2024-12-03 22:06:54 +01:00
eyjhb
73597c4cdb
wgerpkgs: changed version 2024-12-03 22:06:39 +01:00
eyjhb
68779da243
gerd: changed zramswap comment 2024-12-03 22:06:25 +01:00
eyjhb
57a5740f6f
authelia-nginx: chnaged how to protect websites 2024-12-03 22:06:04 +01:00
8 changed files with 114 additions and 67 deletions

View file

@ -25,13 +25,6 @@
./gerd/services/matrix-synapse.nix
];
# TODO: place this a better place
zramSwap = {
enable = true;
memoryPercent = 75;
algorithm = "lz4";
};
networking.hostName = "gerd";
networking.hostId = "e1166ac9";
@ -64,6 +57,14 @@
};
};
# setup zramswap (we are very ram limited)
zramSwap = {
enable = true;
memoryPercent = 75;
algorithm = "lz4";
};
# TMP FIX FOR https://github.com/nix-community/impermanence/issues/229
boot.initrd.systemd.suppressedUnits = [ "systemd-machine-id-commit.service" ];
systemd.suppressedSystemUnits = [ "systemd-machine-id-commit.service" ];

View file

@ -76,12 +76,8 @@ let
error_page 401 =302 https://${config.mine.shared.settings.authelia.domain}/?rd=$target_url;
'';
in {
# TODO: fix this
mine.shared.lib.authelia.autheliaLocation = autheliaLocation;
mine.shared.lib.authelia.mkProtectedWebsite = { vhostConfig, endpoint ? "/" }: lib.recursiveUpdate vhostConfig {
extraConfig = (lib.attrByPath [ "extraConfig" ] "" vhostConfig) + "\n" + "include ${autheliaLocation};";
locations."${endpoint}" = config.mine.shared.lib.authelia.mkProtectedLocation (lib.attrByPath [ "locations" endpoint ] {} vhostConfig);
mine.shared.lib.authelia.mkProtectedWebsite = websiteConfig: lib.recursiveUpdate websiteConfig {
extraConfig = (lib.attrByPath [ "extraConfig" ] "" websiteConfig) + "\n" + "include ${autheliaLocation};";
};
mine.shared.lib.authelia.mkProtectedLocation = vhostLocationConfig: lib.recursiveUpdate vhostLocationConfig {

View file

@ -18,9 +18,7 @@ in {
};
services.nginx.virtualHosts."${config.mine.shared.settings.domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
endpoint = urlpath;
vhostConfig.locations."${urlpath}" = {
# extraConfig = "rewrite ^${urlpath}(.*)$ /$1 break;";
locations."${urlpath}" = config.mine.shared.lib.authelia.mkProtectedLocation {
proxyPass = "http://localhost:${builtins.toString port}";
};
};

View file

@ -8,15 +8,8 @@ let
wgerpkgs = pkgs.callPackage ./wgerpkg/default.nix {};
# # Application settings
# WGER_SETTINGS['EMAIL_FROM'] = 'wger Workout Manager <wger@example.com>'
# WGER_SETTINGS["ALLOW_REGISTRATION"] = True
# WGER_SETTINGS["ALLOW_GUEST_USERS"] = True
# WGER_SETTINGS["ALLOW_UPLOAD_VIDEOS"] = False
# WGER_SETTINGS["MIN_ACCOUNT_AGE_TO_TRUST"] = 21 # in days
# WGER_SETTINGS["EXERCISE_CACHE_TTL"] = 3600 # in seconds
wger_settings = {
EMAIL_FROM = "wger Workout Manager <wger@example.com>";
EMAIL_FROM = "wger Workout Manager <wger@${config.mine.shared.settings.domain}>";
ALLOW_REGISTRATION = true;
ALLOW_GUEST_USERS = true;
ALLOW_UPLOAD_VIDEOS = false;
@ -25,14 +18,8 @@ let
};
django_settings = rec {
DEBUG = true;
DEBUG = false;
DATABASES.default = {
# ENGINE = "django.db.backends.sqlite3";
# NAME = "${statedir}/database.sqlite";
# USER = "";
# PASSWORD = "";
# HOST = "";
# PORT = "";
ENGINE = "django.db.backends.postgresql";
NAME = "wger";
USER = "wger";
@ -41,31 +28,36 @@ let
PORT = "";
};
ADMINS = [["Your Name" "test@test.dk"]];
ADMINS = [["admin" "admin@${config.mine.shared.settings.domain}"]];
MANAGERS = ADMINS;
TIME_ZONE = "Europe/Berlin";
TIME_ZONE = "Europe/Copenhagen";
SECRET_KEY = "2w!yl6ausb-$05#mjnec)g_h#nc9pzzw0c(kvaskocvyyg1oqc";
SITE_URL = "http://localhost:8100";
SECRET_KEY = "$SECRET_KEY";
SITE_URL = "https://${svc_domain}";
MEDIA_ROOT = "${statedir}/media";
MEDIA_URL = "/media/";
EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend";
# DEFAULT_FROM_EMAIL = WGER_SETTINGS['EMAIL_FROM']
# EMAIL
EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend";
EMAIL_HOST = config.mine.shared.settings.mail.domain_smtp;
EMAIL_PORT = config.mine.shared.settings.mail.ports.submissions;
EMAIL_USE_SSL = true;
EMAIL_HOST_USER = "wger";
EMAIL_HOST_PASSWORD = "$EMAIL_HOST_PASSWORD";
EMAIL_FROM_ADDRESS = wger_settings.EMAIL_FROM;
EMAIL_PAGE_DOMAIN = SITE_URL;
# setup allowed hosts
CSRF_TRUSTED_ORIGINS = [ "https://${svc_domain}" ];
ALLOWED_HOSTS = [ svc_domain ];
# disable recaptcha
RECAPTCHA_PUBLIC_KEY = "";
RECAPTCHA_PRIVATE_KEY = "";
USE_RECAPTCHA = false;
};
wger_settings_file = pkgs.writeText "settings.json" (builtins.toJSON wger_settings);
@ -73,50 +65,73 @@ let
settingsFile = pkgs.writeText "settings.py" ''
from wger.settings_global import *
import json
import os
with open("${django_settings_file}") as f:
globals().update(json.load(f))
for k, v in json.load(f).items():
if isinstance(v, str) and v.startswith("$"):
v = os.environ[v[1:]]
globals()[k] = v
with open("${wger_settings_file}") as f:
WGER_SETTINGS.update(json.load(f))
for k, v in json.load(f).items():
if isinstance(v, str) and v.startswith("$"):
v = os.environ[v[1:]]
WGER_SETTINGS[k] = v
'';
in {
# main service
systemd.services.wger = {
description = "wger fitness";
wantedBy = [ "multi-user.target" ];
after = [ "networking.target" ];
script = ''
# general wger things
${wgerpkgs}/bin/wger migrate-db -s ${settingsFile} || true
# ${wgerpkgs}/bin/wger load-fixtures -s ${settingsFile} || true
# ${wgerpkgs}/bin/wger load-online-fixtures -s ${settingsFile} || true
# manage things
# WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage download-exercise-images || true
# WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage download-exercise-videos || true
# WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage download-ingredient-images || true
WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage sync-exercises || true
# WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage sync-ingredients || true
WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage exercises-health-check || true
script = ''
# initial setup
${wgerpkgs}/bin/wger migrate-db -s ${settingsFile} || true
${wgerpkgs}/bin/wger load-fixtures -s ${settingsFile} || true
# run server
${wgerpkgs}/bin/wger start -s ${settingsFile}
'';
serviceConfig = {
EnvironmentFile = config.age.secrets.wger-env.path;
User = "wger";
Group = "wger";
};
};
users.users."${wger_user}"= {
uid = 738;
isSystemUser = true;
group = wger_user;
# periodic keep up-to-date
systemd.timers."wger-housekeeping" = {
wantedBy = [ "timers.target" ];
timerConfig.OnCalendar = "daily";
};
systemd.services."wger-housekeeping" = {
after = [ "wger.service" ];
requires = [ "wger.service" ];
script = ''
WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage sync-exercises || true
WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage download-exercise-images || true
WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage download-exercise-videos || true
WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage sync-ingredients || true
${wgerpkgs}/bin/wger load-online-fixtures -s ${settingsFile} || true
WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage exercises-health-check || true
'';
serviceConfig = {
EnvironmentFile = config.age.secrets.wger-env.path;
# Type = "oneshot";
User = "wger";
Group = "wger";
};
};
users.groups."${wger_user}".gid = 738;
services.postgresql = {
ensureDatabases = [ wger_user ];
@ -127,14 +142,19 @@ in {
};
services.nginx.virtualHosts."${svc_domain}" = {
# setup users
users.users."${wger_user}"= {
uid = 738;
isSystemUser = true;
group = wger_user;
};
users.groups."${wger_user}".gid = 738;
# nginx
services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
forceSSL = true;
enableACME = true;
extraConfig = ''
include ${config.mine.shared.lib.authelia.autheliaLocation};
'';
locations."/" = config.mine.shared.lib.authelia.mkProtectedLocation {
proxyPass = "http://localhost:${builtins.toString port}";
};
@ -146,4 +166,19 @@ in {
locations."/media".proxyPass = "http://localhost:${builtins.toString port}";
locations."/api".proxyPass = "http://localhost:${builtins.toString port}";
};
# metadata
mine.shared.meta.wger = {
name = "Wger";
description = "We host Wger, which is a FLOSS fitness/workout/nutrition and weight tracker, with FLOSS apps, read more [here](https://wger.de/).";
url = "https://${svc_domain}";
package = let
pkg = wgerpkgs;
in {
name = pkg.pname;
version = pkg.version;
meta = pkg.meta;
};
};
}

View file

@ -9,7 +9,7 @@ let
frontend = callPackage ./frontend.nix {};
in python3.pkgs.buildPythonApplication rec {
pname = "wger";
version = "unstable";
version = "unstable-2024-12-01";
pyproject = true;
src = fetchFromGitHub {

View file

@ -38,6 +38,9 @@
# matrix-synapse
matrix-synapse-config-authelia-secret.file = ./matrix-synapse/config-authelia-secret.age;
# wger
wger-env.file = ./wger/env.age;
};
users.groups.secrets-lldap-bind-user-pass = {};

View file

@ -48,4 +48,7 @@ in
# matrix-synapse
"matrix-synapse/config-authelia-secret.age".publicKeys = defaultAccess;
# wger
"wger/env.age".publicKeys = defaultAccess;
}

11
secrets/wger/env.age Normal file
View file

@ -0,0 +1,11 @@
age-encryption.org/v1
-> ssh-ed25519 QSDXqg KGoB/V0cCAZsfVmoLDmA5Xs2HOHqjg54TYqixYQduEw
sqDb6QnEbwEncAbxKLRLkjCQIwMLBTNMVcejFOwhZWM
-> X25519 o64XZRaiK7ZEquTMmXTyhpdArawiuXC+5W5seFrJclY
qTLXrNGMTPAXs5EzMuCiQ07Ho2LT1KTku2f1AlCHPlk
-> ssh-ed25519 n8n9DQ a8ESfbksuY++k52UJwTKJtb4/aiYzQqUgyYqfug5oyA
bZygFOW6YSg83CmZRpsNDux+UgOxCfja1eQ/R4NyLXM
-> ssh-ed25519 BTp6UA yFBZAlGtHV98t6UA8QbELjOW/Pu6KYVPjbXFvijl9m0
+eobFp5YNBsr2+10Huimwypn3S4/lc7zoX5Ldko9mhA
--- g7w825LgydJlmyZiqnIL0ofUsTn+e47rFmSG8ft6Qqg
!lï•:^çÄÙƒ}R&Xº^_ã213·-éŒË£0Ån<C3BE>DK€­æ&Ù©Dþ:¾^½ÒUwÃÌóŸ 8(£‡ä X‡¾QZsÖªŒ<C2AA>â^(CÂ!ÍìÊ$ ™Üöý×(wÎ8t“ô¾<C3B4>Ñ!Úç²±Ð̈ït;¥ÃNgÚÛ§ˆ<C2A7>Ž[²f+Ù