wger: removed hardcoded constants

wger: adds a BUNCH of changes
secrets.wger: added secrets
2024-12-03 22:08:25 +01:00 · 2024-12-03 22:07:03 +01:00 · 2024-12-03 22:06:54 +01:00 · 2024-12-03 22:06:39 +01:00 · 2024-12-03 22:06:25 +01:00 · 2024-12-03 22:06:04 +01:00
8 changed files with 114 additions and 67 deletions
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@ -25,13 +25,6 @@
    ./gerd/services/matrix-synapse.nix
  ];
  # TODO: place this a better place
  zramSwap = {
    enable = true;
    memoryPercent = 75;
    algorithm = "lz4";
  };
  networking.hostName = "gerd";
  networking.hostId = "e1166ac9";
@ -64,6 +57,14 @@
    };
  };
  # setup zramswap (we are very ram limited)
  zramSwap = {
    enable = true;
    memoryPercent = 75;
    algorithm = "lz4";
  };
  # TMP FIX FOR https://github.com/nix-community/impermanence/issues/229
  boot.initrd.systemd.suppressedUnits = [ "systemd-machine-id-commit.service" ];
  systemd.suppressedSystemUnits = [ "systemd-machine-id-commit.service" ];
--- a/machines/gerd/services/authelia/authelia-nginx.nix
+++ b/machines/gerd/services/authelia/authelia-nginx.nix
@ -76,12 +76,8 @@ let
    error_page 401 =302 https://${config.mine.shared.settings.authelia.domain}/?rd=$target_url;
  '';
 in {
-  # TODO: fix this
+  mine.shared.lib.authelia.mkProtectedWebsite = websiteConfig: lib.recursiveUpdate websiteConfig {
-  mine.shared.lib.authelia.autheliaLocation = autheliaLocation;
+    extraConfig = (lib.attrByPath [ "extraConfig" ] "" websiteConfig) + "\n" + "include ${autheliaLocation};";
  mine.shared.lib.authelia.mkProtectedWebsite = { vhostConfig, endpoint ? "/" }: lib.recursiveUpdate vhostConfig {
    extraConfig = (lib.attrByPath [ "extraConfig" ] "" vhostConfig) + "\n" + "include ${autheliaLocation};";
    locations."${endpoint}" = config.mine.shared.lib.authelia.mkProtectedLocation (lib.attrByPath [ "locations" endpoint ] {} vhostConfig);
  };
  mine.shared.lib.authelia.mkProtectedLocation = vhostLocationConfig: lib.recursiveUpdate vhostLocationConfig {
--- a/machines/gerd/services/member-website/default.nix
+++ b/machines/gerd/services/member-website/default.nix
@ -18,9 +18,7 @@ in {
  };
  services.nginx.virtualHosts."${config.mine.shared.settings.domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
-    endpoint = urlpath;
+    locations."${urlpath}" = config.mine.shared.lib.authelia.mkProtectedLocation {
    vhostConfig.locations."${urlpath}" = {
      # extraConfig = "rewrite ^${urlpath}(.*)$ /$1 break;";
      proxyPass = "http://localhost:${builtins.toString port}";
    };
  };
--- a/machines/gerd/services/wger/default.nix
+++ b/machines/gerd/services/wger/default.nix
@ -8,15 +8,8 @@ let
  wgerpkgs = pkgs.callPackage ./wgerpkg/default.nix {};
 # # Application settings
 # WGER_SETTINGS['EMAIL_FROM'] = 'wger Workout Manager <wger@example.com>'
 # WGER_SETTINGS["ALLOW_REGISTRATION"] = True
 # WGER_SETTINGS["ALLOW_GUEST_USERS"] = True
 # WGER_SETTINGS["ALLOW_UPLOAD_VIDEOS"] = False
 # WGER_SETTINGS["MIN_ACCOUNT_AGE_TO_TRUST"] = 21  # in days
 # WGER_SETTINGS["EXERCISE_CACHE_TTL"] = 3600  # in seconds
  wger_settings = {
-    EMAIL_FROM = "wger Workout Manager <wger@example.com>";
+    EMAIL_FROM = "wger Workout Manager <wger@${config.mine.shared.settings.domain}>";
    ALLOW_REGISTRATION = true;
    ALLOW_GUEST_USERS = true;
    ALLOW_UPLOAD_VIDEOS = false;
@ -25,14 +18,8 @@ let
  };
  django_settings = rec {
-    DEBUG = true;
+    DEBUG = false;
    DATABASES.default = {
        # ENGINE = "django.db.backends.sqlite3";
        # NAME = "${statedir}/database.sqlite";
        # USER = "";
        # PASSWORD = "";
        # HOST = "";
        # PORT = "";
        ENGINE = "django.db.backends.postgresql";
        NAME = "wger";
        USER = "wger";
@ -41,31 +28,36 @@ let
        PORT = "";
    };
-    ADMINS = [["Your Name" "test@test.dk"]];
+    ADMINS = [["admin" "admin@${config.mine.shared.settings.domain}"]];
    MANAGERS = ADMINS;
-    TIME_ZONE = "Europe/Berlin";
+    TIME_ZONE = "Europe/Copenhagen";
-    SECRET_KEY = "2w!yl6ausb-$05#mjnec)g_h#nc9pzzw0c(kvaskocvyyg1oqc";
+    SECRET_KEY = "$SECRET_KEY";
    SITE_URL = "http://localhost:8100";
    SITE_URL = "https://${svc_domain}";
    MEDIA_ROOT = "${statedir}/media";
    MEDIA_URL = "/media/";
    EMAIL_BACKEND = "django.core.mail.backends.console.EmailBackend";
 # DEFAULT_FROM_EMAIL = WGER_SETTINGS['EMAIL_FROM']
    # EMAIL
    EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend";
    EMAIL_HOST = config.mine.shared.settings.mail.domain_smtp;
    EMAIL_PORT = config.mine.shared.settings.mail.ports.submissions;
    EMAIL_USE_SSL = true;
    EMAIL_HOST_USER = "wger";
    EMAIL_HOST_PASSWORD = "$EMAIL_HOST_PASSWORD";
    EMAIL_FROM_ADDRESS = wger_settings.EMAIL_FROM;
    EMAIL_PAGE_DOMAIN = SITE_URL;
    # setup allowed hosts
    CSRF_TRUSTED_ORIGINS = [ "https://${svc_domain}" ];
    ALLOWED_HOSTS = [ svc_domain ];
    # disable recaptcha
    RECAPTCHA_PUBLIC_KEY = "";
    RECAPTCHA_PRIVATE_KEY = "";
    USE_RECAPTCHA = false;
  };
  wger_settings_file = pkgs.writeText "settings.json" (builtins.toJSON wger_settings);
@ -73,50 +65,73 @@ let
  settingsFile = pkgs.writeText "settings.py" ''
    from wger.settings_global import *
    import json
    import os
    with open("${django_settings_file}") as f:
-        globals().update(json.load(f))
+        for k, v in json.load(f).items():
            if isinstance(v, str) and v.startswith("$"):
                v = os.environ[v[1:]]
            globals()[k] = v
    with open("${wger_settings_file}") as f:
-        WGER_SETTINGS.update(json.load(f))
+        for k, v in json.load(f).items():
            if isinstance(v, str) and v.startswith("$"):
                v = os.environ[v[1:]]
            WGER_SETTINGS[k] = v
  '';
 in {
  # main service
  systemd.services.wger = {
    description = "wger fitness";
    wantedBy = [ "multi-user.target" ];
    after = [ "networking.target" ];
    script = ''
      # general wger things
      ${wgerpkgs}/bin/wger migrate-db -s ${settingsFile} || true
      # ${wgerpkgs}/bin/wger load-fixtures -s ${settingsFile} || true
      # ${wgerpkgs}/bin/wger load-online-fixtures -s ${settingsFile} || true
-      # manage things
+    script = ''
-      # WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage download-exercise-images || true
+      # initial setup
-      # WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage download-exercise-videos || true
+      ${wgerpkgs}/bin/wger migrate-db -s ${settingsFile} || true
-      # WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage download-ingredient-images || true
+      ${wgerpkgs}/bin/wger load-fixtures -s ${settingsFile} || true
      WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage sync-exercises || true
      # WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage sync-ingredients || true
      WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage exercises-health-check || true
      # run server
      ${wgerpkgs}/bin/wger start -s ${settingsFile}
    '';
    serviceConfig = {
      EnvironmentFile = config.age.secrets.wger-env.path;
      User = "wger";
      Group = "wger";
    };
  };
-  users.users."${wger_user}"= {
+
-    uid = 738;
+  # periodic keep up-to-date
-    isSystemUser = true;
+  systemd.timers."wger-housekeeping" = {
-    group = wger_user;
+    wantedBy = [ "timers.target" ];
-    
+    timerConfig.OnCalendar = "daily";
  };
  systemd.services."wger-housekeeping" = {
    after = [ "wger.service" ];
    requires = [ "wger.service" ];
    script = ''
      WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage sync-exercises || true
      WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage download-exercise-images || true
      WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage download-exercise-videos || true
      WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage sync-ingredients || true
      ${wgerpkgs}/bin/wger load-online-fixtures -s ${settingsFile} || true
      WGER_SETTINGS=${settingsFile} ${wgerpkgs}/bin/manage exercises-health-check || true
    '';
    serviceConfig = {
      EnvironmentFile = config.age.secrets.wger-env.path;
      # Type = "oneshot";
      User = "wger";
      Group = "wger";
    };
  };
  users.groups."${wger_user}".gid = 738;
  services.postgresql = {
    ensureDatabases = [ wger_user ];
@ -127,13 +142,18 @@ in {
  };
-  services.nginx.virtualHosts."${svc_domain}" = {
+  # setup users
  users.users."${wger_user}"= {
    uid = 738;
    isSystemUser = true;
    group = wger_user;
  };
  users.groups."${wger_user}".gid = 738;
  # nginx
  services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
    forceSSL = true;
    enableACME = true;
    extraConfig = ''
      include ${config.mine.shared.lib.authelia.autheliaLocation};
    '';
    locations."/" = config.mine.shared.lib.authelia.mkProtectedLocation {
      proxyPass = "http://localhost:${builtins.toString port}";
@ -146,4 +166,19 @@ in {
    locations."/media".proxyPass = "http://localhost:${builtins.toString port}";
    locations."/api".proxyPass = "http://localhost:${builtins.toString port}";
  };
  # metadata
  mine.shared.meta.wger = {
    name = "Wger";
    description = "We host Wger, which is a FLOSS fitness/workout/nutrition and weight tracker, with FLOSS apps, read more [here](https://wger.de/).";
    url = "https://${svc_domain}";
    package = let
      pkg = wgerpkgs;
    in {
      name = pkg.pname;
      version = pkg.version;
      meta = pkg.meta;
    };
  };
 }
--- a/machines/gerd/services/wger/wgerpkg/default.nix
+++ b/machines/gerd/services/wger/wgerpkg/default.nix
@ -9,7 +9,7 @@ let
  frontend = callPackage ./frontend.nix {};
 in python3.pkgs.buildPythonApplication rec {
  pname = "wger";
-  version = "unstable";
+  version = "unstable-2024-12-01";
  pyproject = true;
  src = fetchFromGitHub {
--- a/secrets/default.nix
+++ b/secrets/default.nix
@ -38,6 +38,9 @@
    # matrix-synapse
    matrix-synapse-config-authelia-secret.file = ./matrix-synapse/config-authelia-secret.age;
    # wger
    wger-env.file = ./wger/env.age;
  };
  users.groups.secrets-lldap-bind-user-pass = {};
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -48,4 +48,7 @@ in
  # matrix-synapse
  "matrix-synapse/config-authelia-secret.age".publicKeys = defaultAccess;
  # wger
  "wger/env.age".publicKeys = defaultAccess;
 }
--- a/secrets/wger/env.age
+++ b/secrets/wger/env.age
@ -0,0 +1,11 @@
 age-encryption.org/v1
 -> ssh-ed25519 QSDXqg KGoB/V0cCAZsfVmoLDmA5Xs2HOHqjg54TYqixYQduEw
 sqDb6QnEbwEncAbxKLRLkjCQIwMLBTNMVcejFOwhZWM
 -> X25519 o64XZRaiK7ZEquTMmXTyhpdArawiuXC+5W5seFrJclY
 qTLXrNGMTPAXs5EzMuCiQ07Ho2LT1KTku2f1AlCHPlk
 -> ssh-ed25519 n8n9DQ a8ESfbksuY++k52UJwTKJtb4/aiYzQqUgyYqfug5oyA
 bZygFOW6YSg83CmZRpsNDux+UgOxCfja1eQ/R4NyLXM
 -> ssh-ed25519 BTp6UA yFBZAlGtHV98t6UA8QbELjOW/Pu6KYVPjbXFvijl9m0
 +eobFp5YNBsr2+10Huimwypn3S4/lc7zoX5Ldko9mhA
 --- g7w825LgydJlmyZiqnIL0ofUsTn+e47rFmSG8ft6Qqg
 !lï•:^çÄÙƒ}R&X‚º^_ã213·-éŒË£0ÅnBþ–<C3BE>DK€æ&Ù©Dþ:¾^½ÒUwÃÌóŸ
8(£‡ä X‡¾QZsÖªŒ<C2AA>â^(CÂ!ÍìÊ$ ™Üöý×(‹wÎ8t“ô¾<C3B4>Ñ!Úç²±ÐÌˆït;¥ÃNgÚÛ§ˆ<C2A7>Ž[²f+Ù‚Q°
Author	SHA1	Message	Date
eyjhb	5da6057228	wger: removed hardcoded constants	2024-12-03 22:08:25 +01:00
eyjhb	913a4a0b26	wger: adds a BUNCH of changes	2024-12-03 22:07:03 +01:00
eyjhb	50fee64475	secrets.wger: added secrets	2024-12-03 22:06:54 +01:00
eyjhb	73597c4cdb	wgerpkgs: changed version	2024-12-03 22:06:39 +01:00
eyjhb	68779da243	gerd: changed zramswap comment	2024-12-03 22:06:25 +01:00
eyjhb	57a5740f6f	authelia-nginx: chnaged how to protect websites	2024-12-03 22:06:04 +01:00