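# NixOS module for Rallly: runs the upstream container rootless under podman,
# stores data in the local PostgreSQL over its unix socket, fronts it with an
# Authelia-protected nginx virtual host (OIDC login) and provisions an LDAP
# service user for outgoing mail. Secrets (SECRET_PASSWORD, SMTP_PWD,
# OIDC_CLIENT_SECRET) come from the age-encrypted environment file.
{ config, lib, pkgs, ... }:
let
  svc_name = "rallly";
  svc_domain = "${svc_name}.${config.mine.shared.settings.domain}";
  psqlSocket = "/run/postgresql";
  user = "rallly";
  group = user;
  # host port nginx proxies to; the container listens on the same port
  # (the two are kept separate so they can diverge if needed)
  port = 7384;
  internal_port = port;
  rally_version = "3.11";
in
{
  # setup container
  virtualisation.oci-containers.containers.rallly = {
    autoStart = true;
    # NOTE(review): a tag is mutable; pinning by digest
    # ("lukevella/rallly:${rally_version}@sha256:<digest>") makes pulls
    # reproducible and prevents a silently swapped image - TODO confirm digest
    image = "lukevella/rallly:${rally_version}";
    podman.user = user;
    extraOptions =
      let
        uid = config.users.users."${user}".uid;
        gid = config.users.groups."${group}".gid;
      in
      [
        # map the container's uid/gid onto the host service user so the
        # postgres socket bind-mount below is accessible
        "--userns=keep-id:uid=${builtins.toString uid},gid=${builtins.toString gid}"
        # TODO(eyJhb): required, otherwise rallly container cannot access authelia well-known openid configuration
        # NOTE(review): host networking removes the container's network
        # namespace; the 127.0.0.1 port mapping in `ports` is then not applied,
        # so whether port ${builtins.toString internal_port} is reachable from
        # outside depends on the host firewall - confirm it is blocked there.
        "--network=host"
      ];
    environmentFiles = [ config.age.secrets.rallly-env.path ];
    environment = {
      PORT = builtins.toString internal_port;
      # unix-socket connection, authenticated by peer uid (no password)
      DATABASE_URL = "postgresql://${user}@localhost/${user}?host=${psqlSocket}";
      NEXT_PUBLIC_BASE_URL = "https://${svc_domain}";
      # SECRET_PASSWORD = "specified-in-env";
      # limit signup even further: only addresses on our own domain
      ALLOWED_EMAILS = "*@${config.mine.shared.settings.domain}";
      # email
      SUPPORT_EMAIL = "${svc_name}@${config.mine.shared.settings.domain}";
      SMTP_HOST = config.mine.shared.settings.mail.domain_smtp;
      SMTP_PORT = builtins.toString config.mine.shared.settings.mail.ports.submissions;
      SMTP_SECURE = "true";
      SMTP_USER = svc_name;
      # SMTP_PWD = "specified-in-env";
      # OIDC
      OIDC_NAME = "Authelia";
      OIDC_DISCOVERY_URL = "https://${config.mine.shared.settings.authelia.domain}/.well-known/openid-configuration";
      OIDC_CLIENT_ID = "rallly";
      # OIDC_CLIENT_SECRET = "specified-in-env";
    };
    # expose only the postgres socket directory, nothing else from the host
    volumes = [ "${psqlSocket}:${psqlSocket}" ];
    # TODO(eyJhb): likely not needed, because of the tmp network=host
    ports = [ "127.0.0.1:${builtins.toString port}:${builtins.toString internal_port}" ];
  };

  # setup postgresql
  services.postgresql = {
    ensureDatabases = [ user ];
    ensureUsers = [{
      name = user;
      ensureDBOwnership = true;
    }];
  };

  # setup ldap user for email
  services.lldap.provision.users = config.mine.shared.lib.ldap.mkScope (lconfig: llib: {
    "${svc_name}" = llib.mkProvisionUserSystem "${svc_name}" config.age.secrets.rallly-ldap-pass.path;
  });

  # give rallly user access to the secrets
  age.secrets.rallly-env.owner = user;

  # setup users
  # a normal (not system) user is used here because the container runs
  # rootless under this account; uid/gid are fixed so the keep-id mapping
  # above is stable across rebuilds
  users.users."${user}" = {
    isNormalUser = true;
    group = group;
    uid = 1001;
  };
  users.groups."${group}".gid = 974;

  # authelia
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
    client_id = "rallly";
    client_name = "Rallly";
    # pbkdf2-sha512 digest of the client secret; the plaintext is only in the
    # age environment file (OIDC_CLIENT_SECRET)
    client_secret = "$pbkdf2-sha512$310000$KB4UqeuVr86lEOoISSE92w$i2YGpz3wRwceiRfYnMUhZ0MboutkDPPYVWnXqiw6tUt./mgZ5kfV1ES.kcdsHhMdavhCrJfWvVTPQRJKImuUrQ";
    # exact callback only; no wildcard
    redirect_uris = [ "https://${svc_domain}/api/auth/callback/oidc" ];
    scopes = [ "openid" "email" "profile" ];
  }];

  # nginx
  services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://localhost:${builtins.toString port}";
    };
    # try to disable registration: answer the tRPC registration endpoint
    # directly instead of proxying it. Previously this used `root` with an
    # index.html, but nginx then looks up $root/api/trpc/auth.requestRegistration
    # and answers 404, so the message was never served; an explicit `return`
    # sends the intended body with a deliberate 403. Best-effort only - the
    # real signup limit is ALLOWED_EMAILS above (the endpoint name may change
    # between Rallly versions; re-check on upgrade).
    locations."/api/trpc/auth.requestRegistration" = {
      return = ''403 "NO REGISTRATION!!"'';
    };
  };

  mine.shared.meta.rallly = {
    name = "Rallly";
    description = ''Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier. Please do not try to use the register or normal login, only try to sign in using the SSO method.
    '';
    url = "https://${svc_domain}";
    package = {
      name = "rallly";
      version = "v${rally_version}";
      meta = with lib; {
        description = "Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier.";
        license = licenses.agpl3Plus;
        # NOTE(review): this points at member-website/app.py, which looks like
        # a copy-paste leftover from another service's meta - confirm intended URL
        homepage = "https://git.fricloud.dk/fricloud/server-configs/src/branch/main/machines/gerd/services/member-website/app.py";
        platforms = platforms.all;
      };
    };
  };
}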