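# NixOS module for the Rallly scheduling service.
#
# Wires up: the systemd unit (the packaged app plus its Prisma migration
# step), a local PostgreSQL database reached over the unix socket, an LDAP
# system user for outbound mail, an Authelia OIDC client, an nginx virtual
# host placed behind Authelia, and the shared "meta" entry used elsewhere in
# this repository.
#
# Secrets (SECRET_PASSWORD, SMTP_PWD, OIDC_CLIENT_SECRET) are deliberately
# NOT set here; they are injected at runtime from the agenix EnvironmentFile.
{ config, lib, pkgs, ... }:

let
  svc_name = "rallly";
  svc_domain = "${svc_name}.${config.mine.shared.settings.domain}";

  # PostgreSQL is reached over its unix socket, so DATABASE_URL carries no
  # password; access relies on the socket's peer authentication matching the
  # OS user the unit runs as.
  psqlSocket = "/run/postgresql";

  # DynamicUser=true with no explicit User= makes systemd pick the unit name
  # ("rallly") as the OS user, which must equal the PostgreSQL role created
  # below so peer auth maps one onto the other.
  user = "rallly";

  # Port the app listens on; nginx proxies to it on localhost only.
  port = 7384;
  internal_port = port;

  ralllyPkgs = pkgs.callPackage ./../../../shared/pkgs/rallly { };
in
{
  systemd.services.rallly = {
    description = "rallly";
    wantedBy = [ "multi-user.target" ];
    # "networking.target" is not a systemd unit, so the previous ordering was
    # a no-op. Order after the real network target and after PostgreSQL,
    # because ExecStartPre runs the Prisma migrations against the database
    # on every start (including first boot, before the DB would otherwise be up).
    after = [ "network.target" "postgresql.service" ];
    requires = [ "postgresql.service" ];

    environment =
      let
        rallly-prisma-engines = ralllyPkgs.passthru.rallly-prisma-engines;
      in
      rec {
        PORT = builtins.toString internal_port;
        DATABASE_URL = "postgresql://${user}@localhost/${user}?host=${psqlSocket}";
        NEXT_PUBLIC_BASE_URL = "https://${svc_domain}";
        NEXTAUTH_URL = NEXT_PUBLIC_BASE_URL;
        # SECRET_PASSWORD = "specified-in-env";

        # limit signup even further: only addresses on our own domain
        ALLOWED_EMAILS = "*@${config.mine.shared.settings.domain}";

        # email (outbound only; the SMTP account is the LDAP user provisioned below)
        SUPPORT_EMAIL = "${svc_name}@${config.mine.shared.settings.domain}";
        SMTP_HOST = config.mine.shared.settings.mail.domain_smtp;
        SMTP_PORT = builtins.toString config.mine.shared.settings.mail.ports.submissions;
        SMTP_SECURE = "true";
        SMTP_USER = svc_name;
        # SMTP_PWD = "specified-in-env";

        # OIDC (single sign-on through Authelia)
        OIDC_NAME = "Authelia";
        OIDC_DISCOVERY_URL = "https://${config.mine.shared.settings.authelia.domain}/.well-known/openid-configuration";
        OIDC_CLIENT_ID = "rallly";
        # OIDC_CLIENT_SECRET = "specified-in-env";

        # prisma things: point Prisma at the pre-built engine binaries from the
        # store instead of letting it download them at runtime
        PRISMA_SCHEMA_ENGINE_BINARY = "${rallly-prisma-engines}/bin/schema-engine";
        PRISMA_QUERY_ENGINE_BINARY = "${rallly-prisma-engines}/bin/query-engine";
        PRISMA_QUERY_ENGINE_LIBRARY = "${rallly-prisma-engines}/lib/libquery_engine.node";
        PRISMA_INTROSPECTION_ENGINE_BINARY = "${rallly-prisma-engines}/bin/introspection-engine";
        PRISMA_FMT_BINARY = "${rallly-prisma-engines}/bin/prisma-fmt";
      };

    path = [ pkgs.openssl ];

    serviceConfig = {
      # Apply pending schema migrations before the app starts.
      ExecStartPre = "${ralllyPkgs}/bin/rallly-prisma migrate deploy";
      ExecStart = "${ralllyPkgs}/bin/rallly";
      # Holds the *_PASSWORD/*_PWD/*_SECRET values commented out above.
      EnvironmentFile = [ config.age.secrets.rallly-env.path ];
      CacheDirectory = "rallly";
      CacheDirectoryMode = "0750";
      DynamicUser = true;
      Restart = "always";
    };
  };

  # setup postgresql: database and role both named after the OS user so
  # socket peer auth works without a password
  services.postgresql = {
    ensureDatabases = [ user ];
    ensureUsers = [
      {
        name = user;
        ensureDBOwnership = true;
      }
    ];
  };

  # setup ldap user for email (password comes from a separate agenix secret)
  services.lldap.provision.users = config.mine.shared.lib.ldap.mkScope (
    lconfig: llib: {
      "${svc_name}" = llib.mkProvisionUserSystem "${svc_name}" config.age.secrets.rallly-ldap-pass.path;
    }
  );

  # authelia: register Rallly as an OIDC client. The client_secret below is a
  # pbkdf2-sha512 digest (see its "$pbkdf2-sha512$" prefix), not the plaintext;
  # presumably the plaintext is the OIDC_CLIENT_SECRET in the env file — verify.
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [
    {
      client_id = "rallly";
      client_name = "Rallly";
      client_secret = "$pbkdf2-sha512$310000$KB4UqeuVr86lEOoISSE92w$i2YGpz3wRwceiRfYnMUhZ0MboutkDPPYVWnXqiw6tUt./mgZ5kfV1ES.kcdsHhMdavhCrJfWvVTPQRJKImuUrQ";
      redirect_uris = [ "https://${svc_domain}/api/auth/callback/oidc" ];
      scopes = [ "openid" "email" "profile" ];
    }
  ];

  # nginx: TLS-terminating reverse proxy, gated by Authelia via mkProtectedWebsite
  services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://localhost:${builtins.toString port}";
    };

    # try to disable registration: short-circuit the tRPC procedure with a
    # static page. NOTE(review): this is prefix matching on one exact path and
    # assumes the client always reaches the procedure at this URL — confirm;
    # ALLOWED_EMAILS above remains the app-side backstop.
    locations."/api/trpc/auth.requestRegistration" = {
      root = pkgs.writeTextDir "index.html" '' NO REGISTRATION!! '';
    };
  };

  # meta information!
  mine.shared.meta.rallly = {
    name = "Rallly";
    description = ''Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier. Please do not try to use the register or normal login, only try to sign in using the SSO method. '';
    url = "https://${svc_domain}";
    package =
      let
        pkg = ralllyPkgs;
      in
      {
        name = pkg.pname;
        version = pkg.version;
        meta = pkg.meta;
      };
  };
}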