server-configs/machines/gerd/services/rallly.nix

{ config, lib, pkgs, ... }:

let
  svc_name = "rallly";
  svc_domain = "${svc_name}.${config.mine.shared.settings.domain}";

  psqlSocket = "/run/postgresql";

  user = "rallly";
  group = user;
  port = 7384;
  internal_port = port;

  rally_version = "3.11";

  ralllyPkgs = pkgs.callPackage ./../../../shared/pkgs/rallly {};
in {
  systemd.services.rallly = {
    description = "rallly";
    wantedBy = [ "multi-user.target" ];
    after = [ "networking.target" ];

    environment = let
      rallly-prisma-engines = ralllyPkgs.passthru.rallly-prisma-engines;
    in rec {
      PORT = builtins.toString internal_port;
      DATABASE_URL = "postgresql://${user}@localhost/${user}?host=${psqlSocket}";
      NEXT_PUBLIC_BASE_URL = "https://${svc_domain}";
      NEXTAUTH_URL = NEXT_PUBLIC_BASE_URL;
      # SECRET_PASSWORD = "specified-in-env";

      # limit signup even further
      ALLOWED_EMAILS = "*@${config.mine.shared.settings.domain}";

      # email
      SUPPORT_EMAIL = "${svc_name}@${config.mine.shared.settings.domain}";
      SMTP_HOST = config.mine.shared.settings.mail.domain_smtp;
      SMTP_PORT = builtins.toString config.mine.shared.settings.mail.ports.submissions;
      SMTP_SECURE = "true";
      SMTP_USER = svc_name;
      # SMTP_PWD = "specified-in-env";


      # OIDC
      OIDC_NAME = "Authelia";
      OIDC_DISCOVERY_URL = "https://${config.mine.shared.settings.authelia.domain}/.well-known/openid-configuration";
      OIDC_CLIENT_ID = "rallly";
      # OIDC_CLIENT_SECRET = "specified-in-env";

      # prisma things
      PRISMA_SCHEMA_ENGINE_BINARY = "${rallly-prisma-engines}/bin/schema-engine";
      PRISMA_QUERY_ENGINE_BINARY = "${rallly-prisma-engines}/bin/query-engine";
      PRISMA_QUERY_ENGINE_LIBRARY = "${rallly-prisma-engines}/lib/libquery_engine.node";
      PRISMA_INTROSPECTION_ENGINE_BINARY = "${rallly-prisma-engines}/bin/introspection-engine";
      PRISMA_FMT_BINARY = "${rallly-prisma-engines}/bin/prisma-fmt";
    };

    path = [ pkgs.openssl ];

    serviceConfig = {
      ExecStartPre = "${ralllyPkgs}/bin/rallly-prisma migrate deploy";
      ExecStart = "${ralllyPkgs}/bin/rallly";

      EnvironmentFile = [ config.age.secrets.rallly-env.path ];

      CacheDirectory = "rallly";
      CacheDirectoryMode = "0750";

      DynamicUser = true;
      Restart = "always";
    };
  };

  # setup postgresql
  services.postgresql = {
    ensureDatabases = [ user ];
    ensureUsers = [{
      name = user;
      ensureDBOwnership = true;
    }];
  };

  # setup ldap user for email
  services.lldap.provision.users = config.mine.shared.lib.ldap.mkScope (lconfig: llib: {
    "${svc_name}" = llib.mkProvisionUserSystem "${svc_name}" config.age.secrets.rallly-ldap-pass.path;
  });

  # authelia
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
    client_id = "rallly";
    client_name = "Rallly";
    client_secret = "$pbkdf2-sha512$310000$KB4UqeuVr86lEOoISSE92w$i2YGpz3wRwceiRfYnMUhZ0MboutkDPPYVWnXqiw6tUt./mgZ5kfV1ES.kcdsHhMdavhCrJfWvVTPQRJKImuUrQ";
    redirect_uris = [ "https://${svc_domain}/api/auth/callback/oidc" ];
    scopes = [
      "openid"
      "email"
      "profile"
    ];
  }];

  # nginx
  services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
    forceSSL = true;
    enableACME = true;
    
    locations."/" = {
      proxyPass = "http://localhost:${builtins.toString port}";
    };

    # try to disable registration
    locations."/api/trpc/auth.requestRegistration" = {
      root = pkgs.writeTextDir "index.html" ''
        NO REGISTRATION!!
      '';
    };
  };

  # meta information!
  mine.shared.meta.rallly = {
    name = "Rallly";
    description = ''Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier. Please do not try to use the register or normal login, only try to sign in using the SSO method. '';
    url = "https://${svc_domain}";

    package = let
      pkg = ralllyPkgs;
    in {
      name = pkg.pname;
      version = pkg.version;
      meta = pkg.meta;
    };
  };
}