server-configs/machines/gerd/services/rallly/default.nix

{ config, lib, pkgs, ... }:
let
svc_name = "rallly";
svc_domain = "${svc_name}.${config.mine.shared.settings.domain}";
user = "rallly";
port = 7384;
# directory holding the postgres unix socket
psqlSocket = "/run/postgresql";
# shared rallly package with a local patch that strips the built-in
# login/register forms, leaving SSO as the only way in
ralllyPkgs = (pkgs.callPackage ./../../../../shared/pkgs/rallly { }).overrideAttrs (old: {
  patches = (old.patches or [ ]) ++ [ ./patches/remove-login-register.patch ];
});
in {
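# rallly application service (the package itself is built in the let block above)
systemd.services.rallly = {
  description = "rallly";
  wantedBy = [ "multi-user.target" ];
  # the ExecStartPre migration talks to postgres, so order and bind the
  # unit on postgresql.service; network.target is the standard systemd
  # ordering unit ("networking.target" is not a unit systemd defines)
  after = [ "network.target" "postgresql.service" ];
  requires = [ "postgresql.service" ];
  # non-secret configuration; secrets are supplied via EnvironmentFile below
  environment = let
    rallly-prisma-engines = ralllyPkgs.passthru.rallly-prisma-engines;
  in rec {
    HOSTNAME = "localhost";
    PORT = builtins.toString port;
    # connects through the unix socket directory; no password in the URL
    DATABASE_URL = "postgresql://${user}@localhost/${user}?host=${psqlSocket}";
    NEXT_PUBLIC_BASE_URL = "https://${svc_domain}";
    NEXTAUTH_URL = NEXT_PUBLIC_BASE_URL;
    # SECRET_PASSWORD = "specified-in-env";
    # limit signup even further: only addresses on our own domain
    ALLOWED_EMAILS = "*@${config.mine.shared.settings.domain}";
    # email
    SUPPORT_EMAIL = "${svc_name}@${config.mine.shared.settings.domain}";
    SMTP_HOST = config.mine.shared.settings.mail.domain_smtp;
    SMTP_PORT = builtins.toString config.mine.shared.settings.mail.ports.submissions;
    SMTP_SECURE = "true";
    SMTP_USER = svc_name;
    # SMTP_PWD = "specified-in-env";
    # OIDC (the matching client registration lives in the authelia block below)
    OIDC_NAME = "Authelia";
    OIDC_DISCOVERY_URL = "https://${config.mine.shared.settings.authelia.domain}/.well-known/openid-configuration";
    OIDC_CLIENT_ID = "rallly";
    # OIDC_CLIENT_SECRET = "specified-in-env";
    # prisma engines: the database will not work without these, and the
    # version needs to match the prisma version in rallly's own deps
    PRISMA_SCHEMA_ENGINE_BINARY = "${rallly-prisma-engines}/bin/schema-engine";
    PRISMA_QUERY_ENGINE_BINARY = "${rallly-prisma-engines}/bin/query-engine";
    PRISMA_QUERY_ENGINE_LIBRARY = "${rallly-prisma-engines}/lib/libquery_engine.node";
    PRISMA_INTROSPECTION_ENGINE_BINARY = "${rallly-prisma-engines}/bin/introspection-engine";
    PRISMA_FMT_BINARY = "${rallly-prisma-engines}/bin/prisma-fmt";
  };
  # openssl on PATH, otherwise the service logs warnings
  path = [ pkgs.openssl ];
  serviceConfig = {
    ExecStartPre = [
      # clear the cache on each start, otherwise we might have issues
      # when updating. Under DynamicUser /var/cache/<name> is a symlink
      # into /var/cache/private, so the command-line path has to be
      # dereferenced (-H); unlike -L this does not follow links that
      # happen to sit inside the cache itself.
      "${pkgs.findutils}/bin/find -H /var/cache/${svc_name} -mindepth 1 -delete"
      # run db migration each boot
      "${ralllyPkgs}/bin/rallly-prisma migrate deploy"
    ];
    ExecStart = "${ralllyPkgs}/bin/rallly";
    # secret configuration (SECRET_PASSWORD, SMTP_PWD, OIDC_CLIENT_SECRET);
    # systemd reads this file before dropping privileges, so it can stay
    # root-only on disk
    EnvironmentFile = [ config.age.secrets.rallly-env.path ];
    CacheDirectory = svc_name;
    CacheDirectoryMode = "0750";
    User = user;
    DynamicUser = true;
    Restart = "always";
  };
};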
# local postgres database and owning role, both named after the service user
services.postgresql = {
  ensureDatabases = lib.singleton user;
  ensureUsers = lib.singleton {
    name = user;
    ensureDBOwnership = true;
  };
};
# ldap account the service authenticates with for mail (SMTP_USER above);
# its password comes from the rallly-ldap-pass secret
services.lldap.provision.users = config.mine.shared.lib.ldap.mkScope (cfg: l: {
  ${svc_name} = l.mkProvisionUserSystem svc_name config.age.secrets.rallly-ldap-pass.path;
});
# authelia OIDC client registration for rallly
services.authelia.instances.main.settings.identity_providers.oidc.clients = [
  {
    client_id = "rallly";
    client_name = "Rallly";
    # pbkdf2-sha512 digest of the client secret, not the secret itself;
    # the plaintext reaches rallly as OIDC_CLIENT_SECRET through the
    # rallly-env secret file
    client_secret = "$pbkdf2-sha512$310000$KB4UqeuVr86lEOoISSE92w$i2YGpz3wRwceiRfYnMUhZ0MboutkDPPYVWnXqiw6tUt./mgZ5kfV1ES.kcdsHhMdavhCrJfWvVTPQRJKImuUrQ";
    # implicit consent: no consent prompt for this first-party app
    consent_mode = "implicit";
    redirect_uris = [ "https://${svc_domain}/api/auth/callback/oidc" ];
    scopes = [ "openid" "email" "profile" ];
  }
];
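# reverse proxy, wrapped in the shared authelia-protected vhost helper
services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
  forceSSL = true;
  enableACME = true;
  locations."/" = {
    proxyPass = "http://localhost:${builtins.toString port}";
  };
  # refuse the registration endpoint at the proxy with an explicit 403
  # (a `root` with a static index.html never served that page: nginx
  # appends the request URI to root, where no such file exists).
  # This is a prefix match on a single tRPC procedure path and is defence
  # in depth only; the remove-login-register patch and ALLOWED_EMAILS
  # remain the primary controls.
  locations."/api/trpc/auth.requestRegistration" = {
    return = "403";
  };
};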
# meta information shown in the shared service overview
mine.shared.meta.rallly = {
  name = "Rallly";
  description = ''Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier. Please do not try to use the register or normal login, only try to sign in using the SSO method. '';
  url = "https://${svc_domain}";
  # package details are taken straight from the patched derivation
  package = {
    name = ralllyPkgs.pname;
    inherit (ralllyPkgs) version meta;
  };
};
}