server-configs/machines/gerd/services/vikunja.nix

{ config, pkgs, lib, ... }:

let
  svc_domain = "vikunja.${config.mine.shared.settings.domain}";
  vikunjaOIDCName = "authelia";
in {
  services.vikunja = {
    enable = true;

    package = pkgs.vikunja.overrideAttrs (old: {
      # TODO(eyJhb): remove once vikunja updates past 0.24.6
      # https://github.com/go-vikunja/vikunja/issues/623
      patches = (old.patches or []) ++ [
        (pkgs.writeText "vikunja-clientsecret-envvar.patch" ''
          diff --git a/pkg/modules/auth/openid/providers.go b/pkg/modules/auth/openid/providers.go
          index 5e14c1b31..d9a5215c1 100644
          --- a/pkg/modules/auth/openid/providers.go
          +++ b/pkg/modules/auth/openid/providers.go
          @@ -17,6 +17,8 @@
           package openid
           
           import (
          +	"fmt"
          +	"os"
           	"regexp"
           	"strconv"
           	"strings"
          @@ -139,6 +141,10 @@ func getProviderFromMap(pi map[string]interface{}) (provider *Provider, err erro
           		Scope:           scope,
           	}
           
          +	if clientSecret, ok := os.LookupEnv(fmt.Sprintf("VIKUNJA_AUTH_OPENID_PROVIDERS_%s_CLIENTSECRET", strings.ToUpper(provider.Name))); ok {
          +		provider.ClientSecret = clientSecret
          +	}
          +
           	cl, is := pi["clientid"].(int)
           	if is {
           		provider.ClientID = strconv.Itoa(cl)
        '')
      ];
    });

    frontendScheme = "https";
    frontendHostname = svc_domain;

    database = {
      type = "postgres";
      host = "/run/postgresql";
    };

    environmentFiles = [
      config.age.secrets.vikunja-env.path
    ];

    settings = {
      service.enableregistration = false;
      auth.local.enabled = false;

      auth.openid = {
        enabled = true;
        providers = [{
          key = "authelia";
          name = vikunjaOIDCName;
          clientid = "vikunja";
          authurl = "https://${config.mine.shared.settings.authelia.domain}";
          clientsecret = "not-used-but-needs-to-be-set";
        }];
      };
    };
  };

  # setup for oidc
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
    client_id = "vikunja";
    client_name = "Vikunja";
    client_secret = "$pbkdf2-sha512$310000$GjslCZ8GAperXUFzmFGslA$QsQHK.HbuvMIiH5Q2vnM1cYR5N.yNjc6RDNU0RBnqVpJjySvjZBQa1dteceTNtvgQz7hXPlnSpRzKTGYj/k.Hw";
    consent_mode = "implicit";
    redirect_uris = [ "https://${svc_domain}/auth/openid/${vikunjaOIDCName}" ];
    scopes = [
      "openid"
      "profile"
      "email"
    ];
  }];

  # persistence
  environment.persistence.root.directories = [
    { directory = "/var/lib/private/vikunja"; mode = "0700"; }
  ];
    
  # setup postgresql
  services.postgresql = let
    user = config.services.vikunja.database.user;
  in {
    ensureDatabases = [ user ];
    ensureUsers = [{
      name = user;
      ensureDBOwnership = true;
    }];
  };

  # nginx
  services.nginx.virtualHosts."${svc_domain}" = {
    forceSSL = true;
    enableACME = true;
    
    locations."/".proxyPass = "http://localhost:${builtins.toString config.services.vikunja.port}";
  };

  # meta
  mine.shared.meta.vikunja = rec {
    name = "Vikunja";
    description = ''
      The to-do app to organize your life. 
    '';
    url = "https://${svc_domain}";

    package = let
      pkg = config.services.vikunja.package;
    in {
      name = pkg.pname;
      version = pkg.version;
      meta = pkg.meta;
    };
  };
}