fricloud/server-configs
2
0
Fork 0
Code Issues 5 Pull requests Projects Releases Packages Wiki Activity Actions
server-configs/machines/gerd/services/rallly/default.nix
eyjhb 8e5f22a87e
authelia: update stopped providing claims in response 
This adds the default claim policy, which can be used to provide the
past behaviour for this. Services that require this still needs to be identified.
2025-05-29 16:22:28 +02:00

148 lines
4.6 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
let
svc_name = "rallly";
svc_domain = "${svc_name}.${config.mine.shared.settings.domain}";
psqlSocket = "/run/postgresql";
user = "rallly";
port = 7384;
ralllyPkgsOrig = pkgs.callPackage ./../../../../shared/pkgs/rallly {};
ralllyPkgs = ralllyPkgsOrig.overrideAttrs (old: {
patches = (old.patches or []) ++ [
./patches/remove-login-register.patch
];
});
in {
# setup rallly service
systemd.services.rallly = {
description = "rallly";
wantedBy = [ "multi-user.target" ];
after = [ "networking.target" ];
# configuration
environment = let
rallly-prisma-engines = ralllyPkgs.passthru.rallly-prisma-engines;
in rec {
HOSTNAME = "localhost";
PORT = builtins.toString port;
DATABASE_URL = "postgresql://${user}@localhost/${user}?host=${psqlSocket}";
NEXT_PUBLIC_BASE_URL = "https://${svc_domain}";
NEXTAUTH_URL = NEXT_PUBLIC_BASE_URL;
# SECRET_PASSWORD = "specified-in-env";
# limit signup even further
ALLOWED_EMAILS = "*@${config.mine.shared.settings.domain}";
# email
SUPPORT_EMAIL = "${svc_name}@${config.mine.shared.settings.domain}";
SMTP_HOST = config.mine.shared.settings.mail.domain_smtp;
SMTP_PORT = builtins.toString config.mine.shared.settings.mail.ports.submissions;
SMTP_SECURE = "true";
SMTP_USER = svc_name;
# SMTP_PWD = "specified-in-env";
# OIDC
OIDC_NAME = "Authelia";
OIDC_DISCOVERY_URL = "https://${config.mine.shared.settings.authelia.domain}/.well-known/openid-configuration";
OIDC_CLIENT_ID = "rallly";
# OIDC_CLIENT_SECRET = "specified-in-env";
# prisma things (database will not work without, needs to match version in rallly deps as well)
PRISMA_SCHEMA_ENGINE_BINARY = "${rallly-prisma-engines}/bin/schema-engine";
PRISMA_QUERY_ENGINE_BINARY = "${rallly-prisma-engines}/bin/query-engine";
PRISMA_QUERY_ENGINE_LIBRARY = "${rallly-prisma-engines}/lib/libquery_engine.node";
PRISMA_INTROSPECTION_ENGINE_BINARY = "${rallly-prisma-engines}/bin/introspection-engine";
PRISMA_FMT_BINARY = "${rallly-prisma-engines}/bin/prisma-fmt";
};
# add, otherwise we get warnings
path = [ pkgs.openssl ];
serviceConfig = {
ExecStartPre = [
# clear cache on each boot, otherwise we might have
# issues when updating it.
"${pkgs.findutils}/bin/find -L /var/cache/${svc_name} -mindepth 1 -delete"
# run db migration each boot
"${ralllyPkgs}/bin/rallly-prisma migrate deploy"
];
ExecStart = "${ralllyPkgs}/bin/rallly";
# secret configurations
EnvironmentFile = [ config.age.secrets.rallly-env.path ];
CacheDirectory = svc_name;
CacheDirectoryMode = "0750";
User = user;
DynamicUser = true;
Restart = "always";
};
};
# setup postgresql
services.postgresql = {
ensureDatabases = [ user ];
ensureUsers = [{
name = user;
ensureDBOwnership = true;
}];
};
# setup ldap user for email
services.lldap.provision.users = config.mine.shared.lib.ldap.mkScope (lconfig: llib: {
"${svc_name}" = llib.mkProvisionUserSystem "${svc_name}" config.age.secrets.rallly-ldap-pass.path;
});
# authelia
services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
client_id = "rallly";
client_name = "Rallly";
client_secret = "$pbkdf2-sha512$310000$KB4UqeuVr86lEOoISSE92w$i2YGpz3wRwceiRfYnMUhZ0MboutkDPPYVWnXqiw6tUt./mgZ5kfV1ES.kcdsHhMdavhCrJfWvVTPQRJKImuUrQ";
consent_mode = "implicit";
redirect_uris = [ "https://${svc_domain}/api/auth/callback/oidc" ];
claims_policy = "default";
scopes = [
"openid"
"email"
"profile"
];
}];
# nginx
services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${builtins.toString port}";
};
# try to disable registration
locations."/api/trpc/auth.requestRegistration" = {
root = pkgs.writeTextDir "index.html" ''
NO REGISTRATION!!
'';
};
};
# meta information!
mine.shared.meta.rallly = {
name = "Rallly";
description = ''Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier. Please do not try to use the register or normal login, only try to sign in using the SSO method. '';
url = "https://${svc_domain}";
package = let
pkg = ralllyPkgs;
in {
name = pkg.pname;
version = pkg.version;
meta = pkg.meta;
};
};
}
Reference in a new issue View git blame Copy permalink