fricloud/server-configs
2
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions
server-configs/machines/gerd/services/rallly.nix
eyjhb bd0e3ff589
init rallly
2025-03-01 15:44:42 +01:00

141 lines
4.2 KiB
Nix
Raw Blame History

{ config, lib, pkgs, ... }:
let
svc_name = "rallly";
svc_domain = "${svc_name}.${config.mine.shared.settings.domain}";
psqlSocket = "/run/postgresql";
user = "rallly";
group = user;
port = 7384;
internal_port = port;
rally_version = "3.11";
in {
# setup container
virtualisation.oci-containers.containers.rallly = {
autoStart = true;
image = "lukevella/rallly:${rally_version}";
podman.user = user;
extraOptions = let
uid = config.users.users."${user}".uid;
gid = config.users.groups."${group}".gid;
in [
"--userns=keep-id:uid=${builtins.toString uid},gid=${builtins.toString gid}"
# TODO(eyJhb): required, otherwise rallly container cannot access authelia well-known openid configuration
"--network=host"
];
environmentFiles = [
config.age.secrets.rallly-env.path
];
environment = {
PORT = builtins.toString internal_port;
DATABASE_URL = "postgresql://${user}@localhost/${user}?host=${psqlSocket}";
NEXT_PUBLIC_BASE_URL = "https://${svc_domain}";
# SECRET_PASSWORD = "specified-in-env";
# limit signup even further
ALLOWED_EMAILS = "*@${config.mine.shared.settings.domain}";
# email
SUPPORT_EMAIL = "${svc_name}@${config.mine.shared.settings.domain}";
SMTP_HOST = config.mine.shared.settings.mail.domain_smtp;
SMTP_PORT = builtins.toString config.mine.shared.settings.mail.ports.submissions;
SMTP_SECURE = "true";
SMTP_USER = svc_name;
# SMTP_PWD = "specified-in-env";
# OIDC
OIDC_NAME = "Authelia";
OIDC_DISCOVERY_URL = "https://${config.mine.shared.settings.authelia.domain}/.well-known/openid-configuration";
OIDC_CLIENT_ID = "rallly";
# OIDC_CLIENT_SECRET = "specified-in-env";
};
volumes = [
"${psqlSocket}:${psqlSocket}"
];
# TODO(eyJhb): likely not needed, because of the tmp network=host
ports = [
"127.0.0.1:${builtins.toString port}:${builtins.toString internal_port}"
];
};
# setup postgresql
services.postgresql = {
ensureDatabases = [ user ];
ensureUsers = [{
name = user;
ensureDBOwnership = true;
}];
};
# setup ldap user for email
services.lldap.provision.users = config.mine.shared.lib.ldap.mkScope (lconfig: llib: {
"${svc_name}" = llib.mkProvisionUserSystem "${svc_name}" config.age.secrets.rallly-ldap-pass.path;
});
# give rallly user access to the secrets
age.secrets.rallly-env.owner = user;
# setup users
users.users."${user}" = {
isNormalUser = true;
group = group;
uid = 1001;
};
users.groups."${group}".gid = 974;
# authelia
services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
client_id = "rallly";
client_name = "Rallly";
client_secret = "$pbkdf2-sha512$310000$KB4UqeuVr86lEOoISSE92w$i2YGpz3wRwceiRfYnMUhZ0MboutkDPPYVWnXqiw6tUt./mgZ5kfV1ES.kcdsHhMdavhCrJfWvVTPQRJKImuUrQ";
redirect_uris = [ "https://${svc_domain}/api/auth/callback/oidc" ];
scopes = [
"openid"
"email"
"profile"
];
}];
# nginx
services.nginx.virtualHosts."${svc_domain}" = config.mine.shared.lib.authelia.mkProtectedWebsite {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:${builtins.toString port}";
};
# try to disable registration
locations."/api/trpc/auth.requestRegistration" = {
root = pkgs.writeTextDir "index.html" ''
NO REGISTRATION!!
'';
};
};
mine.shared.meta.rallly = {
name = "Rallly";
description = ''Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier. Please do not try to use the register or normal login, only try to sign in using the SSO method. '';
url = "https://${svc_domain}";
package = {
name = "rallly";
version = "v${rally_version}";
meta = with lib; {
description = "Rallly is an open-source scheduling and collaboration tool designed to make organizing events and meetings easier.";
license = licenses.agpl3Plus;
homepage = "https://git.fricloud.dk/fricloud/server-configs/src/branch/main/machines/gerd/services/member-website/app.py";
platforms = platforms.all;
};
};
};
}
Reference in a new issue View git blame Copy permalink