diff --git a/hosts/franz/arion/default.nix b/hosts/franz/arion/default.nix index 651a833..22e7c46 100644 --- a/hosts/franz/arion/default.nix +++ b/hosts/franz/arion/default.nix @@ -22,6 +22,7 @@ ./auth ./minio ./stats + ./wiki ]; environment.systemPackages = with pkgs; [arion]; diff --git a/hosts/franz/arion/wiki/arion-compose.nix b/hosts/franz/arion/wiki/arion-compose.nix new file mode 100644 index 0000000..02a7269 --- /dev/null +++ b/hosts/franz/arion/wiki/arion-compose.nix @@ -0,0 +1,82 @@ +{ + project.name = "wiki"; + + networks.dmz = { + name = "dmz"; + external = true; + }; + networks.internal = {}; + + services = { + outline.service = { + image = "docker.getoutline.com/outlinewiki/outline:0.77.2"; + container_name = "outline"; + labels = { + "traefik.enable" = "true"; + + "traefik.http.services.outline.loadbalancer.server.port" = "3000"; + "traefik.http.routers.outline.service" = "outline"; + "traefik.http.routers.outline.rule" = "Host(`wiki.ghoscht.com`)"; + "traefik.http.routers.outline.entrypoints" = "websecure"; + "traefik.http.routers.outline.tls" = "true"; + "traefik.http.routers.outline.tls.certresolver" = "letsencrypt"; + }; + environment = { + NODE_ENV = "production"; + + PGSSLMODE = "disable"; + REDIS_URL = "redis://redis:6379"; + + URL = "https://wiki.ghoscht.com"; + PORT = 3000; + + OIDC_AUTH_URI = "https://auth.ghoscht.com/application/o/authorize/"; + OIDC_TOKEN_URI = "https://auth.ghoscht.com/application/o/token/"; + OIDC_USERINFO_URI = "https://auth.ghoscht.com/application/o/userinfo/"; + + AWS_REGION = "local"; + AWS_S3_UPLOAD_BUCKET_URL = "https://files.ghoscht.com"; + AWS_S3_UPLOAD_BUCKET_NAME = "outline"; + AWS_S3_UPLOAD_MAX_SIZE = 26214400; + AWS_S3_FORCE_PATH_STYLE = "true"; + AWS_S3_ACL = "private"; + }; + env_file = [ + "/home/ghoscht/.docker/wiki/outline.env" + ]; + restart = "always"; + depends_on = { + redis = {condition = "service_healthy";}; + postgres = {condition = "service_healthy";}; + }; + networks = [ + "dmz" + "internal" + ]; + }; + redis.service = { + image = "redis:7.2.4"; + command = "--save 60 1 --loglevel warning"; + restart = "always"; + volumes = [ + "/storage/dataset/docker/wiki/redis_data:/data" + ]; + networks = [ + "internal" + ]; + }; + postgres.service = { + image = "postgres:12.18"; + restart = "always"; + volumes = [ + "/storage/dataset/docker/wiki/postgres_data:/var/lib/postgresql/data" + ]; + networks = [ + "internal" + ]; + env_file = [ + "/home/ghoscht/.docker/wiki/postgres.env" + ]; + }; + }; +} diff --git a/hosts/franz/arion/wiki/arion-pkgs.nix b/hosts/franz/arion/wiki/arion-pkgs.nix new file mode 100644 index 0000000..69aad13 --- /dev/null +++ b/hosts/franz/arion/wiki/arion-pkgs.nix @@ -0,0 +1,6 @@ +# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH +import { + # We specify the architecture explicitly. Use a Linux remote builder when + # calling arion from other platforms. + system = "x86_64-linux"; +} diff --git a/hosts/franz/arion/wiki/default.nix b/hosts/franz/arion/wiki/default.nix new file mode 100644 index 0000000..80002e3 --- /dev/null +++ b/hosts/franz/arion/wiki/default.nix @@ -0,0 +1,67 @@ +{config, ...}: let + vars = import ../../../../vars.nix; +in { + virtualisation.arion = { + projects.wiki.settings = { + imports = [./arion-compose.nix]; + }; + }; + + sops.secrets."wiki/aws_access_key_id" = { + owner = vars.user; + }; + sops.secrets."wiki/aws_secret_access_key" = { + owner = vars.user; + }; + sops.secrets."wiki/oidc_client_id" = { + owner = vars.user; + }; + sops.secrets."wiki/oidc_client_secret" = { + owner = vars.user; + }; + sops.secrets."wiki/secret_key" = { + owner = vars.user; + }; + sops.secrets."wiki/utils_secret" = { + owner = vars.user; + }; + sops.secrets."wiki/db_user" = { + owner = vars.user; + }; + sops.secrets."wiki/db_pass" = { + owner = vars.user; + }; + sops.secrets."wiki/db_name" = { + owner = vars.user; + }; + + sops.templates."wiki-postgres.env" = { + path = "/home/${vars.user}/.docker/wiki/postgres.env"; + owner = vars.user; + mode = "0775"; + content = '' + POSTGRES_PASSWORD="${config.sops.placeholder."wiki/db_pass"}" + POSTGRES_USER="${config.sops.placeholder."wiki/db_user"}" + POSTGRES_DB="${config.sops.placeholder."wiki/db_name"}" + ''; + }; + + sops.templates."wiki-outline.env" = { + path = "/home/${vars.user}/.docker/wiki/outline.env"; + owner = vars.user; + mode = "0775"; + content = '' + SECRET_KEY="${config.sops.placeholder."wiki/secret_key"}" + UTILS_SECRET="${config.sops.placeholder."wiki/utils_secret"}" + + OIDC_CLIENT_ID="${config.sops.placeholder."wiki/oidc_client_id"}" + OIDC_CLIENT_SECRET="${config.sops.placeholder."wiki/oidc_client_secret"}" + + AWS_ACCESS_KEY_ID="${config.sops.placeholder."wiki/aws_access_key_id"}" + AWS_SECRET_ACCESS_KEY="${config.sops.placeholder."wiki/aws_secret_access_key"}" + + DATABASE_URL="postgres://${config.sops.placeholder."wiki/db_user"}:${config.sops.placeholder."wiki/db_pass"}@postgres:5432/${config.sops.placeholder."wiki/db_name"}" + DATABASE_URL_TEST="postgres://${config.sops.placeholder."wiki/db_user"}:${config.sops.placeholder."wiki/db_pass"}@postgres:5432/${config.sops.placeholder."wiki/db_name"}" + ''; + }; +} diff --git a/secrets/franz.yaml b/secrets/franz.yaml index 7bc90fe..f6ce0bd 100644 --- a/secrets/franz.yaml +++ b/secrets/franz.yaml @@ -51,6 +51,16 @@ minio: root_password: ENC[AES256_GCM,data:0//dfGYkV80=,iv:h1b0R2QRpN/RI9kUBU0fiKLOI3PUYmisa7RH1ibSF4c=,tag:ln1cv5LQpb76vK5+eTvSuA==,type:str] diun: ntfy_access_token: ENC[AES256_GCM,data:37UYgaMlmpoMW74LqtxkuMqGQmCvLpVdJAgEmVxSULY=,iv:tZPlfIgo1vWvMPlQzCBPXj5xYDiTWJOsVwkxBjGNMDk=,tag:882g2UxFfg5VSKqAtEMk2Q==,type:str] +wiki: + aws_access_key_id: ENC[AES256_GCM,data:Fqfa6XcDDpQ0l+/entQh6sxobBM=,iv:gbfHxTy0Oj9xYlucpN98CjNIURDrx9BuFF4Pfo90V0M=,tag:df8Z3J2ovO1MHPnzOsCtpg==,type:str] + aws_secret_access_key: ENC[AES256_GCM,data:sbgzvlN5dP4jZIGKtDsMn5o2RqWTl+XNi80ydnOgrQkgnQ/HxluWWA==,iv:xyCKfbf/UF9cFunCYHwVBw4eVvOeZQtfPtrz2s6zIII=,tag:S0wzL8d5iEn20VbOVfrZBw==,type:str] + oidc_client_id: ENC[AES256_GCM,data:SSuRQJfgzeb641U2eeVE8wYZAbEWHYSSx0b8n4687FHLslFPGCAWeA==,iv:khCwIE50KVEtHJoDJBdCBJIDVZiDjkCS2D4yUt3AEOQ=,tag:JjVil9C2HHdTH1fDzDAJkg==,type:str] + oidc_client_secret: ENC[AES256_GCM,data:6TgTZsfaBdsismhK/lAiayMU8uIFOCmumV9tzmqNSocbqQgKAuEwgXTisMtndsk64JA2NYCS2DXhe+NSBO++aBscZ/hbqxBNWqw7c84YugqXMRFeqidb+RSJKdJ6WDmwGBfGm6/kjGJ+FSGuiu1S4sfOlfp2bXM5mhvgAXUygfg=,iv:Q9QoWp2V6uwFJidsL7QzB67TO4uFsqmun8zdZgRXbNI=,tag:wphiixaGZgsmk4sQFyvqbg==,type:str] + secret_key: ENC[AES256_GCM,data:Xr4iRj2oYJYVBBzIOsT6d4LjQo/M+qy7XVoNoM9vQWeWZuZlCnrdy7cfsa6VfHVnPNfdMIccmvBk3VzdDH1ukA==,iv:62LiqANdqrSMGzgaxL3uxgwyZtZd1XrsYEMF/ixt+lM=,tag:OH4xth89KDKONnbniM3itg==,type:str] + utils_secret: ENC[AES256_GCM,data:M062FvE0kFVyjkxIlolLtR/NwIya1Si7r/im1SDLvGNIHn4kDgat5KTHitjjMFMOKeSKT7ipgHc/lWCQYbi6IA==,iv:LWLOt+vZF0xK68LJTw1xWIWG65pkGiMnx/oMRBzeyyQ=,tag:SXKu3UO6IKupBVfvAwCtHw==,type:str] + db_user: ENC[AES256_GCM,data:g2+KPA==,iv:0I7EoGNlnnKf5H0UnmJ++9XDHEqZpXgZkyaW9flxN8c=,tag:b3WrfHGkxIJ1nNFp3FHAjA==,type:str] + db_pass: ENC[AES256_GCM,data:rYmNXQ==,iv:ZnImkMdIkp92jkojLVBSGSN06my3xFwr3AFfENNXgfQ=,tag:AZHqXRLfJ0lFrGyut+Sdug==,type:str] + db_name: ENC[AES256_GCM,data:Ns7vKJxeTw==,iv:GREMMRicS+1n/uk+KOeplqHn/ZdjjOjQ4d0qV5FICy8=,tag:CSeDTNjBiJ4G2VnytpNXiw==,type:str] sops: kms: [] gcp_kms: []