Arion: Add outline wiki

2024-08-09 15:59:15 +02:00 · 2024-08-09 15:59:15 +02:00 · 4545dd5efe
commit 4545dd5efe
parent b5b149474b
5 changed files with 166 additions and 0 deletions
--- a/hosts/franz/arion/default.nix
+++ b/hosts/franz/arion/default.nix
@ -22,6 +22,7 @@
    ./auth
    ./minio
    ./stats
+    ./wiki
  ];

  environment.systemPackages = with pkgs; [arion];
--- a/hosts/franz/arion/wiki/arion-compose.nix
+++ b/hosts/franz/arion/wiki/arion-compose.nix
@ -0,0 +1,82 @@
+{
+  project.name = "wiki";
+
+  networks.dmz = {
+    name = "dmz";
+    external = true;
+  };
+  networks.internal = {};
+
+  services = {
+    outline.service = {
+      image = "docker.getoutline.com/outlinewiki/outline:0.77.2";
+      container_name = "outline";
+      labels = {
+        "traefik.enable" = "true";
+
+        "traefik.http.services.outline.loadbalancer.server.port" = "3000";
+        "traefik.http.routers.outline.service" = "outline";
+        "traefik.http.routers.outline.rule" = "Host(`wiki.ghoscht.com`)";
+        "traefik.http.routers.outline.entrypoints" = "websecure";
+        "traefik.http.routers.outline.tls" = "true";
+        "traefik.http.routers.outline.tls.certresolver" = "letsencrypt";
+      };
+      environment = {
+        NODE_ENV = "production";
+
+        PGSSLMODE = "disable";
+        REDIS_URL = "redis://redis:6379";
+
+        URL = "https://wiki.ghoscht.com";
+        PORT = 3000;
+
+        OIDC_AUTH_URI = "https://auth.ghoscht.com/application/o/authorize/";
+        OIDC_TOKEN_URI = "https://auth.ghoscht.com/application/o/token/";
+        OIDC_USERINFO_URI = "https://auth.ghoscht.com/application/o/userinfo/";
+
+        AWS_REGION = "local";
+        AWS_S3_UPLOAD_BUCKET_URL = "https://files.ghoscht.com";
+        AWS_S3_UPLOAD_BUCKET_NAME = "outline";
+        AWS_S3_UPLOAD_MAX_SIZE = 26214400;
+        AWS_S3_FORCE_PATH_STYLE = "true";
+        AWS_S3_ACL = "private";
+      };
+      env_file = [
+        "/home/ghoscht/.docker/wiki/outline.env"
+      ];
+      restart = "always";
+      depends_on = {
+        redis = {condition = "service_healthy";};
+        postgres = {condition = "service_healthy";};
+      };
+      networks = [
+        "dmz"
+        "internal"
+      ];
+    };
+    redis.service = {
+      image = "redis:7.2.4";
+      command = "--save 60 1 --loglevel warning";
+      restart = "always";
+      volumes = [
+        "/storage/dataset/docker/wiki/redis_data:/data"
+      ];
+      networks = [
+        "internal"
+      ];
+    };
+    postgres.service = {
+      image = "postgres:12.18";
+      restart = "always";
+      volumes = [
+        "/storage/dataset/docker/wiki/postgres_data:/var/lib/postgresql/data"
+      ];
+      networks = [
+        "internal"
+      ];
+      env_file = [
+        "/home/ghoscht/.docker/wiki/postgres.env"
+      ];
+    };
+  };
+}
--- a/hosts/franz/arion/wiki/arion-pkgs.nix
+++ b/hosts/franz/arion/wiki/arion-pkgs.nix
@ -0,0 +1,6 @@
+# Instead of pinning Nixpkgs, we can opt to use the one in NIX_PATH
+import <nixpkgs> {
+  # We specify the architecture explicitly. Use a Linux remote builder when
+  # calling arion from other platforms.
+  system = "x86_64-linux";
+}
--- a/hosts/franz/arion/wiki/default.nix
+++ b/hosts/franz/arion/wiki/default.nix
@ -0,0 +1,67 @@
+{config, ...}: let
+  vars = import ../../../../vars.nix;
+in {
+  virtualisation.arion = {
+    projects.wiki.settings = {
+      imports = [./arion-compose.nix];
+    };
+  };
+
+  sops.secrets."wiki/aws_access_key_id" = {
+    owner = vars.user;
+  };
+  sops.secrets."wiki/aws_secret_access_key" = {
+    owner = vars.user;
+  };
+  sops.secrets."wiki/oidc_client_id" = {
+    owner = vars.user;
+  };
+  sops.secrets."wiki/oidc_client_secret" = {
+    owner = vars.user;
+  };
+  sops.secrets."wiki/secret_key" = {
+    owner = vars.user;
+  };
+  sops.secrets."wiki/utils_secret" = {
+    owner = vars.user;
+  };
+  sops.secrets."wiki/db_user" = {
+    owner = vars.user;
+  };
+  sops.secrets."wiki/db_pass" = {
+    owner = vars.user;
+  };
+  sops.secrets."wiki/db_name" = {
+    owner = vars.user;
+  };
+
+  sops.templates."wiki-postgres.env" = {
+    path = "/home/${vars.user}/.docker/wiki/postgres.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      POSTGRES_PASSWORD="${config.sops.placeholder."wiki/db_pass"}"
+      POSTGRES_USER="${config.sops.placeholder."wiki/db_user"}"
+      POSTGRES_DB="${config.sops.placeholder."wiki/db_name"}"
+    '';
+  };
+
+  sops.templates."wiki-outline.env" = {
+    path = "/home/${vars.user}/.docker/wiki/outline.env";
+    owner = vars.user;
+    mode = "0775";
+    content = ''
+      SECRET_KEY="${config.sops.placeholder."wiki/secret_key"}"
+      UTILS_SECRET="${config.sops.placeholder."wiki/utils_secret"}"
+
+      OIDC_CLIENT_ID="${config.sops.placeholder."wiki/oidc_client_id"}"
+      OIDC_CLIENT_SECRET="${config.sops.placeholder."wiki/oidc_client_secret"}"
+
+      AWS_ACCESS_KEY_ID="${config.sops.placeholder."wiki/aws_access_key_id"}"
+      AWS_SECRET_ACCESS_KEY="${config.sops.placeholder."wiki/aws_secret_access_key"}"
+
+      DATABASE_URL="postgres://${config.sops.placeholder."wiki/db_user"}:${config.sops.placeholder."wiki/db_pass"}@postgres:5432/${config.sops.placeholder."wiki/db_name"}"
+      DATABASE_URL_TEST="postgres://${config.sops.placeholder."wiki/db_user"}:${config.sops.placeholder."wiki/db_pass"}@postgres:5432/${config.sops.placeholder."wiki/db_name"}"
+    '';
+  };
+}
--- a/secrets/franz.yaml
+++ b/secrets/franz.yaml
@ -51,6 +51,16 @@ minio:
    root_password: ENC[AES256_GCM,data:0//dfGYkV80=,iv:h1b0R2QRpN/RI9kUBU0fiKLOI3PUYmisa7RH1ibSF4c=,tag:ln1cv5LQpb76vK5+eTvSuA==,type:str]
 diun:
    ntfy_access_token: ENC[AES256_GCM,data:37UYgaMlmpoMW74LqtxkuMqGQmCvLpVdJAgEmVxSULY=,iv:tZPlfIgo1vWvMPlQzCBPXj5xYDiTWJOsVwkxBjGNMDk=,tag:882g2UxFfg5VSKqAtEMk2Q==,type:str]
+wiki:
+    aws_access_key_id: ENC[AES256_GCM,data:Fqfa6XcDDpQ0l+/entQh6sxobBM=,iv:gbfHxTy0Oj9xYlucpN98CjNIURDrx9BuFF4Pfo90V0M=,tag:df8Z3J2ovO1MHPnzOsCtpg==,type:str]
+    aws_secret_access_key: ENC[AES256_GCM,data:sbgzvlN5dP4jZIGKtDsMn5o2RqWTl+XNi80ydnOgrQkgnQ/HxluWWA==,iv:xyCKfbf/UF9cFunCYHwVBw4eVvOeZQtfPtrz2s6zIII=,tag:S0wzL8d5iEn20VbOVfrZBw==,type:str]
+    oidc_client_id: ENC[AES256_GCM,data:SSuRQJfgzeb641U2eeVE8wYZAbEWHYSSx0b8n4687FHLslFPGCAWeA==,iv:khCwIE50KVEtHJoDJBdCBJIDVZiDjkCS2D4yUt3AEOQ=,tag:JjVil9C2HHdTH1fDzDAJkg==,type:str]
+    oidc_client_secret: ENC[AES256_GCM,data:6TgTZsfaBdsismhK/lAiayMU8uIFOCmumV9tzmqNSocbqQgKAuEwgXTisMtndsk64JA2NYCS2DXhe+NSBO++aBscZ/hbqxBNWqw7c84YugqXMRFeqidb+RSJKdJ6WDmwGBfGm6/kjGJ+FSGuiu1S4sfOlfp2bXM5mhvgAXUygfg=,iv:Q9QoWp2V6uwFJidsL7QzB67TO4uFsqmun8zdZgRXbNI=,tag:wphiixaGZgsmk4sQFyvqbg==,type:str]
+    secret_key: ENC[AES256_GCM,data:Xr4iRj2oYJYVBBzIOsT6d4LjQo/M+qy7XVoNoM9vQWeWZuZlCnrdy7cfsa6VfHVnPNfdMIccmvBk3VzdDH1ukA==,iv:62LiqANdqrSMGzgaxL3uxgwyZtZd1XrsYEMF/ixt+lM=,tag:OH4xth89KDKONnbniM3itg==,type:str]
+    utils_secret: ENC[AES256_GCM,data:M062FvE0kFVyjkxIlolLtR/NwIya1Si7r/im1SDLvGNIHn4kDgat5KTHitjjMFMOKeSKT7ipgHc/lWCQYbi6IA==,iv:LWLOt+vZF0xK68LJTw1xWIWG65pkGiMnx/oMRBzeyyQ=,tag:SXKu3UO6IKupBVfvAwCtHw==,type:str]
+    db_user: ENC[AES256_GCM,data:g2+KPA==,iv:0I7EoGNlnnKf5H0UnmJ++9XDHEqZpXgZkyaW9flxN8c=,tag:b3WrfHGkxIJ1nNFp3FHAjA==,type:str]
+    db_pass: ENC[AES256_GCM,data:rYmNXQ==,iv:ZnImkMdIkp92jkojLVBSGSN06my3xFwr3AFfENNXgfQ=,tag:AZHqXRLfJ0lFrGyut+Sdug==,type:str]
+    db_name: ENC[AES256_GCM,data:Ns7vKJxeTw==,iv:GREMMRicS+1n/uk+KOeplqHn/ZdjjOjQ4d0qV5FICy8=,tag:CSeDTNjBiJ4G2VnytpNXiw==,type:str]
 sops:
    kms: []
    gcp_kms: []