From f1b929c8f2b7b4278e949a1301267bab7e5be5ea Mon Sep 17 00:00:00 2001 From: Jonni Liljamo Date: Sun, 29 Sep 2024 14:29:20 +0300 Subject: [PATCH] feat: new miniflux and vikunja --- secrets/auth/secrets.yaml | 6 +- secrets/cloud/secrets.yaml | 9 +- systems/hosts/cloud/default.nix | 5 + systems/hosts/cloud/miniflux.nix | 60 ++++++++++++ systems/hosts/cloud/vikunja.nix | 106 ++++++++++++++++++++++ systems/hosts/proxy/domainstobackends.map | 1 + systems/hosts/proxy/haproxy.conf | 9 +- 7 files changed, 188 insertions(+), 8 deletions(-) create mode 100644 systems/hosts/cloud/miniflux.nix create mode 100644 systems/hosts/cloud/vikunja.nix diff --git a/secrets/auth/secrets.yaml b/secrets/auth/secrets.yaml index 33f961e..703dc43 100644 --- a/secrets/auth/secrets.yaml +++ b/secrets/auth/secrets.yaml 
@@ -16,7 +16,7 @@ authelia-main: users: ENC[AES256_GCM,data:aIJfSlEzvnI0M8eyPc/Ea0fU0C9g+vuBCOIzfpvkE+HPleYfIqVgc2G8/wIA6zDV9714trq5ePLrwl4FNmOSgMS1/2BO/P0VuMYbHDZlMOaug1WUxrrKY2d1OAz7hYLySyZEXT+/3MfS7NkodoAKGv4P23IjLIUDAkKEYjbW/NEltj72fR/NZEuikIK31GMDOfQsqY2Ll28YDtOAWOaCi/fcPu6SB45c+hI0cYc58WcqgA/rBu43VvV/hLP6xcIblMzI60x2Z8BqpJPuuGLx9N35cTGKU99FhFFUcurVOweCkGXxLLG1j1TCJqhRGOSHeQqF2uhi9DU3BHnbyKEfOtl4VNEUALOC/tS2cXcOPyitNRAdyQwHr6MgfOZ50PfdTSs=,iv:mbuKhpUbQPH73bH3Hb7VOkUGhQFtDsCg9vQOcwwv2NI=,tag:mWfoaizmOrbYNqAj8gB4QQ==,type:str] acl: ENC[AES256_GCM,data:9etsF4GCj9OBjDjEDfqQPMiU0NhSsfw6ATnwlFiWFiJcj7T9XDpPuLZ57ycZopbzUHeeDcxiBKN+5ZKSSRsgjomh7EVvodRFGDEP6nPW659PfCAbTW9Nzdiw4iNRKT9e0fcq3q4lZA6WjOj5F5zGAh8yN75hJ5tn4J/wkq81Ie707GWXOSXl/Zq5bBbH/InB0WlnY16tKseld3Xj+DK1XjYy/g/jA3LscQMhz8TT0z2hfERBZBIzRFg3RiuxOgCCVWxadHJDPRxi7O2vAQVEVLuOLI3NnFDy/17ASbgSA6XTIyCUePmTZ/wfdJ1B9puq9VHi03UUhTkXxdfIvSB5HrptH3rFXhlH6HmbwMsQi3fyf16EfBMa8KDY+QeZaLk=,iv:Y+Bs84dDcDDT3RbH/xWTPHgaSq/RcevY5N5LXvfEIqk=,tag:5DGUuhQsoGPhRS22Yd5fRg==,type:str] notifier: ENC[AES256_GCM,data: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,iv:a4CYoYFgqlIw+ZDBP5W1lAbQ+PqRvqCPeQH9qXIeqN4=,tag:BR1b36rd82Tiv8U/hI3QMw==,type:str] - oidc: ENC[AES256_GCM,data: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,iv:xRM/DtHDNfA3gI5lT8m7ujN+cIq8DLlL4ONWSngVw9U=,tag:IZzf3ophi+Amx44Ov+gvUQ==,type:str] + oidc: ENC[AES256_GCM,data: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,iv:uRrUe8UUCqNLHKH1X7BuSLM74UBZzeFFWiB8DTz5734=,tag:pKstst585qsrgcVQFjM3hw==,type:str] sops: kms: [] gcp_kms: [] 
@@ -32,8 +32,8 @@ sops: TXlpbGtKdWdZWnBpNmhUSVBnTUdUa3MKsUaVRhGuwXjGHoEbfA8II6mPUuCAM1SP D3VhdiJF0DgxN6jBpmUQSfVXE4COzfABoq25QRnVcWvxCzYzEoBGAg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-03T16:33:05Z" - mac: ENC[AES256_GCM,data:ZAPrmU5zrk7C8J8gHSlorTCInGK6n6zG559WxYbZWM9Qk5swKzsjuEGq9GLeYRHJBX30ObUYVUehzGUzlEzhmIc49MGtAlGKvboSlp5V17TqBw7thqtts2CQuBjk6TivwqsqJ93b5Y5//wuiV6WcxI4yQQdlHtiLBGP+joxviTc=,iv:dTqZYaWSOrKe9j8RSq3xqCQUarivzUBKNEVyY8DQrNY=,tag:SgnZe1JCWtOR54TEWnNYGg==,type:str] + lastmodified: "2024-09-28T16:56:37Z" + mac: ENC[AES256_GCM,data:Xly2YoTK2TPphz57y9QUT4XVVRJqJQaEhAYU8rulfFuXwOygQI2qCrNzam06O9xGx6H07D/CYT2uqKm/KDnSteQmm7XXgF891PoA20d5GeXRRj5oLNFI2k89tBE3k2rVWKkticny6DPRrIcVkV/0bl6OiPe7hR0ZtahhcdPOfD0=,iv:oRBnlLEIIh1asroWuwrkVk98A172WZGExEHh/2CxfaI=,tag:yV/p2cOMrXXqvHPRH2fG2w==,type:str] pgp: - created_at: "2024-09-03T16:24:42Z" enc: |- diff --git a/secrets/cloud/secrets.yaml b/secrets/cloud/secrets.yaml index 454ec9a..247ea77 100644 --- a/secrets/cloud/secrets.yaml +++ b/secrets/cloud/secrets.yaml 
@@ -8,6 +8,11 @@ outline: nextcloud: adminpass: ENC[AES256_GCM,data:DrjQXb0ua9dfemyRaoRhZ+jgiZRvH8xa7sIcj9O22O8Nmz0DvYe6sHaaIbnJKNr4vttAZSIXIZ8Z2EopxPlwlaTjsyI2/CQmW4VJq5R5GqyQdfdcLFsO/Yjc9LLGaaMqM2LEgtBPZ8MsCzIrAxOuSRPl6EGL+CUfMfsxdl4Iv8E=,iv:lEvKJ8HxcTUs1mylhqOMHs9V/KGkv5YOdHyZMnIyc78=,tag:DqK101a3idk40+MmjKOrnA==,type:str] dbpass: ENC[AES256_GCM,data:JFjdXW1K8HwW,iv:TJQuf1uftrNs6oXi6zxquu7w7iwwKrL7ljCjVLwbVUo=,tag:7kgtyJilrO0pG1avxielKQ==,type:str] +vikunja: + jwtSecret: ENC[AES256_GCM,data:AtS8S1/L4w6t1mPWnRV3TlTWnfHB6UrKaaThlAQb9vt/gEH+j0HtvwM1JjmoWF+pTrAM8nqCnse6B/Bd7UmsqA==,iv:GGk3duFzOufUlRs+5yuenqwkLftzes9lcoMO1vxFsts=,tag:xgTZrxUphUEzJh+bi2Eqbg==,type:str] + oidcSecret: ENC[AES256_GCM,data:o20FK6xl4UpPRdnOE4IbqTMq/wHN2QkXL0Td33gMLq2S2VEFkZyCG1jxOfvO3R+cV4pUuZJoumG8HOey33KuWw==,iv:K7uar7dPz2tzXKuuoI6SBq6zxCqBk6q3niiMqJj2eks=,tag:Idvl2wb3LxIK5363xfnxSA==,type:str] +miniflux: + oidcSecret: ENC[AES256_GCM,data:1QfgSCNtSg3iJ/r6nJGP2yer4TVtrbPhvEIsTsyXHumUOuq1Rhmvv8bWl7N6rBh06BNGIbW84UcCbaNMG5iV7Q==,iv:4qnwhcvXM3n1xSMTd7+2JBVptx6SP2h4Kf26mk4XQB0=,tag:PDcw0Js//jw/hN8UWxQpVQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -23,8 +28,8 @@ sops: TjduMkxMazUveTlUdStwRGJaRDlpaTAKW7P6B3W1tih2S81TRY7m/Me9Gr6CwZLi Wymq21dT+Or2FR8F2LZDHG8WiUOu/8bvSZ0ZYZpfs5mCvufdRhPFaA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-09T17:30:36Z" - mac: ENC[AES256_GCM,data:Vhz/eGr3oC9eIil13kDrct3o1SyUB85ZQ+Ho8HSLeDyj6cgqPLqM5GoZlzE/ttR9VZN0FXJpULWMq/0jyiJbpTMh24jj0+iPTBHzagAyjeXSboOh3FQ04FIoDB20+o4gmmHhPjk1F9HuWwzc0dcO4WgHCC7QWPBL0I0uX3Vmpuw=,iv:bbohTgOSzgo4M6eeG17VSy0Tf84vI9svFnrsvKALdok=,tag:mo9MQuVgtuaDfyw7vfKz7Q==,type:str] + lastmodified: "2024-09-28T15:18:05Z" + mac: ENC[AES256_GCM,data:KXEj88VPXYLbM0v4bTkAFaIuEMI9/FPu/yS0QRoORq2c71Sm3uSsfZLRRYzfxQm1Q+6hjnyYiqRbpxjYDGDmUn7Oyfo3hESpAJguhUPi4Xbw60rB2ZryKhc/+DmGu4uR391grovlbgYXorfjlo0n0QpVlCyO0OlAiM1qqNhGPl0=,iv:/HuVsqL8J1WOFv22tQb+0NSp2VdmPkgFs4GFfF8DaVU=,tag:lzgxj4IPhTtOSWviefI81A==,type:str] pgp: - created_at: "2024-09-09T17:25:01Z" enc: |- diff --git a/systems/hosts/cloud/default.nix b/systems/hosts/cloud/default.nix index b4ea6ca..51e48b9 100644 --- a/systems/hosts/cloud/default.nix +++ b/systems/hosts/cloud/default.nix @@ -6,6 +6,11 @@ }: let outlinePort = 3000; in { + imports = [ + ./miniflux.nix + ./vikunja.nix + ]; + networking.firewall.allowedTCPPorts = [80 config.services.outline.port]; sops.secrets."outline/secretKey" = { diff --git a/systems/hosts/cloud/miniflux.nix b/systems/hosts/cloud/miniflux.nix new file mode 100644 index 0000000..2c04022 --- /dev/null +++ b/systems/hosts/cloud/miniflux.nix 
@@ -0,0 +1,60 @@
+{
+ config,
+ pkgs,
+ lib,
+ ...
+}: let
+ port = 8080;
+ user = "miniflux";
+ db = "miniflux";
+in {
+ sops.secrets."miniflux/oidcSecret" = {
+ owner = user;
+ group = user;
+ };
+
+ networking.firewall.allowedTCPPorts = [port];
+
+ services.miniflux = {
+ enable = true;
+ adminCredentialsFile = pkgs.writeText "minifluxDummyAdminCredentialsFile" '''';
+ createDatabaseLocally = false;
+ config = {
+ DATABASE_URL = "host=/run/postgresql dbname=${db} sslmode=disable";
+ LISTEN_ADDR = "0.0.0.0:${toString port}";
+ BASE_URL = "https://rss.liljamo.com/";
+ DISABLE_LOCAL_AUTH = 1;
+ #METRICS_COLLECTOR = 1; # TODO: metrics, disable /metrics path on haproxy like jellyfin
+
+ OAUTH2_PROVIDER = "oidc";
+ OAUTH2_CLIENT_ID = "miniflux";
+ OAUTH2_CLIENT_SECRET_FILE = config.sops.secrets."miniflux/oidcSecret".path;
+ OAUTH2_REDIRECT_URL = "https://rss.liljamo.com/oauth2/oidc/callback";
+ # .well-known/openid-configuration is appended to this by the oidc library used by miniflux
+ OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.liljamo.com";
+ OAUTH2_USER_CREATION = 1;
+
+ RUN_MIGRATIONS = 1;
+ CREATE_ADMIN = lib.mkForce 0;
+
+ FORCE_REFRESH_INTERVAL = 5;
+ };
+ };
+
+ services.postgresql = {
+ ensureDatabases = [db];
+ ensureUsers = [
+ {
+ name = user;
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+
+ users.users.${user} = {
+ createHome = false;
+ group = user;
+ isSystemUser = true;
+ };
+ users.groups.${user} = {};
+}
diff --git a/systems/hosts/cloud/vikunja.nix b/systems/hosts/cloud/vikunja.nix
new file mode 100644
index 0000000..aabe902
--- /dev/null
+++ b/systems/hosts/cloud/vikunja.nix
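Review bot: In miniflux.nix, `LISTEN_ADDR = "0.0.0.0:${toString port}"` together with `networking.firewall.allowedTCPPorts = [port];` exposes Miniflux over plain HTTP on every interface of the host, so any peer that can route to it reaches the app without passing through the haproxy front end; `interface = ":${toString port}"` with the same firewall line in vikunja.nix has the same effect. If only the proxy host needs access, scope the rule to the internal interface, e.g. `networking.firewall.interfaces."<internal-iface>".allowedTCPPorts = [port];` (placeholder name), or bind to the internal address. This also bears on the `METRICS_COLLECTOR` TODO: a `/metrics` block on haproxy does nothing for direct connections to the port, so pair it with Miniflux's `METRICS_ALLOWED_NETWORKS`. Separately, `OAUTH2_USER_CREATION = 1` with local auth disabled means access control rests entirely on which identities the OIDC provider admits for the `miniflux` client, which deserves a comment saying where that policy lives.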
@@ -0,0 +1,106 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}: let
+ port = 3456;
+ user = "vikunja";
+ db = "vikunja";
+
+ redisPort = 3279;
+in {
+ sops.secrets."vikunja/jwtSecret" = {
+ owner = user;
+ group = user;
+ };
+ sops.secrets."vikunja/oidcSecret" = {
+ owner = user;
+ group = user;
+ };
+
+ sops.templates."vikunja/config" = {
+ owner = user;
+ file = (pkgs.formats.yaml {}).generate "config.yaml" {
+ database = {
+ type = "postgres";
+ host = "/run/postgresql";
+ user = user;
+ database = db;
+ };
+ files.basepath = "/var/lib/vikunja/files";
+
+ service = {
+ jwtsecret = "${config.sops.placeholder."vikunja/jwtSecret"}";
+ interface = ":${toString port}";
+ publicurl = "https://todo.liljamo.com";
+ enableregistration = false;
+ timezone = "Europe/Helsinki";
+ };
+ redis = {
+ enabled = true;
+ host = "127.0.0.1:${toString redisPort}";
+ };
+ keyvalue.type = "redis";
+ auth = {
+ local.enabled = false;
+ openid = {
+ enabled = true;
+ providers = [
+ {
+ name = "Liljamo Auth";
+ authurl = "https://auth.liljamo.com";
+ clientid = "vikunja";
+ clientsecret = "${config.sops.placeholder."vikunja/oidcSecret"}";
+ }
+ ];
+ };
+ };
+ #metrics.enabled = true; # TODO: https://vikunja.io/docs/config-options/#0--metrics
+ # also same as jellyfin and miniflux, make this not available via haproxy
+ defaultsettings = {
+ week_start = 1; # Monday
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [port];
+
+ services.vikunja = {
+ enable = true;
+ # NOTE: These are not actually used, they're here just to make the module happy.
+ frontendHostname = "todo.liljamo.com"; + frontendScheme = "https"; + }; + + environment.etc."vikunja/config.yaml".source = lib.mkForce config.sops.templates."vikunja/config".path; + + services.postgresql = { + ensureDatabases = [db]; + ensureUsers = [ + { + name = user; + ensureDBOwnership = true; + } + ]; + }; + + services.redis.servers.vikunja = { + enable = true; + bind = "127.0.0.1"; + port = redisPort; + }; + + users.users.${user} = { + createHome = false; + group = user; + isSystemUser = true; + }; + users.groups.${user} = {}; + + systemd.services.vikunja.serviceConfig = { + DynamicUser = lib.mkForce false; + User = user; + Group = user; + }; +} diff --git a/systems/hosts/proxy/domainstobackends.map b/systems/hosts/proxy/domainstobackends.map index 7ff765f..0dbf07f 100644 --- a/systems/hosts/proxy/domainstobackends.map +++ b/systems/hosts/proxy/domainstobackends.map @@ -2,6 +2,7 @@ auth.liljamo.com autheliamain cloud.liljamo.com nextcloud docs.liljamo.com outline rss.liljamo.com miniflux +todo.liljamo.com vikunja liljamo.dev liljamodev umami.liljamo.dev umami diff --git a/systems/hosts/proxy/haproxy.conf b/systems/hosts/proxy/haproxy.conf index e29fd5c..ae4e69f 100644 --- a/systems/hosts/proxy/haproxy.conf +++ b/systems/hosts/proxy/haproxy.conf @@ -71,12 +71,15 @@ backend be_autheliamain backend be_outline server outline 10.1.2.15:3000 -backend be_miniflux - server miniflux 10.1.1.10:8600 - backend be_nextcloud server nextcloud 10.1.2.15:80 +backend be_miniflux + server miniflux 10.1.2.15:8080 + +backend be_vikunja + server vikunja 10.1.2.15:3456 + backend be_jellyfin option httpchk option forwardfor -- 2.44.1
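Review bot: In vikunja.nix, `DynamicUser = lib.mkForce false;` under `systemd.services.vikunja.serviceConfig` also drops the sandboxing systemd implies for dynamic users (`ProtectSystem=strict`, `ProtectHome=read-only`, `PrivateTmp`, `NoNewPrivileges`, `RemoveIPC`), and the override sets only `User` and `Group`. Unless the upstream module already sets these (not visible in this hunk), restore them explicitly, e.g. `ProtectSystem = "strict"; PrivateTmp = true; NoNewPrivileges = true;`, and confirm the directory behind `files.basepath` stays writable by the static user. The Redis instance in `services.redis.servers.vikunja` is bound to loopback without authentication, so any local process can read or change Vikunja's key-value data; `requirePassFile` on the server plus a matching `redis.password` placeholder in the sops template would narrow that.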
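Review bot: In haproxy.conf, `be_miniflux` and `be_vikunja` consist of a bare `server` line, while `be_jellyfin` just below sets `option forwardfor` per backend; unless a `defaults` section outside this hunk provides it, both new apps will record the proxy address instead of the client's in their logs. Add `option forwardfor` to the two backends, and once the metrics TODOs in the Nix files are picked up, add a path rule there as well, such as `http-request deny if { path_beg /metrics }`. The `be_jellyfin` block continues outside the hunk.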