{
config,
lib,
pkgs,
...
}: let
# Account name used for the system user/group, the PostgreSQL role and the
# owner of the sops secrets and the rendered config.
user = "vikunja";
# PostgreSQL database name. Must stay equal to `user` while ensureDBOwnership
# is used, because NixOS requires a database named after the role.
db = "vikunja";
# TCP port of the Vikunja HTTP listener; the same value is opened in the firewall.
port = 3456;
# TCP port of the Redis instance dedicated to Vikunja (bound to loopback).
redisPort = 3279;
in {
# Secrets decrypted by sops-nix. Both are consumed in this file only through
# config.sops.placeholder in the "vikunja/config" template.
# NOTE(review): if nothing else reads the raw secret files directly, the default
# root ownership would be enough; the rendered template is what the service reads.
sops.secrets = {
  "vikunja/jwtSecret" = {
    group = user;
    owner = user;
  };
  "vikunja/oidcSecret" = {
    group = user;
    owner = user;
  };
};
# Vikunja's config.yaml as a sops-nix template. The YAML generated here holds
# only placeholder tokens; sops-nix substitutes the real JWT and OIDC secrets
# when it renders the file, so they are not written to the Nix store by this
# expression. The rendered file is owned by the service account.
sops.templates."vikunja/config" = {
  owner = user;
  file = (pkgs.formats.yaml {}).generate "config.yaml" {
    # PostgreSQL over the local unix socket directory, no TCP involved.
    database = {
      inherit user;
      type = "postgres";
      host = "/run/postgresql";
      database = db;
    };

    files = {
      basepath = "/var/lib/vikunja/files";
    };

    service = {
      # No host part: the listener binds to every address, and it speaks plain
      # HTTP. publicurl is https, so TLS is terminated somewhere in front of it.
      interface = ":${toString port}";
      publicurl = "https://todo.liljamo.com";
      jwtsecret = config.sops.placeholder."vikunja/jwtSecret";
      # Accounts come from the OIDC provider only; self-service sign-up is off.
      enableregistration = false;
      timezone = "Europe/Helsinki";
    };

    # Redis on loopback backs the key-value store.
    redis.enabled = true;
    redis.host = "127.0.0.1:${toString redisPort}";
    keyvalue = {
      type = "redis";
    };

    # Local username/password login is disabled; OpenID Connect is the only
    # enabled login method.
    auth.local = {
      enabled = false;
    };
    auth.openid = {
      enabled = true;
      providers = [
        {
          name = "Liljamo Auth";
          authurl = "https://auth.liljamo.com";
          clientid = "vikunja";
          clientsecret = config.sops.placeholder."vikunja/oidcSecret";
        }
      ];
    };

    # TODO: enable metrics, see https://vikunja.io/docs/config-options/#0--metrics
    # As with jellyfin and miniflux, the metrics endpoint must not be reachable
    # through haproxy.
    #metrics.enabled = true;

    defaultsettings.week_start = 1; # Monday
  };
};
# Opens the Vikunja port in the host firewall for every interface. The listener
# itself is plain HTTP on all addresses (service.interface has no host part).
# NOTE(review): presumably a reverse proxy on another machine terminates TLS and
# connects here. If the proxy runs on this host, this rule is not needed and the
# listener can bind to loopback; otherwise consider limiting the rule to the
# proxy-facing interface so session tokens do not travel unencrypted on other networks.
networking.firewall = {
  allowedTCPPorts = [port];
};
services.vikunja = {
  # The module insists on these two options, but they have no effect here:
  # the config file it would derive from them is force-replaced below.
  frontendScheme = "https";
  frontendHostname = "todo.liljamo.com";
  enable = true;
};
# Point /etc/vikunja/config.yaml at the sops-rendered file. mkForce is needed
# to win over another definition of this option (presumably the one made by
# the vikunja module; it is not visible in this file).
environment.etc."vikunja/config.yaml" = {
  source = lib.mkForce config.sops.templates."vikunja/config".path;
};
# Declaratively provision the database and a role that owns it. Vikunja
# reaches PostgreSQL through the /run/postgresql socket directory configured
# in its database.host setting.
services.postgresql = {
  ensureUsers = [
    {
      ensureDBOwnership = true;
      name = user;
    }
  ];
  ensureDatabases = [db];
};
# Redis instance dedicated to Vikunja, listening on loopback only.
# NOTE(review): no requirePass/requirePassFile is set, so any local process can
# connect and read or modify Vikunja's key-value data. Consider
# requirePassFile here together with redis.password in the Vikunja config.
services.redis.servers = {
  vikunja = {
    port = redisPort;
    bind = "127.0.0.1";
    enable = true;
  };
};
# Static system account and matching group for the service. It has no home
# directory; the same name owns the sops secrets and the rendered config, and
# is used as the PostgreSQL role.
users = {
  groups.${user} = {};
  users.${user} = {
    isSystemUser = true;
    group = user;
    createHome = false;
  };
};
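# Run the unit as the static "vikunja" account instead of a systemd-allocated
# one. mkForce is required to override a DynamicUser value defined elsewhere
# (presumably by the vikunja module; it is not visible in this file).
#
# systemd's DynamicUser=yes implies ProtectSystem=strict, ProtectHome=read-only,
# PrivateTmp, RemoveIPC, NoNewPrivileges and RestrictSUIDSGID. Switching it off
# silently drops all of them, so the ones that do not depend on the unit's
# writable paths are set again explicitly.
systemd.services.vikunja.serviceConfig = {
  DynamicUser = lib.mkForce false;
  User = user;
  Group = user;

  # Sandboxing that DynamicUser used to provide implicitly.
  NoNewPrivileges = true;
  PrivateTmp = true;
  RemoveIPC = true;
  RestrictSUIDSGID = true;
  # NOTE(review): ProtectSystem = "strict" and ProtectHome = "read-only" were
  # implied as well. Re-add them once it is confirmed that /var/lib/vikunja is
  # a StateDirectory (or listed in ReadWritePaths) of this unit.
};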
}