feat(compute01): Deploy outline on docs.dgnum.eu

hive.nix

@@ -20,6 +20,9 @@ let
     # Set NIX_PATH to the patched version of nixpkgs
     nix.nixPath = [ "nixpkgs=${mkNixpkgs node}" ];
 
+    # Allow unfree packages
+    nixpkgs.config.allowUnfree = true;
+
     # Use the stateVersion declared in the metadata
     system = { inherit (metadata.nodes.${node}) stateVersion; };
   };

machines/compute01/_configuration.nix

@@ -17,6 +17,7 @@ let
     "kanidm"
     "mastodon"
     "nextcloud"
+    "outline"
   ];
 in
 

machines/compute01/outline.nix

@@ -0,0 +1,64 @@
+{ config, lib, dgn-lib, ... }:
+
+let
+  inherit (dgn-lib) setDefault;
+
+  host = "docs.dgnum.eu";
+in {
+  services.outline = {
+    enable = true;
+
+    storage = {
+      region = "garage";
+      uploadBucketUrl = "https://s3.dgnum.eu";
+
+      uploadBucketName = "outline-dgnum";
+      accessKey = "GKb3aa6f6d6627204e8e53729c";
+      secretKeyFile = config.age.secrets."outline-storage_secret_key_file".path;
+    };
+
+    smtp = {
+      username = "web-services@infra.dgnum.eu";
+      port = 465;
+      host = "kurisu.lahfa.xyz";
+
+      fromEmail = "docs@infra.dgnum.eu";
+      replyEmail = "web-services@infra.dgnum.eu";
+      passwordFile = config.age.secrets."outline-smtp_password_file".path;
+    };
+
+    redisUrl = "local";
+    publicUrl = "https://${host}";
+
+    oidcAuthentication = {
+      clientId = "outline_dgn";
+      authUrl = "https://sso.dgnum.eu/ui/oauth2";
+      tokenUrl = "https://sso.dgnum.eu/oauth2/token";
+      userinfoUrl = "https://sso.dgnum.eu/oauth2/openid/outline_dgn/userinfo";
+      displayName = "DGNum SSO";
+
+      clientSecretFile =
+        config.age.secrets."outline-oidc_client_secret_file".path;
+    };
+
+    defaultLanguage = "fr_FR";
+
+    forceHttps = false;
+    port = 3003;
+  };
+
+  services.nginx.virtualHosts.${host} = {
+    enableACME = true;
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "http://localhost:3003";
+      proxyWebsockets = true;
+    };
+  };
+
+  dgn-secrets.options = [
+    (setDefault { owner = "outline"; }
+      (builtins.filter (lib.hasPrefix "outline-") config.dgn-secrets.names))
+  ];
+}

machines/compute01/secrets/outline-oidc_client_secret_file

@@ -0,0 +1,24 @@
+age-encryption.org/v1
+-> ssh-ed25519 tDqJRg AVv0vGbKDOtg9/9hCgShq3DA28lTB6kHp0k8ge4Hf3Q
+Nr7eHDfrbddYDbW8Zcn+Hv6hvci+gmynz0OdpOjNprw
+-> ssh-ed25519 jIXfPA IsQ5TtcSdQ25SbsQsXAnRliu9T9l7+7H7tcZk2AgkEc
++SdK5KiGdPo2LLGmJhOVG2du1/c4GpuHpu7SSYz2+Yw
+-> ssh-ed25519 QlRB9Q YeFY9jbPOxks4KhHneQFYZY/0/QVB30YXwgQTfTL6yY
+AadG1HEfSj8koG2IVJ75KtJ8QQgEidA66jsKVQiNAA4
+-> ssh-ed25519 r+nK/Q 73waGcipRsP0v3TmOrvp0jDUpi2lcmMf81JITiu/BUQ
+d7wqTZxfZK1n5LetGyYTdfqcJsYJHa2IP6rBAftFUdk
+-> ssh-rsa krWCLQ
+dtcNdYyCEu+yOwZHmkx6VoZzF4RvbSVmt+OtfJaQKetA423II1/O2lrMGJKwRJaB
+9RtoHO96wGn2DyuVE79G2XuW7eos6ama1kCv9vDhcNaw6vV2cjZvBZrIp3HtxvGO
+R5m8xZ+u/qS65FIss6CLaomzRY8qaYYs3ZO4UGcSHpYRUmjfTiOhVa83dp3m6llJ
+kcSLn9ZtAFiSeFgql+i0ao8PhXYy5GBG8GOzuB54kbUMkZEJQ2O5TKj9bQGecC6t
+oQeyxfFqGkIRiX51J6CfkIu7rL2XcIABXdPQm+ficujgtH0rutgvXsTddd/+DFii
+3PsWwdae/m/oOPPF641ktg
+-> ssh-ed25519 /vwQcQ Z0a+s0N/S/jk/ckgQV7NomgjbGV1icNt/WmsxPfUlHo
+qJBzJoHKzemuzNRLpN7MlFPuCLWsYLX2RRMpgxdVszE
+-> ssh-ed25519 0R97PA MlwV6Zwq6cUcnGi7pyPp9KIsVqPMarkx4ftpmAk7bmE
+XlwfjAZKk4Kp+g1YE4Yf4LEe1XdKlR+xbWsMKvpNi+M
+-> XxeEZ--grease mz
+p7B8S8a07ZJXiLBPUXY87J9kog8Yk3Exuj7hoSiHIHHxw8y7JIU7wMYJ
+--- Pc3pgxkLnwGdDkVaOeONDkI0/kO1Dt09XP65yaw0iAE
+ÞÆ<EFBFBD>…£e‹‡.F|1Rz‚×ÔE´Ç¬"ÅÄ;ø¥qÊÿpʸ£s¯h <20>îL¤sìøÀŠquT_p´ì;\ÍÖÁø6õó@~ã;}o

machines/compute01/secrets/outline-smtp_password_file

@@ -0,0 +1,25 @@
+age-encryption.org/v1
+-> ssh-ed25519 tDqJRg 9WAIktIsZEHMOXYl1e/aZnZv7eeOJ++hMu0x4//qDAI
+ymJfRtQmnzEfJbsK+KSePeV/DFDH+32doemzLMFOJWc
+-> ssh-ed25519 jIXfPA IBvTDhdX55RTpnqcOkHvr2XBe6EBs1EX3OfFCRjYMCI
+kIzzu8FG9e6tRljWPONAaMSSvMLKl/W6IEDOyFF7OkM
+-> ssh-ed25519 QlRB9Q n6qVc0/3t0Tl+jHCJlwaCwA/8vLG9iHqWYIhubxB8WA
+eoi6bqgfXPDmxxz6wBjJYZQgLb65NHseMkzE16J2yuo
+-> ssh-ed25519 r+nK/Q hwhs4tVIi1V34yHbpNsos+xDE+ExwdT06mn7VHS7KHE
+BLf1uJmHF1aA0EH0ACjvVZiTh9u1sgVw6uyWgX5ipKU
+-> ssh-rsa krWCLQ
+rqv74qhjmZUvQHXb0Qn1o2Q/vAqH3DoamBH5y7L0KiE6iUPy2AuBqcPf6mCq8xIe
+J/rIY1YpzIbXAbvgEPpXcAsvFDTa9u7w/PNAxTsWnFRnxQGGZ8rFJuovjGpwrMtN
+b7pluBg0AReaIHRrZ0NfBBuq+oBpa2szMMs5M7K6XuCmZiA5om6AeGD8xO/hEyK7
+wSASRjVPoEq9US6rzVQ1/HF7VGtAUm0pwa5BSdcQSt8Wetk2VHWOk/affzViRQMY
+Qa0RO08NjC8bipoKslAfOgQBG0Qkz4W30qo/TM/aXQD0LFVzO8xNGZ+fsMlZHVDd
+8fUmdr6YdedeM6sK1lSbmQ
+-> ssh-ed25519 /vwQcQ IIHpbKYRwc4l17JTSnlC27uOW9BCPpct6e4t9c6Gm1w
+r1YpYRzp9oKzB7K7TfSjVJ5/u8MgQUsBCwX33eufk8c
+-> ssh-ed25519 0R97PA qKxNGLm68wijV0MVwPDgHfEBS1QrjaPbCUAzyXDzTD8
+xTd7eSGhUTTg8DNZvXlXVJn9qR4QNTWAEZEpvZtp8eQ
+-> F3[qO-grease >
++nxdwvSJfb2jUmfvHo4NdrF5zMKs/7UKDdfdR/Nq0ixKldOc38t/fsQT/nO7Sc0X
+YUfcwPlm0A
+--- XFCl0I2MfdkSIPZn+qYuUbrrYT4hFyS+J9oIcDOpCog
+‰âÓ‹¦rPŽþÜuìϖч܉„CšZÜGÕÁñ¯62«\g'½oï$ŠcÔšî«Þ{Ïô
c‡½©âÙ

machines/compute01/secrets/outline-storage_secret_key_file

@@ -0,0 +1,25 @@
+age-encryption.org/v1
+-> ssh-ed25519 tDqJRg 5j5AMbEgiJVrZPe/1cKw5pRZAq7Q5cDPYYiGq1P14zo
+CqKy45yH2agjoiVrNq12gHTrMtAIYfQpczGAAIAQKz4
+-> ssh-ed25519 jIXfPA E/2hcFg1L2QOwi0KiImfQr2PyXlSGEaThjXbduZ3tVM
+de9WpiLuu6vLvXUBEPytKYEtlGRPLCR/xZ21zUuJ6M4
+-> ssh-ed25519 QlRB9Q v5bKs2O+wI9S7OWUdQxZ5NFrHqoCY5TOktzcEow5ykE
+TCv3AZHETGED0mHm+VSZpCounNYmYjOF3CpnwWkOvzA
+-> ssh-ed25519 r+nK/Q ST1yzmBl2GPU4gOPnOP1k/JsE6mlmPgY8I4SVI8BlG4
+CLFXWyY1dDFW67fpOghefAyGFTWsKPe4WrbpyIWgl7c
+-> ssh-rsa krWCLQ
+DymuVdMYvmXesAgXxIguJ69qZt2FbejjM51zsdtMP2Si6KN66+iWDqxs/TqqoGt2
+MOTm0sZsKhCR5UtWTDtCnpSgxgIDkyjQGn6hYWLISWkXrxwqu98bzUzsEojoftns
+4vFmMTaAgj/thebGX/0aVlw3AoXLjk/noe+vV6MzdS+MEn2cMK3ptYl8o03SJE48
+Pd+kCCHE0ZTw4A6cu8kAdIcfLD504+rv7UMyF+N51awc4U/wNb0e//NyqTCwu8lu
+NUmpijmihbmg0Jfzygpb/AOmPd7tWZ6edlMKMTgqcmRUGlBy255vo/1aJ4013wES
+oVrLuKxFhFFa/MltC25Fag
+-> ssh-ed25519 /vwQcQ fVeNhIbP0fJhEjP6+D1V3hzbu4O0Qphu8m3NbM6sLw0
+FkOkl8VouaA6aPpKo3N0sOrRfFUOno4Dss6wQ29HbIk
+-> ssh-ed25519 0R97PA CQPcshNi8+1UXyIfobDdOgds2DhmW7AqGVtgc89B6GY
+RaB00hjXE5YJYPNcc/vDKPDb61YmZOF6ag/dPHfCcAo
+-> N%i-grease I% : c'3
+Cnk2LzKDFMF2kDPHleKJTtY2NoC0nOIA4fUoe5NLhiJRqaWJWV0tYFIxzSu68TWb
+nnB01VeEeyYYdz/LK3SakmI7D7OI40SS
+--- 3GObimibJjJjx0ML8Dg29fcgI1AFdvi4tpEQwkHyKBA
+Ôi¯Ì¸Z=£haC6Àêw"¯ÃlÕG|­‰š6ž§:×?‚#bxM}šê;’µ±<C2B5>™Íòä%ˆíEY/œ6J=ÄD¨ˆÕi‡ðrLþ¼; ¦8³¸Xhl¾ÁäpK

machines/compute01/secrets/secrets.nix

@@ -8,4 +8,7 @@ lib.setDefault { inherit publicKeys; } [
   "mastodon-extra_env_file"
   "nextcloud-adminpass_file"
   "nextcloud-s3_secret_file"
+  "outline-oidc_client_secret_file"
+  "outline-smtp_password_file"
+  "outline-storage_secret_key_file"
 ]

patches/default.nix

@@ -63,7 +63,32 @@
     # garage: add environmentFile
     {
       id = 257043;
-      hash = "sha256-etzGZRFgFZra5KmL2pUQnIFBFiAudePDmNTVA4VDiBs=";
+      hash = "sha256-Z+WmDPuDoV1Ex+XzvUhvMPn8U+aw0tCRH3O5oR2qQrM=";
+    }
+
+    # outline: 0.68.1 -> 0.69.2
+    {
+      id = 232235;
+      hash = "sha256-f+upHsuuYyLqd9Wv+9JHhB3HnP+mXWer6L/xi5eFpwE=";
+    }
+
+    # outline: 0.69.2 -> 0.70.2
+    {
+      id = 241667;
+      excludes = [ "nixos/doc/manual/*" ];
+      hash = "sha256-9bOjwaXN/4/ASpNfyhaby+nuIz23gDLDIqgTdApdj1U=";
+    }
+
+    # outline 0.70.2 -> 0.71.0
+    {
+      id = 252126;
+      hash = "sha256-lH8xp5zG2fAaXS2gLF7UxqvuPlAigJ297hvlks0CG/U=";
+    }
+
+    # outline: use fetchYarnDeps
+    {
+      id = 253567;
+      hash = "sha256-aR62vOuTfmJ7MIr3plDcBonQQH2+o2F6z/LAAgcKVHU=";
     }
   ];
 }