feat(compute01): Deploy zammad on support.dgnum.eu

Also remove the firewall config as it is now centralized.

machines/compute01/_configuration.nix

@@ -9,6 +9,7 @@ let
   # List of modules to enable
   enabledModules = [
     "dgn-dns"
+    "dgn-web"
   ];
 
   # List of services to enable
@@ -19,6 +20,7 @@ let
     "nextcloud"
     "outline"
     "satosa"
+    "zammad"
   ];
 in
 

machines/compute01/nextcloud.nix

@@ -75,6 +75,4 @@ in {
     (setDefault { owner = "nextcloud"; }
       (builtins.filter (lib.hasPrefix "nextcloud-") config.dgn-secrets.names))
   ];
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }

machines/compute01/secrets/secrets.nix

@@ -12,4 +12,5 @@ lib.setDefault { inherit publicKeys; } [
   "outline-smtp_password_file"
   "outline-storage_secret_key_file"
   "satosa-env_file"
+  "zammad-secret_key_base_file"
 ]

machines/compute01/secrets/zammad-secret_key_base_file

@@ -0,0 +1,25 @@
+age-encryption.org/v1
+-> ssh-ed25519 tDqJRg Or0mrhIqaAIwF/XmRaMiih1LE/HbEXeQ1qQOxbQuRjk
+E/OXPSPDDzco0duh8nFK/CvUkR7ioR+H5KELzhA0OIM
+-> ssh-ed25519 jIXfPA 3CXEUG3fOwAtbFRY2Y6Sio3OPoW2ZMbrsj4IhK6lTBU
+pFJkPT10zAjGOHcjSI+zaCC5+7iN9B3Kv3AVOGuHzP4
+-> ssh-ed25519 QlRB9Q vXOLgEZmDL520H6DJ6YJT35K3g38MQyQ/Q37dF6rHm4
+8OGw8zjxABTHhK3Krt1Ut1ZtOYTv+Vquztt7KbBfu5E
+-> ssh-ed25519 r+nK/Q kXCb4Vr9GP3MuccFL6KuFWc9ka92IsjWKZ8loefAZyU
+ZB+fJjHtLmxeNTE3/kE7wVyYEfYPgJZteCPPGuUQnwg
+-> ssh-rsa krWCLQ
+Lw17n86Jq9JAzXvbNBK1kxhdVsy24pVJw9t8X6tImcvroeT+NZ6TWLcF9CpqaUTI
+Fzrs495PSsqk5olsJ5inAiz3Zq9KMs/XXB3po67yGuU50XANdp6aTCNZS0ml+ggz
+ezPUmDmf/m33HTjzr09vltJxHEeLXhEJfeswmpRa1331C1FJKoj6pNXrVK+/wRvl
+sQQb099AD1rnPCRaBW8CCV6ZUso+HjxctIdoKk+GA9vjmmoF+3nmNlXNJvqNSGqx
+L2igVyd822TYl25wqSORW13SFBSBKhtX+Lt7dW65YPi3mhCQzZEJwxXOqIdSiFOT
++ibjMthYgIvZYEFVn3xEDA
+-> ssh-ed25519 /vwQcQ JJMXvRIpMy4xFJK/gOPyTsbYEyFYTTrDT6/MfJeFTxs
+KaKjsbYVHD6Oi+ItalcICsZiStAGnLsyqtK0jMl+hvE
+-> ssh-ed25519 0R97PA yj/QsFvoB7Cr+vOkbuiDcghD42bkLQSavPhB3kx7xQk
+3NRXzr/AyaNcZhUNPeRWxfxqYlzcWdfYG4JjpdIhYTc
+-> /g1|-R-grease '4R5VG( J`dDW io
+quE
+--- 8JHXRRriy7D5w8b6CAcgkEegK+24ZLR44oo0TArL0/Y
+¡×È_®údð‡„OksΩ—á<E28094>à,çLÝ>”ˆ¸"û,$‘Ô¬bò©jþ[Fº©ñ}3ƒVmˆX³zZÕsËIôbëJK¡C“<43>ràÑ–ÔiÚˆ/€Æ÷»¿ z8kŸQ¥µµátäuãdÆ—ýîÞæq©üœü7IZoÖùq|x-ýÛù~
+Ð’¬x>ª<5À5“qêÑ­D÷õÝMµE

machines/compute01/zammad.nix

@@ -0,0 +1,55 @@
+{ config, ... }:
+
+let
+  host = "support.dgnum.eu";
+
+  port = 3005;
+  websocketPort = 6902;
+in {
+  services.zammad = {
+    enable = true;
+
+    inherit port websocketPort;
+
+    host = "127.0.0.1";
+
+    secretKeyBaseFile = config.age.secrets."zammad-secret_key_base_file".path;
+  };
+
+  services.nginx = {
+    enable = true;
+
+    virtualHosts.${host} = {
+      enableACME = true;
+      forceSSL = true;
+
+      root = "/var/lib/zammad/public";
+
+      locations = {
+        "/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
+
+        "/ws" = {
+          proxyPass = "http://127.0.0.1:${builtins.toString websocketPort}";
+          proxyWebsockets = true;
+        };
+
+        "/cable" = {
+          proxyPass = "http://127.0.0.1:${builtins.toString port}";
+          proxyWebsockets = true;
+        };
+
+        "~ ^/(assets/|robots.txt|humans.txt|favicon.ico|apple-touch-icon.png)".extraConfig =
+          ''
+            expires max;
+          '';
+      };
+
+      extraConfig = ''
+        server_tokens off;
+        client_max_body_size 50M;
+      '';
+    };
+  };
+
+  dgn-secrets.options = [{ zammad-secret_key_base_file.owner = "zammad"; }];
+}

machines/storage01/_configuration.nix

@@ -8,6 +8,7 @@ let
 
   # List of modules to enable
   enabledModules = [
+    "dgn-web"
   ];
 
   # List of services to enable

machines/storage01/forgejo.nix

@@ -94,6 +94,4 @@ in {
     (setDefault { owner = "git"; }
       (builtins.filter (lib.hasPrefix "forgejo-") config.dgn-secrets.names))
   ];
-
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }

machines/web01/_configuration.nix

@@ -8,6 +8,7 @@ let
 
   # List of modules to enable
   enabledModules = [
+    "dgn-web"
   ];
 
   # List of services to enable

machines/web01/metis/default.nix

@@ -25,6 +25,10 @@ let
           }/remote.php/dav/public-calendars/;
         '';
       }) providers;
+
+    extraConfig = ''
+      rewrite ^/calendrier(.*)$ $1 permanent;
+    '';
   };
 
 in {

machines/web01/plausible.nix

@@ -52,8 +52,4 @@ in
       };
     };
   };
-
-  # dgn-secrets.options."_smtp-password-file".owner = "plausible";
-  #
-  networking.firewall.allowedTCPPorts = [ 80 443 ];
 }

modules/default.nix

@@ -43,6 +43,7 @@
     "dgn-network"
     "dgn-secrets"
     "dgn-ssh"
+    "dgn-web"
   ]) ++ [
     "${sources.agenix}/modules/age.nix"
     "${sources.attic}/nixos/atticd.nix"

modules/dgn-web.nix

@@ -0,0 +1,26 @@
+{ config, lib, ... }:
+
+let
+  inherit (lib) mkEnableOption mkIf;
+
+  cfg = config.dgn-web;
+in {
+  options.dgn-web = {
+    enable = mkEnableOption "sane defaults for web services.";
+  };
+
+  config = mkIf cfg.enable {
+    services.nginx = {
+      enable = true;
+
+      recommendedBrotliSettings = true;
+      recommendedGzipSettings = true;
+      recommendedOptimisation = true;
+      recommendedProxySettings = true;
+      recommendedTlsSettings = true;
+      recommendedZstdSettings = true;
+    };
+
+    networking.firewall.allowedTCPPorts = [ 80 443 ];
+  };
+}