lab-infra/machines/docs01/docs.nix
soyouzpanda 9871d8c0db
feat: init docs01
2025-04-22 10:09:28 +02:00


# NixOS module for the docs01 machine: enables the `docs` service for
# docs.lab.dgnum.eu behind nginx with ACME-issued TLS, and points it at the
# OIDC provider and S3 endpoint configured below.
{
  sources,
  config,
  ...
}:
let
  domain = "docs.lab.dgnum.eu";

  # Path of an age-managed secret file. Only the path is handed to the service
  # options below; the secret value itself never appears in this file.
  secretPath = name: config.age.secrets.${name}.path;

  # Ownership applied to every secret declared in this module.
  # NOTE(review): presumably the `docs` user is created by the imported docs
  # module and is the account the service runs as; confirm, and confirm the
  # decrypted files stay readable by the owner only.
  ownedByDocs = {
    owner = "docs";
  };
in
{
  imports = [ "${sources.docs}/nix/module.nix" ];

  nixpkgs.overlays = [
    (import "${sources.docs}/nix/overlay.nix")

    # Build docs-frontend from a pinned upstream commit. `rev` and `hash` must
    # be bumped together: the fetch is content-addressed by `hash`, so leaving
    # the old hash in place can silently reuse the previously fetched tree
    # even though `rev` changed.
    (final: prev: {
      docs-frontend = prev.docs-frontend.overrideAttrs {
        src = final.fetchFromGitHub {
          owner = "suitenumerique";
          repo = "docs";
          rev = "d150e4d7b8d3d37c8a0915a5c235706782e56949";
          hash = "sha256-NniYe0wwxgh4biAWFGKEw8DQFq3ztxZkteJNwEyH2sI=";
        };
      };
    })
  ];

  # This file opens only the two web ports. Port 80 stays reachable for the
  # HTTP -> HTTPS redirect that forceSSL sets up.
  # NOTE(review): ACME validation presumably also relies on port 80; confirm
  # before closing it.
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  services = {
    # TLS certificate via ACME, plain HTTP redirected to HTTPS.
    nginx.virtualHosts.${domain} = {
      enableACME = true;
      forceSSL = true;
    };

    docs = {
      enable = true;
      enableNginx = true;
      inherit domain;

      # PostgreSQL/Redis are provisioned on this machine rather than remotely.
      database.createLocally = true;
      redis.createLocally = true;

      # Credentials are always passed as file paths (the *Path options), never
      # as literal values.
      secretKeyPath = secretPath "docs-key";
      oidc.clientSecretPath = secretPath "docs-oidc_secret_key";

      s3 = {
        url = "https://s3.dgnum.eu";
        accessKeyIDPath = secretPath "docs-s3_app_key";
        secretAccessKeyPath = secretPath "docs-s3_secret_key";
      };

      collaborationServer = {
        serverSecretPath = secretPath "docs-collaboration_key";
        yproviderApiKeyPath = secretPath "docs-yprovider_key";

        config = {
          COLLABORATION_SERVER_ORIGIN = "https://${domain}";
        };
      };

      # Plain, non-secret settings.
      # NOTE(review): these values are presumably rendered into the service
      # environment and may be readable from the Nix store; keep credentials
      # in the *Path options above, never here.
      config = {
        # Host header allow-list: loopback names plus the public domain.
        DJANGO_ALLOWED_HOSTS = "127.0.0.1,localhost,${domain}";

        # OIDC relying-party settings. Every provider endpoint is HTTPS on
        # sso.dgnum.eu and the signing algorithm is pinned to ES256.
        OIDC_OP_JWKS_ENDPOINT = "https://sso.dgnum.eu/oauth2/openid/dgn_docs/public_key.jwk";
        OIDC_OP_AUTHORIZATION_ENDPOINT = "https://sso.dgnum.eu/ui/oauth2";
        OIDC_OP_TOKEN_ENDPOINT = "https://sso.dgnum.eu/oauth2/token";
        OIDC_OP_USER_ENDPOINT = "https://sso.dgnum.eu/oauth2/openid/dgn_docs/userinfo";
        OIDC_RP_CLIENT_ID = "dgn_docs";
        OIDC_RP_SIGN_ALGO = "ES256";
        OIDC_RP_SCOPES = "openid email profile";

        # Post-login/logout redirect targets are fixed to this deployment's
        # own origin.
        LOGIN_REDIRECT_URL = "https://${domain}";
        LOGIN_REDIRECT_URL_FAILURE = "https://${domain}";
        LOGOUT_REDIRECT_URL = "https://${domain}";
        LOGIN_URL = "https://sso.dgnum.eu";

        # Same endpoint as `s3.url` above; change both together.
        AWS_S3_ENDPOINT_URL = "https://s3.dgnum.eu";
        AWS_STORAGE_BUCKET_NAME = "docs";
        MEDIA_BASE_URL = "https://${domain}";
      };
    };
  };

  # One entry per secret referenced through secretPath above; a secret that is
  # read by the service but missing here would not get `docs` ownership from
  # this module.
  age.secrets = {
    "docs-s3_app_key" = ownedByDocs;
    "docs-s3_secret_key" = ownedByDocs;
    "docs-oidc_secret_key" = ownedByDocs;
    "docs-collaboration_key" = ownedByDocs;
    "docs-yprovider_key" = ownedByDocs;
    "docs-key" = ownedByDocs;
  };
}