public-cof: deploy completely Outline and Garage

machines/public-cof/configuration.nix

@@ -11,6 +11,7 @@
       ./monitoring.nix
       ./garage.nix
       ./nextcloud.nix
+      ./outline.nix
       ./minecraft.nix
       # ./rstudio-server
       ./nur.nix
@@ -27,6 +28,7 @@
   nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [
     "minecraft-server"
     "factorio-headless"
+    "outline"
   ];
 
   boot.loader.systemd-boot.enable = true;

machines/public-cof/garage.nix

@@ -1,5 +1,25 @@
 { pkgs, ... }:
 {
+  security.acme.certs."cdn.rz.ens.wtf" = {
+    dnsProvider = "acme-dns";
+    credentialsFile = pkgs.writeText "acme-dns-env" ''
+      ACME_DNS_API_BASE=https://acme.rz.ens.wtf
+      ACME_DNS_STORAGE_PATH=/var/lib/acme/lego-acme-dns-accounts.json
+    '';
+    extraDomainNames = [ "*.cdn.rz.ens.wtf" ];
+    group = "nginx";
+  };
+  services.nginx.virtualHosts."s3.rz.ens.wtf" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://[::1]:3900";
+  };
+  services.nginx.virtualHosts."cdn.rz.ens.wtf" = {
+    serverAliases = [ "*.cdn.rz.ens.wtf" ];
+    useACMEHost = "cdn.rz.ens.wtf";
+    forceSSL = true;
+    locations."/".proxyPass = "http://[::1]:3902";
+  };
   services.garage = {
     enable = true;
     settings = {

machines/public-cof/outline.nix

@@ -0,0 +1,31 @@
+{ pkgs, lib, config, ... }:
+{
+  services.nginx.virtualHosts."notion.rz.ens.wtf" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://localhost:3000";
+      proxyWebsockets = true;
+    };
+  };
+  services.outline = {
+    enable = true;
+    publicUrl = "https://notion.rz.ens.wtf";
+    defaultLanguage = "fr_FR";
+    storage = {
+      accessKey = "GK8b32d276b2eafb999a53188a";
+      secretKeyFile = config.age.secrets.outlineS3Secrets.path;
+      uploadBucketUrl = "https://s3.rz.ens.wtf";
+      uploadBucketName = "outline";
+      region = "ens";
+    };
+    oidcAuthentication = {
+      userinfoUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/userinfo";
+      tokenUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/token";
+      authUrl = "https://auth.rz.ens.wtf/auth/realms/ClubReseau/protocol/openid-connect/auth";
+      clientSecretFile = config.age.secrets.outline-oidc-client-secret.path;
+      displayName = "Club réseau";
+      clientId = "outline";
+    };
+  };
+}

machines/public-cof/secrets/default.nix

@@ -16,4 +16,16 @@
     group = "kanboard";
     file = ./kanboard-secrets.age;
   };
+
+  age.secrets.outlineS3Secrets = {
+    owner = "outline";
+    group = "outline";
+    file = ./outlineS3Secrets.age;
+  };
+
+  age.secrets.outline-oidc-client-secret = {
+    owner = "outline";
+    group = "outline";
+    file = ./outline-oidc-client-secret.age;
+  };
 }

machines/public-cof/secrets/outline-oidc-client-secret.age

@@ -0,0 +1,26 @@
+age-encryption.org/v1
+-> ssh-rsa krWCLQ
+HeTVcJxU2zRewuzQVknnxAYjlCU8+GJjBz9joGPo2j934uiM3A6PBsFmoz6I1ZfJ
+pg68benaKfV+VI1sN8fMDWoEO0QrFzHYULXT9JCyQTClUzUZSlMpzmDgCmHjLPEc
+qB23sbwKzgyFO9SKHsPvOqxZrEyTwAKiNYa33QuSyRxN3S4/9PxVjgJTTqLbTVqf
+hhnujxviU3iHV2ACqLAV5jYSbAleiAh53vnBc0k326vXbrumQqFvQtgwcqDn4vDR
+2QYzEwsj+yV9BlRrGSBZSnoHZjWtsE/ntrEaIZiItT3Ots1CCVswd7LGb3LspYbf
+NheRvY7zUXppGiB0+mjZJg
+-> ssh-ed25519 85WiGg tGvDzYdpKP8lql3murRlp95w7jQUhhuodIgVxDk4Lgs
+aVV4b71w/nU3nBaYKdzzYjXVaxgN2EpyQiKsjO33GcI
+-> ssh-ed25519 reTIKw LJJF7K8fRsSoAFDyndWP9nA5FV4w7cWSqUgGnvdB42I
+wI22cL/GuyVou1robDUHzNMfCR7L6NA4UWFSeV73d88
+-> ssh-ed25519 /vwQcQ KZQSME50r4yrnyFfH6nwbmCn0UmVUMIBhhfqoicrKVY
+xDdBu7/K8ZxGT2BnffAR8UsQIAVlLpSfEvo1m4k87ng
+-> ssh-ed25519 cvTB5g HjLQQhFwEekFYHV5sko/x8RwcAsgvl/cCoKakX4B6yE
+Ub5TWpDPYA3DSwfRT2hmgPcwoMIhsOhgdhckFuZxQ8s
+-> ssh-ed25519 Wu8JLQ L0bnDPmv3Chemi/BKhux9GYXDMMLUjO6H8MQe1REpBA
+qtN6IH8M8kLYAQ8a64kYCCaAPhg6VjrojTONdY4MVyA
+-> ssh-ed25519 xbfJnw 94xx8KL0EWqs3HIsdY9RFvC6aRsk7cemZxciLIkVCDM
+WZnyqSwpCBA8GNnu6VEJSLIRtv8rzOpGFH6e387ohpQ
+-> TS-grease
+D32P8/tpegDSy/xsspwpuq8EVqwDyZUzJF2Ose+3cqHAx8db4DPWnmt4z4Ch5bXw
+KtmO+2eEYTmPyYUZxI+uzr93CQhVq7aFlch6cWLEaqg
+--- 6kPR6tdczt01UaY4ps38dncSMFCupa9uZmSWBjm85ps
+<18>LnŸÖ4¦K¬z>­Ê(³Ù†°=f¼õ´ˆÊ·œ®PG<50>Þ<hÒçº×ø±uÓÖV’³Ø#–¸P
+ÑÑ&¶
qý

machines/public-cof/secrets/outlineS3Secrets.age

@@ -0,0 +1,25 @@
+age-encryption.org/v1
+-> ssh-rsa krWCLQ
+nxiY5l98JhWEwLYN7sWtsgN4faDTIpgo1fiPScxXB8/ljnxIyd1vhMVRt0WCTOQV
+CFTQ9MOoTAk90Zj4wjxDjoJjjsXLUBVnjqLdQy76kgR5vAvVrHzuYTYO4Y4k0/qh
+S6BEFN655P0n4Gxf9kJtKxi3ipN6B46ydACAjFeyeuOPMkMdBBZq1BOLPEOC9I+O
+87p+8BdL+zxkYfaWfEggYgabrE7y91EjiB1VCuT0GFm8T8iBojvThxWQlHQAybBc
+gvgTlyGf8YmY82uGhGQR39okrA914mJUkr11JZ9457qL+/t5Au/dha1x6QlwcUoz
+Tp5OQJAfXZc02LsICq2I7A
+-> ssh-ed25519 85WiGg c6vyT96h0eVL+xZpR0Zk06l5ApUsqENY9ESeYuOG0zY
+dJbQVgH41Ti/AM7WAlXCCA501h8wgx2os5yiZt+jxp8
+-> ssh-ed25519 reTIKw rVhKDqm51EMuOQnTcsdWmqoBDI/LLnFpkJW93EfcdB0
+AAOEQp0tux1vJ0bPIcB1HtLodig/J4poeu6j/Hk8KiA
+-> ssh-ed25519 /vwQcQ jGLr83VDSxYd3v42ECOiTpSTDRB5TVSqx3QHRbMgfEk
+k2hBCGntsqP0czKV2JvMbf8lAqpjVvnJqSxfdr00A7w
+-> ssh-ed25519 cvTB5g BqVT8ytcjINNKrGAtttAtxRMpLs4LJg1Uy3zvDxTvwk
+DRDEl+CNZnuT+KE1txjHgaWIYmiSeUTsesnXYq89YNQ
+-> ssh-ed25519 Wu8JLQ 731ytp+gu36OvH0QbkeDUwMHj3J4u0JujJnfTUQ2C1A
+KPGEKLoV9K1PPdIyla5D1lsmhRt/XUHLrCTeApbqR6c
+-> ssh-ed25519 xbfJnw Ojf4cuctALx+Q/qWqSarRcnxvwrHjbAK5r4pnhKUzmo
+WHp4Op3N3SeniWS7XhPmvRkTyjDIPDBBGviDaiCNbOc
+-> 3P-h|3ru-grease
+5icFsPwzKpnImSlgICy/wDq6YJLTcIML3EoDUOgvGOFSs+efH4bWExmd2ktGtqYd
+ewEKHYlnpIFNTMtlRs7U7sR3qnLHadq3McnhR/8OlQ
+--- iwVp/AYpQfFOIg/OI85nNTgdY/HKlEsCHWiBO0lOtJg
+Z=eBÒbÀ£›â[3‹$”Ôk‘â„
(õ®²2Èöx%0ž—£+18T•,;ÅÛóFÕ¬"EÏKe³•¶óÃZø*’Òè$}ýœCp Ão9æ+À¡‡›|CJ’¹-¼

machines/public-cof/secrets/secrets.nix

@@ -10,5 +10,7 @@ in
     "nextcloudAdminPasswordFile.age".publicKeys = superadmins ++ systems;
     "nextcloudDatabasePasswordFile.age".publicKeys = superadmins ++ systems;
     "kanboard-secrets.age".publicKeys = superadmins ++ systems;
+    "outlineS3Secrets.age".publicKeys = superadmins ++ systems;
+    "outline-oidc-client-secret.age".publicKeys = superadmins ++ systems;
   }