From 4c5a9685db39c76362abcd9821b06075c07ecb8f Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Sun, 24 Sep 2023 15:47:29 +0200
Subject: [PATCH] feat(compute01): Deploy outline on docs.dgnum.eu
---
 hive.nix | 3 +
 machines/compute01/_configuration.nix | 1 +
 machines/compute01/outline.nix | 64 +++++++++++++++++++
 .../secrets/outline-oidc_client_secret_file | 24 +++++++
 .../secrets/outline-smtp_password_file | 25 ++++++++
 .../secrets/outline-storage_secret_key_file | 25 ++++++++
 machines/compute01/secrets/secrets.nix | 3 +
 patches/default.nix | 27 +++++++-
 8 files changed, 171 insertions(+), 1 deletion(-)
 create mode 100644 machines/compute01/outline.nix
 create mode 100644 machines/compute01/secrets/outline-oidc_client_secret_file
 create mode 100644 machines/compute01/secrets/outline-smtp_password_file
 create mode 100644 machines/compute01/secrets/outline-storage_secret_key_file
diff --git a/hive.nix b/hive.nix
index 699f6a4..e1ec5da 100644
--- a/hive.nix
+++ b/hive.nix
@@ -20,6 +20,9 @@ let
 # Set NIX_PATH to the patched version of nixpkgs nix.nixPath = [ "nixpkgs=${mkNixpkgs node}" ]; + # Allow unfree packages + nixpkgs.config.allowUnfree = true; + # Use the stateVersion declared in the metadata system = { inherit (metadata.nodes.${node}) stateVersion; }; };
diff --git a/machines/compute01/_configuration.nix b/machines/compute01/_configuration.nix
index f318fff..aa82b23 100644
--- a/machines/compute01/_configuration.nix
+++ b/machines/compute01/_configuration.nix
@@ -17,6 +17,7 @@ let
 "kanidm" "mastodon" "nextcloud" + "outline" ]; in
diff --git a/machines/compute01/outline.nix b/machines/compute01/outline.nix
new file mode 100644
index 0000000..68423c9
--- /dev/null
+++ b/machines/compute01/outline.nix
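Review bot: `nixpkgs.config.allowUnfree = true;` in the hive.nix hunk lifts the unfree restriction for every node built from this hive, while the commit only needs it for the outline package on compute01 (presumably the motivation, since neither the comment nor the commit message says). A narrower and self-documenting form is `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "outline" ];` (if `lib` is in scope there), or placing the setting in machines/compute01/outline.nix next to the service that needs it. Whichever is chosen, the comment should name the package that forced the policy change, e.g. `# outline is marked unfree in nixpkgs; allow it explicitly`. The `let` binding this hunk edits starts and ends outside the hunk.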
@@ -0,0 +1,64 @@
+{ config, lib, dgn-lib, ... }:
+
+let
+ inherit (dgn-lib) setDefault;
+
+ host = "docs.dgnum.eu";
+in {
+ services.outline = {
+ enable = true;
+
+ storage = {
+ region = "garage";
+ uploadBucketUrl = "https://s3.dgnum.eu";
+
+ uploadBucketName = "outline-dgnum";
+ accessKey = "GKb3aa6f6d6627204e8e53729c";
+ secretKeyFile = config.age.secrets."outline-storage_secret_key_file".path;
+ };
+
+ smtp = {
+ username = "web-services@infra.dgnum.eu";
+ port = 465;
+ host = "kurisu.lahfa.xyz";
+
+ fromEmail = "docs@infra.dgnum.eu";
+ replyEmail = "web-services@infra.dgnum.eu";
+ passwordFile = config.age.secrets."outline-smtp_password_file".path;
+ };
+
+ redisUrl = "local";
+ publicUrl = "https://${host}";
+
+ oidcAuthentication = {
+ clientId = "outline_dgn";
+ authUrl = "https://sso.dgnum.eu/ui/oauth2";
+ tokenUrl = "https://sso.dgnum.eu/oauth2/token";
+ userinfoUrl = "https://sso.dgnum.eu/oauth2/openid/outline_dgn/userinfo";
+ displayName = "DGNum SSO";
+
+ clientSecretFile =
+ config.age.secrets."outline-oidc_client_secret_file".path;
+ };
+
+ defaultLanguage = "fr_FR";
+
+ forceHttps = false;
+ port = 3003;
+ };
+
+ services.nginx.virtualHosts.${host} = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://localhost:3003";
+ proxyWebsockets = true;
+ };
+ };
+
+ dgn-secrets.options = [
+ (setDefault { owner = "outline"; }
+ (builtins.filter (lib.hasPrefix "outline-") config.dgn-secrets.names))
+ ];
+}
diff --git a/machines/compute01/secrets/outline-oidc_client_secret_file b/machines/compute01/secrets/outline-oidc_client_secret_file
new file mode 100644
index 0000000..f7516e6
--- /dev/null
+++ b/machines/compute01/secrets/outline-oidc_client_secret_file
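Review bot: In the `smtp` block of outline.nix, `port = 465;` selects the implicit-TLS submission port but nothing sets the module's `smtp.secure` option (Outline's SMTP_SECURE), so the mail client is left to negotiate plaintext/STARTTLS against a TLS-only port and mail delivery is likely to fail, or the web-services credentials to travel without the protection 465 is meant to give; add `secure = true;` next to `port = 465;` (assuming the pinned NixOS module exposes that option — verify against the nixpkgs in use). The nginx `proxyPass = "http://localhost:3003";` repeats the literal that `port = 3003;` already fixes; `proxyPass = "http://localhost:${toString config.services.outline.port}";` keeps the two from drifting apart. `forceHttps = false;` is only acceptable because nginx terminates TLS with `forceSSL = true;` in front of it, and a comment such as `# TLS is terminated by nginx; publicUrl stays https` should state that dependency. The storage `accessKey` is committed in clear text; an S3 key id is not a secret on its own, but it is worth confirming this is deliberate alongside the age-encrypted secret key.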
@@ -0,0 +1,24 @@ +age-encryption.org/v1 +-> ssh-ed25519 tDqJRg AVv0vGbKDOtg9/9hCgShq3DA28lTB6kHp0k8ge4Hf3Q +Nr7eHDfrbddYDbW8Zcn+Hv6hvci+gmynz0OdpOjNprw +-> ssh-ed25519 jIXfPA IsQ5TtcSdQ25SbsQsXAnRliu9T9l7+7H7tcZk2AgkEc ++SdK5KiGdPo2LLGmJhOVG2du1/c4GpuHpu7SSYz2+Yw +-> ssh-ed25519 QlRB9Q YeFY9jbPOxks4KhHneQFYZY/0/QVB30YXwgQTfTL6yY +AadG1HEfSj8koG2IVJ75KtJ8QQgEidA66jsKVQiNAA4 +-> ssh-ed25519 r+nK/Q 73waGcipRsP0v3TmOrvp0jDUpi2lcmMf81JITiu/BUQ +d7wqTZxfZK1n5LetGyYTdfqcJsYJHa2IP6rBAftFUdk +-> ssh-rsa krWCLQ +dtcNdYyCEu+yOwZHmkx6VoZzF4RvbSVmt+OtfJaQKetA423II1/O2lrMGJKwRJaB +9RtoHO96wGn2DyuVE79G2XuW7eos6ama1kCv9vDhcNaw6vV2cjZvBZrIp3HtxvGO +R5m8xZ+u/qS65FIss6CLaomzRY8qaYYs3ZO4UGcSHpYRUmjfTiOhVa83dp3m6llJ +kcSLn9ZtAFiSeFgql+i0ao8PhXYy5GBG8GOzuB54kbUMkZEJQ2O5TKj9bQGecC6t +oQeyxfFqGkIRiX51J6CfkIu7rL2XcIABXdPQm+ficujgtH0rutgvXsTddd/+DFii +3PsWwdae/m/oOPPF641ktg +-> ssh-ed25519 /vwQcQ Z0a+s0N/S/jk/ckgQV7NomgjbGV1icNt/WmsxPfUlHo +qJBzJoHKzemuzNRLpN7MlFPuCLWsYLX2RRMpgxdVszE +-> ssh-ed25519 0R97PA MlwV6Zwq6cUcnGi7pyPp9KIsVqPMarkx4ftpmAk7bmE +XlwfjAZKk4Kp+g1YE4Yf4LEe1XdKlR+xbWsMKvpNi+M +-> XxeEZ--grease mz +p7B8S8a07ZJXiLBPUXY87J9kog8Yk3Exuj7hoSiHIHHxw8y7JIU7wMYJ +--- Pc3pgxkLnwGdDkVaOeONDkI0/kO1Dt09XP65yaw0iAE +Ɓe.F|1R zEǬ";q psh LsquT_p;\6@~;}o \ No newline at end of file diff --git a/machines/compute01/secrets/outline-smtp_password_file b/machines/compute01/secrets/outline-smtp_password_file new file mode 100644 index 0000000..59ee98a --- /dev/null +++ b/machines/compute01/secrets/outline-smtp_password_file 
@@ -0,0 +1,25 @@ +age-encryption.org/v1 +-> ssh-ed25519 tDqJRg 9WAIktIsZEHMOXYl1e/aZnZv7eeOJ++hMu0x4//qDAI +ymJfRtQmnzEfJbsK+KSePeV/DFDH+32doemzLMFOJWc +-> ssh-ed25519 jIXfPA IBvTDhdX55RTpnqcOkHvr2XBe6EBs1EX3OfFCRjYMCI +kIzzu8FG9e6tRljWPONAaMSSvMLKl/W6IEDOyFF7OkM +-> ssh-ed25519 QlRB9Q n6qVc0/3t0Tl+jHCJlwaCwA/8vLG9iHqWYIhubxB8WA +eoi6bqgfXPDmxxz6wBjJYZQgLb65NHseMkzE16J2yuo +-> ssh-ed25519 r+nK/Q hwhs4tVIi1V34yHbpNsos+xDE+ExwdT06mn7VHS7KHE +BLf1uJmHF1aA0EH0ACjvVZiTh9u1sgVw6uyWgX5ipKU +-> ssh-rsa krWCLQ +rqv74qhjmZUvQHXb0Qn1o2Q/vAqH3DoamBH5y7L0KiE6iUPy2AuBqcPf6mCq8xIe +J/rIY1YpzIbXAbvgEPpXcAsvFDTa9u7w/PNAxTsWnFRnxQGGZ8rFJuovjGpwrMtN +b7pluBg0AReaIHRrZ0NfBBuq+oBpa2szMMs5M7K6XuCmZiA5om6AeGD8xO/hEyK7 +wSASRjVPoEq9US6rzVQ1/HF7VGtAUm0pwa5BSdcQSt8Wetk2VHWOk/affzViRQMY +Qa0RO08NjC8bipoKslAfOgQBG0Qkz4W30qo/TM/aXQD0LFVzO8xNGZ+fsMlZHVDd +8fUmdr6YdedeM6sK1lSbmQ +-> ssh-ed25519 /vwQcQ IIHpbKYRwc4l17JTSnlC27uOW9BCPpct6e4t9c6Gm1w +r1YpYRzp9oKzB7K7TfSjVJ5/u8MgQUsBCwX33eufk8c +-> ssh-ed25519 0R97PA qKxNGLm68wijV0MVwPDgHfEBS1QrjaPbCUAzyXDzTD8 +xTd7eSGhUTTg8DNZvXlXVJn9qR4QNTWAEZEpvZtp8eQ +-> F3[qO-grease > ++nxdwvSJfb2jUmfvHo4NdrF5zMKs/7UKDdfdR/Nq0ixKldOc38t/fsQT/nO7Sc0X +YUfcwPlm0A +--- XFCl0I2MfdkSIPZn+qYuUbrrYT4hFyS+J9oIcDOpCog +ӋrPu ϖч܉CZG62\g'o$cԚ{ c \ No newline at end of file diff --git a/machines/compute01/secrets/outline-storage_secret_key_file b/machines/compute01/secrets/outline-storage_secret_key_file new file mode 100644 index 0000000..1f0eb7a --- /dev/null +++ b/machines/compute01/secrets/outline-storage_secret_key_file 
@@ -0,0 +1,25 @@ +age-encryption.org/v1 +-> ssh-ed25519 tDqJRg 5j5AMbEgiJVrZPe/1cKw5pRZAq7Q5cDPYYiGq1P14zo +CqKy45yH2agjoiVrNq12gHTrMtAIYfQpczGAAIAQKz4 +-> ssh-ed25519 jIXfPA E/2hcFg1L2QOwi0KiImfQr2PyXlSGEaThjXbduZ3tVM +de9WpiLuu6vLvXUBEPytKYEtlGRPLCR/xZ21zUuJ6M4 +-> ssh-ed25519 QlRB9Q v5bKs2O+wI9S7OWUdQxZ5NFrHqoCY5TOktzcEow5ykE +TCv3AZHETGED0mHm+VSZpCounNYmYjOF3CpnwWkOvzA +-> ssh-ed25519 r+nK/Q ST1yzmBl2GPU4gOPnOP1k/JsE6mlmPgY8I4SVI8BlG4 +CLFXWyY1dDFW67fpOghefAyGFTWsKPe4WrbpyIWgl7c +-> ssh-rsa krWCLQ +DymuVdMYvmXesAgXxIguJ69qZt2FbejjM51zsdtMP2Si6KN66+iWDqxs/TqqoGt2 +MOTm0sZsKhCR5UtWTDtCnpSgxgIDkyjQGn6hYWLISWkXrxwqu98bzUzsEojoftns +4vFmMTaAgj/thebGX/0aVlw3AoXLjk/noe+vV6MzdS+MEn2cMK3ptYl8o03SJE48 +Pd+kCCHE0ZTw4A6cu8kAdIcfLD504+rv7UMyF+N51awc4U/wNb0e//NyqTCwu8lu +NUmpijmihbmg0Jfzygpb/AOmPd7tWZ6edlMKMTgqcmRUGlBy255vo/1aJ4013wES +oVrLuKxFhFFa/MltC25Fag +-> ssh-ed25519 /vwQcQ fVeNhIbP0fJhEjP6+D1V3hzbu4O0Qphu8m3NbM6sLw0 +FkOkl8VouaA6aPpKo3N0sOrRfFUOno4Dss6wQ29HbIk +-> ssh-ed25519 0R97PA CQPcshNi8+1UXyIfobDdOgds2DhmW7AqGVtgc89B6GY +RaB00hjXE5YJYPNcc/vDKPDb61YmZOF6ag/dPHfCcAo +-> N%i-grease I% : c'3 +Cnk2LzKDFMF2kDPHleKJTtY2NoC0nOIA4fUoe5NLhiJRqaWJWV0tYFIxzSu68TWb +nnB01VeEeyYYdz/LK3SakmI7D7OI40SS +--- 3GObimibJjJjx0ML8Dg29fcgI1AFdvi4tpEQwkHyKBA +i̸Z=haC6w"lG|6:?# bxM};%EY/6J=DirL;8XhlpK \ No newline at end of file diff --git a/machines/compute01/secrets/secrets.nix b/machines/compute01/secrets/secrets.nix index 1e8b675..bd0c5ab 100644 --- a/machines/compute01/secrets/secrets.nix +++ b/machines/compute01/secrets/secrets.nix @@ -8,4 +8,7 @@ lib.setDefault { inherit publicKeys; } [ "mastodon-extra_env_file" "nextcloud-adminpass_file" "nextcloud-s3_secret_file" + "outline-oidc_client_secret_file" + "outline-smtp_password_file" + "outline-storage_secret_key_file" ] diff --git a/patches/default.nix b/patches/default.nix index 98a94d9..6093880 100644 --- a/patches/default.nix +++ b/patches/default.nix 
@@ -63,7 +63,32 @@
 # garage: add environmentFile
 {
 id = 257043;
- hash = "sha256-etzGZRFgFZra5KmL2pUQnIFBFiAudePDmNTVA4VDiBs=";
+ hash = "sha256-Z+WmDPuDoV1Ex+XzvUhvMPn8U+aw0tCRH3O5oR2qQrM=";
+ }
+
+ # outline: 0.68.1 -> 0.69.2
+ {
+ id = 232235;
+ hash = "sha256-f+upHsuuYyLqd9Wv+9JHhB3HnP+mXWer6L/xi5eFpwE=";
+ }
+
+ # outline: 0.69.2 -> 0.70.2
+ {
+ id = 241667;
+ excludes = [ "nixos/doc/manual/*" ];
+ hash = "sha256-9bOjwaXN/4/ASpNfyhaby+nuIz23gDLDIqgTdApdj1U=";
+ }
+
+ # outline 0.70.2 -> 0.71.0
+ {
+ id = 252126;
+ hash = "sha256-lH8xp5zG2fAaXS2gLF7UxqvuPlAigJ297hvlks0CG/U=";
+ }
+
+ # outline: use fetchYarnDeps
+ {
+ id = 253567;
+ hash = "sha256-aR62vOuTfmJ7MIr3plDcBonQQH2+o2F6z/LAAgcKVHU=";
 }
 ];
 }
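Review bot: The first change in the hunk swaps the hash of the `id = 257043` garage patch even though the commit is an outline deployment, and nothing in the hunk or the commit message explains why that patch's contents changed. If `id` is a pull-request number fetched by PR (which the surrounding entries suggest), a new hash means the PR was rebased or amended upstream, and the comment should say so, e.g. `# garage: add environmentFile (hash refreshed: PR contents changed upstream)`, since a reviewer otherwise cannot tell a deliberate refresh from a copy error. The four new outline entries pin unmerged upstream patches by content hash, which is the right control for fetched patches; the comment on the `id = 252126` entry drops the colon its siblings use and should read `# outline: 0.70.2 -> 0.71.0`. The patch list this hunk edits begins outside the hunk.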