Add comentario
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
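--- /dev/null
+++ b/[path not shown on page]
@@ -0,0 +1,158 @@
+{ user, home }:
+{
+config,
+inputs,
+pkgs,
+lib,
+...
+}:
+let
+hmConfig = config.home-manager.users.${user};
+inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
+autheliaClientId = "d16NArYYcTbDU0YTQEwmlvzWAzJKhbIbe4s8wGENSRTK40gvAwGbYO0fCSq4rh6pjNxI0ZuH1cM8XnADCgSV9SHRzgX9MqcFre5r";
+in
+{
+home-manager.users.${user} = {
+sops = {
+secrets = {
+"comentario/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+"comentario/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+"comentario/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+"comentario/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+};
+
+templates = {
+comentario-postgresql-env.content = ''
+POSTGRES_PASSWORD=${hmConfig.sops.placeholder."comentario/postgresql"}
+'';
+
+comentario.content = builtins.readFile (
+(pkgs.formats.yaml { }).generate "secrets.yaml" {
+postgres = {
+host = "comentario-postgresql";
+port = 5432;
+database = "comentario";
+username = "comentario";
+password = hmConfig.sops.placeholder."comentario/postgresql";
+};
+
+smtpServer = {
+host = "smtp.protonmail.ch";
+port = 587;
+username = "jupiter@karaolidis.com";
+password = hmConfig.sops.placeholder."comentario/smtp";
+};
+
+idp.oidc = [
+{
+id = "authelia";
+name = "Authelia";
+url = "https://id.karaolidis.com";
+scopes = [
+"openid"
+"profile"
+"email"
+"is_admin"
+];
+key = autheliaClientId;
+secret = hmConfig.sops.placeholder."comentario/authelia/password";
+}
+];
+}
+);
+
+authelia-comentario.content = builtins.readFile (
+(pkgs.formats.yaml { }).generate "comentario.yaml" {
+identity_providers.oidc = {
+authorization_policies.comentario = {
+default_policy = "deny";
+rules = [
+{
+policy = "one_factor";
+subject = "group:comentario";
+}
+];
+};
+
+clients = [
+{
+client_id = autheliaClientId;
+client_name = "Comentario";
+client_secret = hmConfig.sops.placeholder."comentario/authelia/digest";
+redirect_uris = [ "https://comments.karaolidis.com/api/oauth/oidc:authelia/callback" ];
+authorization_policy = "comentario";
+claims_policy = "is_admin";
+scopes = [
+"openid"
+"profile"
+"email"
+"is_admin"
+];
+}
+];
+};
+}
+);
+};
+};
+
+virtualisation.quadlet = {
+networks.comentario = { };
+
+volumes.comentario-postgresql = { };
+
+containers = {
+comentario = {
+containerConfig = {
+image = "docker-archive:${pkgs.dockerImages.comentario}";
+networks = [
+networks.comentario.ref
+networks.traefik.ref
+];
+environments = {
+BASE_URL = "https://comments.karaolidis.com";
+NO_COLOR = "true";
+SUPERUSER_CLAIM = "is_admin";
+DYN_DEFAULT_AUTH_EMAILUPDATE_ENABLED = "true";
+DYN_DEFAULT_AUTH_SIGNUP_CONFIRM_COMMENTER = "false";
+DYN_DEFAULT_AUTH_SIGNUP_ENABLED = "false";
+DYN_DEFAULT_AUTH_SIGNUP_SSO_ENABLED = "true";
+};
+volumes = [ "${hmConfig.sops.templates.comentario.path}:/etc/comentario/secrets.yaml:ro" ];
+labels = [
+"traefik.enable=true"
+"traefik.http.routers.comentario.rule=Host(`comments.karaolidis.com`)"
+];
+};
+
+unitConfig = {
+After = [
+"${containers.comentario-postgresql._serviceName}.service"
+"sops-nix.service"
+];
+Requires = [ "${containers.comentario-postgresql._serviceName}.service" ];
+};
+};
+
+comentario-postgresql = {
+containerConfig = {
+image = "docker-archive:${pkgs.dockerImages.postgresql}";
+networks = [ networks.comentario.ref ];
+volumes = [ "${volumes.comentario-postgresql.ref}:/var/lib/postgresql/data" ];
+environments = {
+POSTGRES_DB = "comentario";
+POSTGRES_USER = "comentario";
+};
+environmentFiles = [ hmConfig.sops.templates.comentario-postgresql-env.path ];
+};
+
+unitConfig.After = [ "sops-nix.service" ];
+};
+
+authelia.containerConfig.volumes = [
+"${hmConfig.sops.templates.authelia-comentario.path}:/etc/authelia/conf.d/comentario.yaml:ro"
+];
+};
+};
+};
+}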
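Review bot: The `"is_admin"` scope requested in both `scopes` lists, the `claims_policy = "is_admin"` on the Authelia client and `SUPERUSER_CLAIM = "is_admin"` in the Comentario environment all depend on a custom Authelia scope and claims policy that this file does not define, so the path by which an account is elevated to Comentario superuser is split across files with nothing here saying so. A comment above `claims_policy` would make that coupling explicit, e.g. `# is_admin scope + claims policy are defined in the main Authelia config; whoever Authelia issues this claim to is presumably treated as a Comentario superuser via SUPERUSER_CLAIM`. The pairing of `comentario/authelia/password` (given to Comentario as `secret`) with `comentario/authelia/digest` (given to Authelia as `client_secret`) is likewise implicit; a one-line comment next to the two sops secrets stating that the digest must be derived from that same password would save the next reader a failed OIDC login. Minor style: the `home` and `lib` arguments are unused, and the `sopsFile` path is repeated four times and could be a single `let` binding.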