Add comentario

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-09-10 21:56:15 +01:00
parent bab9115537
commit ada4b522a6
6 changed files with 441 additions and 74 deletions
--- a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
@@ -136,6 +136,7 @@ in
                "gitea"
                "outline"
                "shlink"
+                "comentario"
              ];
            };
          }
--- a/hosts/jupiter/users/storm/configs/console/podman/comentario/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/comentario/default.nix
@@ -0,0 +1,159 @@
+{ user, home }:
+{
+  config,
+  inputs,
+  pkgs,
+  lib,
+  ...
+}:
+let
+  hmConfig = config.home-manager.users.${user};
+  inherit (hmConfig.virtualisation.quadlet) containers volumes networks;
+  autheliaClientId = "d16NArYYcTbDU0YTQEwmlvzWAzJKhbIbe4s8wGENSRTK40gvAwGbYO0fCSq4rh6pjNxI0ZuH1cM8XnADCgSV9SHRzgX9MqcFre5r";
+in
+{
+  home-manager.users.${user} = {
+    sops = {
+      secrets = {
+        "comentario/postgresql".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "comentario/authelia/password".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "comentario/authelia/digest".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+        "comentario/smtp".sopsFile = "${inputs.secrets}/hosts/jupiter/secrets.yaml";
+      };
+
+      templates = {
+        comentario-postgresql-env.content = ''
+          POSTGRES_PASSWORD=${hmConfig.sops.placeholder."comentario/postgresql"}
+        '';
+
+        comentario.content = builtins.readFile (
+          (pkgs.formats.yaml { }).generate "secrets.yaml" {
+            postgres = {
+              host = "comentario-postgresql";
+              port = 5432;
+              database = "comentario";
+              username = "comentario";
+              password = hmConfig.sops.placeholder."comentario/postgresql";
+            };
+
+            smtpServer = {
+              host = "smtp.protonmail.ch";
+              port = 587;
+              username = "jupiter@karaolidis.com";
+              password = hmConfig.sops.placeholder."comentario/smtp";
+            };
+
+            idp.oidc = [
+              {
+                id = "authelia";
+                name = "Authelia";
+                url = "https://id.karaolidis.com";
+                scopes = [
+                  "openid"
+                  "profile"
+                  "email"
+                  "is_admin"
+                ];
+                key = autheliaClientId;
+                secret = hmConfig.sops.placeholder."comentario/authelia/password";
+              }
+            ];
+          }
+        );
+
+        authelia-comentario.content = builtins.readFile (
+          (pkgs.formats.yaml { }).generate "comentario.yaml" {
+            identity_providers.oidc = {
+              authorization_policies.comentario = {
+                default_policy = "deny";
+                rules = [
+                  {
+                    policy = "one_factor";
+                    subject = "group:comentario";
+                  }
+                ];
+              };
+
+              clients = [
+                {
+                  client_id = autheliaClientId;
+                  client_name = "Comentario";
+                  client_secret = hmConfig.sops.placeholder."comentario/authelia/digest";
+                  redirect_uris = [ "https://comments.karaolidis.com/api/oauth/oidc:authelia/callback" ];
+                  authorization_policy = "comentario";
+                  claims_policy = "is_admin";
+                  scopes = [
+                    "openid"
+                    "profile"
+                    "email"
+                    "is_admin"
+                  ];
+                  pre_configured_consent_duration = "1 month";
+                }
+              ];
+            };
+          }
+        );
+      };
+    };
+
+    virtualisation.quadlet = {
+      networks.comentario = { };
+
+      volumes.comentario-postgresql = { };
+
+      containers = {
+        comentario = {
+          containerConfig = {
+            image = "docker-archive:${pkgs.dockerImages.comentario}";
+            networks = [
+              networks.comentario.ref
+              networks.traefik.ref
+            ];
+            environments = {
+              BASE_URL = "https://comments.karaolidis.com";
+              NO_COLOR = "true";
+              SUPERUSER_CLAIM = "is_admin";
+              DYN_DEFAULT_AUTH_EMAILUPDATE_ENABLED = "true";
+              DYN_DEFAULT_AUTH_SIGNUP_CONFIRM_COMMENTER = "false";
+              DYN_DEFAULT_AUTH_SIGNUP_ENABLED = "false";
+              DYN_DEFAULT_AUTH_SIGNUP_SSO_ENABLED = "true";
+            };
+            volumes = [ "${hmConfig.sops.templates.comentario.path}:/etc/comentario/secrets.yaml:ro" ];
+            labels = [
+              "traefik.enable=true"
+              "traefik.http.routers.comentario.rule=Host(`comments.karaolidis.com`)"
+            ];
+          };
+
+          unitConfig = {
+            After = [
+              "${containers.comentario-postgresql._serviceName}.service"
+              "sops-nix.service"
+            ];
+            Requires = [ "${containers.comentario-postgresql._serviceName}.service" ];
+          };
+        };
+
+        comentario-postgresql = {
+          containerConfig = {
+            image = "docker-archive:${pkgs.dockerImages.postgresql}";
+            networks = [ networks.comentario.ref ];
+            volumes = [ "${volumes.comentario-postgresql.ref}:/var/lib/postgresql/data" ];
+            environments = {
+              POSTGRES_DB = "comentario";
+              POSTGRES_USER = "comentario";
+            };
+            environmentFiles = [ hmConfig.sops.templates.comentario-postgresql-env.path ];
+          };
+
+          unitConfig.After = [ "sops-nix.service" ];
+        };
+
+        authelia.containerConfig.volumes = [
+          "${hmConfig.sops.templates.authelia-comentario.path}:/etc/authelia/conf.d/comentario.yaml:ro"
+        ];
+      };
+    };
+  };
+}
--- a/hosts/jupiter/users/storm/configs/console/podman/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/default.nix
@@ -12,6 +12,7 @@ in
  imports = [
    (import ./attic { inherit user home; })
    (import ./authelia { inherit user home; })
+    (import ./comentario { inherit user home; })
    (import ./gitea { inherit user home; })
    (import ./grafana { inherit user home; })
    (import ./littlelink { inherit user home; })