outline: move config to separate module

2023-06-09 23:17:04 +05:30 · 2023-06-09 23:17:04 +05:30 · d2ee858caa
commit d2ee858caa
parent a386973589
3 changed files with 168 additions and 144 deletions
--- a/flake.nix
+++ b/flake.nix
@ -84,6 +84,7 @@
            ./modules/monitoring/monitoring.nix
            ./modules/calibre.nix
            ./modules/wiki.nix
+            ./modules/outline.nix
            ./modules/vaultwarden.nix

            # Host-specific config
--- a/modules/outline.nix
+++ b/modules/outline.nix
@ -0,0 +1,167 @@
+{ config, pkgs, ... }:
+{
+  # Open paperless port, but only for local network
+  networking.firewall.extraCommands = ''
+    iptables -A nixos-fw -p tcp --source 192.168.0.0/24 --dport 28981:28981 -j nixos-fw-accept
+    iptables -A nixos-fw -p tcp --source 192.168.0.0/24 --dport 3000:3000 -j nixos-fw-accept
+    iptables -A nixos-fw -p tcp --source 192.168.0.0/24 --dport 9909:9909 -j nixos-fw-accept
+    iptables -A nixos-fw -p tcp --source 192.168.0.0/24 --dport 9910:9910 -j nixos-fw-accept
+    iptables -A nixos-fw -p tcp --source 192.168.0.0/24 --dport 5556:5556 -j nixos-fw-accept
+  '';
+
+  systemd.services = {
+    dex.serviceConfig.StateDirectory = "dex";
+  };
+
+  systemd.tmpfiles.rules = [
+    "f /run/agenix/outline_gmail 0600 outline users -"
+  ];
+
+  services = {
+    minio = {
+      enable = true;
+      region = "ap-south-1";
+      listenAddress = "0.0.0.0:9909";
+      consoleAddress = "0.0.0.0:9910";
+      browser = true;
+      rootCredentialsFile = "/run/agenix/minio";
+    };
+
+    dex = {
+      enable = true;
+      settings = {
+        issuer = "https://dex.bhankas.org";
+        storage = {
+          type = "sqlite3";
+          config.file = "/var/lib/dex/db.sqlite3";
+        };
+        web.http = "127.0.0.1:5556";
+        staticClients = [
+          {
+            id = "outline";
+            name = "Outline Client";
+            redirectURIs = [
+              "https://outline.bhankas.org/auth/oidc.callback"
+            ];
+            secretFile = "${pkgs.writeText "outline-oidc-secret" "test123"}";
+          }
+        ];
+        connectors = [
+          {
+            type = "mockPassword";
+            id = "mock";
+            name = "example";
+            config = {
+              username = "bruce";
+              password = "wayne";
+            };
+          }
+        ];
+      };
+    };
+
+    outline = {
+      enable = true;
+      port = 3000;
+      publicUrl = "https://outline.bhankas.org";
+      enableUpdateCheck = false;
+      defaultLanguage = "en_US";
+      databaseUrl = "local";
+      redisUrl = "local";
+      concurrency = 4;
+      forceHttps = false;
+      rateLimiter = {
+        enable = true;
+        durationWindow = 60;
+        requests = 5000;
+      };
+      storage = {
+        region = config.services.minio.region;
+        accessKey = "lWdhw1nclwmJiR9j";
+        secretKeyFile = "/run/agenix/minio_secret_key";
+        uploadBucketUrl = "https://minio.bhankas.org";
+        uploadBucketName = "outline";
+      };
+      smtp = {
+        username = "gandalf@bhankas.org";
+        secure = true;
+        fromEmail = "gandalf@bhankas.org";
+        replyEmail = "gandalf@bhankas.org";
+        host = "smtp.purelymail.com";
+        port = 587;
+        passwordFile = "/run/agenix/outline_gmail";
+      };
+      oidcAuthentication = {
+        authUrl = "https://dex.bhankas.org/auth";
+        tokenUrl = "https://dex.bhankas.org/token";
+        userinfoUrl = "https://dex.bhankas.org/userinfo";
+        clientId = "outline";
+        clientSecretFile = (builtins.elemAt config.services.dex.settings.staticClients 0).secretFile;
+        scopes = [ "openid" "email" "profile" ];
+        usernameClaim = "preferred_username";
+        displayName = "Dex";
+      };
+    };
+
+    nginx = {
+      enable = true;
+      virtualHosts = {
+        "minio.bhankas.org" = {
+          addSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://${config.services.minio.consoleAddress}";
+            proxyWebsockets = false;
+            extraConfig =
+              "proxy_set_header Host $host;"
+            ;
+          };
+        };
+
+        "outline.bhankas.org" = {
+          addSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:3000";
+            proxyWebsockets = true;
+            extraConfig =
+              "proxy_set_header Host $host;"
+            ;
+          };
+        };
+
+        "dex.bhankas.org" = {
+          addSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:5556";
+            proxyWebsockets = false;
+            extraConfig =
+              "proxy_set_header Host $host;"
+            ;
+          };
+        };
+      };
+    };
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    certs = {
+      "minio.bhankas.org" = {
+        email = "admin@bhankas.org";
+        dnsResolver = "1.1.1.1:53";
+      };
+
+      "outline.bhankas.org" = {
+        email = "admin@bhankas.org";
+        dnsResolver = "1.1.1.1:53";
+      };
+
+      "dex.bhankas.org" = {
+        email = "admin@bhankas.org";
+        dnsResolver = "1.1.1.1:53";
+      };
+    };
+  };
+}
--- a/modules/wiki.nix
+++ b/modules/wiki.nix
@ -1,20 +1,13 @@
 { config, pkgs, ... }:
 {
-  # Open paperless port, but only for local network
  networking.firewall.extraCommands = ''
    iptables -A nixos-fw -p tcp --source 192.168.0.0/24 --dport 28981:28981 -j nixos-fw-accept
-    iptables -A nixos-fw -p tcp --source 192.168.0.0/24 --dport 3000:3000 -j nixos-fw-accept
-    iptables -A nixos-fw -p tcp --source 192.168.0.0/24 --dport 9909:9909 -j nixos-fw-accept
-    iptables -A nixos-fw -p tcp --source 192.168.0.0/24 --dport 9910:9910 -j nixos-fw-accept
-    iptables -A nixos-fw -p tcp --source 192.168.0.0/24 --dport 5556:5556 -j nixos-fw-accept
  '';

  systemd.services = {
    paperless-scheduler.after = [ "var-lib-paperless.mount" ];
    paperless-consumer.after = [ "var-lib-paperless.mount" ];
    paperless-web.after = [ "var-lib-paperless.mount" ];
-
-    dex.serviceConfig.StateDirectory = "dex";
  };

  systemd.tmpfiles.rules = [
@ -43,91 +36,6 @@
      };
    };

-    minio = {
-      enable = true;
-      region = "ap-south-1";
-      listenAddress = "0.0.0.0:9909";
-      consoleAddress = "0.0.0.0:9910";
-      browser = true;
-      rootCredentialsFile = "/run/agenix/minio";
-    };
-
-    dex = {
-      enable = true;
-      settings = {
-        issuer = "https://dex.bhankas.org";
-        storage = {
-          type = "sqlite3";
-          config.file = "/var/lib/dex/db.sqlite3";
-        };
-        web.http = "127.0.0.1:5556";
-        staticClients = [
-          {
-            id = "outline";
-            name = "Outline Client";
-            redirectURIs = [
-              "https://outline.bhankas.org/auth/oidc.callback"
-            ];
-            secretFile = "${pkgs.writeText "outline-oidc-secret" "test123"}";
-          }
-        ];
-        connectors = [
-          {
-            type = "mockPassword";
-            id = "mock";
-            name = "example";
-            config = {
-              username = "bruce";
-              password = "wayne";
-            };
-          }
-        ];
-      };
-    };
-
-    outline = {
-      enable = true;
-      port = 3000;
-      publicUrl = "https://outline.bhankas.org";
-      enableUpdateCheck = false;
-      defaultLanguage = "en_US";
-      databaseUrl = "local";
-      redisUrl = "local";
-      concurrency = 4;
-      forceHttps = false;
-      rateLimiter = {
-        enable = true;
-        durationWindow = 60;
-        requests = 5000;
-      };
-      storage = {
-        region = config.services.minio.region;
-        accessKey = "lWdhw1nclwmJiR9j";
-        secretKeyFile = "/run/agenix/minio_secret_key";
-        uploadBucketUrl = "https://minio.bhankas.org";
-        uploadBucketName = "outline";
-      };
-      smtp = {
-        username = "gandalf@bhankas.org";
-        secure = true;
-        fromEmail = "gandalf@bhankas.org";
-        replyEmail = "gandalf@bhankas.org";
-        host = "smtp.purelymail.com";
-        port = 587;
-        passwordFile = "/run/agenix/outline_gmail";
-      };
-      oidcAuthentication = {
-        authUrl = "https://dex.bhankas.org/auth";
-        tokenUrl = "https://dex.bhankas.org/token";
-        userinfoUrl = "https://dex.bhankas.org/userinfo";
-        clientId = "outline";
-        clientSecretFile = (builtins.elemAt config.services.dex.settings.staticClients 0).secretFile;
-        scopes = [ "openid" "email" "profile" ];
-        usernameClaim = "preferred_username";
-        displayName = "Dex";
-      };
-    };
-
    radicale = {
      enable = true;
      settings = {
@ -162,7 +70,6 @@

    # TODO: Split to their respective locations
    nginx = {
-      enable = true;
      virtualHosts = {
        "bebop.bhankas.org" = {
          addSSL = true;
@ -176,18 +83,6 @@
          };
        };

-        "minio.bhankas.org" = {
-          addSSL = true;
-          enableACME = true;
-          locations."/" = {
-            proxyPass = "http://${config.services.minio.consoleAddress}";
-            proxyWebsockets = false;
-            extraConfig =
-              "proxy_set_header Host $host;"
-            ;
-          };
-        };
-
        "paperless.bhankas.org" = {
          addSSL = true;
          enableACME = true;
@ -200,30 +95,6 @@
          };
        };

-        "outline.bhankas.org" = {
-          addSSL = true;
-          enableACME = true;
-          locations."/" = {
-            proxyPass = "http://127.0.0.1:3000";
-            proxyWebsockets = true;
-            extraConfig =
-              "proxy_set_header Host $host;"
-            ;
-          };
-        };
-
-        "dex.bhankas.org" = {
-          addSSL = true;
-          enableACME = true;
-          locations."/" = {
-            proxyPass = "http://127.0.0.1:5556";
-            proxyWebsockets = false;
-            extraConfig =
-              "proxy_set_header Host $host;"
-            ;
-          };
-        };
-
        "radicale.bhankas.org" = {
          addSSL = true;
          enableACME = true;
@ -259,26 +130,11 @@
        dnsResolver = "1.1.1.1:53";
      };

-      "minio.bhankas.org" = {
-        email = "admin@bhankas.org";
-        dnsResolver = "1.1.1.1:53";
-      };
-
      "paperless.bhankas.org" = {
        email = "admin@bhankas.org";
        dnsResolver = "1.1.1.1:53";
      };

-      "outline.bhankas.org" = {
-        email = "admin@bhankas.org";
-        dnsResolver = "1.1.1.1:53";
-      };
-
-      "dex.bhankas.org" = {
-        email = "admin@bhankas.org";
-        dnsResolver = "1.1.1.1:53";
-      };
-
      "radicale.bhankas.org" = {
        email = "admin@bhankas.org";
        dnsResolver = "1.1.1.1:53";