diff --git a/flake.nix b/flake.nix index c31e135..b2a07d3 100644 --- a/flake.nix +++ b/flake.nix @@ -152,6 +152,7 @@ ./roles/keycloak.nix ./roles/podman.nix ./roles/postgres.nix + ./roles/zulip.nix home-manager-stable.nixosModules.home-manager { home-manager.useGlobalPkgs = true; diff --git a/roles/iceshrimp.nix b/roles/iceshrimp.nix index 1e07afd..43be589 100644 --- a/roles/iceshrimp.nix +++ b/roles/iceshrimp.nix @@ -2,7 +2,7 @@ services.redis.servers.iceshrimp = { enable = true; port = 6380; - bind = "100.93.214.57"; + bind = "0.0.0.0"; settings.protected-mode = "no"; }; diff --git a/roles/podman.nix b/roles/podman.nix index 0273fde..aee0621 100644 --- a/roles/podman.nix +++ b/roles/podman.nix @@ -4,4 +4,5 @@ environment.systemPackages = with pkgs; [ podman-compose ]; + networking.firewall.trustedInterfaces = ["podman0"]; } diff --git a/roles/postgres.nix b/roles/postgres.nix index 464a7b1..5ea1c8f 100644 --- a/roles/postgres.nix +++ b/roles/postgres.nix @@ -31,6 +31,7 @@ # ipv4 host all all 127.0.0.1/32 scram-sha-256 host all all 100.64.0.0/10 scram-sha-256 + host all all 10.0.0.0/8 scram-sha-256 # ipv6 host all all ::1/128 scram-sha-256 ''; diff --git a/roles/zulip-db.nix b/roles/zulip-db.nix new file mode 100644 index 0000000..80e75cd --- /dev/null +++ b/roles/zulip-db.nix 
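Review bot: In roles/iceshrimp.nix the Redis server now binds `0.0.0.0` while `settings.protected-mode = "no"` stays in place, so the instance accepts connections on every interface the host has, not just the tailnet address it was limited to before; nothing in this hunk shows a password for it, unlike the new zulip Redis server which sets `requirePassFile`. If the goal is reachability from containers, bind to the podman bridge address instead of all interfaces, or keep `0.0.0.0` but add `requirePassFile` and rely on the firewall to limit which interfaces can reach port 6380. Either way a comment stating why the wider bind is needed would help, e.g. `# bound to all interfaces so the podman bridge can reach it; access is limited by the firewall`. The enclosing `services.redis.servers.iceshrimp` attribute set ends outside the hunk.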
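Review bot: In roles/podman.nix, `networking.firewall.trustedInterfaces = ["podman0"];` opens every host port to every container on the bridge, which together with the services in this commit now listening on `0.0.0.0`/`::` means any container, not just zulip, can reach Postgres, Redis, memcached and RabbitMQ on the host. A per-port allowlist on the bridge interface is the narrower form, e.g. `networking.firewall.interfaces.podman0.allowedTCPPorts = [ 5432 6381 11211 5672 ];` (5672 being RabbitMQ's default AMQP port; adjust if the service is configured differently). If the trusted-interface shortcut is kept deliberately, a comment saying so and listing the services it is meant to expose would make the intent reviewable.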
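Review bot: In roles/postgres.nix the new pg_hba entry `host all all 10.0.0.0/8 scram-sha-256` grants every database to every role from the whole 10/8 range, while the only consumer added in this commit is the `zulip` user on the `zulip` database coming from the podman bridge subnet. Narrowing it to `host zulip zulip <PODMAN_SUBNET> scram-sha-256` (the actual bridge subnet is not visible on this page) keeps the blast radius of a leaked container credential to one database. The enclosing `authentication` string starts and ends outside the hunk, so it is not visible whether `listen_addresses` was also widened to include the bridge address; that is presumably needed for the container's `DB_HOST` to work.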
@@ -0,0 +1,30 @@ +{ config, pkgs, ... }: { + services.postgresql = { + extraPlugins = ps: with ps; [ + pgroonga + (pkgs.stdenv.mkDerivation { + name = "zulip-dicts"; + phases = "installPhase"; + src = pkgs.fetchurl { + url = "https://raw.githubusercontent.com/zulip/zulip/dd678465aed915101f9a74054e28535bbdd88ba3/puppet/zulip/files/postgresql/zulip_english.stop"; + hash = "sha256-F3CmCRkkPURN9Uo7KIFxkajSJsiTYQg1wubKCF2+bAs="; + }; + installPhase = '' + mkdir -p $out/share/postgresql/tsearch_data/ + ln -s ${pkgs.hunspellDicts.en_US}/share/hunspell/en_US.dic $out/share/postgresql/tsearch_data/en_us.dict + ln -s ${pkgs.hunspellDicts.en_US}/share/hunspell/en_US.aff $out/share/postgresql/tsearch_data/en_us.affix + cp $src $out/share/postgresql/tsearch_data/zulip_english.stop + ''; + }) + ]; + + ensureDatabases = [ "zulip" ]; + ensureUsers = [ + { + name = "zulip"; + ensureDBOwnership = true; + ensureClauses.login = true; + } + ]; + }; +} diff --git a/roles/zulip.nix b/roles/zulip.nix new file mode 100644 index 0000000..2234121 --- /dev/null +++ b/roles/zulip.nix 
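Review bot: The stopword file in `zulip-dicts` is pinned to a specific zulip commit via `fetchurl`, but nothing records that it has to match the Zulip release running in the container (`zulip/docker-zulip:8.4-0` in roles/zulip.nix), so a later image bump can silently desync the full-text search dictionaries; a comment above `src` such as `# Stopword list from the zulip tree; keep the pinned commit in step with the docker-zulip image version` would capture that. The `phases = "installPhase"` line is the older way of skipping the unpack step; the current nixpkgs idiom is to leave `phases` unset and use `dontUnpack = true;` (the `$src` reference in `installPhase` still works), which is a style point rather than a functional one. The symlinks into `hunspellDicts.en_US` and the pinned `hash` look fine as written.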
@@ -0,0 +1,77 @@ +{ config, pkgs, ... }: { + imports = [ ./zulip-db.nix ]; + + age.secrets.zulip-env.file = ../secrets/zulip-env.age; + age.secrets.zulip-redis.file = ../secrets/zulip-redis.age; + + services.memcached = { + enable = true; + listen = "0.0.0.0"; + }; + + services.rabbitmq = { + enable = true; + listenAddress = "::"; + }; + + services.redis.servers.zulip = { + enable = true; + port = 6381; + bind = "0.0.0.0"; + # TODO: move to agenix secret + requirePassFile = config.age.secrets.zulip-redis.path; + }; + + virtualisation.oci-containers.containers.zulip = { + image = "zulip/docker-zulip:8.4-0"; + autoStart = false; + environment = { + DB_HOST = "host.containers.internal"; + DB_HOST_PORT = "5432"; + DB_USER = "zulip"; + + SETTING_MEMCACHED_LOCATION = "host.containers.internal:11211"; + SETTING_RABBITMQ_HOST = "host.containers.internal"; + SETTING_RABBITMQ_USERNAME = "zulip"; + SETTING_REDIS_HOST = "host.containers.internal"; + SETTING_REDIS_PORT = "6381"; + + SETTING_EXTERNAL_HOST = "chat.shorks.gay"; + SETTING_ZULIP_ADMINISTRATOR = "zulip@shorks.gay"; + + DISABLE_HTTPS = "true"; + SSL_CERTIFICATE_GENERATION = "self-signed"; + LOADBALANCER_IPS = "100.64.0.0/10,10.0.0.0/8"; + QUEUE_WORKERS_MULTIPROCESS = "false"; + + SETTING_EMAIL_HOST = "smtp.migadu.com"; + SETTING_EMAIL_HOST_USER = "shorks@shorks.gay"; + SETTING_EMAIL_USE_TLS = "True"; + SETTING_EMAIL_PORT = "465"; + SETTING_ADD_TOKENS_TO_NOREPLY_ADDRESS = "True"; + SETTING_TOKENIZED_NOREPLY_EMAIL_ADDRESS = "chat+{token}@shorks.gay"; + SETTING_NOREPLY_EMAIL_ADDRESS = "chat@shorks.gay"; + SETTING_INSTALLATION_NAME = "shorks.gay zulip"; + SETTING_SOCIAL_AUTH_OIDC_ENABLED_IDPS = ''{ + "keycloak": { + "oidc_url": "https://account.shorks.gay/realms/shorks/", + "display_name": "shorks.gay account", + "display_icon": None, + "client_id": "zulip", + "secret": get_secret("social_auth_oidc_secret"), + } +}''; + + ZULIP_AUTH_BACKENDS = "GenericOpenIdConnectBackend"; + }; + environmentFiles = [ + 
config.age.secrets.zulip-env.path + ]; + ports = [ + "8080:80" + ]; + volumes = [ + "/var/lib/zulip:/data" + ]; + }; +} diff --git a/secrets/secrets.nix b/secrets/secrets.nix index a973486..73b09ea 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -8,4 +8,6 @@ let in { "keycloakPostgres.age".publicKeys = users ++ systems; + "zulip-redis.age".publicKeys = users ++ systems; + "zulip-env.age".publicKeys = users ++ systems; } diff --git a/secrets/zulip-env.age b/secrets/zulip-env.age new file mode 100644 index 0000000..d0065ac Binary files /dev/null and b/secrets/zulip-env.age differ diff --git a/secrets/zulip-redis.age b/secrets/zulip-redis.age new file mode 100644 index 0000000..e8b7890 --- /dev/null +++ b/secrets/zulip-redis.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 CEw3Tw 8WPerIwjvZEtJuC4m1cUqHgIiTGjTZfV1k3ohZn9ni0 +bj6iQvWtO2gP79DrHYECA0Pl8tzN/ArGT/dbe1pM9Hc +-> ssh-ed25519 8o9woQ FtOzkNfHgBL/RA63DrSMd9ZJPoBjdY691ISrwgXnLUw +rXo7ofH9ZG1Nx5H4p+xBQhmUUh4Dz0wzGftRw58zCas +--- NjD1Cw5pZK+fnhWT6TCF0TbiRN79brRwzP9GkU3wC9U +bpb(;p߷\)b)/cJ\X):.Dr,N +@h.xd=ii B : \ No newline at end of file
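Review bot: `ports = [ "8080:80" ];` publishes the container's plaintext HTTP port on every host interface, while `DISABLE_HTTPS = "true"` and `LOADBALANCER_IPS = "100.64.0.0/10,10.0.0.0/8"` indicate the service is meant to be fronted by a reverse proxy; binding the published port to the proxy-facing address, e.g. `"127.0.0.1:8080:80"` or the tailnet address, keeps the unauthenticated HTTP listener off any public interface. Two smaller points in the same file: the `# TODO: move to agenix secret` comment above `requirePassFile = config.age.secrets.zulip-redis.path;` is already done by this commit and should be dropped, and `SETTING_EMAIL_USE_TLS = "True"` with `SETTING_EMAIL_PORT = "465"` looks mismatched, since in Django `EMAIL_USE_TLS` selects STARTTLS whereas port 465 is implicit TLS (`EMAIL_USE_SSL`), so either the port or the flag presumably needs to change — worth confirming against the mail provider's documentation. The memcached, RabbitMQ and Redis listeners added here all bind to all addresses; if that is intentional for the podman bridge, a one-line comment on each saying so would make the exposure deliberate rather than accidental.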