feat(amy): add configs for zulip

This commit is contained in:
Ashhhleyyy 2024-07-08 00:11:06 +01:00
parent 1acf766012
commit 6216c95200
Signed by: ash
GPG key ID: 83B789081A0878FB
9 changed files with 121 additions and 1 deletions


@ -152,6 +152,7 @@
./roles/keycloak.nix ./roles/keycloak.nix
./roles/podman.nix ./roles/podman.nix
./roles/postgres.nix ./roles/postgres.nix
./roles/zulip.nix
home-manager-stable.nixosModules.home-manager home-manager-stable.nixosModules.home-manager
{ {
home-manager.useGlobalPkgs = true; home-manager.useGlobalPkgs = true;


@ -2,7 +2,7 @@
services.redis.servers.iceshrimp = { services.redis.servers.iceshrimp = {
enable = true; enable = true;
port = 6380; port = 6380;
bind = "100.93.214.57"; bind = "0.0.0.0";
settings.protected-mode = "no"; settings.protected-mode = "no";
}; };
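Review bot: Changing `bind` from a single address to `"0.0.0.0"` on line 28 while `settings.protected-mode` stays `"no"` exposes this Redis on every host interface, so the host firewall and whatever `requirePass` the file sets outside this hunk are the only remaining guards. If the intent is to let containers reach it over the podman bridge, listing just the needed addresses is safer; Redis's bind directive accepts a space-separated list, so something like `bind = "100.93.214.57 <podman0 bridge address>";` keeps the old reachability without listening on everything. The rest of the `iceshrimp` server definition is outside the hunk.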


@ -4,4 +4,5 @@
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
podman-compose podman-compose
]; ];
networking.firewall.trustedInterfaces = ["podman0"];
} }
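Review bot: `networking.firewall.trustedInterfaces = ["podman0"];` on line 38 lets every container on the bridge reach every listening port on the host, not only the services this commit wires up. The narrower form opens just those ports on that interface, e.g. `networking.firewall.interfaces.podman0.allowedTCPPorts = [ 5432 6380 6381 11211 ];` plus RabbitMQ's AMQP port, so an unrelated or compromised container cannot probe other host daemons. The port numbers above are taken from the other hunks in this commit; the list should be adjusted if the bridge interface is not `podman0`.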


@ -31,6 +31,7 @@
# ipv4 # ipv4
host all all 127.0.0.1/32 scram-sha-256 host all all 127.0.0.1/32 scram-sha-256
host all all 100.64.0.0/10 scram-sha-256 host all all 100.64.0.0/10 scram-sha-256
host all all 10.0.0.0/8 scram-sha-256
# ipv6 # ipv6
host all all ::1/128 scram-sha-256 host all all ::1/128 scram-sha-256
''; '';
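Review bot: The new `host all all 10.0.0.0/8 scram-sha-256` rule on line 47 admits password authentication for every database and role from the whole 10/8 range, which is presumably much wider than the podman bridge subnet the zulip container connects from. Restricting it to that subnet and to the one database/user pair, `host zulip zulip <podman bridge subnet> scram-sha-256`, limits what a container can even attempt to log in to; if more containers need postgres, one line per pair keeps the grants explicit. The `pg_hba` string this rule lives in starts outside the hunk.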

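--- a/roles/zulip-db.nix
+++ b/roles/zulip-db.nix
@@ -0,0 +1,30 @@
+{ config, pkgs, ... }: {
+services.postgresql = {
+extraPlugins = ps: with ps; [
+pgroonga
+(pkgs.stdenv.mkDerivation {
+name = "zulip-dicts";
+phases = "installPhase";
+src = pkgs.fetchurl {
+url = "https://raw.githubusercontent.com/zulip/zulip/dd678465aed915101f9a74054e28535bbdd88ba3/puppet/zulip/files/postgresql/zulip_english.stop";
+hash = "sha256-F3CmCRkkPURN9Uo7KIFxkajSJsiTYQg1wubKCF2+bAs=";
+};
+installPhase = ''
+mkdir -p $out/share/postgresql/tsearch_data/
+ln -s ${pkgs.hunspellDicts.en_US}/share/hunspell/en_US.dic $out/share/postgresql/tsearch_data/en_us.dict
+ln -s ${pkgs.hunspellDicts.en_US}/share/hunspell/en_US.aff $out/share/postgresql/tsearch_data/en_us.affix
+cp $src $out/share/postgresql/tsearch_data/zulip_english.stop
+'';
+})
+];
+ensureDatabases = [ "zulip" ];
+ensureUsers = [
+{
+name = "zulip";
+ensureDBOwnership = true;
+ensureClauses.login = true;
+}
+];
+};
+}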
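Review bot: `phases = "installPhase";` on line 63 is the legacy way of skipping stdenv phases; the conventional form is `dontUnpack = true;`, since the default configure and build phases are no-ops for a source with no configure script or Makefile, and it keeps the fixup phase running. A short header comment on the derivation would help the next reader: say that the two hunspell symlinks and the `zulip_english.stop` file are placed under `share/postgresql/tsearch_data` because that is presumably where Zulip's full-text search dictionaries are looked up, and that the stop file is pinned to a specific upstream commit rather than a branch so the hash stays valid. The fetch itself is hash-pinned, so the pinning is sound as written.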

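--- a/roles/zulip.nix
+++ b/roles/zulip.nix
@@ -0,0 +1,77 @@
+{ config, pkgs, ... }: {
+imports = [ ./zulip-db.nix ];
+age.secrets.zulip-env.file = ../secrets/zulip-env.age;
+age.secrets.zulip-redis.file = ../secrets/zulip-redis.age;
+services.memcached = {
+enable = true;
+listen = "0.0.0.0";
+};
+services.rabbitmq = {
+enable = true;
+listenAddress = "::";
+};
+services.redis.servers.zulip = {
+enable = true;
+port = 6381;
+bind = "0.0.0.0";
+# TODO: move to agenix secret
+requirePassFile = config.age.secrets.zulip-redis.path;
+};
+virtualisation.oci-containers.containers.zulip = {
+image = "zulip/docker-zulip:8.4-0";
+autoStart = false;
+environment = {
+DB_HOST = "host.containers.internal";
+DB_HOST_PORT = "5432";
+DB_USER = "zulip";
+SETTING_MEMCACHED_LOCATION = "host.containers.internal:11211";
+SETTING_RABBITMQ_HOST = "host.containers.internal";
+SETTING_RABBITMQ_USERNAME = "zulip";
+SETTING_REDIS_HOST = "host.containers.internal";
+SETTING_REDIS_PORT = "6381";
+SETTING_EXTERNAL_HOST = "chat.shorks.gay";
+SETTING_ZULIP_ADMINISTRATOR = "zulip@shorks.gay";
+DISABLE_HTTPS = "true";
+SSL_CERTIFICATE_GENERATION = "self-signed";
+LOADBALANCER_IPS = "100.64.0.0/10,10.0.0.0/8";
+QUEUE_WORKERS_MULTIPROCESS = "false";
+SETTING_EMAIL_HOST = "smtp.migadu.com";
+SETTING_EMAIL_HOST_USER = "shorks@shorks.gay";
+SETTING_EMAIL_USE_TLS = "True";
+SETTING_EMAIL_PORT = "465";
+SETTING_ADD_TOKENS_TO_NOREPLY_ADDRESS = "True";
+SETTING_TOKENIZED_NOREPLY_EMAIL_ADDRESS = "chat+{token}@shorks.gay";
+SETTING_NOREPLY_EMAIL_ADDRESS = "chat@shorks.gay";
+SETTING_INSTALLATION_NAME = "shorks.gay zulip";
+SETTING_SOCIAL_AUTH_OIDC_ENABLED_IDPS = ''{
+"keycloak": {
+"oidc_url": "https://account.shorks.gay/realms/shorks/",
+"display_name": "shorks.gay account",
+"display_icon": None,
+"client_id": "zulip",
+"secret": get_secret("social_auth_oidc_secret"),
+}
+}'';
+ZULIP_AUTH_BACKENDS = "GenericOpenIdConnectBackend";
+};
+environmentFiles = [
+config.age.secrets.zulip-env.path
+];
+ports = [
+"8080:80"
+];
+volumes = [
+"/var/lib/zulip:/data"
+];
+};
+}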
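Review bot: `ports = [ "8080:80" ];` on line 152 publishes the container on every host interface while `LOADBALANCER_IPS` on line 127 tells Zulip to trust forwarded client addresses from all of 100.64.0.0/10 and 10.0.0.0/8, so any peer in those ranges that can reach port 8080 directly can present a spoofed client IP to Zulip; binding the publish to the proxy-facing address, e.g. `"127.0.0.1:8080:80"`, or listing only the proxy's own address in `LOADBALANCER_IPS` closes that gap. The `# TODO: move to agenix secret` comment on line 108 is stale, since line 109 already reads `config.age.secrets.zulip-redis.path`. `SETTING_EMAIL_USE_TLS = "True"` together with `SETTING_EMAIL_PORT = "465"` looks inconsistent: Django's `EMAIL_USE_TLS` means STARTTLS, whereas port 465 is normally implicit TLS and wants `EMAIL_USE_SSL` instead, so this is worth checking against the provider's documentation. `services.memcached` and `services.rabbitmq` also listen on all addresses (lines 98 and 102) with no authentication visible in this file, so they rely entirely on the firewall configured elsewhere.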


@ -8,4 +8,6 @@ let
in in
{ {
"keycloakPostgres.age".publicKeys = users ++ systems; "keycloakPostgres.age".publicKeys = users ++ systems;
"zulip-redis.age".publicKeys = users ++ systems;
"zulip-env.age".publicKeys = users ++ systems;
} }
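Review bot: Both new secrets on lines 166–167 get `users ++ systems` as recipients, the same set as `keycloakPostgres.age`; if `systems` holds every host's key, any host can decrypt the Zulip Redis password and env file, not only the one that runs Zulip. Scoping them to that host, e.g. `"zulip-env.age".publicKeys = users ++ [ <zulip host key> ];`, limits what a compromise of another host exposes. The `let` block defining `users` and `systems` is outside the hunk, so this is an inference to confirm.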

secrets/zulip-env.age Normal file

Binary file not shown.

secrets/zulip-redis.age Normal file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 CEw3Tw 8WPerIwjvZEtJuC4m1cUqHgIiTGjTZfV1k3ohZn9ni0
bj6iQvWtO2gP79DrHYECA0Pl8tzN/ArGT/dbe1pM9Hc
-> ssh-ed25519 8o9woQ FtOzkNfHgBL/RA63DrSMd9ZJPoBjdY691ISrwgXnLUw
rXo7ofH9ZG1Nx5H4p+xBQhmUUh4Dz0wzGftRw58zCas
--- NjD1Cw5pZK+fnhWT6TCF0TbiRN79brRwzP9GkU3wC9U
búñpbÿÅßöµ<EFBFBD>(½‹¡ð·;³ÇpþîÒß·\è)ÚëüÄþûb)/ÐcœJ\¿„ü½ÐX):.<2E>DŠr,N
@h¼°öÇx×d=iÆiÁ½ B ùú:’úÁþ