feat(amy): add configs for zulip

2024-07-08 00:11:06 +01:00 · 2024-07-08 00:11:06 +01:00 · 6216c95200
commit 6216c95200
parent 1acf766012
9 changed files with 121 additions and 1 deletions
--- a/flake.nix
+++ b/flake.nix
@ -152,6 +152,7 @@
        ./roles/keycloak.nix
        ./roles/podman.nix
        ./roles/postgres.nix
+        ./roles/zulip.nix
        home-manager-stable.nixosModules.home-manager
        {
          home-manager.useGlobalPkgs = true;
--- a/roles/iceshrimp.nix
+++ b/roles/iceshrimp.nix
@ -2,7 +2,7 @@
  services.redis.servers.iceshrimp = {
    enable = true;
    port = 6380;
-    bind = "100.93.214.57";
+    bind = "0.0.0.0";
    settings.protected-mode = "no";
  };

--- a/roles/podman.nix
+++ b/roles/podman.nix
@ -4,4 +4,5 @@
  environment.systemPackages = with pkgs; [
    podman-compose
  ];
+  networking.firewall.trustedInterfaces = ["podman0"];
 }
--- a/roles/postgres.nix
+++ b/roles/postgres.nix
@ -31,6 +31,7 @@
      # ipv4
      host  all      all     127.0.0.1/32   scram-sha-256
      host  all      all     100.64.0.0/10  scram-sha-256
+      host  all      all     10.0.0.0/8     scram-sha-256
      # ipv6
      host all       all     ::1/128        scram-sha-256
    '';
--- a/roles/zulip-db.nix
+++ b/roles/zulip-db.nix
@ -0,0 +1,30 @@
+{ config, pkgs, ... }: {
+  services.postgresql = {
+    extraPlugins = ps: with ps; [
+      pgroonga
+      (pkgs.stdenv.mkDerivation {
+        name = "zulip-dicts";
+        phases = "installPhase";
+        src = pkgs.fetchurl {
+          url = "https://raw.githubusercontent.com/zulip/zulip/dd678465aed915101f9a74054e28535bbdd88ba3/puppet/zulip/files/postgresql/zulip_english.stop";
+          hash = "sha256-F3CmCRkkPURN9Uo7KIFxkajSJsiTYQg1wubKCF2+bAs=";
+        };
+        installPhase = ''
+        mkdir -p $out/share/postgresql/tsearch_data/
+        ln -s ${pkgs.hunspellDicts.en_US}/share/hunspell/en_US.dic $out/share/postgresql/tsearch_data/en_us.dict
+        ln -s ${pkgs.hunspellDicts.en_US}/share/hunspell/en_US.aff $out/share/postgresql/tsearch_data/en_us.affix
+        cp $src $out/share/postgresql/tsearch_data/zulip_english.stop
+        '';
+      })
+    ];
+
+    ensureDatabases = [ "zulip" ];
+    ensureUsers = [
+      {
+        name = "zulip";
+        ensureDBOwnership = true;
+        ensureClauses.login = true;
+      }
+    ];
+  };
+}
--- a/roles/zulip.nix
+++ b/roles/zulip.nix
@ -0,0 +1,77 @@
+{ config, pkgs, ... }: {
+  imports = [ ./zulip-db.nix ];
+
+  age.secrets.zulip-env.file = ../secrets/zulip-env.age;
+  age.secrets.zulip-redis.file = ../secrets/zulip-redis.age;
+
+  services.memcached = {
+    enable = true;
+    listen = "0.0.0.0";
+  };
+
+  services.rabbitmq = {
+    enable = true;
+    listenAddress = "::";
+  };
+
+  services.redis.servers.zulip = {
+    enable = true;
+    port = 6381;
+    bind = "0.0.0.0";
+    # TODO: move to agenix secret
+    requirePassFile = config.age.secrets.zulip-redis.path;
+  };
+
+  virtualisation.oci-containers.containers.zulip = {
+    image = "zulip/docker-zulip:8.4-0";
+    autoStart = false;
+    environment = {
+      DB_HOST = "host.containers.internal";
+      DB_HOST_PORT = "5432";
+      DB_USER = "zulip";
+
+      SETTING_MEMCACHED_LOCATION = "host.containers.internal:11211";
+      SETTING_RABBITMQ_HOST = "host.containers.internal";
+      SETTING_RABBITMQ_USERNAME = "zulip";
+      SETTING_REDIS_HOST = "host.containers.internal";
+      SETTING_REDIS_PORT = "6381";
+
+      SETTING_EXTERNAL_HOST = "chat.shorks.gay";
+      SETTING_ZULIP_ADMINISTRATOR = "zulip@shorks.gay";
+
+      DISABLE_HTTPS = "true";
+      SSL_CERTIFICATE_GENERATION = "self-signed";
+      LOADBALANCER_IPS = "100.64.0.0/10,10.0.0.0/8";
+      QUEUE_WORKERS_MULTIPROCESS = "false";
+
+      SETTING_EMAIL_HOST = "smtp.migadu.com";
+      SETTING_EMAIL_HOST_USER = "shorks@shorks.gay";
+      SETTING_EMAIL_USE_TLS = "True";
+      SETTING_EMAIL_PORT = "465";
+      SETTING_ADD_TOKENS_TO_NOREPLY_ADDRESS = "True";
+      SETTING_TOKENIZED_NOREPLY_EMAIL_ADDRESS = "chat+{token}@shorks.gay";
+      SETTING_NOREPLY_EMAIL_ADDRESS = "chat@shorks.gay";
+      SETTING_INSTALLATION_NAME = "shorks.gay zulip";
+      SETTING_SOCIAL_AUTH_OIDC_ENABLED_IDPS = ''{
+  "keycloak": {
+    "oidc_url": "https://account.shorks.gay/realms/shorks/",
+    "display_name": "shorks.gay account",
+    "display_icon": None,
+    "client_id": "zulip",
+    "secret": get_secret("social_auth_oidc_secret"),
+  }
+}'';
+
+      ZULIP_AUTH_BACKENDS = "GenericOpenIdConnectBackend";
+    };
+    environmentFiles = [
+      config.age.secrets.zulip-env.path
+    ];
+    ports = [
+      "8080:80"
+    ];
+    volumes = [
+      "/var/lib/zulip:/data"
+    ];
+  };
+}
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -8,4 +8,6 @@ let
 in
 {
  "keycloakPostgres.age".publicKeys = users ++ systems;
+  "zulip-redis.age".publicKeys = users ++ systems;
+  "zulip-env.age".publicKeys = users ++ systems;
 }
--- a/secrets/zulip-env.age
+++ b/secrets/zulip-env.age
--- a/secrets/zulip-redis.age
+++ b/secrets/zulip-redis.age
@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 CEw3Tw 8WPerIwjvZEtJuC4m1cUqHgIiTGjTZfV1k3ohZn9ni0
+bj6iQvWtO2gP79DrHYECA0Pl8tzN/ArGT/dbe1pM9Hc
+-> ssh-ed25519 8o9woQ FtOzkNfHgBL/RA63DrSMd9ZJPoBjdY691ISrwgXnLUw
+rXo7ofH9ZG1Nx5H4p+xBQhmUUh4Dz0wzGftRw58zCas
+--- NjD1Cw5pZK+fnhWT6TCF0TbiRN79brRwzP9GkU3wC9U
+búñpbÿÅßöµ<EFBFBD>(½‹¡ð·;³ÇpþîÒß·\è)ÚëüÄþûb)/ÐcœJ\¿„ü½ÐX):.<2E>DŠr,N
+‚@h¼°öÇ.µx×d=iÆiÁ½
B	ùú:’úÁþ