setup grist

xanderio · Jun 15, 2024 · 0d60dd1 · 0d60dd1
1 parent 4e604e4
commit 0d60dd1
Show file tree

Hide file tree

Showing 4 changed files with 78 additions and 0 deletions.
diff --git a/.sops.yaml b/.sops.yaml
@@ -90,3 +90,9 @@ creation_rules:
       - age:
         - *xanderio
         - *carrot
+
+  - path_regex: secrets/services/grist.yaml
+    key_groups:
+      - age:
+        - *xanderio
+        - *carrot
diff --git a/hosts/carrot/default.nix b/hosts/carrot/default.nix
@@ -11,6 +11,7 @@
     ./matrix.nix
     ./outline.nix
     ./mail.nix
+    ./grist.nix
 
     ./disko-config.nix
   ];

diff --git a/hosts/carrot/grist.nix b/hosts/carrot/grist.nix
@@ -0,0 +1,39 @@
+{ config, ... }: {
+  config = {
+    x.sops.secrets."services/grist/env" = {
+      group = "${config.virtualisation.oci-containers.backend}";
+      mode = "0440";
+    };
+
+    virtualisation.oci-containers.containers.grist = {
+      image = "gristlabs/grist";
+      autoStart = true;
+      environment = {
+        APP_HOME_URL = "https://grist.xanderio.de";
+        GRIST_OIDC_IDP_ISSUER = "https://sso.xanderio.de/application/o/grist/.well-known/openid-configuration";
+        GRIST_OIDC_IDP_CLIENT_ID = "grist";
+        GRIST_FORCE_LOGIN = "1";
+      };
+      environmentFiles = [
+        config.sops.secrets."services/grist/env".path
+      ];
+
+      volumes = [ "/var/lib/grist:/persist" ];
+      ports = [ "8484:8484" ];
+    };
+
+    systemd.services."${config.virtualisation.oci-containers.backend}-grist".serviceConfig = {
+      StateDirectory = "grist";
+    };
+
+    services.nginx.virtualHosts."grist.xanderio.de" = {
+      enableACME = true;
+      forceSSL = true;
+      kTLS = true;
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:8484";
+        proxyWebsockets = true;
+      };
+    };
+  };
+}
diff --git a/secrets/services/grist.yaml b/secrets/services/grist.yaml
@@ -0,0 +1,32 @@
+services:
+    grist:
+        env: ENC[AES256_GCM,data:MPnRAdvUF8L0X2m3f8emPQR9Gy1jevnyZOXjig73FOKc1TI33URu0T8lMYi+Uekjt5vA9cxE/FYTBlYxsey7dPJvAVClDvTqoUsOtvL++foY6StON/t729zXYqGlWAHTiDtXSWu5EIh143zuXO3TQzy8fM7L9dwfyhVybSaree4esFhzYGGT1opojZdqbHr6DIGAGLJZMC6cogbevw==,iv:/iliMeKlUlSMblZ1GlqDr3qSKV3Wm+llYCKp8tesUNQ=,tag:aeFOtoM6aPz+9eD/MlxmoQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1ftsxs8qj86g6v28f69qalwg2a85rd0vxh8zm304k3p4uv63x5yesd44w56
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQ1JwUkRTajJsODJZM1NP
+            MkVUN3VhTnBaT1J6TW1XMUhSa1lhbzJJcVVRClg0dEJ1NjBRV2ZZb29aTXBIajlp
+            b0Fhc1RUUFNSMmNZcHl5TUtPZmkxMVUKLS0tIGZlVnF3V0Zrb2dmajhzMkNxZnph
+            RlE2TmVqbVBPS05qb1BZZFI0RzlZTzgK/bORTv9fsKIyTus7+vBrJJyEqL41VhrV
+            2w196r6JE2tC5HeoyuDmw+zy+PkfxcYmSCZdb7CDrRT3g1R5ju3U6A==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1vnu25nrzx8535t2x9exp8uger5x25tj4ak309rdjfw6mhetqeekqu6c0cc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBybFZnVE41SVZNYkpqSkJp
+            QWFTREx3NmRvZGZhOE9NdU5OeHM1RUtqREYwCjdGTm9KeG5DU01BNG5VMEJuazlp
+            c2VQTXk3ZUZBRE1COXZDT1c4eFJJS1EKLS0tIDg1aU52OEcyY2tJb1hid054ZVl6
+            R1Fad1hIS092Q2ZFRVl1YmFISnNsd1EKxVPN/3LBgNW8VgvyM+KdKaESJsDhMAI4
+            2cZibB5kUUB+beNvROR/skSzMV9Y2cRr7ISNz9qiSMkDcyZWYKqtaw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-06-15T13:28:27Z"
+    mac: ENC[AES256_GCM,data:DQimCkADsZdJn5pFB9elRwgiKU7H57PyBWsU3eLc/a3RcW9zZ0cm3MHXEeDDbaIf893kwzWX+cwFeLWjCqKgVjbxuck0NYSNfvlR+5oq77ciFPAUC2bgK58daSTWOme8k8xtsXhuhbiba7Pj87KqB04wbFJ8nZB3zkGxwZykBR0=,iv:eEG/Q39VKWhEhpa9roHu31ThZCu/+ciF25AhjiVqL4s=,tag:qG6hUX7dyUPnqfFwTNvDNQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1