From 0d60dd125ab6e03aef51c0a8a61c529ca1e62181 Mon Sep 17 00:00:00 2001
From: Alexander Sieg
Date: Sat, 15 Jun 2024 15:49:42 +0200
Subject: [PATCH] setup grist

---
 .sops.yaml | 6 ++++++
 hosts/carrot/default.nix | 1 +
 hosts/carrot/grist.nix | 39 +++++++++++++++++++++++++++++++++++++
 secrets/services/grist.yaml | 32 ++++++++++++++++++++++++++++++
 4 files changed, 78 insertions(+)
 create mode 100644 hosts/carrot/grist.nix
 create mode 100644 secrets/services/grist.yaml

diff --git a/.sops.yaml b/.sops.yaml
index e73b7d6..5c6b64c 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -90,3 +90,9 @@ creation_rules:
 - age:
 - *xanderio
 - *carrot
+
+ - path_regex: secrets/services/grist.yaml
+ key_groups:
+ - age:
+ - *xanderio
+ - *carrot
diff --git a/hosts/carrot/default.nix b/hosts/carrot/default.nix
index 1cc32f5..2229bc7 100644
--- a/hosts/carrot/default.nix
+++ b/hosts/carrot/default.nix
@@ -11,6 +11,7 @@
 ./matrix.nix
 ./outline.nix
 ./mail.nix
+ ./grist.nix
 ./disko-config.nix
 ];
 
diff --git a/hosts/carrot/grist.nix b/hosts/carrot/grist.nix
new file mode 100644
index 0000000..14bad83
--- /dev/null
+++ b/hosts/carrot/grist.nix
@@ -0,0 +1,39 @@
+{ config, ... }: {
+ config = {
+ x.sops.secrets."services/grist/env" = {
+ group = "${config.virtualisation.oci-containers.backend}";
+ mode = "0440";
+ };
+
+ virtualisation.oci-containers.containers.grist = {
+ image = "gristlabs/grist";
+ autoStart = true;
+ environment = {
+ APP_HOME_URL = "https://grist.xanderio.de";
+ GRIST_OIDC_IDP_ISSUER = "https://sso.xanderio.de/application/o/grist/.well-known/openid-configuration";
+ GRIST_OIDC_IDP_CLIENT_ID = "grist";
+ GRIST_FORCE_LOGIN = "1";
+ };
+ environmentFiles = [
+ config.sops.secrets."services/grist/env".path
+ ];
+
+ volumes = [ "/var/lib/grist:/persist" ];
+ ports = [ "8484:8484" ];
+ };
+
+ systemd.services."${config.virtualisation.oci-containers.backend}-grist".serviceConfig = {
+ StateDirectory = "grist";
+ };
+
+ services.nginx.virtualHosts."grist.xanderio.de" = {
+ enableACME = true;
+ forceSSL = true;
+ kTLS = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8484";
+ proxyWebsockets = true;
+ };
+ };
+ };
+}
diff --git a/secrets/services/grist.yaml b/secrets/services/grist.yaml
new file mode 100644
index 0000000..4c78342
--- /dev/null
+++ b/secrets/services/grist.yaml
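Review bot: `ports = [ "8484:8484" ];` publishes the Grist container port on every host interface, while the nginx vhost further down in the same file only ever proxies to `http://127.0.0.1:8484`, so anyone who can reach the host on 8484 gets a plaintext path around the TLS terminator, and with Docker-style port publishing the host firewall is typically bypassed as well. Restricting the publication to loopback keeps nginx as the only entry point: `ports = [ "127.0.0.1:8484:8484" ];`. `GRIST_FORCE_LOGIN = "1"` still applies to direct connections, so what is exposed is the unencrypted transport rather than unauthenticated access, but there is no reason to offer it. Which backend `virtualisation.oci-containers.backend` resolves to is not visible in this hunk, so the firewall-bypass part is worth confirming for the host.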
@@ -0,0 +1,32 @@ +services: + grist: + env: ENC[AES256_GCM,data:MPnRAdvUF8L0X2m3f8emPQR9Gy1jevnyZOXjig73FOKc1TI33URu0T8lMYi+Uekjt5vA9cxE/FYTBlYxsey7dPJvAVClDvTqoUsOtvL++foY6StON/t729zXYqGlWAHTiDtXSWu5EIh143zuXO3TQzy8fM7L9dwfyhVybSaree4esFhzYGGT1opojZdqbHr6DIGAGLJZMC6cogbevw==,iv:/iliMeKlUlSMblZ1GlqDr3qSKV3Wm+llYCKp8tesUNQ=,tag:aeFOtoM6aPz+9eD/MlxmoQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1ftsxs8qj86g6v28f69qalwg2a85rd0vxh8zm304k3p4uv63x5yesd44w56 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQ1JwUkRTajJsODJZM1NP + MkVUN3VhTnBaT1J6TW1XMUhSa1lhbzJJcVVRClg0dEJ1NjBRV2ZZb29aTXBIajlp + b0Fhc1RUUFNSMmNZcHl5TUtPZmkxMVUKLS0tIGZlVnF3V0Zrb2dmajhzMkNxZnph + RlE2TmVqbVBPS05qb1BZZFI0RzlZTzgK/bORTv9fsKIyTus7+vBrJJyEqL41VhrV + 2w196r6JE2tC5HeoyuDmw+zy+PkfxcYmSCZdb7CDrRT3g1R5ju3U6A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1vnu25nrzx8535t2x9exp8uger5x25tj4ak309rdjfw6mhetqeekqu6c0cc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBybFZnVE41SVZNYkpqSkJp + QWFTREx3NmRvZGZhOE9NdU5OeHM1RUtqREYwCjdGTm9KeG5DU01BNG5VMEJuazlp + c2VQTXk3ZUZBRE1COXZDT1c4eFJJS1EKLS0tIDg1aU52OEcyY2tJb1hid054ZVl6 + R1Fad1hIS092Q2ZFRVl1YmFISnNsd1EKxVPN/3LBgNW8VgvyM+KdKaESJsDhMAI4 + 2cZibB5kUUB+beNvROR/skSzMV9Y2cRr7ISNz9qiSMkDcyZWYKqtaw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-15T13:28:27Z" + mac: ENC[AES256_GCM,data:DQimCkADsZdJn5pFB9elRwgiKU7H57PyBWsU3eLc/a3RcW9zZ0cm3MHXEeDDbaIf893kwzWX+cwFeLWjCqKgVjbxuck0NYSNfvlR+5oq77ciFPAUC2bgK58daSTWOme8k8xtsXhuhbiba7Pj87KqB04wbFJ8nZB3zkGxwZykBR0=,iv:eEG/Q39VKWhEhpa9roHu31ThZCu/+ciF25AhjiVqL4s=,tag:qG6hUX7dyUPnqfFwTNvDNQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1