From 700b505de49cc159db3b80ef8fe077b567832b43 Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Fri, 14 Jul 2023 12:18:27 +0000
Subject: [PATCH] Add Wekan

---
 machines/raven/services/default.nix | 1 +
 machines/raven/services/wekan.nix | 95 +++++++++++++++++++++++++++++
 2 files changed, 96 insertions(+)
 create mode 100644 machines/raven/services/wekan.nix

diff --git a/machines/raven/services/default.nix b/machines/raven/services/default.nix
index 0a789d0..a26ab2d 100644
--- a/machines/raven/services/default.nix
+++ b/machines/raven/services/default.nix
@@ -7,5 +7,6 @@
     ./freeradius.nix
     ./labsync
     ./unifi-controller.nix
+    ./wekan.nix
   ];
 }
diff --git a/machines/raven/services/wekan.nix b/machines/raven/services/wekan.nix
new file mode 100644
index 0000000..d137f2e
--- /dev/null
+++ b/machines/raven/services/wekan.nix
@@ -0,0 +1,95 @@
+{ config, lib, pkgs, ... }:
+let
+  databaseName = "wekandb";
+  port = 8001;
+  domain = "wekan.fablab-nea.de";
+  url = "https://${domain}";
+
+  directories = {
+    db = "/var/lib/wekan/db";
+    dbDump = "/var/lib/wekan/db-dump";
+    data = "/var/lib/wekan/data";
+  };
+in
+{
+  virtualisation.oci-containers = {
+    backend = "podman";
+    containers = {
+      wekan = {
+        autoStart = true;
+        image = "ghcr.io/wekan/wekan:latest";
+        environment = {
+          WRITABLE_PATH = "/data";
+          MONGO_URL = "mongodb://${databaseName}:27017/wekan";
+          ROOT_URL = url;
+          #WITH_API = "true";
+          RICHER_CARD_COMMENT_EDITOR = "false";
+          CARD_OPENED_WEBHOOK_ENABLED = "false";
+          BIGEVENTS_PATTERN = "NONE";
+          BROWSER_POLICY_ENABLED = "true";
+        };
+        ports = [
+          "127.0.0.1:${toString port}:8080"
+        ];
+        dependsOn = [ databaseName ];
+        volumes = [
+          "/etc/localtime:/etc/localtime:ro"
+          "${directories.data}:/data:rw"
+        ];
+        extraOptions = [ "--network=wekan-tier" ];
+      };
+      "${databaseName}" = {
+        autoStart = true;
+        image = "mongo:6";
+        cmd = [ "mongod" "--logpath" "/dev/null" "--oplogSize" "128" "--quiet" ];
+        volumes = [
+          "/etc/localtime:/etc/localtime:ro"
+          #"/etc/timezone:/etc/timezone:ro"
+          "${directories.db}:/data/db"
+          "${directories.dbDump}:/dump"
+        ];
+        extraOptions = [ "--network=wekan-tier" ];
+      };
+    };
+  };
+
+  # Create the wekan-tier netowrk
+  systemd.services.init-filerun-network-and-files = {
+    description = "Create the network bridge wekan-tier for WeKan.";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig.Type = "oneshot";
+    script =
+      let podmancli = "${pkgs.podman}/bin/podman";
+      in ''
+        check=$(${podmancli} network ls | grep "wekan-tier" || true)
+        if [ -z "$check" ]; then
+          ${podmancli} network create wekan-tier
+        else
+          echo "wekan-tier already exists"
+        fi
+      '';
+  };
+
+  system.activationScripts.makeWekanDirectories = lib.stringAfter [ "var" ] ''
+    mkdir -p "${directories.db}"
+    mkdir -p "${directories.dbDump}"
+    mkdir -p "${directories.data}"
+    chown 999:999 "${directories.data}"
+  '';
+
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+    extraConfig = ''
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header X-XSS-Protection "1; mode=block";
+      add_header X-Content-Type-Options "nosniff";
+    '';
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString port}";
+    };
+  };
+}
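Review bot: The container units are not ordered after the network-creation oneshot, so on a fresh boot `podman-wekan.service` and `podman-wekandb.service` can start before `wekan-tier` exists; `after = [ "network.target" ]` plus `wantedBy` on `init-filerun-network-and-files` gives no ordering relative to them, and adding `before = [ "podman-wekan.service" "podman-wekandb.service" ];` to that unit (or the matching `after`/`requires` on the container units) closes the gap. The unit name looks copy-pasted from a FileRun module, and the comment typo `netowrk` should be fixed while renaming it to something Wekan-specific. Both images float (`ghcr.io/wekan/wekan:latest` and `mongo:6`), so any pull can silently change what runs; pinning to a digest such as `image = "ghcr.io/wekan/wekan@sha256:<digest-placeholder>"` keeps the deployment reproducible and auditable. Wekan relies on WebSocket upgrades through the reverse proxy, yet `locations."/"` lacks `proxyWebsockets = true;`, and with `ROOT_URL` set to https nothing here sets `X-Forwarded-Proto` unless `recommendedProxySettings` is enabled elsewhere in the nginx config. MongoDB runs without authentication and is reachable by anything attached to `wekan-tier`, which is acceptable only as long as that network stays private to these two containers.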