Add Wekan

2023-07-14 12:18:27 +00:00 · 2023-07-14 12:18:27 +00:00 · 700b505de4
commit 700b505de4
parent fbca9cf7e0
2 changed files with 96 additions and 0 deletions
--- a/machines/raven/services/default.nix
+++ b/machines/raven/services/default.nix
@ -7,5 +7,6 @@
    ./freeradius.nix
    ./labsync
    ./unifi-controller.nix
+    ./wekan.nix
  ];
 }
--- a/machines/raven/services/wekan.nix
+++ b/machines/raven/services/wekan.nix
@ -0,0 +1,95 @@
+{ config, lib, pkgs, ... }:
+let
+  databaseName = "wekandb";
+  port = 8001;
+  domain = "wekan.fablab-nea.de";
+  url = "https://${domain}";
+
+  directories = {
+    db = "/var/lib/wekan/db";
+    dbDump = "/var/lib/wekan/db-dump";
+    data = "/var/lib/wekan/data";
+  };
+in
+{
+  virtualisation.oci-containers = {
+    backend = "podman";
+    containers = {
+      wekan = {
+        autoStart = true;
+        image = "ghcr.io/wekan/wekan:latest";
+        environment = {
+          WRITABLE_PATH = "/data";
+          MONGO_URL = "mongodb://${databaseName}:27017/wekan";
+          ROOT_URL = url;
+          #WITH_API = "true";
+          RICHER_CARD_COMMENT_EDITOR = "false";
+          CARD_OPENED_WEBHOOK_ENABLED = "false";
+          BIGEVENTS_PATTERN = "NONE";
+          BROWSER_POLICY_ENABLED = "true";
+        };
+        ports = [
+          "127.0.0.1:${toString port}:8080"
+        ];
+        dependsOn = [ databaseName ];
+        volumes = [
+          "/etc/localtime:/etc/localtime:ro"
+          "${directories.data}:/data:rw"
+        ];
+        extraOptions = [ "--network=wekan-tier" ];
+      };
+      "${databaseName}" = {
+        autoStart = true;
+        image = "mongo:6";
+        cmd = [ "mongod" "--logpath" "/dev/null" "--oplogSize" "128" "--quiet" ];
+        volumes = [
+          "/etc/localtime:/etc/localtime:ro"
+          #"/etc/timezone:/etc/timezone:ro"
+          "${directories.db}:/data/db"
+          "${directories.dbDump}:/dump"
+        ];
+        extraOptions = [ "--network=wekan-tier" ];
+      };
+    };
+  };
+
+  # Create the wekan-tier netowrk
+  systemd.services.init-filerun-network-and-files = {
+    description = "Create the network bridge wekan-tier for WeKan.";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+
+    serviceConfig.Type = "oneshot";
+    script =
+      let podmancli = "${pkgs.podman}/bin/podman";
+      in ''
+        check=$(${podmancli} network ls | grep "wekan-tier" || true)
+        if [ -z "$check" ]; then
+          ${podmancli} network create wekan-tier
+        else
+          echo "wekan-tier already exists"
+        fi
+      '';
+  };
+
+  system.activationScripts.makeWekanDirectories = lib.stringAfter [ "var" ] ''
+    mkdir -p "${directories.db}"
+    mkdir -p "${directories.dbDump}"
+    mkdir -p "${directories.data}"
+    chown 999:999 "${directories.data}"
+  '';
+
+  services.nginx.virtualHosts."${domain}" = {
+    enableACME = true;
+    forceSSL = true;
+    extraConfig = ''
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+      add_header X-Frame-Options "SAMEORIGIN";
+      add_header X-XSS-Protection "1; mode=block";
+      add_header X-Content-Type-Options "nosniff";
+    '';
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString port}";
+    };
+  };
+}