
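{ config, lib, pkgs, ... }:
# WeKan kanban board for ${domain}: two podman containers (the app and a
# MongoDB 6 instance) on a private podman network.  The app is published on
# the host only on loopback and served through an nginx vhost with ACME TLS.
let
  serviceName = "wekan";
  databaseName = "wekandb";
  networkName = "wekan-tier";
  # Host-side loopback port the app container is published on; nginx proxies to it.
  port = 8001;
  domain = "wekan.fablab-nea.de";
  url = "https://${domain}";
  directories = {
    db = "/var/lib/wekan/db";
    dbDump = "/var/lib/wekan/db-dump";
    data = "/var/lib/wekan/data";
  };
  # Oneshot unit that creates the podman network.  The unit name predates this
  # file (it still says "filerun") and is kept unchanged so that nothing
  # referring to it breaks; both container units are ordered after it below.
  networkServiceName = "init-filerun-network-and-files";
  # Names of the units that virtualisation.oci-containers generates for the
  # podman backend.
  appUnit = "podman-${serviceName}";
  dbUnit = "podman-${databaseName}";
  podmancli = "${pkgs.podman}/bin/podman";
in
{
  virtualisation.oci-containers = {
    backend = "podman";
    containers = {
      "${serviceName}" = {
        autoStart = true;
        # NOTE(review): a floating tag is re-pulled on every (re)start, so the
        # deployed version is not reproducible and cannot be rolled back by
        # nixos-rebuild; pin a release tag or an @sha256 digest instead,
        # e.g. "ghcr.io/wekan/wekan:<RELEASE-TAG-PLACEHOLDER>".
        image = "ghcr.io/wekan/wekan:latest";
        environment = {
          WRITABLE_PATH = "/data";
          # Unauthenticated connection over the private network; see the
          # database container below for the exposure this implies.
          MONGO_URL = "mongodb://${databaseName}:27017/wekan";
          ROOT_URL = url;
          #WITH_API = "true";
          RICHER_CARD_COMMENT_EDITOR = "false";
          CARD_OPENED_WEBHOOK_ENABLED = "false";
          BIGEVENTS_PATTERN = "NONE";
          BROWSER_POLICY_ENABLED = "true";
        };
        # Loopback only: the app is reachable from outside solely via nginx.
        ports = [
          "127.0.0.1:${toString port}:8080"
        ];
        dependsOn = [ databaseName ];
        volumes = [
          "/etc/localtime:/etc/localtime:ro"
          "${directories.data}:/data:rw"
        ];
        extraOptions = [
          "--network=${networkName}"
        ];
      };
      "${databaseName}" = {
        autoStart = true;
        image = "mongo:6";
        cmd = [ "mongod" "--logpath" "/dev/null" "--oplogSize" "128" "--quiet" ];
        # No ports are published and no credentials are configured: the database
        # is reachable, without authentication, by every container attached to
        # ${networkName} and by nothing else.  Keep this network dedicated to
        # WeKan; do not attach unrelated containers to it.
        volumes = [
          "/etc/localtime:/etc/localtime:ro"
          #"/etc/timezone:/etc/timezone:ro"
          "${directories.db}:/data/db"
          "${directories.dbDump}:/dump"
        ];
        extraOptions = [
          "--network=${networkName}"
        ];
      };
    };
  };

  systemd.services = {
    # Create the network.  Idempotent: an existing network is left alone.
    "${networkServiceName}" = {
      description = "Create the network bridge ${networkName} for WeKan.";
      after = [ "network.target" ];
      wantedBy = [ "multi-user.target" ];
      serviceConfig.Type = "oneshot";
      script = ''
        if ! ${podmancli} network ls --format '{{ .Name }}' | grep -qFx -- "${networkName}"; then
          ${podmancli} network create "${networkName}"
        else
          echo "network already exists"
        fi
      '';
    };
    # Both container units pass --network=${networkName}, which fails if the
    # network does not exist yet.  Order them after the creation unit so they
    # cannot race it at boot (dependsOn above only orders app after db).
    "${appUnit}" = {
      after = [ "${networkServiceName}.service" ];
      requires = [ "${networkServiceName}.service" ];
    };
    "${dbUnit}" = {
      after = [ "${networkServiceName}.service" ];
      requires = [ "${networkServiceName}.service" ];
    };
  };

  # Bind-mount targets must exist before the containers start.
  system.activationScripts.makeWekanDirectories = lib.stringAfter [ "var" ] ''
    mkdir -p "${directories.db}"
    mkdir -p "${directories.dbDump}"
    mkdir -p "${directories.data}"
    # presumably the uid/gid the wekan image runs as; verify against the image
    chown 999:999 "${directories.data}"
  '';

  services.nginx.virtualHosts."${domain}" = {
    enableACME = true;
    forceSSL = true;
    extraConfig = ''
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
      add_header X-Frame-Options "SAMEORIGIN";
      add_header X-XSS-Protection "1; mode=block";
      add_header X-Content-Type-Options "nosniff";
    '';
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString port}";
      # Forward Upgrade/Connection headers so the app's WebSocket connections
      # are proxied rather than downgraded; plain HTTP requests are unaffected.
      proxyWebsockets = true;
    };
  };
}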