feat: add outline

deedee-ops · Nov 11, 2024 · 5f136b4 · 5f136b4
1 parent 56eafa9
commit 5f136b4
Show file tree

Hide file tree

Showing 4 changed files with 175 additions and 2 deletions.
diff --git a/machines/deedee/secrets.sops.yaml b/machines/deedee/secrets.sops.yaml
@@ -115,6 +115,15 @@ system:
                 ADMIN_USERNAME: ENC[AES256_GCM,data:7dJuqX0=,iv:3+QR4jWD5xQoJKhYx++JlOWEERzRRy0VKYkEN8Wbze4=,tag:t6nT3otCm8unu1eGcEc7bA==,type:str]
                 HOMEPAGE_API_KEY: ENC[AES256_GCM,data:W+EMaZoB8edgv+PtgiCYbSeZTFSddplr51qHZqD2lsEnLl1goQBtp5cPJuo=,iv:a/UgKGBp2zYSAludSv+KNfzX2sXaLAVQasol24Nuf5E=,tag:RWu3sAva1MNbyRLgs7/n5A==,type:str]
                 MINIFLUX__POSTGRES_PASSWORD: ENC[AES256_GCM,data:80m7hK4wowmL2VwxlOMjnwDSJRw1c6FgOO/WwX3ZLkdX0TabpcJUTQ==,iv:7GF9skSt5hS8puIx2Cun68g0JXiRR1tONErjIIY7QAk=,tag:APZ+XBu3Vx1bNjbNmJMhcg==,type:str]
+        outline:
+            env:
+                OUTLINE_DB_PASSWORD: ENC[AES256_GCM,data:ahg3xbWajsfVYFwvnyGYOW5bK5FzZm4zGAab5H3TcvdXlEQteflq4A==,iv:Md9AE02TftnkyQFlWRSVjP0O+h1rD1ChsEKUdtvczmM=,tag:dz6r7oLzpdwkaf2IG7Fw2Q==,type:str]
+                DATABASE_URL: ENC[AES256_GCM,data:FUdfI59PhkbCCmzK+mVBSvPwy8hPS3FodDORl9Iw6WhVcvXdZHkpXjW1MSHGIv5udiVOfYTOjDm+2eYIdORKMymR9D8oZqwx5qC2IKLn5calL/JQS7DBFOwCRH1F,iv:ntBh9MZCmwUdqq/gdj/qonqDZXPPd+yfU+y0HOc0+JI=,tag:Gci5IY52Y1FM74s2uXwXbw==,type:str]
+                OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:YjnERZ3ftFKMYpe5otOB3D2gCmEHZfSwIiCS60iwX0KzZhMfA11mI0I6b7D44JE/nuH5yT4OkPhgvD5c3d8IB10X93ih3BHa,iv:OMzCtve3jaMjZvQnFY4Wt9mPKEAEZK/z0v6vmdrD64w=,tag:jv2bcV6RwXRWw289QIvDXQ==,type:str]
+                OIDC_CLIENT_SECRET_ENCRYPTED: ENC[AES256_GCM,data:AFTpRNG3jQBB1RlE4oSkzY4Gu/HG/qyLt+qcgP1Gx2/1iBFeXZ9hwx/wVnBAwfiMDF6f1YCjL1OIE5Osbi9UvdRME+QgdIZLxIr9kgjSYx2yMZBy0ZoEVdYPk4dBk8iuFfoPFvDhX5hJ00el24KcvbzJZehZ7T8CXOF53DDKpwpU1qY=,iv:ukZXoU19LBr+zUsfi5YDRp9A/cMj4o1/B7ywD5LEMgg=,tag:OASkY1ecFcvnPgEe4+mLdg==,type:str]
+                REDIS_URL: ENC[AES256_GCM,data:MiEbw22aA80ZFUyC3Gg4W2wO24KPV7C/jgq3p0e38ghNK/MZL9vjKhMIkEmJ4DzqwPeoPxLaN1CG9NQZcEaclCXIC5OAZqAfarZR,iv:FjKWTr4UEykxBNGUe2l1uSwYigNApnESOWG8UIGKXzw=,tag:gIF8oNNeEZ8qYwzlKaz4Zw==,type:str]
+                SECRET_KEY: ENC[AES256_GCM,data:tNy6Mg8zBs5urW+w1sdCA+94b7LZ6T38uwX90PVx3LDjtSZ8hens++ZJ6cUCyvRipuW+lliKrwngJUIHIUzOSw==,iv:J5Qu8UznXcsLj37PcNx7NryXzKPvKflAkP6Ayu5AM50=,tag:u8zzLz5ENzA8hWWyml4HCQ==,type:str]
+                UTILS_SECRET: ENC[AES256_GCM,data:Vjz3cXfnM9m/Xl58DNd2wPhrznQJD1fTcpON9NFH3lgooil/xkC9Sd9DxWdIuxzx5YF0FL2CzrgqtPB5nCLBnA==,iv:85+DW8JBN5L2MZ1PDAnQrFrF1lGg0WOhT2k4nF/NTeM=,tag:DCEGrGnTDmjImzmAWPM0iQ==,type:str]
         paperless-ngx:
             env:
                 HOMEPAGE_API_KEY: ENC[AES256_GCM,data:9a92OwwPXKu25Gk+QuBCHGxD4KjbNgVXgQLgWC93q9UJ8NlKa9cTXw==,iv:ZwCqMzMSmii+zol12zuPZNvLFC0bOGBzSDJe5U+8eZ8=,tag:HEKDhSg2mzU2OorvrKHNVA==,type:str]
@@ -181,8 +190,8 @@ sops:
             c3FoaFNzbjJubzlBckdDb2lNOUZtOGMKRbHxa1B3QAdredBMTd7W7g3kRz6l8uyV
             bBclsA8Gm7p+6ndV39sN+Daqm5MyggY1Prwv/Ukdd5Q+1C+XsEW6OQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-11T17:45:33Z"
-    mac: ENC[AES256_GCM,data:VJTzqlyQtiEIhRPFes8gDkzp/aH0eKO+v82UHTI6OW+nDQZ1L1gvhIHblNSMMCFwhprmWSQv+8LnKeM0sCNh04BgZ1v60RIc44onxFOpcYL6o+TzNzMp6Ln5+xESrZwF+NkdxlhfWw7ll89S40pNmGBBs7enW7pEGWwzRFzDp9A=,iv:jCDwH3OLoJzW961GbUC2AxIsKpYMKMV/PRyaUg7Zp1c=,tag:gigyVME9KMjDo4RFifzmxQ==,type:str]
+    lastmodified: "2024-11-11T19:20:59Z"
+    mac: ENC[AES256_GCM,data:VPrwWX+Rwk0pTGHhKTfjvrpWcARJCg3N3vbmGEXHCLzT5yLI2mDsKK7cluQPJOceX9u02A1fCqSU+QCLKjRNDWwnL53xXj+UQtUUhECqkmR+8dxtg/15RhWBbDwykzC39nrNrr3DXgRKBcHQ1Q9kTjnsYrPWdovuunYr6LUBS+4=,iv:l5XC1o4ogva0YEnD8wS6eoaPPiNwHAsBK2ej7TMmisM=,tag:oi8kVvZJ6ZvXmdXkTFIamw==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.1
diff --git a/modules/system/containers/default.nix b/modules/system/containers/default.nix
@@ -18,6 +18,7 @@ _: {
     ./memos
     ./miniflux
     ./navidrome
+    ./outline
     ./paperless-ngx
     ./piped
     ./prowlarr

diff --git a/modules/system/containers/outline/default.nix b/modules/system/containers/outline/default.nix
@@ -0,0 +1,147 @@
+{
+  config,
+  lib,
+  svc,
+  ...
+}:
+let
+  cfg = config.mySystemApps.outline;
+  secretEnvs = [
+    "DATABASE_URL"
+    "OIDC_CLIENT_SECRET"
+    "OUTLINE_DB_PASSWORD"
+    "REDIS_URL"
+    "SECRET_KEY"
+    "UTILS_SECRET"
+  ];
+in
+{
+  options.mySystemApps.outline = {
+    enable = lib.mkEnableOption "outline container";
+    backup = lib.mkEnableOption "postgresql and data backup" // {
+      default = true;
+    };
+    dataDir = lib.mkOption {
+      type = lib.types.str;
+      description = "Path to directory containing data.";
+      default = "/var/lib/outline";
+    };
+    sopsSecretPrefix = lib.mkOption {
+      type = lib.types.str;
+      description = "Prefix for sops secret, under which all ENVs will be appended.";
+      default = "system/apps/outline/env";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    warnings = [ (lib.mkIf (!cfg.backup) "WARNING: Backups for outline are disabled!") ];
+
+    sops.secrets = svc.mkContainerSecretsSops {
+      inherit (cfg) sopsSecretPrefix;
+      inherit secretEnvs;
+
+      containerName = "outline";
+    };
+
+    mySystemApps = {
+      postgresql.userDatabases = [
+        {
+          username = "outline";
+          passwordFile = config.sops.secrets."${cfg.sopsSecretPrefix}/OUTLINE_DB_PASSWORD".path;
+          databases = [ "outline" ];
+        }
+      ];
+
+      authelia.oidcClients = [
+        {
+          client_id = "outline";
+          client_name = "outline";
+          client_secret = "$pbkdf2-sha512$310000$0GLChtY56K3phnc1oEL.0w$YTZ0C8iMbM/acCu0gLzciwxIRk29YGaf1QuypLHBZ2foBj08fnwjgDiTMG9ptR9x2OvSsbj/0W9HGY7eQ3skcA"; # unencrypted version in SOPS
+          consent_mode = "implicit";
+          public = false;
+          authorization_policy = "two_factor";
+          redirect_uris = [
+            "https://outline.${config.mySystem.rootDomain}/auth/oidc.callback"
+          ];
+          scopes = [
+            "email"
+            "openid"
+            "profile"
+          ];
+          token_endpoint_auth_method = "client_secret_post";
+        }
+      ];
+    };
+
+    virtualisation.oci-containers.containers.outline = svc.mkContainer {
+      cfg = {
+        image = "docker.getoutline.com/outlinewiki/outline:0.81.0@sha256:d16010b73e0bfdb70a8339beb048d0703d04c48c05f474287f8d483e0d987bfe";
+        environment = {
+          ENABLE_UPDATES = "false";
+          FILE_STORAGE = "local";
+          FILE_STORAGE_LOCAL_ROOT_DIR = "/var/lib/outline/data";
+          FORCE_HTTPS = "true";
+          OIDC_AUTH_URI = "https://authelia.${config.mySystem.rootDomain}/api/oidc/authorization";
+          OIDC_CLIENT_ID = "outline";
+          OIDC_DISPLAY_NAME = "Authelia";
+          OIDC_SCOPES = "openid profile email";
+          OIDC_TOKEN_URI = "https://authelia.${config.mySystem.rootDomain}/api/oidc/token";
+          OIDC_USERINFO_URI = "https://authelia.${config.mySystem.rootDomain}/api/oidc/userinfo";
+          OIDC_USERNAME_CLAIM = "preferred_username";
+          PGSSLMODE = "disable";
+          SMTP_FROM_EMAIL = config.mySystem.notificationSender;
+          SMTP_HOST = "maddy";
+          SMTP_PORT = "25";
+          SMTP_SECURE = "false";
+          URL = "https://outline.${config.mySystem.rootDomain}";
+        };
+        environmentFiles = [ "/run/outline/env" ];
+        volumes = [ "${cfg.dataDir}/data:/var/lib/outline/data" ];
+        extraOptions = [
+          "--mount"
+          "type=tmpfs,destination=/tmp,tmpfs-mode=1777"
+          "--add-host=authelia.${config.mySystem.rootDomain}:${config.mySystemApps.docker.network.private.hostIP}"
+        ];
+      };
+    };
+
+    services = {
+      nginx.virtualHosts.outline = svc.mkNginxVHost {
+        host = "outline";
+        proxyPass = "http://outline.docker:3000";
+      };
+      postgresqlBackup = lib.mkIf cfg.backup { databases = [ "outline" ]; };
+      restic.backups = lib.mkIf cfg.backup (
+        svc.mkRestic {
+          name = "outline";
+          paths = [ cfg.dataDir ];
+        }
+      );
+    };
+
+    systemd.services.docker-outline = {
+      preStart = lib.mkAfter (
+        ''
+          mkdir -p "${cfg.dataDir}/data" "/run/outline"
+          chown 1001:1001 "${cfg.dataDir}" "${cfg.dataDir}/data"
+        ''
+        + (svc.mkSecretEnvFile {
+          inherit secretEnvs;
+          inherit (cfg) sopsSecretPrefix;
+          dest = "/run/outline/env";
+        })
+      );
+    };
+
+    environment.persistence."${config.mySystem.impermanence.persistPath}" =
+      lib.mkIf config.mySystem.impermanence.enable
+        { directories = [ cfg.dataDir ]; };
+
+    mySystemApps.homepage = {
+      services.Apps.Outline = svc.mkHomepage "outline" // {
+        icon = "outline.png";
+        description = "Notetaking system";
+      };
+    };
+  };
+}
diff --git a/modules/system/lib.nix b/modules/system/lib.nix
@@ -193,6 +193,22 @@
         env: "${config.sops.secrets."${sopsSecretPrefix}/${env}".path}:/secrets/${env}:ro"
       ) secretEnvs;
 
+    mkSecretEnvFile =
+      {
+        dest,
+        sopsSecretPrefix,
+        secretEnvs,
+      }:
+      ''
+        echo -n > ${dest}
+        chmod 600 ${dest}
+      ''
+      + builtins.concatStringsSep "\n" (
+        builtins.map (
+          env: "echo \"${env}=$(cat ${config.sops.secrets."${sopsSecretPrefix}/${env}".path})\" >> ${dest}"
+        ) secretEnvs
+      );
+
     mkRestic =
       {
         name,