diff --git a/flake.nix b/flake.nix
index 96f4d3b..3ef1297 100644
--- a/flake.nix
+++ b/flake.nix
@@ -118,7 +118,7 @@
 default = colmena.packages.${system}.colmena;
 proxmox-lxc = nixos-generators.nixosGenerate {
- inherit system pkgs specialArgs;
+ inherit system specialArgs;
 format = "proxmox-lxc";
 modules = util.base_imports ++ [ (import ./nixos/templates/proxmox-lxc.nix) ];
diff --git a/flux/olympus/apps/services/grist/external-secret.yaml b/flux/olympus/apps/services/grist/external-secret.yaml
deleted file mode 100644
index 21a84e7..0000000
--- a/flux/olympus/apps/services/grist/external-secret.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: grist
- namespace: services
-spec:
- refreshInterval: "5m"
- secretStoreRef:
- name: vault
- kind: ClusterSecretStore
- target:
- name: grist
- data:
- - secretKey: GRIST_SESSION_SECRET
- remoteRef:
- key: services/grist
- property: grist_session_secret
diff --git a/flux/olympus/apps/services/grist/grist.yaml b/flux/olympus/apps/services/grist/grist.yaml
deleted file mode 100644
index b2ce844..0000000
--- a/flux/olympus/apps/services/grist/grist.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: grist
- namespace: services
- labels:
- app: grist
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: grist
- template:
- metadata:
- labels:
- app: grist
- spec:
- volumes:
- - name: persist
- persistentVolumeClaim:
- claimName: grist
- containers:
- - name: grist-core
- image: gristlabs/grist:1.1.7
- volumeMounts:
- - name: persist
- mountPath: /persist
- env:
- - name: APP_HOME_URL
- value: "https://grist.0x76.dev"
- - name: GRIST_SINGLE_ORG
- value: ""
- - name: GRIST_SUPPORT_ANON
- value: false
- - name: PYTHON_VERSION
- value: 3
- - name: PYTHON_VERSION_ON_CREATION
- value: 3
- - name: GRIST_FORWARD_AUTH_HEADER
- value: X-Forwarded-User
- - name: GRIST_FORWARD_AUTH_LOGOUT_PATH
- value: /_oauth/logout
- envFrom:
- - secretRef:
- name: grist
- ports:
- - containerPort: 8484
diff --git a/flux/olympus/apps/services/grist/ingress.yaml b/flux/olympus/apps/services/grist/ingress.yaml
deleted file mode 100644
index c648f4e..0000000
--- a/flux/olympus/apps/services/grist/ingress.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- name: grist
- namespace: services
-spec:
- selector:
- app: grist
- ports:
- - protocol: TCP
- port: 8484
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: grist
- namespace: services
-spec:
- rules:
- - host: "grist.0x76.dev"
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: grist
- port:
- number: 8484
diff --git a/flux/olympus/apps/services/grist/kustomization.yaml b/flux/olympus/apps/services/grist/kustomization.yaml
deleted file mode 100644
index 2bb88f3..0000000
--- a/flux/olympus/apps/services/grist/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - external-secret.yaml
- - pvc.yaml
- - grist.yaml
- - ingress.yaml
diff --git a/flux/olympus/apps/services/grist/pvc.yaml b/flux/olympus/apps/services/grist/pvc.yaml
deleted file mode 100644
index eefaa64..0000000
--- a/flux/olympus/apps/services/grist/pvc.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: grist
- namespace: services
-spec:
- accessModes:
- - ReadWriteOnce
- storageClassName: local-path
- resources:
- requests:
- storage: 2Gi
diff --git a/flux/olympus/apps/services/kustomization.yaml b/flux/olympus/apps/services/kustomization.yaml
index c3536ca..4ddab70 100644
--- a/flux/olympus/apps/services/kustomization.yaml
+++ b/flux/olympus/apps/services/kustomization.yaml
@@ -2,4 +2,3 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - renovate
- - oauth2-proxy
diff --git a/flux/olympus/apps/services/oauth2-proxy/external-secret.yaml b/flux/olympus/apps/services/oauth2-proxy/external-secret.yaml
deleted file mode 100644
index c127b72..0000000
--- a/flux/olympus/apps/services/oauth2-proxy/external-secret.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: oauth2-proxy
- namespace: services
-spec:
- refreshInterval: "5m"
- secretStoreRef:
- name: vault
- kind: ClusterSecretStore
- target:
- name: oauth2-proxy
- data:
- - secretKey: OAUTH2_PROXY_CLIENT_ID
- remoteRef:
- key: services/oauth2-proxy
- property: client_id
- - secretKey: OAUTH2_PROXY_CLIENT_SECRET
- remoteRef:
- key: services/oauth2-proxy
- property: client_secret
- - secretKey: OAUTH2_PROXY_COOKIE_SECRET
- remoteRef:
- key: services/oauth2-proxy
- property: cookie_secret
diff --git a/flux/olympus/apps/services/oauth2-proxy/kustomization.yaml b/flux/olympus/apps/services/oauth2-proxy/kustomization.yaml
deleted file mode 100644
index fb4e8cd..0000000
--- a/flux/olympus/apps/services/oauth2-proxy/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - external-secret.yaml
- - oauth2-proxy.yaml
diff --git a/flux/olympus/apps/services/oauth2-proxy/oauth2-proxy.yaml b/flux/olympus/apps/services/oauth2-proxy/oauth2-proxy.yaml
deleted file mode 100644
index 68fc287..0000000
--- a/flux/olympus/apps/services/oauth2-proxy/oauth2-proxy.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- k8s-app: oauth2-proxy
- name: oauth2-proxy
- namespace: services
-spec:
- replicas: 1
- selector:
- matchLabels:
- k8s-app: oauth2-proxy
- template:
- metadata:
- labels:
- k8s-app: oauth2-proxy
- spec:
- containers:
- - args:
- - --provider=oidc
- - --provider-display2-name="Dex"
- - --oidc-issuer-url=https://dex.0x76.dev/dex
- - --redirect-url=https://o2p.0x76.dev/oauth2/callback
- - --cookie-secure=false
- - --http-address=0.0.0.0:4180
- image: quay.io/oauth2-proxy/oauth2-proxy:v7.5.1
- envFrom:
- - secretRef:
- name: oauth2-proxy
- name: oauth2-proxy
- ports:
- - containerPort: 4180
- protocol: TCP
----
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- k8s-app: oauth2-proxy
- name: oauth2-proxy
- namespace: services
-spec:
- ports:
- - name: http
- port: 4180
- protocol: TCP
- targetPort: 4180
- selector:
- k8s-app: oauth2-proxy
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: oauth2-proxy
- namespace: services
-spec:
- rules:
- - host: "o2p.0x76.dev"
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: oauth2-proxy
- port:
- number: 4180
diff --git a/nixos/hosts/olympus/default.nix b/nixos/hosts/olympus/default.nix
index d50a25a..58b6d7e 100644
--- a/nixos/hosts/olympus/default.nix
+++ b/nixos/hosts/olympus/default.nix
@@ -53,7 +53,6 @@
 exposes = {
 www.domain = "0x76.dev";
 flux.domain = "flux.0x76.dev";
- o2p.domain = "o2p.0x76.dev";
 internal.domain = "internal.xirion.net";
 blog.domain = "blog.xirion.net";
 };
@@ -61,9 +60,15 @@
 "dex" = {
 ip = "10.42.42.11";
 mac = "AE:66:7B:FA:15:72";
- exposes.dex = {
- domain = "dex.0x76.dev";
- port = 5556;
+ exposes = {
+ dex = {
+ domain = "dex.0x76.dev";
+ port = 5556;
+ };
+ o2p_proxy = {
+ domain = "o2p.0x76.dev";
+ port = 8484;
+ };
 };
 };
 "WoolooTV" = {
@@ -151,7 +156,14 @@
 ip = "10.42.42.25";
 mac = "1E:ED:97:2C:C3:9D";
 };
- # 10.42.42.26
+ "grist" = {
+ ip = "10.42.42.26";
+ mac = "B2:AA:AB:5D:2F:22";
+ exposes.grist = {
+ domain = "grist.0x76.dev";
+ port = 8484;
+ };
+ };
 "bookwyrm" = {
 ip = "10.42.42.27";
 mac = "9E:8A:6C:39:27:DE";
diff --git a/nixos/hosts/olympus/dex/configuration.nix b/nixos/hosts/olympus/dex/configuration.nix
index 3105b95..4bcbf5b 100644
--- a/nixos/hosts/olympus/dex/configuration.nix
+++ b/nixos/hosts/olympus/dex/configuration.nix
@@ -23,6 +23,8 @@ in {
 networking.firewall.allowedTCPPorts = [ port metricsPort ];
 vault-secrets.secrets.dex = { };
+ vault-secrets.secrets.oauth2_proxy = { };
+
 services = {
 postgresql = {
@@ -91,24 +93,15 @@ in {
 secretEnv = "FLUX_CLIENT_SECRET";
 }
 {
- id = "oauth2-proxy";
- name = "OAuth2 Proxy";
- redirectURIs = [ "https://o2p.0x76.dev/oauth2/callback" ];
- secretEnv = "O2P_CLIENT_SECRET";
+ id = "grist";
+ name = "grist";
+ redirectURIs = [ "https://grist.0x76.dev/oauth2/callback" ];
+ secretEnv = "GRIST_CLIENT_SECRET";
 }
 ];
 };
 environmentFile = "${vs.dex}/environment";
 };
-
- oauth2_proxy = {
- enable = true;
- provider = "oidc";
- redirectURL = "https://o2p.0x76.dev/oauth2/callback";
- cookie.secure = false;
- httpAddress = "0.0.0.0:4180";
- keyFile = "";
- };
 };
 }
diff --git a/nixos/hosts/olympus/grist/configuration.nix b/nixos/hosts/olympus/grist/configuration.nix
new file mode 100644
index 0000000..c097f5d
--- /dev/null
+++ b/nixos/hosts/olympus/grist/configuration.nix
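Review bot: The new `o2p_proxy` exposure on the `"dex"` host points at port 8484, but nothing in this commit leaves a listener on that port on that host: the `oauth2_proxy` service (which bound `0.0.0.0:4180`) is removed from `nixos/hosts/olympus/dex/configuration.nix`, whose firewall line still opens only `[ port metricsPort ]`, and 8484 is the port served by the new `"grist"` host at `10.42.42.26`. Unless something else on `10.42.42.11` listens on 8484, `o2p.0x76.dev` becomes a published hostname that proxies to a dead backend, so either drop the `o2p_proxy` block (the matching `o2p.domain` line is already removed in the preceding hunk) or point it at the service actually meant to answer there. If the hostname is kept on purpose, a one-line comment above the block saying what is expected to serve it would save the next reader this check.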
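Review bot: `vault-secrets.secrets.oauth2_proxy = { };` is added here while the `oauth2_proxy` service block that would consume it is deleted in the `@@ -91,24 +93,15 @@` hunk of the same file, so the dex host now fetches a secret that no unit in this diff references. Unused secret material on a host is needless exposure and will mislead anyone tracing where oauth2-proxy lives; drop the line, or if it is meant to back the new `grist` static client, note that `GRIST_CLIENT_SECRET` is read from `${vs.dex}/environment`, i.e. the existing `dex` secret, not from `oauth2_proxy`. The rest of this file is outside the hunk, so a consumer elsewhere cannot be ruled out from here.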
@@ -0,0 +1,42 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, ... }:
+let vs = config.vault-secrets.secrets;
+in {
+ imports = [ ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.11"; # Did you read the comment?
+ networking.firewall.allowedTCPPorts = [ 8484 ];
+
+ virtualisation.podman.enable = true;
+ virtualisation.oci-containers.backend = "podman";
+
+ vault-secrets.secrets.grist = {
+ quoteEnvironmentValues = false; # Needed for docker
+ services = [ "podman-grist" ];
+ };
+
+ virtualisation.oci-containers.containers.grist = {
+ image = "gristlabs/grist:latest";
+ environment = {
+ APP_HOME_URL = "https://grist.0x76.dev";
+ GRIST_SUPPORT_ANON = "false";
+ PYTHON_VERSION = "3";
+ PYTHON_VERSION_ON_CREATION = "3";
+
+ # Beta OIDC support
+ GRIST_OIDC_IDP_ISSUER = "https://dex.0x76.dev";
+ };
+ environmentFiles = [ "${vs.grist}/environment" ];
+ ports = [ "8484:8484" ];
+ volumes = [ "/var/lib/grist:/persist" ];
+ };
+}
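Review bot: `image = "gristlabs/grist:latest";` regresses the deleted Kubernetes Deployment, which pinned `gristlabs/grist:1.1.7`; with a floating tag every image pull on rebuild or restart can change the running version (including the still-beta OIDC code the comment mentions) with no visible change in this repo, so pin it, `image = "gristlabs/grist:1.1.7";`, or better `image = "gristlabs/grist:1.1.7@sha256:<digest>";`, and bump it deliberately. `GRIST_OIDC_IDP_ISSUER = "https://dex.0x76.dev"` also differs from the issuer the removed oauth2-proxy used (`https://dex.0x76.dev/dex`); if dex's configured issuer, which is not in this diff, still carries the `/dex` path, OIDC discovery will fail on the issuer mismatch, so confirm against the dex config. The client id and secret are presumably supplied through `${vs.grist}/environment`; a comment next to `environmentFiles` naming the variables expected from Vault (e.g. `GRIST_OIDC_IDP_CLIENT_ID`, `GRIST_OIDC_IDP_CLIENT_SECRET`) would make that contract explicit for whoever maintains the Vault path.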