setup tandoor
xanderio committed May 24, 2024
1 parent 1c74c24 commit 963abbe
Showing 4 changed files with 181 additions and 0 deletions.
9 changes: 9 additions & 0 deletions .sops.yaml
Expand Up @@ -71,3 +71,12 @@ creation_rules:
- *admin_evlli_pgp
- *admin_jcgruenhage_pgp
- *admin_transcaffeine_pgp

- path_regex: secrets/services/tandoor.yaml
key_groups:
- age:
- *admin_xanderio_age
- *host_recipes_age
pgp:
- *admin_jcgruenhage_pgp
- *admin_transcaffeine_pgp
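Review bot: The new rule for `secrets/services/tandoor.yaml` grants PGP decryption to `admin_jcgruenhage_pgp` and `admin_transcaffeine_pgp` only, while the rule directly above it also lists `admin_evlli_pgp`, and `admin_xanderio` appears only as an age recipient. If narrowing the decrypt set for this secret is intentional, a short comment above the `path_regex` line, such as `# tandoor: host + xanderio via age, jcgruenhage/transcaffeine via pgp; evlli deliberately omitted`, would stop the next editor from "fixing" it to match the other rules. The enclosing `creation_rules` list starts above the hunk, so whether other service rules follow the same narrower pattern cannot be seen here.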
1 change: 1 addition & 0 deletions hosts/recipes/default.nix
Expand Up @@ -4,6 +4,7 @@
./disko.nix
inputs.disko.nixosModules.disko
../../profiles/entropia-cluster-vm
./tandoor.nix
];

networking.hostName = "recipes";
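--- a/hosts/recipes/tandoor.nix
+++ b/hosts/recipes/tandoor.nix
@@ -0,0 +1,108 @@
+{ config, lib, pkgs, ... }: {
+config = {
+x.sops.secrets = {
+"services/tandoor/oidc_secret" = { };
+};
+
+sops.templates."tandoor-socialaccount-providers" = {
+content = builtins.toJSON {
+openid_connect = {
+OAUTH_PKCE_ENABLED = "True";
+APPS = [
+{
+provider_id = "keycloak";
+name = "Entropia SSO";
+client_id = "recipes.entropia.de";
+secret = config.sops.placeholder."services/tandoor/oidc_secret";
+settings.server_url = "https://sso.entropia.de/realms/entropia/.well-known/openid-configuration";
+}
+];
+};
+};
+};
+
+services.postgresql = {
+enable = true;
+ensureUsers = [{
+name = "tandoor_recipes";
+ensureDBOwnership = true;
+}];
+ensureDatabases = [
+"tandoor_recipes"
+];
+};
+
+services.nginx = {
+enable = true;
+virtualHosts."recipes.entropia.de" = {
+enableACME = true;
+forceSSL = true;
+kTLS = true;
+locations."/" = {
+proxyPass = "http://${config.services.tandoor-recipes.address}:${toString config.services.tandoor-recipes.port}";
+};
+locations."= /metrics" = {
+return = "404";
+};
+};
+};
+
+services.tandoor-recipes = {
+enable = true;
+extraConfig = {
+SOCIAL_PROVIDERS = "allauth.socialaccount.providers.openid_connect";
+SOCIALACCOUNT_ONLY = true;
+
+PRIVACY_URL = "https://entropia.de/Entropia:Datenschutz";
+IMPRINT_URL = "https://entropia.de/Impressum";
+
+DB_ENGINE = "django.db.backends.postgresql";
+POSTGRES_DB = "tandoor_recipes";
+
+ENABLE_METRICS = true;
+
+SORT_TREE_BY_NAME = true;
+
+# Space with ID 1 is public (entropia space)
+SOCIAL_DEFAULT_ACCESS = true;
+SOCIAL_DEFAULT_GROUP = "user";
+
+GUNICORN_MEDIA = true;
+};
+};
+
+systemd.services.tandoor-recipes = {
+serviceConfig = {
+ExecStart =
+let
+secretKeyFile = "/var/lib/tandoor-recipes/nixos-secret-key";
+
+startScript = pkgs.writeShellScript "start" ''
+export SOCIALACCOUNT_PROVIDERS=$(< ''${CREDENTIALS_DIRECTORY}/socialaccount-providers)
+if [[ ! -f '${secretKeyFile}' ]]; then
+(
+umask 0377
+tr -dc A-Za-z0-9 < /dev/urandom | head -c64 | ${pkgs.moreutils}/bin/sponge '${secretKeyFile}'
+)
+fi
+export SECRET_KEY=$(< '${secretKeyFile}')
+if [[ ! $SECRET_KEY ]]; then
+echo "SECRET_KEY is empty, refusing to start."
+exit 1
+fi
+${config.services.tandoor-recipes.package.python.pkgs.gunicorn}/bin/gunicorn recipes.wsgi
+'';
+in
+lib.mkForce startScript;
+LoadCredential = [
+"socialaccount-providers:${config.sops.templates.tandoor-socialaccount-providers.path}"
+];
+BindReadOnlyPaths = [
+config.sops.templates.tandoor-socialaccount-providers.path
+];
+};
+};
+};
+}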
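Review bot: The `startScript` passed to `pkgs.writeShellScript "start"` runs without `set -e`, so if the `tr | head` pipeline fails, `sponge` still creates `nixos-secret-key` empty or truncated; from then on the `[[ ! -f ... ]]` guard skips regeneration and the `SECRET_KEY is empty, refusing to start.` check aborts every later start until someone deletes the file by hand. Testing with `-s` and writing the key to a temporary file that is renamed into place makes generation atomic and self-healing (`pipefail` is deliberately left out because `head -c64` closes the pipe early and would make the `tr` stage report failure). The `BindReadOnlyPaths` entry for the rendered sops template looks redundant with `LoadCredential`, since the script only reads the copy under `CREDENTIALS_DIRECTORY`; dropping it would narrow the service's view of the secret path, though whether anything else relies on the bind mount cannot be seen here. A comment next to `secret = config.sops.placeholder."services/tandoor/oidc_secret";` should also note that the placeholder is substituted verbatim into the `builtins.toJSON` output, so a client secret containing `"` or `\` would produce invalid JSON.
```nix
startScript = pkgs.writeShellScript "start" ''
  set -eu  # no pipefail: head -c64 closes the pipe early and would fail the tr stage
  export SOCIALACCOUNT_PROVIDERS=$(< ''${CREDENTIALS_DIRECTORY}/socialaccount-providers)
  if [[ ! -s '${secretKeyFile}' ]]; then
    (
      umask 0377
      rm -f '${secretKeyFile}.tmp'
      tr -dc A-Za-z0-9 < /dev/urandom | head -c64 > '${secretKeyFile}.tmp'
      mv '${secretKeyFile}.tmp' '${secretKeyFile}'
    )
  fi
  # … unchanged: SECRET_KEY export, empty-key check, gunicorn exec …
'';
```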
63 changes: 63 additions & 0 deletions secrets/services/tandoor.yaml
@@ -0,0 +1,63 @@
services:
tandoor:
oidc_secret: ENC[AES256_GCM,data:ZlZMO2yL1fCkQRcCvKwmzo3rVFxm01Ic9eVW404TzwE=,iv:2tXWLyOf4HgrpJD5tfFNWl/JMgl1Snou1GZN25FtV1Q=,tag:cp4g84CPHQ8vWB/onmMZ8g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1e9yparaev0gxwmherrjpxmfzgqga5eqdw53lrnv05s3ppjgzyceqftnwpx
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2dTN5OEowZDRoNlY3L2ly
UXpuNEx0REI1eUdhZXYzRVV3OFFqYWZzSlRVCitJMXRwTDkvVmdQb05oUitSLytI
b1dnMit0KzhsVG9COGJBSWNTem50ZEUKLS0tIHhkVlFWUm8zRUJyMnppN2ZLTGJk
V3l6MmEycDhPd05FazZDbWgzOUt6UGsKwltRXlNAg6eT9hzhebr4kL3vBCRzxGK6
/o/gANqKCqJ/xMUeAgJHaVEdnf8s5yo9X6tFk8BdLbyNbDUjsqeMSg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zngzchzzy46gyn99awcw2fgn97wuv35afyqrat9442sakgv0ugls606zlr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLVmRRd3dxWE8zeFVoT1lJ
UFViUC9LVXVnbGxNekxFc05Kd3NFRTdQWmtFCmpyRmk4NzZEQytmR0U1ZHF0RWts
ald6TytIOXA0SWVCb09IenMzR2lrcHcKLS0tIHZpTks4dWZaQ2RUN1JVb1NNK1Ra
ZldiVkdNTkk4OUhadXZGczJGdWhzMG8KaFJWAVOPOeZqlrohlH1EY6Y79MCF1WLd
cbpPDxt08u5gCvlzKes1UIL3/Da0evaOv3WfycQPLxaPwZzkuQnwiw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-23T15:42:22Z"
mac: ENC[AES256_GCM,data:BYYKyQfof8m10Baszg8zrQI3cFIHYbtYXhYiiBJrRokCEUe23/OWCG2igt8N/2rJkzuFx/VKPkAoQ1vwrHTRrXno98yTuZ1Dok3Nhqr6Ryk3cvs2rcG7kHRUj06hXSJtfcwFAYn6ytv96oV/lP8GQ1ag/NOVVCbJgmHlmJ21p00=,iv:eIVeoW1vZRTSUlvPcBoO+e00bVMwas6HXTISJEc5VZg=,tag:ZQQwnH5DKr2+vPk7QEkRQg==,type:str]
pgp:
- created_at: "2024-05-21T19:07:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQJGoFMUUQaUSAQdAe5AxV6rKOXuC1IhZlmA0p1/88Dyo/nMDtsWNgimhfRkw
C3DGddkB4AtfkqLtuFJyHYwNypNNF2xcJfRWr0f1hv4FgpGb8x6CFb7d3lqe6RSv
0l4BXGadNK865LbUFAZllPRQckMe3NEp2bqqdbulJ/hCbBnUzhUNXtT8myfmO0lc
1o5nHgDlnYrBg0NFgBHA7Cz8YBRqyFcQD+SPbpdiwmUHSCSdE/Lx2V8GukYpkGxc
=SzFT
-----END PGP MESSAGE-----
fp: 09E8418B46B53B0F825DE4BE018ACF465280F466
- created_at: "2024-05-21T19:07:39Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=P2w7
-----END PGP MESSAGE-----
fp: 5E0A9CB3980657CB9AB94AE6790EAEC8F99AB41F
unencrypted_suffix: _unencrypted
version: 3.8.1
