commit 1a95edd257a4d51ae44cae8df9077279e6692e1e · ptr.pet/ark

+28 -74

hosts/wolumonde/modules/perses.nix/default.nix

···

       1
       1
        
       {

     

       2
       2
        
         pkgs,

     

       3
       3
       -
         terra,

     

       4
       3
        
         config,

     

       5
       4
        
         ...

     

       6
       5
        
       }:

     
···

       10
       9
        
         user = "perses";

     

       11
       10
        
       

     

       12
       11
        
         provisionFolder = "provisioning";

     

       12
       12
       +
         provisioningFolder = "${config.users.users.${user}.home}/${provisionFolder}";

     

       13
       13
        
       

     

       14
       14
        
         persesConfig = {

     

       15
       15
        
           database.file = {

     

       16
       16
       -
             folder = "/perses";

     

       16
       16
       +
             folder = config.users.users.${user}.home;

     

       17
       17
        
             extension = "json";

     

       18
       18
        
           };

     

       19
       19
       -
           provisioning.folders = [ "/perses/${provisionFolder}" ];

     

       19
       19
       +
           provisioning.folders = [ provisioningFolder ];

     

       20
       20
        
           security = {

     

       21
       21
        
             enable_auth = true;

     

       22
       22
        
             authentication = {

     

       23
       23
       -
               providers.oidc = [

     

       24
       24
       -
                 {

     

       25
       25
       -
                   slug_id = "pocketid";

     

       26
       26
       -
                   name = "Pocket ID";

     

       27
       27
       -
                   client_id = "aa583db6-e03c-4490-853a-7f2b3e089fbe";

     

       28
       28
       -
                   issuer = config.services.pocket-id.settings.APP_URL;

     

       29
       29
       -
                   scopes = [ "openid profile email" ];

     

       30
       30
       -
                 }

     

       31
       31
       -
               ];

     

       32
       32
       -
               disable_sign_up = true;

     

       23
       23
       +
               providers = {

     

       24
       24
       +
                 enable_native = false;

     

       25
       25
       +
                 oidc = [

     

       26
       26
       +
                   {

     

       27
       27
       +
                     slug_id = "pocketid";

     

       28
       28
       +
                     name = "Pocket ID";

     

       29
       29
       +
                     client_id = "aa583db6-e03c-4490-853a-7f2b3e089fbe";

     

       30
       30
       +
                     issuer = config.services.pocket-id.settings.APP_URL;

     

       31
       31
       +
                     scopes = [ "openid profile email" ];

     

       32
       32
       +
                   }

     

       33
       33
       +
                 ];

     

       34
       34
       +
               };

     

       35
       35
       +
               disable_sign_up = false;

     

       33
       36
        
             };

     

       34
       37
        
             cookie = {

     

       35
       38
        
               same_site = "strict";

     
···

       39
       42
        
         };

     

       40
       43
        
         persesConfigYaml = pkgs.writers.writeYAML "config.yaml" persesConfig;

     

       41
       44
        
       

     

       42
       42
       -
         persesImage = pkgs.dockerTools.pullImage {

     

       43
       43
       -
           imageName = "docker.io/persesdev/perses";

     

       44
       44
       -
           imageDigest = "sha256:7d4647ce31841f67c2361bd10ea344de1edd7fbf65711c75805a5aacdc7735d0";

     

       45
       45
       -
           sha256 = "sha256-oOQYJzGEEEkjfqlVkEGLOH3e4iywd8QnptY9UxPd1iw=";

     

       46
       46
       -
         };

     

       47
       47
       -
         persesHealthcheckImage = pkgs.dockerTools.streamLayeredImage {

     

       48
       48
       -
           name = "perses";

     

       49
       49
       -
           tag = "latest";

     

       50
       50
       -
           fromImage = persesImage;

     

       51
       51
       -
           contents = [ pkgs.curl ];

     

       52
       52
       -
           config.Entrypoint = [ "/bin/perses" ];

     

       53
       53
       -
           config.Cmd = [

     

       54
       54
       -
             "--config=${persesConfigYaml}"

     

       55
       55
       -
             "--log.level=info"

     

       56
       56
       -
             "--web.listen-address=:${toString port}"

     

       57
       57
       -
             # "--log.method-trace"

     

       58
       58
       -
           ];

     

       59
       59
       -
           config.Healthcheck = {

     

       60
       60
       -
             Test = [

     

       61
       61
       -
               "/bin/curl"

     

       62
       62
       -
               "http://localhost:${toString port}/api/v1/health"

     

       63
       63
       -
             ];

     

       64
       64
       -
             Retries = 3;

     

       65
       65
       -
           };

     

       66
       66
       -
         };

     

       67
       67
       -
       

     

       68
       68
       -
         # persesEnv = config.virtualisation.oci-containers.containers.perses.environment;

     

       69
       45
        
         secrets = config.age.secrets;

     

       70
       46
        
       in

     

       71
       47
        
       {

     

       72
       72
       -
         environment.systemPackages = [ terra.percli ];

     

       48
       48
       +
         environment.systemPackages = [ pkgs.perses ];

     

       73
       49
        
       

     

       74
       50
        
         users.users.${user} = {

     

       75
       51
        
           isNormalUser = true;

     

       76
       52
        
           group = user;

     

       77
       53
        
           home = "/var/lib/${user}";

     

       78
       54
        
           createHome = true;

     

       79
       79
       -
           linger = true;

     

       80
       80
       -
           autoSubUidGidRange = true;

     

       81
       55
        
           uid = 1001;

     

       82
       56
        
         };

     

       83
       57
        
         users.groups.${user} = {

     
···

       89
       63
        
           owner = user;

     

       90
       64
        
           group = user;

     

       91
       65
        
         };

     

       92
       92
       -
         age.secrets.persesAdminUser = {

     

       93
       93
       -
           file = ../../../../secrets/persesAdminUser.age;

     

       94
       94
       -
           owner = user;

     

       95
       95
       -
           group = user;

     

       96
       96
       -
         };

     

       97
       66
        
       

     

       98
       98
       -
         systemd.services.perses.preStart =

     

       99
       99
       -
           let

     

       100
       100
       -
             provisioningFolder = "${config.users.users.${user}.home}/${provisionFolder}";

     

       101
       101
       -
           in

     

       102
       102
       -
           ''

     

       103
       103
       -
             rm -rf ${provisioningFolder} && mkdir -p ${provisioningFolder}

     

       104
       104
       -
             cp -f ${secrets.persesAdminUser.path} ${provisioningFolder}/1-admin-user.json

     

       105
       105
       -
             cp -f ${./provision}/* ${provisioningFolder}

     

       106
       106
       -
           '';

     

       107
       107
       -
       

     

       108
       108
       -
         virtualisation.oci-containers.containers.perses = {

     

       109
       109
       -
           serviceName = "perses";

     

       110
       110
       -
           image = "perses:latest";

     

       111
       111
       -
           imageStream = persesHealthcheckImage;

     

       112
       112
       -
           autoStart = true;

     

       113
       113
       -
           # workdir = config.users.users.${user}.home;

     

       114
       114
       -
           podman = {

     

       115
       115
       -
             inherit user;

     

       116
       116
       -
             sdnotify = "healthy";

     

       67
       67
       +
         systemd.services.perses = {

     

       68
       68
       +
           description = "perses";

     

       69
       69
       +
           after = ["network.target"];

     

       70
       70
       +
           serviceConfig = {

     

       71
       71
       +
             ExecStart = "${pkgs.perses}/bin/perses --config=${persesConfigYaml} --web.listen-address=:${toString port} --log.level=info";

     

       72
       72
       +
             EnvironmentFile = secrets.persesSecret.path;

     

       73
       73
       +
             WorkingDirectory = config.users.users.${user}.home;

     

       117
       74
        
           };

     

       118
       118
       -
           environmentFiles = [ secrets.persesSecret.path ];

     

       119
       119
       -
           volumes = [

     

       120
       120
       -
             "/var/lib/perses:${persesConfig.database.file.folder}"

     

       121
       121
       -
           ];

     

       122
       122
       -
           extraOptions = [

     

       123
       123
       -
             "--network=host"

     

       124
       124
       -
           ];

     

       125
       75
        
         };

     

       76
       76
       +
         systemd.services.perses.preStart = ''

     

       77
       77
       +
           rm -rf ${provisioningFolder} && mkdir -p ${provisioningFolder}

     

       78
       78
       +
           cp -f ${./provision}/* ${provisioningFolder}

     

       79
       79
       +
         '';

     

       126
       80
        
       

     

       127
       81
        
         services.nginx.virtualHosts.${domain} = {

     

       128
       82
        
           useACMEHost = "gaze.systems"; # TODO: write a module to define vhosts for subdomains

-11

hosts/wolumonde/modules/perses.nix/provision/5-funny.yaml

···

       1
       1
       -
       {

     

       2
       2
       -
         "kind": "User",

     

       3
       3
       -
         "metadata": {

     

       4
       4
       -
           "name": "cat"

     

       5
       5
       -
         },

     

       6
       6
       -
         "spec": {

     

       7
       7
       -
           "nativeProvider": {

     

       8
       8
       -
             "password": "ziplocballs"

     

       9
       9
       -
           }

     

       10
       10
       -
         }

     

       11
       11
       -
       }

-8

hosts/wolumonde/modules/perses.nix/provision/7-funny-bind-role.yaml

···

       1
       1
       -
       - kind: GlobalRoleBinding

     

       2
       2
       -
         metadata:

     

       3
       3
       -
           name: cat

     

       4
       4
       -
         spec:

     

       5
       5
       -
           role: guest

     

       6
       6
       -
           subjects:

     

       7
       7
       -
           - kind: User

     

       8
       8
       -
             name: cat

secrets/persesAdminUser.age

This is a binary file and will not be displayed.

-4

secrets/secrets.nix

···

       38
       38
        
           yusdacra

     

       39
       39
        
           wolumonde

     

       40
       40
        
         ];

     

       41
       41
       -
         "persesAdminUser.age".publicKeys = [

     

       42
       42
       -
           yusdacra

     

       43
       43
       -
           wolumonde

     

       44
       44
       -
         ];

     

       45
       41
        
         "ratholeCreds.age".publicKeys = [

     

       46
       42
        
           yusdacra

     

       47
       43
        
           wolumonde