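# NixOS module: Taiga (back, async worker, front, events, protected) run as OCI
# containers on a dedicated Docker bridge named `taiga`, fronted by an nginx
# gateway that is only published on a loopback address. PostgreSQL runs on the
# host and is reached from the containers over the bridge gateway address.
{ config, pkgs, ... }:
let
  # OpenID Connect settings shared by the backend and taiga-front.
  # Only non-secret values live here; the client secret is expected to come
  # from the sops credential file (see the TODO on credential_environment_files).
  openid_environment = {
    ENABLE_OPENID = "True";
    OPENID_USER_URL = "https://login.clicks.codes/realms/master/protocol/openid-connect/userinfo";
    OPENID_TOKEN_URL = "https://login.clicks.codes/realms/master/protocol/openid-connect/token";
    OPENID_CLIENT_ID = "taiga";
    OPENID_NAME = "Clicks Keycloak";
    # PUBLIC_REGISTER_ENABLED = "True";
    OPENID_ID_FIELD = "sub";
    OPENID_USERNAME_FIELD = "preferred_username";
    OPENID_FULLNAME_FIELD = "name";
    OPENID_EMAIL_FIELD = "email";
    OPENID_SCOPE = "openid email";
    # Only accounts whose `taiga_access` claim is `enabled` are allowed in;
    # the claim itself has to be issued by the Keycloak realm.
    OPENID_FILTER = "enabled";
    OPENID_FILTER_FIELD = "taiga_access";
  };

  # Environment for the Django backend; taiga-back and the taiga-async worker
  # share it. No passwords or keys are set here: they are expected to be
  # provided by the credential environment file.
  backend_environment = openid_environment // {
    POSTGRES_DB = "taiga";
    POSTGRES_USER = "taiga";
    # Gateway address of the `taiga` bridge, i.e. the host (PostgreSQL is not
    # a container). Must match the --gateway passed to `docker network create`.
    POSTGRES_HOST = "172.20.0.1";
    TAIGA_SITES_SCHEME = "https";
    TAIGA_SITES_DOMAIN = "taiga.clicks.codes";
    TAIGA_SUBPATH = "";
    EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend";
    DEFAULT_FROM_EMAIL = "taiga@clicks.codes";
    # Submission port with STARTTLS; implicit TLS (SSL) is therefore off.
    EMAIL_USE_TLS = "True";
    EMAIL_USE_SSL = "False"; # not needed when using TLS
    EMAIL_HOST = "mail.clicks.codes";
    EMAIL_PORT = "587";
    EMAIL_HOST_USER = "taiga@clicks.codes";
    RABBITMQ_USER = "taiga";
    ENABLE_TELEMETRY = "False";
  };

  # Secret environment (binary .env decrypted by sops) injected into the
  # containers. NOTE(review): the same file is handed to the backend, both
  # RabbitMQ instances, events and protected, so every container can read
  # every credential in it; splitting it per service would limit what a
  # compromised container can learn.
  credential_environment_files = [
    config.sops.secrets.taiga_credentials_env.path
    # TODO: OPENID_CLIENT_SECRET
  ];

  # Host directories for uploads and collected static files. The backend
  # writes them; the gateway only serves them (mounted read-only there).
  host_static_folder = "/var/taiga/back/static";
  host_media_folder = "/var/taiga/back/media";
  backend_volumes = [
    "${host_static_folder}:/taiga-back/static"
    "${host_media_folder}:/taiga-back/media"
  ];

  # NOTE(review): "latest" is a floating tag, so every image pull may change
  # the code that runs and a rollback cannot reproduce the previous
  # deployment. Pin to a release tag (or an image digest) once one is chosen.
  taiga_version = "latest";
  taiga_base_version = "latest"; # events, etc. only have X.X.0 versions

  # Every container unit; the bridge network must exist before any of them
  # is started.
  container_services = [
    "docker-taiga-back.service"
    "docker-taiga-async.service"
    "docker-taiga-async-rabbitmq.service"
    "docker-taiga-front.service"
    "docker-taiga-events.service"
    "docker-taiga-events-rabbitmq.service"
    "docker-taiga-protected.service"
    "docker-taiga-gateway.service"
  ];

  # `requires` alone does not order units: without `after` a container may
  # be started before its dependency has been started. Always set both.
  needs = units: {
    requires = units;
    after = units;
  };
in {
  sops.secrets.taiga_credentials_env = {
    mode = "0660";
    owner = config.users.users.root.name;
    group = config.users.users.root.group;
    sopsFile = ../../secrets/taiga.env.bin;
    format = "binary";
  };

  # Lets containers on the `taiga` bridge reach the host PostgreSQL.
  # Authenticating those connections is PostgreSQL's job (pg_hba / role
  # credentials), not the firewall's.
  networking.firewall.interfaces.taiga.allowedTCPPorts = [ 5432 ];

  systemd.services = {
    # Creates the bridge once (idempotent: `inspect` succeeds on later runs).
    "docker-network-taiga" = {
      serviceConfig.Type = "oneshot";
      # The docker CLI below needs the daemon to be up.
      requires = [ "docker.service" ];
      after = [ "docker.service" ];
      wantedBy = container_services;
      # `wantedBy` only pulls this unit in; `before` makes the container
      # units wait until the network has actually been created.
      before = container_services;
      script = ''
        ${pkgs.docker}/bin/docker network inspect taiga > /dev/null 2>&1 || ${pkgs.docker}/bin/docker network create taiga --gateway 172.20.0.1 --subnet 172.20.0.0/16 --opt com.docker.network.bridge.name=taiga
      '';
    };

    docker-taiga-back = needs [
      "docker-taiga-events-rabbitmq.service"
      "docker-taiga-async-rabbitmq.service"
      "postgresql.service"
    ];
    docker-taiga-async = needs [
      "docker-taiga-events-rabbitmq.service"
      "docker-taiga-async-rabbitmq.service"
      "postgresql.service"
    ];
    docker-taiga-gateway = needs [
      "docker-taiga-front.service"
      "docker-taiga-back.service"
      "docker-taiga-events.service"
    ];
    docker-taiga-events = needs [
      "docker-taiga-events-rabbitmq.service"
    ];
  };

  virtualisation.oci-containers.containers = {
    # Django API.
    taiga-back = {
      image = "taigaio/taiga-back:${taiga_version}";
      environment = backend_environment;
      environmentFiles = credential_environment_files;
      volumes = backend_volumes;
      extraOptions = [ "--network=taiga" ];
    };

    # Background worker; same image and configuration as taiga-back.
    taiga-async = {
      image = "taigaio/taiga-back:${taiga_version}";
      environment = backend_environment;
      environmentFiles = credential_environment_files;
      volumes = backend_volumes;
      extraOptions = [ "--network=taiga" ];
    };

    # Broker for taiga-async. Not published on the host; only reachable on
    # the bridge. Default password is expected from the credential file.
    taiga-async-rabbitmq = {
      image = "rabbitmq:3.8-management-alpine";
      environment = {
        RABBITMQ_DEFAULT_USER = "taiga";
        RABBITMQ_DEFAULT_VHOST = "taiga";
      };
      environmentFiles = credential_environment_files;
      volumes = [ "/var/taiga/rabbitmq/async:/var/lib/rabbitmq" ];
      extraOptions = [ "--network=taiga" ];
    };

    # Web frontend; gets the OpenID settings so it can offer the same login.
    taiga-front = {
      image = "taigaio/taiga-front:${taiga_version}";
      environment = openid_environment // {
        TAIGA_URL = "https://taiga.clicks.codes";
        TAIGA_WEBSOCKETS_URL = "wss://taiga.clicks.codes";
        TAIGA_SUBPATH = "";
      };
      extraOptions = [ "--network=taiga" ];
    };

    # Websocket notifications, fed from its own RabbitMQ instance.
    taiga-events = {
      image = "taigaio/taiga-events:${taiga_base_version}";
      environment = {
        RABBITMQ_USER = "taiga";
      };
      environmentFiles = credential_environment_files;
      extraOptions = [ "--network=taiga" ];
    };

    # Broker for taiga-events; separate data directory from the async one.
    taiga-events-rabbitmq = {
      image = "rabbitmq:3.8-management-alpine";
      environment = {
        RABBITMQ_DEFAULT_USER = "taiga";
        RABBITMQ_DEFAULT_VHOST = "taiga";
      };
      environmentFiles = credential_environment_files;
      volumes = [ "/var/taiga/rabbitmq/events:/var/lib/rabbitmq" ];
      extraOptions = [ "--network=taiga" ];
    };

    # Serves protected attachments; MAX_AGE is the signed-URL lifetime in
    # seconds (presumably; verify against the taiga-protected docs).
    taiga-protected = {
      image = "taigaio/taiga-protected:${taiga_base_version}";
      environment = {
        MAX_AGE = "600";
      };
      environmentFiles = credential_environment_files;
      extraOptions = [ "--network=taiga" ];
    };

    # nginx entry point for the stack. Published only on a loopback address,
    # so something on the host (presumably a TLS-terminating reverse proxy)
    # has to forward traffic to it; nothing is exposed directly.
    taiga-gateway = {
      image = "nginx:1.19-alpine";
      ports = [ "127.0.0.255:1029:80/tcp" ];
      # nginx only reads these: mount them read-only so a compromised
      # gateway cannot tamper with served static files or uploads.
      volumes = [
        "${./taiga/taiga-gateway.conf}:/etc/nginx/conf.d/default.conf:ro"
        "${host_static_folder}:/taiga/static:ro"
        "${host_media_folder}:/taiga/media:ro"
      ];
      extraOptions = [ "--network=taiga" ];
    };
  };
}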