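# NixOS module running Taiga (back, async, front, events, protected) as OCI
# containers on a dedicated docker bridge network, with an nginx gateway that
# is published on loopback only.
#
# Secrets: everything in `environment` is baked into the generated systemd
# units in the world-readable nix store, so only non-secret settings belong
# there; credentials are injected from the sops-managed env file via
# `environmentFiles`.
{ config, pkgs, ... }:
let
  # OpenID Connect settings shared by the backend and the frontend containers.
  # OPENID_CLIENT_SECRET is intentionally not set here (see the TODO on the
  # credential file); it has to come from the sops env file, never from this
  # attribute set.
  openid_environment = {
    ENABLE_OPENID = "True";
    OPENID_USER_URL = "https://login.clicks.codes/realms/master/protocol/openid-connect/userinfo";
    OPENID_TOKEN_URL = "https://login.clicks.codes/realms/master/protocol/openid-connect/token";
    OPENID_CLIENT_ID = "taiga";
    OPENID_NAME = "Clicks Keycloak";

    # Self-registration stays disabled; accounts come from Keycloak only.
    # PUBLIC_REGISTER_ENABLED = "True";

    # Claim-to-field mapping for the userinfo response.
    OPENID_ID_FIELD = "sub";
    OPENID_USERNAME_FIELD = "preferred_username";
    OPENID_FULLNAME_FIELD = "name";
    OPENID_EMAIL_FIELD = "email";
    OPENID_SCOPE = "openid email";

    # NOTE(review): presumably restricts login to users whose `taiga_access`
    # claim is "enabled"; confirm against the OpenID plugin's documentation,
    # since a mis-named claim would silently let every realm user in.
    OPENID_FILTER = "enabled";
    OPENID_FILTER_FIELD = "taiga_access";
  };

  # Settings for the two taiga-back containers (API and async worker).
  # No POSTGRES_PASSWORD / EMAIL_HOST_PASSWORD / RABBITMQ_PASS here: those are
  # expected to be provided by the credential env file.
  backend_environment = openid_environment // {
    POSTGRES_DB = "taiga";
    POSTGRES_USER = "taiga";
    # Gateway address of the `taiga` bridge network created below; the host
    # firewall opens 5432 on that interface for exactly this path.
    POSTGRES_HOST = "172.20.0.1";

    TAIGA_SCHEME = "https";
    TAIGA_DOMAIN = "taiga.clicks.codes";
    TAIGA_SUBPATH = "";

    EMAIL_BACKEND = "django.core.mail.backends.smtp.EmailBackend";
    DEFAULT_FROM_EMAIL = "taiga@clicks.codes";
    EMAIL_USE_TLS = "True";
    EMAIL_USE_SSL = "False"; # not needed when using TLS
    EMAIL_HOST = "mail.clicks.codes";
    EMAIL_PORT = "587";
    EMAIL_HOST_USER = "taiga@clicks.codes";

    RABBITMQ_USER = "taiga";

    ENABLE_TELEMETRY = "False";
  };

  # One sops-managed env file holding every credential.  It is handed to all
  # containers, so each container (including the two RabbitMQ brokers) can read
  # every credential in it; splitting it per service would tighten that.
  credential_environment_files = [
    config.sops.secrets.taiga_credentials_env.path
    # TODO: OPENID_CLIENT_SECRET
  ];

  # Host directories shared between taiga-back and the nginx gateway (static
  # files and uploaded media).
  backend_volumes = [
    "/var/taiga/back/static:/taiga-back/static"
    "/var/taiga/back/media:/taiga-back/media"
  ];

  # Floating tags: each pull may resolve to a different image, so rebuilds are
  # not reproducible and upstream changes land unreviewed.  Pinning to a
  # release tag or digest is preferable once a version has been chosen.
  taiga_version = "latest";
  taiga_base_version = "latest"; # events, etc. only have X.X.0 versions

  # Units that need the docker network to exist before they start.
  network_dependents = [
    "docker-taiga-back.service"
    "docker-taiga-async.service"
    "docker-taiga-async-rabbitmq.service"
    "docker-taiga-front.service"
    "docker-taiga-events.service"
    "docker-taiga-events-rabbitmq.service"
    "docker-taiga-protected.service"
    "docker-taiga-gateway.service"
  ];

  # `requires` alone does not order units (Requires= without After=), so a
  # container could be started before the broker/database it needs is up.
  # Pair every requirement with an ordering constraint.
  dependsOn = deps: {
    requires = deps;
    after = deps;
  };
in {
  # Binary env file decrypted by sops at activation; readable by root (owner)
  # and the root group only, which is what the docker daemon runs as.
  sops.secrets.taiga_credentials_env = {
    mode = "0660";
    owner = config.users.users.root.name;
    group = config.users.users.root.group;
    sopsFile = ../../secrets/taiga.env.bin;
    format = "binary";
  };

  # Postgres is reachable from the containers only through the `taiga` bridge
  # interface (name set via com.docker.network.bridge.name below); nothing is
  # opened on other interfaces.
  networking.firewall.interfaces.taiga.allowedTCPPorts = [ 5432 ];

  systemd.services = {
    # Creates the bridge network once; idempotent because it inspects first and
    # only creates on a miss.  `wantedBy` pulls this unit in alongside the
    # containers but does not order it, so `before` is required to guarantee
    # the network exists when `docker run --network=taiga` is executed.
    "docker-network-taiga" = {
      serviceConfig.Type = "oneshot";
      wantedBy = network_dependents;
      before = network_dependents;
      script = ''
        ${pkgs.docker}/bin/docker network inspect taiga > /dev/null 2>&1 || ${pkgs.docker}/bin/docker network create taiga --gateway 172.20.0.1 --subnet 172.20.0.0/16 --opt com.docker.network.bridge.name=taiga
      '';
    };
    docker-taiga-back = dependsOn [
      "docker-taiga-events-rabbitmq.service"
      "docker-taiga-async-rabbitmq.service"
      "postgresql.service"
    ];
    docker-taiga-async = dependsOn [
      "docker-taiga-events-rabbitmq.service"
      "docker-taiga-async-rabbitmq.service"
      "postgresql.service"
    ];
    docker-taiga-gateway = dependsOn [
      "docker-taiga-front.service"
      "docker-taiga-back.service"
      "docker-taiga-events.service"
    ];
    docker-taiga-events = dependsOn [
      "docker-taiga-events-rabbitmq.service"
    ];
  };

  virtualisation.oci-containers.containers = {
    # REST API.
    taiga-back = {
      image = "taigaio/taiga-back:${taiga_version}";
      environment = backend_environment;
      environmentFiles = credential_environment_files;
      volumes = backend_volumes;
      extraOptions = [ "--network=taiga" ];
    };
    # Async worker; same image and settings as taiga-back.
    taiga-async = {
      image = "taigaio/taiga-back:${taiga_version}";
      environment = backend_environment;
      environmentFiles = credential_environment_files;
      volumes = backend_volumes;
      extraOptions = [ "--network=taiga" ];
    };
    # Broker for the async worker.  The management image also serves an admin
    # UI inside the container; it is not published to the host here.
    taiga-async-rabbitmq = {
      image = "rabbitmq:3.8-management-alpine";
      environment = {
        RABBITMQ_DEFAULT_USER = "taiga";
        RABBITMQ_DEFAULT_VHOST = "taiga";
      };
      environmentFiles = credential_environment_files;
      volumes = [ "/var/taiga/rabbitmq/async:/var/lib/rabbitmq" ];
      extraOptions = [ "--network=taiga" ];
    };
    # Web frontend; only needs the public URLs plus the OpenID settings.
    taiga-front = {
      image = "taigaio/taiga-front:${taiga_version}";
      environment = openid_environment // {
        TAIGA_URL = "https://taiga.clicks.codes";
        TAIGA_WEBSOCKETS_URL = "wss://taiga.clicks.codes";
        TAIGA_SUBPATH = "";
      };
      extraOptions = [ "--network=taiga" ];
    };
    # Websocket events service.
    taiga-events = {
      image = "taigaio/taiga-events:${taiga_base_version}";
      environment = {
        RABBITMQ_USER = "taiga";
      };
      environmentFiles = credential_environment_files;
      extraOptions = [ "--network=taiga" ];
    };
    # Broker for the events service; separate data directory from the async one.
    taiga-events-rabbitmq = {
      image = "rabbitmq:3.8-management-alpine";
      environment = {
        RABBITMQ_DEFAULT_USER = "taiga";
        RABBITMQ_DEFAULT_VHOST = "taiga";
      };
      environmentFiles = credential_environment_files;
      volumes = [ "/var/taiga/rabbitmq/events:/var/lib/rabbitmq" ];
      extraOptions = [ "--network=taiga" ];
    };
    # Serves protected attachments.
    taiga-protected = {
      image = "taigaio/taiga-protected:${taiga_base_version}";
      environment = {
        # NOTE(review): looks like a lifetime in seconds for signed attachment
        # URLs — confirm against upstream before changing.
        MAX_AGE = "600";
      };
      environmentFiles = credential_environment_files;
      extraOptions = [ "--network=taiga" ];
    };
    # nginx gateway in front of all services.  Bound to a loopback address
    # only, so it is never reachable from the network directly; presumably a
    # host reverse proxy terminates TLS for taiga.clicks.codes and forwards
    # here.
    taiga-gateway = {
      image = "nginx:1.19-alpine";
      ports = [ "127.0.0.255:1029:80/tcp" ];
      volumes = [
        "${./taiga/taiga-gateway.conf}:/etc/nginx/conf.d/default.conf"
      ] ++ backend_volumes;
      extraOptions = [ "--network=taiga" ];
    };
  };
}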