From 857650d645a6e61be5287072c1ea1ea4695e685e Mon Sep 17 00:00:00 2001
From: Astro
Date: Fri, 24 Dec 2021 03:18:20 +0100
Subject: [PATCH] blogs: init

---
 flake.lock | 8 +--
 flake.nix | 10 +++
 hosts/containers/blogs/default.nix | 28 +++++++++
 lib/plume.nix | 97 ++++++++++++++++++++++++++++++
 4 files changed, 139 insertions(+), 4 deletions(-)
 create mode 100644 hosts/containers/blogs/default.nix
 create mode 100644 lib/plume.nix

diff --git a/flake.lock b/flake.lock
index c2552d20..f6980b8d 100644
--- a/flake.lock
+++ b/flake.lock
@@ -449,11 +449,11 @@
 "openwrt": "openwrt"
 },
 "locked": {
- "lastModified": 1639064862,
- "narHash": "sha256-LzgF4/oECoYJ/FGvum1dZBnnaUh5zUXySfm9SJ1Sbec=",
+ "lastModified": 1640299473,
+ "narHash": "sha256-+NmnIgQZw9G6rRjNVlX8f0wR+4BfusxajhvyW8lIGKA=",
 "ref": "master",
- "rev": "531df7e5948c112ceaa327d3145b5e5f12e00770",
- "revCount": 1294,
+ "rev": "cffdd7bbd7272384c809331641d6b2553ad50feb",
+ "revCount": 1297,
 "type": "git",
 "url": "https://gitea.c3d2.de/zentralwerk/network.git"
 },
diff --git a/flake.nix b/flake.nix
index 28d0d2be..16e1ba1a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -517,10 +517,20 @@
 system = "x86_64-linux";
 };
 
+ blogs = nixosSystem' {
+ modules = [
+ self.nixosModules.plume
+ ./lib/lxc-container.nix
+ ./hosts/containers/blogs
+ ];
+ system = "x86_64-linux";
+ };
+
 };
 
 nixosModule = import ./lib;
 nixosModules.c3d2 = self.nixosModule;
+ nixosModules.plume = import ./lib/plume.nix { inherit self; };
 
 hydraJobs = forAllSystems (system:
 nixpkgs.lib.filterAttrs (_: nixosSystem:
diff --git a/hosts/containers/blogs/default.nix b/hosts/containers/blogs/default.nix
new file mode 100644
index 00000000..ba10031f
--- /dev/null
+++ b/hosts/containers/blogs/default.nix
@@ -0,0 +1,28 @@
+{ hostRegistry, zentralwerk, config, ... }:
+{
+ networking = {
+ hostName = "blogs";
+ useNetworkd = true;
+ interfaces.eth0.ipv4.addresses = [{
+ address = hostRegistry.hosts."${config.networking.hostName}".ip4;
+ prefixLength = zentralwerk.lib.config.site.net.serv.subnet4Len;
+ }];
+ defaultGateway = "172.20.73.1";
+ firewall.allowedTCPPorts = [
+ 80 443
+ ];
+ };
+
+ services.plume = {
+ enable = true;
+ config.BASE_URL = "blogs.c3d2.de";
+ config.ROCKET_SECRET_KEY = "OIZiemtQLDG2wcVnKgHAJ2kMB0UJpa5Uuoei7C57N5o=";
+ };
+
+ services.nginx.enable = true;
+ services.nginx.virtualHosts."blogs.c3d2.de" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://localhost:7878";
+ };
+}
diff --git a/lib/plume.nix b/lib/plume.nix
new file mode 100644
index 00000000..a0587653
--- /dev/null
+++ b/lib/plume.nix
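Review bot: The `config.ROCKET_SECRET_KEY = "…"` line under services.plume commits a live signing secret in plaintext; once it is in git history it has to be treated as compromised and rotated, whatever later cleanup happens. The module added in lib/plume.nix in the same commit also renders services.plume.config into a store file with `builtins.toFile`, so the same key ends up world-readable in /nix/store on every host that evaluates this configuration. Keep only non-secret settings such as `BASE_URL` here and supply the key from a root-only file outside the store that systemd loads at service start (for example via `EnvironmentFile`), so that neither the repository nor the store carries it.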
@@ -0,0 +1,97 @@
+{ self }:
+
+{ config, lib, pkgs, ... }:
+let
+ defaultConfig = {
+ DATABASE_URL = "postgres://plume:plume@localhost/plume";
+ MIGRATION_DIRECTORY = "migrations/postgres";
+ };
+ mergedConfig = defaultConfig // cfg.config;
+ configFile = builtins.toFile "plume-env" (
+ lib.concatMapStrings (key: ''
+ ${key}=${mergedConfig.${key}}
+ '') (builtins.attrNames mergedConfig)
+ );
+
+ plume = self.packages.${pkgs.system}.plume;
+ cfg = config.services.plume;
+in
+{
+ options.services.plume = with lib; {
+ enable = mkEnableOption "Plume";
+ user = mkOption {
+ type = types.str;
+ default = "plume";
+ description = "System user to run Plume";
+ };
+
+ group = mkOption {
+ type = types.str;
+ default = "plume";
+ description = "System group to run Plume";
+ };
+
+ config = mkOption {
+ type = with types; attrsOf str;
+ default = {};
+ description = "Configuration for Plume";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+ systemd.tmpfiles.rules = [
+ "d ${config.users.users.${cfg.user}.home} 0700 ${cfg.user} ${cfg.group} -"
+ "L ${config.users.users.${cfg.user}.home}/.env - - - - ${configFile}"
+ "L ${config.users.users.${cfg.user}.home}/static - - - - ${plume}/share/plume/static"
+ ];
+
+ ids.uids.plume = 499;
+ users.users.${cfg.user} = {
+ uid = config.ids.uids.plume;
+ group = cfg.group;
+ home = "/var/lib/plume";
+ };
+ users.groups.${cfg.group} = {};
+
+ services.postgresql = {
+ enable = true;
+ initialScript = pkgs.writeText "plume-initScript" ''
+ CREATE ROLE plume WITH LOGIN PASSWORD 'plume' CREATEDB;
+ CREATE DATABASE plume;
+ GRANT ALL PRIVILEGES ON DATABASE plume TO plume;
+ '';
+ };
+
+ systemd.services.plume = {
+ description = "Plume";
+ after = [ "postgresql.service" ];
+ requires = [ "postgresql.service" ];
+ wantedBy = [ "multi-user.target" ];
+ path = [ plume ];
+ script = ''
+ plm migration run
+ plm search init
+ exec plume
+ '';
+ serviceConfig = {
+ User = cfg.user;
+ Group = cfg.group;
+ WorkingDirectory = config.users.users.${cfg.user}.home;
+ };
+ };
+
+ environment.systemPackages = [ (pkgs.writeScriptBin "plume-setup" ''
+ #! ${pkgs.runtimeShell} -e
+
+ plm() {
+ sudo -u ${config.services.plume.user} -- ${plume}/bin/plm $@
+ }
+
+ plm migration run
+ plm instance new
+ plm users new --admin
+
+ systemctl start plume.service
+ '') ];
+ };
+}
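Review bot: `configFile = builtins.toFile "plume-env" (…)` writes every key of services.plume.config, including any secret a host passes (the blogs host in this commit passes `ROCKET_SECRET_KEY`), into the world-readable Nix store and then symlinks it as `.env`, and the `initialScript` in the same hunk fixes the database password to the literal `plume` while also granting `CREATEDB`. Add an `environmentFile` option that systemd loads at start so secrets never enter the store, keep only non-secret settings in `configFile`, and consider `services.postgresql.ensureDatabases`/`ensureUsers` over the local socket instead of a password role — the `DATABASE_URL` default would then need the socket form, which should be confirmed against what Plume's build accepts. Two smaller points: `$@` in the `plm()` wrapper should be `"$@"` so arguments with spaces survive, and `users.users.${cfg.user}` sets neither `isSystemUser` nor `isNormalUser`, which recent NixOS releases assert on (presumably — check the pinned nixpkgs).
```nix
# … unchanged: enable, user, group and config options …
environmentFile = mkOption {
  type = types.nullOr types.path;
  default = null;
  description = "Runtime-only file with secret settings such as ROCKET_SECRET_KEY; it is read by systemd at start and never copied into the Nix store";
};
# … unchanged: tmpfiles rules, users, postgresql, script …
serviceConfig = {
  User = cfg.user;
  Group = cfg.group;
  WorkingDirectory = config.users.users.${cfg.user}.home;
  EnvironmentFile = lib.optional (cfg.environmentFile != null) cfg.environmentFile;
};
```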