mobilizon: fix ldap login, configure vapid and geo services

2023-09-25 00:25:08 +02:00 · 2023-09-25 00:25:08 +02:00 · fa9b8c9696
parent b88911211a
commit fa9b8c9696
2 changed files with 87 additions and 24 deletions
--- a/hosts/mobilizon/default.nix
+++ b/hosts/mobilizon/default.nix
@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 {
  c3d2.deployment.server = "server10";

@ -9,27 +9,61 @@
  services = {
    mobilizon = {
      enable = true;
-      settings = {
-        ":mobilizon".":instance" = {
-          name = "C3D2 Mobilizon";
-          hostname = "mobilizon.c3d2.de";
-          registrations_open = false;
-          default_language = "de";
+      settings = let
+        # copied from nixos/modules/services/web-apps/mobilizon.nix
+        settingsFormat = pkgs.formats.elixirConf { elixir = pkgs.elixir_1_14; };
+      in {
+        ":mobilizon" = {
+          ":instance" = {
+            default_language = "de";
+            email_from = "mobilizon@c3d2.de";
+            email_reply_to = "noreply@c3d2.de";
+            name = "C3D2 Mobilizon";
+            hostname = "mobilizon.c3d2.de";
+            registrations_open = false;
+            # registration_email_allowlist = [ "c3d2.de" ]; # we use ldpa login instead :)
+          };
+          # TODO: move to nixos-modules
+          ":ldap" = let
+            inherit (config.security) ldap;
+          in {
+            enabled = true;
+            base = ldap.userBaseDN;
+            bind_uid = ldap.searchUID;
+            bind_password = settingsFormat.lib.mkGetEnv { envVariable = "MOBILIZON_LDAP_BIND_PASSWORD"; };
+            group = true;
+            host = ldap.domainName;
+            port = ldap.port;
+            require_bind_for_search = true;
+            ssl = true;
+            sslopts = [ { cacertfile = "/etc/ssl/certs/ca-certificates.crt"; } ];
+            uid = ldap.userField;
+          };
+          ":logger" = {
+            # level = { value = ":notice"; _elixirType = "atom"; };
+            level = { value = ":debug"; _elixirType = "atom"; };
+          };
+          "Mobilizon.Service.Auth.Authenticator" = { value = "Mobilizon.Service.Auth.LDAPAuthenticator"; _elixirType = "raw"; };
+          # https://docs.joinmobilizon.org/administration/configure/geocoders/#photon
+          # TOS: You can use the API for your project, but please be fair - extensive usage will be throttled. We do not guarantee for the availability and usage might be subject of change in the future.
+          "Mobilizon.Service.Geospatial.Photon".endpoint = "https://photon.komoot.io";
+          "Mobilizon.Web.Email.Mailer" = {
+            adapter = { value = "Bamboo.SMTPAdapter"; _elixirType = "raw"; };
+            server = "mail.c3d2.de";
+            hostname = config.networking.hostName;
+            auth = false;
+            port = 587;
+            ssl = false;
+            tls = { value = ":if_available"; _elixirType = "atom"; };
+            allowed_tls_versions = { value = ''[:"tlsv1.1", :"tlsv1.2"]''; _elixirType = "raw"; };
+            retries = 1;
+            no_mx_lookups = true;
+          };
        };
-        ":mobilizon"."Mobilizon.Web.Email.Mailer" = {
-          adapter = { value = "Bamboo.SMTPAdapter"; _elixirType = "raw"; };
-          server = "mail.c3d2.de";
-          hostname = config.networking.hostName;
-          auth = false;
-          port = 587;
-          ssl = false;
-          tls = { value = ":if_available"; _elixirType = "atom"; };
-          allowed_tls_versions = { value = ''[:"tlsv1.1", :"tlsv1.2"]''; _elixirType = "raw"; };
-          retries = 1;
-          no_mx_lookups = true;
-        };
-        ":mobilizon".":logger" = {
-          level = { value = ":info"; _elixirType = "atom"; };
+        ":web_push_encryption".":vapid_details" = {
+          private_key = settingsFormat.lib.mkGetEnv { envVariable = "MOBILIZON_VAPID_PRIVAT_KEY"; };
+          public_key = settingsFormat.lib.mkGetEnv { envVariable = "MOBILIZON_VAPID_PUBLIC_KEY"; };
+          subject = "mailto:mail@c3d2.de";
        };
      };
    };
@ -43,6 +77,8 @@
      };
    };

+    portunus.addToHosts = true;
+
    postgresql = {
      extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ];
      package = pkgs.postgresql_15;
@ -53,10 +89,35 @@
  sops = {
    defaultSopsFile = ./secrets.yaml;
    secrets = {
+      "mobilizon/enviroment" = { };
      "restic/password".owner = "root";
      "restic/repositories/server8".owner = "root";
    };
  };

+  systemd = {
+    services = {
+      mobilizon.serviceConfig.EnviromentFile = config.sops.secrets."mobilizon/enviroment".path;
+
+      mobilizon-download-geoip = {
+        description = "Download GeoIP DB for mobilizon";
+        # https://framagit.org/framasoft/mobilizon/-/blob/main/docker/tests/Dockerfile#L11
+        script = ''
+          mkdir -p /var/lib/mobilizon/geo/
+          ${lib.getExe pkgs.curl} -s https://dbip.mirror.framasoft.org/files/dbip-city-lite-latest.mmdb --output /var/lib/mobilizon/geo/GeoLite2-City.mmdb
+        '';
+        wantedBy = [ "timers.target" ];
+      };
+    };
+
+    timers.mobilizon-download-geoip = {
+      timerConfig = {
+        OnCalendar = "daily";
+        Peristent = true;
+      };
+      wantedBy = [ "timers.target" ];
+    };
+  };
+
  system.stateVersion = "22.05";
 }
--- a/hosts/mobilizon/secrets.yaml
+++ b/hosts/mobilizon/secrets.yaml
@ -1,3 +1,5 @@
+mobilizon:
+    enviroment: ENC[AES256_GCM,data:Dp+xD2bMDxSui8O0mt3oSdi17L4Ly5qy6Aa0tFyz993xhURdV+lmpg2Av4O4iPcAsMVYQsva9Q60l7VfwkcT/wdsKtdEY5wdnKJFNaNkTIE5d+PoWM0732/UOCTtvsHqGo78PPXyditu3qGxk6I9OTgtTHjNkfQxvMC8piy0Jjxvuc2TfACFmGc9LtaUGrehzBWMxg87gxL53+73Ddcd6QtWPJRQKnR/VW1mfX7lnng2GDhEXDOLMr9fSVbqwRqwkaBQo8qDXBgymjCqec+avjv4jkeLsASBDnG6oUkxGQBg1kzPoLbj13QowIUXme0agae8xSremsU=,iv:zi09v9dUtFS5QCVyW5BQUzaGIqYjd3gC8tO410csHZ8=,tag:PcXEE8lcyhie3GXdmG5jYQ==,type:str]
 restic:
    password: ENC[AES256_GCM,data:VzlrvaX6A/TIPZHrFqQokAIB6nMWTJ1fvlANg+RkNjs=,iv:xcczjX3rDpJAmnOjQ4jvcmuAYAfoR4qRhhOVNZBn8qE=,tag:sI3hpyWOqjKi92oscWBTaw==,type:str]
    repositories:
@ -26,8 +28,8 @@ sops:
            eE5NV1Y5a3p3c2MrNTlJL3NrMXRDM00KIhiEJ1DZHXF5A1bJUFLvCpH9H93d2sFS
            nyDtlZuMKkC8V6cOJmD4lb0HPcsTBlad6oThZmvnn15vqdFAtK+8Yw==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-08-08T22:27:02Z"
-    mac: ENC[AES256_GCM,data:tbfRE5x2gZYqP9EVUru1CXDq/sDCVfR4hamcJGN4gUj1o165yNhU7k6j61urExQMPpy2+KdYClPgrLyk3Bf4J1TP1N3cZnuGj52HiEL6zcKu+iuyYsp4AGtxp13R/a5T7x9M8kVLTgolnSJfWl/juEx6i0Z3tRWSBDmdHzutiBA=,iv:LBrF/IcmHemM9XbMxwtPJXHSMx6A5LtM4JCbdijG3ps=,tag:nYZLbUhpkTj3GhFZsdrtpw==,type:str]
+    lastmodified: "2023-09-24T22:17:38Z"
+    mac: ENC[AES256_GCM,data:bohaXHYU0pNytdr8GB1re/KcMa9wt/CMp4BggnTjo1CgZeHZzjhx68QWx6+AJPJN1RL2ViFkwYPjBGL0eoE8TnB2HMq84SnvSfkt2h2CGLy3Af0HBz1bFcjfY15mwWBZc/HkAeBOUBtG0j78esLdVN5D8tmdxvJlFKZVr5GnbPc=,iv:MF27FyRQMax/Cuo5lRZt03TtJVwdHrfc/gOj6wW4Jsc=,tag:1qwSJXVpXr3ay/5yZdTvYA==,type:str]
    pgp:
        - created_at: "2023-08-08T22:43:42Z"
          enc: |
@ -167,4 +169,4 @@ sops:
            -----END PGP MESSAGE-----
          fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
    unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.0