mobilizon: fix ldap login, configure vapid and geo services
parent
b88911211a
commit
fa9b8c9696
@ -1,4 +1,4 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, lib, pkgs, ... }:
|
||||
{
|
||||
c3d2.deployment.server = "server10";
|
||||
|
||||
|
@ -9,27 +9,61 @@
|
|||
services = {
|
||||
mobilizon = {
|
||||
enable = true;
|
||||
settings = {
|
||||
":mobilizon".":instance" = {
|
||||
name = "C3D2 Mobilizon";
|
||||
hostname = "mobilizon.c3d2.de";
|
||||
registrations_open = false;
|
||||
default_language = "de";
|
||||
settings = let
|
||||
# copied from nixos/modules/services/web-apps/mobilizon.nix
|
||||
settingsFormat = pkgs.formats.elixirConf { elixir = pkgs.elixir_1_14; };
|
||||
in {
|
||||
":mobilizon" = {
|
||||
":instance" = {
|
||||
default_language = "de";
|
||||
email_from = "mobilizon@c3d2.de";
|
||||
email_reply_to = "noreply@c3d2.de";
|
||||
name = "C3D2 Mobilizon";
|
||||
hostname = "mobilizon.c3d2.de";
|
||||
registrations_open = false;
|
||||
# registration_email_allowlist = [ "c3d2.de" ]; # we use ldpa login instead :)
|
||||
};
|
||||
# TODO: move to nixos-modules
|
||||
":ldap" = let
|
||||
inherit (config.security) ldap;
|
||||
in {
|
||||
enabled = true;
|
||||
base = ldap.userBaseDN;
|
||||
bind_uid = ldap.searchUID;
|
||||
bind_password = settingsFormat.lib.mkGetEnv { envVariable = "MOBILIZON_LDAP_BIND_PASSWORD"; };
|
||||
group = true;
|
||||
host = ldap.domainName;
|
||||
port = ldap.port;
|
||||
require_bind_for_search = true;
|
||||
ssl = true;
|
||||
sslopts = [ { cacertfile = "/etc/ssl/certs/ca-certificates.crt"; } ];
|
||||
uid = ldap.userField;
|
||||
};
|
||||
":logger" = {
|
||||
# level = { value = ":notice"; _elixirType = "atom"; };
|
||||
level = { value = ":debug"; _elixirType = "atom"; };
|
||||
};
|
||||
"Mobilizon.Service.Auth.Authenticator" = { value = "Mobilizon.Service.Auth.LDAPAuthenticator"; _elixirType = "raw"; };
|
||||
# https://docs.joinmobilizon.org/administration/configure/geocoders/#photon
|
||||
# TOS: You can use the API for your project, but please be fair - extensive usage will be throttled. We do not guarantee for the availability and usage might be subject of change in the future.
|
||||
"Mobilizon.Service.Geospatial.Photon".endpoint = "https://photon.komoot.io";
|
||||
"Mobilizon.Web.Email.Mailer" = {
|
||||
adapter = { value = "Bamboo.SMTPAdapter"; _elixirType = "raw"; };
|
||||
server = "mail.c3d2.de";
|
||||
hostname = config.networking.hostName;
|
||||
auth = false;
|
||||
port = 587;
|
||||
ssl = false;
|
||||
tls = { value = ":if_available"; _elixirType = "atom"; };
|
||||
allowed_tls_versions = { value = ''[:"tlsv1.1", :"tlsv1.2"]''; _elixirType = "raw"; };
|
||||
retries = 1;
|
||||
no_mx_lookups = true;
|
||||
};
|
||||
};
|
||||
":mobilizon"."Mobilizon.Web.Email.Mailer" = {
|
||||
adapter = { value = "Bamboo.SMTPAdapter"; _elixirType = "raw"; };
|
||||
server = "mail.c3d2.de";
|
||||
hostname = config.networking.hostName;
|
||||
auth = false;
|
||||
port = 587;
|
||||
ssl = false;
|
||||
tls = { value = ":if_available"; _elixirType = "atom"; };
|
||||
allowed_tls_versions = { value = ''[:"tlsv1.1", :"tlsv1.2"]''; _elixirType = "raw"; };
|
||||
retries = 1;
|
||||
no_mx_lookups = true;
|
||||
};
|
||||
":mobilizon".":logger" = {
|
||||
level = { value = ":info"; _elixirType = "atom"; };
|
||||
":web_push_encryption".":vapid_details" = {
|
||||
private_key = settingsFormat.lib.mkGetEnv { envVariable = "MOBILIZON_VAPID_PRIVAT_KEY"; };
|
||||
public_key = settingsFormat.lib.mkGetEnv { envVariable = "MOBILIZON_VAPID_PUBLIC_KEY"; };
|
||||
subject = "mailto:mail@c3d2.de";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -43,6 +77,8 @@
|
|||
};
|
||||
};
|
||||
|
||||
portunus.addToHosts = true;
|
||||
|
||||
postgresql = {
|
||||
extraPlugins = with config.services.postgresql.package.pkgs; [ postgis ];
|
||||
package = pkgs.postgresql_15;
|
||||
|
@ -53,10 +89,35 @@
|
|||
sops = {
|
||||
defaultSopsFile = ./secrets.yaml;
|
||||
secrets = {
|
||||
"mobilizon/enviroment" = { };
|
||||
"restic/password".owner = "root";
|
||||
"restic/repositories/server8".owner = "root";
|
||||
};
|
||||
};
|
||||
|
||||
systemd = {
|
||||
services = {
|
||||
mobilizon.serviceConfig.EnviromentFile = config.sops.secrets."mobilizon/enviroment".path;
|
||||
|
||||
mobilizon-download-geoip = {
|
||||
description = "Download GeoIP DB for mobilizon";
|
||||
# https://framagit.org/framasoft/mobilizon/-/blob/main/docker/tests/Dockerfile#L11
|
||||
script = ''
|
||||
mkdir -p /var/lib/mobilizon/geo/
|
||||
${lib.getExe pkgs.curl} -s https://dbip.mirror.framasoft.org/files/dbip-city-lite-latest.mmdb --output /var/lib/mobilizon/geo/GeoLite2-City.mmdb
|
||||
'';
|
||||
wantedBy = [ "timers.target" ];
|
||||
};
|
||||
};
|
||||
|
||||
timers.mobilizon-download-geoip = {
|
||||
timerConfig = {
|
||||
OnCalendar = "daily";
|
||||
Peristent = true;
|
||||
};
|
||||
wantedBy = [ "timers.target" ];
|
||||
};
|
||||
};
|
||||
|
||||
system.stateVersion = "22.05";
|
||||
}
|
||||
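Review bot: `EnviromentFile` on the mobilizon service is misspelled (systemd's directive is `EnvironmentFile`), so the sops environment file is never loaded and `MOBILIZON_LDAP_BIND_PASSWORD`, `MOBILIZON_VAPID_PRIVAT_KEY` and `MOBILIZON_VAPID_PUBLIC_KEY` read via mkGetEnv in the settings hunk resolve to nothing; with `require_bind_for_search = true` the LDAP bind then fails and login stays broken. The fix is `mobilizon.serviceConfig.EnvironmentFile = config.sops.secrets."mobilizon/enviroment".path;` (the secret name may keep its spelling as long as it matches secrets.yaml and the sops key). In the same hunk `Peristent = true;` should be `Persistent = true;` for the timer to catch up missed runs, and the GeoIP download runs curl with `-s` but no `--fail`, so an HTTP error body is silently written over the database in place while mobilizon may be reading it; download to a temporary file with `-sSf` and move it into place atomically, as below. `wantedBy = [ "timers.target" ]` on the service unit itself also pulls the download into every boot, which is presumably only intended for the timer.
```nix
mobilizon-download-geoip = {
  description = "Download GeoIP DB for mobilizon";
  # https://framagit.org/framasoft/mobilizon/-/blob/main/docker/tests/Dockerfile#L11
  script = ''
    set -euo pipefail
    mkdir -p /var/lib/mobilizon/geo/
    tmp=$(mktemp /var/lib/mobilizon/geo/.GeoLite2-City.mmdb.XXXXXX)
    trap 'rm -f "$tmp"' EXIT
    ${lib.getExe pkgs.curl} -sSf https://dbip.mirror.framasoft.org/files/dbip-city-lite-latest.mmdb --output "$tmp"
    mv -f "$tmp" /var/lib/mobilizon/geo/GeoLite2-City.mmdb
  '';
  # … unchanged: wantedBy (consider dropping it here and keeping it on the timer only) …
};
```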
@ -1,3 +1,5 @@
|
|||
mobilizon:
|
||||
enviroment: ENC[AES256_GCM,data:Dp+xD2bMDxSui8O0mt3oSdi17L4Ly5qy6Aa0tFyz993xhURdV+lmpg2Av4O4iPcAsMVYQsva9Q60l7VfwkcT/wdsKtdEY5wdnKJFNaNkTIE5d+PoWM0732/UOCTtvsHqGo78PPXyditu3qGxk6I9OTgtTHjNkfQxvMC8piy0Jjxvuc2TfACFmGc9LtaUGrehzBWMxg87gxL53+73Ddcd6QtWPJRQKnR/VW1mfX7lnng2GDhEXDOLMr9fSVbqwRqwkaBQo8qDXBgymjCqec+avjv4jkeLsASBDnG6oUkxGQBg1kzPoLbj13QowIUXme0agae8xSremsU=,iv:zi09v9dUtFS5QCVyW5BQUzaGIqYjd3gC8tO410csHZ8=,tag:PcXEE8lcyhie3GXdmG5jYQ==,type:str]
|
||||
restic:
|
||||
password: ENC[AES256_GCM,data:VzlrvaX6A/TIPZHrFqQokAIB6nMWTJ1fvlANg+RkNjs=,iv:xcczjX3rDpJAmnOjQ4jvcmuAYAfoR4qRhhOVNZBn8qE=,tag:sI3hpyWOqjKi92oscWBTaw==,type:str]
|
||||
repositories:
|
||||
|
@ -26,8 +28,8 @@ sops:
|
|||
eE5NV1Y5a3p3c2MrNTlJL3NrMXRDM00KIhiEJ1DZHXF5A1bJUFLvCpH9H93d2sFS
|
||||
nyDtlZuMKkC8V6cOJmD4lb0HPcsTBlad6oThZmvnn15vqdFAtK+8Yw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-08-08T22:27:02Z"
|
||||
mac: ENC[AES256_GCM,data:tbfRE5x2gZYqP9EVUru1CXDq/sDCVfR4hamcJGN4gUj1o165yNhU7k6j61urExQMPpy2+KdYClPgrLyk3Bf4J1TP1N3cZnuGj52HiEL6zcKu+iuyYsp4AGtxp13R/a5T7x9M8kVLTgolnSJfWl/juEx6i0Z3tRWSBDmdHzutiBA=,iv:LBrF/IcmHemM9XbMxwtPJXHSMx6A5LtM4JCbdijG3ps=,tag:nYZLbUhpkTj3GhFZsdrtpw==,type:str]
|
||||
lastmodified: "2023-09-24T22:17:38Z"
|
||||
mac: ENC[AES256_GCM,data:bohaXHYU0pNytdr8GB1re/KcMa9wt/CMp4BggnTjo1CgZeHZzjhx68QWx6+AJPJN1RL2ViFkwYPjBGL0eoE8TnB2HMq84SnvSfkt2h2CGLy3Af0HBz1bFcjfY15mwWBZc/HkAeBOUBtG0j78esLdVN5D8tmdxvJlFKZVr5GnbPc=,iv:MF27FyRQMax/Cuo5lRZt03TtJVwdHrfc/gOj6wW4Jsc=,tag:1qwSJXVpXr3ay/5yZdTvYA==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-08-08T22:43:42Z"
|
||||
enc: |
|
||||
|
@ -167,4 +169,4 @@ sops:
|
|||
-----END PGP MESSAGE-----
|
||||
fp: DD0998E6CDF294537FC604F991FA5E5BF9AA901C
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.7.3
|
||||
version: 3.8.0
|
||||