diff --git a/README.md b/README.md
index 4805dcf..5e6a302 100644
--- a/README.md
+++ b/README.md
@@ -16,7 +16,7 @@ This is a work-in-progress and currently is not production ready. Please check b
 - [x] Configure Traefik & its dashboard
 - [x] Configure Caddy for internal service port forwarding (difficult!)
 - [ ] Install Tailscale
- - [ ] Install Portainer for other servers & basic admin tasks
+ - [x] Install Portainer for other servers & basic admin tasks
 - [x] Install Forgejo
 - [x] Install Personal Website
 - [x] Install mCaptcha
diff --git a/hosts/andromeda/configuration.nix b/hosts/andromeda/configuration.nix
index 708db1a..c478b4b 100755
--- a/hosts/andromeda/configuration.nix
+++ b/hosts/andromeda/configuration.nix
@@ -19,8 +19,9 @@
 ./stacks/traefik/docker-compose.nix
 ./stacks/caddy/docker-compose.nix
 ./stacks/portainer/docker-compose.nix
- ./stacks/forgejo/docker-compose.nix
+ ./stacks/passbolt/docker-compose.nix
 ./stacks/mcaptcha/docker-compose.nix
+ ./stacks/forgejo/docker-compose.nix
 ./stacks/terah.dev/docker-compose.nix
 ];
diff --git a/hosts/andromeda/stacks/passbolt/docker-compose.nix b/hosts/andromeda/stacks/passbolt/docker-compose.nix
new file mode 100644
index 0000000..42aaa51
--- /dev/null
+++ b/hosts/andromeda/stacks/passbolt/docker-compose.nix
@@ -0,0 +1,167 @@ +# Auto-generated using compose2nix v0.3.1. +{ config, pkgs, lib, ... }: + +{ + imports = [ + ../../../../system/sops.nix + ]; + + # Containers + virtualisation.oci-containers.containers."passbolt-db" = { + image = "mariadb:10.11"; + environmentFiles = [ config.sops.secrets.passbolt_db_docker_env.path ]; + environment = { + "MYSQL_DATABASE" = "passbolt"; + "MYSQL_RANDOM_ROOT_PASSWORD" = "true"; + "MYSQL_USER" = "passbolt"; + }; + volumes = [ + "passbolt_db:/var/lib/mysql:rw" + ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=db" + "--network=passbolt_default" + ]; + }; + + systemd.services."docker-passbolt-db" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; + }; + after = [ + "docker-network-passbolt_default.service" + "docker-volume-passbolt_db.service" + ]; + requires = [ + "docker-network-passbolt_default.service" + "docker-volume-passbolt_db.service" + ]; + partOf = [ + "docker-compose-passbolt-root.target" + ]; + wantedBy = [ + "docker-compose-passbolt-root.target" + ]; + }; + + virtualisation.oci-containers.containers."passbolt-passbolt" = { + image = "passbolt/passbolt:latest-ce"; + environmentFiles = [ config.sops.secrets.passbolt_passbolt_docker_env.path ]; + environment = { + "APP_FULL_BASE_URL" = "https://passbolt.hofers.cloud"; + "DATASOURCES_DEFAULT_DATABASE" = "passbolt"; + "DATASOURCES_DEFAULT_HOST" = "db"; + "DATASOURCES_DEFAULT_USERNAME" = "passbolt"; + }; + volumes = [ + "passbolt_gpg:/etc/passbolt/gpg:rw" + "passbolt_jwt:/etc/passbolt/jwt:rw" + ]; + cmd = [ "/usr/bin/wait-for.sh" "-t" "0" "db:3306" "--" "/docker-entrypoint.sh" ]; + labels = { + "traefik.http.routers.passbolthoferscloud.rule" = "Host(`passbolt.hofers.cloud`)"; + }; + dependsOn = [ + "passbolt-db" + ]; + log-driver = "journald"; + extraOptions = [ + "--network-alias=passbolt" + 
"--network=passbolt_default" + ]; + }; + + systemd.services."docker-passbolt-passbolt" = { + serviceConfig = { + Restart = lib.mkOverride 90 "always"; + RestartMaxDelaySec = lib.mkOverride 90 "1m"; + RestartSec = lib.mkOverride 90 "100ms"; + RestartSteps = lib.mkOverride 90 9; + }; + after = [ + "docker-network-passbolt_default.service" + "docker-volume-passbolt_gpg.service" + "docker-volume-passbolt_jwt.service" + ]; + requires = [ + "docker-network-passbolt_default.service" + "docker-volume-passbolt_gpg.service" + "docker-volume-passbolt_jwt.service" + ]; + partOf = [ + "docker-compose-passbolt-root.target" + ]; + wantedBy = [ + "docker-compose-passbolt-root.target" + ]; + }; + + # Networks + systemd.services."docker-network-passbolt_default" = { + path = [ pkgs.docker ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + ExecStop = "docker network rm -f passbolt_default"; + }; + script = '' + docker network inspect passbolt_default || docker network create passbolt_default + ''; + partOf = [ "docker-compose-passbolt-root.target" ]; + wantedBy = [ "docker-compose-passbolt-root.target" ]; + }; + + # Volumes + systemd.services."docker-volume-passbolt_db" = { + path = [ pkgs.docker ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + docker volume inspect passbolt_db || docker volume create passbolt_db + ''; + partOf = [ "docker-compose-passbolt-root.target" ]; + wantedBy = [ "docker-compose-passbolt-root.target" ]; + }; + + systemd.services."docker-volume-passbolt_gpg" = { + path = [ pkgs.docker ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + docker volume inspect passbolt_gpg || docker volume create passbolt_gpg + ''; + partOf = [ "docker-compose-passbolt-root.target" ]; + wantedBy = [ "docker-compose-passbolt-root.target" ]; + }; + + systemd.services."docker-volume-passbolt_jwt" = { + path = [ pkgs.docker ]; + serviceConfig = { + Type = "oneshot"; + RemainAfterExit = 
true; + }; + script = '' + docker volume inspect passbolt_jwt || docker volume create passbolt_jwt + ''; + partOf = [ "docker-compose-passbolt-root.target" ]; + wantedBy = [ "docker-compose-passbolt-root.target" ]; + }; + + # Root service + # When started, this will automatically create all resources and start + # the containers. When stopped, this will teardown all resources. + systemd.targets."docker-compose-passbolt-root" = { + unitConfig = { + Description = "Root target generated by compose2nix."; + }; + wantedBy = [ "multi-user.target" ]; + }; +} diff --git a/secrets b/secrets index fb03516..31517aa 160000 --- a/secrets +++ b/secrets @@ -1 +1 @@ -Subproject commit fb03516cae9a47fa26a88af5eb5a158d2f37d1df +Subproject commit 31517aa2bc11a5756da029137f8685ac16333975 diff --git a/system/sops.nix b/system/sops.nix index 7b29c20..b47ef53 100755 --- a/system/sops.nix +++ b/system/sops.nix @@ -27,6 +27,8 @@ in forgejo_server_docker_env = {}; mcaptcha_db_docker_env = {}; mcaptcha_mcaptcha_docker_env = {}; + passbolt_db_docker_env = {}; + passbolt_passbolt_docker_env = {}; }; }; }
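Review bot: `image = "passbolt/passbolt:latest-ce";` on the passbolt-passbolt container is a floating tag, so the password manager's server build changes silently on the next pull and a tag hijack or breaking upstream release is deployed without review; pin it to a release tag plus an `@sha256:` digest, e.g. `image = "passbolt/passbolt:<release>-ce@sha256:<digest>";`, and the `mariadb:10.11` tag would benefit from the same treatment. The `passbolt_gpg` and `passbolt_jwt` volumes hold the server's OpenPGP private key and JWT signing key (whoever can read them can impersonate the server to every client), so the volume declarations deserve a comment such as `# passbolt_gpg/passbolt_jwt: server private keys — include in backups, never copy off-host unencrypted`. Only a `Host()` rule label is set on the Traefik router; whether HTTPS is actually enforced (entrypoint/TLS labels) depends on the Traefik stack defaults outside this diff, which is worth confirming since `APP_FULL_BASE_URL` is https. Because the header marks the file as compose2nix output, the pin should be made in the source compose file as well so it survives regeneration.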
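Review bot: The two new entries `passbolt_db_docker_env = {};` and `passbolt_passbolt_docker_env = {};` declare the secrets with defaults only, matching the existing entries, but nothing ties them to the units that consume them, so a rotated database password in the sops file is decrypted on activation while the running containers keep the old value until something else restarts them. If the sops-nix version in use supports it, `restartUnits = [ "docker-passbolt-db.service" "docker-passbolt-passbolt.service" ];` on both entries (or on a shared `passbolt_*` secret) closes that gap. Presumably both env files carry the same database password (MYSQL_PASSWORD on the db side, DATASOURCES_DEFAULT_PASSWORD on the app side); a one-line comment noting that they must be kept in sync would help the next person rotating it.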