From b4b74227c32ea5f9f356488411b0fdaee5d5439c Mon Sep 17 00:00:00 2001
From: Felix Albrigtsen <felix@albrigtsen.it>
Date: Sun, 1 Dec 2024 11:21:55 +0100
Subject: [PATCH] defiant: Add koillection

---
 hosts/defiant/configuration.nix        |  1 +
 hosts/defiant/services/koillection.nix | 59 ++++++++++++++++++++++++++
 hosts/defiant/services/postgresql.nix  |  9 +++-
 secrets/defiant/defiant.yaml           |  6 ++-
 4 files changed, 72 insertions(+), 3 deletions(-)
 create mode 100644 hosts/defiant/services/koillection.nix

diff --git a/hosts/defiant/configuration.nix b/hosts/defiant/configuration.nix
index 5d3cb5f..6f7e67d 100644
--- a/hosts/defiant/configuration.nix
+++ b/hosts/defiant/configuration.nix
@@ -23,6 +23,7 @@
       ./services/hedgedoc.nix
       ./services/home-assistant.nix
       ./services/keycloak.nix
+      ./services/koillection.nix
       ./services/matrix
       ./services/microbin.nix
       # ./services/minecraft.nix
diff --git a/hosts/defiant/services/koillection.nix b/hosts/defiant/services/koillection.nix
new file mode 100644
index 0000000..0ba4c8c
--- /dev/null
+++ b/hosts/defiant/services/koillection.nix
@@ -0,0 +1,59 @@
+{ config, pkgs, lib, ... }:
+let
+  domain = "koillection.home.feal.no";
+  port = 5023;
+in {
+  virtualisation.oci-containers.containers = {
+    koillection = {
+      image = "koillection/koillection";
+
+      ports = [
+        "127.0.1.2:${toString port}:80"
+      ];
+
+      environment = {
+        APP_DEBUG = "0";
+        APP_ENV = "prod";
+        HTTPS_ENABLED = "0";
+        UPLOAD_MAX_FILESIZE = "512M";
+        PHP_MEMORY_LIMIT = "512M";
+        PHP_TZ = "Europe/Oslo";
+
+        CORS_ALLOW_ORIGIN = "https?://(localhost|koillection\\.home\\.feal\\.no)(:[0-9]+)?$";
+        JWT_SECRET_KEY = "%kernel.project_dir%/config/jwt/private.pem";
+        JWT_PUBLIC_KEY = "%kernel.project_dir%/config/jwt/public.pem";
+
+        DB_DRIVER = "pdo_pgsql";
+        DB_NAME = "koillection";
+        DB_HOST = "host.docker.internal";
+        DB_USER = "koillection";
+        # DB_PASSWORD = "koillection"; # Set in sops envfile
+        DB_PORT = "5432";
+        DB_VERSION = "16";
+      };
+
+      environmentFiles = [
+        config.sops.secrets."koillection/envfile".path
+      ];
+
+      extraOptions = [
+        "--add-host=host.docker.internal:host-gateway"
+      ];
+    };
+  };
+
+  sops.secrets."koillection/envfile" = { };
+
+  services.postgresql = {
+    ensureDatabases = [ "koillection" ];
+    ensureUsers = [ {
+      name = "koillection";
+      ensureDBOwnership = true;
+    } ];
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    locations."/".proxyPass = "http://127.0.1.2:${toString port}";
+  };
+}
+
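Review bot: The `image = "koillection/koillection";` line carries no tag or digest, so every container (re)start may silently pull whatever upstream currently publishes; pin it, e.g. `image = "koillection/koillection:<VERSION-PLACEHOLDER>";` or better an `@sha256:<DIGEST-PLACEHOLDER>` reference, so the deployment is reproducible and a broken or tampered upstream build does not roll out unreviewed. `CORS_ALLOW_ORIGIN` is anchored at the end (`$`) but not at the start — if the value is evaluated as a regex, which the `$` suggests, `^https?://...` is the safer form and matches how such origin patterns are usually written. `ensureUsers` with `ensureDBOwnership = true;` creates the `koillection` role but does not assign it a password, so the `DB_PASSWORD` kept in the sops envfile presumably has to be set on the role out of band; a comment next to the `# DB_PASSWORD = ...` line saying where that happens would save the next reader a trip.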
diff --git a/hosts/defiant/services/postgresql.nix b/hosts/defiant/services/postgresql.nix
index 9a0d3f7..f1eeaba 100644
--- a/hosts/defiant/services/postgresql.nix
+++ b/hosts/defiant/services/postgresql.nix
@@ -2,7 +2,11 @@
 {
   services.postgresql = {
     enable = true;
-    enableTCPIP = false;
+    enableTCPIP = true;
+
+    authentication = ''
+      host all all 172.16.0.0/12 md5
+    '';
   };
 
   services.postgresqlBackup = {
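Review bot: `host all all 172.16.0.0/12 md5` lets any container in the whole 172.16.0.0/12 range attempt password authentication against every role and every database, not just the one this commit introduces; since only koillection needs it, narrow it to `host koillection koillection 172.16.0.0/12 scram-sha-256` (scram-sha-256 is the current password method, md5 is the legacy one). `enableTCPIP = true` also makes the server listen on all addresses, so after this hunk the exposure of port 5432 rests entirely on the firewall rule added further down; worth stating in a comment next to `enableTCPIP = true;` so the two are not changed independently.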
@@ -14,5 +18,8 @@
     databases = [ ];
   };
 
+  # Docker containers on this host can reach postgres
+  networking.firewall.extraCommands = "iptables -A INPUT -p tcp --destination-port 5432 -s 172.16.0.0/12 -j ACCEPT";
+
   environment.systemPackages = [ config.services.postgresql.package ];
 }
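Review bot: The `iptables -A INPUT ...` rule is appended directly to the INPUT chain, which — if I read the NixOS firewall script correctly — is neither flushed on reload nor removed by the stop script, so each firewall restart leaves another copy of the rule behind. The declarative form `networking.firewall.interfaces.docker0.allowedTCPPorts = [ 5432 ];` (substitute the `podman0` bridge if that is the oci-containers backend on this host) avoids that and also ties the opening to the container bridge interface rather than to any packet arriving with a 172.16.0.0/12 source address. If the raw rule is kept, append it to the `nixos-fw` chain, which is rebuilt on every reload, and add the matching delete under `networking.firewall.extraStopCommands`.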
diff --git a/secrets/defiant/defiant.yaml b/secrets/defiant/defiant.yaml
index 4a0594a..6e2e1b3 100644
--- a/secrets/defiant/defiant.yaml
+++ b/secrets/defiant/defiant.yaml
@@ -18,6 +18,8 @@ restic:
     vaultwarden: ENC[AES256_GCM,data:tZKf1jeQPBASruDP67NrVfwFoAZ20whQIHf1SWIQz0s=,iv:kyfqvEf/DiAGHAU99HVGri15kluewijkSPOCGKjxIaQ=,tag:tmDQPH2IjjUV5wLegXXybg==,type:str]
 keycloak:
     postgres: ENC[AES256_GCM,data:OYvpSyBAQfAJg4/syz1r,iv:Ge6m63YPl+gJPepIRmBz747bXqUo65MHQaRn1S/8m2I=,tag:18bFwYtmcslXlgflfYqM8w==,type:str]
+koillection:
+    envfile: ENC[AES256_GCM,data:3wq6xiULzELDxtDsBfPbKrnEsAEoG9oQREyaEoe0AVpJziVMrhEQruLCl1F/,iv:IscSmKD8nwQ2HmNnC+54rZrWMimdYPLCArmt/ToTdNM=,tag:J3QYTUtJhpn+R8hpqkA9zg==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -42,8 +44,8 @@ sops:
             RXcvQU1JYnl0bUtocTZuNkRxcGQwR2MKnyAYtF2y7XBmNuIYi6RzqEJEPPg7B22A
             fQVeDfIhiNSVva784KTU+y4TU1UPxumriRrLRFPF3h42ZEq2zQAgrQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-05T08:43:32Z"
-    mac: ENC[AES256_GCM,data:UMaxVqcS9SK/OclUe5k547zScx5BhAJt4f87Sfw2Ctdx6ZJRbju4310TeZUygzge4/OrCywD+9R09FzR65OBvIDxvUIqOblqzrYiHK6xRUSkUtLJEb8gzD7ycsccHaHpLYom0zbSixmMUDSthn2rexQixin9gUGVq+x9I3Z/sPk=,iv:oZAcTHjeFQjxZrNmQmJS3kJiXs1IcDbYJOo44kI3f5Y=,tag:7GINKR+6WMhlDAzeDOyrog==,type:str]
+    lastmodified: "2024-12-01T10:13:16Z"
+    mac: ENC[AES256_GCM,data:SFZz05/9Wb5o9X0ieNxrk4LJkCniliQ7ykWR+ocLw+At9Ye620JQTYFHfpzT/h+aRdborgkRtldw0c5+UOzx9+F3HtoWsrK04uQ1qso8YjO87qEqlVenVPuOVUuvyVtPQOWyLrHOOPkLSrj0a1NQdPSsfxcC04DhSkiW4RTNWXw=,iv:zp6HP14YZYt8BNj7jPPM+cb5cBZThijfcaqDZ6rH5Hg=,tag:W+/XKoj61yUXL+PC5YXQlg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1