From 60a932a144fe7378c57723eb5bc4a94250c386d4 Mon Sep 17 00:00:00 2001
From: Gabriel Arazas
Date: Mon, 9 Dec 2024 19:21:23 +0800
Subject: [PATCH] hosts/ni/services/penpot: init

---
 configs/nixos/ni/modules/default.nix | 1 +
 .../ni/modules/services/penpot/default.nix | 109 ++++++++++++++++++
 .../ni/modules/services/penpot/secrets.yaml | 22 ++++
 3 files changed, 132 insertions(+)
 create mode 100644 configs/nixos/ni/modules/services/penpot/default.nix
 create mode 100644 configs/nixos/ni/modules/services/penpot/secrets.yaml

diff --git a/configs/nixos/ni/modules/default.nix b/configs/nixos/ni/modules/default.nix
index e6a53956..78bc7def 100644
--- a/configs/nixos/ni/modules/default.nix
+++ b/configs/nixos/ni/modules/default.nix
@@ -7,6 +7,7 @@
 ./services/backup
 ./services/monitoring.nix
 ./services/download-media
+ ./services/penpot
 ./setups/desktop.nix
 ./setups/development.nix
 ./setups/gaming.nix
diff --git a/configs/nixos/ni/modules/services/penpot/default.nix b/configs/nixos/ni/modules/services/penpot/default.nix
new file mode 100644
index 00000000..2034c93a
--- /dev/null
+++ b/configs/nixos/ni/modules/services/penpot/default.nix
@@ -0,0 +1,109 @@
+{ config, lib, pkgs, foodogsquaredLib, ... }:
+
+let
+ hostCfg = config.hosts.ni;
+ cfg = hostCfg.services.penpot;
+
+ port = builtins.toString config.state.ports.penpot-frontend.value;
+in
+{
+ options.hosts.ni.services.penpot.enable =
+ lib.mkEnableOption "self-hosted Penpot design tool";
+
+ config = lib.mkIf cfg.enable {
+ state.ports = {
+ penpot-frontend.value = 9001;
+ };
+
+ sops.secrets = foodogsquaredLib.sops-nix.getSecrets ./secrets.yaml {
+ "penpot/env" = { };
+ };
+
+ virtualisation.oci-containers.networks.penpot = { };
+ virtualisation.oci-containers.volumes.penpot_assets = { };
+ virtualisation.oci-containers.volumes.penpot_postgres_v15 = { };
+
+ virtualisation.oci-containers.containers.penpot-frontend = {
+ image = "docker.io/penpotapp/frontend:latest";
+ dependsOn = [
+ "penpot-backend"
+ "penpot-exporter"
+ ];
+ ports = lib.singleton "127.0.0.1:${port}:${port}";
+ extraOptions = [
+ "--network=penpot"
+ ];
+ volumes = [
+ "penpot_assets:/opt/data/assets"
+ ];
+ environment.PENPOT_FLAGS = lib.concatStringsSep " " [
+ "enable-login-with-password"
+ "enable-webhooks"
+ "enable-login-with-github"
+ "enable-login-with-oidc"
+ "disable-registration"
+ ];
+ };
+
+ virtualisation.oci-containers.containers.penpot-backend = {
+ image = "docker.io/penpotapp/backend:latest";
+ volumes = [
+ "penpot_assets:/opt/data/assets"
+ ];
+ extraOptions = [
+ "--network=penpot"
+ ];
+ dependsOn = [
+ "penpot-postgres"
+ "penpot-redis"
+ ];
+ environmentFiles = [
+ config.sops.secrets."penpot/env".path
+ ];
+ environment = {
+ PENPOT_FLAGS = lib.concatStringsSep " " [
+ "enable-registration"
+ "enable-login-with-password"
+ ];
+ PENPOT_PUBLIC_URI = "http://localhost:${port}";
+ PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot";
+ PENPOT_REDIS_URI = "redis://penpot-redis/0";
+ PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs";
+ PENPOT_STORAGE_ASSETS_FS_DIRECTORY = "/opt/data/assets";
+ PENPOT_TELEMETRY_ENABLED = "true";
+ };
+ };
+
+ 
virtualisation.oci-containers.containers.penpot-exporter = {
+ image = "docker.io/penpotapp/exporter:latest";
+ extraOptions = [
+ "--network=penpot"
+ ];
+ environment = {
+ PENPOT_PUBLIC_URI = "http://penpot-frontend";
+ PENPOT_REDIS_URI = "redis://penpot-redis/0";
+ };
+ };
+
+ virtualisation.oci-containers.containers.penpot-redis = {
+ image = "docker.io/redis:7";
+ extraOptions = [
+ "--network=penpot"
+ ];
+ };
+
+ virtualisation.oci-containers.containers.penpot-postgres = {
+ image = "docker.io/postgres:15";
+ volumes = [
+ "penpot_postgres_v15:/var/lib/postgresql/data"
+ ];
+ extraOptions = [ "--network=penpot" ];
+ environment = {
+ POSTGRES_INITDB_ARGS = lib.concatStringsSep " " [
+ "--data-checksums"
+ ];
+ POSTGRES_DB = "penpot";
+ };
+ };
+ };
+}
diff --git a/configs/nixos/ni/modules/services/penpot/secrets.yaml b/configs/nixos/ni/modules/services/penpot/secrets.yaml
new file mode 100644
index 00000000..4a173d94
--- /dev/null
+++ b/configs/nixos/ni/modules/services/penpot/secrets.yaml
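Review bot: The backend's `PENPOT_FLAGS` lists `enable-registration` while the frontend's lists `disable-registration`; the backend is the side that enforces the policy, so self-registration is effectively open at the API even though the UI hides it, and the frontend additionally advertises `enable-login-with-github` and `enable-login-with-oidc` that the backend's flag list never enables. Change the backend entry to `"disable-registration"` and keep the OAuth flags identical on both containers so what the UI offers matches what the server accepts. The penpot-postgres container sets only `POSTGRES_DB` and `POSTGRES_INITDB_ARGS`; as far as I know the official postgres image refuses to initialise its data directory without `POSTGRES_PASSWORD` (or an explicit `POSTGRES_HOST_AUTH_METHOD`), and `PENPOT_DATABASE_URI` carries no credentials either, so the database user and password presumably have to be supplied from the sops env file on both sides — worth confirming on first boot. All images here are pulled by mutable tag (`:latest`, `redis:7`, `postgres:15`), which makes rebuilds non-reproducible and lets upstream image changes land without review; pin by digest, e.g. `image = "docker.io/penpotapp/backend@sha256:<digest-placeholder>";`.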
@@ -0,0 +1,22 @@
+penpot:
+ env: ENC[AES256_GCM,data:WMwX6jeuAkjb2uynJes0avCcbWM0yrmQ6q3OfQMxbrAzmXsOtfaVXO0O8cY4fU0WMYhCLh1nZt0b5VDNjH5IBogM8SZ5/HL4lUaK6y16wZw0jIeyjOrcoQWIrcuFkuEixk1hJU8u1KIx9xry6OKWAHa8AcLyww58Zqiis+V+nOZkGxpflFA/xDWv8v0Q4qDYrsfjzsZn3biBQPUQcNfHSouRHo9QQ8EZQjVjo3nDAXDbKTaa4Aj/sSm/zJ26RDeK9/kGAD/lx1YqKgLCvGPN7Y8aVFCzlqeLU3JRyqbi9qYajLSrvxHkWGvJGruWAEWHAMnQ+j8Zo7xWJoSTMTHtA2U7KJXfN/BjijQhbYlKp0VXQz6B9hPKyTlU6nZL6ivZ9w==,iv:eHNzD13Gr4L+wBrYdBTCOb+8yhtmFqwKjVl8BBAiKFg=,tag:+ivt+HihWrygiu9EWjXreA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1jxna9vm7nx4g69s84qgjptxvuzszcypf2rfk4ss2lyhnpe3yxdnqusu6jp
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwQ21La1p3R3pYbkI0Mkl2
+ N0d5ekwvQkdLWFlSSFZlNzZEek5rSUpXQlM0Cld4bUd1MCtIRm9pZDRQVll2eWhE
+ NkdGTmcrS1pqZndXMzFMTUlhbGwwQ3MKLS0tIGVENTRpVmMxbW5CL2FRbFhBd3pV
+ VHAyQStoallxZXkwcWt3Y2VPeVZiWXMKvsGVPPFHYeTmpqyY63MI6aaDdvWC3OEE
+ ONka99YLasKLNkGqdEptDMTmo66nQ66pz0BG+NZuwoxkjJzvViektw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-12-09T10:47:53Z"
+ mac: ENC[AES256_GCM,data:FClAXi7GmaTm8oCHjwI9KTYJysmqAOFHM31zPvfnsaLwZKrIKBoYmI/EnHOS5lOVOrWzlxB07B+A5ZVoMYIcR7NbJZJ6WL8ULhtEheSd29XCwvqvvwZmNfriIa0uT3mBzW3W7bzeh9BuwUK6yiOlW6UBmzMh/P1ssQ92SVgg9LA=,iv:l+E6h7fCVsgY6OvuJFMnq5veGaj1vGXkwfCrutP4wfo=,tag:AptwpWdXZ4g/fmonuEWYwQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1