From a18a985d9b926275fcae88b15592a273b5d4510e Mon Sep 17 00:00:00 2001
From: teidesu
Date: Wed, 1 Jan 2025 22:38:23 +0300
Subject: [PATCH] feat(koi): docmost
---
 hosts/koi/configuration.nix | 1 +
 hosts/koi/containers/docmost/default.nix | 74 ++++++++++++++++++
 hosts/koi/containers/docmost/image/Dockerfile | 4 +
 secrets/docmost-env.age | Bin 0 -> 488 bytes
 4 files changed, 79 insertions(+)
 create mode 100644 hosts/koi/containers/docmost/default.nix
 create mode 100644 hosts/koi/containers/docmost/image/Dockerfile
 create mode 100644 secrets/docmost-env.age
diff --git a/hosts/koi/configuration.nix b/hosts/koi/configuration.nix
index d0ae2c6..023dec6 100755
--- a/hosts/koi/configuration.nix
+++ b/hosts/koi/configuration.nix
@@ -39,6 +39,7 @@
 ./containers/memos
 ./containers/wakapi
 ./containers/outline
+ ./containers/docmost
 ./containers/teisu.nix
 ./containers/bots/pcre-sub-bot.nix
 ./containers/bots/channel-logger-bot.nix
diff --git a/hosts/koi/containers/docmost/default.nix b/hosts/koi/containers/docmost/default.nix
new file mode 100644
index 0000000..0dffc6a
--- /dev/null
+++ b/hosts/koi/containers/docmost/default.nix
@@ -0,0 +1,74 @@
+{ pkgs, config, ... }:
+
+let
+ UID = 1124;
+ context = pkgs.copyPathToStore ./image;
+in {
+ desu.secrets.docmost-env.owner = "docmost";
+
+ users.users.docmost = {
+ isNormalUser = true;
+ uid = UID;
+ };
+
+ services.postgresql.ensureUsers = [
+ { name = "docmost"; ensureDBOwnership = true; }
+ ];
+ services.postgresql.ensureDatabases = [ "docmost" ];
+ desu.postgresql.ensurePasswords.docmost = "docmost";
+
+ virtualisation.oci-containers.containers.docmost-redis = {
+ image = "docker.io/redis:7.0-alpine";
+ user = builtins.toString UID;
+ extraOptions = [
+ "--mount=type=bind,source=/srv/docmost/redis,target=/data"
+ ];
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /srv/docmost/redis 0700 ${builtins.toString UID} ${builtins.toString UID} -"
+ ];
+
+ systemd.services.docker-docmost.serviceConfig.ExecStartPre = [
+ (pkgs.writeShellScript "build-docmost" ''
+ docker build -t local/docmost ${context}
+ '')
+ ];
+ virtualisation.oci-containers.containers.docmost = {
+ dependsOn = [ "docmost-redis" ];
+ image = "local/docmost";
+ environment = {
+ APP_URL = "https://docmost.stupid.fish";
+ PORT = "80";
+ DATABASE_URL = "postgres://docmost:docmost@172.17.0.1:5432/docmost?sslmode=disable";
+ REDIS_URL = "redis://docmost-redis.docker:6379";
+ STORAGE_DRIVER = "local";
+ FILE_UPLOAD_SIZE_LIMIT = "100mb";
+ MAIL_DRIVER = "smtp";
+ };
+ environmentFiles = [
+ # oidc related config + SECRET_KEY, UTILS_SECRET
+ config.desu.secrets.docmost-env.path
+ ];
+ user = builtins.toString UID;
+ extraOptions = [
+ "--group-add=${builtins.toString config.users.groups.geesefs.gid}"
+ "--mount=type=bind,source=/mnt/s3-desu-priv-encrypted/docmost,target=/app/data/storage"
+ ];
+ };
+ systemd.services.docker-docmost.requires = [ "postgresql.service" "gocryptfs.service" ];
+
+ services.nginx.virtualHosts."docmost.stupid.fish" = {
+ forceSSL = true;
+ useACMEHost = "stupid.fish";
+
+ locations."/" = {
+ proxyPass = "http://docmost.docker$request_uri";
+ proxyWebsockets = true;
+
+ extraConfig = ''
+ proxy_buffering off;
+ '';
+ };
+ };
+}
\ No newline at end of file
diff --git a/hosts/koi/containers/docmost/image/Dockerfile b/hosts/koi/containers/docmost/image/Dockerfile
new file mode 100644
index 0000000..450d508
--- /dev/null
+++ b/hosts/koi/containers/docmost/image/Dockerfile
@@ -0,0 +1,4 @@
+FROM docmost/docmost:0.6.2
+
+# for whatever reason docmost needs to be able to write to this dir at runtime
+RUN chmod -R 777 /app/apps/client/dist
\ No newline at end of file
diff --git a/secrets/docmost-env.age b/secrets/docmost-env.age
new file mode 100644
index 0000000000000000000000000000000000000000..af44db709fa69aa32e21d2a177d01a258ab180f3
GIT binary patch literal 488 zcmVZK~QfqWLR@za!O%&aB6u&d30emPK77R!3_@Z8!=R?nbK+IG}C#PQysyyBbo6UI}kY z#&2vWGyn`~ySlFWzi6S(v2Z_mWc)F~H#|w=%L4%YTVQt1Ge|NqwAtygErXEUW@C8y zw0jx0`rp(Val{+!ooZ^!W*}bt9ic=oY8v9S)<-T3!9gTjO)psW?B8)JYaZ@;gc5?@ z)EX=Wp?exz_mI@M#UP7jT*5r~l4JwjOQG>UojNZa6tH}{Zbq=^#_rOJ)JmjU;M;a- z+*b8S_rAX_&ffOelC5)3x73%~n*55KHsv`1Ea=7o*HVho{1(_Sp)Wxc{h8G%z>c{O z4}}_-jlD)tZmFXa3QTgX^%Xnk&rpik9WO ea)_uY!6OjbN
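Review bot: In hosts/koi/containers/docmost/default.nix the Postgres password is a literal equal to the username, set in `desu.postgresql.ensurePasswords.docmost = "docmost";` and repeated inside `DATABASE_URL` in the `environment` set, so it ends up in the Nix store and in the container's inspectable environment rather than with the other secrets. The commit already passes `config.desu.secrets.docmost-env.path` through `environmentFiles`; moving `DATABASE_URL` into that file with a generated password would keep `environment` to non-secret settings. Whether `desu.postgresql.ensurePasswords` can read the password from a file is not visible in this hunk and would need checking. Separately, `docmost-redis` is started without authentication and `REDIS_URL` carries no credentials, so it is worth confirming that only the docmost container can reach it.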
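Review bot: In hosts/koi/containers/docmost/image/Dockerfile, `RUN chmod -R 777 /app/apps/client/dist` makes what is presumably the served front-end bundle writable by every user in the image, although only the runtime user needs write access. The container is started with `user = builtins.toString UID` (1124) in default.nix, so, assuming the build step runs as root, `RUN chown -R 1124:1124 /app/apps/client/dist` would grant the same access without world-writable assets; the UID then has to stay in sync with the Nix side. `FROM docmost/docmost:0.6.2` is a mutable tag and the image is rebuilt in `ExecStartPre` on every service start, so pinning it as `docmost/docmost:0.6.2@sha256:<digest>` (placeholder digest) would keep what runs after a restart fixed to a reviewed image.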