From a194fc64b5928661304499541dbe442637c163e6 Mon Sep 17 00:00:00 2001
From: teidesu
Date: Sat, 3 Aug 2024 09:36:05 +0300
Subject: [PATCH] feat(koi): tei.su deployment
---
 hosts/koi/configuration.nix | 1 +
 hosts/koi/containers/teisu.nix | 50 ++++++++++++++++++++++++++
 hosts/koi/containers/zond/default.nix | 1 +
 hosts/koi/services/phpfront.nix | 2 +-
 secrets/teisu-env.age | Bin 0 -> 1172 bytes
 5 files changed, 53 insertions(+), 1 deletion(-)
 create mode 100644 hosts/koi/containers/teisu.nix
 create mode 100644 secrets/teisu-env.age
diff --git a/hosts/koi/configuration.nix b/hosts/koi/configuration.nix
index e20b9fe..bd668bc 100755
--- a/hosts/koi/configuration.nix
+++ b/hosts/koi/configuration.nix
@@ -28,6 +28,7 @@
 ./containers/pds
 ./containers/navidrome
 ./containers/zond
+ ./containers/teisu.nix
 ./containers/bots/pcre-sub-bot.nix
 ./vms/hass.nix
 ./vms/bnuuy.nix
diff --git a/hosts/koi/containers/teisu.nix b/hosts/koi/containers/teisu.nix
new file mode 100644
index 0000000..e7575a3
--- /dev/null
+++ b/hosts/koi/containers/teisu.nix
@@ -0,0 +1,50 @@
+{ abs, config, ... } @ inputs:
+
+let
+ secrets = import (abs "lib/secrets.nix");
+
+ UID = 1103;
+in {
+ imports = [
+ (secrets.declare [{
+ name = "teisu-env";
+ owner = "teisu";
+ }])
+ ];
+
+ users.users.teisu = {
+ isNormalUser = true;
+ uid = UID;
+ };
+
+ virtualisation.oci-containers.containers.teisu = {
+ image = "ghcr.io/teidesu/tei.su:sha-e6a632c@sha256:1f6da149f278d05136155ff9faa858565dcb5ab66c429cba6839f731879fcf71";
+ volumes = [
+ "/srv/teisu:/app/.runtime"
+ ];
+ environmentFiles = [
+ (secrets.file config "teisu-env")
+ ];
+ user = builtins.toString UID;
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /srv/teisu 0755 teisu teisu -"
+ ];
+
+ services.nginx.virtualHosts."tei.su" = {
+ forceSSL = true;
+ useACMEHost = "tei.su";
+
+ locations."/" = {
+ proxyPass = "http://teisu.docker:4321/";
+ };
+
+ locations."/.well-known/" = {
+ proxyPass = "http://teisu.docker:4321/.well-known/";
+ extraConfig = ''
+ add_header 'Access-Control-Allow-Origin' '*';
+ '';
+ };
+ };
+}
\ No newline at end of file
diff --git a/hosts/koi/containers/zond/default.nix b/hosts/koi/containers/zond/default.nix
index 85473d0..60ab5f9 100644
--- a/hosts/koi/containers/zond/default.nix
+++ b/hosts/koi/containers/zond/default.nix
@@ -2,6 +2,7 @@
 {
 # todo - move this from an ad-hoc docker compose to a proper service
+ # todo 2: update UMAMI_HOST in teisu-env
 services.nginx.virtualHosts."zond.tei.su" = {
 forceSSL = true;
 useACMEHost = "tei.su";
diff --git a/hosts/koi/services/phpfront.nix b/hosts/koi/services/phpfront.nix
index fb6f0d3..0490fbc 100644
--- a/hosts/koi/services/phpfront.nix
+++ b/hosts/koi/services/phpfront.nix
@@ -21,7 +21,7 @@
 phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
 };
- services.nginx.virtualHosts."tei.su" = {
+ services.nginx.virtualHosts."legacy.tei.su" = {
 forceSSL = true;
 useACMEHost = "tei.su";
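Review bot: In hosts/koi/containers/teisu.nix the tmpfiles rule `d /srv/teisu 0755 teisu teisu -` names a group `teisu` that nothing in this hunk declares: `users.users.teisu` sets only `isNormalUser = true`, which in NixOS defaults the primary group to `users` and also gives the container account a home directory and default shell. Unless `secrets.declare` or another module creates that group, systemd-tmpfiles will likely fail to resolve it and skip creating the directory. For a least-privilege service account consider `isSystemUser = true; group = "teisu";` together with `users.groups.teisu = {};`, and mode `0750` on `/srv/teisu` if nothing outside the container needs to read the runtime data. Separately, the `add_header` in `locations."/.well-known/"` is sent only on 2xx/3xx responses unless `always` is appended, and it replaces any `add_header` inherited from the server level, so security headers set higher up (if any) would not apply to that location.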
diff --git a/secrets/teisu-env.age b/secrets/teisu-env.age new file mode 100644 index 0000000000000000000000000000000000000000..08cb2793175054271344d644a24841bf6236bb8b GIT binary patch literal 1172 zcmV;F1Z(?YXJsvAZewzJaCB*JZZ2e zOLk{dMr~z!b4YS)S7UWcG-pj&S29jEL1{rsLt{%(Z7*+cb~0LQF)#{tR5N5qGi^<1 zRbgo~cr!tDSU7SqY*=YiK`}^qOgLj&O;0drX>LhwM`H>tEiE8aWGie{VOMBZY+`jw zS#(-QXHsoyGDA@`Ohs!~W@IpAW=2_7V>wB1Su_ec1K;QeFXr~%Gezhy!anq^HHefz zrfw&R0k1fE*t))~&HsSn#(Wzv7viP~nK?j?O8mu7}-L%@4D(oW6;xJs_qZ#B735Pe(nzsvtmtE6kLv=u(#reza##`lM_9W!QT*ZaoMg!*sMRu z{=I6jH?r#c!Y4ufzf=s*I3M`(Xnh+Pmsr`w4=*(Bg}*dqaCFR4MBj9c$60n;7Uw}g zxRxi${>kc~sk$~`Yg+UR&*C!cjQI4fUW1xwi`Nd?w3x?z;WUwQ0;CVnk%9aOJs@kF zJ2*3~;K8AZI>6Cdp0jNKPwB!nbu8y9_Wt$K1doR++Gf?}uzP{P$?*!s~tFLRQ!y`TLx2phFP&e`3SVpwyaF z)6in^RvKEv&Shcil^8A+p-(3+B?NAuzGtF?6pBPP%?EK3dlnVw9>Eh02Zhq;Ep1Cn zY+1M}uh1vIp?Kn#|KQ<+0tqwK5|+g+6iNht(HmOIu(&SR`Vq}ZKHJV{u2U<4=8Dr# zLuEXr@Byh4JiYBN4!;=r^mGf6G@wI)k&!e758l+kW zN}{_%W|fkED_;-QU!4I$I+_-fLUmnz%Ln@#k~Jq`eh&Ny$qOpR-BH=>T1d>Xi+9Ko z=Zd4kRXI>9rMwqNw~WvYHCXW1)3vTPu8<_Li#h*Vy~$Zy?deugYwC%?^MZ%|Ib3~f zRI3lz7N%rjZBVzRBn6f!GCikUu=OKfNPV2~Nlr$13|&kU49_%t4h<`RNx`+q0K&H7 zQ2033oIAE_+j~G#{51A-9=261tWLrnX;qL!1Pe*?Ez}H-K{0?q>_h*uojq;WVv6xy mxVM5ouJTAWg2exoC7^hM#}?e)@c@Vd7C+L@?vxccZtKLh|2Ve* literal 0 HcmV?d00001