feat(koi): activepieces

hosts/koi/configuration.nix

@@ -41,6 +41,7 @@
     ./containers/outline
     ./containers/docmost
     ./containers/forgejo
+    ./containers/activepieces
     ./containers/teisu.nix
     ./containers/bots/pcre-sub-bot.nix
     ./containers/bots/channel-logger-bot.nix
@@ -112,6 +113,8 @@
   boot.kernelParams = [ "panic=5" "panic_on_oops=1" "mitigations=off" ];
   boot.kernelPackages = pkgs.linuxPackages_latest;
 
+  networking.firewall.allowedTCPPorts = [ 25565 ];
+
   services.desu-deploy = {
     enable = true;
     key = builtins.readFile (abs "ssh/desu-deploy.pub");

hosts/koi/containers/activepieces/default.nix

@@ -0,0 +1,67 @@
+{ pkgs, config, ... }:
+
+let 
+  UID = 1127;
+  context = pkgs.copyPathToStore ./image;
+in {
+  desu.secrets.activepieces-env.owner = "activepieces";
+
+  users.users.activepieces = {
+    isNormalUser = true;
+    uid = UID;
+  };
+
+  services.postgresql.ensureUsers = [
+    { name = "activepieces"; ensureDBOwnership = true; }
+  ];
+  services.postgresql.ensureDatabases = [ "activepieces" ];
+  desu.postgresql.ensurePasswords.activepieces = "activepieces";
+
+  virtualisation.oci-containers.containers.activepieces-redis = {
+    image = "docker.io/redis:7.0-alpine";
+    user = builtins.toString UID;
+    extraOptions = [
+      "--mount=type=bind,source=/srv/activepieces/redis,target=/data"
+    ];
+  };
+
+  systemd.tmpfiles.rules = [
+    "d /srv/activepieces/redis 0700 ${builtins.toString UID} ${builtins.toString UID} -"
+  ];
+
+  systemd.services.docker-activepieces.serviceConfig.ExecStartPre = [
+    (pkgs.writeShellScript "build-activepieces" ''
+      docker build -t local/activepieces ${context}
+    '')
+  ];
+  virtualisation.oci-containers.containers.activepieces = {
+    image = "local/activepieces";
+    dependsOn = [ "activepieces-redis" ];
+    environment = {
+      AP_EXECUTION_MODE = "SANDBOX_CODE_ONLY";
+      AP_FRONTEND_URL = "https://ap.stupid.fish";
+      AP_POSTGRES_URL = "postgres://activepieces:activepieces@172.17.0.1:5432/activepieces";
+      AP_TELEMETRY_ENABLED = "false";
+      AP_EDITION = "ee";
+      AP_QUEUE_MODE = "REDIS";
+      AP_REDIS_HOST = "activepieces-redis.docker";
+      AP_REDIS_PORT = "6379"; 
+    };
+    environmentFiles = [
+      # oidc related config + SECRET_KEY, UTILS_SECRET
+      config.desu.secrets.activepieces-env.path
+    ];
+    user = builtins.toString UID;
+  };
+  systemd.services.docker-activepieces.requires = [ "postgresql.service" ];
+
+  services.nginx.virtualHosts."ap.stupid.fish" = {
+    forceSSL = true;
+    useACMEHost = "stupid.fish";
+
+    locations."/" = {
+      proxyPass = "http://activepieces.docker$request_uri";
+      proxyWebsockets = true;
+    };
+  };
+}

hosts/koi/containers/activepieces/image/Dockerfile

@@ -0,0 +1,8 @@
+FROM ghcr.io/activepieces/activepieces:0.38.3
+
+RUN sed -i -E 's!https://secrets.activepieces.com/license-keys!https://license.stupid.fish/services/activepieces!' /usr/src/app/dist/packages/server/api/main.js && \
+    chmod -R 777 /var/log/nginx/ && \
+    chmod -R 777 /var/lib/nginx && \
+    chmod -R 777 /run/ && \
+    mkdir -p /usr/src/app/cache && \
+    chmod -R 777 /usr/src/app/cache

hosts/koi/containers/teisu.nix

@@ -11,7 +11,7 @@ in {
   };
 
   virtualisation.oci-containers.containers.teisu = {
-    image = "ghcr.io/teidesu/tei.su:latest";
+    image = "git.stupid.fish/teidesu/tei.su:latest";
     environmentFiles = [
       config.desu.secrets.teisu-env.path
     ];

secrets/license-servers-env.age

@@ -0,0 +1,6 @@
+age-encryption.org/v1
+-> ssh-ed25519 sj88Xw x8G6D56j1N7kjMuU9TXdKxpmCyPyDnkbRSAAjcmIXGc
+qzQbchvolZgSIWisyKg/eiNRh+826iz6WHu5HQOiBoU
+--- MnAF7KtGU97wxf2tCfRbitqRPV/Bfg/GftUCrZAjtuU
+YC¥`+Û¬¦k÷bt½b¥‰CGRÿoùUtMü5b<35>UäZ
+xN÷I(pÜž6ºjÏ]y°_›ÃP&ÎE…<45>ÒjSO‰¢ZŽÒCÜkñÇmCW¾4´4M°g¼ª’ÖtìÏvhÆHá