From ed54acc9aed46a63d54ca2006b9dddb0325cdc9f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Felix=20Schr=C3=B6ter?=
Date: Fri, 30 Dec 2022 13:16:18 +0100
Subject: [PATCH] feat: add Focalboard
---
 home-server.nix | 2 +
 secrets/focalboard/.env.age | Bin 0 -> 683 bytes
 secrets/focalboard/db-password.age | 9 ++++
 secrets/secrets.nix | 2 +
 services/focalboard.nix | 77 +++++++++++++++++++++++++++++
 5 files changed, 90 insertions(+)
 create mode 100644 secrets/focalboard/.env.age
 create mode 100644 secrets/focalboard/db-password.age
 create mode 100644 services/focalboard.nix
diff --git a/home-server.nix b/home-server.nix
index 707ded7..d49b1cc 100644
--- a/home-server.nix
+++ b/home-server.nix
@@ -29,6 +29,7 @@ in with builtins; {
 ./services/paperless.nix
 ./services/nextcloud.nix
 ./services/calibre-web.nix
+ ./services/focalboard.nix
 ];
 age.secrets.cloudflare.file = ./secrets/cloudflare.age;
@@ -89,6 +90,7 @@ in with builtins; {
 "news.felschr.com"
 "etebase.felschr.com"
 "paperless.felschr.com"
+ "boards.felschr.com"
 ];
 extraConfig = with pkgs; ''
 usev6=cmdv6, cmdv6=${
diff --git a/secrets/focalboard/.env.age b/secrets/focalboard/.env.age
new file mode 100644
index 0000000000000000000000000000000000000000..035df86e6a14376a0917570895519bd33aba36c4
GIT binary patch
literal 683
zcmZ9_-%As5008jHBAo~&MrKlnJ@l})+wHd7j%0DSpU(Z#?VLOGVcUIoyWMubcJ9X& z_5*rIqrilU>LDnyAHJx8L0}LHQY*ylEvN|d!KjByAC#ikKL5Zc$pQlq(n?iQIZ-f* z3JaGIoxuSWi&+C;%vLLcLt%pM$r6y8&^vL#W*?G)i&9y)9PK0BW(q|kdVt$|`nq!w zuLp2aN^|R6OqB{N$ts5Q@@3%dQQ36H7l?@=)fpo-*oyaKYK1Ua3z+!-W;1g+TNx_! z;4!`8$`rX0npT{wUJ;o}e>I8We9#8;JSWq6MkpwnkkAo1niqmX1nw$}Fp>z13D)nE zLMbPUM9Yb6M)c=ln_o3?7V6(-bUKV~1FL{!5kQ1B7&Yt$@q2koKoB z9hxnXakb^!Nm!*VMaZ)Z)&Jq#E=8kDL9qlIJpnXWv z$gjZiv3rXkNhkbhB~L`%n6*raDG#bM7z|Ju2{2kIUNXTs zK~?csUb4h-%teP_1&jMrVq7l@FsrSsC)&%c%!)8gn^?QwK)dgaS?F-kAK9~K=Ca*K79?E{@#!wtE*H%)tYe1F0n zjMN7At&!V9FK*nlthazWSJ$_B)9MlEc*kfovGc9*&`hDTE!6sS|FeRZZ(D6+KTSo) F{sKck{{R30 literal 0 HcmV?d00001
diff --git a/secrets/focalboard/db-password.age b/secrets/focalboard/db-password.age
new file mode 100644
index 0000000..0db040f
--- /dev/null
+++ b/secrets/focalboard/db-password.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 OAZQhA dxA+WbNEn/S09SFxcocGPj2b1NhorC1/qmjpq5rtxh0
+qSMHnpKjYm/wFX2aspH8ciuZrDrY80GoUbb1+xnHwXg
+-> ssh-ed25519 72ij7w tW82g/+efG37VE2f5QW0k/oy0pWzUg5ZXBG/8OaRSW8
+PCNKgRF41kD+LpzeHq+QONwiSw7pvfMhqa+3iljRw98
+-> TM0[wD[-grease ] )A`15 < D
+hHJtcXJ+
+--- L78Bv0VeBpdNUDkDnp5Dm3RZlU1ywVo/IhXwL1d9Ol0
+©ÛJúĬHZºP¸U_äiÅ0,í‰^41ÝÄh™D’"ÿò öpÿð_˜µ0¬+ÅcëÍ|/Ð-CçÎÇÉÀÂjJ 8U¹
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index eca37ef..cd35cf6 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -31,4 +31,6 @@ in {
 "home-server/hostKey.age".publicKeys = [ felschr home-server ];
 "hass/secrets.age".publicKeys = [ felschr home-server ];
 "esphome/password.age".publicKeys = [ felschr home-server ];
+ "focalboard/.env.age".publicKeys = [ felschr home-server ];
+ "focalboard/db-password.age".publicKeys = [ felschr home-server ];
 }
diff --git a/services/focalboard.nix b/services/focalboard.nix
new file mode 100644
index 0000000..c01490c
--- /dev/null
+++ b/services/focalboard.nix
@@ -0,0 +1,77 @@
+{ config, lib, pkgs, ... }:
+
+let
+ dataDir = "/var/lib/focalboard";
+ ociBackend = config.virtualisation.oci-containers.backend;
+ containersHost = "localhost";
+ port = 8003;
+ domain = "boards.felschr.com";
+ dbHost = containersHost;
+ dbPort = toString config.services.postgresql.port;
+ dbUser = "focalboard";
+ dbName = "focalboard";
+ dbPasswordFile = config.age.secrets.focalboard-db-password.path;
+
+ pgSuperUser = config.services.postgresql.superUser;
+in {
+ age.secrets.focalboard-env.file = ../secrets/focalboard/.env.age;
+ age.secrets.focalboard-db-password.file =
+ ../secrets/focalboard/db-password.age;
+
+ services.postgresql = {
+ enable = true;
+ enableTCPIP = true;
+ ensureDatabases = [ dbName ];
+ ensureUsers = [{
+ name = dbUser;
+ ensurePermissions."DATABASE ${dbName}" = "ALL PRIVILEGES";
+ }];
+ };
+
+ systemd.services.focalboard-init = {
+ enable = true;
+ description = "Set up paths & database access for Focalboard";
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ before = [ "${ociBackend}-focalboard.service" ];
+ wantedBy = [ "multi-user.target" ];
+ serviceConfig = {
+ Type = "oneshot";
+ LoadCredential = [ "db_password:${dbPasswordFile}" ];
+ };
+ script = ''
+ mkdir -p ${dataDir}
+ echo "Set focalboard postgres user password"
+ db_password="$(<"$CREDENTIALS_DIRECTORY/db_password")"
+ ${pkgs.sudo}/bin/sudo -u ${pgSuperUser} ${pkgs.postgresql}/bin/psql postgres \
+ -c "alter user ${dbUser} with password '$db_password'"
+ '';
+ };
+
+ virtualisation.oci-containers.containers.focalboard = {
+ image = "mattermost/focalboard";
+ ports = [ "${toString port}:${toString port}" ];
+ volumes = [ "${dataDir}:/var/lib/focalboard" ];
+ environment = {
+ FOCALBOARD_PORT = toString port;
+ FOCALBOARD_DBTYPE = "postgres";
+ };
+ # only secrets need to be included, e.g. FOCALBOARD_DBCONFIG
+ environmentFiles = [ config.age.secrets.focalboard-env.path ];
+ extraOptions = [ "--network=host" ];
+ };
+
+ systemd.services."${ociBackend}-focalboard" = {
+ requires = [ "postgresql.service" ];
+ after = [ "postgresql.service" ];
+ };
+
+ services.nginx.virtualHosts.${domain} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${toString port}";
+ proxyWebsockets = true;
+ };
+ };
+}
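Review bot: In the `focalboard-init` script the database password is handed to `sudo … psql` as a command-line argument (`-c "alter user … '$db_password'"`), so for the duration of the oneshot it is readable by any local user via the process list, which undoes the care taken to load it through `LoadCredential`; feed the statement on stdin instead, replacing the `psql … \` / `-c …` pair with `${pkgs.sudo}/bin/sudo -u ${pgSuperUser} ${pkgs.postgresql}/bin/psql postgres <<EOF` / `alter user ${dbUser} with password '$db_password'` / `EOF`. Even then the value is spliced into an SQL string literal, so a password containing a single quote would break or alter the statement; either generate the secret without quotes or note that constraint in a comment beside the `LoadCredential` line. `extraOptions = [ "--network=host" ]` also makes the `ports` entry a no-op and exposes Focalboard's port 8003 on every host interface, bypassing the nginx TLS front unless `networking.firewall` (not part of this patch) keeps it closed, which deserves a comment stating the assumption. The `dbHost` and `dbPort` bindings in the `let` block are unused, and the same password must be kept identical between `db-password.age` and the `FOCALBOARD_DBCONFIG` carried in `.env.age`; a comment naming the authoritative copy would help avoid drift.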