penpot: configure penpot host using oci-containers

2024-08-10 22:38:05 +02:00 · 2024-08-10 22:38:05 +02:00 · 178777007f
commit 178777007f
parent faffcb7d54
10 changed files with 570 additions and 0 deletions
--- a/config/hosts/penpot/penpot.nix
+++ b/config/hosts/penpot/penpot.nix
@ -0,0 +1,198 @@
+# Sources used for this configuration:
+# - https://github.com/penpot/penpot/blob/2.1.0/docker/images/docker-compose.yaml
+# - https://raw.githubusercontent.com/penpot/penpot/2.1.0/docker/images/docker-compose.yaml
+# - https://help.penpot.app/technical-guide/configuration/
+# - https://medium.com/@social.iodols/managing-docker-containers-in-nixos-fbda0f666dd1
+# - https://madison-technologies.com/take-your-nixos-container-config-and-shove-it/
+
+{ config, pkgs, ... }:
+
+let
+  # Flags for both frontend and backend.
+  # https://help.penpot.app/technical-guide/configuration/#common
+  # https://github.com/penpot/penpot/commit/ea7ad2aaa096f8d190d740f693f22f3ed1f05088
+  commonPenpotFlags = "disable-registration enable-oidc-registration disable-login-with-password enable-login-with-oidc";
+  penpotVersion = "2.1.2";
+in
+{
+  virtualisation.docker.enable = true;
+  virtualisation.oci-containers = {
+    backend = "docker";
+    containers = {
+      "penpot-frontend" = {
+        autoStart = true;
+        image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/frontend:${penpotVersion}";
+        extraOptions = [ "--network=penpot" ];
+        ports = [ "9001:80" ];
+        volumes = [ "penpot_assets:/opt/data/assets" ];
+        dependsOn = [
+          "penpot-backend"
+          "penpot-exporter"
+        ];
+        environment = {
+          # https://help.penpot.app/technical-guide/configuration/#frontend
+          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L78
+
+          PENPOT_FLAGS = "${commonPenpotFlags} disable-onboarding";
+        };
+      };
+
+      "penpot-backend" = {
+        autoStart = true;
+        image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/backend:${penpotVersion}";
+        extraOptions = [ "--network=penpot" ];
+        volumes = [ "penpot_assets:/opt/data/assets" ];
+        dependsOn = [
+          "penpot-postgres"
+          "penpot-redis"
+        ];
+        environment = {
+          # https://help.penpot.app/technical-guide/configuration/#backend
+          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L112
+
+          PENPOT_FLAGS = "${commonPenpotFlags} enable-smtp";
+
+          # PENPOT_SECRET_KEY st via environmentFile.
+          PENPOT_TELEMETRY_ENABLED = "false";
+
+          # OpenID Connect configuration.
+          # https://help.penpot.app/technical-guide/configuration/#openid-connect
+          PENPOT_OIDC_CLIENT_ID = "penpot";
+          PENPOT_OIDC_BASE_URI = "https://id.hamburg.ccc.de/realms/ccchh/";
+          # PENPOT_OIDC_CLIENT_SECRET set via environmentFile.
+          PENPOT_OIDC_ROLES = "user";
+          PENPOT_OIDC_ROLES_ATTR = "roles";
+
+          # Database configuration.
+          # https://help.penpot.app/technical-guide/configuration/#database
+          PENPOT_DATABASE_USERNAME = "penpot";
+          # PENPOT_DATABASE_PASSWORD set via environmentFile.
+          PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot";
+
+          # Email configuration.
+          # https://help.penpot.app/technical-guide/configuration/#email-(smtp)
+          PENPOT_SMTP_HOST = "cow.hamburg.ccc.de";
+          PENPOT_SMTP_PORT = "465";
+          PENPOT_SMTP_USERNAME = "no-reply@design.hamburg.ccc.de";
+          # PENPOT_SMTP_PASSWORD set via environmentFile.
+          PENPOT_SMTP_SSL = "true";
+          PENPOT_SMTP_DEFAULT_REPLY_TO = "Penpot <no-reply@design.hamburg.ccc.de>";
+          PENPOT_SMTP_DEFAULT_FROM = "Penpot <no-reply@design.hamburg.ccc.de>";
+
+          # Storage
+          # https://help.penpot.app/technical-guide/configuration/#storage
+          PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs";
+          PENPOT_STORAGE_ASSETS_FS_DIRECTORY = "/opt/data/assets";
+
+          # Redis
+          # https://help.penpot.app/technical-guide/configuration/#redis
+          PENPOT_REDIS_URI = "redis://penpot-redis/0";
+
+          PENPOT_PUBLIC_URI = "https://design.hamburg.ccc.de";
+        };
+        environmentFiles = [ "/run/secrets/penpot_backend_environment_file" ];
+      };
+
+      "penpot-exporter" = {
+        autoStart = true;
+        image = "git.hamburg.ccc.de/ccchh/oci-images/penpot/exporter:${penpotVersion}";
+        extraOptions = [ "--network=penpot" ];
+        environment = {
+          # https://help.penpot.app/technical-guide/configuration/#exporter
+          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L221
+          PENPOT_PUBLIC_URI = "http://penpot-frontend";
+          PENPOT_REDIS_URI = "redis://penpot-redis/0";
+        };
+      };
+
+      "penpot-postgres" = {
+        autoStart = true;
+        image = "docker.io/library/postgres:15";
+        extraOptions = [ "--stop-signal=SIGINT" "--network=penpot" ];
+        volumes = [ "penpot_postgres_v15:/var/lib/postgresql/data" ];
+        environment = {
+          # https://github.com/penpot/penpot/blob/develop/docker/images/docker-compose.yaml#L240
+
+          POSTGRES_INITDB_ARGS = "--data-checksums";
+          POSTGRES_DB = "penpot";
+          POSTGRES_USER = "penpot";
+          # POSTGRES_PASSWORD set via environmentFile.
+        };
+        environmentFiles = [ "/run/secrets/penpot_postgres_environment_file" ];
+      };
+
+      "penpot-redis" = {
+        autoStart = true;
+        image = "docker.io/library/redis:7";
+        extraOptions = [ "--network=penpot" ];
+      };
+    };
+  };
+
+  # Docker networks.
+  systemd.services."docker-network-penpot" = {
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+      ExecStop = "${pkgs.docker}/bin/docker network rm -f penpot";
+    };
+    script = "${pkgs.docker}/bin/docker network inspect penpot || ${pkgs.docker}/bin/docker network create penpot";
+    requiredBy = [
+      "docker-penpot-frontend.service"
+      "docker-penpot-backend.service"
+      "docker-penpot-exporter.service"
+      "docker-penpot-postgres.service"
+      "docker-penpot-redis.service"
+    ];
+    before = [
+      "docker-penpot-frontend.service"
+      "docker-penpot-backend.service"
+      "docker-penpot-exporter.service"
+      "docker-penpot-postgres.service"
+      "docker-penpot-redis.service"
+    ];
+  };
+
+  # Pull docker images prior to starting container services, so that a container
+  # service isn't considered up, if it actually is still just pulling the
+  # relevant image.
+  systemd.services."docker-images-penpot" = {
+    serviceConfig = {
+      Type = "oneshot";
+      RemainAfterExit = true;
+    };
+    script = ''
+      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-frontend".image}
+      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-backend".image}
+      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-exporter".image}
+      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-postgres".image}
+      ${pkgs.docker}/bin/docker pull ${config.virtualisation.oci-containers.containers."penpot-redis".image}
+    '';
+    requiredBy = [
+      "docker-penpot-frontend.service"
+      "docker-penpot-backend.service"
+      "docker-penpot-exporter.service"
+      "docker-penpot-postgres.service"
+      "docker-penpot-redis.service"
+    ];
+    before = [
+      "docker-penpot-frontend.service"
+      "docker-penpot-backend.service"
+      "docker-penpot-exporter.service"
+      "docker-penpot-postgres.service"
+      "docker-penpot-redis.service"
+    ];
+  };
+
+  sops.secrets."penpot_backend_environment_file" = {
+    mode = "0440";
+    owner = "root";
+    group = "root";
+  };
+
+  sops.secrets."penpot_postgres_environment_file" = {
+    mode = "0440";
+    owner = "root";
+    group = "root";
+  };
+}