modules: services: add vikunja

modules/services/default.nix

@@ -32,6 +32,7 @@
     ./ssh-server
     ./tlp
     ./transmission
+    ./vikunja
     ./wireguard
     ./woodpecker
   ];

modules/services/vikunja/default.nix

@@ -0,0 +1,123 @@
+# Todo and kanban app
+{ config, lib, ... }:
+let
+  cfg = config.my.services.vikunja;
+  subdomain = "todo";
+  vikunjaDomain = "${subdomain}.${config.networking.domain}";
+  socketPath = "/run/vikunja/vikunja.socket";
+in
+{
+  options.my.services.vikunja = with lib; {
+    enable = mkEnableOption "Vikunja todo app";
+
+    mail = {
+      enable = mkEnableOption {
+        description = "mailer configuration";
+      };
+
+      configFile = mkOption {
+        type = types.str;
+        example = "/run/secrets/vikunja-mail-config.env";
+        description = "Configuration for the mailer connection, using environment variables.";
+      };
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.vikunja = {
+      enable = true;
+
+      frontendScheme = "https";
+      frontendHostname = vikunjaDomain;
+
+      setupNginx = false;
+
+      database = {
+        type = "postgres";
+        user = "vikunja";
+        database = "vikunja";
+        host = "/run/postgresql";
+      };
+
+      settings = {
+        service = {
+          # Only allow registration of users through the CLI
+          enableregistration = false;
+          # Ues the host's timezone
+          timezone = config.time.timeZone;
+          # Use UNIX socket for serving the API
+          unixsocket = socketPath;
+          unixsocketmode = "0o660";
+        };
+
+        mailer = {
+          enabled = cfg.mail.enable;
+        };
+      };
+
+      environmentFiles = lib.optional cfg.mail.enable cfg.mail.configFile;
+    };
+
+    # This is a weird setup
+    my.services.nginx.virtualHosts = [
+      {
+        inherit subdomain;
+        # Serve the root for the web-ui
+        root = config.services.vikunja.package-frontend;
+
+        extraConfig = {
+          locations = {
+            "/" = {
+              tryFiles = "try_files $uri $uri/ /";
+            };
+
+            # Serve the API through a UNIX socket
+            "~* ^/(api|dav|\\.well-known)/" = {
+              proxyPass = "http://unix:${socketPath}";
+              extraConfig = ''
+                client_max_body_size 20M;
+              '';
+            };
+          };
+        };
+      }
+    ];
+
+    systemd.services.vikunja-api = {
+      serviceConfig = {
+        # Use a system user to simplify using the CLI
+        DynamicUser = lib.mkForce false;
+        # Set the user for postgres authentication
+        User = "vikunja";
+        # Create /run/vikunja/ to serve the UNIX socket
+        RuntimeDirectory = "vikunja";
+      };
+    };
+
+    users.users.vikunja = {
+      description = "Vikunja Service";
+      group = "vikunja";
+      isSystemUser = true;
+    };
+    users.groups.vikunja = { };
+
+    # Allow nginx to access the UNIX socket
+    users.users.nginx.extraGroups = [ "vikunja" ];
+
+    services.postgresql = {
+      ensureDatabases = [ "vikunja" ];
+      ensureUsers = [
+        {
+          name = "vikunja";
+          ensurePermissions = { "DATABASE vikunja" = "ALL PRIVILEGES"; };
+        }
+      ];
+    };
+
+    my.services.backup = {
+      paths = [
+        config.services.vikunja.settings.files.basepath
+      ];
+    };
+  };
+}