olat baby

2026-01-14 16:55:00 +01:00 · 2025-04-19 14:07:44 +02:00 · 2025-04-19 14:07:44 +02:00 · 44abe7ca44
commit 44abe7ca44
parent d02f3fb4b0
33 changed files with 130 additions and 79 deletions
--- a/newinfra/nix/apps/openolat/default.nix
+++ b/newinfra/nix/apps/openolat/default.nix
@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+let
+  dockerLogin = {
+    registry = "docker.noratrieb.dev";
+    username = "nils";
+    passwordFile = config.age.secrets.docker_registry_password.path;
+  };
+in
+{
+  age.secrets.openolat_db_password.file = ../../secrets/openolat_db_password.age;
+
+  virtualisation.oci-containers.containers = {
+    openolat = {
+      image = "docker.noratrieb.dev/openolat:69b3c8b6";
+      volumes = [
+        "/var/lib/openolat/files:/home/openolat/olatdata"
+        "${./extra-properties.properties}:/home/openolat/extra-properties.properties"
+      ];
+      ports = [ "127.0.0.1:5011:8088" ];
+      environment = {
+        # DB_PASSWORD = from openolat_db_password
+        DB_URL = "jdbc:postgresql://openolat-db:5432/oodb";
+        EXTRA_PROPERTIES = "/home/openolat/extra-properties.properties";
+        OLAT_HOST = "olat.noratrieb.dev";
+      };
+      environmentFiles = [ config.age.secrets.openolat_db_password.path ];
+      extraOptions = [ "--network=openolat" ];
+
+      dependsOn = [ "openolat-db" ];
+      login = dockerLogin;
+    };
+
+    openolat-db = {
+      image = "postgres:15";
+      volumes = [ "/var/lib/openolat/db:/var/lib/postgresql/data" ];
+      environment = {
+        POSTGRES_DB = "oodb";
+        POSTGRES_USER = "oodbu";
+        # POSTGRES_PASSWORD = from openolat_db_password
+        PGDATA = "/var/lib/postgresql/data/pgdata";
+      };
+      extraOptions = [ "--network=openolat" ];
+      environmentFiles = [ config.age.secrets.openolat_db_password.path ];
+    };
+  };
+
+  services.custom-backup.jobs = [
+    {
+      app = "openolat-db";
+      pgDump = {
+        containerName = "openolat-db";
+        dbName = "oodb";
+        userName = "oodbu";
+      };
+    }
+  ];
+
+  # https://www.reddit.com/r/NixOS/comments/13e5w6b/does_anyone_have_a_working_nixos_ocicontainers/
+  systemd.services.init-openolat-podman-network = {
+    description = "Create the network bridge for openolat.";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig.Type = "oneshot";
+    script = ''
+      	${lib.getExe pkgs.podman} network create openolat || true
+      	'';
+  };
+  system.activationScripts.makeOpenolatDir = lib.stringAfter [ "var" ] ''
+    mkdir -p /var/lib/openolat/db
+    mkdir -p /var/lib/openolat/files
+  '';
+}
--- a/newinfra/nix/apps/openolat/extra-properties.properties
+++ b/newinfra/nix/apps/openolat/extra-properties.properties
@ -0,0 +1 @@
+enforce.utf8.filesystem=false
--- a/newinfra/nix/hive.nix
+++ b/newinfra/nix/hive.nix
@ -178,6 +178,7 @@
      ./apps/cargo-bisect-rustc-service
      ./apps/killua
      ./apps/forgejo
+      ./apps/openolat
    ];

    deployment.tags = [ "caddy" "eu" "apps" "website" ];
--- a/newinfra/nix/modules/caddy/vps1.Caddyfile
+++ b/newinfra/nix/modules/caddy/vps1.Caddyfile
@ -65,6 +65,19 @@ git.noratrieb.dev {
 	reverse_proxy * localhost:5015
 }

+olat.noratrieb.dev {
+	log
+	encode zstd gzip
+	reverse_proxy * localhost:5011
+}
+
+# unsure if necessary... something was misconfigured in the past here...
+olat.noratrieb.dev:8088 {
+	log
+	encode zstd gzip
+	reverse_proxy * localhost:5011
+}
+
 ################################################################
 # redirects

--- a/newinfra/nix/modules/dns/noratrieb.dev.nix
+++ b/newinfra/nix/modules/dns/noratrieb.dev.nix
@ -70,6 +70,7 @@ let
        uptime = vps1;
        does-it-build = vps4;
        git = vps1;
+        olat = vps1;

        # --- fun shit
        localhost.A = [ (a "127.0.0.1") ];
--- a/newinfra/nix/secrets/backup_s3_secret.age
+++ b/newinfra/nix/secrets/backup_s3_secret.age
--- a/newinfra/nix/secrets/caddy_s3_key_secret.age
+++ b/newinfra/nix/secrets/caddy_s3_key_secret.age
--- a/newinfra/nix/secrets/docker_registry_password.age
+++ b/newinfra/nix/secrets/docker_registry_password.age
--- a/newinfra/nix/secrets/forgejo_s3_key_secret.age
+++ b/newinfra/nix/secrets/forgejo_s3_key_secret.age
--- a/newinfra/nix/secrets/garage_secrets.age
+++ b/newinfra/nix/secrets/garage_secrets.age
@ -1,13 +1,12 @@
 age-encryption.org/v1
-> ssh-ed25519 qM6TYg SovdMEtsuAN3HnwyoGcQsVtcpYObyh1N/VKbw4rN/B4
-neYvPr3H7Z0n42eXSacdJ2syK2tX4ZG8dVzdXYKMC3E
-> ssh-ed25519 XzACZQ O2zwX8G4Ladh+jlPtzvGKBJUCZwRdzEFBZMjQ6utlic
-EuxJbsnCtMU3iPGL+rtNPiA+r6h9IBHQGOo1krTSGMs
-> ssh-ed25519 51bcvA +ytU9agDEYXwSkjGXqTuGJFNX0H4gVg3NrSq+irpqR4
-WqB9xcniSoq+7MPZkeujE+Z5Et8q3u+/yEULeSU7Ka8
-> ssh-ed25519 vT7ExA NHrhD8lzaN2QUvnU5obIGFsFdC1tvADd7cfNONcvdGE
-egoyBBL9r0XV0bGOq+686PoOPICvYnE/erlZvQMJ4ps
--- j+CR0XGs/Z0D/f8PJVUu5m8ksetR0X9UgX2uLgRFGtY
-ëqÇRKS¢<EFBFBD>DE**²™”Ñ¸Wû´67½2ªZý(¦¨³“}v¨ÐÊÒ·+¢ýG<C3BD>¡®jÜì|'?´º_o¡¼(uÖÍ¨!õ‚ðº +ƒ\äg¯ûg`dIr¾{#ÝÏdÒùƒ³©‘;Í(UŸ¬ùýö´¸(ÿM(hkrí6áQ<C3A1>óþn÷Ê!râ¦ÝBŠ_2)<10>à
-^–è¹bš²8R°\ÒÝó<1C>Â·a
-“»›]jB‚û›D½Ó%2`×=HÆÔz
+-> ssh-ed25519 qM6TYg dSNo/WHtuVibuLghfNnznYw6+zsMJOWvi7LitHSn3AY
+pfZti2of1OZVOgVR+wXZrhGggtZ2W3jyUADDWVxQHfs
+-> ssh-ed25519 XzACZQ d5+ZaKmyb1yTZJ0mvPYl6On9XaOp8Z59zNQXVtEj6F8
+Ku4GwagVLPZHzOpkaFPZ1i5NoB9Z+Eyd0tuY28yS5Y
+-> ssh-ed25519 51bcvA PxNLpJLMnUrlyzKUairI6Y+f6BYn7N9e/OURoiHcWQk
+FsXdpP0pM+Xvst93kHIG+KsDlwrRRks4jxl+Q487Msc
+-> ssh-ed25519 vT7ExA PE9zzE4bKcexXg6LuoQnUOJbvNlqQF//qm1fgB6sM0M
+YSzgtZ+zGoTljLHrxeIY7MQV7xmLNDPFEeVrSq37QHA
+--- VGV6MkGwLwYmCq73bDzIJaRRTESJ9a1fieP1AJNiAUs
+‹j\ËČ_I9Îd±UK÷ Ë ďF1^Ň<08>ođ±uŔÍJŰŰo
+<EFBFBD>ąŁÄÉP"šltÖ±v%čőÚan›«©EëZX2’’×©«S;¤’	JĄ›$~žjcgŠ\«~5$Ö„ü*Ď	]§"˛·«
Ů ţńjS˛+qÎ—@wç·¨ËšĄ‡ôNÁ’<C381>ż1€F@ľ’k©•×$_ýaÎÂ…;Zö|ĂX‡LżKhˇ0Ŕó6®±ěż"Ń<Ů‘
--- a/newinfra/nix/secrets/grafana_admin_password.age
+++ b/newinfra/nix/secrets/grafana_admin_password.age
@ -1,6 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 XzACZQ rfGZDBIu3I6xLw/ZZXAaXNtcIdxhH8hIDzbvZ0co9T4
-FElMCSmBpJTt559GQwgwg1ojjaYVUB6AU4abWBDaG2E
--- thNXco05W/7JETn5LsK+38orUQY3dOA9+/9/2Y2p/+E
-(D€Já`&ôMqïNe#
-…VÉ`)þ)Ë«ÕÅ4wi<é;/áü´ò–/Pæ»dÌ<64>šþ^öÊroâFÐ4è¥%™*`á©€Hi0¥N§¹ñ"ÐR9-½<0C>¹ÏP›Ž´ŒÍNWnç
+-> ssh-ed25519 XzACZQ gikrlnVBvWOpWLhDy6eZ+BM/DMwerHQ5xl1KuXuRHCc
+epErSJOxYqbjXuCZL2gF1iBiAuS6pf5JHtJCPCCDkUg
+--- CnSLl0Mg5FGSf8G1N/LkX/xygMvCguiE2NGaL7TwGTk
+|w‚†8çÓÒ‘,ûE`ô¼PÄr#~¦Bb{h<>QÀ‘Â["“ìÐy_þðO„ì™ì#<23>¹EJêü>
Æ”¢–oð	^Õ#(š˜U<CB9C>ž<EFBFBD>d^¯çbÞ©H·ó\<5C>ßßÁ%6NJú
--- a/newinfra/nix/secrets/hugochat_db_password.age
+++ b/newinfra/nix/secrets/hugochat_db_password.age
--- a/newinfra/nix/secrets/killua_env.age
+++ b/newinfra/nix/secrets/killua_env.age
--- a/newinfra/nix/secrets/loki_env.age
+++ b/newinfra/nix/secrets/loki_env.age
@ -1,6 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 XzACZQ eBMqugfTB9wfhD2TgF2svakZ0tDdXjfIlurhXBf0+TM
-vJoHbSZT6BdvWfwcQVtjBUBa0x3b+Va6SyOuSL4soKY
--- eQQWdfE5bnx0EOu+4IzdlGwPLBEN6AAC8xA0u6/wXhE
-’Ö}2T‡?á	
;Âì1ít7©k¹š˜Áî—J”O¾»Í{Ç¸$ó„³
-3uóBAœ°d>Œt»íôf¯râX‰_=jØõŠ¿R>^!QÁÆà;`[»öF!šŸ¥VÑÛír©Î ®ŠÍÊ<>M_SÝDç„ð‰ÜÖG‹vaT;†’ÞP«‡·éñ¦hiÍ¿]O<ƒ·¶
+-> ssh-ed25519 XzACZQ LZJxX7aRBk26DYdfkd3vC2OLvIVBiZrvCroihjzka2c
+xze/qJWOJXXJaoUjS2Bd8Rfk3SOkN1HXRN3U0hmiKPQ
+--- NgSxh6hohM1C5hiAafFHWifJrb5mY87cTQgLzX9lVe8
+S´>ÜgßÔ>¦·Ù±ïg?}‹€ù=è<IÕÉ>þ³FaaÀT(ö¨¯# Rñ©€á‰VåÙdB<>3Åü]m™`´³t7–á?}´Y´Ñ/MøÁK™‘beŒsr<<3C>CÜ‘*¯ßÚéôýã.‘A³½±¢ãR½ìúŽP‡ú
³oÝ=|V(òA*m–«	el¸ öŸÃ
--- a/newinfra/nix/secrets/minio_env_file.age
+++ b/newinfra/nix/secrets/minio_env_file.age
--- a/newinfra/nix/secrets/openolat_db_password.age
+++ b/newinfra/nix/secrets/openolat_db_password.age
@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 qM6TYg yvo9tUxGgQETQ0w1qgr2wMp1Fu1FtryEnSq3CCcHIk8
+tVCZg826Pus5LtguOV22XIzvyQ/vlZFb0rYSyJhg0iE
+--- mkZIfeMIepMwEp47GeFo1wiYr66W9nBPP2vfvlzOF2o
+qnuâ†Č6çCŘżĺzu·ź–=~îüŽË¬6Qň”¬›ôž’˘ë™˛?Wm%ë`’ZĽăáU_X®¶]®Tu!äĐş<1B>ß€ęć˝`Gbuľuf<âž^ĘőÁĽŁ/i8˛üN(r<>SmĽŔřřkÚ`d…ăx})”tšgHĐ‡DÉ`Ľ*VE,`’i
--- a/newinfra/nix/secrets/registry_htpasswd.age
+++ b/newinfra/nix/secrets/registry_htpasswd.age
@ -1,5 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 qM6TYg EJWWxPHa5Rww9uwiEwHPKKBcc5SiwFlpiLjDRXrnfyA
-5DGTo4fsFuT8Vsutc4nSXq1NDoljSnUVlmviJcZFVKQ
--- Ha/ILA1plnnAwr3FdjeKicWHKwfHxjxUp9zhwihkgkI
-ˆ«ÌóûÂõ^HH22üVÃ«®o«ŒPÐÛ¯<8s‘§-MPFäMEîÜrö]nž3ió‘áuñŒ-Â˜‹¶ßY'ˆ#æ@°ëœFXclV¢ûÁxiÞáF‘–à
+-> ssh-ed25519 qM6TYg 0Y1d6GtpFGUUtfldl4+CKq8e0bWvcPGnR8I/N6L1XSM
+8HwFO3zIWh7+3J/rhFQCgty1k1FYU3SS9cF4ekbwZfI
+--- a7x+V3pI9cekGbdl6SfR3B7MOUxnNGOf+MJsPLDq/r4
+áYþU†…Š×¨N’ñ®¨9î×xÿ<1F>às¸â˜üÃÎ@4.òœßËGƒ2žB;ìž¶Wzˆ†3‰#Qi–4®þ¯§ÒÂ<C392>foµÑÂ˜åXEìcÿ·ªv³]×ÅÉšî7Éþºç
--- a/newinfra/nix/secrets/registry_s3_key_secret.age
+++ b/newinfra/nix/secrets/registry_s3_key_secret.age
--- a/newinfra/nix/secrets/s3_mc_admin_client.age
+++ b/newinfra/nix/secrets/s3_mc_admin_client.age
--- a/newinfra/nix/secrets/secrets.nix
+++ b/newinfra/nix/secrets/secrets.nix
@ -11,6 +11,7 @@ in
  "widetom_config_toml.age".publicKeys = [ vps1 ];
  "docker_registry_password.age".publicKeys = [ vps1 ];
  "hugochat_db_password.age".publicKeys = [ vps1 ];
+  "openolat_db_password.age".publicKeys = [ vps1 ];
  "minio_env_file.age".publicKeys = [ vps1 vps3 ];
  "garage_secrets.age".publicKeys = [ vps1 vps3 vps4 vps5 ];
  "caddy_s3_key_secret.age".publicKeys = [ vps1 vps3 vps4 vps5 ];
--- a/newinfra/nix/secrets/wg_private_dns1.age
+++ b/newinfra/nix/secrets/wg_private_dns1.age
--- a/newinfra/nix/secrets/wg_private_dns2.age
+++ b/newinfra/nix/secrets/wg_private_dns2.age
--- a/newinfra/nix/secrets/wg_private_vps1.age
+++ b/newinfra/nix/secrets/wg_private_vps1.age
@ -1,5 +1,6 @@
 age-encryption.org/v1
-> ssh-ed25519 qM6TYg wMMdxXZc1yZiD9oS6ne/7Ne29uz+Q97kYYjZtyhR9Qs
-hNwS16RMdvb7hNfjRdUow/sYtUcta4YPoe4qh0jAEOE
--- 30m6ILfUyjxm/nindgNcujh4bGOUvMbrcArSLEd2NuI
-Ì¢×î0ÍÃÉfÌÜÍ-1TØ‘à_s>?f·I[L•À…•ÇÏ<C387>mL4¯á«#ÛÑ,qwÔÂåPY-[’‰n$áò<C3A1>Á¦ µ4
+-> ssh-ed25519 qM6TYg vC8XBZQGff/q/SEsiIb+pyhfE/2MCWbo1m+suXpzyhY
+r2R02FSzrpiPyoAeiPqWNdXc0Jqd6v2rv4hxo89LqD8
+--- NBCfTZYGNmAHQOABVhlcsgbJmKpmeUM15FdKLQjVazw
+,t¬}˜ <20>¨¾“| &¦“-À^uüÊU6Z_ì&Ú—Úuôe[wá—™–Ó	_ë²¢°
+£^£®\Ý(ëœ†gP‚y-j‹éš;ýùD
--- a/newinfra/nix/secrets/wg_private_vps3.age
+++ b/newinfra/nix/secrets/wg_private_vps3.age
@ -1,5 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 XzACZQ k5WVMoS1WD1Jb+RfV0OOW5umLFfEdfIqDodBViQFvzc
-kypBLkD32beBsTtEoCyH0b9L4GAxorTFhqH3nhkO72w
--- aUbimoG2VppL5CPG3tES+zp/cINt6ZjNnthvCcpt0ww
-‹kð…éÈ~iÃ"ÃßB˜÷V¸M‘DEù´–QöBŠu<C5A0>òK
P§ñâàuä×h¦GCÞ±épT‰±íØé)t¤l€Çnö
+-> ssh-ed25519 XzACZQ FnGfRDdT9kQXeYzv7yzwI+1fVXmeseC6YVCCzeoeLCQ
+HydL6WRBzLmqAKNmf0kzBmZiFRQ8KM3dHEdx2676Nx0
+--- E7+8BYiNPPm3fI6FiEii2txlbsesfSXuE2Nxvb7Zlx4
+™m»5q®÷ÞÁ~ú>R-¡<C2AD>·ôeŒ~ÿ+$¦˜•TÌ5öPäõr´nH:$4ðj¦kþB÷$CqRuóïˆM˜mªF`‹þA4<41>·Ñe
--- a/newinfra/nix/secrets/wg_private_vps4.age
+++ b/newinfra/nix/secrets/wg_private_vps4.age
@ -1,5 +1,5 @@
 age-encryption.org/v1
-> ssh-ed25519 51bcvA A5RlnDQ8XJQK5KqxwrvVsrfJKVzb22/c/J/EPvfhtRA
-ByXVkK+QIuGV9bCgcqYOAj54k/O6SrYBLrJIQMec0nA
--- S+1ZbskI6F3pIT8Pm9qjoHpHu0BmihvC1c9D77sghVY
-·Ë{ŤX‡ă¶w°ő˙<ńp‘äśřé“’ĘZ¶SŻ><3E>G*KD_r;Ĺć9«ÄşO"s<áÓ™Cb6ú#lűQ“Éa¸<<3C>j)ťĎu
+-> ssh-ed25519 51bcvA IVcXj0PQpO6Rj7ovi4GgoQF77sRDdumHNavSVdQXcHI
+O7j/05HqbjLvIYh9cT/iT8p6GMDn14vDOqU3Jh6tUIc
+--- wt0viOUTFWu9ze3CcQ4i1xMrb+RLTOg2hcVsDwbzMzA
+Çâ<C387>iÍ-_ñŒrË£Æ*=Öî@Ÿ“|D3éÕeå%ö´näÈYÈò'í×RŠ°h3î‡VËü%-=¡à¾W¸Óî‹;
¼icS
--- a/newinfra/nix/secrets/wg_private_vps5.age
+++ b/newinfra/nix/secrets/wg_private_vps5.age
--- a/newinfra/nix/secrets/widetom_bot_token.age
+++ b/newinfra/nix/secrets/widetom_bot_token.age
--- a/newinfra/nix/secrets/widetom_config_toml.age
+++ b/newinfra/nix/secrets/widetom_config_toml.age
--- a/newinfra/secrets-git-crypt/openolat_db_password
+++ b/newinfra/secrets-git-crypt/openolat_db_password