olat baby

newinfra/nix/apps/openolat/default.nix

@@ -0,0 +1,72 @@
+{ config, lib, pkgs, ... }:
+let
+  dockerLogin = {
+    registry = "docker.noratrieb.dev";
+    username = "nils";
+    passwordFile = config.age.secrets.docker_registry_password.path;
+  };
+in
+{
+  age.secrets.openolat_db_password.file = ../../secrets/openolat_db_password.age;
+
+  virtualisation.oci-containers.containers = {
+    openolat = {
+      image = "docker.noratrieb.dev/openolat:69b3c8b6";
+      volumes = [
+        "/var/lib/openolat/files:/home/openolat/olatdata"
+        "${./extra-properties.properties}:/home/openolat/extra-properties.properties"
+      ];
+      ports = [ "127.0.0.1:5011:8088" ];
+      environment = {
+        # DB_PASSWORD = from openolat_db_password
+        DB_URL = "jdbc:postgresql://openolat-db:5432/oodb";
+        EXTRA_PROPERTIES = "/home/openolat/extra-properties.properties";
+        OLAT_HOST = "olat.noratrieb.dev";
+      };
+      environmentFiles = [ config.age.secrets.openolat_db_password.path ];
+      extraOptions = [ "--network=openolat" ];
+
+      dependsOn = [ "openolat-db" ];
+      login = dockerLogin;
+    };
+
+    openolat-db = {
+      image = "postgres:15";
+      volumes = [ "/var/lib/openolat/db:/var/lib/postgresql/data" ];
+      environment = {
+        POSTGRES_DB = "oodb";
+        POSTGRES_USER = "oodbu";
+        # POSTGRES_PASSWORD = from openolat_db_password
+        PGDATA = "/var/lib/postgresql/data/pgdata";
+      };
+      extraOptions = [ "--network=openolat" ];
+      environmentFiles = [ config.age.secrets.openolat_db_password.path ];
+    };
+  };
+
+  services.custom-backup.jobs = [
+    {
+      app = "openolat-db";
+      pgDump = {
+        containerName = "openolat-db";
+        dbName = "oodb";
+        userName = "oodbu";
+      };
+    }
+  ];
+
+  # https://www.reddit.com/r/NixOS/comments/13e5w6b/does_anyone_have_a_working_nixos_ocicontainers/
+  systemd.services.init-openolat-podman-network = {
+    description = "Create the network bridge for openolat.";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig.Type = "oneshot";
+    script = ''
+      	${lib.getExe pkgs.podman} network create openolat || true
+      	'';
+  };
+  system.activationScripts.makeOpenolatDir = lib.stringAfter [ "var" ] ''
+    mkdir -p /var/lib/openolat/db
+    mkdir -p /var/lib/openolat/files
+  '';
+}

newinfra/nix/apps/openolat/extra-properties.properties

@@ -0,0 +1 @@
+enforce.utf8.filesystem=false

newinfra/nix/hive.nix

@@ -178,6 +178,7 @@
       ./apps/cargo-bisect-rustc-service
       ./apps/killua
       ./apps/forgejo
+      ./apps/openolat
     ];
 
     deployment.tags = [ "caddy" "eu" "apps" "website" ];

newinfra/nix/modules/caddy/vps1.Caddyfile

@@ -65,6 +65,19 @@ git.noratrieb.dev {
 	reverse_proxy * localhost:5015
 }
 
+olat.noratrieb.dev {
+	log
+	encode zstd gzip
+	reverse_proxy * localhost:5011
+}
+
+# unsure if necessary... something was misconfigured in the past here...
+olat.noratrieb.dev:8088 {
+	log
+	encode zstd gzip
+	reverse_proxy * localhost:5011
+}
+
 ################################################################
 # redirects
 

newinfra/nix/modules/dns/noratrieb.dev.nix

@@ -70,6 +70,7 @@ let
         uptime = vps1;
         does-it-build = vps4;
         git = vps1;
+        olat = vps1;
 
         # --- fun shit
         localhost.A = [ (a "127.0.0.1") ];

newinfra/nix/secrets/garage_secrets.age

@@ -1,13 +1,12 @@
 age-encryption.org/v1
--> ssh-ed25519 qM6TYg SovdMEtsuAN3HnwyoGcQsVtcpYObyh1N/VKbw4rN/B4
+-> ssh-ed25519 qM6TYg dSNo/WHtuVibuLghfNnznYw6+zsMJOWvi7LitHSn3AY
-neYvPr3H7Z0n42eXSacdJ2syK2tX4ZG8dVzdXYKMC3E
+pfZti2of1OZVOgVR+wXZrhGggtZ2W3jyUADDWVxQHfs
--> ssh-ed25519 XzACZQ O2zwX8G4Ladh+jlPtzvGKBJUCZwRdzEFBZMjQ6utlic
+-> ssh-ed25519 XzACZQ d5+ZaKmyb1yTZJ0mvPYl6On9XaOp8Z59zNQXVtEj6F8
-EuxJbsnCtMU3iPGL+rtNPiA+r6h9IBHQGOo1krTSGMs
++Ku4GwagVLPZHzOpkaFPZ1i5NoB9Z+Eyd0tuY28yS5Y
--> ssh-ed25519 51bcvA +ytU9agDEYXwSkjGXqTuGJFNX0H4gVg3NrSq+irpqR4
+-> ssh-ed25519 51bcvA PxNLpJLMnUrlyzKUairI6Y+f6BYn7N9e/OURoiHcWQk
-WqB9xcniSoq+7MPZkeujE+Z5Et8q3u+/yEULeSU7Ka8
+FsXdpP0pM+Xvst93kHIG+KsDlwrRRks4jxl+Q487Msc
--> ssh-ed25519 vT7ExA NHrhD8lzaN2QUvnU5obIGFsFdC1tvADd7cfNONcvdGE
+-> ssh-ed25519 vT7ExA PE9zzE4bKcexXg6LuoQnUOJbvNlqQF//qm1fgB6sM0M
-egoyBBL9r0XV0bGOq+686PoOPICvYnE/erlZvQMJ4ps
+YSzgtZ+zGoTljLHrxeIY7MQV7xmLNDPFEeVrSq37QHA
---- j+CR0XGs/Z0D/f8PJVUu5m8ksetR0X9UgX2uLgRFGtY
+--- VGV6MkGwLwYmCq73bDzIJaRRTESJ9a1fieP1AJNiAUs
-ëqÇRKS¢<EFBFBD>DE**²™”ѸWû´67½2ªZý(¦¨³“
}v¨ÐÊÒ·+¢ýG<C3BD>¡®jÜì|'?´º_o¡¼(uÖͨ!õ‚ðº +ƒ\äg¯ûg`dIr¾{#ÝÏdÒùƒ
³©‘;Í(UŸ¬ùýö´¸(ÿM(hkrí6áQ<C3A1>óþn÷Ê!râ¦ÝBŠ_2)<10>à
+
‹j\ËČ_I9Îd±UK÷ Ë ďF1^Ň<08>ođ±uŔÍJŰŰo
-^–è¹bš²8R°\ÒÝó<1C>·a
+<EFBFBD>ąŁÄÉP"šltÖ±v%čőÚan›«©EëZX2’’ש«S;¤’	JĄ›$~žjcgŠ\«~5$Ö„ü*Ď	]§"˛·«
Ů ţńjS˛+qΗ@w編˚Ą‡ôNÁ’<C381>ż1€F@ľ’k©•×$_ýaÎÂ…;Zö|ĂX‡LżKhˇ0Ŕó6®±ěż"Ń<Ů‘
-“»›]jB‚û›D½Ó%2`×=HÆÔz

newinfra/nix/secrets/grafana_admin_password.age

@@ -1,6 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 XzACZQ rfGZDBIu3I6xLw/ZZXAaXNtcIdxhH8hIDzbvZ0co9T4
+-> ssh-ed25519 XzACZQ gikrlnVBvWOpWLhDy6eZ+BM/DMwerHQ5xl1KuXuRHCc
-FElMCSmBpJTt559GQwgwg1ojjaYVUB6AU4abWBDaG2E
+epErSJOxYqbjXuCZL2gF1iBiAuS6pf5JHtJCPCCDkUg
---- thNXco05W/7JETn5LsK+38orUQY3dOA9+/9/2Y2p/+E
+--- CnSLl0Mg5FGSf8G1N/LkX/xygMvCguiE2NGaL7TwGTk
-(D€Já`&ôMqïNe#
+|w‚†8çÓÒ‘,ûE`ô¼PÄr#~¦Bb{h<>QÀ‘Â["“ìÐy_þðO„ì™ì#<23>¹EJêü>
Æ”¢–oð	^Õ#(š˜U<CB9C>ž<EFBFBD>d­^¯çbÞ©H·ó\<5C>ßßÁ%6NJú
-…VÉ`)þ)Ë«ÕÅ4wi<é;/áü´ò–/Pæ»dÌ<64>šþ^öÊroâFÐ4è¥%
™*`á©€Hi0¥N§¹ñ"ÐR9-½<0C>¹ÏP›Ž´ŒÍNWnç

newinfra/nix/secrets/loki_env.age

@@ -1,6 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 XzACZQ eBMqugfTB9wfhD2TgF2svakZ0tDdXjfIlurhXBf0+TM
+-> ssh-ed25519 XzACZQ LZJxX7aRBk26DYdfkd3vC2OLvIVBiZrvCroihjzka2c
-vJoHbSZT6BdvWfwcQVtjBUBa0x3b+Va6SyOuSL4soKY
+xze/qJWOJXXJaoUjS2Bd8Rfk3SOkN1HXRN3U0hmiKPQ
---- eQQWdfE5bnx0EOu+4IzdlGwPLBEN6AAC8xA0u6/wXhE
+--- NgSxh6hohM1C5hiAafFHWifJrb5mY87cTQgLzX9lVe8
-’Ö}2T‡?á	
;Âì1ít7©k¹š˜Áî—J”O¾»Í{Ǹ$ó„³
+S´>ÜgßÔ>¦·Ù±ïg?}‹€ù=è<IÕÉ>þ³FaaÀT(ö¨¯# Rñ©€á‰VåÙdB<>3Åü]m™`´³t7–á?}´Y´Ñ/MøÁK™‘beŒsr<<3C>CÜ‘*¯ßÚéôýã.‘A³½±¢ãR½ìúŽP‡ú
³oÝ=|V(òA*m–«	el¸ öŸÃ
-3uóBAœ°d>Œt»íôf¯râX‰_=jØõŠ¿R>^!QÁÆà;`[»öF!šŸ¥VÑÛír©Î ®ŠÍÊ<>M_SÝDç„ð‰ÜÖG‹vaT;†’ÞP«‡·éñ¦hiÍ¿]O<ƒ·¶

newinfra/nix/secrets/openolat_db_password.age

@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 qM6TYg yvo9tUxGgQETQ0w1qgr2wMp1Fu1FtryEnSq3CCcHIk8
+tVCZg826Pus5LtguOV22XIzvyQ/vlZFb0rYSyJhg0iE
+--- mkZIfeMIepMwEp47GeFo1wiYr66W9nBPP2vfvlzOF2o
+qnuâ†Č6çCŘżĺzu·ź–=~îüŽË¬6Qň”¬›ôž’˘ë™˛?
Wm%ë`’ZĽăáU_X®¶]®Tu!äĐş<1B>߀ęć˝`Gbuľuf<âž^ĘőÁĽŁ/i8˛üN(r<>SmĽŔřřkÚ`d…ăx})”tšgHЇDÉ`Ľ*VE,`’i

newinfra/nix/secrets/registry_htpasswd.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 qM6TYg EJWWxPHa5Rww9uwiEwHPKKBcc5SiwFlpiLjDRXrnfyA
+-> ssh-ed25519 qM6TYg 0Y1d6GtpFGUUtfldl4+CKq8e0bWvcPGnR8I/N6L1XSM
-5DGTo4fsFuT8Vsutc4nSXq1NDoljSnUVlmviJcZFVKQ
+8HwFO3zIWh7+3J/rhFQCgty1k1FYU3SS9cF4ekbwZfI
---- Ha/ILA1plnnAwr3FdjeKicWHKwfHxjxUp9zhwihkgkI
+--- a7x+V3pI9cekGbdl6SfR3B7MOUxnNGOf+MJsPLDq/r4
-ˆ«ÌóûÂõ^HH22üVë®o«ŒPÐÛ¯<8s‘§-MPFäMEîÜrö]nž3ió‘áuñŒ-˜‹¶ßY'ˆ#æ@°ëœFXclV¢ûÁxiÞáF‘–à
+áYþU†…Š×¨N’ñ®¨9î×xÿ<1F>às¸â˜üÃÎ@
4.òœßËGƒ2žB;잶Wzˆ†3‰#Qi–4®þ¯§ÒÂ<C392>foµÑ˜åXEìcÿ·ªv³]×ÅÉšî7Éþºç

newinfra/nix/secrets/secrets.nix

@@ -11,6 +11,7 @@ in
   "widetom_config_toml.age".publicKeys = [ vps1 ];
   "docker_registry_password.age".publicKeys = [ vps1 ];
   "hugochat_db_password.age".publicKeys = [ vps1 ];
+  "openolat_db_password.age".publicKeys = [ vps1 ];
   "minio_env_file.age".publicKeys = [ vps1 vps3 ];
   "garage_secrets.age".publicKeys = [ vps1 vps3 vps4 vps5 ];
   "caddy_s3_key_secret.age".publicKeys = [ vps1 vps3 vps4 vps5 ];

newinfra/nix/secrets/wg_private_vps1.age

@@ -1,5 +1,6 @@
 age-encryption.org/v1
--> ssh-ed25519 qM6TYg wMMdxXZc1yZiD9oS6ne/7Ne29uz+Q97kYYjZtyhR9Qs
+-> ssh-ed25519 qM6TYg vC8XBZQGff/q/SEsiIb+pyhfE/2MCWbo1m+suXpzyhY
-hNwS16RMdvb7hNfjRdUow/sYtUcta4YPoe4qh0jAEOE
+r2R02FSzrpiPyoAeiPqWNdXc0Jqd6v2rv4hxo89LqD8
---- 30m6ILfUyjxm/nindgNcujh4bGOUvMbrcArSLEd2NuI
+--- NBCfTZYGNmAHQOABVhlcsgbJmKpmeUM15FdKLQjVazw
-Ì¢×î0ÍÃÉfÌÜÍ-1TØ‘à_s>?f·I[L•À…•ÇÏ<C387>mL4¯á«#ÛÑ,qwÔÂåPY-[’‰n$áò<C3A1>Á¦ ­µ4
+,t¬}˜ <20>¨¾“­| &¦“-À^uüÊU6Z_ì&Ú—Úuôe[wá—™–Ó	_ë²¢°
+£^£®\Ý(뜆gP‚y-j‹éš;ýùD

newinfra/nix/secrets/wg_private_vps3.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 XzACZQ k5WVMoS1WD1Jb+RfV0OOW5umLFfEdfIqDodBViQFvzc
+-> ssh-ed25519 XzACZQ FnGfRDdT9kQXeYzv7yzwI+1fVXmeseC6YVCCzeoeLCQ
-kypBLkD32beBsTtEoCyH0b9L4GAxorTFhqH3nhkO72w
+HydL6WRBzLmqAKNmf0kzBmZiFRQ8KM3dHEdx2676Nx0
---- aUbimoG2VppL5CPG3tES+zp/cINt6ZjNnthvCcpt0ww
+--- E7+8BYiNPPm3fI6FiEii2txlbsesfSXuE2Nxvb7Zlx4
-‹kð…éÈ~iÃ"ÃßB˜÷V¸M‘DEù´–QöBŠu<C5A0>òK
P§ñâàuä×h¦GCÞ±épT‰±íØé)t¤l€Çnö
+™m»5q®÷ÞÁ~ú>R-­¡<C2AD>·ôeŒ~ÿ+$¦˜•TÌ5öPäõr´nH:$4ðj¦kþB÷$CqRuóïˆM˜mªF`‹þA4<41>·Ñe

newinfra/nix/secrets/wg_private_vps4.age

@@ -1,5 +1,5 @@
 age-encryption.org/v1
--> ssh-ed25519 51bcvA A5RlnDQ8XJQK5KqxwrvVsrfJKVzb22/c/J/EPvfhtRA
+-> ssh-ed25519 51bcvA IVcXj0PQpO6Rj7ovi4GgoQF77sRDdumHNavSVdQXcHI
-ByXVkK+QIuGV9bCgcqYOAj54k/O6SrYBLrJIQMec0nA
+O7j/05HqbjLvIYh9cT/iT8p6GMDn14vDOqU3Jh6tUIc
---- S+1ZbskI6F3pIT8Pm9qjoHpHu0BmihvC1c9D77sghVY
+--- wt0viOUTFWu9ze3CcQ4i1xMrb+RLTOg2hcVsDwbzMzA
-·Ë{ŤX‡ă¶w°ő˙<ńp‘äśřé“’ĘZ¶SŻ><3E>G*KD_r;Ĺć9«ÄşO"s<áÓ™Cb6ú#lűQ“Éa¸<<3C>j)ťĎu
+Çâ<C387>iÍ-_ñŒrË£Æ*=Öî@Ÿ“|D3éÕeå%ö´näÈ­YÈò'í×RŠ°h3î‡VËü%-=¡à¾W¸Óî‹;
¼icS

vps2/Caddyfile

@@ -45,11 +45,3 @@ api.cors-school.nilstrieb.dev {
 cors-school.nilstrieb.dev {
 	reverse_proxy * localhost:5004
 }
-
-olat.nilstrieb.dev {
-	reverse_proxy * localhost:5011
-}
-
-olat.nilstrieb.dev:8088 {
-	reverse_proxy * localhost:5011
-}

vps2/backup.sh

@@ -66,7 +66,6 @@ function upload_directory {
 }
 
 upload_pg_dump "cors-school" "cors-school-db" "davinci" "postgres"
-upload_pg_dump "openolat" "openolat-db" "oodb" "oodbu"
 
 # shellcheck disable=SC1091
 source "karin-bot/.env"

vps2/docker-compose.yml

@@ -103,39 +103,7 @@ services:
   #     - "25565:25565"
   #   volumes:
   #     - /apps/minecraft/server:/data
-  ##### openolat
-  openolat_db:
-    container_name: openolat-db
-    image: "postgres:latest"
-    restart: always
-    volumes:
-      - "/apps/openolat/data:/var/lib/postgresql/data"
-    environment:
-      POSTGRES_DB: oodb
-      POSTGRES_USER: oodbu
-      POSTGRES_PASSWORD: "${OPENOLAT_DB_PASSWORD}"
-      PGDATA: "/var/lib/postgresql/data/pgdata"
-    networks:
-      - openolat-network
-  openolat:
-    container_name: openolat
-    image: "docker.noratrieb.dev/openolat:69b3c8b6"
-    restart: always
-    volumes:
-      - "/apps/openolat/olatdata:/home/openolat/olatdata"
-      - "/apps/openolat/extra-properties.properties:/home/openolat/extra-properties.properties"
-    ports:
-      - "5011:8088"
-    environment:
-      DB_PASSWORD: "${OPENOLAT_DB_PASSWORD}"
-      DB_URL: "jdbc:postgresql://openolat-db:5432/oodb"
-      EXTRA_PROPERTIES: "/home/openolat/extra-properties.properties"
-      OLAT_HOST: olat.nilstrieb.dev
-    networks:
-      - openolat-network
 
 networks:
   cors-school:
   karin-bot:
-  openolat-network:
-  prometheus: