diff --git a/nki-personal-do/configuration.nix b/nki-personal-do/configuration.nix
index 4ce1e55..81dc64c 100644
--- a/nki-personal-do/configuration.nix
+++ b/nki-personal-do/configuration.nix
@@ -26,6 +26,7 @@
 ./peertube.nix ./outline.nix ./vikunja.nix
+ ./n8n.nix
 ]; system.stateVersion = "21.11";
@@ -153,7 +154,7 @@
 }; # Mail
- sops.secrets.mail-users = { owner = "maddy"; };
+ sops.secrets.mail-users = { owner = "maddy"; reloadUnits = [ "maddy.service" ]; };
 cloud.mail = { enable = true; debug = true;
diff --git a/nki-personal-do/n8n.nix b/nki-personal-do/n8n.nix
new file mode 100644
index 0000000..6da581e
--- /dev/null
+++ b/nki-personal-do/n8n.nix
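Review bot: `reloadUnits = [ "maddy.service" ]` on the mail-users secret only takes effect if maddy.service defines a reload action that re-reads the users file; a unit without ExecReload cannot be reloaded, and the rotated secret would then sit unused until the next restart. If maddy does not support reloading its user database, `restartUnits = [ "maddy.service" ];` is the safer choice. The maddy unit is not visible in this diff, so please confirm which applies before merging.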
@@ -0,0 +1,71 @@
+{ config, lib, ... }:
+let
+ secrets = config.sops.secrets;
+
+ host = "n8n.dtth.ch";
+ db = "n8n";
+ user = db;
+ port = 23412;
+
+ dataFolder = "/mnt/data/n8n";
+in
+{
+ sops.secrets."n8n/env" = { reloadUnits = [ "n8n.service" ]; };
+ cloud.postgresql.databases = [ db ];
+ cloud.traefik.hosts.n8n = {
+ inherit port host;
+ };
+
+ # users
+ users.users."${user}" = {
+ group = "${user}";
+ isSystemUser = true;
+ };
+ users.groups."${user}" = { };
+
+ services.n8n = {
+ enable = true;
+ webhookUrl = "https://${host}";
+ };
+
+ systemd.services.n8n = {
+ environment = {
+ # Database
+ DB_TYPE = "postgresdb";
+ DB_POSTGRESDB_DATABASE = db;
+ DB_POSTGRESDB_HOST = "/var/run/postgresql";
+ DB_POSTGRESDB_USER = db;
+ # Deployment
+ N8N_EDITOR_BASE_URL = "https://${host}";
+ N8N_ENFORCE_SETTINGS_FILE_PERMISSIONS = "true";
+ N8N_USER_FOLDER = lib.mkForce dataFolder;
+ HOME = lib.mkForce dataFolder;
+ N8N_HOST = host;
+ N8N_PORT = toString port;
+ N8N_LISTEN_ADDRESS = "127.0.0.1";
+ N8N_HIRING_BANNER_ENABLED = "false";
+ N8N_PROXY_HOPS = "1";
+ # Logs
+ N8N_LOG_LEVEL = "debug";
+ # License
+ N8N_HIDE_USAGE_PAGE = "true";
+ # Security
+ N8N_BLOCK_ENV_ACCESS_IN_NODE = "true";
+ # Timezone
+ GENERIC_TIMEZONE = "Europe/Berlin";
+ };
+ serviceConfig = {
+ EnvironmentFile = [ secrets."n8n/env".path ];
+ User = user;
+ DynamicUser = lib.mkForce false;
+ ReadWritePaths = [ dataFolder ];
+ # ReadOnlyPaths = [ "/var/run/postgresql" ];
+ };
+ unitConfig.RequiresMountsFor = [ dataFolder ];
+ };
+ systemd.tmpfiles.settings."10-n8n".${dataFolder}.d = {
+ user = user;
+ group = user;
+ mode = "0700";
+ };
+}
diff --git a/nki-personal-do/secrets/secrets.yaml b/nki-personal-do/secrets/secrets.yaml
index 04f977b..b72c7e1 100644
--- a/nki-personal-do/secrets/secrets.yaml
+++ b/nki-personal-do/secrets/secrets.yaml
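Review bot: `N8N_LOG_LEVEL = "debug"` in the environment block enables debug logging for a service that handles workflow credentials and webhook payloads, so request and execution details tend to land in the journal next to the rest of the system's logs; unless this is a temporary bring-up setting, change it to `N8N_LOG_LEVEL = "info";` or leave a comment saying why debug is kept. The commented-out `# ReadOnlyPaths = [ "/var/run/postgresql" ];` line in serviceConfig deserves a note on why it was dropped — with `DynamicUser = lib.mkForce false` the remaining sandboxing presumably comes only from what the upstream n8n module sets, and a future reader will otherwise re-enable the line without knowing what broke. Since `User = user` is a plain system user, it is also worth a one-line comment that `EnvironmentFile` is read by systemd before privileges are dropped, which is why the `n8n/env` secret intentionally keeps sops' default owner.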
@@ -5,7 +5,7 @@ authentik-oidc-client-secret: ENC[AES256_GCM,data:lD/xyU87nik68JX+T2H3Gw5ZqsSGzX
 cloudflare-dns-api-token: ENC[AES256_GCM,data:2ny3JehpK30fTUDKrbzHv1QOczriChRyMQn6kNPULpUJ+eVwdptLvg==,iv:8wNAn3oawzLez7sO4ZvhFXcaZIpFVKgKCvTBlszFHn8=,tag:fRaO+u/5MtAWnTiy2Zwh0Q==,type:str]
 #ENC[AES256_GCM,data:KWrVRQg+cLm5MUdfsYrh7hkI4CWkl4Z0sDj0769eebeXDy+veixrQrxh1ZW+ro3WLwoIdU/IH5DPM4TWYn2qoM5aDHjGX764pr1x,iv:uZHBsGvSHv9vd/Wragl1dYNJ+8vCcMit2K3SrMFlz7s=,tag:7z4LyADfQvXsM2vvtWru8w==,type:comment]
 traefik-dashboard-users: ENC[AES256_GCM,data:kviapOq+xzxhjryse+5DaZbXRS/LEYyjqqFbHymXAZVEkWlu0T5pZ2bxSNCbXN+tXnb0u+6YPgGCaRNPLW74AF1hO8W8QqlLDA==,iv:41bwPyFQcuOLILTjLWUu5Kcnct/MaIIJsMbllc+n7Y0=,tag:17HyUjfRUcLGb0FrUm1O2A==,type:str]
-mail-users: ENC[AES256_GCM,data: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,iv:agQUE9UstOv/QYYamKWU6ouw9aSmrvl8HEYc8eTM25A=,tag:Qf+FuSpvfea9POljQ3UweQ==,type:str]
+mail-users: ENC[AES256_GCM,data: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,iv:059jHrKniQmw2H45FDz/5DJqeTzKdsg9a51pX3FxvHE=,tag:aCMJOFv8PWtz80ouUqUCGA==,type:str]
 youmubot-env: ENC[AES256_GCM,data:EQ9e6lmCrjofHiHyN5Qe4b2oplP9/3JKl0vuFp54Hw9aYIS7j3nqzWLCvV54ZK7j1PcQ+CQorjeCVMV0TUy1f1Pf3qjrLkdOdV7ICq540gdfXOeXuhAx2EILpGkwIYOdKmTMSO3l2QkOlM02RNOn1lq/DogAydkEq7gJ7qSWnUEr45oNCa1+LamH8vcbDmIyzUWWXyA5EQ==,iv:fnNGZ6OaZ4D71SvWPRynsMpO1IsvxjQ3XtrswNSY+Wo=,tag:cN/ZnKrjSfD6AbU9pYNl+Q==,type:str]
 outline:
 smtp-password: ENC[AES256_GCM,data:zpIi6jVB2Y7ksBOR8SGFgjOD1x3aS6dKa6taLKB8v2l9p92iWDti75qgB1puglmmq8mCzz8KXLrM0Bv7W8GWRg==,iv:6tKINzQcApmNuIbNn0kSzFJtwn3rky/uFG2Ff3lazUk=,tag:kjB6qB87tRQVpy32Pt3D5A==,type:str]
@@ -45,6 +45,8 @@ nix-build-farm:
 vikunja:
 env: ENC[AES256_GCM,data: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,iv:4T7vftUcSOS84MpZUOM9ODA36GSrKeW5TClQM3GN2mk=,tag:5mzK4NsmmrYERRn+Vb01Eg==,type:str]
 provider-clientsecret: ENC[AES256_GCM,data:/fN1rH2CKoaivhespd+/KamERjBQOdwR7QQ+hoB+pQ3ZSrBVIKbLMWyOJe8f7rVwXAByqDxQIZJEVPjcjhWSU1eicwpu57FBx+/xJLFazspTVZ+5XKyAwR+UxTHDGAgtFV00QHN53l7ygg4joWWko4IPN1JIpNIASaIWWzpsrIo=,iv:NLsZcmE1kKlzV7B/XPVfENMWlpQtOpESH0ByX1KQ8IQ=,tag:P+ZmsKq0KJAeRTTbvbduMg==,type:str]
+n8n:
+ env: ENC[AES256_GCM,data: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,iv:KmyJ/CLAGrYfzHjSWygtgA/+am9fUrKnOsGRPgV9QfU=,tag:G3LhfdSujcaC9ZZFUse0DQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -78,8 +80,8 @@ sops:
 by9kZFlTRVdCZFkxYTVVb0RIRk8zUlkKCqMw9oL9RaYBV5Hhy3o8Nm5xmGrPH8Sd
 hv36sxRFFNZT/DCKaHaSRbT3mfpBZSTXJt1dgl4nZe6whH54t/1KmA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-12-07T15:58:00Z"
- mac: ENC[AES256_GCM,data:ugW/IqGYYblO7GAM/W1PePKOJr5iJM42/SCHL8ew/QwXuOibhWWGkxObFeZ83u0DCmhH2fPqK/rI3seA6QLaWFeB2wrkyy4u13D5PISrObVtmQVD50kogObqd2CVdlQFIGQypw3/EB8oWNPcBRCvlAPPhZaB9a3SWS4CaTu+lPg=,iv:6IW7xOO9hBqK65WSLYnk7ViGs9xhoaMpsCeITbWNgHs=,tag:zXtnRBQemAT3cN1+QM7OHA==,type:str]
+ lastmodified: "2024-12-07T23:38:16Z"
+ mac: ENC[AES256_GCM,data:GKCMZJVKj5Fq7Ak4wQgI/pAl8JKDdzAYCBRwnxHlg0Z10AstbchAYm+LLwCaE85ebl6m/JexmfJeutJo0yGXuOIQKcEgfyNq9O/i/y34ISc4looQ6cyH5Hcxsd9JXgrmgQzVPquBXQzDHz4rj93VhNrvqmw+SgDPZVwcUznvCBI=,iv:HtUmf0qjvbYW7ngocISpqycX7ceNv0YsILgZhOMTSMg=,tag:kJ7EFOLL8o/2OFkn5PhvJw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.1
diff --git a/nki-personal-do/vikunja.nix b/nki-personal-do/vikunja.nix
index 2e25ec2..10afe17 100644
--- a/nki-personal-do/vikunja.nix
+++ b/nki-personal-do/vikunja.nix
@@ -81,8 +81,8 @@ in
 }; systemd.services.vikunja = {
- serviceConfig.User = user;
 serviceConfig.LoadCredential = [ "VIKUNJA_AUTH_OPENID_PROVIDERS_AUTHENTIK_CLIENTSECRET_FILE:${secrets."vikunja/provider-clientsecret".path}" ];
+ serviceConfig.User = user;
 serviceConfig.DynamicUser = lib.mkForce false; serviceConfig.ReadWritePaths = [ storageMount ]; environment.VIKUNJA_AUTH_OPENID_PROVIDERS_AUTHENTIK_CLIENTSECRET_FILE = "%d/VIKUNJA_AUTH_OPENID_PROVIDERS_AUTHENTIK_CLIENTSECRET_FILE";