add privacy wiki

hosts/marvin/configuration.nix

@@ -29,6 +29,7 @@
     ./services/nix-serve.nix
     ./services/radicale.nix
     ./services/vaultwarden.nix
+    ./services/privacy-bookstack.nix
 
     # Load Agenix
     inputs.agenix.nixosModule

hosts/marvin/secrets/privacy-wiki-appkey.age

@@ -0,0 +1,19 @@
+age-encryption.org/v1
+-> ssh-ed25519 iqBxIA mUd3M2IjSiZegBnuioZgKENb6+A8oay4FKXUEt1p8nI
+2kkGCzmEBxNWAWwJKYIgHZ9TK7o7HBDyMBhW1OjKlWA
+-> ssh-rsa fFaiTA
+J0rsM6wibyetM4WEg4ClFW22YMN8z7WpHjzbmPNQmicKWoAKIrjE2aJNqQQsL3f7
+xtLPdTD6bQpBI6cS2hSQXKUUksINWCjbjDx/h5SmsIeTTKfvie6lf9lmXRmQSw3Q
+DLu44LGlaQXFySiC/morx3L9IgOyn2+y52VqM1c9NfbSAk/XCUCjC2ykmduTDsVk
+5qmGEYfpnlHKGewoRLYJh7BkITC0L9EBUngikSUOnCF0DFnMmSVRkqzDVGhlE9qf
+BNDRumRGHh9IMS+AysY9pRpSMZUSJf1pT0QvDn8n9aSsmUa2Gke51YsestyJvMcn
+ewk/LqHPUs18Ql227cWLLeHaURkYPViE2Fvi/u0qYEyKKJr6vvf/aQ2LrYTTjqWk
+dUbPNGYDoDEwUv+nTqjs061M3pCUrEcYfNctGb0l7WwoLL2zMcir9EttASDkqKD7
+ShVfiPPSbyaHoCT+6j0fNBscEMiU8GRmOfN9eMjT+edyfzGWKgeDMpUtZPJ3p16p
+vzrzFS2TKVWUbbZlsF4Z3EIzB/4WXHCczgvtuJ7LZcG7M8nnez4MZBHKTaH3IQOT
+jX39dHjGf4V10Mt3DzjgN2bTrS3E0wG92b27SC3D5E44C+AWYEB5JC/JqXhUfXZk
+CAygqoKujDblvf820mxXrWjb+u4r9cKDY5TCZQ0AbnE
+-> &dYLw>-grease ~^@ U^Aqw,k ut0C*A
+kPz6HotQcWOKhnnV
+--- 4YCwj3Oir73Rfai8tID+d38nguEs+psDFojUWVRILws
+¦ÐUmp$Ò¼0(6sÈ<73>¯àö¸ÑœÈI&%m$F<>ûÌÎrHÈ¢y['rtórP0Õß¿Õ)žž/"ð×dFP[ýí(ªô¥t%Ø

hosts/marvin/secrets/privacy-wiki-mailpass.age

@@ -0,0 +1,20 @@
+age-encryption.org/v1
+-> ssh-ed25519 iqBxIA PFfeyM7zYlP4lg8HR53hpIgUiAbnHgqMYlcTvHy9wks
+fga0jiuhoHkPbKa+8blW4Bz+gArwf4Tn36Wv2g27PB4
+-> ssh-rsa fFaiTA
+AqUKuU3lgfdqWO2S7NMQ7HB0K9yanL8JRqMdxsphrrCdkBI7ubgXSarSTBhfGSfI
+e4kNHUFRJMm8uZjC8ImF9YedMk7fQXsbi6GEC2FimJDCmc1SvYUPewy/RopVlO0G
+Bqqx5qVgi9zBXPRdXxMQgJJwsVL1fegMCoRYeyAVB9RdVsCVsesyMIfjoh2RJVP3
+/IpZdR1A62B/8FsqEg6VKUkZw7+/jlyv52TZHL5XCU/wvmYGZaO7HOohQJPBb5J5
+grddeepgoxkWxi4x+CI8X5G/MyP9XB+bEgAl9x0yWYe+6XdsrzGysoH4faHz7lkt
+OgsI6EGMXV+i7xBBQu9A5Z/KtFMlI9oU38sk/bJX6izdgpabGfoajiLm9eaj/g8b
+IdnWNAibc/ngik9NoeWjU6QwZVEggpx5GHJAiVIMRsKeD1nkneBIOD1zbazDoHGV
+XdRQA5CwcXgFdkoSkHHqiaLiDIiYy7kUU48p+clq419YdF5vbTNkET+M5LJCk8IC
+2KtgQOYol1Z9P9JTNaW5Usyz2fckeTN32k2o2VRbXmamzFb7LudydSTWgOEf2BlV
+NJlXlllWlf0dXUDg5WmBAg4gDGsK1Pta7eaQPT3wXhoossgTUIr1I1u/MxhvqkJX
+YAvJb31o1PDFtpOYMKJvzsnnEvcDuLwoLpPwcPujaME
+-> Q9*-grease
+uAijfdOsJ8zg
+--- +9STRTV/yYN+zOX7aOuhMCHehZH3QcnK9VWxcsfSBks
+qG–w±+žâá¨vªçÖìYjçˆíñÒSÅ¬H¾jÌ+`n¢’‰_ÆœÊ*­¬†·Ð>»=‰È:»cë
+Û¿ë#²

hosts/marvin/secrets/secrets.nix

@@ -11,4 +11,6 @@ in {
   "cloudflared-vars.age".publicKeys = [ marvin yubi ];
   "ory-hydra-secret-vars.age".publicKeys = [ marvin yubi ];
   "vaultwarden-vars.age".publicKeys = [ marvin yubi ];
+  "privacy-wiki-mailpass.age".publicKeys = [ marvin yubi ];
+  "privacy-wiki-appkey.age".publicKeys = [ marvin yubi ];
 }

hosts/marvin/services/caddy-secrets.nix

@@ -36,5 +36,17 @@
       owner = "vaultwarden";
       group = "vaultwarden";
     };
+    privacy-wiki-vars = {
+      file = ../secrets/privacy-wiki-mailpass.age;
+      path = "/run/agenix/privacy-wiki-mailpass";
+      owner = "bookstack";
+      group = "bookstack";
+    };
+    privacy-wiki-appkey = {
+      file = ../secrets/privacy-wiki-appkey.age;
+      path = "/run/agenix/privacy-wiki-appkey";
+      owner = "bookstack";
+      group = "bookstack";
+    };
   };
 }

hosts/marvin/services/privacy-bookstack.nix

@@ -0,0 +1,34 @@
+{
+  containers.privacy-bookstack = {
+    config =
+      {
+        services.bookstack = {
+          enable = true;
+          hostname = "privacy.thehedgehog.me";
+          appKeyFile = "/run/agenix/privacy-wiki-appkey";
+          appURL = "https://privacy.thehedgehog.me";
+          database.createLocally = true;
+          mail = {
+            user = "privacy-wiki@thehedgehog.me";
+            host = "smtp.migadu.com";
+            port = 465;
+            encryption = "tls";
+            from = "privacy-wiki@thehedgehog.me";
+            fromName = "The Privacy Wiki";
+            driver = "smtp";
+            passwordFile = "/run/agenix/privacy-wiki-mailpass";
+          };
+          nginx.listen = [{
+            addr = "127.0.0.1";
+            port = 6001;
+          }];
+        };
+      };
+  };
+  users.users.bookstack = {
+    isSystemUser = true;
+    description = "Bookstack User Account";
+    group = "bookstack";
+  };
+  users.groups.bookstack = {};
+}