feat: add meilisearch profile

Deployed on athena.
diogotcorreia · Nov 7, 2024 · 5623ab8 · 5623ab8
1 parent d716648
commit 5623ab8
Show file tree

Hide file tree

Showing 4 changed files with 66 additions and 0 deletions.
diff --git a/hosts/athena/default.nix b/hosts/athena/default.nix
@@ -11,6 +11,7 @@
     security.acme.cloudflare
     security.fail2ban
     services.caddy.common
+    services.meilisearch
     services.ssh
     services.stalwart-mail
     services.umami

diff --git a/profiles/services/meilisearch.nix b/profiles/services/meilisearch.nix
@@ -0,0 +1,59 @@
+# Meilisearch configuration
+{
+  config,
+  lib,
+  secrets,
+  ...
+}: let
+  dataDir = "/var/lib/meilisearch";
+  port = 3449;
+
+  domain = "meilisearch.diogotc.com";
+
+  user = "meilisearch";
+  group = "meilisearch";
+in {
+  age.secrets = {
+    meilisearchEnv.file = secrets.host.meilisearchEnv;
+  };
+
+  services.meilisearch = {
+    enable = true;
+    listenPort = port;
+    environment = "production";
+    # Contains:
+    # - MEILI_MASTER_KEY
+    masterKeyEnvironmentFile = config.age.secrets.meilisearchEnv.path;
+  };
+
+  services.caddy.virtualHosts = {
+    ${domain} = {
+      enableACME = true;
+      extraConfig = ''
+        reverse_proxy localhost:${toString port} {
+          import CLOUDFLARE_PROXY
+        }
+      '';
+    };
+  };
+
+  users = {
+    groups.${group} = {};
+    users.${user} = {
+      isSystemUser = true;
+      inherit group;
+    };
+  };
+
+  systemd.services.meilisearch = {
+    serviceConfig = {
+      # Don't use dynamic user since it doesn't work correctly with impermanence
+      User = user;
+      Group = group;
+      DynamicUser = lib.mkForce false;
+    };
+  };
+
+  modules.impermanence.directories = [dataDir];
+  modules.services.restic.paths = [dataDir];
+}
diff --git a/secrets/athena/meilisearchEnv.age b/secrets/athena/meilisearchEnv.age
@@ -0,0 +1,5 @@
+age-encryption.org/v1
+-> ssh-ed25519 x+PS/Q 8OgRRrWH0BAEv+MQ9HYbIeC7Rmu4LclfBdfrOF12IC8
+x4OfrEIXGRl3PxacxVRlKcYGftztcTMh4xWnLXGIkEQ
+--- Ez4ndlz/ugyIWkGF5ZDSK5yxhI+zyEsiiofy0TFEsfI
+<}Q���^ѷF@z�X�W�)��+[6@e�`����)�Ș�R�FH�zg�4�T-��"�|�Y{i�R���o�T4��^�S\�6i_��K��oLkE�DJ�!2�������Ί��a��)_>J�I��ӌ��e������I�b�_iS,�>8�$ܒ@�Se~ ��?E��:��Ľ�
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
@@ -55,6 +55,7 @@ in
       "autoUpgradeHealthchecksUrl"
       "cloudflareToken"
       "healthchecksUrl"
+      "meilisearchEnv"
       "nebulaCert"
       "nebulaKey"
       "resticHealthchecksUrl"