From 9184fd7136d7eaa91fea5a53023fd66bb93541fa Mon Sep 17 00:00:00 2001
From: Chris Cochrun
Date: Sat, 17 May 2025 07:35:44 -0500
Subject: [PATCH] try to add grist with docker and oidc
---
 modules/grist.nix | 57 +++++++++++++++++++++++++++++++++++
 system/shen/configuration.nix | 3 +-
 2 files changed, 59 insertions(+), 1 deletion(-)
 create mode 100644 modules/grist.nix
diff --git a/modules/grist.nix b/modules/grist.nix
new file mode 100644
index 0000000..d7a737e
--- /dev/null
+++ b/modules/grist.nix
@@ -0,0 +1,57 @@
+{ config, lib, pkgs, ... }:
+
+let
+ dn = "table.tfcconnection.org";
+ auth_dn = "staff.tfcconnection.org/index.php/apps/oidc/"
+in
+with lib;
+{
+ services.nginx.virtualHosts.${dn} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8484";
+ proxyWebsockets = true;
+ };
+ };
+ virtualisation = {
+ podman = {
+ enable = true;
+ };
+ oci-containers = {
+ # backend = "podman";
+ containers = {
+ grist = {
+ image = "docker.io/gristlabs/grist:latest";
+ environment = {
+ # The URL of given OIDC provider. Used for redirects, among other things.
+ GRIST_OIDC_IDP_ISSUER = "https://${auth_dn}";
+ # Client ID, as configured with the OIDC provider.
+ GRIST_OIDC_IDP_CLIENT_ID = "LtgrHHZmKucQAZtYNZGrirxdEru5pWByaJQcEfiufcitd0kfi2qVjuU6gPZE4haz";
+ # Client secret, as provided by the OIDC provider.
+ GRIST_OIDC_IDP_CLIENT_SECRET = "V70dywtpkRSvk0RbK6KFxcOxATP0URHhn36tztYDZipz9Y8v6GBFwj4JmxcSvR3H";
+ # The URL to redirect to with the OIDC provider to log out.
+ # Some OIDC providers will automatically configure this.
+ GRIST_OIDC_IDP_END_SESSION_ENDPOINT = "https://${auth_dn}/logout";
+ # Allow self-signed certificates so this example behaves correctly.
+ # REMOVE THIS IF HOSTING ON THE INTERNET.
+ NODE_TLS_REJECT_UNAUTHORIZED = 0;
+
+ # Forces Grist to only use a single team called 'Example'
+ # GRIST_SINGLE_ORG: my-grist-team # alternatively, GRIST_ORG_IN_PATH: "true" for multi-team operation
+ # Force users to login (disable anonymous access)
+ # GRIST_FORCE_LOGIN: true
+ # Base URL Grist redirects to when navigating. Change this to your domain.
+ APP_HOME_URL = "https://${dn}";
+ # Default email for the "Admin" account
+ GRIST_DEFAULT_EMAIL = "chris@tfcconnection.org";
+ TZ = "America/Chicago";
+ };
+ restart = always;
+ autoStart = true;
+ volumes = [ "/storge/grist:/persist" ];
+ };
+ };
+ };
+ };
+}
diff --git a/system/shen/configuration.nix b/system/shen/configuration.nix
index a551ae2..7e5978f 100644
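Review bot: The `GRIST_OIDC_IDP_CLIENT_SECRET` value in the `environment` block is committed in plaintext, so it ends up in git history and in the world-readable Nix store; treat it as exposed, rotate it at the OIDC provider, and supply it at runtime instead, e.g. `environmentFiles = [ "/run/secrets/grist.env" ];` (placeholder path, file kept outside the store and readable by root only). `NODE_TLS_REJECT_UNAUTHORIZED = 0;` switches off certificate verification for every outbound TLS connection the Node process makes, including the back-channel calls to the issuer, and the comment directly above it says to remove it when hosting on the internet, which this `enableACME` vhost is; I would delete that line. With `GRIST_FORCE_LOGIN` left commented out, anonymous access presumably stays enabled, so confirm that is intended before exposing the host. `docker.io/gristlabs/grist:latest` is a mutable tag; pinning a release tag or digest makes what runs behind the proxy reproducible and auditable. Separately, the `auth_dn` binding has no terminating `;` and `restart = always;` appears to reference an undefined name, so the module likely does not evaluate as written.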
--- a/system/shen/configuration.nix
+++ b/system/shen/configuration.nix
@@ -19,7 +19,8 @@ in
 ../../modules/searx.nix
 ../../modules/mail.nix
 ../../modules/vaultwarden.nix
- ../../modules/nocodb.nix
+ # ../../modules/nocodb.nix
+ ../../modules/grist.nix
 # ../../modules/comfyui.nix
 # ../../pkgs/server.nix
 # ../../pkgs/nextcloud.nix