diff options
| author | Emile <git@emile.space> | 2024-09-19 10:38:56 +0200 |
|---|---|---|
| committer | Emile <git@emile.space> | 2024-09-19 10:38:56 +0200 |
| commit | dcde3882d5460368e3c0499a54330f84a6995d62 (patch) | |
| tree | 52fb8d307d96b795e5a5796afd6b3237e004820d | |
| parent | b8484f55d0056bf1a681459b01cf6b713bf4a01c (diff) | |
formatted
| -rw-r--r-- | nix/hosts/corrino/www/md.emile.space.nix | 181 |
1 files changed, 89 insertions, 92 deletions
diff --git a/nix/hosts/corrino/www/md.emile.space.nix b/nix/hosts/corrino/www/md.emile.space.nix index 52b4a53..029c54f 100644 --- a/nix/hosts/corrino/www/md.emile.space.nix +++ b/nix/hosts/corrino/www/md.emile.space.nix @@ -1,114 +1,111 @@ { config, pkgs, ... }: { - services.nginx.virtualHosts."md.emile.space" = { - forceSSL = true; - enableACME = true; - locations = { - "/" = { + services.nginx.virtualHosts."md.emile.space" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}"; - }; - }; - }; - - # auth via authelia - services.authelia.instances.main.settings.identity_providers.oidc.clients = [ - { - id = "HedgeDoc"; - - # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$l4Kyec7Q9oY2GAhWA/xMig$P/MYFmulfgsDNyyiclUzd6le0oSiOvqCIvl4op5DkXtVTxLWlMA3ZwhJ6Z7u.OfIREuEM2htH6asxWPhBhkpNQ"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = [ - "https://md.emile.space/auth/oauth2/callback" - ]; - scopes = [ - "openid" - "email" - "profile" - ]; - grant_types = [ - "refresh_token" - "authorization_code" - ]; - response_types = [ - "code" - ]; - response_modes = [ - "form_post" - "query" - "fragment" - ]; - } - ]; - - services.hedgedoc = { + }; + }; + }; + + # auth via authelia + services.authelia.instances.main.settings.identity_providers.oidc.clients = [ + { + id = "HedgeDoc"; + + # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 + secret = "$pbkdf2-sha512$310000$l4Kyec7Q9oY2GAhWA/xMig$P/MYFmulfgsDNyyiclUzd6le0oSiOvqCIvl4op5DkXtVTxLWlMA3ZwhJ6Z7u.OfIREuEM2htH6asxWPhBhkpNQ"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ "https://md.emile.space/auth/oauth2/callback" ]; + scopes = [ + "openid" + "email" + "profile" + ]; + grant_types = [ + "refresh_token" + "authorization_code" + ]; + response_types = [ "code" ]; + response_modes = [ + "form_post" + "query" + "fragment" + ]; + } + ]; + + services.hedgedoc = { enable = true; - package = pkgs.hedgedoc; + package = pkgs.hedgedoc; - environmentFile = config.age.secrets.hedgedoc_environment_variables.path; + environmentFile = config.age.secrets.hedgedoc_environment_variables.path; - settings = { - host = "127.0.0.1"; - port = config.emile.ports.md; + settings = { + host = "127.0.0.1"; + port = config.emile.ports.md; - domain = "md.emile.space"; + domain = "md.emile.space"; - urlPath = null; # we're hosting on the root of the subdomain and not a subpath - allowGravatar = true; + urlPath = null; # we're hosting on the root of the subdomain and not a subpath + allowGravatar = true; - # we're terminating tls at the reverse proxy - useSSL = false; + # we're terminating tls at the reverse proxy + useSSL = false; - # Use https:// for all links. - # This is useful if you are trying to run hedgedoc behind a reverse proxy. - # Only applied if domain is set. - protocolUseSSL = true; + # Use https:// for all links. + # This is useful if you are trying to run hedgedoc behind a reverse proxy. + # Only applied if domain is set. + protocolUseSSL = true; - # don't allow unauthenticated people to just write somewhere - allowAnonymous = false; - allowAnonymousEdits = true; # This allows us to set pads "freely" + # don't allow unauthenticated people to just write somewhere + allowAnonymous = false; + allowAnonymousEdits = true; # This allows us to set pads "freely" - defaultPermission = "private"; + defaultPermission = "private"; - db = { - dialect = "sqlite"; - storage = "/var/lib/hedgedoc/db.sqlite"; - }; + db = { + dialect = "sqlite"; + storage = "/var/lib/hedgedoc/db.sqlite"; + }; - uploadsPath = "/var/lib/hedgedoc/uploads"; + uploadsPath = "/var/lib/hedgedoc/uploads"; - path = null; # we want to use HTTP and not UNIX domain sockets... + path = null; # we want to use HTTP and not UNIX domain sockets... - allowOrigin = with config.services.hedgedoc.settings; [ host domain ]; - }; + allowOrigin = with config.services.hedgedoc.settings; [ + host + domain + ]; + }; }; - # backups - services.restic.backups."hedgedoc" = { - user = "u331921"; - timerConfig = { - OnCalendar = "daily"; - Persistent = true; - }; - # repository = "stfp:u331921@u331921.your-storagebox-de:23/restic"; - repository = "/mnt/storagebox-bx11/backup/hedgedoc"; - initialize = true; # initializes the repo, don't set if you want manual control - passwordFile = config.age.secrets.restic_password.path; - paths = [ - "/var/lib/hedgedoc/" - ]; - pruneOpts = [ - "--keep-daily 7" - "--keep-weekly 5" - "--keep-monthly 12" - "--keep-yearly 75" - ]; - - # extraOpts = [ - # "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'" - # ]; + # backups + services.restic.backups."hedgedoc" = { + user = "u331921"; + timerConfig = { + OnCalendar = "daily"; + Persistent = true; + }; + # repository = "stfp:u331921@u331921.your-storagebox-de:23/restic"; + repository = "/mnt/storagebox-bx11/backup/hedgedoc"; + initialize = true; # initializes the repo, don't set if you want manual control + passwordFile = config.age.secrets.restic_password.path; + paths = [ "/var/lib/hedgedoc/" ]; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 75" + ]; + + # extraOpts = [ + # "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'" + # ]; }; } |
