about summary refs log tree commit diff
path: root/nix
diff options
context:
space:
mode:
authorEmile <git@emile.space>2024-09-19 10:38:56 +0200
committerEmile <git@emile.space>2024-09-19 10:38:56 +0200
commitdcde3882d5460368e3c0499a54330f84a6995d62 (patch)
tree52fb8d307d96b795e5a5796afd6b3237e004820d /nix
parentb8484f55d0056bf1a681459b01cf6b713bf4a01c (diff)
formatted
Diffstat (limited to 'nix')
-rw-r--r--nix/hosts/corrino/www/md.emile.space.nix181
1 files changed, 89 insertions, 92 deletions
diff --git a/nix/hosts/corrino/www/md.emile.space.nix b/nix/hosts/corrino/www/md.emile.space.nix
index 52b4a53..029c54f 100644
--- a/nix/hosts/corrino/www/md.emile.space.nix
+++ b/nix/hosts/corrino/www/md.emile.space.nix
@@ -1,114 +1,111 @@
 { config, pkgs, ... }:
 
 {
-	services.nginx.virtualHosts."md.emile.space" = {
-		forceSSL = true;
-		enableACME = true;
-		locations = {
-			"/" = {
+  services.nginx.virtualHosts."md.emile.space" = {
+    forceSSL = true;
+    enableACME = true;
+    locations = {
+      "/" = {
         proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}";
-			};
-		};
-	};
-
-	# auth via authelia
-	services.authelia.instances.main.settings.identity_providers.oidc.clients = [
-		{
-			id = "HedgeDoc";
-
-			# ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
-			secret = "$pbkdf2-sha512$310000$l4Kyec7Q9oY2GAhWA/xMig$P/MYFmulfgsDNyyiclUzd6le0oSiOvqCIvl4op5DkXtVTxLWlMA3ZwhJ6Z7u.OfIREuEM2htH6asxWPhBhkpNQ"; 
-			public = false;
-			authorization_policy = "two_factor";
-			redirect_uris = [
-				"https://md.emile.space/auth/oauth2/callback"
-			];
-			scopes = [
-				"openid"
-				"email"
-				"profile"
-			];
-			grant_types = [
-				"refresh_token"
-				"authorization_code"
-			];
-			response_types = [
-				"code"
-			];
-			response_modes = [
-				"form_post"
-				"query"
-				"fragment"
-			];
-		}
-	];
-
-	services.hedgedoc = {
+      };
+    };
+  };
+
+  # auth via authelia
+  services.authelia.instances.main.settings.identity_providers.oidc.clients = [
+    {
+      id = "HedgeDoc";
+
+      # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+      secret = "$pbkdf2-sha512$310000$l4Kyec7Q9oY2GAhWA/xMig$P/MYFmulfgsDNyyiclUzd6le0oSiOvqCIvl4op5DkXtVTxLWlMA3ZwhJ6Z7u.OfIREuEM2htH6asxWPhBhkpNQ";
+      public = false;
+      authorization_policy = "two_factor";
+      redirect_uris = [ "https://md.emile.space/auth/oauth2/callback" ];
+      scopes = [
+        "openid"
+        "email"
+        "profile"
+      ];
+      grant_types = [
+        "refresh_token"
+        "authorization_code"
+      ];
+      response_types = [ "code" ];
+      response_modes = [
+        "form_post"
+        "query"
+        "fragment"
+      ];
+    }
+  ];
+
+  services.hedgedoc = {
     enable = true;
-		package = pkgs.hedgedoc;
+    package = pkgs.hedgedoc;
 
-		environmentFile = config.age.secrets.hedgedoc_environment_variables.path;
+    environmentFile = config.age.secrets.hedgedoc_environment_variables.path;
 
-		settings = {
-			host = "127.0.0.1";
-			port = config.emile.ports.md;
+    settings = {
+      host = "127.0.0.1";
+      port = config.emile.ports.md;
 
-			domain = "md.emile.space";
+      domain = "md.emile.space";
 
-			urlPath = null; # we're hosting on the root of the subdomain and not a subpath
-			allowGravatar = true;
+      urlPath = null; # we're hosting on the root of the subdomain and not a subpath
+      allowGravatar = true;
 
-			# we're terminating tls at the reverse proxy
-			useSSL = false;
+      # we're terminating tls at the reverse proxy
+      useSSL = false;
 
-			# Use https:// for all links.
-			# This is useful if you are trying to run hedgedoc behind a reverse proxy.
-			# Only applied if domain is set.
-			protocolUseSSL = true;
+      # Use https:// for all links.
+      # This is useful if you are trying to run hedgedoc behind a reverse proxy.
+      # Only applied if domain is set.
+      protocolUseSSL = true;
 
-			# don't allow unauthenticated people to just write somewhere
-			allowAnonymous = false;
-			allowAnonymousEdits = true; # This allows us to set pads "freely"
+      # don't allow unauthenticated people to just write somewhere
+      allowAnonymous = false;
+      allowAnonymousEdits = true; # This allows us to set pads "freely"
 
-			defaultPermission = "private";
+      defaultPermission = "private";
 
-			db = {
-			  dialect = "sqlite";
-			  storage = "/var/lib/hedgedoc/db.sqlite";
-			};
+      db = {
+        dialect = "sqlite";
+        storage = "/var/lib/hedgedoc/db.sqlite";
+      };
 
-			uploadsPath = "/var/lib/hedgedoc/uploads";
+      uploadsPath = "/var/lib/hedgedoc/uploads";
 
-			path = null; # we want to use HTTP and not UNIX domain sockets...
+      path = null; # we want to use HTTP and not UNIX domain sockets...
 
-			allowOrigin = with config.services.hedgedoc.settings; [ host domain ];
-		};
+      allowOrigin = with config.services.hedgedoc.settings; [
+        host
+        domain
+      ];
+    };
   };
 
-	# backups
-	services.restic.backups."hedgedoc" = {
-		user = "u331921";
-		timerConfig = {
-		  OnCalendar = "daily";
-		  Persistent = true;
-		};
-		# repository = "stfp:u331921@u331921.your-storagebox-de:23/restic";
-		repository = "/mnt/storagebox-bx11/backup/hedgedoc";
-		initialize = true; # initializes the repo, don't set if you want manual control
-		passwordFile = config.age.secrets.restic_password.path;
-		paths = [
-			"/var/lib/hedgedoc/"
-		];
-		pruneOpts = [
-		  "--keep-daily 7"
-		  "--keep-weekly 5"
-		  "--keep-monthly 12"
-		  "--keep-yearly 75"
-		];
-
-		# extraOpts = [
-		#   "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'"
-		# ];
+  # backups
+  services.restic.backups."hedgedoc" = {
+    user = "u331921";
+    timerConfig = {
+      OnCalendar = "daily";
+      Persistent = true;
+    };
+    # repository = "stfp:u331921@u331921.your-storagebox-de:23/restic";
+    repository = "/mnt/storagebox-bx11/backup/hedgedoc";
+    initialize = true; # initializes the repo, don't set if you want manual control
+    passwordFile = config.age.secrets.restic_password.path;
+    paths = [ "/var/lib/hedgedoc/" ];
+    pruneOpts = [
+      "--keep-daily 7"
+      "--keep-weekly 5"
+      "--keep-monthly 12"
+      "--keep-yearly 75"
+    ];
+
+    # extraOpts = [
+    #   "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'"
+    # ];
   };
 
 }