Diffstat (limited to 'nix/hosts/corrino/www/talks.emile.space.nix')
-rw-r--r--nix/hosts/corrino/www/talks.emile.space.nix97
1 files changed, 97 insertions, 0 deletions
diff --git a/nix/hosts/corrino/www/talks.emile.space.nix b/nix/hosts/corrino/www/talks.emile.space.nix
new file mode 100644
index 0000000..4833fa7
--- /dev/null
+++ b/nix/hosts/corrino/www/talks.emile.space.nix
@@ -0,0 +1,97 @@
+{ config, pkgs, ... }:
+
+let
+  pretalx_config = pkgs.writeText "/etc/pretalx.cfg" ''
+    [filesystem]
+    media = /public/media
+    data = /public/data
+    static = /pretalx/src/static.dist
+
+    [site]
+    ; never run debug in production
+    debug = True
+    url = https://talks.emile.space
+
+    [database]
+    backend=sqlite3
+
+    [mail]
+    from = pretalx@emile.space
+    host = mail.emile.space
+    port = 1025
+    user = mail
+    password=${config.age.secrets.mail_password.path}
+    tls = True
+    ssl = False
+
+    [celery]
+    backend=redis+socket:///pretalx/redis.sock?virtual_host=1
+    broker=redis+socket:///pretalx/redis.sock?virtual_host=2
+
+    [redis]
+    location=unix:///pretalx/redis.sock?db=0
+    ; Remove the following line if you are unsure about your redis' security
+    ; to reduce impact if redis gets compromised.
+    sessions=true    
+  ''; 
+in {
+  services.nginx.virtualHosts."talks.emile.space" = {
+    forceSSL = true;
+    enableACME = true;
+
+    locations = {
+      "/" = {
+        extraConfig = ''
+          proxy_pass http://127.0.0.1:8350;
+
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header Host $host;
+        '';
+      };
+      "/media/" = {
+        root = "/var/pretalx-public/";
+      };
+      "/static/" = {
+        root = "/var/pretalx-public/";
+      };
+    };
+  };
+
+  virtualisation.oci-containers.containers = {
+    pretalx = {
+      image = "pretalx/standalone:latest";
+      ports = [
+        "127.0.0.1:8350:80"
+      ];
+      volumes = [
+        "/var/pretalx-data:/data" # {static, media}
+        "/var/pretalx-public:/public"
+        "/var/pretalx-public/static:/pretalx/src/static.dist"
+
+        # "/var/pretalx-public-media:/public/media"
+        "${pretalx_config}:/etc/pretalx/pretalx.cfg:ro"
+        "/run/redis-pretalx/redis.sock:/pretalx/redis.sock"
+      ];
+    };
+  };
+
+  services.redis.vmOverCommit = true;
+  services.redis.servers."pretalx" = {
+    enable = true;
+    port = 0;
+    unixSocketPerm = 666;
+    user = "pretalxuser";
+  };
+
+  users = {
+    groups."pretalxuser" = {};
+    users."pretalxuser" = {
+      #isNormalUser = true; # we're setting the uid manually, nix should detect this, but whatever...
+      uid = 999;
+      group = "pretalxuser";
+      description = "The user for pretalx. Created, as we need a user to set the permissions for the redis unix socket";
+    };
+  };
+
+  # 15,45 * * * * docker exec pretalx-app pretalx runperiodic
+}
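Review bot: `debug = True` in the `[site]` section contradicts the comment directly above it and ships Django debug mode on a public, ACME-fronted host, where any error page will render tracebacks and settings (including the `[mail]` credentials); change it to `debug = False`. In `[mail]`, `password=${config.age.secrets.mail_password.path}` interpolates the secret's path rather than its contents, so SMTP auth will be attempted with the literal path string — and switching to reading the file at eval time would bake the password into the world-readable Nix store via `pkgs.writeText`, so the secret should instead be supplied at runtime (e.g. by mounting the agenix file into the container and pointing the config at it). `unixSocketPerm = 666` on a redis socket that also stores sessions (`sessions=true`, despite the warning comment above it) lets any local user read and forge session data; since the container user is pinned to uid 999/`pretalxuser`, `unixSocketPerm = 660` should suffice, to be confirmed against the uid the image actually runs as. `pretalx/standalone:latest` is an unpinned tag, so upgrades happen on every pull; pinning a version or digest makes them deliberate and reviewable.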