From 27c9efa48891a7bb69ba0ef642e18cf5884a9e23 Mon Sep 17 00:00:00 2001
From: Emile
Date: Mon, 25 Mar 2024 15:32:47 +0100
Subject: authelia
---
 nix/hosts/corrino/www/md.emile.space.nix | 102 +++++++++++++++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 nix/hosts/corrino/www/md.emile.space.nix
(limited to 'nix/hosts/corrino/www/md.emile.space.nix')
diff --git a/nix/hosts/corrino/www/md.emile.space.nix b/nix/hosts/corrino/www/md.emile.space.nix
new file mode 100644
index 0000000..a983729
--- /dev/null
+++ b/nix/hosts/corrino/www/md.emile.space.nix
@@ -0,0 +1,102 @@
+{ config, pkgs, ... }:
+
+{
+ services.nginx.virtualHosts."md.emile.space" = {
+ forceSSL = true;
+ enableACME = true;
+
+ # TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
+ # extraConfig = authelia-location;
+
+ locations = {
+ "/" = {
+ proxyPass = "http://127.0.0.1:3003";
+
+ # TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
+ # extraConfig = authelia-authrequest;
+ };
+ };
+ };
+
+ # auth via authelia
+ services.authelia.instances.main.settings.identity_providers.oidc.clients = [
+ {
+ id = "HedgeDoc";
+
+ # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+ secret = "$pbkdf2-sha512$310000$l4Kyec7Q9oY2GAhWA/xMig$P/MYFmulfgsDNyyiclUzd6le0oSiOvqCIvl4op5DkXtVTxLWlMA3ZwhJ6Z7u.OfIREuEM2htH6asxWPhBhkpNQ";
+ public = false;
+ authorization_policy = "two_factor";
+ redirect_uris = [
+ "https://md.emile.space/auth/oauth2/callback"
+ ];
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ grant_types = [
+ "refresh_token"
+ "authorization_code"
+ ];
+ response_types = [
+ "code"
+ ];
+ response_modes = [
+ "form_post"
+ "query"
+ "fragment"
+ ];
+ }
+ ];
+
+ services.hedgedoc = {
+ enable = true;
+ package = pkgs.hedgedoc;
+
+ environmentFile = config.age.secrets.hedgedoc_environment_variables.path;
+
+ settings = {
+ host = "127.0.0.1";
+ port = 3003;
+
+ domain = "md.emile.space";
+
+ urlPath = null; # we're hosting on the root of the subdomain and not a subpath
+ allowGravatar = true;
+
+ # we're terminating tls at the reverse proxy
+ useSSL = false;
+
+ # Use https:// for all links.
+ # This is useful if you are trying to run hedgedoc behind a reverse proxy.
+ # Only applied if domain is set.
+ protocolUseSSL = true;
+
+ db = {
+ dialect = "sqlite";
+ storage = "/var/lib/hedgedoc/db.sqlite";
+ };
+
+ uploadsPath = "/var/lib/hedgedoc/uploads";
+
+ path = null; # we want to use HTTP and not UNIX domain sockets...
+
+ allowOrigin = with config.services.hedgedoc.settings; [ host domain ];
+ };
+ };
+
+ # backups
+ services.restic.backups = {
+ storagebox = {
+ user = "u331921";
+ repository = "stfp:u331921@u331921.your-storagebox-de:23/restic";
+ initialize = true; # initializes the repo, don't set if you want manual control
+ passwordFile = config.age.secrets.restic_password.path;
+ paths = [
+ "/var/lib/hedgedoc/"
+ ];
+ };
+ };
+
+}
-- cgit 1.4.1
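Review bot: The restic backend URL in `services.restic.backups.storagebox.repository` cannot be parsed as written: the scheme is spelled `stfp:` instead of `sftp:` and the host `u331921.your-storagebox-de` is missing the dot before `de`, so every scheduled run will fail and `initialize = true` will never create the repository; it should read `repository = "sftp:u331921@u331921.your-storagebox.de:23/restic";`. The backup also reads the live SQLite file (`/var/lib/hedgedoc/db.sqlite`) straight from disk, which can produce an inconsistent snapshot if HedgeDoc writes mid-run; a `backupPrepareCommand` that dumps it with `sqlite3 ... ".backup <staging path>"` and backs up that copy, or stops the unit for the duration, is the usual remedy. Separately, both Authelia `auth_request` snippets in the nginx vhost are commented out, so nothing at the proxy layer gates `md.emile.space` and access control rests entirely on HedgeDoc's own settings — `allowAnonymous`, `allowAnonymousEdits` and `allowEmailRegister` are not set here, so presumably the upstream defaults (anonymous access permitted) apply, and it would be worth pinning them explicitly until the TODO is resolved.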