From 55ee036fd7ebed24097c8da1ca8a0b0829264670 Mon Sep 17 00:00:00 2001
From: Emile
Date: Sat, 9 Mar 2024 22:56:01 +0100
Subject: big bang
---
nix/hosts/corrino/www/talks.emile.space.nix | 97 +++++++++++++++++++++++++++++
1 file changed, 97 insertions(+)
create mode 100644 nix/hosts/corrino/www/talks.emile.space.nix
(limited to 'nix/hosts/corrino/www/talks.emile.space.nix')
diff --git a/nix/hosts/corrino/www/talks.emile.space.nix b/nix/hosts/corrino/www/talks.emile.space.nix
new file mode 100644
index 0000000..4833fa7
--- /dev/null
+++ b/nix/hosts/corrino/www/talks.emile.space.nix
@@ -0,0 +1,97 @@
+{ config, pkgs, ... }:
+
+let
+ pretalx_config = pkgs.writeText "/etc/pretalx.cfg" ''
+ [filesystem]
+ media = /public/media
+ data = /public/data
+ static = /pretalx/src/static.dist
+
+ [site]
+ ; never run debug in production
+ debug = True
+ url = https://talks.emile.space
+
+ [database]
+ backend=sqlite3
+
+ [mail]
+ from = pretalx@emile.space
+ host = mail.emile.space
+ port = 1025
+ user = mail
+ password=${config.age.secrets.mail_password.path}
+ tls = True
+ ssl = False
+
+ [celery]
+ backend=redis+socket:///pretalx/redis.sock?virtual_host=1
+ broker=redis+socket:///pretalx/redis.sock?virtual_host=2
+
+ [redis]
+ location=unix:///pretalx/redis.sock?db=0
+ ; Remove the following line if you are unsure about your redis' security
+ ; to reduce impact if redis gets compromised.
+ sessions=true
+ '';
+in {
+ services.nginx.virtualHosts."talks.emile.space" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations = {
+ "/" = {
+ extraConfig = ''
+ proxy_pass http://127.0.0.1:8350;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header Host $host;
+ '';
+ };
+ "/media/" = {
+ root = "/var/pretalx-public/";
+ };
+ "/static/" = {
+ root = "/var/pretalx-public/";
+ };
+ };
+ };
+
+ virtualisation.oci-containers.containers = {
+ pretalx = {
+ image = "pretalx/standalone:latest";
+ ports = [
+ "127.0.0.1:8350:80"
+ ];
+ volumes = [
+ "/var/pretalx-data:/data" # {static, media}
+ "/var/pretalx-public:/public"
+ "/var/pretalx-public/static:/pretalx/src/static.dist"
+
+ # "/var/pretalx-public-media:/public/media"
+ "${pretalx_config}:/etc/pretalx/pretalx.cfg:ro"
+ "/run/redis-pretalx/redis.sock:/pretalx/redis.sock"
+ ];
+ };
+ };
+
+ services.redis.vmOverCommit = true;
+ services.redis.servers."pretalx" = {
+ enable = true;
+ port = 0;
+ unixSocketPerm = 666;
+ user = "pretalxuser";
+ };
+
+ users = {
+ groups."pretalxuser" = {};
+ users."pretalxuser" = {
+ #isNormalUser = true; # we're setting the uid manually, nix should
detect this, but whatever...
+ uid = 999;
+ group = "pretalxuser";
+ description = "The user for pretalx. Created, as we need a user to set the permissions for the redis unix socket";
+ };
+ };
+
+ # 15,45 * * * * docker exec pretalx-app pretalx runperiodic
+}
-- 
cgit 1.4.1
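Review bot: `debug = True` under `[site]` contradicts the comment directly above it, and this vhost is served publicly through nginx with ACME, so Django debug error pages (stack traces, settings, request data) would be shown to anyone who triggers an error; set `debug = False`. In `[mail]`, `password=${config.age.secrets.mail_password.path}` interpolates the path of the agenix secret rather than its contents, so SMTP authentication would send a file path as the password. Inlining the secret instead would put it in the world-readable Nix store via `pkgs.writeText`, so it is better supplied at runtime, for example through the container's `environmentFiles`, if the image reads the mail password from the environment. `unixSocketPerm = 666` lets every local account talk to the Redis instance that holds sessions and the Celery broker; `unixSocketPerm = 660;` looks sufficient since Redis already runs as `pretalxuser` (uid 999), assuming the container process uses that uid. `image = "pretalx/standalone:latest"` is a mutable tag, so pinning a version or digest would keep an upstream push from silently changing what runs here.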