From db877b3dc8bd29c2bd18fcc8263713a0f09c2a25 Mon Sep 17 00:00:00 2001 From: Emile Date: Tue, 11 Jun 2024 23:26:04 +0200 Subject: using the nix modules for hosting pretalx --- nix/hosts/corrino/www/talks.emile.space.nix | 130 ++++++++-------------------- 1 file changed, 36 insertions(+), 94 deletions(-) (limited to 'nix/hosts/corrino/www/talks.emile.space.nix') diff --git a/nix/hosts/corrino/www/talks.emile.space.nix b/nix/hosts/corrino/www/talks.emile.space.nix index b64fb95..ae01237 100644 --- a/nix/hosts/corrino/www/talks.emile.space.nix +++ b/nix/hosts/corrino/www/talks.emile.space.nix 
@@ -1,101 +1,43 @@ { config, pkgs, ... }: -# TODO(emile): use the 24.05 nix module - -let - ports = import ../ports.nix; - pretalx_config = pkgs.writeText "/etc/pretalx.cfg" '' - [filesystem] - media = /public/media - data = /public/data - static = /pretalx/src/static.dist - - [site] - ; never run debug in production - debug = False - url = https://talks.emile.space - csp=https://talks.emile.space,http://localhost:8080,'self' - - [database] - backend=sqlite3 - - [mail] - from = pretalx@emile.space - host = mail.emile.space - port = 1025 - user = mail - password=${config.age.secrets.mail_password.path} - tls = True - ssl = False - - [celery] - backend=redis+socket:///pretalx/redis.sock?virtual_host=1 - broker=redis+socket:///pretalx/redis.sock?virtual_host=2 - - [redis] - location=unix:///pretalx/redis.sock?db=0 - ; Remove the following line if you are unsure about your redis' security - ; to reduce impact if redis gets compromised. - sessions=true - ''; -in { - services.nginx.virtualHosts."talks.emile.space" = { - forceSSL = true; - enableACME = true; - - locations = { - "/" = { - extraConfig = '' - proxy_pass http://127.0.0.1:${toString ports.talks}; - - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header Host $host; - ''; - }; - "/media/" = { - root = "/var/pretalx-public/"; - }; - "/static/" = { - root = "/var/pretalx-public/"; - }; +{ + services = { + # so the default pretalx module doesn't allow TLS foo by default, don't ask + # me why... 
+ nginx.virtualHosts."talks.emile.space" = { + forceSSL = true; + enableACME = true; }; - }; - - virtualisation.oci-containers.containers = { pretalx = { - image = "pretalx/standalone:latest"; - ports = [ - "127.0.0.1:${toString ports.talks}:80" - ]; - volumes = [ - "/var/pretalx-data:/data" # {static, media} - "/var/pretalx-public:/public" - "/var/pretalx-public/static:/pretalx/src/static.dist" - - # "/var/pretalx-public-media:/public/media" - "${pretalx_config}:/etc/pretalx/pretalx.cfg:ro" - "/run/redis-pretalx/redis.sock:/pretalx/redis.sock" - ]; - }; - }; - - services.redis.vmOverCommit = true; - services.redis.servers."pretalx" = { - enable = true; - port = 0; - unixSocketPerm = 666; - user = "pretalxuser"; - }; - - users = { - groups."pretalxuser" = {}; - users."pretalxuser" = { - #isNormalUser = true; # we're setting the uid manually, nix should detect this, but whatever... - uid = 999; - group = "pretalxuser"; - description = "The user for pretalx. Created, as we need a user to set the permissions for the redis unix socket"; + package = pkgs.pretalx; + enable = true; + plugins = with config.services.pretalx.package.plugins; [ pages ]; + user = "pretalx"; + group = "pretalx"; + nginx = { + enable = true; + domain = "talks.emile.space"; + }; + settings = { + site = { + url = "https://talks.emile.space"; + debug = false; + csp = "https://talks.emile.space,http://localhost:8080,'self'"; + }; + mail = { + from = "tickets@emile.space"; + host = "mail.emile.space"; + user = "mail"; + password = "${config.age.secrets.mail_password.path}"; + port = 1025; + tls = "on"; + ssl = "off"; + }; + redis = { + session = true; + location = "unix://${config.services.redis.servers.pretalx.unixSocket}?db=0"; + }; + }; }; }; - - # 15,45 * * * * docker exec pretalx-app pretalx runperiodic } -- cgit 1.4.1
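Review bot: `settings.mail.password = "${config.age.secrets.mail_password.path}"` hands pretalx the path of the age secret, not its contents, so unless the pretalx module dereferences file paths in `settings` (nothing in this hunk shows that) the SMTP password sent to mail.emile.space is the literal path string. Putting the real password into `settings` instead would not be right either: if the module renders `settings` to an INI file in the Nix store, as the removed `pkgs.writeText` config did, the secret becomes world-readable, so it belongs in whatever out-of-store mechanism the module or pretalx offers, with this key dropped from `settings`. The removed `pretalx.cfg` carried the same construct, so the commit preserves rather than introduces it. Two smaller points in the same hunk: `csp` still lists `http://localhost:8080`, a leftover from the container setup that widens the production policy and can be tightened to `csp = "https://talks.emile.space,'self'";`, and `redis.session = true` does not match the `sessions=true` key of the removed config, so unless the module renames it the option is presumably ignored and sessions silently stay out of redis.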