blob: d7bdd006dc7760c386ea536a3e4822cea07fbb2e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
|
{ config, pkgs, ... }:
let
ports = import ../ports.nix;
in {
services.nginx.virtualHosts."md.emile.space" = {
forceSSL = true;
enableACME = true;
# TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
# extraConfig = authelia-location;
locations = {
"/" = {
# proxyPass = "http://127.0.0.1:3003";
proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}";
# TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
# extraConfig = authelia-authrequest;
};
};
};
# auth via authelia
services.authelia.instances.main.settings.identity_providers.oidc.clients = [
{
id = "HedgeDoc";
# ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
secret = "$pbkdf2-sha512$310000$l4Kyec7Q9oY2GAhWA/xMig$P/MYFmulfgsDNyyiclUzd6le0oSiOvqCIvl4op5DkXtVTxLWlMA3ZwhJ6Z7u.OfIREuEM2htH6asxWPhBhkpNQ";
public = false;
authorization_policy = "two_factor";
redirect_uris = [
"https://md.emile.space/auth/oauth2/callback"
];
scopes = [
"openid"
"email"
"profile"
];
grant_types = [
"refresh_token"
"authorization_code"
];
response_types = [
"code"
];
response_modes = [
"form_post"
"query"
"fragment"
];
}
];
services.hedgedoc = {
enable = true;
package = pkgs.hedgedoc;
environmentFile = config.age.secrets.hedgedoc_environment_variables.path;
settings = {
host = "127.0.0.1";
port = ports.md;
domain = "md.emile.space";
urlPath = null; # we're hosting on the root of the subdomain and not a subpath
allowGravatar = true;
# we're terminating tls at the reverse proxy
useSSL = false;
# Use https:// for all links.
# This is useful if you are trying to run hedgedoc behind a reverse proxy.
# Only applied if domain is set.
protocolUseSSL = true;
# don't allow unauthenticated people to just write somewhere
allowAnonymous = false;
allowAnonymousEdits = true; # This allows us to set pads "freely"
defaultPermission = "private";
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.sqlite";
};
uploadsPath = "/var/lib/hedgedoc/uploads";
path = null; # we want to use HTTP and not UNIX domain sockets...
allowOrigin = with config.services.hedgedoc.settings; [ host domain ];
};
};
# backups
services.restic.backups."hedgedoc" = {
user = "u331921";
timerConfig = {
OnCalendar = "daily";
Persistent = true;
};
# repository = "stfp:u331921@u331921.your-storagebox-de:23/restic";
repository = "/mnt/storagebox-bx11/backup/hedgedoc";
initialize = true; # initializes the repo, don't set if you want manual control
passwordFile = config.age.secrets.restic_password.path;
paths = [
"/var/lib/hedgedoc/"
];
pruneOpts = [
"--keep-daily 7"
"--keep-weekly 5"
"--keep-monthly 12"
"--keep-yearly 75"
];
# extraOpts = [
# "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'"
# ];
};
}
|