about summary refs log tree commit diff
path: root/nix/hosts/corrino/www/md.emile.space.nix
blob: 7ad7a941213ba3995be28e3f41e7c9085eee7368 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
{ config, pkgs, ... }:

{
	services.nginx.virtualHosts."md.emile.space" = {
		forceSSL = true;
		enableACME = true;

		# TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
		# extraConfig = authelia-location;

		locations = {
			"/" = {
				# proxyPass = "http://127.0.0.1:3003";
        proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}";

				# TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
				# extraConfig = authelia-authrequest;
			};
		};
	};

	# auth via authelia
	services.authelia.instances.main.settings.identity_providers.oidc.clients = [
		{
			id = "HedgeDoc";

			# ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
			secret = "$pbkdf2-sha512$310000$l4Kyec7Q9oY2GAhWA/xMig$P/MYFmulfgsDNyyiclUzd6le0oSiOvqCIvl4op5DkXtVTxLWlMA3ZwhJ6Z7u.OfIREuEM2htH6asxWPhBhkpNQ"; 
			public = false;
			authorization_policy = "two_factor";
			redirect_uris = [
				"https://md.emile.space/auth/oauth2/callback"
			];
			scopes = [
				"openid"
				"email"
				"profile"
			];
			grant_types = [
				"refresh_token"
				"authorization_code"
			];
			response_types = [
				"code"
			];
			response_modes = [
				"form_post"
				"query"
				"fragment"
			];
		}
	];

	services.hedgedoc = {
    enable = true;
		package = pkgs.hedgedoc;

		environmentFile = config.age.secrets.hedgedoc_environment_variables.path;

		settings = {
			host = "127.0.0.1";
			port = config.emile.ports.md;

			domain = "md.emile.space";

			urlPath = null; # we're hosting on the root of the subdomain and not a subpath
			allowGravatar = true;

			# we're terminating tls at the reverse proxy
			useSSL = false;

			# Use https:// for all links.
			# This is useful if you are trying to run hedgedoc behind a reverse proxy.
			# Only applied if domain is set.
			protocolUseSSL = true;

			# don't allow unauthenticated people to just write somewhere
			allowAnonymous = false;
			allowAnonymousEdits = true; # This allows us to set pads "freely"

			defaultPermission = "private";

			db = {
			  dialect = "sqlite";
			  storage = "/var/lib/hedgedoc/db.sqlite";
			};

			uploadsPath = "/var/lib/hedgedoc/uploads";

			path = null; # we want to use HTTP and not UNIX domain sockets...

			allowOrigin = with config.services.hedgedoc.settings; [ host domain ];
		};
  };

	# backups
	services.restic.backups."hedgedoc" = {
		user = "u331921";
		timerConfig = {
		  OnCalendar = "daily";
		  Persistent = true;
		};
		# repository = "stfp:u331921@u331921.your-storagebox-de:23/restic";
		repository = "/mnt/storagebox-bx11/backup/hedgedoc";
		initialize = true; # initializes the repo, don't set if you want manual control
		passwordFile = config.age.secrets.restic_password.path;
		paths = [
			"/var/lib/hedgedoc/"
		];
		pruneOpts = [
		  "--keep-daily 7"
		  "--keep-weekly 5"
		  "--keep-monthly 12"
		  "--keep-yearly 75"
		];

		# extraOpts = [
		#   "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'"
		# ];
  };

}