blob: 8d9d1096dc248cf2cf9c13ff880c7152f372de85 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
{ config, pkgs, ... }:
{
services.nginx.virtualHosts."md.emile.space" = {
forceSSL = true;
enableACME = true;
# TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
# extraConfig = authelia-location;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:3003";
# TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
# extraConfig = authelia-authrequest;
};
};
};
# auth via authelia
services.authelia.instances.main.settings.identity_providers.oidc.clients = [
{
id = "HedgeDoc";
# ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
secret = "$pbkdf2-sha512$310000$l4Kyec7Q9oY2GAhWA/xMig$P/MYFmulfgsDNyyiclUzd6le0oSiOvqCIvl4op5DkXtVTxLWlMA3ZwhJ6Z7u.OfIREuEM2htH6asxWPhBhkpNQ";
public = false;
authorization_policy = "two_factor";
redirect_uris = [
"https://md.emile.space/auth/oauth2/callback"
];
scopes = [
"openid"
"email"
"profile"
];
grant_types = [
"refresh_token"
"authorization_code"
];
response_types = [
"code"
];
response_modes = [
"form_post"
"query"
"fragment"
];
}
];
services.hedgedoc = {
enable = true;
package = pkgs.hedgedoc;
environmentFile = config.age.secrets.hedgedoc_environment_variables.path;
settings = {
host = "127.0.0.1";
port = 3003;
domain = "md.emile.space";
urlPath = null; # we're hosting on the root of the subdomain and not a subpath
allowGravatar = true;
# we're terminating tls at the reverse proxy
useSSL = false;
# Use https:// for all links.
# This is useful if you are trying to run hedgedoc behind a reverse proxy.
# Only applied if domain is set.
protocolUseSSL = true;
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.sqlite";
};
uploadsPath = "/var/lib/hedgedoc/uploads";
path = null; # we want to use HTTP and not UNIX domain sockets...
allowOrigin = with config.services.hedgedoc.settings; [ host domain ];
};
};
# backups
services.restic.backups = {
storagebox = {
user = "u331921";
repository = "stfp:u331921@u331921.your-storagebox-de:23/restic";
initialize = true; # initializes the repo, don't set if you want manual control
passwordFile = config.age.secrets.restic_password.path;
paths = [
"/var/lib/hedgedoc/"
];
};
};
}
|