about summary refs log tree commit diff
path: root/nix/hosts/corrino/www/md.emile.space.nix
blob: 2fb2ee4ec74105857395ba796a71e0fe3a33c4c3 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
{ config, pkgs, ... }:

let
	ports = import ../ports.nix;
in {
	services.nginx.virtualHosts."md.emile.space" = {
		forceSSL = true;
		enableACME = true;

		# TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
		# extraConfig = authelia-location;

		locations = {
			"/" = {
				# proxyPass = "http://127.0.0.1:3003";
        proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}";

				# TODO(emile): figure out why this doesn't work when enabled, has to do with authelia
				# extraConfig = authelia-authrequest;
			};
		};
	};

	# auth via authelia
	services.authelia.instances.main.settings.identity_providers.oidc.clients = [
		{
			id = "HedgeDoc";

			# ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
			secret = "$pbkdf2-sha512$310000$l4Kyec7Q9oY2GAhWA/xMig$P/MYFmulfgsDNyyiclUzd6le0oSiOvqCIvl4op5DkXtVTxLWlMA3ZwhJ6Z7u.OfIREuEM2htH6asxWPhBhkpNQ"; 
			public = false;
			authorization_policy = "two_factor";
			redirect_uris = [
				"https://md.emile.space/auth/oauth2/callback"
			];
			scopes = [
				"openid"
				"email"
				"profile"
			];
			grant_types = [
				"refresh_token"
				"authorization_code"
			];
			response_types = [
				"code"
			];
			response_modes = [
				"form_post"
				"query"
				"fragment"
			];
		}
	];

	services.hedgedoc = {
    enable = true;
		package = pkgs.hedgedoc;

		environmentFile = config.age.secrets.hedgedoc_environment_variables.path;

		settings = {
			host = "127.0.0.1";
			port = ports.md;

			domain = "md.emile.space";

			urlPath = null; # we're hosting on the root of the subdomain and not a subpath
			allowGravatar = true;

			# we're terminating tls at the reverse proxy
			useSSL = false;

			# Use https:// for all links.
			# This is useful if you are trying to run hedgedoc behind a reverse proxy.
			# Only applied if domain is set.
			protocolUseSSL = true;

			# don't allow unauthenticated people to just write somewhere
			allowAnonymous = false;

			defaultPermission = "private";

			db = {
			  dialect = "sqlite";
			  storage = "/var/lib/hedgedoc/db.sqlite";
			};

			uploadsPath = "/var/lib/hedgedoc/uploads";

			path = null; # we want to use HTTP and not UNIX domain sockets...

			allowOrigin = with config.services.hedgedoc.settings; [ host domain ];
		};
  };

	# backups
	services.restic.backups = {
	  storagebox = {
			user = "u331921";
			repository = "stfp:u331921@u331921.your-storagebox-de:23/restic";
			initialize = true; # initializes the repo, don't set if you want manual control
			passwordFile = config.age.secrets.restic_password.path;
			paths = [
				"/var/lib/hedgedoc/"
			];
	  };
	};

}