nix/hosts/corrino/www/md.emile.space.nix


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107

{ config, pkgs, ... }:

{
  services.nginx.virtualHosts."md.emile.space" = {
    forceSSL = true;
    enableACME = true;
    locations = {
      "/" = {
        proxyPass = "http://[${config.services.hedgedoc.settings.host}]:${toString config.services.hedgedoc.settings.port}";
      };
    };
  };

  age.secrets.hedgedoc_oidc_client_secret.owner = "authelia-main";
  age.secrets.hedgedoc_oidc_client_secret.group = "authelia-main";
  
  # auth via authelia
  services.authelia.instances.main.settings.identity_providers.oidc.clients = [
    {
      client_id = "HedgeDoc";

      # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
      client_secret = "{{ secret \"${config.age.secrets.hedgedoc_oidc_client_secret.path}\" }}";
      public = false;
      authorization_policy = "two_factor";
      redirect_uris = [ "https://md.emile.space/auth/oauth2/callback" ];
      scopes = [
        "openid"
        "email"
        "profile"
      ];
      grant_types = [
        "refresh_token"
        "authorization_code"
      ];
      response_types = [ "code" ];
      response_modes = [
        "form_post"
        "query"
        "fragment"
      ];
      token_endpoint_auth_method = "client_secret_post";
    }
  ];

  services.hedgedoc = {
    enable = true;
    package = pkgs.hedgedoc;

    environmentFile = config.age.secrets.hedgedoc_environment_variables.path;

    settings = {
      host = "::1";
      port = config.emile.ports.md;

      domain = "md.emile.space";

      urlPath = null; # we're hosting on the root of the subdomain and not a subpath
      allowGravatar = true;

      # we're terminating tls at the reverse proxy
      useSSL = false;

      # Use https:// for all links.
      # This is useful if you are trying to run hedgedoc behind a reverse proxy.
      # Only applied if domain is set.
      protocolUseSSL = true;

      # don't allow unauthenticated people to just write somewhere
      allowAnonymous = false;
      allowAnonymousEdits = true; # This allows us to set pads "freely"

      defaultPermission = "private";

      db = {
        dialect = "sqlite";
        storage = "/var/lib/hedgedoc/db.sqlite";
      };

      uploadsPath = "/var/lib/hedgedoc/uploads";

      path = null; # we want to use HTTP and not UNIX domain sockets...

      allowOrigin = with config.services.hedgedoc.settings; [
        host
        domain
      ];
    };
  };

  services.restic.backups."corrino" = {
    paths = [ "/var/lib/hedgedoc" ];
  };

  services.restic.backups."hedgedoc" = {
    repository = "/mnt/storagebox-bx11/hedgedoc";
    paths = [ "/var/lib/hedgedoc" ];
    passwordFile = config.age.secrets.restic_password.path;
    initialize = true;
    pruneOpts = [
      "--keep-daily 7"
      "--keep-weekly 5"
      "--keep-monthly 12"
      "--keep-yearly 75"
    ];
  };
}