blob: b64fb958750c6c578e2326e0a9c45a3e82351390 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
|
{ config, pkgs, ... }:
# TODO(emile): use the 24.05 nix module
let
ports = import ../ports.nix;
pretalx_config = pkgs.writeText "/etc/pretalx.cfg" ''
[filesystem]
media = /public/media
data = /public/data
static = /pretalx/src/static.dist
[site]
; never run debug in production
debug = False
url = https://talks.emile.space
csp=https://talks.emile.space,http://localhost:8080,'self'
[database]
backend=sqlite3
[mail]
from = pretalx@emile.space
host = mail.emile.space
port = 1025
user = mail
password=${config.age.secrets.mail_password.path}
tls = True
ssl = False
[celery]
backend=redis+socket:///pretalx/redis.sock?virtual_host=1
broker=redis+socket:///pretalx/redis.sock?virtual_host=2
[redis]
location=unix:///pretalx/redis.sock?db=0
; Remove the following line if you are unsure about your redis' security
; to reduce impact if redis gets compromised.
sessions=true
'';
in {
services.nginx.virtualHosts."talks.emile.space" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
extraConfig = ''
proxy_pass http://127.0.0.1:${toString ports.talks};
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Host $host;
'';
};
"/media/" = {
root = "/var/pretalx-public/";
};
"/static/" = {
root = "/var/pretalx-public/";
};
};
};
virtualisation.oci-containers.containers = {
pretalx = {
image = "pretalx/standalone:latest";
ports = [
"127.0.0.1:${toString ports.talks}:80"
];
volumes = [
"/var/pretalx-data:/data" # {static, media}
"/var/pretalx-public:/public"
"/var/pretalx-public/static:/pretalx/src/static.dist"
# "/var/pretalx-public-media:/public/media"
"${pretalx_config}:/etc/pretalx/pretalx.cfg:ro"
"/run/redis-pretalx/redis.sock:/pretalx/redis.sock"
];
};
};
services.redis.vmOverCommit = true;
services.redis.servers."pretalx" = {
enable = true;
port = 0;
unixSocketPerm = 666;
user = "pretalxuser";
};
users = {
groups."pretalxuser" = {};
users."pretalxuser" = {
#isNormalUser = true; # we're setting the uid manually, nix should detect this, but whatever...
uid = 999;
group = "pretalxuser";
description = "The user for pretalx. Created, as we need a user to set the permissions for the redis unix socket";
};
};
# 15,45 * * * * docker exec pretalx-app pretalx runperiodic
}
|