path: root/nix/hosts/corrino/www/talks.emile.space.nix
blob: b64fb958750c6c578e2326e0a9c45a3e82351390 (plain)
{ config, pkgs, ... }:

# NixOS module for talks.emile.space: an nginx virtual host (ACME, forced TLS)
# that proxies to a pretalx OCI container on loopback, a redis instance
# reachable only through a unix socket, and the host user that owns that
# socket.
#
# TODO(emile): use the 24.05 nix module

let
  ports = import ../ports.nix;
  # pkgs.writeText places this file in the Nix store, which is world-readable
  # on the host, so nothing that is itself a secret may be interpolated here.
  #
  # NOTE(review): `${config.age.secrets.mail_password.path}` below expands to
  # the *path* of the agenix secret, not its contents, so the [mail] password
  # pretalx reads is that path string; the path is also not among the volumes
  # mounted into the container. Pass the password out of band instead (for
  # example through the container's `environmentFiles` option with a file that
  # sets the corresponding PRETALX_* variable — confirm the variable name
  # against the pretalx docs) and keep it out of this store-visible file.
  #
  # NOTE(review): the csp value still lists http://localhost:8080, a dev
  # origin; in production it only loosens the policy — consider removing it.
  #
  # NOTE(review): `sessions=true` keeps pretalx sessions in redis; the
  # file's own comment ties that choice to how well the redis socket is
  # locked down — see unixSocketPerm further below.
  pretalx_config = pkgs.writeText "/etc/pretalx.cfg" ''
    [filesystem]
    media = /public/media
    data = /public/data
    static = /pretalx/src/static.dist

    [site]
    ; never run debug in production
    debug = False
    url = https://talks.emile.space
    csp=https://talks.emile.space,http://localhost:8080,'self'

    [database]
    backend=sqlite3

    [mail]
    from = pretalx@emile.space
    host = mail.emile.space
    port = 1025
    user = mail
    password=${config.age.secrets.mail_password.path}
    tls = True
    ssl = False

    [celery]
    backend=redis+socket:///pretalx/redis.sock?virtual_host=1
    broker=redis+socket:///pretalx/redis.sock?virtual_host=2

    [redis]
    location=unix:///pretalx/redis.sock?db=0
    ; Remove the following line if you are unsure about your redis' security
    ; to reduce impact if redis gets compromised.
    sessions=true    
  ''; 
in {
  # Public entry point: plain HTTP is redirected to TLS and the certificate is
  # obtained via ACME.
  services.nginx.virtualHosts."talks.emile.space" = {
    forceSSL = true;
    enableACME = true;

    locations = {
      # Everything not matched by the two paths below goes to the container,
      # which is published on loopback only (see `ports` in the container).
      # Only X-Forwarded-For and Host are forwarded; no X-Forwarded-Proto —
      # presumably pretalx takes the scheme from [site] url; verify if
      # redirects or CSRF checks misbehave behind the proxy.
      "/" = {
        extraConfig = ''
          proxy_pass http://127.0.0.1:${toString ports.talks};

          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header Host $host;
        '';
      };
      # Uploaded media and collected static files are served by nginx straight
      # from the host directory that is bind-mounted into the container as
      # /public (see `volumes` below), bypassing the application.
      "/media/" = {
        root = "/var/pretalx-public/";
      };
      "/static/" = {
        root = "/var/pretalx-public/";
      };
    };
  };

  virtualisation.oci-containers.containers = {
    pretalx = {
      # NOTE(review): `latest` is an unpinned tag, so each pull may deploy
      # different code than was reviewed; pin a release tag or an @sha256
      # digest so deploys are reproducible and auditable.
      image = "pretalx/standalone:latest";
      # Bound to 127.0.0.1 only: nginx above is the sole path in from outside.
      ports = [
        "127.0.0.1:${toString ports.talks}:80"
      ];
      volumes = [
        "/var/pretalx-data:/data" # {static, media}
        "/var/pretalx-public:/public"
        "/var/pretalx-public/static:/pretalx/src/static.dist"

        # "/var/pretalx-public-media:/public/media"
        # The store-resident config from above, mounted read-only, and the
        # unix socket of the host redis service declared below.
        "${pretalx_config}:/etc/pretalx/pretalx.cfg:ro"
        "/run/redis-pretalx/redis.sock:/pretalx/redis.sock"
      ];
    };
  };

  services.redis.vmOverCommit = true;
  services.redis.servers."pretalx" = {
    enable = true;
    # port 0 disables the TCP listener, so this instance is reachable only over
    # its unix socket (the one mounted into the container above).
    port = 0;
    # NOTE(review): 666 makes the socket readable and writable by every local
    # account, and no redis authentication is configured here, so any process
    # on the host could read or forge the pretalx sessions kept in it. The
    # socket presumably belongs to the redis user set below, and the container
    # process is expected to run with that same uid (999), so 660 — or 600 —
    # should be sufficient; TODO confirm the uid the container runs as before
    # tightening.
    unixSocketPerm = 666;
    user = "pretalxuser";
  };

  users = {
    groups."pretalxuser" = {};
    users."pretalxuser" = {
      #isNormalUser = true; # we're setting the uid manually, nix should detect this, but whatever...
      # Fixed uid so the host-side owner of the redis socket and the process
      # inside the container agree on identity — presumably matches the uid
      # the pretalx image runs as; confirm when changing the image.
      uid = 999;
      group = "pretalxuser";
      description = "The user for pretalx. Created, as we need a user to set the permissions for the redis unix socket";
    };
  };

  # pretalx's periodic tasks are not scheduled by this module; the line below
  # records the cron entry expected to exist on the host.
  # 15,45 * * * * docker exec pretalx-app pretalx runperiodic
}