stuebinm
f654b33a56
this started with emily pointing out to me that it's possible to generate IP addresses for containers in Nix (hence no need to worry about ever having collisions, as we had before), but then I thought, hey, while I'm at it, I can also write a little container module so we have a little less repetition in our configs in general (and a more reasonable place for our custom evalConfig than just keeping it around in flake.nix). See the option descriptions in modules/containers.nix for further details. Apart from giving all containers a new IP address (and also shiny new IPv6 addresses), this should be a no-op for the actual built system.
91 lines
2.7 KiB
Nix
{ config, lib, pkgs, ... }:

# Host-side wiring for the pad-hacc container: secret delivery into the
# container, the container's own NixOS config (hedgedoc + postgres), and the
# nginx virtual hosts on the host that front it.
let
  dbName = "codimd";
  padDomain = "pad.hacc.space";
  oauthBase = "https://login.infra4future.de/oauth2";
in
{
  # The hedgedoc env file is decrypted by sops on the host and handed into the
  # container through a bind mount, so no secret material lives in this file.
  sops.secrets."hedgedoc-hacc/env" = {};
  containers.pad-hacc.bindMounts."/secrets".hostPath = "/run/secrets/hedgedoc-hacc";

  hacc.containers.pad-hacc.config = { config, lib, ... }: {
    services.hedgedoc = {
      enable = true;
      # Anything that must not be committed (the OAuth client secret) is read
      # from the sops-managed env file mounted at /secrets.
      environmentFile = "/secrets/env";
      settings = {
        domain = padDomain;
        # Binds every interface inside the container; the host's nginx below
        # proxies to it over the container link.
        host = "0.0.0.0";
        protocolUseSSL = true;
        hsts = { preload = false; };
        email = false;

        allowAnonymous = true;
        allowFreeURL = true;
        allowGravatar = false;
        allowOrigin = [ "localhost" padDomain "fff-muc.de" ];
        defaultPermission = "limited";

        db = {
          dialect = "postgres";
          # Unix socket; which roles may connect over it is decided by the
          # pg_hba lines in services.postgresql.authentication below.
          host = "/run/postgresql";
          username = dbName;
          database = dbName;
        };

        oauth2 = {
          authorizationURL = "${oauthBase}/authorize";
          tokenURL = "${oauthBase}/token";
          clientID = "hedgedoc";
          # Placeholder only: the NixOS module insists on the key, the real
          # secret comes from the env file above and takes precedence.
          clientSecret = "lol nope";
        };
      };
    };

    systemd.services.hedgedoc.environment = {
      CMD_LOGLEVEL = "warn";
      CMD_OAUTH2_PROVIDERNAME = "Infra4Future";
      CMD_OAUTH2_USER_PROFILE_URL = "${oauthBase}/userinfo";
      CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR = "nickname";
      CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR = "name";
      CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR = "email";
    };

    services.postgresql = {
      enable = true;
      package = pkgs.postgresql_15;
      ensureDatabases = [ dbName ];
      ensureUsers = [ { name = dbName; ensureDBOwnership = true; } ];
      # NOTE(review): `local all all trust` lets any process inside the
      # container authenticate over the socket as any role, including the
      # superuser. The blast radius is the container, but hedgedoc only ever
      # connects as codimd to the codimd database, so narrowing the trust line
      # to that role/database (and leaving the rest to peer) should cost
      # nothing.
      authentication = ''
        local all all trust
        host ${dbName} ${dbName} 127.0.0.1/32 trust
      '';
    };

    services.postgresqlBackup = {
      enable = true;
      databases = [ dbName ];
      startAt = "*-*-* 23:45:00";
      location = "/persist/backups/postgres";
    };

    hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
  };

  services.nginx.virtualHosts = {
    # Old name: redirect everything onto the canonical domain.
    "pad.hacc.earth" = {
      enableACME = true;
      forceSSL = true;
      globalRedirect = padDomain;
    };

    ${padDomain} = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        # TLS terminates here; the hop to the container is plain http on the
        # container link. localAddress is assigned by the hacc.containers
        # module (modules/containers.nix) rather than picked by hand.
        proxyPass = "http://${config.containers.pad-hacc.localAddress}:3000";
        # NOTE(review): the wildcard CORS header is broader than hedgedoc's
        # own allowOrigin list above; confirm it is still needed and, if so,
        # whether it can be narrowed to the same origins.
        extraConfig = ''
          add_header Access-Control-Allow-Origin "*";
          proxy_buffering off;
        '';
      };
    };
  };
}