forked from hacc/haccfiles
91 lines
2.9 KiB
Nix
91 lines
2.9 KiB
Nix
{ config, lib, pkgs, ... }:
|
|
|
|
{
|
|
containers.codimd = {
|
|
privateNetwork = true;
|
|
hostAddress = "192.168.100.1";
|
|
localAddress = "192.168.100.3";
|
|
autoStart = true;
|
|
config = { config, lib, pkgs, ... }: {
|
|
networking.firewall.enable = false;
|
|
services.coredns = {
|
|
enable = true;
|
|
config = ''
|
|
.:53 {
|
|
forward . 1.1.1.1
|
|
}
|
|
'';
|
|
};
|
|
services.hedgedoc = {
|
|
enable = true;
|
|
configuration = {
|
|
allowAnonymous = true;
|
|
allowFreeURL = true;
|
|
allowGravatar = false;
|
|
allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ];
|
|
dbURL = "postgres://codimd:codimd@localhost:5432/codimd";
|
|
defaultPermission = "limited";
|
|
domain = "pad.hacc.space";
|
|
host = "0.0.0.0";
|
|
protocolUseSSL = true;
|
|
hsts.preload = false;
|
|
email = false;
|
|
oauth2 = {
|
|
authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
|
|
tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
|
|
clientID = "codimd";
|
|
clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
|
|
};
|
|
};
|
|
};
|
|
systemd.services.hedgedoc.environment = {
|
|
"CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
|
|
"CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name";
|
|
"CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name";
|
|
"CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
|
|
"CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
|
|
};
|
|
services.postgresql = {
|
|
enable = true;
|
|
ensureDatabases = [ "codimd" ];
|
|
ensureUsers = [{
|
|
name = "codimd";
|
|
ensurePermissions = {
|
|
"DATABASE codimd" = "ALL PRIVILEGES";
|
|
};
|
|
}];
|
|
};
|
|
services.postgresqlBackup = {
|
|
enable = true;
|
|
databases = [ "codimd" ];
|
|
startAt = "*-*-* 23:45:00";
|
|
};
|
|
};
|
|
};
|
|
|
|
services.nginx.virtualHosts."pad.hacc.earth" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
globalRedirect = "pad.hacc.space";
|
|
};
|
|
|
|
services.nginx.virtualHosts."pad.hacc.space" = {
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations."/" = {
|
|
proxyPass = "http://192.168.100.3:3000";
|
|
extraConfig = ''
|
|
proxy_pass_request_headers on;
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Host $http_host;
|
|
proxy_set_header Upgrade $http_upgrade;
|
|
proxy_set_header Connection $http_connection;
|
|
add_header Access-Control-Allow-Origin "*";
|
|
proxy_buffering off;
|
|
'';
|
|
};
|
|
};
|
|
}
|