Stefan Junker
ea7caae226
nix/os/devices/sj-vps-htz0: bump versions nix/os/devices/elias-e525: bump versions nix/os/devices/steveej-t14: bump versions nix/os/devices/justyna-p300: bump versions
149 lines
3.4 KiB
Nix
149 lines
3.4 KiB
Nix
{
|
|
repoFlake,
|
|
hostAddress,
|
|
localAddress,
|
|
httpPort ? 80,
|
|
httpsPort ? 443,
|
|
autoStart ? false,
|
|
}: {
|
|
config = {
|
|
config,
|
|
pkgs,
|
|
lib,
|
|
...
|
|
}: {
|
|
system.stateVersion = "22.05"; # Did you read the comment?
|
|
|
|
imports = [
|
|
../profiles/containers/configuration.nix
|
|
|
|
repoFlake.inputs.sops-nix.nixosModules.sops
|
|
];
|
|
|
|
networking.firewall.enable = false;
|
|
|
|
services.ddclientovh = {
|
|
enable = true;
|
|
domain = "www.stefanjunker.de";
|
|
};
|
|
|
|
security.acme = {
|
|
acceptTerms = true;
|
|
certs."www.stefanjunker.de".email = "mail@stefanjunker.de";
|
|
preliminarySelfsigned = true;
|
|
|
|
# can be used for debugging
|
|
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
|
|
};
|
|
|
|
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
|
|
sops.secrets.hedgedoc_environment_file = {
|
|
sopsFile = ./webserver_secrets.yaml;
|
|
owner = config.users.users.hedgedoc.name;
|
|
};
|
|
|
|
services.nginx.enable = true;
|
|
services.nginx.recommendedProxySettings = true;
|
|
services.nginx.virtualHosts."www.stefanjunker.de" = {
|
|
default = true;
|
|
addSSL = true;
|
|
listen = [
|
|
{
|
|
addr = "0.0.0.0";
|
|
port = httpPort;
|
|
ssl = false;
|
|
}
|
|
{
|
|
addr = "0.0.0.0";
|
|
port = httpsPort;
|
|
ssl = true;
|
|
}
|
|
];
|
|
|
|
root = "/var/www/stefanjunker.de/htdocs";
|
|
|
|
enableACME = true;
|
|
|
|
locations."/hedgedoc/" = {proxyPass = "http://[::1]:3000/";};
|
|
|
|
locations."/hedgedoc/socket.io/" = {
|
|
proxyPass = "http://[::1]:3000/socket.io/";
|
|
proxyWebsockets = true;
|
|
};
|
|
};
|
|
|
|
services.hedgedoc = {
|
|
enable = true;
|
|
settings = {
|
|
domain = "www.stefanjunker.de";
|
|
urlPath = "hedgedoc";
|
|
protocolUseSSL = true;
|
|
db = {
|
|
dialect = "sqlite";
|
|
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
|
|
};
|
|
|
|
allowAnonymous = false;
|
|
allowAnonymousEdits = false;
|
|
allowGravatar = false;
|
|
allowFreeURL = false;
|
|
defaultPermission = "private";
|
|
allowEmailRegister = false;
|
|
|
|
# these are set via the `environmentFile`
|
|
dropbox = {
|
|
appKey = "$DROPBOX_APPKEY";
|
|
clientID = "$DROPBOX_CLIENTID";
|
|
clientSecret = "$DROPBOX_CLIENTSECRET";
|
|
};
|
|
|
|
uploadsPath = "/var/lib/hedgedoc/uploads";
|
|
};
|
|
|
|
environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
|
|
};
|
|
};
|
|
|
|
inherit autoStart;
|
|
|
|
bindMounts = {
|
|
# FIXME/REMINDER: this is used so that the container can decrypt the secrets that are deployed to the host
|
|
"/etc/ssh/ssh_host_ed25519_key".isReadOnly = true;
|
|
"/etc/ssh/ssh_host_ed25519_key.pub".isReadOnly = true;
|
|
|
|
"/var/www" = {
|
|
hostPath = "/var/lib/container-volumes/webserver/var-www";
|
|
isReadOnly = false;
|
|
};
|
|
|
|
"/var/lib/mysql" = {
|
|
hostPath = "/var/lib/container-volumes/webserver/var-lib-mysql";
|
|
isReadOnly = false;
|
|
};
|
|
|
|
"/var/lib/hedgedoc" = {
|
|
hostPath = "/var/lib/container-volumes/webserver/var-lib-hedgedoc";
|
|
isReadOnly = false;
|
|
};
|
|
};
|
|
|
|
extraFlags = ["--resolv-conf=bind-host"];
|
|
|
|
privateNetwork = true;
|
|
forwardPorts = [
|
|
{
|
|
# http
|
|
containerPort = 80;
|
|
hostPort = httpPort;
|
|
protocol = "tcp";
|
|
}
|
|
{
|
|
# https
|
|
containerPort = 443;
|
|
hostPort = httpsPort;
|
|
protocol = "tcp";
|
|
}
|
|
];
|
|
|
|
inherit hostAddress localAddress;
|
|
}
|