feat: add radicle to bekkalokk #141

Merged
adriangl merged 1 commits from radicle into main 2026-05-31 02:05:12 +02:00
2 changed files with 44 additions and 0 deletions
+1
@@ -7,6 +7,7 @@
./services/alps.nix
./services/bluemap.nix
./services/radicle.nix
./services/idp-simplesamlphp
./services/kerberos.nix
./services/mediawiki
+43
@@ -0,0 +1,43 @@
{ config, lib, ... }:
let
domain = "dav.pvv.ntnu.no";
radicalePort = 5232;
in {
services.radicale = {
enable = true;
settings = {
server = {
hosts = [ "127.0.0.1:${toString radicalePort}" ];
};
auth = {
type = "imap";
imap_host = "imap.pvv.ntnu.no";
imap_security = "tls";
};
storage = {
filesystem_folder = "/var/lib/radicale/collections";
};
};
};
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
Review

acme-order-renew-dav.pvv.ntnu.no.service failed because LE failed to resolve the DNS pointer;

During secondary validation: DNS problem: NXDOMAIN looking up A for dav.pvv.ntnu.no - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for dav.pvv.ntnu.no - check that a DNS record exists for this domain

Therefore, we are still using a self-signed cert:

[nix-shell:~]$ sudo openssl x509 -in /var/lib/acme/dav.pvv.ntnu.no/fullchain.pem -text | grep -i issuer
        Issuer: CN=minica root ca 769d0f
kTLS = true;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString radicalePort}";
extraConfig = ''
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
Review
I think we can use https://github.com/NixOS/nixpkgs/blob/83801da137050a7c1b0242976c06a4d5e36f4402/nixos/modules/services/web-servers/nginx/default.nix#L59 instead, and only add the Authorization-header with extraConfig.
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $http_host;
proxy_pass_header Authorization;
'';
};
};
networking.firewall.allowedTCPPorts = [ radicalePort ];
}
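Review bot: The last line of the new file, `networking.firewall.allowedTCPPorts = [ radicalePort ];`, opens 5232 on the host firewall even though Radicale is bound to `127.0.0.1` and is only meant to be reached through the nginx virtual host. With the current `hosts` value the rule exposes nothing, but it would take effect if the bind address were ever widened. The backend would then be reachable directly over plain HTTP, bypassing `forceSSL`, and clients would presumably send the credentials that are checked against IMAP in the clear. I would drop the line. Whether 80/443 are already opened for nginx elsewhere on this host is not visible here, so confirm that those are the only ports this service needs.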