parent
b880388efb
commit
5130e39ab7
|
@ -66,8 +66,9 @@
|
||||||
* [ ] transgui config
|
* [ ] transgui config
|
||||||
* [x] secrets - nix-sops ?
|
* [x] secrets - nix-sops ?
|
||||||
* [x] flexget
|
* [x] flexget
|
||||||
|
* [ ] microbin
|
||||||
* [ ] transmission
|
* [ ] transmission
|
||||||
* [ ] transmission remote gui
|
* [ ] transmission remote gui (requires sops in home-manager)
|
||||||
* [x] domeneshop
|
* [x] domeneshop
|
||||||
* [ ] webdav
|
* [ ] webdav
|
||||||
* [ ] code-remote
|
* [ ] code-remote
|
||||||
|
|
|
@ -53,7 +53,7 @@
|
||||||
#../../profiles/web/services/cryptpad.nix
|
#../../profiles/web/services/cryptpad.nix
|
||||||
#../../profiles/web/services/galene.nix
|
#../../profiles/web/services/galene.nix
|
||||||
#../../profiles/web/services/graphana.nix
|
#../../profiles/web/services/graphana.nix
|
||||||
#../../profiles/web/services/hedgedoc.nix
|
../../profiles/web/services/hedgedoc.nix
|
||||||
#../../profiles/web/services/home-assistant.nix
|
#../../profiles/web/services/home-assistant.nix
|
||||||
#../../profiles/web/services/jitsi-meet.nix
|
#../../profiles/web/services/jitsi-meet.nix
|
||||||
#../../profiles/web/services/kukkee
|
#../../profiles/web/services/kukkee
|
||||||
|
|
|
@ -9,6 +9,7 @@ in
|
||||||
|
|
||||||
sops.secrets.flexget.owner = "flexget";
|
sops.secrets.flexget.owner = "flexget";
|
||||||
sops.secrets.flexget.group = "flexget";
|
sops.secrets.flexget.group = "flexget";
|
||||||
|
sops.secrets.flexget.restartUnits = [ "flexget.service" ];
|
||||||
|
|
||||||
services.flexget = {
|
services.flexget = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
|
@ -3,19 +3,42 @@
|
||||||
# hedgedoc
|
# hedgedoc
|
||||||
# Realtime collaborative markdown notes on all platforms
|
# Realtime collaborative markdown notes on all platforms
|
||||||
|
|
||||||
|
sops.secrets."hedgedoc/htpasswd".owner = config.services.nginx.user;
|
||||||
|
sops.secrets."hedgedoc/env-file".owner = "hedgedoc";
|
||||||
|
sops.secrets."hedgedoc/env-file".restartUnits = [ "hedgedoc.service" ];
|
||||||
|
|
||||||
services.hedgedoc = {
|
services.hedgedoc = {
|
||||||
#enable = true; # FIXME: make it load
|
enable = true; # FIXME: make it load
|
||||||
settings.host = "127.0.0.1";
|
environmentFile = config.sops.secrets."hedgedoc/env-file".path;
|
||||||
|
|
||||||
|
settings.host = "localhost";
|
||||||
settings.port = 44776;
|
settings.port = 44776;
|
||||||
settings.db.dialect = "sqlite";
|
|
||||||
settings.db.storage = "${config.services.hedgedoc.workDir}/db.hedgedoc.sqlite";
|
# reverse proxy
|
||||||
settings.domain = mkDomain "hedgedoc";
|
settings.domain = mkDomain "hedgedoc";
|
||||||
settings.allowAnonymous = true;
|
settings.hsts.enale = true;
|
||||||
|
settings.useSSL = false; # we terminate ssl with nginx
|
||||||
|
settings.protocolUseSSL = true; # https:// prefix
|
||||||
|
settings.urlAddPort = false;
|
||||||
|
|
||||||
|
settings.db.dialect = "sqlite";
|
||||||
|
settings.db.storage = "${config.services.hedgedoc.workDir}/db.sqlite";
|
||||||
|
|
||||||
|
settings.email = false; # email sign-in
|
||||||
|
settings.allowFreeURL = true; # allow note creation by accessing a nonexistent note URL.
|
||||||
|
#settings.allowAnonymous = false; # default is true
|
||||||
settings.allowEmailRegister = false; # default is true
|
settings.allowEmailRegister = false; # default is true
|
||||||
settings.allowAnonymousEdits = false; # default is false
|
settings.allowAnonymousEdits = false; # default is false
|
||||||
settings.protocolUseSSL = true; # https prefix
|
#settings.uploadsPath
|
||||||
settings.useSSL = false; # nginx terminates ssl
|
|
||||||
#settings.csp = {TODO}; # content security policy
|
# content security policy
|
||||||
|
#settings.csp = {
|
||||||
|
# enable = true;
|
||||||
|
# addDefaults = true;
|
||||||
|
# upgradeInsecureRequest = "auto";
|
||||||
|
# #directives.scriptSrc = "trustworthy.scripts.example.com";
|
||||||
|
#};
|
||||||
|
|
||||||
#settings.useCDN = true;
|
#settings.useCDN = true;
|
||||||
#settings.debug = true;
|
#settings.debug = true;
|
||||||
# there are also a metric fuckton of integration services, like github, twitter, minio, mattermost, dropbox etc.
|
# there are also a metric fuckton of integration services, like github, twitter, minio, mattermost, dropbox etc.
|
||||||
|
@ -25,10 +48,24 @@
|
||||||
forceSSL = true; # addSSL = true;
|
forceSSL = true; # addSSL = true;
|
||||||
enableACME = true; #useACMEHost = acmeDomain;
|
enableACME = true; #useACMEHost = acmeDomain;
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}";
|
proxyPass = "http://localhost:${toString config.services.hedgedoc.settings.port}";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
# TODO: proxy headers:
|
# TODO: proxy headers:
|
||||||
# https://docs.hedgedoc.org/guides/reverse-proxy/
|
# https://docs.hedgedoc.org/guides/reverse-proxy/
|
||||||
|
extraConfig = ''
|
||||||
|
auth_basic "Ke 'e e u vill?!?";
|
||||||
|
auth_basic_user_file ${config.sops.secrets."hedgedoc/htpasswd".path};
|
||||||
|
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Real-IP $remote_addr;
|
||||||
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||||
|
proxy_set_header X-Forwarded-Proto $scheme;
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
|
extraConfig= ''
|
||||||
|
add_header X-Frame-Options SAMEORIGIN;
|
||||||
|
add_header X-Content-Type-Options nosniff;
|
||||||
|
add_header Referrer-Policy strict-origin-when-cross-origin;
|
||||||
|
'';
|
||||||
};
|
};
|
||||||
}
|
}
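Review bot: `settings.hsts.enale = true;` in the first hunk misspells the option name, so the HSTS setting this line is meant to turn on is not applied as written; it should read `settings.hsts.enable = true;`. Whether the module rejects the unknown key at evaluation or passes it through to HedgeDoc's config untouched depends on how `settings` is typed, which is not visible on this page, so the mistake may go unnoticed. The server-level `extraConfig` in the second hunk adds `X-Frame-Options`, `X-Content-Type-Options` and `Referrer-Policy` but no `Strict-Transport-Security`, so nothing else in this file covers for the typo. The `# FIXME: make it load` comment on `enable = true;` also looks stale now that the service is enabled, and could be dropped or reworded.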
|
||||||
|
|
|
@ -34,7 +34,7 @@ in
|
||||||
];
|
];
|
||||||
|
|
||||||
# https://github.com/szabodanika/microbin/issues/106
|
# https://github.com/szabodanika/microbin/issues/106
|
||||||
#EnvironmentFile = "/var/lib/secrets/microbin.env"; # TODO: sops
|
#EnvironmentFile = "/run/secrets/microbin-env"; # TODO: sops
|
||||||
#Environment.MICROBIN_AUTH_USERNAME="foo";
|
#Environment.MICROBIN_AUTH_USERNAME="foo";
|
||||||
#Environment.MICROBIN_AUTH_PASSWORD="bar";
|
#Environment.MICROBIN_AUTH_PASSWORD="bar";
|
||||||
|
|
||||||
|
|
|
@ -1,4 +1,7 @@
|
||||||
flexget: ENC[AES256_GCM,data:vh9famQgmQI0nc9/5F8egDCwI9OvevPLATiepEcSpy+eCjJxU0WkG9NPECOCNlteW7xOOZfXAXfn8KW7j4vqHseLKu3MwGO98dYJXeW3KKyKNlVW1UF0dEb6BGLjqBnQDzURE5L8gRR5pFZ8nepWo0UG6Zuy93XrthTZ/tjuz6wvaKv0761ULtfMLQ9HddF14y666h/OkSPftkPvEA35fOdiBgPj9O/mZu11KvyBYKoQLkQxihCvwNMzMXmMSehH9WMOPk4EU3ZGLHHjlfTXa3Syn2yf28PazNao/XMEs8H9FlhPw42r1Tku5tMLM3wObKpin0t50sqbEf/LxUPo6Vu/i6e4E3UkDrEbyKFA4VXGd6vxD+gyELydrkDrHRm50JWGZmbwvW3be+Ezqe7eXuzgoNabe4BG4wogTszOpM2uXrveTiSmoQyC4JZ6lszdnodlGVFIvaKU5xdrpLQAI9W2OA==,iv:AeadtoIAjTrPiB5iPgIW7FTwLZa2BQFr/jhaTvs8WAc=,tag:VW480DHQ315YLPtDuaFYtg==,type:str]
|
flexget: ENC[AES256_GCM,data:vh9famQgmQI0nc9/5F8egDCwI9OvevPLATiepEcSpy+eCjJxU0WkG9NPECOCNlteW7xOOZfXAXfn8KW7j4vqHseLKu3MwGO98dYJXeW3KKyKNlVW1UF0dEb6BGLjqBnQDzURE5L8gRR5pFZ8nepWo0UG6Zuy93XrthTZ/tjuz6wvaKv0761ULtfMLQ9HddF14y666h/OkSPftkPvEA35fOdiBgPj9O/mZu11KvyBYKoQLkQxihCvwNMzMXmMSehH9WMOPk4EU3ZGLHHjlfTXa3Syn2yf28PazNao/XMEs8H9FlhPw42r1Tku5tMLM3wObKpin0t50sqbEf/LxUPo6Vu/i6e4E3UkDrEbyKFA4VXGd6vxD+gyELydrkDrHRm50JWGZmbwvW3be+Ezqe7eXuzgoNabe4BG4wogTszOpM2uXrveTiSmoQyC4JZ6lszdnodlGVFIvaKU5xdrpLQAI9W2OA==,iv:AeadtoIAjTrPiB5iPgIW7FTwLZa2BQFr/jhaTvs8WAc=,tag:VW480DHQ315YLPtDuaFYtg==,type:str]
|
||||||
|
hedgedoc:
|
||||||
|
env-file: ENC[AES256_GCM,data:evTDjmO3oBTBVUPArwlfZiDCsU7QMTFWw+LzpFedROBgGhElY/vhSM6qHXWjfyMopg9eFYgcPsXgxti0ZmpdTkoItNFzo/MpbI8msgclI20AxogfsT/jkMJaEPB7W3X4PyMqm6D/zRVwWGh3Vtqm3Ze1yf4=,iv:0XoqGvS/Y5O0n4zZ7mGBBJU6JZRm5g92McLwRnIXx/U=,tag:uqIwBAEFWVk4pFkZcCiEoQ==,type:str]
|
||||||
|
htpasswd: ENC[AES256_GCM,data:qc1DDiJydPxxjPZQy2Rdh860ylZBrpbk1yj8BRd71yjPWpnxCY1869qZp4HFv4ptdyL4BRoYvJUikpb7RGVc6CbOb7l7I5ov8NA8hEEa3HB6lGjvVV4=,iv:NnXlJZ/LLhMmrAFA/efk6LHjm/1aexWFsAsA4GUgxsI=,tag:jL5ymk5CsZ3TPCfL39CDwQ==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -32,8 +35,8 @@ sops:
|
||||||
SkU1Q0NZOGVXRENrOThBT1lDdGxWWW8KtypJmkOVD0Ej14fXZzKzKrnPNv7O5SAp
|
SkU1Q0NZOGVXRENrOThBT1lDdGxWWW8KtypJmkOVD0Ej14fXZzKzKrnPNv7O5SAp
|
||||||
jdQe7GSwCJKqqHuX2T/E4mzCVrSPsB/GVfqh0IymZg6NJZjYO79Wbg==
|
jdQe7GSwCJKqqHuX2T/E4mzCVrSPsB/GVfqh0IymZg6NJZjYO79Wbg==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-10-14T23:43:49Z"
|
lastmodified: "2023-10-15T20:59:15Z"
|
||||||
mac: ENC[AES256_GCM,data:krcWdjXtd8ammOUQvqaIxE5U3UylnUMHuAqTdM82QsmQ2d+kvsjbY4ftvbNdJ1wwNQmq2PzhmtH7iunTSC9pTlmZkUxyXM43cM/EC0KqzZJA2ST6h86vZwkZ0gExWJLgk+uxoYDPT2M3c3sn6hZot8BHlUCiO1wQABHH57+FPvY=,iv:mV+q86wp9lV8ACZaL9LnUCAOcCjdvqQjVr2Fs+q6rv0=,tag:lvJoIrjExFitcAUKvsuF/Q==,type:str]
|
mac: ENC[AES256_GCM,data:2AFjhWJ7JriF9Mmj1cbHlVCOdyrLvWcEyspH79xWB7CauvI8sWafZd9yO4nq5ZxwOFIZxulbWADNc8oW7y5EhLDZapTwbxEl9GDhOm8O2z4HUrbXtXoQVRcjJFCE+17TLXBwsbLu15ji0xMLgfmVBoUgHntIFcSPID3L8FYSdLU=,iv:bWSLlTsdlIAE5Rujq22cLc8xWGrU8jkNtd2NahdOzl8=,tag:nxgUbd/A4gxPeBpCmSfzzw==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.7.3
|
version: 3.7.3
|
||||||
|
|