l codimd: set domain and serve via ssl

2021-10-12 15:35:52 +02:00 · 2021-10-12 15:35:52 +02:00 · 55bdc0f653
parent e4793149c0
commit 55bdc0f653
1 changed files with 28 additions and 11 deletions
--- a/lass/2configs/codimd.nix
+++ b/lass/2configs/codimd.nix
@ -1,27 +1,44 @@
 { config, pkgs, lib, ... }:
 with import <stockholm/lib>;
-{
-  services.nginx.virtualHosts.codimd = {
+let
+  domain = "codi.lassul.us";
+in {
+  services.nginx.virtualHosts.${domain} = {
    enableACME = true;
-    addSSL = true;
-    serverName = "codi.lassul.us";
-    locations."/".extraConfig = ''
-      client_max_body_size 4G;
-      proxy_set_header Host $host;
-      proxy_pass http://localhost:3091;
-    '';
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "https://localhost:3091";
+      proxyWebsockets = true;
+    };
+  };
+
+  security.acme.certs.${domain}.group = "hedgecert";
+  users.groups.hedgecert.members = [ "codimd" "nginx" ];
+
+  security.dhparams = {
+    enable = true;
+    params.hedgedoc = {};
  };

  services.hedgedoc = {
    enable = true;
-    configuration.allowOrigin = [ "*" ];
+    configuration.allowOrigin = [ domain ];
    configuration = {
      db = {
        dialect = "sqlite";
        storage = "/var/lib/codimd/db.codimd.sqlite";
-        useCDN = false;
      };
+      useCDN = false;
      port = 3091;
+      domain = domain;
+      allowFreeURL = true;
+
+      useSSL = true;
+      protocolUseSSL = true;
+      sslCAPath = [ "/etc/ssl/certs/ca-certificates.crt" ];
+      sslCertPath = "/var/lib/acme/${domain}/cert.pem";
+      sslKeyPath = "/var/lib/acme/${domain}/key.pem";
+      dhParamPath = config.security.dhparams.params.hedgedoc.path;
    };
  };
 }