mirror of
https://github.com/Swarsel/.dotfiles.git
synced 2025-12-06 00:57:22 +01:00
100 lines
2.8 KiB
Nix
100 lines
2.8 KiB
Nix
{ self, lib, config, ... }:
|
|
let
|
|
cfg = config.services.firefly-iii;
|
|
fireflyDomain = "stonks.swarsel.win";
|
|
fireflyUser = "firefly-iii";
|
|
serviceName = "firefly";
|
|
in
|
|
{
|
|
options.swarselsystems.modules.server.firefly = lib.mkEnableOption "enable firefly-iii on server";
|
|
config = lib.mkIf config.swarselsystems.modules.server.firefly {
|
|
|
|
users.users.firefly-iii = {
|
|
group = "nginx";
|
|
isSystemUser = true;
|
|
};
|
|
|
|
sops = {
|
|
secrets = {
|
|
"firefly-iii-app-key" = { owner = fireflyUser; group = "nginx"; mode = "0440"; };
|
|
};
|
|
};
|
|
|
|
topology.self.services.firefly-iii = {
|
|
name = "Firefly-III";
|
|
info = "https://${fireflyDomain}";
|
|
icon = "${self}/topology/images/firefly-iii.png";
|
|
};
|
|
|
|
services = {
|
|
firefly-iii = {
|
|
enable = true;
|
|
user = fireflyUser;
|
|
group = if cfg.enableNginx then "nginx" else fireflyUser;
|
|
dataDir = "/Vault/data/firefly-iii";
|
|
settings = {
|
|
TZ = config.repo.secrets.common.location.timezone;
|
|
APP_URL = "https://${fireflyDomain}";
|
|
APP_KEY_FILE = config.sops.secrets.firefly-iii-app-key.path;
|
|
APP_ENV = "local";
|
|
DB_CONNECTION = "sqlite";
|
|
TRUSTED_PROXIES = "**";
|
|
# turning these on breaks api access using the waterfly app
|
|
# AUTHENTICATION_GUARD = "remote_user_guard";
|
|
# AUTHENTICATION_GUARD_HEADER = "X-User";
|
|
# AUTHENTICATION_GUARD_EMAIL = "X-Email";
|
|
};
|
|
enableNginx = true;
|
|
virtualHost = fireflyDomain;
|
|
};
|
|
|
|
nginx = {
|
|
virtualHosts = {
|
|
"${fireflyDomain}" = {
|
|
locations = {
|
|
"/api" = {
|
|
setOauth2Headers = false;
|
|
extraConfig = ''
|
|
index index.php;
|
|
try_files $uri $uri/ /index.php?$query_string;
|
|
add_header Access-Control-Allow-Methods 'GET, POST, HEAD, OPTIONS';
|
|
'';
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
nodes.moonside.services.nginx = {
|
|
upstreams = {
|
|
"${serviceName}" = {
|
|
servers = {
|
|
"192.168.1.2:80" = { };
|
|
};
|
|
};
|
|
};
|
|
virtualHosts = {
|
|
"${fireflyDomain}" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
acmeRoot = null;
|
|
oauth2.enable = true;
|
|
oauth2.allowedGroups = [ "firefly_access" ];
|
|
# main config is automatically added by nixos firefly config.
|
|
# hence, only provide certificate
|
|
locations = {
|
|
"/" = {
|
|
proxyPass = "http://${serviceName}";
|
|
};
|
|
"/api" = {
|
|
proxyPass = "http://${serviceName}";
|
|
setOauth2Headers = false;
|
|
bypassAuth = true;
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
};
|
|
}
|