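# NixOS module: runs an etebase (EteSync) server behind an nginx TLS reverse
# proxy, with the server secret delivered through agenix.
{
  config,
  lib,
  ...
}: let
  cfg = config.vhack.etesync;
in {
  options.vhack.etesync = {
    enable = lib.mkEnableOption ''
      a secure, end-to-end encrypted, and privacy respecting sync for your contacts, calendars, tasks and notes.
    '';

    # Path to the age-encrypted secret; it is decrypted at activation time by
    # agenix (see `age.secrets.etebase-server` below), so the plaintext never
    # has to be part of the configuration.
    secretFile = lib.mkOption {
      type = lib.types.path;
      description = "The age encrypted globale etebase secretfile passed to agenix";
    };
  };

  config = lib.mkIf cfg.enable {
    services.etebase-server = {
      enable = true;
      port = 8001;
      settings = {
        # Point the server at the decrypted agenix path instead of embedding
        # the secret in the settings.
        global.secret_file = "${config.age.secrets.etebase-server.path}";

        # Host names the server is configured to accept; keep this list in
        # sync with the nginx virtual host and its aliases below.
        allowed_hosts = {
          allowed_host1 = "etebase.vhack.eu";
          allowed_host2 = "dav.vhack.eu";
        };
      };
    };

    age.secrets.etebase-server = {
      file = cfg.secretFile;
      # Least privilege: the service only needs to read the secret. The
      # previous mode "700" also granted write and execute on a secret file.
      mode = "0400";
      owner = "etebase-server";
      group = "etebase-server";
    };

    # Persisted state directory, accessible to the service user only.
    vhack.persist.directories = [
      {
        directory = "/var/lib/etebase-server";
        user = "etebase-server";
        group = "etebase-server";
        mode = "0700";
      }
    ];

    services.nginx = {
      enable = true;
      recommendedTlsSettings = true;
      recommendedOptimisation = true;
      recommendedGzipSettings = true;
      recommendedProxySettings = true;

      virtualHosts = {
        "etebase.vhack.eu" = {
          # Obtain certificates via ACME and redirect plain HTTP to HTTPS.
          enableACME = true;
          forceSSL = true;

          locations = {
            # TODO: Maybe fix permissions to use pregenerated static files which would
            # improve performance.
            #"/static" = {
            #  root = config.services.etebase-server.settings.global.static_root;
            #};
            "/" = {
              # TLS terminates at nginx; the hop to the backend is plain HTTP
              # over loopback.
              # NOTE(review): confirm the etebase-server listener on this port
              # is not reachable from outside the host (bind address and
              # firewall), so clients cannot bypass the proxy.
              proxyPass = "http://127.0.0.1:${builtins.toString config.services.etebase-server.port}";
            };
          };
          serverAliases = [
            "dav.vhack.eu"
          ];
        };
      };
    };

    # Pin the uid/gid to the values in the shared vhack constants table.
    users = {
      users.etebase-server.uid = config.vhack.constants.ids.uids.etebase-server;
      groups.etebase-server.gid = config.vhack.constants.ids.gids.etebase-server;
    };
  };
}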