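# Grist behind an nginx TLS reverse proxy, with sign-in delegated to an
# external OIDC provider. The container runs under podman via oci-containers.
{ config, lib, pkgs, ... }:
let
  # Public hostname served by nginx and used as Grist's home URL.
  dn = "table.tfcconnection.org";
  # OIDC provider base (no scheme). The trailing slash is kept so the issuer
  # string handed to Grist is unchanged.
  auth_dn = "staff.tfcconnection.org/index.php/apps/oidc/";
in
with lib; {
  services.nginx.virtualHosts.${dn} = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:8484";
      proxyWebsockets = true;
    };
  };

  virtualisation = {
    podman = {
      enable = true;
    };
    oci-containers = {
      # backend = "podman";
      containers = {
        grist = {
          # NOTE(review): ":latest" is a moving tag, so a rebuild or restart can
          # pull different code than was reviewed. Pin a release tag or an image
          # digest; left unchanged because no version is recorded in this file.
          image = "docker.io/gristlabs/grist:latest";

          # nginx above proxies to 127.0.0.1:8484 but no port was published, so
          # the proxy had nothing to reach. Publish on loopback only, so the
          # app is reachable solely through the TLS-terminating proxy.
          # Assumes the image listens on its default port 8484 — confirm.
          ports = [ "127.0.0.1:8484:8484" ];

          # Secrets are read from a file at container start instead of being
          # set in `environment`: values in `environment` end up in the
          # world-readable Nix store and in version control.
          # PLACEHOLDER path: point this at a root-only file (e.g. produced by
          # sops-nix or agenix) that contains the line
          #   GRIST_OIDC_IDP_CLIENT_SECRET=<client secret>
          # The secret that was previously inlined here should be treated as
          # exposed and rotated at the OIDC provider.
          environmentFiles = [ "/run/secrets/grist-oidc.env" ];

          environment = {
            # The URL of given OIDC provider. Used for redirects, among other things.
            GRIST_OIDC_IDP_ISSUER = "https://${auth_dn}";
            # Client ID, as configured with the OIDC provider (not a secret).
            GRIST_OIDC_IDP_CLIENT_ID = "LtgrHHZmKucQAZtYNZGrirxdEru5pWByaJQcEfiufcitd0kfi2qVjuU6gPZE4haz";
            # The URL to redirect to with the OIDC provider to log out.
            # Some OIDC providers will automatically configure this.
            # auth_dn already ends in "/", so no extra slash is inserted
            # (the previous value contained "oidc//logout").
            GRIST_OIDC_IDP_END_SESSION_ENDPOINT = "https://${auth_dn}logout";

            # NODE_TLS_REJECT_UNAUTHORIZED is intentionally not set. Setting it
            # to 0 turns off certificate verification for every outbound TLS
            # connection Grist makes, including the token exchange with the
            # OIDC provider, and this host is served on the public internet.
            # (The previous value was also an integer, while container
            # environment values are expected to be strings.)
            # If the provider uses a private CA, mount the CA bundle and set
            # NODE_EXTRA_CA_CERTS to its path instead.

            # Forces Grist to only use a single team called 'Example'
            # GRIST_SINGLE_ORG: my-grist-team
            # alternatively, GRIST_ORG_IN_PATH: "true" for multi-team operation

            # Force users to login (disable anonymous access)
            # GRIST_FORCE_LOGIN: true

            # Base URL Grist redirects to when navigating. Change this to your domain.
            APP_HOME_URL = "https://${dn}";
            # Default email for the "Admin" account
            GRIST_DEFAULT_EMAIL = "chris@tfcconnection.org";
            TZ = "America/Chicago";
          };
          restart = "always";
          autoStart = true;
          # NOTE(review): "storge" may be a typo for "storage" — confirm the
          # host path exists before deploying.
          volumes = [ "/storge/grist:/persist" ];
        };
      };
    };
  };
}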