{ config, lib, pkgs, ... }: let dn = "table.tfcconnection.org"; auth_dn = "auth.tfcconnection.org/realms/master"; in with lib; { services.nginx.virtualHosts.${dn} = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:8484"; proxyWebsockets = true; }; }; virtualisation = { podman = { enable = true; }; oci-containers = { # backend = "podman"; containers = { grist = { image = "docker.io/gristlabs/grist:latest"; environment = { # The URL of given OIDC provider. Used for redirects, among other things. DEBUG = "1"; GRIST_OIDC_IDP_ISSUER = "https://${auth_dn}/"; GRIST_OIDC_IDP_SCOPES = "openid profile email"; # Client ID, as configured with the OIDC provider. GRIST_OIDC_IDP_CLIENT_ID = "grist"; # Client secret, as provided by the OIDC provider. GRIST_OIDC_IDP_CLIENT_SECRET = "jDT6shCxvZ7YLQXBAs27bcl64MvIGcw9"; # The URL to redirect to with the OIDC provider to log out. # Some OIDC providers will automatically configure this. # GRIST_OIDC_IDP_END_SESSION_ENDPOINT = "https://${auth_dn}/logout"; # Allow self-signed certificates so this example behaves correctly. # REMOVE THIS IF HOSTING ON THE INTERNET. # NODE_TLS_REJECT_UNAUTHORIZED = "0"; # Forces Grist to only use a single team called 'Example' # GRIST_SINGLE_ORG: my-grist-team # alternatively, GRIST_ORG_IN_PATH: "true" for multi-team operation # Force users to login (disable anonymous access) GRIST_FORCE_LOGIN: true # Base URL Grist redirects to when navigating. Change this to your domain. GRIST_OIDC_SP_HOST = "https://${dn}"; APP_HOME_URL = "https://${dn}"; # Default email for the "Admin" account GRIST_DEFAULT_EMAIL = "chris@tfcconnection.org"; TZ = "America/Chicago"; }; ports = [ "8484:8484" ]; # restart = "always"; autoStart = true; volumes = [ "/storage/grist:/persist" ]; }; }; }; }; }