jalr/nixos-configuration
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nixos-configuration/hosts/weinturm-pretix-prod/services/pretix.nix
Jakob Lechner 8e8041e423 Refactoring
2025-04-16 22:54:28 +02:00

110 lines
2.8 KiB
Nix
Raw Blame History

args@{ config, lib, pkgs, custom-utils, ... }:
let
cfg = config.services.pretix;
ports = import ../ports.nix args;
domain = "tickets.weinturm-open-air.de";
extraDomains = [
"tickets.weinturm.jalr.de"
"tickets.wasted-openair.de"
"oel.wasted-openair.de"
"tickets.buendnis-gegen-rechts-nea.de"
];
gunicornWorkers = 4;
secretsFile = ../secrets.yaml;
in
{
sops.secrets = {
pretix-cfg = {
sopsFile = secretsFile;
};
pretix-banktool-cfg = {
sopsFile = secretsFile;
};
};
# Add user to `redis-pretix` group
# to grant access to /run/redis-pretix/redis.sock
users.users.pretix.extraGroups = [ "redis-pretix" ];
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = lib.mkForce "helfer@weinturm-open-air.de";
};
jalr.mailserver = {
enable = true;
fqdn = "tickets.weinturm-open-air.de";
relayPort = ports.postfix-relay.tcp;
domains = [
{
domain = "tickets.weinturm-open-air.de";
enableDKIM = false;
}
];
messageSizeLimit = 10 * 1024 * 1024;
users = [ ];
spam.enable = false;
};
services = {
pretix = {
enable = true;
settings = {
pretix = {
instance_name = "Digitaler Dienst GmbH";
url = "https://${domain}";
registration = false;
password_reset = true;
};
locale = {
default = "de";
timezone = "Europe/Berlin";
};
mail = {
from = "no-reply@tickets.weinturm-open-air.de";
};
redis.location = "unix:///run/redis-pretix/redis.sock?db=0";
celery.backend = "redis+socket:///run/redis-pretix/redis.sock?virtual_host=2";
celery.broker = "redis+socket:///run/redis-pretix/redis.sock?virtual_host=1";
};
nginx = {
enable = true;
inherit domain;
};
gunicorn = {
extraArgs = [
"--workers=${toString gunicornWorkers}"
];
};
};
pretix-banktool = {
enable = true;
days = 14;
secretsFile = config.sops.secrets.pretix-banktool-cfg.path;
};
nginx = lib.mkIf cfg.nginx.enable {
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"${cfg.nginx.domain}" = {
enableACME = true;
forceSSL = true;
kTLS = true;
extraConfig = ''
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
more_set_headers Referrer-Policy same-origin;
more_set_headers X-Content-Type-Options nosniff;
'';
serverAliases = extraDomains;
};
};
};
};
}
Reference in a new issue View git blame Copy permalink