From bdefd4523a7ac25f766d68c7fce40b9561dddeb3 Mon Sep 17 00:00:00 2001
From: Jordan Holt
Date: Mon, 24 Feb 2025 15:16:16 +0000
Subject: [PATCH] vps1: add outline service
---
 flake.lock | 8 ++++----
 hosts/vps1/default.nix | 45 +++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 48 insertions(+), 5 deletions(-)
diff --git a/flake.lock b/flake.lock
index 0b6a1f0..3567b90 100644
--- a/flake.lock
+++ b/flake.lock
@@ -688,11 +688,11 @@
 "secrets": {
 "flake": false,
 "locked": {
- "lastModified": 1730732927,
- "narHash": "sha256-t3MTEgi6O7DMxMjdi3xcTAztLDQmEtqQ+oU+ZbWz2AI=",
+ "lastModified": 1740407512,
+ "narHash": "sha256-Hy+8DoWLZUFfls5XwaMGPDOck2dDKyIrEgo9T+AkjjU=",
 "ref": "refs/heads/master",
- "rev": "4ae2ac777c38f60a29384b70c456f41847cdf1b5",
- "revCount": 28,
+ "rev": "4e69a52227a61bf4bfbfd9b781bef4bf1fa0bd2b",
+ "revCount": 29,
 "type": "git",
 "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
 },
diff --git a/hosts/vps1/default.nix b/hosts/vps1/default.nix
index 830aad4..fee3d25 100644
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@@ -2,6 +2,7 @@
 config,
 pkgs,
 lib,
+ self,
 ...
 }:
@@ -11,7 +12,10 @@
 ../server.nix
 ];
- nixpkgs.hostPlatform = "x86_64-linux";
+ nixpkgs = {
+ hostPlatform = "x86_64-linux";
+ config.allowUnfree = true;
+ };
 networking = {
 hostId = "08bf6db3";
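Review bot: `config.allowUnfree = true;` in the new `nixpkgs` block (the `@@ -11,7 +12,10 @@` hunk of hosts/vps1/default.nix) lifts the unfree-licence gate for every package evaluated on this host, not only the one this commit presumably needs it for (Outline, which nixpkgs marks unfree). A scoped allow-list keeps any later unfree addition visible in review: `config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "outline" ];`, where `lib` is already a module argument in the hunk above. Whether ../server.nix or another import already sets an unfree policy is not visible here and should be checked for conflict.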
@@ -86,6 +90,45 @@
 proxyPass = "https://127.0.0.1:3013";
 };
 };
+ "outline.vimium.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ extraConfig = ''
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_redirect off;
+ '';
+ };
+ };
+ };
+
+ age.secrets."passwords/services/outline/oidc-client-secret" = {
+ file = "${self.inputs.secrets}/passwords/services/outline/oidc-client-secret.age";
+ owner = "outline";
+ group = "outline";
+ };
+
+ services.outline = {
+ enable = true;
+ forceHttps = false;
+ oidcAuthentication = {
+ clientId = "outline";
+ clientSecretFile = config.age.secrets."passwords/services/outline/oidc-client-secret".path;
+ displayName = "Vimium";
+ authUrl = "https://auth.vimium.com/ui/oauth2";
+ tokenUrl = "https://auth.vimium.com/oauth2/token";
+ userinfoUrl = "https://auth.vimium.com/oauth2/openid/outline/userinfo";
+ };
+ publicUrl = "https://outline.vimium.com";
+ storage.storageType = "local";
 };
 modules = rec {
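Review bot: `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` in the `outline.vimium.com` location appends to whatever X-Forwarded-For header the client sent, so if Outline takes the leftmost entry as the client address, its request logs and any per-IP rate limiting can be fed a caller-chosen value. If this nginx is the first hop, overwrite the header instead: `proxy_set_header X-Forwarded-For $remote_addr;`. With `forceHttps = false` the service answers plain HTTP on port 3000, and the hunk does not show which address it binds to, so confirm the host firewall does not allow 3000 from outside. The hand-written Upgrade/Connection lines send `Connection: Upgrade` on every request and set no `proxy_http_version 1.1;`; `proxyWebsockets = true;` on the location is the NixOS option that covers both. The virtualHosts attrset this entry joins opens outside the hunk.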