Pretalx
Open source tooling for events and conferences
This project is funded by NLnet through these subgrants:
Options
services.ngi-pretalx
- services.ngi-pretalx.celery.backendFile
-
Path to a file that contains the location (connection URI) of Celery backend. If you use a standard Redis-based setup, the file should contain
redis://127.0.0.1/1or similar. Check the documentation https://docs.celeryq.dev/en/stable/getting-started/backends-and-brokers/redis.html. Consider using a secret managing scheme such asagenixorsops-nixto generate this file.- Type:
null or absolute path- Default:
null
- services.ngi-pretalx.celery.brokerFile
-
Path to a file that contains the location (connection URI) of Celery broker. If you use a standard Redis-based setup, the file should contain
redis://127.0.0.1/2or similar. Check the documentation https://docs.celeryq.dev/en/stable/getting-started/backends-and-brokers/redis.html. Consider using a secret managing scheme such asagenixorsops-nixto generate this file.- Type:
null or absolute path- Default:
null
- services.ngi-pretalx.celery.enable
-
Whether to enable Enable support for Celery..
- Type:
boolean- Default:
false
- services.ngi-pretalx.celery.extraArgs
-
Extra arguments to pass to celery. See https://docs.celeryq.dev/en/stable/reference/cli.html#celery-worker for more info.
- Type:
list of string- Default:
[ ]
- services.ngi-pretalx.database.backend
-
The default is SQLite ("sqlite3"), which is not a production database. Please use a database like PostgreSQL ("postgresql") or MySQL ("mysql").
- Type:
one of "postgresql", "mysql", "sqlite3"- Default:
"sqlite3"
- services.ngi-pretalx.database.host
-
Database host, or path to a socket (if you use PostgreSQL or MySQL). For local PostgreSQL authentication, you can leave this variable empty.
- Type:
null or string- Default:
null
- services.ngi-pretalx.database.name
-
Database name. If you use SQLite, this is the filesystem path to the database file.
- Type:
string- Default:
"pretalx"
- services.ngi-pretalx.database.passwordFile
-
Path to a file containing the database password. If you use PostgreSQL, consider using its peer authentication and not setting a password. Consider using a secret managing scheme such as
agenixorsops-nixto generate this file.- Type:
null or absolute path- Default:
null
- services.ngi-pretalx.database.port
-
Database port (e.g.
5432for PostgreSQL or3306for MySQL).- Type:
null or signed integer- Default:
null
- services.ngi-pretalx.database.user
-
Database user that pretalx should connect as.
- Type:
null or string- Default:
null
- services.ngi-pretalx.enable
-
Whether to enable Enable pretalx server..
- Type:
boolean- Default:
false
- services.ngi-pretalx.extraConfig
-
Extra configuration to be appended to the generated pretalx configuration file. See https://docs.pretalx.org/administrator/configure.html for all options.
- Type:
attribute set- Default:
{ }
- services.ngi-pretalx.filesystem.data
-
Path that is the base for all other directories (see options
media,static,logs). Unless you have a compelling reason to keep other files apart, setting this option is the easiest way to configure file storage.- Type:
absolute path- Default:
"/var/lib/pretalx/data"
- services.ngi-pretalx.filesystem.logs
-
Directory that contains logged data. It needs to be writable by the pretalx process.
- Type:
string- Default:
"/var/lib/pretalx/data/logs"
- services.ngi-pretalx.filesystem.media
-
Directory that contains user generated files. It needs to be writable by the pretalx process.
- Type:
string- Default:
"/var/lib/pretalx/data/media"
- services.ngi-pretalx.filesystem.static
-
Directory that contains static files. It needs to be writable by the pretalx process. pretalx will put files there.
- Type:
string- Default:
"${config.services.ngi-pretalx.package.static}"
- services.ngi-pretalx.group
-
Group that contains the system user that executes pretalx.
- Type:
string- Default:
"pretalx"
- services.ngi-pretalx.gunicorn.extraArgs
-
Command line arguments passed to Gunicorn server.
- Type:
string- Default:
"--workers=4 --max-requests=1200 --max-requests-jitter=50 --log-level=error"
- services.ngi-pretalx.init.admin.email
-
E-mail address of the administrator.
- Type:
string
- services.ngi-pretalx.init.admin.passwordFile
-
Path to a file containing the administrator password. Consider using a secret managing scheme such as
agenixorsops-nixto generate this file.- Type:
absolute path
- services.ngi-pretalx.init.organiser.name
-
Name of the conference organiser.
- Type:
string
- services.ngi-pretalx.init.organiser.slug
-
Slug of the conference organiser (to be used in URLs).
- Type:
string
- services.ngi-pretalx.locale.language_code
-
Default locale.
- Type:
string- Default:
"en"
- services.ngi-pretalx.locale.time_zone
-
Default time zone as a
pytzname.You can use following code to generate the full list of timezone names:
import pytz print(pytz.all_timezones)- Type:
string- Default:
"UTC"
- services.ngi-pretalx.logging.email
-
E-mail address (or comma-separated list of addresses) to send system logs to.
- Type:
string
- services.ngi-pretalx.logging.email_level
-
Log level to start sending emails at.
- Type:
one of "DEBUG", "INFO", "WARNING", "ERROR", "CRITICAL"- Default:
"ERROR"
- services.ngi-pretalx.logging.enable
-
Whether to enable Enable support for logging..
- Type:
boolean- Default:
false
- services.ngi-pretalx.mail.enable
-
Enable sending e-mails from pretalx.
- Type:
boolean- Default:
true
- services.ngi-pretalx.mail.from
-
Fall-back sender address, e.g. for when pretalx sends event-independent e-mails.
- Type:
string- Default:
"admin@localhost"
- services.ngi-pretalx.mail.host
-
Hostname of the SMTP server for sending e-mails.
- Type:
string- Default:
"localhost"
- services.ngi-pretalx.mail.passwordFile
-
Path to a file containing the password for SMTP server authentication. Consider using a secret managing scheme such as
agenixorsops-nixto generate this file.- Type:
absolute path
- services.ngi-pretalx.mail.port
-
TCP port of the SMTP server for sending e-mails.
- Type:
signed integer- Default:
25
- services.ngi-pretalx.mail.ssl
-
Whether to use SSL for sending mail.
- Type:
boolean- Default:
true
- services.ngi-pretalx.mail.tls
-
Whether to use TLS for sending mail.
- Type:
boolean- Default:
false
- services.ngi-pretalx.mail.user
-
Username for SMTP server authentication.
- Type:
string
- services.ngi-pretalx.nginx
-
nginx virtualHost settings.
- Type:
submodule- Default:
{ }
- services.ngi-pretalx.nginx.acmeFallbackHost
-
Host which to proxy requests to if ACME challenge is not found. Useful if you want multiple hosts to be able to verify the same domain name.
With this option, you could request certificates for the present domain with an ACME client that is running on another host, which you would specify here.
- Type:
null or string- Default:
null
- services.ngi-pretalx.nginx.acmeRoot
-
Directory for the ACME challenge, which is public. Don't put certs or keys in here. Set to null to inherit from config.security.acme.
- Type:
null or string- Default:
"/var/lib/acme/acme-challenge"
- services.ngi-pretalx.nginx.addSSL
-
Whether to enable HTTPS in addition to plain HTTP. This will set defaults for
listento listen on all interfaces on the respective default ports (80, 443).- Type:
boolean- Default:
false
- services.ngi-pretalx.nginx.basicAuth
-
Basic Auth protection for a vhost.
WARNING: This is implemented to store the password in plain text in the Nix store.
- Type:
attribute set of string- Default:
{ }
- services.ngi-pretalx.nginx.basicAuthFile
-
Basic Auth password file for a vhost. Can be created by running {command}
nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.- Type:
null or absolute path- Default:
null
- services.ngi-pretalx.nginx.default
-
Makes this vhost the default.
- Type:
boolean- Default:
false
- services.ngi-pretalx.nginx.enableACME
-
Whether to ask Let's Encrypt to sign a certificate for this vhost. Alternately, you can use an existing certificate through {option}
useACMEHost.- Type:
boolean- Default:
false
- services.ngi-pretalx.nginx.extraConfig
-
These lines go to the end of the vhost verbatim.
- Type:
strings concatenated with "\n"- Default:
""
- services.ngi-pretalx.nginx.forceSSL
-
Whether to add a separate nginx server block that redirects (defaults to 301, configurable with
redirectCode) all plain HTTP traffic to HTTPS. This will set defaults forlistento listen on all interfaces on the respective default ports (80, 443), where the non-SSL listens are used for the redirect vhosts.- Type:
boolean- Default:
false
- services.ngi-pretalx.nginx.globalRedirect
-
If set, all requests for this host are redirected (defaults to 301, configurable with
redirectCode) to the given hostname.- Type:
null or string- Default:
null
- services.ngi-pretalx.nginx.http2
-
Whether to enable the HTTP/2 protocol. Note that (as of writing) due to nginx's implementation, to disable HTTP/2 you have to disable it on all vhosts that use a given IP address / port. If there is one server block configured to enable http2, then it is enabled for all server blocks on this IP. See https://stackoverflow.com/a/39466948/263061.
- Type:
boolean- Default:
true
- services.ngi-pretalx.nginx.http3
-
Whether to enable the HTTP/3 protocol. This requires using
pkgs.nginxQuicpackage which can be achieved by settingservices.nginx.package = pkgs.nginxQuic;and activate the QUIC transport protocolservices.nginx.virtualHosts.<name>.quic = true;. Note that HTTP/3 support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/ HTTP/3 availability must be manually advertised, preferably in each location block.- Type:
boolean- Default:
true
- services.ngi-pretalx.nginx.http3_hq
-
Whether to enable the HTTP/0.9 protocol negotiation used in QUIC interoperability tests. This requires using
pkgs.nginxQuicpackage which can be achieved by settingservices.nginx.package = pkgs.nginxQuic;and activate the QUIC transport protocolservices.nginx.virtualHosts.<name>.quic = true;. Note that special application protocol support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/- Type:
boolean- Default:
false
- services.ngi-pretalx.nginx.kTLS
-
Whether to enable kTLS support. Implementing TLS in the kernel (kTLS) improves performance by significantly reducing the need for copying operations between user space and the kernel. Required Nginx version 1.21.4 or later.
- Type:
boolean- Default:
false
- services.ngi-pretalx.nginx.listen
-
Listen addresses and ports for this virtual host. IPv6 addresses must be enclosed in square brackets. Note: this option overrides
addSSLandonlySSL.If you only want to set the addresses manually and not the ports, take a look at
listenAddresses.- Type:
list of (submodule)- Default:
[ ]
- services.ngi-pretalx.nginx.listen.*.addr
-
Listen address.
- Type:
string
- services.ngi-pretalx.nginx.listen.*.extraParameters
-
Extra parameters of this listen directive.
- Type:
list of string- Default:
[ ]
- services.ngi-pretalx.nginx.listen.*.port
-
Port number to listen on. If unset and the listen address is not a socket then nginx defaults to 80.
- Type:
null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)- Default:
null
- services.ngi-pretalx.nginx.listen.*.proxyProtocol
-
Enable PROXY protocol.
- Type:
boolean- Default:
false
- services.ngi-pretalx.nginx.listen.*.ssl
-
Enable SSL.
- Type:
boolean- Default:
false
- services.ngi-pretalx.nginx.listenAddresses
-
Listen addresses for this virtual host. Compared to
listenthis only sets the addresses and the ports are chosen automatically.Note: This option overrides
enableIPv6- Type:
list of string- Default:
[ ]
- services.ngi-pretalx.nginx.locations
-
Declarative location config
- Type:
attribute set of (submodule)- Default:
{ }
-
services.ngi-pretalx.nginx.locations.
.alias -
Alias directory for requests.
- Type:
null or absolute path- Default:
null
-
services.ngi-pretalx.nginx.locations.
.basicAuth -
Basic Auth protection for a vhost.
WARNING: This is implemented to store the password in plain text in the Nix store.
- Type:
attribute set of string- Default:
{ }
-
services.ngi-pretalx.nginx.locations.
.basicAuthFile -
Basic Auth password file for a vhost. Can be created by running {command}
nix-shell --packages apacheHttpd --run 'htpasswd -B -c FILENAME USERNAME'.- Type:
null or absolute path- Default:
null
-
services.ngi-pretalx.nginx.locations.
.extraConfig -
These lines go to the end of the location verbatim.
- Type:
strings concatenated with "\n"- Default:
""
-
services.ngi-pretalx.nginx.locations.
.fastcgiParams -
FastCGI parameters to override. Unlike in the Nginx configuration file, overriding only some default parameters won't unset the default values for other parameters.
- Type:
attribute set of (string or absolute path)- Default:
{ }
-
services.ngi-pretalx.nginx.locations.
.index -
Adds index directive.
- Type:
null or string- Default:
null
-
services.ngi-pretalx.nginx.locations.
.priority -
Order of this location block in relation to the others in the vhost. The semantics are the same as with
lib.mkOrder. Smaller values have a greater priority.- Type:
signed integer- Default:
1000
-
services.ngi-pretalx.nginx.locations.
.proxyPass -
Adds proxy_pass directive and sets recommended proxy headers if recommendedProxySettings is enabled.
- Type:
null or string- Default:
null
-
services.ngi-pretalx.nginx.locations.
.proxyWebsockets -
Whether to support proxying websocket connections with HTTP/1.1.
- Type:
boolean- Default:
false
-
services.ngi-pretalx.nginx.locations.
.recommendedProxySettings -
Enable recommended proxy settings.
- Type:
boolean- Default:
config.services.nginx.recommendedProxySettings
-
services.ngi-pretalx.nginx.locations.
.recommendedUwsgiSettings -
Enable recommended uwsgi settings.
- Type:
boolean- Default:
config.services.nginx.recommendedUwsgiSettings
-
services.ngi-pretalx.nginx.locations.
.return -
Adds a return directive, for e.g. redirections.
- Type:
null or string or signed integer- Default:
null
-
services.ngi-pretalx.nginx.locations.
.root -
Root directory for requests.
- Type:
null or absolute path- Default:
null
-
services.ngi-pretalx.nginx.locations.
.tryFiles -
Adds try_files directive.
- Type:
null or string- Default:
null
-
services.ngi-pretalx.nginx.locations.
.uwsgiPass -
Adds uwsgi_pass directive and sets recommended proxy headers if recommendedUwsgiSettings is enabled.
- Type:
null or string- Default:
null
- services.ngi-pretalx.nginx.onlySSL
-
Whether to enable HTTPS and reject plain HTTP connections. This will set defaults for
listento listen on all interfaces on port 443.- Type:
boolean- Default:
false
- services.ngi-pretalx.nginx.quic
-
Whether to enable the QUIC transport protocol. This requires using
pkgs.nginxQuicpackage which can be achieved by settingservices.nginx.package = pkgs.nginxQuic;. Note that QUIC support is experimental and not yet recommended for production. Read more at https://quic.nginx.org/- Type:
boolean- Default:
false
- services.ngi-pretalx.nginx.redirectCode
-
HTTP status used by
globalRedirectandforceSSL. Possible usecases include temporary (302, 307) redirects, keeping the request method and body (307, 308), or explicitly resetting the method to GET (303). See https://developer.mozilla.org/en-US/docs/Web/HTTP/Redirections.- Type:
integer between 300 and 399 (both inclusive)- Default:
301
- services.ngi-pretalx.nginx.rejectSSL
-
Whether to listen for and reject all HTTPS connections to this vhost. Useful in default server blocks to avoid serving the certificate for another vhost. Uses the
ssl_reject_handshakedirective available in nginx versions 1.19.4 and above.- Type:
boolean- Default:
false
- services.ngi-pretalx.nginx.reuseport
-
Create an individual listening socket . It is required to specify only once on one of the hosts.
- Type:
boolean- Default:
false
- services.ngi-pretalx.nginx.root
-
The path of the web root directory.
- Type:
null or absolute path- Default:
null
- services.ngi-pretalx.nginx.serverAliases
-
Additional names of virtual hosts served by this virtual host configuration.
- Type:
list of string- Default:
[ ]
- services.ngi-pretalx.nginx.serverName
-
Name of this virtual host. Defaults to attribute name in virtualHosts.
- Type:
null or string- Default:
null
- services.ngi-pretalx.nginx.sslCertificate
-
Path to server SSL certificate.
- Type:
absolute path
- services.ngi-pretalx.nginx.sslCertificateKey
-
Path to server SSL certificate key.
- Type:
absolute path
- services.ngi-pretalx.nginx.sslTrustedCertificate
-
Path to root SSL certificate for stapling and client certificates.
- Type:
null or absolute path- Default:
null
- services.ngi-pretalx.nginx.useACMEHost
-
A host of an existing Let's Encrypt certificate to use. This is useful if you have many subdomains and want to avoid hitting the rate limit. Alternately, you can generate a certificate through {option}
enableACME. Note that this option does not create any certificates, nor it does add subdomains to existing ones – you will need to create them manually using .- Type:
null or string- Default:
null
- services.ngi-pretalx.package
-
The pretalxFull package to use.
- Type:
package- Default:
pkgs.pretalxFull
- services.ngi-pretalx.redis.enable
-
Whether to enable Enable support for Redis..
- Type:
boolean- Default:
false
- services.ngi-pretalx.redis.locationFile
-
Path to a file that contains the location (connection URI) of Redis server, if you want to use it as a cache. Contents of the file:
redis://[:password]@127.0.0.1:6379/1would be sensible, orunix://[:password]@/path/to/socket.sock?db=0if you prefer to use sockets. Consider using a secret managing scheme such asagenixorsops-nixto generate this file.- Type:
absolute path
- services.ngi-pretalx.redis.session
-
Whether to use Redis as session storage.
- Type:
boolean- Default:
false
- services.ngi-pretalx.site.csp
-
Use this setting to update the CSP security headers. See https://docs.pretalx.org/administrator/configure.html#csp-csp-script-csp-style-csp-img-csp-form.
- Type:
null or string- Default:
null
- services.ngi-pretalx.site.csp_form
-
Use this setting to update the CSP security headers. See https://docs.pretalx.org/administrator/configure.html#csp-csp-script-csp-style-csp-img-csp-form.
- Type:
null or string- Default:
null
- services.ngi-pretalx.site.csp_img
-
Use this setting to update the CSP security headers. See https://docs.pretalx.org/administrator/configure.html#csp-csp-script-csp-style-csp-img-csp-form.
- Type:
null or string- Default:
null
- services.ngi-pretalx.site.csp_script
-
Use this setting to update the CSP security headers. See https://docs.pretalx.org/administrator/configure.html#csp-csp-script-csp-style-csp-img-csp-form.
- Type:
null or string- Default:
null
- services.ngi-pretalx.site.csp_style
-
Use this setting to update the CSP security headers. See https://docs.pretalx.org/administrator/configure.html#csp-csp-script-csp-style-csp-img-csp-form.
- Type:
null or string- Default:
null
- services.ngi-pretalx.site.media
-
Path that is appended to the site URL to address media files (all files uploaded by users or generated by pretalx).
- Type:
string- Default:
"/media/"
- services.ngi-pretalx.site.secretFile
-
Path to a file containing a secret key that the Django web framework uses for cryptographic signing. See https://docs.pretalx.org/administrator/configure.html#secret. Consider using a secret managing scheme such as
agenixorsops-nixto generate this file.- Type:
null or absolute path- Default:
null
- services.ngi-pretalx.site.static
-
Path that is appended to the site URL to address static files.
- Type:
string- Default:
"/static/"
- services.ngi-pretalx.site.url
-
URL for pretalx. pretalx uses this value when it has to render full URLs, for example in emails or feeds. It is also used to determine the allowed incoming hosts.
- Type:
string- Default:
"http://options.invalid"
- services.ngi-pretalx.user
-
Username of the system user that should own files and services related to pretalx.
- Type:
string- Default:
"pretalx"
Examples
Basic configuration for Pretalx, incl. secret management with SOPS, excl. database settings.
{ config, pkgs, ... }: { networking = { firewall.allowedTCPPorts = [ config.services.nginx.defaultHTTPListenPort ]; hostName = "server"; domain = "example.com"; }; sops = { # See <https://github.com/Mic92/sops-nix>. age.keyFile = "/dev/null"; # For a production configuration, set this option. defaultSopsFile = "/dev/null"; # For a production configuration, set this option. validateSopsFiles = false; # For a production configuration, remove this line. secrets = let pretalxSecret = { owner = config.services.ngi-pretalx.user; group = config.services.ngi-pretalx.group; }; in { "pretalx/database/password" = pretalxSecret; "pretalx/redis/location" = pretalxSecret; "pretalx/init/admin/password" = pretalxSecret; "pretalx/celery/backend" = pretalxSecret; "pretalx/celery/broker" = pretalxSecret; }; }; services = { ngi-pretalx = { enable = true; package = pkgs.pretalxFull; nginx = { # For a production configuration use this attribute set to configure the virtual host for pretalx. }; database = { user = "pretalx"; passwordFile = config.sops.secrets."pretalx/database/password".path; }; redis = { enable = true; locationFile = config.sops.secrets."pretalx/redis/location".path; }; celery = { enable = true; backendFile = config.sops.secrets."pretalx/celery/backend".path; brokerFile = config.sops.secrets."pretalx/celery/broker".path; }; init = { admin = { email = "pretalx@localhost"; passwordFile = config.sops.secrets."pretalx/init/admin/password".path; }; organiser = { name = "NGI Packages"; slug = "ngipkgs"; }; }; mail.enable = false; }; redis.servers."pretalx" = { enable = true; user = config.services.ngi-pretalx.user; }; nginx = { enable = true; recommendedTlsSettings = true; recommendedOptimisation = true; recommendedGzipSettings = true; recommendedProxySettings = true; }; }; }
Supplementary to `base.nix`, adds database configuration for MySQL.
{ config, pkgs, ... }: { services = { ngi-pretalx.database = { backend = "mysql"; host = "/var/run/mysqld/mysqld.sock"; user = "pretalx"; }; mysql = { enable = true; package = pkgs.mariadb; ensureUsers = [ { name = config.services.ngi-pretalx.database.user; ensurePermissions."${config.services.ngi-pretalx.database.name}.*" = "ALL PRIVILEGES"; } ]; ensureDatabases = [ config.services.ngi-pretalx.database.name ]; }; }; }
Supplementary to `base.nix`, adds database configuration for PostgreSQL.
{ config, ... }: { services = { ngi-pretalx.database = { backend = "postgresql"; user = "pretalx"; }; postgresql = { enable = true; authentication = "local all all trust"; ensureUsers = [ { name = config.services.ngi-pretalx.database.user; ensureDBOwnership = true; } ]; ensureDatabases = [ config.services.ngi-pretalx.database.name ]; }; }; }