nixos-config/hosts/voyager/services/hedgedoc.nix

{ config, pkgs, lib, ... }:
let
    cfg = config.services.hedgedoc.settings;
    domain = "md.feal.no";
    port = 3300;
    host = "0.0.0.0";
    authServerUrl = config.services.kanidm.serverSettings.origin;
in {
    # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
    sops.secrets."hedgedoc/env" = {
      restartUnits = [ "hedgedoc.service" ];
    };

    services.hedgedoc = {
        enable = true;
        environmentFile = config.sops.secrets."hedgedoc/env".path;
        settings = {
            inherit domain port host;
            protocolUseSSL = true;
            sessionSecret = "$CMD_SESSION_SECRET";

            allowFreeURL = true;
            allowAnonymous = false;
            allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission

            dbURL = "postgres://hedgedoc:@localhost/hedgedoc";

            email = false;
            oauth2 = {
              baseURL = "${authServerUrl}/oauth2";
              tokenURL = "${authServerUrl}/oauth2/token";
              authorizationURL = "${authServerUrl}/ui/oauth2";
              userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";

              clientID = "hedgedoc";
              clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
              scope = "openid email profile";
              userProfileUsernameAttr = "name";
              userProfileEmailAttr = "email";
              userProfileDisplayNameAttr = "displayname";

              providerName = "KaniDM";
            };

        };
    };

    systemd.services.hedgedoc.serviceConfig = {
      WorkingDirectory = lib.mkForce "/var/lib/hedgedoc";
      StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
    };

    networking.firewall.allowedTCPPorts = [ port ];

    services.postgresql = {
      ensureDatabases = [ "hedgedoc" ];
      ensureUsers = [{
        name = "hedgedoc";
        ensurePermissions = {
          "DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
        };
      }];
    };

}
Add hedgedoc + kanidm 2023-04-22 16:49:04 +02:00			`{ config, pkgs, lib, ... }:`
			`let`
			`cfg = config.services.hedgedoc.settings;`
			`domain = "md.feal.no";`
Fix hedgedoc oauth, update flake, update sops 2023-04-26 23:40:18 +02:00			`port = 3300;`
Add hedgedoc + kanidm 2023-04-22 16:49:04 +02:00			`host = "0.0.0.0";`
Fix hedgedoc oauth, update flake, update sops 2023-04-26 23:40:18 +02:00			`authServerUrl = config.services.kanidm.serverSettings.origin;`
Add hedgedoc + kanidm 2023-04-22 16:49:04 +02:00			`in {`
Add sops-secrets, configure oauth 2023-04-26 12:07:36 +02:00			`# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET`
			`sops.secrets."hedgedoc/env" = {`
			`restartUnits = [ "hedgedoc.service" ];`
			`};`

Add hedgedoc + kanidm 2023-04-22 16:49:04 +02:00			`services.hedgedoc = {`
			`enable = true;`
Fix hedgedoc oauth, update flake, update sops 2023-04-26 23:40:18 +02:00			`environmentFile = config.sops.secrets."hedgedoc/env".path;`
Add hedgedoc + kanidm 2023-04-22 16:49:04 +02:00			`settings = {`
			`inherit domain port host;`
			`protocolUseSSL = true;`
Fix hedgedoc oauth, update flake, update sops 2023-04-26 23:40:18 +02:00			`sessionSecret = "$CMD_SESSION_SECRET";`

			`allowFreeURL = true;`
Add postgres, fix hedgedoc, various cleanups 2023-05-03 17:49:50 +02:00			`allowAnonymous = false;`
			`allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission`

			`dbURL = "postgres://hedgedoc:@localhost/hedgedoc";`
Add sops-secrets, configure oauth 2023-04-26 12:07:36 +02:00
Add hedgedoc + kanidm 2023-04-22 16:49:04 +02:00			`email = false;`
Fix hedgedoc oauth, update flake, update sops 2023-04-26 23:40:18 +02:00			`oauth2 = {`
Add hedgedoc + kanidm 2023-04-22 16:49:04 +02:00			`baseURL = "${authServerUrl}/oauth2";`
			`tokenURL = "${authServerUrl}/oauth2/token";`
			`authorizationURL = "${authServerUrl}/ui/oauth2";`
			`userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";`

			`clientID = "hedgedoc";`
Fix hedgedoc oauth, update flake, update sops 2023-04-26 23:40:18 +02:00			`clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";`
Add hedgedoc + kanidm 2023-04-22 16:49:04 +02:00			`scope = "openid email profile";`
			`userProfileUsernameAttr = "name";`
			`userProfileEmailAttr = "email";`
			`userProfileDisplayNameAttr = "displayname";`

			`providerName = "KaniDM";`
			`};`

			`};`
			`};`
Fix hedgedoc oauth, update flake, update sops 2023-04-26 23:40:18 +02:00
			`systemd.services.hedgedoc.serviceConfig = {`
			`WorkingDirectory = lib.mkForce "/var/lib/hedgedoc";`
			`StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];`
Add hedgedoc + kanidm 2023-04-22 16:49:04 +02:00			`};`
Fix hedgedoc oauth, update flake, update sops 2023-04-26 23:40:18 +02:00
			`networking.firewall.allowedTCPPorts = [ port ];`
Add postgres, fix hedgedoc, various cleanups 2023-05-03 17:49:50 +02:00
			`services.postgresql = {`
			`ensureDatabases = [ "hedgedoc" ];`
			`ensureUsers = [{`
			`name = "hedgedoc";`
			`ensurePermissions = {`
			`"DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";`
			`};`
			`}];`
			`};`

Add hedgedoc + kanidm 2023-04-22 16:49:04 +02:00			`}`