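{ config, pkgs, lib, ... }:
let
  domain = "md.feal.no";
  port = 3000;
  # HedgeDoc listens on every interface; the nginx vhost below proxies to it
  # from the same machine, so loopback would be sufficient.  Nothing in this
  # module opens :3000 in the NixOS firewall, so whether the port is reachable
  # from the network depends on firewall settings kept elsewhere -- confirm
  # before relying on nginx being the only entry point.
  host = "0.0.0.0";
in
{
  # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
  sops.secrets."hedgedoc/env" = {
    restartUnits = [ "hedgedoc.service" ];
  };

  services.hedgedoc = {
    enable = true;

    # `environmentFile` is the NixOS module's own option (wired into the
    # systemd unit as EnvironmentFile), not a HedgeDoc config key.  Placed
    # under `settings` it would merely be serialised into config.json and the
    # CMD_* secrets from the sops file would never reach the process.
    environmentFile = config.sops.secrets."hedgedoc/env".path;

    settings = {
      inherit domain port host;
      # Makes HedgeDoc generate https:// URLs; TLS itself is terminated by nginx.
      protocolUseSSL = true;
      db = {
        dialect = "sqlite";
        storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
      };
      email = false;
      # OAuth2/OIDC login against the local Kanidm instance.  The client secret
      # is supplied via CMD_OAUTH2_CLIENT_SECRET from the environment file, so
      # it never appears in the world-readable config.json.
      oauth2 =
        let
          authServerUrl = config.services.kanidm.serverSettings.origin;
        in
        {
          baseURL = "${authServerUrl}/oauth2";
          tokenURL = "${authServerUrl}/oauth2/token";
          authorizationURL = "${authServerUrl}/ui/oauth2";
          userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
          clientID = "hedgedoc";
          scope = "openid email profile";
          userProfileUsernameAttr = "name";
          userProfileEmailAttr = "email";
          userProfileDisplayNameAttr = "displayname";
          providerName = "KaniDM";
        };
    };
  };

  services.nginx.virtualHosts.${domain} = {
    # NOTE(review): protocolUseSSL above assumes this vhost is served over
    # TLS; forceSSL/enableACME are not set here, so they must come from a
    # shared nginx default elsewhere -- confirm.
    locations."/" = {
      proxyPass = "http://${host}:${toString port}/";
    };
    # Realtime collaboration runs over socket.io and needs the Upgrade /
    # Connection headers that proxyWebsockets adds.
    locations."/socket.io/" = {
      proxyPass = "http://${host}:${toString port}/";
      proxyWebsockets = true;
    };
  };
}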