nixos-config/hosts/voyager/services/hedgedoc.nix

66 lines
2.0 KiB
Nix

{ config, pkgs, lib, ... }:
let
cfg = config.services.hedgedoc.settings;
domain = "md.feal.no";
port = 3300;
host = "0.0.0.0";
authServerUrl = config.services.kanidm.serverSettings.origin;
in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = {
restartUnits = [ "hedgedoc.service" ];
};
services.hedgedoc = {
enable = true;
environmentFile = config.sops.secrets."hedgedoc/env".path;
settings = {
inherit domain port host;
protocolUseSSL = true;
sessionSecret = "$CMD_SESSION_SECRET";
allowFreeURL = true;
allowAnonymous = false;
allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
dbURL = "postgres://hedgedoc:@localhost/hedgedoc";
email = false;
oauth2 = {
baseURL = "${authServerUrl}/oauth2";
tokenURL = "${authServerUrl}/oauth2/token";
authorizationURL = "${authServerUrl}/ui/oauth2";
userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
clientID = "hedgedoc";
clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
scope = "openid email profile";
userProfileUsernameAttr = "name";
userProfileEmailAttr = "email";
userProfileDisplayNameAttr = "displayname";
providerName = "KaniDM";
};
};
};
systemd.services.hedgedoc.serviceConfig = {
WorkingDirectory = lib.mkForce "/var/lib/hedgedoc";
StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
};
networking.firewall.allowedTCPPorts = [ port ];
services.postgresql = {
ensureDatabases = [ "hedgedoc" ];
ensureUsers = [{
name = "hedgedoc";
ensurePermissions = {
"DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
};
}];
};
}