66 lines
2.0 KiB
Nix
66 lines
2.0 KiB
Nix
{ config, pkgs, lib, ... }:
|
|
let
|
|
cfg = config.services.hedgedoc.settings;
|
|
domain = "md.feal.no";
|
|
port = 3300;
|
|
host = "0.0.0.0";
|
|
authServerUrl = config.services.kanidm.serverSettings.origin;
|
|
in {
|
|
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
|
|
sops.secrets."hedgedoc/env" = {
|
|
restartUnits = [ "hedgedoc.service" ];
|
|
};
|
|
|
|
services.hedgedoc = {
|
|
enable = true;
|
|
environmentFile = config.sops.secrets."hedgedoc/env".path;
|
|
settings = {
|
|
inherit domain port host;
|
|
protocolUseSSL = true;
|
|
sessionSecret = "$CMD_SESSION_SECRET";
|
|
|
|
allowFreeURL = true;
|
|
allowAnonymous = false;
|
|
allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
|
|
|
|
dbURL = "postgres://hedgedoc:@localhost/hedgedoc";
|
|
|
|
email = false;
|
|
oauth2 = {
|
|
baseURL = "${authServerUrl}/oauth2";
|
|
tokenURL = "${authServerUrl}/oauth2/token";
|
|
authorizationURL = "${authServerUrl}/ui/oauth2";
|
|
userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
|
|
|
|
clientID = "hedgedoc";
|
|
clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
|
|
scope = "openid email profile";
|
|
userProfileUsernameAttr = "name";
|
|
userProfileEmailAttr = "email";
|
|
userProfileDisplayNameAttr = "displayname";
|
|
|
|
providerName = "KaniDM";
|
|
};
|
|
|
|
};
|
|
};
|
|
|
|
systemd.services.hedgedoc.serviceConfig = {
|
|
WorkingDirectory = lib.mkForce "/var/lib/hedgedoc";
|
|
StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
|
|
};
|
|
|
|
networking.firewall.allowedTCPPorts = [ port ];
|
|
|
|
services.postgresql = {
|
|
ensureDatabases = [ "hedgedoc" ];
|
|
ensureUsers = [{
|
|
name = "hedgedoc";
|
|
ensurePermissions = {
|
|
"DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
|
|
};
|
|
}];
|
|
};
|
|
|
|
}
|