2023-03-07 23:14:10 +01:00
|
|
|
{ pkgs, lib, config, options, ... }:
|
|
|
|
{
|
|
|
|
config = {
|
|
|
|
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
|
|
|
|
sops.secrets."hedgedoc/env" = {
|
|
|
|
restartUnits = [ "hedgedoc.service" ];
|
|
|
|
};
|
|
|
|
|
|
|
|
services.hedgedoc = {
|
|
|
|
enable = true;
|
|
|
|
environmentFile = config.sops.secrets."hedgedoc/env".path;
|
|
|
|
settings = {
|
|
|
|
domain = "docs.nani.wtf";
|
|
|
|
dbURL = "postgres://hedgedoc:@localhost/hedgedoc";
|
|
|
|
email = false;
|
|
|
|
allowAnonymous = false;
|
|
|
|
allowAnonymousEdits = true;
|
|
|
|
protocolUseSSL = true;
|
|
|
|
|
|
|
|
oauth2 = let
|
|
|
|
authServerUrl = config.services.kanidm.serverSettings.origin;
|
2023-05-08 02:09:08 +02:00
|
|
|
in rec {
|
2023-03-07 23:14:10 +01:00
|
|
|
baseURL = "${authServerUrl}/oauth2";
|
|
|
|
tokenURL = "${authServerUrl}/oauth2/token";
|
|
|
|
authorizationURL = "${authServerUrl}/ui/oauth2";
|
2023-05-08 02:09:08 +02:00
|
|
|
userProfileURL = "${authServerUrl}/oauth2/openid/${clientID}/userinfo";
|
2023-03-07 23:14:10 +01:00
|
|
|
|
|
|
|
clientID = "hedgedoc";
|
|
|
|
|
|
|
|
scope = "openid email profile";
|
|
|
|
userProfileUsernameAttr = "name";
|
|
|
|
userProfileEmailAttr = "email";
|
|
|
|
userProfileDisplayNameAttr = "displayname";
|
|
|
|
|
|
|
|
providerName = "KaniDM";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
services.postgresql = {
|
|
|
|
ensureDatabases = [ "hedgedoc" ];
|
|
|
|
ensureUsers = [{
|
|
|
|
name = "hedgedoc";
|
|
|
|
ensurePermissions = {
|
|
|
|
"DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
|
|
|
|
};
|
|
|
|
}];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|