2024-11-29 00:41:30 +01:00
|
|
|
{ pkgs, lib, config, ... }: let
|
2024-01-23 05:40:19 +01:00
|
|
|
cfg = config.services.hedgedoc;
|
|
|
|
in {
|
2024-11-29 00:41:30 +01:00
|
|
|
sops = {
|
|
|
|
secrets = {
|
|
|
|
"hedgedoc/env/cmd_session_secret" = { };
|
|
|
|
"hedgedoc/env/cmd_oauth2_client_secret" = { };
|
|
|
|
};
|
|
|
|
templates."hedgedoc.env" = {
|
2023-03-07 23:14:10 +01:00
|
|
|
restartUnits = [ "hedgedoc.service" ];
|
2024-01-23 05:40:19 +01:00
|
|
|
owner = "hedgedoc";
|
|
|
|
group = "hedgedoc";
|
2024-11-29 00:41:30 +01:00
|
|
|
content = let
|
|
|
|
inherit (config.sops) placeholder;
|
|
|
|
in ''
|
|
|
|
CMD_SESSION_SECRET=${placeholder."hedgedoc/env/cmd_session_secret"}
|
|
|
|
CMD_OAUTH2_CLIENT_SECRET=${placeholder."hedgedoc/env/cmd_oauth2_client_secret"}
|
|
|
|
'';
|
2023-03-07 23:14:10 +01:00
|
|
|
};
|
2024-11-29 00:41:30 +01:00
|
|
|
};
|
2023-03-07 23:14:10 +01:00
|
|
|
|
2024-11-29 00:41:30 +01:00
|
|
|
users.groups.hedgedoc.members = [ "nginx" ];
|
2024-01-23 05:40:19 +01:00
|
|
|
|
2024-11-29 00:41:30 +01:00
|
|
|
services.hedgedoc = {
|
|
|
|
enable = true;
|
|
|
|
environmentFile = config.sops.templates."hedgedoc.env".path;
|
|
|
|
settings = {
|
|
|
|
domain = "docs.nani.wtf";
|
|
|
|
email = false;
|
|
|
|
allowAnonymous = false;
|
|
|
|
allowAnonymousEdits = true;
|
|
|
|
protocolUseSSL = true;
|
2023-03-07 23:14:10 +01:00
|
|
|
|
2024-11-29 00:41:30 +01:00
|
|
|
path = "/run/hedgedoc/hedgedoc.sock";
|
2024-01-23 05:40:19 +01:00
|
|
|
|
2024-11-29 00:41:30 +01:00
|
|
|
db = {
|
|
|
|
username = "hedgedoc";
|
|
|
|
# TODO: set a password
|
|
|
|
database = "hedgedoc";
|
|
|
|
host = "/var/run/postgresql";
|
|
|
|
dialect = "postgres";
|
|
|
|
};
|
2024-01-23 05:40:19 +01:00
|
|
|
|
2024-11-29 00:41:30 +01:00
|
|
|
oauth2 = let
|
|
|
|
authServerUrl = config.services.kanidm.serverSettings.origin;
|
|
|
|
in rec {
|
|
|
|
baseURL = "${authServerUrl}/oauth2";
|
|
|
|
tokenURL = "${authServerUrl}/oauth2/token";
|
|
|
|
authorizationURL = "${authServerUrl}/ui/oauth2";
|
|
|
|
userProfileURL = "${authServerUrl}/oauth2/openid/${clientID}/userinfo";
|
2023-03-07 23:14:10 +01:00
|
|
|
|
2024-11-29 00:41:30 +01:00
|
|
|
clientID = "hedgedoc";
|
2023-03-07 23:14:10 +01:00
|
|
|
|
2024-11-29 00:41:30 +01:00
|
|
|
scope = "openid email profile";
|
|
|
|
userProfileUsernameAttr = "name";
|
|
|
|
userProfileEmailAttr = "email";
|
|
|
|
userProfileDisplayNameAttr = "displayname";
|
2023-03-07 23:14:10 +01:00
|
|
|
|
2024-11-29 00:41:30 +01:00
|
|
|
providerName = "KaniDM";
|
2023-03-07 23:14:10 +01:00
|
|
|
};
|
|
|
|
};
|
2024-11-29 00:41:30 +01:00
|
|
|
};
|
2023-03-07 23:14:10 +01:00
|
|
|
|
2024-11-29 00:41:30 +01:00
|
|
|
services.postgresql = {
|
|
|
|
ensureDatabases = [ "hedgedoc" ];
|
2024-06-10 00:43:04 +02:00
|
|
|
|
2024-11-29 00:41:30 +01:00
|
|
|
ensureUsers = [{
|
|
|
|
name = "hedgedoc";
|
|
|
|
ensureDBOwnership = true;
|
|
|
|
}];
|
|
|
|
};
|
2024-01-23 05:40:19 +01:00
|
|
|
|
2024-11-29 00:41:30 +01:00
|
|
|
systemd.services.hedgedoc = rec {
|
|
|
|
requires = [
|
|
|
|
"postgresql.service"
|
|
|
|
"kanidm.service"
|
|
|
|
];
|
|
|
|
after = requires;
|
2023-03-07 23:14:10 +01:00
|
|
|
};
|
|
|
|
}
|