nix-dotfiles/hosts/tsuki/services/hedgedoc.nix

81 lines
2.0 KiB
Nix
Raw Normal View History

{ pkgs, lib, config, ... }: let
2024-01-23 05:40:19 +01:00
cfg = config.services.hedgedoc;
in {
sops = {
secrets = {
"hedgedoc/env/cmd_session_secret" = { };
"hedgedoc/env/cmd_oauth2_client_secret" = { };
};
templates."hedgedoc.env" = {
restartUnits = [ "hedgedoc.service" ];
2024-01-23 05:40:19 +01:00
owner = "hedgedoc";
group = "hedgedoc";
content = let
inherit (config.sops) placeholder;
in ''
CMD_SESSION_SECRET=${placeholder."hedgedoc/env/cmd_session_secret"}
CMD_OAUTH2_CLIENT_SECRET=${placeholder."hedgedoc/env/cmd_oauth2_client_secret"}
'';
};
};
users.groups.hedgedoc.members = [ "nginx" ];
2024-01-23 05:40:19 +01:00
services.hedgedoc = {
enable = true;
environmentFile = config.sops.templates."hedgedoc.env".path;
settings = {
domain = "docs.nani.wtf";
email = false;
allowAnonymous = false;
allowAnonymousEdits = true;
protocolUseSSL = true;
path = "/run/hedgedoc/hedgedoc.sock";
2024-01-23 05:40:19 +01:00
db = {
username = "hedgedoc";
# TODO: set a password
database = "hedgedoc";
host = "/var/run/postgresql";
dialect = "postgres";
};
2024-01-23 05:40:19 +01:00
oauth2 = let
authServerUrl = config.services.kanidm.serverSettings.origin;
in rec {
baseURL = "${authServerUrl}/oauth2";
tokenURL = "${authServerUrl}/oauth2/token";
authorizationURL = "${authServerUrl}/ui/oauth2";
userProfileURL = "${authServerUrl}/oauth2/openid/${clientID}/userinfo";
clientID = "hedgedoc";
scope = "openid email profile";
userProfileUsernameAttr = "name";
userProfileEmailAttr = "email";
userProfileDisplayNameAttr = "displayname";
providerName = "KaniDM";
};
};
};
services.postgresql = {
ensureDatabases = [ "hedgedoc" ];
ensureUsers = [{
name = "hedgedoc";
ensureDBOwnership = true;
}];
};
2024-01-23 05:40:19 +01:00
systemd.services.hedgedoc = rec {
requires = [
"postgresql.service"
"kanidm.service"
];
after = requires;
};
}