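{ config, pkgs, lib, mkDomain, ... }:

{
  # hedgedoc
  # Realtime collaborative markdown notes on all platforms
  #
  # Layout: hedgedoc listens on loopback only; nginx terminates TLS and puts
  # HTTP basic auth in front of every path (websocket upgrades included).

  # The htpasswd file is read by nginx, the env-file by the hedgedoc unit, so
  # each is owned by the consuming user. Both live in sops, not the nix store.
  sops.secrets."hedgedoc/htpasswd".owner = config.services.nginx.user;
  sops.secrets."hedgedoc/env-file".owner = "hedgedoc";
  sops.secrets."hedgedoc/env-file".restartUnits = [ "hedgedoc.service" ];

  services.hedgedoc = {
    enable = true; # FIXME: make it load
    # Secrets that must not appear in the generated config.json (session
    # secret, integration tokens, ...) are supplied as CMD_* vars from here.
    environmentFile = config.sops.secrets."hedgedoc/env-file".path;

    # Bind to loopback only: the auth gate is in nginx, so the app itself must
    # not be reachable from outside the host.
    settings.host = "localhost";
    settings.port = 44776;

    # reverse proxy
    settings.domain = mkDomain "hedgedoc";
    # NOTE: the settings type appears to be freeform (a misspelled key was
    # accepted here without error), so a typo is written to config.json and
    # silently ignored by HedgeDoc — keep key names exact. HedgeDoc's
    # documented default for hsts.enable is already true; this pins it.
    settings.hsts.enable = true;
    settings.useSSL = false; # we terminate ssl with nginx
    settings.protocolUseSSL = true; # https:// prefix
    settings.urlAddPort = false;

    settings.db.dialect = "sqlite";
    settings.db.storage = "/var/lib/hedgedoc/db.sqlite";

    settings.email = false; # email sign-in
    settings.allowFreeURL = true; # allow note creation by accessing a nonexistent note URL.
    # allowAnonymous keeps its default (true): anonymous read/create is only
    # acceptable because nginx basic auth fronts every request (see vhost below).
    #settings.allowAnonymous = false; # default is true
    settings.allowEmailRegister = false; # default is true
    settings.allowAnonymousEdits = false; # default is false
    #settings.uploadsPath

    # content security policy
    #settings.csp = {
    #  enable = true;
    #  addDefaults = true;
    #  upgradeInsecureRequest = "auto";
    #  #directives.scriptSrc = "trustworthy.scripts.example.com";
    #};

    #settings.useCDN = true;
    #settings.debug = true;
    # there are also a metric fuckton of integration services, like github, twitter, minio, mattermost, dropbox etc.
    # there are also auth options, like ldap, saml and oauth2
  };

  services.nginx.virtualHosts.${mkDomain "hedgedoc"} = lib.mkIf config.services.hedgedoc.enable {
    forceSSL = true; # addSSL = true;
    enableACME = true; #useACMEHost = acmeDomain;

    locations."/" = {
      proxyPass = "http://localhost:${toString config.services.hedgedoc.settings.port}";
      # Upgrade/Connection headers are added to this same location, so the
      # auth_basic below also covers the socket.io websocket path.
      proxyWebsockets = true;

      # Forwarded headers follow https://docs.hedgedoc.org/guides/reverse-proxy/
      extraConfig = ''
        auth_basic "Ke 'e e u vill?!?";
        auth_basic_user_file ${config.sops.secrets."hedgedoc/htpasswd".path};

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
      '';
    };

    # Server-level add_header directives are inherited by locations."/" only
    # because that location defines no add_header of its own — adding one
    # there would drop all of these. `always` attaches them to 4xx/5xx too
    # (e.g. the 401 from auth_basic), which add_header skips by default.
    extraConfig = ''
      add_header X-Frame-Options SAMEORIGIN always;
      add_header X-Content-Type-Options nosniff always;
      add_header Referrer-Policy strict-origin-when-cross-origin always;
    '';
  };
}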