
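{ config, pkgs, lib, mkDomain, ... }:
{
  # hedgedoc
  # Realtime collaborative markdown notes on all platforms
  #
  # Layout: HedgeDoc binds to loopback only; nginx terminates TLS for the
  # public domain, fronts the app with HTTP basic auth and proxies to it.
  # Secrets come from sops and are owned by the unit that reads them.
  sops.secrets."hedgedoc/htpasswd".owner = config.services.nginx.user;
  sops.secrets."hedgedoc/env-file".owner = "hedgedoc";
  # pick up a rotated env file without a manual restart
  sops.secrets."hedgedoc/env-file".restartUnits = [ "hedgedoc.service" ];

  services.hedgedoc = {
    enable = true; # FIXME: make it load
    environmentFile = config.sops.secrets."hedgedoc/env-file".path;
    # loopback only: the app is reachable solely through the nginx vhost below
    settings.host = "localhost";
    settings.port = 44776;
    # reverse proxy
    settings.domain = mkDomain "hedgedoc";
    # was `hsts.enale` (typo). `settings` is freeform, so the misspelled key was
    # passed through and silently ignored; the nginx vhost only redirects to
    # https (forceSSL) and does not emit HSTS itself, so HedgeDoc has to.
    settings.hsts.enable = true;
    settings.useSSL = false; # we terminate ssl with nginx
    settings.protocolUseSSL = true; # https:// prefix
    settings.urlAddPort = false;
    settings.db.dialect = "sqlite";
    settings.db.storage = "/var/lib/hedgedoc/db.sqlite";
    settings.email = false; # email sign-in
    settings.allowFreeURL = true; # allow note creation by accessing a nonexistent note URL.
    #settings.allowAnonymous = false; # default is true
    settings.allowEmailRegister = false; # default is true
    settings.allowAnonymousEdits = false; # default is false
    #settings.uploadsPath
    # content security policy
    #settings.csp = {
    #  enable = true;
    #  addDefaults = true;
    #  upgradeInsecureRequest = "auto";
    #  #directives.scriptSrc = "trustworthy.scripts.example.com";
    #};
    #settings.useCDN = true;
    #settings.debug = true;
    # there are also a metric fuckton of integration services, like github, twitter, minio, mattermost, dropbox etc.
    # there are also auth options, like ldap, saml and oauth2
  };

  # Only declare the vhost while the service is enabled, so a disabled
  # HedgeDoc does not leave a proxy pointing at a closed port.
  services.nginx.virtualHosts.${mkDomain "hedgedoc"} = lib.mkIf config.services.hedgedoc.enable {
    forceSSL = true; # addSSL = true;
    enableACME = true; #useACMEHost = acmeDomain;
    locations."/" = {
      proxyPass = "http://localhost:${toString config.services.hedgedoc.settings.port}";
      proxyWebsockets = true;
      # TODO: proxy headers:
      # https://docs.hedgedoc.org/guides/reverse-proxy/
      # Basic auth gates every path, including the websocket handshake.
      # The X-Forwarded-* headers let HedgeDoc see the real client address
      # and scheme instead of the loopback proxy's.
      extraConfig = ''
        auth_basic "Ke 'e e u vill?!?";
        auth_basic_user_file ${config.sops.secrets."hedgedoc/htpasswd".path};
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
      '';
    };
    # Server-level add_header directives are inherited by a location only if
    # that location defines no add_header of its own; locations."/" above adds
    # none, so these apply to every response. Keep it that way when editing.
    extraConfig = ''
      add_header X-Frame-Options SAMEORIGIN;
      add_header X-Content-Type-Options nosniff;
      add_header Referrer-Policy strict-origin-when-cross-origin;
    '';
  };
}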