forked from wurzel/fruitbasket
add hedgedoc module
This commit is contained in:
parent
8649d4812d
commit
1d4acbb6ac
6 changed files with 89 additions and 11 deletions
76
modules/hedgedoc.nix
Normal file
76
modules/hedgedoc.nix
Normal file
|
@ -0,0 +1,76 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
domain = "pad.quitte.tassilo-tanneberger.de";
|
||||
in {
|
||||
services = {
|
||||
postgresql = {
|
||||
enable = true;
|
||||
ensureUsers = [
|
||||
{
|
||||
name = "hedgedoc";
|
||||
ensurePermissions = {
|
||||
"DATABASE hedgedoc" = "ALL PRIVILEGES";
|
||||
};
|
||||
}
|
||||
];
|
||||
ensureDatabases = [ "hedgedoc" ];
|
||||
};
|
||||
|
||||
hedgedoc = {
|
||||
enable = true;
|
||||
configuration = {
|
||||
port = 3002;
|
||||
domain = "${domain}";
|
||||
protocolUseSSL = true;
|
||||
dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc";
|
||||
sessionSecret = "\${SESSION_SECRET}";
|
||||
allowAnonymousEdits = true;
|
||||
csp = {
|
||||
enable = true;
|
||||
directives = {
|
||||
scriptSrc = "${domain}";
|
||||
};
|
||||
upgradeInsecureRequest = "auto";
|
||||
addDefaults = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
nginx = {
|
||||
recommendedProxySettings = true;
|
||||
virtualHosts = {
|
||||
"${domain}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:3002";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets.postgres_hedgedoc.owner = config.systemd.services.hedgedoc.serviceConfig.User;
|
||||
sops.secrets.hedgedoc_session_secret.owner = config.systemd.services.hedgedoc.serviceConfig.User;
|
||||
sops.secrets.restic_hedgedoc.owner = config.systemd.services.hedgedoc.serviceConfig.User;
|
||||
sops.secrets.kaki_private_key.group = "remote-backups";
|
||||
|
||||
systemd.services.hedgedoc.preStart = lib.mkBefore ''
|
||||
export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})"
|
||||
export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
|
||||
'';
|
||||
systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ];
|
||||
|
||||
systemd.services.hedgedoc-pgsetup = {
|
||||
description = "Prepare HedgeDoc postgres database";
|
||||
wantedBy = [ "multi-user.target" ];
|
||||
after = [ "networking.target" "postgresql.service" ];
|
||||
serviceConfig.Type = "oneshot";
|
||||
|
||||
path = [ pkgs.sudo config.services.postgresql.package ];
|
||||
script = ''
|
||||
sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE hedgedoc WITH PASSWORD '$(cat ${config.sops.secrets.postgres_hedgedoc.path})'"
|
||||
'';
|
||||
};
|
||||
}
|
Loading…
Add table
Add a link
Reference in a new issue