2022-09-06 15:09:30 +02:00
|
|
|
{ config, pkgs, lib, ... }:
|
2022-09-06 17:16:31 +02:00
|
|
|
let
|
2023-09-17 20:10:55 +02:00
|
|
|
domain = "pad.${config.networking.domain}";
|
2023-08-24 20:36:30 +02:00
|
|
|
template = pkgs.writeText "hedgedoc-template.md" ''
|
|
|
|
|
---
|
|
|
|
|
tags: listed
|
|
|
|
|
---
|
|
|
|
|
'';
|
2022-09-06 17:16:31 +02:00
|
|
|
in
|
|
|
|
|
{
|
2022-09-06 15:09:30 +02:00
|
|
|
services = {
|
|
|
|
|
postgresql = {
|
|
|
|
|
enable = true;
|
|
|
|
|
ensureUsers = [
|
|
|
|
|
{
|
|
|
|
|
name = "hedgedoc";
|
2023-12-14 15:42:10 +01:00
|
|
|
ensureDBOwnership = true;
|
2022-09-06 15:09:30 +02:00
|
|
|
}
|
|
|
|
|
];
|
|
|
|
|
ensureDatabases = [ "hedgedoc" ];
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
hedgedoc = {
|
|
|
|
|
enable = true;
|
2023-02-15 15:53:15 +01:00
|
|
|
settings = {
|
2023-08-24 16:25:15 +02:00
|
|
|
allowFreeURL = true;
|
2022-09-06 15:09:30 +02:00
|
|
|
port = 3002;
|
|
|
|
|
domain = "${domain}";
|
|
|
|
|
protocolUseSSL = true;
|
2023-07-20 13:00:30 +02:00
|
|
|
db = {
|
|
|
|
|
dialect = "postgres";
|
|
|
|
|
host = "/run/postgresql/";
|
|
|
|
|
};
|
2022-09-06 15:09:30 +02:00
|
|
|
sessionSecret = "\${SESSION_SECRET}";
|
|
|
|
|
csp = {
|
|
|
|
|
enable = true;
|
|
|
|
|
directives = {
|
|
|
|
|
scriptSrc = "${domain}";
|
|
|
|
|
};
|
|
|
|
|
upgradeInsecureRequest = "auto";
|
|
|
|
|
addDefaults = true;
|
|
|
|
|
};
|
2023-02-24 17:57:55 +01:00
|
|
|
allowGravatar = false;
|
|
|
|
|
|
|
|
|
|
## authentication
|
|
|
|
|
# disable email
|
|
|
|
|
email = false;
|
|
|
|
|
allowEmailRegister = false;
|
|
|
|
|
# allow anonymous editing, but not creation of pads
|
|
|
|
|
allowAnonymous = false;
|
|
|
|
|
allowAnonymousEdits = true;
|
|
|
|
|
defaultPermission = "limited";
|
2023-08-24 20:36:30 +02:00
|
|
|
defaultNotePath = builtins.toString template;
|
2023-02-24 17:57:55 +01:00
|
|
|
# ldap auth
|
|
|
|
|
ldap = rec {
|
|
|
|
|
url = "ldap://localhost";
|
|
|
|
|
searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
|
|
|
|
|
searchFilter = "(uid={{username}})";
|
|
|
|
|
bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
|
|
|
|
|
bindCredentials = "\${LDAP_CREDENTIALS}";
|
|
|
|
|
useridField = "uid";
|
|
|
|
|
providerName = "iFSR";
|
|
|
|
|
};
|
2022-09-06 15:09:30 +02:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
nginx = {
|
|
|
|
|
recommendedProxySettings = true;
|
|
|
|
|
virtualHosts = {
|
|
|
|
|
"${domain}" = {
|
|
|
|
|
locations."/" = {
|
2023-02-15 15:53:15 +01:00
|
|
|
proxyPass = "http://[::1]:${toString config.services.hedgedoc.settings.port}";
|
2022-09-06 15:09:30 +02:00
|
|
|
proxyWebsockets = true;
|
|
|
|
|
};
|
2024-03-06 20:59:11 +01:00
|
|
|
locations."/robots.txt" = {
|
|
|
|
|
extraConfig = ''
|
|
|
|
|
add_header Content-Type text/plain;
|
|
|
|
|
return 200 "User-agent: *\nDisallow: /\n";
|
|
|
|
|
'';
|
|
|
|
|
};
|
2022-09-06 15:09:30 +02:00
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
};
|
|
|
|
|
|
2023-02-24 17:57:55 +01:00
|
|
|
sops.secrets =
|
|
|
|
|
let
|
|
|
|
|
user = config.systemd.services.hedgedoc.serviceConfig.User;
|
|
|
|
|
in
|
|
|
|
|
{
|
|
|
|
|
hedgedoc_session_secret.owner = user;
|
|
|
|
|
hedgedoc_ldap_search = {
|
2023-07-07 17:12:59 +02:00
|
|
|
key = "portunus/search-password";
|
2023-02-24 17:57:55 +01:00
|
|
|
owner = user;
|
|
|
|
|
};
|
|
|
|
|
};
|
2022-09-06 15:09:30 +02:00
|
|
|
|
|
|
|
|
systemd.services.hedgedoc.preStart = lib.mkBefore ''
|
|
|
|
|
export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
|
2023-02-24 17:57:55 +01:00
|
|
|
export LDAP_CREDENTIALS="$(cat ${config.sops.secrets.hedgedoc_ldap_search.path})"
|
2022-09-06 15:09:30 +02:00
|
|
|
'';
|
|
|
|
|
}
|
2023-08-24 20:36:30 +02:00
|
|
|
|
