fruitbasket/modules/hedgedoc.nix

102 lines
2.6 KiB
Nix
Raw Normal View History

2022-09-06 15:09:30 +02:00
{ config, pkgs, lib, ... }:
2022-09-06 17:16:31 +02:00
let
domain = "pad.${config.networking.domain}";
2023-08-24 20:36:30 +02:00
template = pkgs.writeText "hedgedoc-template.md" ''
---
tags: listed
---
'';
2022-09-06 17:16:31 +02:00
in
{
2022-09-06 15:09:30 +02:00
services = {
postgresql = {
enable = true;
ensureUsers = [
{
name = "hedgedoc";
ensurePermissions = {
"DATABASE hedgedoc" = "ALL PRIVILEGES";
};
}
];
ensureDatabases = [ "hedgedoc" ];
};
hedgedoc = {
enable = true;
2023-02-15 15:53:15 +01:00
settings = {
2023-08-24 16:25:15 +02:00
allowFreeURL = true;
2022-09-06 15:09:30 +02:00
port = 3002;
domain = "${domain}";
protocolUseSSL = true;
2023-07-20 13:00:30 +02:00
db = {
dialect = "postgres";
host = "/run/postgresql/";
};
2022-09-06 15:09:30 +02:00
sessionSecret = "\${SESSION_SECRET}";
csp = {
enable = true;
directives = {
scriptSrc = "${domain}";
};
upgradeInsecureRequest = "auto";
addDefaults = true;
};
allowGravatar = false;
## authentication
# disable email
email = false;
allowEmailRegister = false;
# allow anonymous editing, but not creation of pads
allowAnonymous = false;
allowAnonymousEdits = true;
defaultPermission = "limited";
2023-08-24 20:36:30 +02:00
defaultNotePath = builtins.toString template;
# ldap auth
ldap = rec {
url = "ldap://localhost";
searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
searchFilter = "(uid={{username}})";
bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
bindCredentials = "\${LDAP_CREDENTIALS}";
useridField = "uid";
providerName = "iFSR";
};
2022-09-06 15:09:30 +02:00
};
};
nginx = {
recommendedProxySettings = true;
virtualHosts = {
"${domain}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
2023-02-15 15:53:15 +01:00
proxyPass = "http://[::1]:${toString config.services.hedgedoc.settings.port}";
2022-09-06 15:09:30 +02:00
proxyWebsockets = true;
};
};
};
};
};
sops.secrets =
let
user = config.systemd.services.hedgedoc.serviceConfig.User;
in
{
hedgedoc_session_secret.owner = user;
hedgedoc_ldap_search = {
key = "portunus/search-password";
owner = user;
};
};
2022-09-06 15:09:30 +02:00
systemd.services.hedgedoc.preStart = lib.mkBefore ''
export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
export LDAP_CREDENTIALS="$(cat ${config.sops.secrets.hedgedoc_ldap_search.path})"
2022-09-06 15:09:30 +02:00
'';
}
2023-08-24 20:36:30 +02:00