add hedgedoc module

flake.nix

@@ -12,7 +12,7 @@
     #packages."x86_64-linux".sanddorn = self.nixosConfigurations.sanddorn.config.system.build.sdImage;
 
     nixosConfigurations = {
-      /*birne = nixpkgs.lib.nixosSystem {
+      birne = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         modules = [
           ./hosts/birne/configuration.nix
@@ -50,16 +50,16 @@
           }
         ];
       };
-      */
+      quitte = nixpkgs.lib.nixosSystem {
-      durian = nixpkgs.lib.nixosSystem {
         system = "x86_64-linux";
         modules = [
           inputs.sops-nix.nixosModules.sops
-          ./hosts/durian/configuration.nix
+          ./hosts/quitte/configuration.nix
           ./modules/base.nix
           ./modules/sops.nix
           ./modules/keycloak.nix
           ./modules/nginx.nix
+          ./modules/hedgedoc.nix
           {
             sops.defaultSopsFile = ./secrets/durian.yaml;
           }

hosts/birne/configuration.nix

@@ -5,8 +5,8 @@
 { config, pkgs, ... }:
 
 {
-  imports =
+  imports =[ # Include the results of the hardware scan.
-    [ # Include the results of the hardware scan.
+    ./hardware-configuration.nix
   ];
 
   # Use the systemd-boot EFI boot loader.

hosts/quitte/configuration.nix

@@ -30,7 +30,7 @@
   networking.defaultGateway = "141.30.30.129";
   networking.nameservers = [ "141.30.1.1" ];
   
-  networking.hostName = "durian"; # Define your hostname.
+  networking.hostName = "quitte"; # Define your hostname.
   # Pick only one of the below networking options.
   # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.
   # networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.

modules/hedgedoc.nix

@@ -0,0 +1,76 @@
+{ config, pkgs, lib, ... }:
+let 
+  domain = "pad.quitte.tassilo-tanneberger.de";
+in {
+  services = {
+    postgresql = {
+      enable = true;
+      ensureUsers = [
+        {
+          name = "hedgedoc";
+          ensurePermissions = {
+            "DATABASE hedgedoc" = "ALL PRIVILEGES";
+          };
+        }
+      ];
+      ensureDatabases = [ "hedgedoc" ];
+    };
+
+    hedgedoc = {
+      enable = true;
+      configuration = {
+        port = 3002;
+        domain = "${domain}";
+        protocolUseSSL = true;
+        dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc";
+        sessionSecret = "\${SESSION_SECRET}";
+        allowAnonymousEdits = true;
+        csp = {
+          enable = true;
+          directives = {
+            scriptSrc = "${domain}";
+          };
+          upgradeInsecureRequest = "auto";
+          addDefaults = true;
+        };
+      };
+    };
+
+    nginx = {
+      recommendedProxySettings = true;
+      virtualHosts = {
+        "${domain}" = {
+          enableACME = true;
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://127.0.0.1:3002";
+            proxyWebsockets = true;
+          };
+        };
+      };
+    };
+  };
+
+  sops.secrets.postgres_hedgedoc.owner = config.systemd.services.hedgedoc.serviceConfig.User;
+  sops.secrets.hedgedoc_session_secret.owner = config.systemd.services.hedgedoc.serviceConfig.User;
+  sops.secrets.restic_hedgedoc.owner = config.systemd.services.hedgedoc.serviceConfig.User;
+  sops.secrets.kaki_private_key.group = "remote-backups";
+
+  systemd.services.hedgedoc.preStart = lib.mkBefore ''
+    export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})"
+    export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
+  '';
+  systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ];
+
+  systemd.services.hedgedoc-pgsetup = {
+    description = "Prepare HedgeDoc postgres database";
+    wantedBy = [ "multi-user.target" ];
+    after = [ "networking.target" "postgresql.service" ];
+    serviceConfig.Type = "oneshot";
+
+    path = [ pkgs.sudo config.services.postgresql.package ];
+    script = ''
+      sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE hedgedoc WITH PASSWORD '$(cat ${config.sops.secrets.postgres_hedgedoc.path})'"
+    '';
+  };
+}

secrets/durian.yaml

@@ -1,4 +1,6 @@
 postgres_keycloak: ENC[AES256_GCM,data:Vi0NLjpYDvFGIYYL/VPdgOqAS51KXQynBFlBjK64elU=,iv:JY65V7b8zWSX4aNEK5pD7iyxnqIr8jexcG3pIBNbmvg=,tag:auDyPClH1VbWbFoWWK5E9w==,type:str]
+postgres_hedgedoc: ENC[AES256_GCM,data:VCoWXZbNGWfmorTNZRFWkDUp0B5JMmsA+bJFVrUREj0=,iv:fnSs3FOgmFn5/BqKTODpwIq023ZRMF8s/JiDyf2ZqkE=,tag:oit5sHf6QffhYYi/WJk5SQ==,type:str]
+hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -14,8 +16,8 @@ sops:
             bzNnbFZnZnZiY0xsbVlvUStBblBMWGcK7HSz9iFQiH0BJ3etF09opJreBoBtiBZ0
             L74EBGuEV4+dNWqY3QwAASmDYJJ8ocQMuAgctjsgstKBKUeOrkhDRg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-08-16T13:03:32Z"
+    lastmodified: "2022-09-06T13:02:09Z"
-    mac: ENC[AES256_GCM,data:2exwH5VVfOOZ4SCwOcwFhg8Pwtmm936Cfn6A91YfyWu7tTkFq3vzFj0P3mG7RI0CyCTg1ptHt9j2zGKzy+mSO8Cb5ohPAJE/cuVkI998+D84uPkjLHHOq1wJRZxza9RHFiENPK0AOx3jSlAeFZqmIQPExX3gVRyJManU32OVu4o=,iv:xUXek6g9ayI5E7Exxq9EapesSfkD+AM3LWSVHPv2rLM=,tag:MpfvDuNse4UvOmcXASga0A==,type:str]
+    mac: ENC[AES256_GCM,data:9lbw83A7J9VUTrNsrTVNJQAfjK9ItMPAlNlsB5jOBXafBL0xMSWRhWVfgCwbmgmJ5SP6kpS8emCiHudqxdDLEReWomrBp3t0uabPiODIiI1AxB6DT6O+/9Dlnq5eXc1l/gw0xOPGRUZ+/WaHHddE8rhGFn/DhKrr3X0mZRwE18w=,iv:7DnEKYHlx3ZONSBsVY29+yNnCSvMCzgE6mP85frie6M=,tag:jSsXEiXXcMjgAxU9rp2soA==,type:str]
     pgp:
         - created_at: "2022-08-16T13:01:34Z"
           enc: |