{ config, pkgs, lib, ... }:
let
domain = "pad.${config.networking.domain}";
template = pkgs.writeText "hedgedoc-template.md" ''
---
tags: listed
---
'';
in
{
services = {
postgresql = {
enable = true;
ensureUsers = [
{
name = "hedgedoc";
ensureDBOwnership = true;
}
];
ensureDatabases = [ "hedgedoc" ];
};
hedgedoc = {
enable = true;
settings = {
allowFreeURL = true;
port = 3002;
domain = "${domain}";
protocolUseSSL = true;
db = {
dialect = "postgres";
host = "/run/postgresql/";
};
sessionSecret = "\${SESSION_SECRET}";
csp = {
enable = true;
directives = {
scriptSrc = "${domain}";
};
upgradeInsecureRequest = "auto";
addDefaults = true;
};
allowGravatar = false;
## authentication
# disable email
email = false;
allowEmailRegister = false;
# allow anonymous editing, but not creation of pads
allowAnonymous = false;
allowAnonymousEdits = true;
defaultPermission = "limited";
defaultNotePath = builtins.toString template;
# ldap auth
ldap = rec {
url = "ldap://localhost";
searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
searchFilter = "(uid={{username}})";
bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
bindCredentials = "\${LDAP_CREDENTIALS}";
useridField = "uid";
providerName = "iFSR";
};
};
};
nginx = {
recommendedProxySettings = true;
virtualHosts = {
"${domain}" = {
locations."/" = {
proxyPass = "http://[::1]:${toString config.services.hedgedoc.settings.port}";
proxyWebsockets = true;
};
locations."/robots.txt" = {
extraConfig = ''
add_header Content-Type text/plain;
return 200 "User-agent: *\nDisallow: /\n";
'';
};
};
};
};
};
sops.secrets =
let
user = config.systemd.services.hedgedoc.serviceConfig.User;
in
{
hedgedoc_session_secret.owner = user;
hedgedoc_ldap_search = {
key = "portunus/search-password";
owner = user;
};
};
systemd.services.hedgedoc.preStart = lib.mkBefore ''
export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
export LDAP_CREDENTIALS="$(cat ${config.sops.secrets.hedgedoc_ldap_search.path})"
'';
}