{ config, pkgs, lib, ... }: let domain = "pad.${config.networking.domain}"; template = pkgs.writeText "hedgedoc-template.md" '' --- tags: listed --- ''; in { services = { postgresql = { enable = true; ensureUsers = [ { name = "hedgedoc"; ensureDBOwnership = true; } ]; ensureDatabases = [ "hedgedoc" ]; }; hedgedoc = { enable = true; settings = { allowFreeURL = true; port = 3002; domain = "${domain}"; protocolUseSSL = true; db = { dialect = "postgres"; host = "/run/postgresql/"; }; sessionSecret = "\${SESSION_SECRET}"; csp = { enable = true; directives = { scriptSrc = "${domain}"; }; upgradeInsecureRequest = "auto"; addDefaults = true; }; allowGravatar = false; ## authentication # disable email email = false; allowEmailRegister = false; # allow anonymous editing, but not creation of pads allowAnonymous = false; allowAnonymousEdits = true; defaultPermission = "limited"; defaultNotePath = builtins.toString template; # ldap auth ldap = rec { url = "ldap://localhost"; searchBase = "ou=users,${config.services.portunus.ldap.suffix}"; searchFilter = "(uid={{username}})"; bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}"; bindCredentials = "\${LDAP_CREDENTIALS}"; useridField = "uid"; providerName = "iFSR"; }; }; }; nginx = { recommendedProxySettings = true; virtualHosts = { "${domain}" = { locations."/" = { proxyPass = "http://[::1]:${toString config.services.hedgedoc.settings.port}"; proxyWebsockets = true; }; locations."/robots.txt" = { extraConfig = '' add_header Content-Type text/plain; return 200 "User-agent: *\nDisallow: /\n"; ''; }; }; }; }; }; sops.secrets = let user = config.systemd.services.hedgedoc.serviceConfig.User; in { hedgedoc_session_secret.owner = user; hedgedoc_ldap_search = { key = "portunus/search-password"; owner = user; }; }; systemd.services.hedgedoc.preStart = lib.mkBefore '' export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})" export LDAP_CREDENTIALS="$(cat ${config.sops.secrets.hedgedoc_ldap_search.path})" ''; }