{ config, pkgs, lib, ... }: let domain = "pad.${config.fsr.domain}"; in { services = { postgresql = { enable = true; ensureUsers = [ { name = "hedgedoc"; ensurePermissions = { "DATABASE hedgedoc" = "ALL PRIVILEGES"; }; } ]; ensureDatabases = [ "hedgedoc" ]; }; hedgedoc = { enable = true; configuration = { port = 3002; domain = "${domain}"; protocolUseSSL = true; dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc"; sessionSecret = "\${SESSION_SECRET}"; allowAnonymousEdits = true; csp = { enable = true; directives = { scriptSrc = "${domain}"; }; upgradeInsecureRequest = "auto"; addDefaults = true; }; }; }; nginx = { recommendedProxySettings = true; virtualHosts = { "${domain}" = { enableACME = true; forceSSL = true; locations."/" = { proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}"; proxyWebsockets = true; }; }; }; }; }; sops.secrets.postgres_hedgedoc.owner = config.systemd.services.hedgedoc.serviceConfig.User; sops.secrets.hedgedoc_session_secret.owner = config.systemd.services.hedgedoc.serviceConfig.User; systemd.services.hedgedoc.preStart = lib.mkBefore '' export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})" export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})" ''; systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ]; systemd.services.hedgedoc-pgsetup = { description = "Prepare HedgeDoc postgres database"; wantedBy = [ "multi-user.target" ]; after = [ "networking.target" "postgresql.service" ]; serviceConfig.Type = "oneshot"; path = [ pkgs.sudo config.services.postgresql.package ]; script = '' sudo -u ${config.services.postgresql.superUser} psql -c "ALTER ROLE hedgedoc WITH PASSWORD '$(cat ${config.sops.secrets.postgres_hedgedoc.path})'" ''; }; }