chaos-jetzt-nixfiles/services/hedgedoc.nix

82 lines
2.2 KiB
Nix
Raw Normal View History

2023-07-24 16:54:48 +02:00
{ config
, baseDomain
, lib
, ...
}:
let
domain = "md.${baseDomain}";
isDev = (builtins.substring 0 3 baseDomain) == "dev";
realm = if isDev then "dev" else "chaos-jetzt";
sso_url = "https://sso.chaos.jetzt/auth/realms/${realm}/protocol/openid-connect";
sock_path = "/run/hedgedoc/hedgedoc.sock";
in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc_env" = {};
services.hedgedoc = {
enable = true;
environmentFile = config.sops.secrets.hedgedoc_env.path;
settings = {
inherit domain;
allowAnonymousEdits = true;
allowEmailRegister = false;
allowFreeURL = true;
requireFreeURLAuthentication = false;
allowGravatar = false;
allowOrigin = [ domain ];
db = {
dialect = "postgres";
host = "/run/postgresql";
};
email = false;
path = sock_path;
protocolUseSSL = true;
# NOTE(@e1mo): Currently disabled until we decide if we want
# SSO but left in here as this is a known working config.
oauth2 = lib.mkIf false {
2023-07-24 16:54:48 +02:00
baseURL = sso_url;
userProfileURL = "${sso_url}/userinfo";
userProfileUsernameAttr = "preferred_username";
userProfileDisplayNameAttr = "preferred_username";
userProfileEmailAttr = "email";
tokenURL = "${sso_url}/token";
authorizationURL = "${sso_url}/auth";
clientID = "hedgedoc";
providerName = if isDev then "SSO (dev)" else "SSO";
};
useCDN = false;
logLevel = "warn";
};
};
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://unix:${sock_path}";
proxyWebsockets = true;
};
};
services.postgresql = {
enable = true;
ensureDatabases = [ "hedgedoc" ];
ensureUsers = [{
name = "hedgedoc";
ensurePermissions."DATABASE hedgedoc" = "ALL PRIVILEGES";
}];
};
# Required for nginx to be able to access the hedgedoc socket
users.users.nginx.extraGroups = [ "hedgedoc" ];
systemd.services.hedgedoc = {
serviceConfig = {
UMask = "0007";
RuntimeDirectory = "hedgedoc";
};
};
}