chaos-jetzt-nixfiles/services/hedgedoc.nix
Moritz 'e1mo' Fromm 08e525b19d
hedgedoc: Init
2023-08-13 21:00:26 +02:00

79 lines
2 KiB
Nix

{ config
, baseDomain
, lib
, ...
}:
let
domain = "md.${baseDomain}";
isDev = (builtins.substring 0 3 baseDomain) == "dev";
realm = if isDev then "dev" else "chaos-jetzt";
sso_url = "https://sso.chaos.jetzt/auth/realms/${realm}/protocol/openid-connect";
sock_path = "/run/hedgedoc/hedgedoc.sock";
in {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc_env" = {};
services.hedgedoc = {
enable = true;
environmentFile = config.sops.secrets.hedgedoc_env.path;
settings = {
inherit domain;
allowAnonymousEdits = true;
allowEmailRegister = false;
allowFreeURL = true;
requireFreeURLAuthentication = false;
allowGravatar = false;
allowOrigin = [ domain ];
db = {
dialect = "postgres";
host = "/run/postgresql";
};
email = false;
path = sock_path;
protocolUseSSL = true;
oauth2 = {
baseURL = sso_url;
userProfileURL = "${sso_url}/userinfo";
userProfileUsernameAttr = "preferred_username";
userProfileDisplayNameAttr = "preferred_username";
userProfileEmailAttr = "email";
tokenURL = "${sso_url}/token";
authorizationURL = "${sso_url}/auth";
clientID = "hedgedoc";
providerName = if isDev then "SSO (dev)" else "SSO";
};
useCDN = false;
logLevel = "warn";
};
};
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://unix:${sock_path}";
proxyWebsockets = true;
};
};
services.postgresql = {
enable = true;
ensureDatabases = [ "hedgedoc" ];
ensureUsers = [{
name = "hedgedoc";
ensurePermissions."DATABASE hedgedoc" = "ALL PRIVILEGES";
}];
};
# Required for nginx to be able to access the hedgedoc socket
users.users.nginx.extraGroups = [ "hedgedoc" ];
systemd.services.hedgedoc = {
serviceConfig = {
UMask = "0007";
RuntimeDirectory = "hedgedoc";
};
};
}