services/hedgedoc: Init

2026-02-09 20:39:18 -08:00 · 2021-09-10 03:39:53 +01:00 · 2021-09-10 03:39:53 +01:00 · c69008f554
commit c69008f554
parent c47c41d628
2 changed files with 86 additions and 0 deletions
--- a/config/hosts/daiyousei.nix
+++ b/config/hosts/daiyousei.nix
@ -6,6 +6,7 @@
    services.nginx
    services.keycloak
    services.openldap
+    services.hedgedoc
    services.dnscrypt-proxy
  ];

--- a/config/services/hedgedoc.nix
+++ b/config/services/hedgedoc.nix
@ -0,0 +1,85 @@
+{ config, lib, tf, ... }: with lib;
+
+{
+  kw.secrets.variables = (mapListToAttrs
+    (field:
+      nameValuePair "hedgedoc-${field}" {
+        path = "services/hedgedoc";
+        inherit field;
+      }) [ "secret" ]);
+
+  secrets.files.hedgedoc-env = {
+    text = ''
+      CMD_OAUTH2_USER_PROFILE_URL=https://auth.${config.network.dns.domain}/auth/realms/kittywitch/protocol/openid-connect/userinfo
+      CMD_OAUTH2_CLIENT_SECRET=${tf.variables.hedgedoc-secret.ref}
+      CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
+      CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
+      CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
+      CMD_OAUTH2_PROVIDERNAME=Keycloak
+      CMD_DOMAIN=md.kittywit.ch
+    '';
+    owner = "hedgedoc";
+    group = "hedgedoc";
+  };
+
+  services.hedgedoc = {
+    enable = true;
+    configuration = {
+      debug = true;
+      path = "/run/hedgedoc/hedgedoc.sock";
+      domain = "md.${config.network.dns.domain}";
+      protocolUseSSL = true;
+      allowFreeURL = true;
+      email = false;
+      allowEmailRegister = false;
+      allowAnonymous = false;
+      allowAnonymousEdits = true;
+      imageUploadType = "filesystem";
+      allowGravatar = true;
+      db = {
+        dialect = "postgres";
+        host = "/run/postgresql";
+      };
+      oauth2 = {
+        tokenURL = "https://auth.${config.network.dns.domain}/auth/realms/kittywitch/protocol/openid-connect/token";
+        authorizationURL = "https://auth.${config.network.dns.domain}/auth/realms/kittywitch/protocol/openid-connect/auth";
+        clientID = "hedgedoc";
+        clientSecret = "";
+      };
+    };
+    environmentFile = config.secrets.files.hedgedoc-env.path;
+  };
+
+  deploy.tf.dns.records.services_hedgedoc = {
+    inherit (config.network.dns) zone;
+    domain = "md";
+    cname = { inherit (config.network.addresses.public) target; };
+  };
+
+  systemd.services.hedgedoc = {
+    serviceConfig = {
+      UMask = "0007";
+      RuntimeDirectory = "hedgedoc";
+    };
+  };
+
+  services.postgresql = {
+    ensureDatabases = [ "hedgedoc" ];
+    ensureUsers = [
+      {
+        name = "hedgedoc";
+        ensurePermissions."DATABASE hedgedoc" = "ALL PRIVILEGES";
+      }
+    ];
+  };
+
+  users.users.nginx.extraGroups = [ "hedgedoc" ];
+  services.nginx.virtualHosts."md.${config.network.dns.domain}" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://unix:/run/hedgedoc/hedgedoc.sock";
+      proxyWebsockets = true;
+    };
+  };
+}