From c69008f554550e228b74cff5f448953e9f716e14 Mon Sep 17 00:00:00 2001
From: kat witch
Date: Fri, 10 Sep 2021 03:39:53 +0100
Subject: [PATCH] services/hedgedoc: Init

---
 config/hosts/daiyousei.nix | 1 +
 config/services/hedgedoc.nix | 85 ++++++++++++++++++++++++++++++++++++
 2 files changed, 86 insertions(+)
 create mode 100644 config/services/hedgedoc.nix

diff --git a/config/hosts/daiyousei.nix b/config/hosts/daiyousei.nix
index 20dd8217..791df59e 100644
--- a/config/hosts/daiyousei.nix
+++ b/config/hosts/daiyousei.nix
@@ -6,6 +6,7 @@
 services.nginx
 services.keycloak
 services.openldap
+ services.hedgedoc
 services.dnscrypt-proxy
 ];
 
diff --git a/config/services/hedgedoc.nix b/config/services/hedgedoc.nix
new file mode 100644
index 00000000..fa85c1bd
--- /dev/null
+++ b/config/services/hedgedoc.nix
@@ -0,0 +1,85 @@
+{ config, lib, tf, ... }: with lib;
+
+{
+ kw.secrets.variables = (mapListToAttrs
+ (field:
+ nameValuePair "hedgedoc-${field}" {
+ path = "services/hedgedoc";
+ inherit field;
+ }) [ "secret" ]);
+
+ secrets.files.hedgedoc-env = {
+ text = ''
+ CMD_OAUTH2_USER_PROFILE_URL=https://auth.${config.network.dns.domain}/auth/realms/kittywitch/protocol/openid-connect/userinfo
+ CMD_OAUTH2_CLIENT_SECRET=${tf.variables.hedgedoc-secret.ref}
+ CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
+ CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
+ CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
+ CMD_OAUTH2_PROVIDERNAME=Keycloak
+ CMD_DOMAIN=md.kittywit.ch
+ '';
+ owner = "hedgedoc";
+ group = "hedgedoc";
+ };
+
+ services.hedgedoc = {
+ enable = true;
+ configuration = {
+ debug = true;
+ path = "/run/hedgedoc/hedgedoc.sock";
+ domain = "md.${config.network.dns.domain}";
+ protocolUseSSL = true;
+ allowFreeURL = true;
+ email = false;
+ allowEmailRegister = false;
+ allowAnonymous = false;
+ allowAnonymousEdits = true;
+ imageUploadType = "filesystem";
+ allowGravatar = true;
+ db = {
+ dialect = "postgres";
+ host = "/run/postgresql";
+ };
+ oauth2 = {
+ tokenURL = "https://auth.${config.network.dns.domain}/auth/realms/kittywitch/protocol/openid-connect/token";
+ authorizationURL = "https://auth.${config.network.dns.domain}/auth/realms/kittywitch/protocol/openid-connect/auth";
+ clientID = "hedgedoc";
+ clientSecret = "";
+ };
+ };
+ environmentFile = config.secrets.files.hedgedoc-env.path;
+ };
+
+ deploy.tf.dns.records.services_hedgedoc = {
+ inherit (config.network.dns) zone;
+ domain = "md";
+ cname = { inherit (config.network.addresses.public) target; };
+ };
+
+ systemd.services.hedgedoc = {
+ serviceConfig = {
+ UMask = "0007";
+ RuntimeDirectory = "hedgedoc";
+ };
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ "hedgedoc" ];
+ ensureUsers = [
+ {
+ name = "hedgedoc";
+ ensurePermissions."DATABASE hedgedoc" = "ALL PRIVILEGES";
+ }
+ ];
+ };
+
+ users.users.nginx.extraGroups = [ "hedgedoc" ];
+ services.nginx.virtualHosts."md.${config.network.dns.domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://unix:/run/hedgedoc/hedgedoc.sock";
+ proxyWebsockets = true;
+ };
+ };
+}
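Review bot: `debug = true;` inside services.hedgedoc.configuration switches HedgeDoc into its verbose debug logging mode on what is otherwise a production, TLS-terminated service that also holds an OAuth client secret, so it should be `debug = false;` or dropped before this lands. `CMD_DOMAIN=md.kittywit.ch` in the environment file hard-codes a value that `domain = "md.${config.network.dns.domain}"` already derives, and because HedgeDoc gives environment variables precedence over the generated config the two can silently diverge if the DNS domain ever changes; either remove the `CMD_DOMAIN` line or write it as `CMD_DOMAIN=md.${config.network.dns.domain}`. The combination `allowAnonymous = false`, `allowAnonymousEdits = true` and `allowFreeURL = true` is a security-relevant access-control choice that deserves a comment, e.g. `# Only Keycloak-authenticated users may create notes; unauthenticated visitors may still edit notes whose permission allows it`. The empty `clientSecret = "";` is presumably a placeholder overridden by CMD_OAUTH2_CLIENT_SECRET from the environment file, which is worth stating in a comment next to it so nobody later "fixes" it by putting the secret into the world-readable store config.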