diff --git a/machines/fuuko/configuration.nix b/machines/fuuko/configuration.nix
index 7ffe9c3..3942b37 100644
--- a/machines/fuuko/configuration.nix
+++ b/machines/fuuko/configuration.nix
@@ -8,6 +8,7 @@
 ./services/ankisyncd.nix
 ./services/dnsmasq.nix
 ./services/grafana.nix
+ ./services/hedgedoc.nix
 ./services/media.nix
 ./services/prometheus.nix
 ./services/scan.nix
diff --git a/machines/fuuko/services/hedgedoc.nix b/machines/fuuko/services/hedgedoc.nix
new file mode 100644
index 0000000..ee498da
--- /dev/null
+++ b/machines/fuuko/services/hedgedoc.nix
@@ -0,0 +1,62 @@
+{ config, lib, pkgs, ... }:
+let
+ cfg = config.services.hedgedoc;
+in
+{
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ "hedgedoc" ];
+ ensureUsers = lib.singleton {
+ name = "codimd";
+ ensurePermissions = {
+ "DATABASE hedgedoc" = "ALL PRIVILEGES";
+ };
+ };
+ };
+
+ services.hedgedoc = {
+ enable = true;
+ configuration = {
+ host = "127.0.0.1";
+ port = 3001;
+ db = {
+ dialect = "postgres";
+ host = "/run/postgresql";
+ #user = "hedgedoc";
+ database = "hedgedoc";
+ };
+ domain = "pad.sbruder.de";
+ protocolUseSSL = true;
+ csp.enable = true;
+ imageUploadType = "filesystem";
+ uploadsPath = "/data/hedgedoc/uploads";
+ };
+ };
+
+ systemd.services.hedgedoc = {
+ preStart = toString (pkgs.writeShellScript "hedgedoc-generate-session-secret" ''
+ if [ ! -f ${cfg.workDir}/session_secret_env ]; then
+ echo "CMD_SESSION_SECRET=$(${pkgs.pwgen}/bin/pwgen -s 32 1)" > ${cfg.workDir}/session_secret_env
+ fi
+ '');
+ serviceConfig = {
+ Environment = [
+ "CMD_LOGLEVEL=warn"
+ ];
+ EnvironmentFile = [
+ "-${cfg.workDir}/session_secret_env" # - ensures that it will not fail on first start
+ ];
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${cfg.configuration.uploadsPath} 0700 codimd codimd - -"
+ ];
+
+ services.nginx.virtualHosts."pad.sbruder.de" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/".proxyPass = "http://${cfg.configuration.host}:${toString cfg.configuration.port}";
+ };
+}
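Review bot: The session secret written by the preStart script (`echo "CMD_SESSION_SECRET=..." > ${cfg.workDir}/session_secret_env`) is created with the unit's default umask, so unless `${cfg.workDir}` itself denies access to other local users the file is likely readable by everyone on the host; put `umask 077` as the first line of the script so the secret file is only readable by the service user. The secret is generated once and persists, so a permission fix after the fact does not retroactively cover a file that was already created world-readable — a `chmod 600` on the existing file is also worth adding. The commented-out `#user = "hedgedoc";` in the `db` block leaves the reader guessing how the database role is chosen; a comment such as `# no db.user set: peer auth over /run/postgresql is expected to map the service user to the "codimd" role` would record the intent (assuming that is why it was dropped — the ensureUsers entry and the tmpfiles rule both use `codimd`). The inline explanation of the `-` prefix on EnvironmentFile is helpful and should stay.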