nixos-config/machines/renge/services/hedgedoc.nix
Simon Bruder f945341668
Relicense
This applies the REUSE specification to the repository, so the licensing
information can be tracked for every file individually.
2024-01-13 14:35:31 +01:00

65 lines
1.6 KiB
Nix

# SPDX-FileCopyrightText: 2021-2023 Simon Bruder <simon@sbruder.de>
#
# SPDX-License-Identifier: AGPL-3.0-or-later
{ config, lib, pkgs, ... }:
let
cfg = config.services.hedgedoc;
in
{
services.postgresql = {
enable = true;
ensureDatabases = [ "hedgedoc" ];
ensureUsers = lib.singleton {
name = "hedgedoc";
ensureDBOwnership = true;
};
};
services.hedgedoc = {
enable = true;
settings = {
host = "127.0.0.1";
port = 3001;
db = {
dialect = "postgres";
host = "/run/postgresql";
user = "hedgedoc";
database = "hedgedoc";
};
domain = "pad.sbruder.de";
protocolUseSSL = true;
csp.enable = true;
imageUploadType = "filesystem";
};
};
systemd.services.hedgedoc = {
after = [ "postgresql.service" ];
preStart = toString (pkgs.writeShellScript "hedgedoc-generate-session-secret" ''
if [ ! -f /var/lib/hedgedoc/session_secret_env ]; then
echo "CMD_SESSION_SECRET=$(${pkgs.pwgen}/bin/pwgen -s 32 1)" > /var/lib/hedgedoc/session_secret_env
fi
'');
serviceConfig = {
Environment = [
"CMD_LOGLEVEL=warn"
];
EnvironmentFile = [
"-/var/lib/hedgedoc/session_secret_env" # - ensures that it will not fail on first start
];
};
};
systemd.tmpfiles.rules = [
"d ${cfg.settings.uploadsPath} 0700 hedgedoc hedgedoc - -"
];
services.nginx.virtualHosts."pad.sbruder.de" = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${cfg.settings.host}:${toString cfg.settings.port}";
};
}