haccfiles/services/hedgedoc-hacc.nix

{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:

{
  containers.pad-hacc = {
    privateNetwork = true;
    hostAddress = "192.168.100.1";
    localAddress = "192.168.100.5";
    autoStart = true;
    bindMounts = {
      "/persist" = {
        hostPath = "/persist/containers/pad-hacc";
        isReadOnly = false;
      };
    };
    path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
      boot.isContainer = true;
      networking.useDHCP = false;
      users.users.root.hashedPassword = "";
      system.stateVersion = "21.05";

      imports = [ sources.nix-hexchen.nixosModules.profiles.nopersist ];

      nixpkgs.config.allowUnfree = true;
      networking.firewall.enable = false;
      networking.defaultGateway = {
        address = "192.168.100.1";
        interface = "eth0";
      };
      services.coredns = {
        enable = true;
        config = ''
        .:53 {
          forward . 1.1.1.1
        }
        '';
      };
      services.hedgedoc = {
        enable = true;
        configuration = {
          allowAnonymous = true;
          allowFreeURL = true;
          allowGravatar = false;
          allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ];
          db = {
            host = "/run/postgresql";
            username = "codimd";
            dialect = "postgres";
            database = "codimd";
          };
          defaultPermission = "limited";
          domain  = "pad.hacc.space";
          host = "0.0.0.0";
          protocolUseSSL = true;
          hsts.preload = false;
          email = false;
          oauth2 = {
            authorizationURL = "https://login.infra4future.de/oauth2/authorize";
            tokenURL = "https://login.infra4future.de/oauth2/token";
            clientID = "hedgedoc";
            # must be set to make the NixOS module happy, but env var takes precedence
            clientSecret = "lol nope";
          };
        };
        environmentFile = "/persist/secrets.env";
      };
      systemd.services.hedgedoc.environment = {
        "CMD_LOGLEVEL" = "warn";
        "CMD_OAUTH2_USER_PROFILE_URL" = "https://login.infra4future.de/oauth2/userinfo";
        "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "nickname";
        "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "name";
        "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
        "CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
      };

      services.postgresql = {
        enable = true;
        ensureDatabases = [ "codimd" ];
        ensureUsers = [{
          name = "codimd";
          ensurePermissions = {
            "DATABASE codimd" = "ALL PRIVILEGES";
          };
        }];
        authentication = ''
          local all all trust
          host  codimd  codimd  127.0.0.1/32  trust
        '';
        package = pkgs.postgresql_11;
      };
      services.postgresqlBackup = {
        enable = true;
        databases = [ "codimd" ];
        startAt = "*-*-* 23:45:00";
        location = "/persist/backups/postgres";
      };
    })).config.system.build.toplevel;
  };
  services.nginx.virtualHosts."pad.hacc.earth" = {
    enableACME = true;
    forceSSL = true;
    globalRedirect = "pad.hacc.space";
  };

  services.nginx.virtualHosts."pad.hacc.space" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${config.containers.pad-hacc.localAddress}:3000";
      extraConfig = ''
        add_header Access-Control-Allow-Origin "*";
        proxy_buffering off;
      '';
    };
  };
}
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:`

			`{`
parsons: fix hegedocs 2021-08-07 18:27:04 +00:00			`containers.pad-hacc = {`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`privateNetwork = true;`
			`hostAddress = "192.168.100.1";`
			`localAddress = "192.168.100.5";`
			`autoStart = true;`
			`bindMounts = {`
			`"/persist" = {`
			`hostPath = "/persist/containers/pad-hacc";`
			`isReadOnly = false;`
			`};`
			`};`
			`path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {`
			`boot.isContainer = true;`
			`networking.useDHCP = false;`
			`users.users.root.hashedPassword = "";`
containers: set stateVersion to 21.05 (which is what parsons is on as well) 2022-11-10 20:28:58 +00:00			`system.stateVersion = "21.05";`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00
shoehorn nix-hexchen-style config into flakes this replaces niv with nix flakes, attempting to preserve the old structure as much as possible. Notable caveats: - I'm not sure if flake inputs expose version information anywhere, so the version in pkgs/mattermost/default.nix is now hardcoded. Confusingly, this appears to trigger a rebuild. Maybe I've missed something. - a lot of the old-style host.nix & deploy.nix machinery in nix-hexchen does not work with flakes, and their newer replacements are not exposed by upstream; I've put basic imitations of the relevant parts in this repo - (in particular, directories in hosts/ won't become deployable configs automatically) - parts of the code are now probably more complicated than they'd have to be - old variables names were preserved; confusingly, this means the flake inputs are still called "sources" 2022-11-13 21:45:50 +00:00			`imports = [ sources.nix-hexchen.nixosModules.profiles.nopersist ];`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00
			`nixpkgs.config.allowUnfree = true;`
			`networking.firewall.enable = false;`
			`networking.defaultGateway = {`
			`address = "192.168.100.1";`
			`interface = "eth0";`
			`};`
			`services.coredns = {`
			`enable = true;`
			`config = ''`
			`.:53 {`
			`forward . 1.1.1.1`
			`}`
			`'';`
			`};`
			`services.hedgedoc = {`
			`enable = true;`
			`configuration = {`
			`allowAnonymous = true;`
			`allowFreeURL = true;`
			`allowGravatar = false;`
			`allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ];`
services/hedgedocs: use socket auth for postgres 2022-01-12 18:33:07 +00:00			`db = {`
			`host = "/run/postgresql";`
fixer tous les things 2022-01-27 20:20:25 +00:00			`username = "codimd";`
services/hedgedocs: use socket auth for postgres 2022-01-12 18:33:07 +00:00			`dialect = "postgres";`
			`database = "codimd";`
			`};`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`defaultPermission = "limited";`
			`domain = "pad.hacc.space";`
			`host = "0.0.0.0";`
			`protocolUseSSL = true;`
			`hsts.preload = false;`
			`email = false;`
			`oauth2 = {`
feat: new SSO!!!! :tada: 2022-04-30 20:43:12 +00:00			`authorizationURL = "https://login.infra4future.de/oauth2/authorize";`
			`tokenURL = "https://login.infra4future.de/oauth2/token";`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`clientID = "hedgedoc";`
environmentFiles are generally a good and reasonable idea 2022-11-11 15:28:50 +00:00			`# must be set to make the NixOS module happy, but env var takes precedence`
			`clientSecret = "lol nope";`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`};`
			`};`
environmentFiles are generally a good and reasonable idea 2022-11-11 15:28:50 +00:00			`environmentFile = "/persist/secrets.env";`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`};`
			`systemd.services.hedgedoc.environment = {`
services/hedgedoc: lower loglevel to warn 2022-01-19 20:22:32 +00:00			`"CMD_LOGLEVEL" = "warn";`
feat: new SSO!!!! :tada: 2022-04-30 20:43:12 +00:00			`"CMD_OAUTH2_USER_PROFILE_URL" = "https://login.infra4future.de/oauth2/userinfo";`
			`"CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "nickname";`
			`"CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "name";`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`"CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";`
			`"CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";`
			`};`
environmentFiles are generally a good and reasonable idea 2022-11-11 15:28:50 +00:00
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`services.postgresql = {`
			`enable = true;`
parsons: fix hegedocs 2021-08-07 18:27:04 +00:00			`ensureDatabases = [ "codimd" ];`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`ensureUsers = [{`
parsons: fix hegedocs 2021-08-07 18:27:04 +00:00			`name = "codimd";`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`ensurePermissions = {`
parsons: fix hegedocs 2021-08-07 18:27:04 +00:00			`"DATABASE codimd" = "ALL PRIVILEGES";`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`};`
			`}];`
fixing pad.hacc.space (hopefully) (I haven't tested this, since I don't want to try the upgrade-adventure a second time today, but I think this should fix it) 2022-01-12 22:59:48 +00:00			`authentication = ''`
			`local all all trust`
fixer tous les things 2022-01-27 20:20:25 +00:00			`host codimd codimd 127.0.0.1/32 trust`
fixing pad.hacc.space (hopefully) (I haven't tested this, since I don't want to try the upgrade-adventure a second time today, but I think this should fix it) 2022-01-12 22:59:48 +00:00			`'';`
fixer tous les things 2022-01-27 20:20:25 +00:00			`package = pkgs.postgresql_11;`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`};`
			`services.postgresqlBackup = {`
			`enable = true;`
parsons: fix hegedocs 2021-08-07 18:27:04 +00:00			`databases = [ "codimd" ];`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`startAt = "--* 23:45:00";`
parsons: fix hegedocs 2021-08-07 18:27:04 +00:00			`location = "/persist/backups/postgres";`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`};`
			`})).config.system.build.toplevel;`
			`};`
			`services.nginx.virtualHosts."pad.hacc.earth" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`globalRedirect = "pad.hacc.space";`
			`};`

			`services.nginx.virtualHosts."pad.hacc.space" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
parsons: fix hegedocs 2021-08-07 18:27:04 +00:00			`proxyPass = "http://${config.containers.pad-hacc.localAddress}:3000";`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`extraConfig = ''`
			`add_header Access-Control-Allow-Origin "*";`
			`proxy_buffering off;`
			`'';`
			`};`
			`};`
			`}`