From 76c9b07d565d84c27bc1b82fc11b069ca543618f Mon Sep 17 00:00:00 2001
From: schweby
Date: Sat, 7 Aug 2021 19:38:40 +0200
Subject: [PATCH] parsons: init hegedocs

---
 hosts/parsons/configuration.nix | 2 +
 services/hedgedoc_hacc.nix | 110 ++++++++++++++++++++++++++++++++
 services/hedgedoc_i4f.nix | 96 ++++++++++++++++++++++++++++
 3 files changed, 208 insertions(+)
 create mode 100644 services/hedgedoc_hacc.nix
 create mode 100644 services/hedgedoc_i4f.nix

diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix
index d3ca58a..7ad9e55 100644
--- a/hosts/parsons/configuration.nix
+++ b/hosts/parsons/configuration.nix
@@ -12,6 +12,8 @@
     ../../services/mattermost.nix
     ../../services/thelounge.nix
     ../../services/murmur.nix
+    ../../services/hedgedoc_hacc.nix
+    ../../services/hedgedoc_i4f.nix
   ];
 
   hexchen.encboot = {
diff --git a/services/hedgedoc_hacc.nix b/services/hedgedoc_hacc.nix
new file mode 100644
index 0000000..696ef6d
--- /dev/null
+++ b/services/hedgedoc_hacc.nix
@@ -0,0 +1,110 @@
+{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
+
+{
+  containers.hedgedoc = {
+    privateNetwork = true;
+    hostAddress = "192.168.100.1";
+    localAddress = "192.168.100.5";
+    autoStart = true;
+    bindMounts = {
+      "/persist" = {
+        hostPath = "/persist/containers/pad-hacc";
+        isReadOnly = false;
+      };
+    };
+    path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
+      boot.isContainer = true;
+      networking.useDHCP = false;
+      users.users.root.hashedPassword = "";
+
+      imports = [
+        ../modules/mattermost.nix
+        ((import sources.nix-hexchen) {}).profiles.nopersist
+      ];
+
+      nixpkgs.config.allowUnfree = true;
+      networking.firewall.enable = false;
+      networking.defaultGateway = {
+        address = "192.168.100.1";
+        interface = "eth0";
+      };
+      services.coredns = {
+        enable = true;
+        config = ''
+          .:53 {
+            forward . 1.1.1.1
+          }
+        '';
+      };
+      services.hedgedoc = {
+        enable = true;
+        configuration = {
+          allowAnonymous = true;
+          allowFreeURL = true;
+          allowGravatar = false;
+          allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ];
+          dbURL = "postgres://hedgedoc:hedgedoc@localhost:5432/hedgedoc";
+          defaultPermission = "limited";
+          domain = "pad.hacc.space";
+          host = "0.0.0.0";
+          protocolUseSSL = true;
+          hsts.preload = false;
+          email = false;
+          oauth2 = {
+            authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
+            tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
+            clientID = "hedgedoc";
+            clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
+          };
+        };
+      };
+      systemd.services.hedgedoc.environment = {
+        "CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
+        "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name";
+        "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name";
+        "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
+        "CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
+      };
+      services.postgresql = {
+        enable = true;
+        ensureDatabases = [ "hedgedoc" ];
+        ensureUsers = [{
+          name = "hedgedoc";
+          ensurePermissions = {
+            "DATABASE hedgedoc" = "ALL PRIVILEGES";
+          };
+        }];
+      };
+      services.postgresqlBackup = {
+        enable = true;
+        databases = [ "hedgedoc" ];
+        startAt = "*-*-* 23:45:00";
+      };
+    })).config.system.build.toplevel;
+  };
+  services.nginx.virtualHosts."pad.hacc.earth" = {
+    enableACME = true;
+    forceSSL = true;
+    globalRedirect = "pad.hacc.space";
+  };
+
+  services.nginx.virtualHosts."pad.hacc.space" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://192.168.100.3:3000";
+      extraConfig = ''
+        proxy_pass_request_headers on;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        add_header Access-Control-Allow-Origin "*";
+        proxy_buffering off;
+      '';
+    };
+  };
+}
diff --git a/services/hedgedoc_i4f.nix b/services/hedgedoc_i4f.nix
new file mode 100644
index 0000000..95b1016
--- /dev/null
+++ b/services/hedgedoc_i4f.nix
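Review bot: The OAuth2 client secret is committed in plaintext at `clientSecret = "1a730af1-…"` inside `services.hedgedoc.configuration`, and since the NixOS module renders that attribute set into a config file in the Nix store, which is world-readable, anyone with a shell on the host can read it, not only people with access to this repository. The hunk already passes CMD_OAUTH2_* settings through `systemd.services.hedgedoc.environment`, so the secret can leave the store the same way: drop the `clientSecret` line and point `services.hedgedoc.environmentFile` at a root-only file under the bind-mounted `/persist` that sets `CMD_OAUTH2_CLIENT_SECRET=<secret>`; the value now in git history should be treated as exposed and rotated at the identity provider. Separately, `proxyPass = "http://192.168.100.3:3000"` does not match the container's `localAddress = "192.168.100.5"`, so the vhost will proxy to the wrong address unless something else answers on .3; the same mismatch appears in hedgedoc_i4f.nix (`192.168.100.41` vs `192.168.100.6`). The `../modules/mattermost.nix` import inside a hedgedoc container also looks copy-pasted and is worth confirming.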
@@ -0,0 +1,96 @@
+{ config, lib, pkgs, modules, evalConfig, sources, ... }:
+
+{
+  containers.pad-i4f = {
+    privateNetwork = true;
+    hostAddress = "192.168.100.1";
+    localAddress = "192.168.100.6";
+    autoStart = true;
+    bindMounts = {
+      "/persist" = {
+        hostPath = "/persist/containers/pad-i4f";
+        isReadOnly = false;
+      };
+    };
+    path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
+      boot.isContainer = true;
+      networking.useDHCP = false;
+      users.users.root.hashedPassword = "";
+
+      imports = [
+        ../modules/mattermost.nix
+        ((import sources.nix-hexchen) {}).profiles.nopersist
+      ];
+
+      nixpkgs.config.allowUnfree = true;
+      networking.firewall.enable = false;
+      networking.defaultGateway = {
+        address = "192.168.100.1";
+        interface = "eth0";
+      };
+      services.coredns = {
+        enable = true;
+        config = ''
+          .:53 {
+            forward . 1.1.1.1
+          }
+        '';
+      };
+      services.hedgedoc = {
+        enable = true;
+        configuration = {
+          allowAnonymous = true;
+          allowFreeURL = true;
+          allowGravatar = false;
+          allowOrigin = [ "localhost" "pad.infra4future.de" "fff-muc.de" ];
+          dbURL = "postgres://hedgedoc:hedgedoc@localhost:5432/hedgedoc";
+          defaultPermission = "freely";
+          domain = "pad.infra4future.de";
+          host = "0.0.0.0";
+          protocolUseSSL = true;
+          hsts.preload = false;
+          email = false;
+        };
+      };
+      services.postgresql = {
+        enable = true;
+        authentication = ''
+          local all all trust
+          host hedgedoc hedgedoc 127.0.0.1/32 trust
+        '';
+        ensureDatabases = [ "hedgedoc" ];
+        ensureUsers = [{
+          name = "hedgedoc";
+          ensurePermissions = {
+            "DATABASE hedgedoc" = "ALL PRIVILEGES";
+          };
+        }];
+      };
+      services.postgresqlBackup = {
+        enable = true;
+        databases = [ "hedgedoc" ];
+        startAt = "*-*-* 23:45:00";
+      };
+    })).config.system.build.toplevel;
+  };
+
+  services.nginx.virtualHosts."pad.infra4future.de" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://192.168.100.41:3000";
+      extraConfig = ''
+        proxy_pass_request_headers on;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $http_connection;
+        add_header Access-Control-Allow-Origin "*";
+        proxy_buffering off;
+      '';
+    };
+  };
+}
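Review bot: The `authentication` block in `services.postgresql` uses `trust` for `local all all`, so any process inside the container can connect over the socket as any role, including the `postgres` superuser, with no password, and the `host hedgedoc hedgedoc 127.0.0.1/32 trust` line makes the password embedded in `dbURL` meaningless. Since `dbURL` already carries a password, the TCP rule can require it, `host hedgedoc hedgedoc 127.0.0.1/32 md5`, and the `local all all trust` line can be dropped; note that `ensureUsers` does not set a role password, so one has to be set on the `hedgedoc` role for that rule to work, which is presumably why `trust` was chosen here. The hacc variant of this file has no `authentication` block at all, so the two pads also disagree on how the database is reached, and one policy should be settled for both. As in hedgedoc_hacc.nix, `proxyPass = "http://192.168.100.41:3000"` does not match the container's `localAddress = "192.168.100.6"`.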