{ config, lib, pkgs, ... }: { containers.codimd = { privateNetwork = true; hostAddress = "192.168.100.1"; localAddress = "192.168.100.3"; autoStart = true; config = { config, lib, pkgs, ... }: { networking.firewall.enable = false; services.coredns = { enable = true; config = '' .:53 { forward . 1.1.1.1 } ''; }; services.hedgedoc = { enable = true; configuration = { allowAnonymous = true; allowFreeURL = true; allowGravatar = false; allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ]; dbURL = "postgres://codimd:codimd@localhost:5432/codimd"; defaultPermission = "limited"; domain = "pad.hacc.space"; host = "0.0.0.0"; protocolUseSSL = true; hsts.preload = false; email = false; oauth2 = { authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth"; tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token"; clientID = "codimd"; clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62"; }; }; }; systemd.services.hedgedoc.environment = { "CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo"; "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name"; "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name"; "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email"; "CMD_OAUTH2_PROVIDERNAME" = "Infra4Future"; }; services.postgresql = { enable = true; ensureDatabases = [ "codimd" ]; ensureUsers = [{ name = "codimd"; ensurePermissions = { "DATABASE codimd" = "ALL PRIVILEGES"; }; }]; }; services.postgresqlBackup = { enable = true; databases = [ "codimd" ]; startAt = "*-*-* 23:45:00"; }; }; }; services.nginx.virtualHosts."pad.hacc.space" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://192.168.100.3:3000"; extraConfig = '' proxy_pass_request_headers on; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; add_header Access-Control-Allow-Origin "*"; proxy_buffering off; ''; }; }; services.nginx.virtualHosts."pad.hacc.earth" = { forceSSL = true; enableACME = true; locations."/".return = "301 https://pac.hacc.space$request_uri"; }; }