haccfiles/parsons/hedgedoc-hacc.nix

{ config, lib, pkgs, evalConfig, ... }:

{

  sops.secrets = {
    "hedgedoc-hacc/env" = {};
  };

  containers.pad-hacc = {
    privateNetwork = true;
    hostAddress = "192.168.100.1";
    localAddress = "192.168.100.5";
    autoStart = true;
    ephemeral = true;
    bindMounts = {
      "/persist" = {
        hostPath = "/persist/containers/pad-hacc";
        isReadOnly = false;
      };
      "/secrets".hostPath = "/run/secrets/hedgedoc-hacc";
    };
    path = evalConfig ({ config, lib, ... }: {
      services.hedgedoc = {
        enable = true;
        settings = {
          allowAnonymous = true;
          allowFreeURL = true;
          allowGravatar = false;
          allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ];
          db = {
            host = "/run/postgresql";
            username = "codimd";
            dialect = "postgres";
            database = "codimd";
          };
          defaultPermission = "limited";
          domain  = "pad.hacc.space";
          host = "0.0.0.0";
          protocolUseSSL = true;
          hsts.preload = false;
          email = false;
          oauth2 = {
            authorizationURL = "https://login.infra4future.de/oauth2/authorize";
            tokenURL = "https://login.infra4future.de/oauth2/token";
            clientID = "hedgedoc";
            # must be set to make the NixOS module happy, but env var takes precedence
            clientSecret = "lol nope";
          };
        };
        environmentFile = "/secrets/env";
      };
      systemd.services.hedgedoc.environment = {
        "CMD_LOGLEVEL" = "warn";
        "CMD_OAUTH2_USER_PROFILE_URL" = "https://login.infra4future.de/oauth2/userinfo";
        "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "nickname";
        "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "name";
        "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
        "CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
      };

      services.postgresql = {
        enable = true;
        ensureDatabases = [ "codimd" ];
        ensureUsers = [{
          name = "codimd";
          ensureDBOwnership = true;
        }];
        authentication = ''
          local all all trust
          host  codimd  codimd  127.0.0.1/32  trust
        '';
        package = pkgs.postgresql_15;
      };
      services.postgresqlBackup = {
        enable = true;
        databases = [ "codimd" ];
        startAt = "*-*-* 23:45:00";
        location = "/persist/backups/postgres";
      };
      hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
    });
  };
  services.nginx.virtualHosts."pad.hacc.earth" = {
    enableACME = true;
    forceSSL = true;
    globalRedirect = "pad.hacc.space";
  };

  services.nginx.virtualHosts."pad.hacc.space" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${config.containers.pad-hacc.localAddress}:3000";
      extraConfig = ''
        add_header Access-Control-Allow-Origin "*";
        proxy_buffering off;
      '';
    };
  };
}