haccfiles/parsons/hedgedoc-i4f.nix

{ config, lib, pkgs, evalConfig, ... }:

{
  containers.pad-i4f = {
    privateNetwork = true;
    hostAddress = "192.168.100.1";
    localAddress = "192.168.100.6";
    autoStart = true;
    ephemeral = true;
    bindMounts = {
      "/persist" = {
        hostPath = "/persist/containers/pad-i4f";
        isReadOnly = false;
      };
    };
    path = evalConfig ({ config, lib, ... }: {
      services.hedgedoc = {
        enable = true;
        settings = {
          allowAnonymous = true;
          allowFreeURL = true;
          allowGravatar = false;
          allowOrigin = [ "localhost" "pad.infra4future.de" "fff-muc.de" ];
          db = {
            host = "/run/postgresql";
            dialect = "postgres";
            database = "hedgedoc";
          };
          defaultPermission = "freely";
          domain  = "pad.infra4future.de";
          host = "0.0.0.0";
          protocolUseSSL = true;
          hsts.preload = false;
          email = false;
          };
        };
      systemd.services.hedgedoc.environment = {
        "CMD_LOGLEVEL" = "warn";
      };
      services.postgresql = {
        enable = true;
        package = pkgs.postgresql_15;
        authentication = ''
          local all       all                     trust
          host  hedgedoc  hedgedoc  127.0.0.1/32  trust
          '';
        ensureDatabases = [ "hedgedoc" ];
        ensureUsers = [{
          name = "hedgedoc";
          ensureDBOwnership = true;
        }];
      };
      services.postgresqlBackup = {
        enable = true;
        databases = [ "hedgedoc" ];
        startAt = "*-*-* 23:45:00";
        location = "/persist/backups/postgres";
      };
      hacc.bindToPersist = [ "/var/lib/hedgedoc" ];
    });
  };

  services.nginx.virtualHosts."pad.infra4future.de" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${config.containers.pad-i4f.localAddress}:3000";
      extraConfig = ''
        add_header Access-Control-Allow-Origin "*";
        proxy_buffering off;
      '';
    };
  };
}
less verbose container definitions move some options (the nopersist & container profiles + allowUnfree packages) into the evalConfig used for containers, so we don't have to repeat ourselves as much. also removed some no-longer-needed specialArgs. also made thelounge work with nopersist, which for some reason it didn't use before. 2023-09-27 21:24:23 +00:00			`{ config, lib, pkgs, evalConfig, ... }:`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00
			`{`
			`containers.pad-i4f = {`
			`privateNetwork = true;`
			`hostAddress = "192.168.100.1";`
			`localAddress = "192.168.100.6";`
			`autoStart = true;`
make all nixos containers ephemeral 2024-02-22 20:15:41 +00:00			`ephemeral = true;`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`bindMounts = {`
			`"/persist" = {`
			`hostPath = "/persist/containers/pad-i4f";`
			`isReadOnly = false;`
			`};`
			`};`
less verbose container definitions move some options (the nopersist & container profiles + allowUnfree packages) into the evalConfig used for containers, so we don't have to repeat ourselves as much. also removed some no-longer-needed specialArgs. also made thelounge work with nopersist, which for some reason it didn't use before. 2023-09-27 21:24:23 +00:00			`path = evalConfig ({ config, lib, ... }: {`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`services.hedgedoc = {`
			`enable = true;`
nixos-22.11: fix module warnings (also wow nextcloud encryption is apparently broken. colour me surprised!) 2022-11-23 23:03:50 +00:00			`settings = {`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`allowAnonymous = true;`
			`allowFreeURL = true;`
			`allowGravatar = false;`
			`allowOrigin = [ "localhost" "pad.infra4future.de" "fff-muc.de" ];`
services/hedgedocs: use socket auth for postgres 2022-01-12 18:33:07 +00:00			`db = {`
			`host = "/run/postgresql";`
			`dialect = "postgres";`
			`database = "hedgedoc";`
			`};`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`defaultPermission = "freely";`
			`domain = "pad.infra4future.de";`
			`host = "0.0.0.0";`
			`protocolUseSSL = true;`
			`hsts.preload = false;`
			`email = false;`
			`};`
			`};`
services/hedgedoc: lower loglevel to warn 2022-01-19 20:22:32 +00:00			`systemd.services.hedgedoc.environment = {`
			`"CMD_LOGLEVEL" = "warn";`
			`};`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`services.postgresql = {`
			`enable = true;`
initial work towards nixos 23.11 Note: this updates all postgres instances, since postgresql_11 no longer exists. 2023-11-30 16:43:48 +00:00			`package = pkgs.postgresql_15;`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`authentication = ''`
			`local all all trust`
			`host hedgedoc hedgedoc 127.0.0.1/32 trust`
			`'';`
			`ensureDatabases = [ "hedgedoc" ];`
			`ensureUsers = [{`
			`name = "hedgedoc";`
initial work towards nixos 23.11 Note: this updates all postgres instances, since postgresql_11 no longer exists. 2023-11-30 16:43:48 +00:00			`ensureDBOwnership = true;`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`}];`
			`};`
			`services.postgresqlBackup = {`
			`enable = true;`
			`databases = [ "hedgedoc" ];`
			`startAt = "--* 23:45:00";`
parsons: fix hegedocs 2021-08-07 18:27:04 +00:00			`location = "/persist/backups/postgres";`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`};`
bundle hexchen's nopersist & bindmount moduls the bind mount module has been tweaked in a couple ways: - rename hexchen.* to hacc.* - rename bindmount to bindMount to make it consistent with usage in the nixpkgs container module - add a hacc.bindToPersist option as shorthand for prepending /perist to a path via bind mount the nopersist module has been shortened a little by moving service-specific things which are used once out into the individual service files, and removing those which we don't need at all (this also means we get to loose a mkForce or two in case of mismatches between hexchen's and our current config). 2024-01-31 22:30:06 +00:00			`hacc.bindToPersist = [ "/var/lib/hedgedoc" ];`
nicer container configs today i woke up to the realisation that there's an extremely obvious way to make these nicer, & then i did exactly that. For some reason I did not think of this when originally removing the dependency to nix-hexchen's evalConfig. unfortunately, this is not /quite/ a no-op. The only actual change is different whitespace in some of the semantically-equivalent coredns-configs that got unified. 2023-02-18 13:45:14 +00:00			`});`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`};`

			`services.nginx.virtualHosts."pad.infra4future.de" = {`
			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
parsons: fix hegedocs 2021-08-07 18:27:04 +00:00			`proxyPass = "http://${config.containers.pad-i4f.localAddress}:3000";`
parsons: init hegedocs 2021-08-07 17:38:40 +00:00			`extraConfig = ''`
			`add_header Access-Control-Allow-Origin "*";`
			`proxy_buffering off;`
			`'';`
			`};`
			`};`
			`}`