{ config, lib, pkgs, ... }: { sops.secrets = { "hedgedoc-hacc/env" = {}; }; containers.pad-hacc.bindMounts = { "/secrets".hostPath = "/run/secrets/hedgedoc-hacc"; }; hacc.containers.pad-hacc = { config = { config, lib, ... }: { services.hedgedoc = { enable = true; settings = { allowAnonymous = true; allowFreeURL = true; allowGravatar = false; allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ]; db = { host = "/run/postgresql"; username = "codimd"; dialect = "postgres"; database = "codimd"; }; defaultPermission = "limited"; domain = "pad.hacc.space"; host = "0.0.0.0"; protocolUseSSL = true; hsts.preload = false; email = false; oauth2 = { authorizationURL = "https://login.infra4future.de/oauth2/authorize"; tokenURL = "https://login.infra4future.de/oauth2/token"; clientID = "hedgedoc"; # must be set to make the NixOS module happy, but env var takes precedence clientSecret = "lol nope"; }; }; environmentFile = "/secrets/env"; }; systemd.services.hedgedoc.environment = { "CMD_LOGLEVEL" = "warn"; "CMD_OAUTH2_USER_PROFILE_URL" = "https://login.infra4future.de/oauth2/userinfo"; "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "nickname"; "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "name"; "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email"; "CMD_OAUTH2_PROVIDERNAME" = "Infra4Future"; }; services.postgresql = { enable = true; ensureDatabases = [ "codimd" ]; ensureUsers = [{ name = "codimd"; ensureDBOwnership = true; }]; authentication = '' local all all trust host codimd codimd 127.0.0.1/32 trust ''; package = pkgs.postgresql_15; }; services.postgresqlBackup = { enable = true; databases = [ "codimd" ]; startAt = "*-*-* 23:45:00"; location = "/persist/backups/postgres"; }; hacc.bindToPersist = [ "/var/lib/hedgedoc" ]; }; }; services.nginx.virtualHosts."pad.hacc.earth" = { enableACME = true; forceSSL = true; globalRedirect = "pad.hacc.space"; }; services.nginx.virtualHosts."pad.hacc.space" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://${config.containers.pad-hacc.localAddress}:3000"; extraConfig = '' add_header Access-Control-Allow-Origin "*"; proxy_buffering off; ''; }; }; }