Add sops-secrets, configure oauth

hosts/voyager/services/hedgedoc.nix

@@ -5,6 +5,11 @@ let
     port = 3000;
     host = "0.0.0.0";
 in {
+    # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
+    sops.secrets."hedgedoc/env" = {
+      restartUnits = [ "hedgedoc.service" ];
+    };
+
     services.hedgedoc = {
         enable = true;
 
@@ -15,6 +20,8 @@ in {
                 dialect = "sqlite";
                 storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
             };
+            environmentFile = config.sops.secrets."hedgedoc/env".path;
+
             email = false;
             oauth2 = let
               authServerUrl = config.services.kanidm.serverSettings.origin;
@@ -31,13 +38,10 @@ in {
               userProfileDisplayNameAttr = "displayname";
 
               providerName = "KaniDM";
-              # rolesClaim = "roles";
-              # accessRole = "hedgedoc_users";
             };
 
         };
     };
-    #networking.firewall.allowedTCPPorts = [ port ];
     services.nginx.virtualHosts.${domain} = {
       locations."/" = {
         proxyPass = "http://${host}:${toString port}/";