hedgedoc: move from voyaer to sarek

hosts/sarek/configuration.nix

@@ -9,6 +9,7 @@
 
       ./services/nginx.nix
       ./services/postgresql.nix
+      ./services/hedgedoc.nix
       ./services/flame.nix
   ];
 

hosts/sarek/services/hedgedoc.nix

@@ -0,0 +1,96 @@
+{ config, pkgs, lib, ... }:
+let
+    cfg = config.services.hedgedoc.settings;
+    domain = "md.feal.no";
+    port = 3300;
+    host = "0.0.0.0";
+    authServerUrl = "https://auth.feal.no";
+in {
+    # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
+    sops.secrets."hedgedoc/env" = {
+      restartUnits = [ "hedgedoc.service" ];
+    };
+
+    services.hedgedoc = {
+        enable = true;
+        environmentFile = config.sops.secrets."hedgedoc/env".path;
+        settings = {
+            inherit domain port host;
+            protocolUseSSL = true;
+            sessionSecret = "$CMD_SESSION_SECRET";
+
+            allowFreeURL = true;
+            allowAnonymous = false;
+            allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
+
+            dbURL = "postgres://hedgedoc:@localhost/hedgedoc";
+
+            email = false;
+            oauth2 = {
+              baseURL = "${authServerUrl}/oauth2";
+              tokenURL = "${authServerUrl}/oauth2/token";
+              authorizationURL = "${authServerUrl}/ui/oauth2";
+              userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
+
+              clientID = "hedgedoc";
+              clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
+              scope = "openid email profile";
+              userProfileUsernameAttr = "name";
+              userProfileEmailAttr = "email";
+              userProfileDisplayNameAttr = "displayname";
+
+              providerName = "KaniDM";
+            };
+
+        };
+    };
+
+    systemd.services.hedgedoc = {
+      requires = [
+        "postgresql.service"
+        # "kanidm.service"
+      ];
+      serviceConfig = let
+        workDir = "/var/lib/hedgedoc";
+      in {
+        WorkingDirectory = lib.mkForce workDir;
+        StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
+
+        # Better safe than sorry :)
+        CapabilityBoundingSet = "";
+        LockPersonality = true;
+        NoNewPrivileges = true;
+        PrivateDevices = true;
+        PrivateMounts = true;
+        PrivateTmp = true;
+        PrivateUsers = true;
+        ProtectClock = true;
+        ProtectHome = true;
+        ProtectHostname = true;
+        ProtectKernelLogs = true;
+        ProtectKernelModules = true;
+        ProtectKernelTunables = true;
+        ProtectProc = "invisible";
+        ProtectSystem = "strict";
+        ReadWritePaths = [ workDir ];
+        RemoveIPC = true;
+        RestrictSUIDSGID = true;
+        UMask = "0007";
+        RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
+        SystemCallArchitectures = "native";
+        SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
+      };
+    };
+
+    networking.firewall.allowedTCPPorts = [ port ];
+
+    services.postgresql = {
+      ensureDatabases = [ "hedgedoc" ];
+      ensureUsers = [{
+        name = "hedgedoc";
+        ensurePermissions = {
+          "DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
+        };
+      }];
+    };
+}

hosts/sarek/services/postgresql.nix

@@ -3,6 +3,11 @@
   services.postgresql = {
     enable = true;
     enableTCPIP = true; # Expose on the network
+    authentication = pkgs.lib.mkOverride 10 ''
+     local all all trust
+     host all all 127.0.0.1/32 trust
+     host all all ::1/128 trust
+    '';
   };
 
   services.postgresqlBackup = {