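{ config, pkgs, lib, ... }:
# HedgeDoc behind nginx: PostgreSQL over the local socket, OAuth2 login
# against the Keycloak realm at authServerUrl, secrets injected via sops.
let
  domain = "md.feal.no";
  port = 3300;
  # Loopback alias HedgeDoc binds to; only nginx on this host reaches it.
  host = "127.0.1.2";
  authServerUrl = "https://iam.feal.no";
in
{
  # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET. The unit is
  # restarted when the secret changes so it never keeps running on a stale
  # value.
  sops.secrets."hedgedoc/env" = {
    restartUnits = [ "hedgedoc.service" ];
  };

  services.hedgedoc = {
    enable = true;
    environmentFile = config.sops.secrets."hedgedoc/env".path;
    settings = {
      inherit domain port host;
      protocolUseSSL = true;
      # Placeholder expanded from environmentFile at service start, so the
      # secret itself never ends up in the world-readable Nix store.
      sessionSecret = "$CMD_SESSION_SECRET";
      allowFreeURL = true;
      # Reading requires a login; editing an existing note does not.
      allowAnonymous = false;
      allowAnonymousEdits = true;
      db = {
        username = "hedgedoc";
        database = "hedgedoc";
        # Unix socket: peer authentication, no DB password to manage.
        host = "/run/postgresql";
        dialect = "postgresql";
      };
      email = false;
      oauth2 =
        let
          oidc = "${authServerUrl}/realms/feal.no/protocol/openid-connect";
        in
        {
          providerName = "Keycloak";
          authorizationURL = "${oidc}/auth";
          baseURL = authServerUrl;
          tokenURL = "${oidc}/token";
          userProfileURL = "${oidc}/userinfo";
          clientID = "hedgedoc";
          # Same mechanism as sessionSecret: expanded from environmentFile.
          clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
          scope = "openid email profile";
          userProfileDisplayNameAttr = "name";
          userProfileEmailAttr = "email";
          userProfileUsernameAttr = "preferred_username";
          # Access is gated on the token carrying accessRole inside rolesClaim;
          # the claim mapper must exist on the Keycloak client — verify there.
          rolesClaim = "hedgedoc-roles";
          accessRole = "hedgedoc-user";
        };
    };
  };

  systemd.services.hedgedoc = {
    # Requires= only expresses the dependency; it does not order startup.
    # After= is what makes hedgedoc wait for PostgreSQL instead of racing it
    # at boot and failing its first connection.
    requires = [
      "postgresql.service"
      # "kanidm.service"
    ];
    after = [
      "postgresql.service"
    ];
    serviceConfig =
      let
        workDir = "/var/lib/hedgedoc";
      in
      {
        WorkingDirectory = lib.mkForce workDir;
        StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];
        # Better safe than sorry :)
        CapabilityBoundingSet = "";
        LockPersonality = true;
        NoNewPrivileges = true;
        PrivateDevices = true;
        PrivateMounts = true;
        PrivateTmp = true;
        PrivateUsers = true;
        ProtectClock = true;
        ProtectHome = true;
        ProtectHostname = true;
        ProtectKernelLogs = true;
        ProtectKernelModules = true;
        ProtectKernelTunables = true;
        ProtectProc = "invisible";
        ProtectSystem = "strict";
        ReadWritePaths = [ workDir ];
        RemoveIPC = true;
        RestrictSUIDSGID = true;
        UMask = "0007";
        # One list element per family; AF_UNIX covers the postgres socket,
        # AF_INET/AF_INET6 the listener and outbound calls to the IdP.
        RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
        SystemCallArchitectures = "native";
        # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
      };
  };

  services.postgresql = {
    ensureDatabases = [ "hedgedoc" ];
    ensureUsers = [
      {
        name = "hedgedoc";
        ensureDBOwnership = true;
      }
    ];
  };

  services.postgresqlBackup.databases = [ "hedgedoc" ];

  services.nginx.virtualHosts."${domain}" = {
    # Non-standard ports on a LAN address. ACME HTTP-01 validation still has
    # to arrive on the plaintext listener, presumably through a port forward
    # from :80/:443 elsewhere — confirm that is in place before relying on
    # certificate renewal.
    listen = [
      { addr = "192.168.10.175"; port = 43443; ssl = true; }
      { addr = "192.168.10.175"; port = 43080; ssl = false; }
    ];
    enableACME = true;
    forceSSL = true;
    locations = {
      "/" = {
        proxyPass = "http://${host}:${toString port}";
      };
      # The socket.io path needs the websocket upgrade headers that
      # proxyWebsockets adds; a plain proxy_pass would drop the upgrade.
      "/socket.io" = {
        proxyPass = "http://${host}:${toString port}";
        proxyWebsockets = true;
      };
    };
  };
}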