nixos-config/hosts/defiant/services/hedgedoc.nix

{ config, pkgs, lib, ... }:
let
  cfg = config.services.hedgedoc.settings;
  domain = "md.feal.no";
  port = 3300;
  host = "127.0.1.2";
  authServerUrl = "https://iam.feal.no";
in {
  # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
  sops.secrets."hedgedoc/env" = {
    restartUnits = [ "hedgedoc.service" ];
  };

  services.hedgedoc = {
    enable = true;
    environmentFile = config.sops.secrets."hedgedoc/env".path;
    settings = {
      inherit domain port host;
      protocolUseSSL = true;
      sessionSecret = "$CMD_SESSION_SECRET";

      allowFreeURL = true;
      allowAnonymous = false;
      allowAnonymousEdits = true;

      db = {
        username = "hedgedoc";
        database = "hedgedoc";
        host = "/run/postgresql";
        dialect = "postgresql";
      };

      email = false;
      oauth2 = let
        oidc = "${authServerUrl}/realms/feal.no/protocol/openid-connect";
      in {
        providerName = "Keycloak";
        authorizationURL = "${oidc}/auth";
        baseURL = "${authServerUrl}";
        tokenURL = "${oidc}/token";
        userProfileURL = "${oidc}/userinfo";

        clientID = "hedgedoc";
        clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
        scope = "openid email profile";
        userProfileDisplayNameAttr = "name";
        userProfileEmailAttr = "email";
        userProfileUsernameAttr = "preferred_username";
        rolesClaim = "hedgedoc-roles";
        accessRole = "hedgedoc-user";
      };
    };
  };

  systemd.services.hedgedoc = {
    requires = [
      "postgresql.service"
    ];
    serviceConfig = let
      workDir = "/var/lib/hedgedoc";
    in {
      WorkingDirectory = lib.mkForce workDir;
      StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];

      # Better safe than sorry :)
      CapabilityBoundingSet = "";
      LockPersonality = true;
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      ReadWritePaths = [ workDir ];
      RemoveIPC = true;
      RestrictSUIDSGID = true;
      UMask = "0007";
      RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
      SystemCallArchitectures = "native";
      # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
    };
  };

  services.postgresql = {
    ensureDatabases = [ "hedgedoc" ];
    ensureUsers = [{
      name = "hedgedoc";
      ensureDBOwnership = true;
    }];
  };

  services.postgresqlBackup.databases = [ "hedgedoc" ];

  services.nginx.virtualHosts."${domain}" = {
    listen = [
      { addr = "192.168.10.175"; port = 43443; ssl = true; }
      { addr = "192.168.10.175"; port = 43080; ssl = false; }
    ];

    enableACME = true;
    forceSSL = true;

    locations = {
      "/" = {
        proxyPass = "http://${host}:${toString port}";
      };
      "/socket.io" = {
        proxyPass = "http://${host}:${toString port}";
        proxyWebsockets = true;
      };
    };
  };
}