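{ config, pkgs, lib, ... }:
let
  domain = "md.feal.no";
  # Loopback address/port the HedgeDoc process itself listens on; it is only
  # reachable through the nginx reverse proxy defined below.
  port = 3300;
  host = "127.0.1.2";
  upstream = "http://${host}:${toString port}";
  authServerUrl = "https://iam.feal.no";
in {
  # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET.
  # The "$VAR" placeholders used in `settings` below are filled in from this
  # file at service start, so the secrets never end up in the Nix store.
  sops.secrets."hedgedoc/env" = {
    restartUnits = [ "hedgedoc.service" ];
  };

  services.hedgedoc = {
    enable = true;
    environmentFile = config.sops.secrets."hedgedoc/env".path;
    settings = {
      inherit domain port host;
      # TLS is terminated by nginx; HedgeDoc must still know it is served
      # over https so that the URLs it generates use that scheme.
      protocolUseSSL = true;
      sessionSecret = "$CMD_SESSION_SECRET";

      # Notes can be created under arbitrary URLs. Guests cannot create
      # notes, but may edit existing notes whose permission allows it.
      allowFreeURL = true;
      allowAnonymous = false;
      allowAnonymousEdits = true;

      # Local PostgreSQL over the UNIX socket. No password is configured, so
      # this presumably relies on socket (peer) authentication — verify.
      db = {
        username = "hedgedoc";
        database = "hedgedoc";
        host = "/run/postgresql";
        dialect = "postgresql";
      };

      email = false;
      # Login via OIDC against the Keycloak realm. Access is limited by
      # `accessRole`: only users carrying that role in `rolesClaim` get in.
      oauth2 = let
        oidc = "${authServerUrl}/realms/feal.no/protocol/openid-connect";
      in {
        providerName = "Keycloak";
        authorizationURL = "${oidc}/auth";
        baseURL = authServerUrl;
        tokenURL = "${oidc}/token";
        userProfileURL = "${oidc}/userinfo";

        clientID = "hedgedoc";
        clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
        scope = "openid email profile";
        userProfileDisplayNameAttr = "name";
        userProfileEmailAttr = "email";
        userProfileUsernameAttr = "preferred_username";
        rolesClaim = "hedgedoc-roles";
        accessRole = "hedgedoc-user";
      };
    };
  };

  systemd.services.hedgedoc = {
    # `requires` alone does not order start-up; `after` makes the unit wait
    # for PostgreSQL so the first database connection does not race it.
    requires = [ "postgresql.service" ];
    after = [ "postgresql.service" ];
    serviceConfig = let
      workDir = "/var/lib/hedgedoc";
    in {
      WorkingDirectory = lib.mkForce workDir;
      StateDirectory = lib.mkForce [ "hedgedoc" "hedgedoc/uploads" ];

      # Better safe than sorry :)
      # Sandboxing: no capabilities, read-only system, private /tmp and
      # devices, hidden kernel interfaces, no privilege escalation.
      CapabilityBoundingSet = "";
      LockPersonality = true;
      NoNewPrivileges = true;
      PrivateDevices = true;
      PrivateMounts = true;
      PrivateTmp = true;
      PrivateUsers = true;
      ProtectClock = true;
      ProtectHome = true;
      ProtectHostname = true;
      ProtectKernelLogs = true;
      ProtectKernelModules = true;
      ProtectKernelTunables = true;
      ProtectProc = "invisible";
      ProtectSystem = "strict";
      # With ProtectSystem=strict only the state directory stays writable.
      ReadWritePaths = [ workDir ];
      RemoveIPC = true;
      RestrictSUIDSGID = true;
      # Files created by the service are not world-accessible.
      UMask = "0007";
      # One family per list element; they are merged into one restriction.
      RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
      SystemCallArchitectures = "native";
      # SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
    };
  };

  services.postgresql = {
    ensureDatabases = [ "hedgedoc" ];
    ensureUsers = [{
      name = "hedgedoc";
      ensureDBOwnership = true;
    }];
  };

  services.postgresqlBackup.databases = [ "hedgedoc" ];

  services.nginx.virtualHosts."${domain}" = {
    # Non-standard ports on the LAN address; presumably fronted by a
    # port-forward or another proxy — confirm before changing.
    listen = [
      { addr = "192.168.10.175"; port = 43443; ssl = true; }
      { addr = "192.168.10.175"; port = 43080; ssl = false; }
    ];

    # Plain-HTTP listener only redirects to https.
    enableACME = true;
    forceSSL = true;

    locations = {
      "/" = {
        proxyPass = upstream;
      };
      # Real-time collaboration runs over websockets on this path.
      "/socket.io" = {
        proxyPass = upstream;
        proxyWebsockets = true;
      };
    };
  };
}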