1 files changed, 66 insertions, 0 deletions
diff --git a/hosts/flora/services/hedgedoc.nix b/hosts/flora/services/hedgedoc.nix
new file mode 100644
index 0000000..4ce2256
--- /dev/null
+++ b/hosts/flora/services/hedgedoc.nix
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, ... }:
+
+{
+    # Container containing CodiMD and its database
+  # has its own internal network; needs a reverse-proxy to be reachable from the outside
+  # TODO: persistent memory for pads
+  containers.codimd = { 
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress6 = "fd00::42:10";
+    localAddress6 = "fd00::42:11";
+    
+    config = {config, pkgs, ... }: {
+      # open CodiMD port
+      networking.firewall.allowedTCPPorts = [ config.services.codimd.configuration.port ];
+
+      # database (postgres 11), with default database reachable for CodiMD; no imperative config needed!
+      services.postgresql = {
+        enable = true;
+        package = pkgs.postgresql_11;
+        ensureDatabases = [ "codimd" ];
+        ensureUsers = [ {
+          name = "codimd";
+          ensurePermissions = { "DATABASE codimd" = "ALL PRIVILEGES";};
+        } ];
+        # ugly workaround to allow CodiMD to login without password — this service has lots of options,
+        # but apparently not for authentification, which even needs to be forced …
+        authentication = pkgs.lib.mkForce ''
+            # Generated file; do not edit!
+            local all all              trust
+            host  codimd codimd ::1/128      trust
+          '';
+      };
+      # CodiMD itself
+      services.hedgedoc = {
+        enable = true;
+        workDir = "/var/codimd/";
+        configuration = {
+          dbURL = "postgres:///codimd";
+          port = 3000;
+          domain = "nix.stuebinm.eu";
+          urlAddPort = false;
+          protocolUseSSL = true;
+          allowPDFExport = true;
+          host = "::";
+          allowEmailRegister = false;
+          allowFreeURL = true;
+          uploadsPath = "/var/codimd/uploads";
+          #email = false;
+        };
+      };
+    };
+  };
+
+    
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+
+  services.nginx.virtualHosts."nix.stuebinm.eu" = {
+    locations."/" = {
+      proxyPass = "http://[" + config.containers.codimd.localAddress6 + "]:3000";
+      proxyWebsockets = true;
+    };
+    forceSSL = true;
+    enableACME = true;
+  };
+}