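{ config, lib, pkgs, ... }:
let
  # HedgeDoc built from a personal fork instead of the nixpkgs source.
  # Both rev and sha256 are pinned, so the build is reproducible and the
  # fetched source cannot change unnoticed; bump both together when updating.
  hedgedoc-patched = pkgs.hedgedoc.overrideAttrs (old: {
    src = pkgs.fetchgit {
      url = "https://stuebinm.eu/git/hedgedoc";
      rev = "b0f98a43381486995b99ed79e0eabb3af149dbf3";
      sha256 = "1199k5q8wampkw2ri4wgwzqgh1ff0l4kdxx9h8ywqy2f7faf922c";
    };
  });

  # Single source of truth for the port HedgeDoc listens on inside the
  # container; the nginx upstream on the host is derived from it, so the two
  # cannot drift apart.
  hedgedocPort = 3000;
in
{
  # Container holding HedgeDoc (formerly CodiMD) and its database.
  # It has its own internal network, so it is only reachable through the
  # reverse proxy configured on the host further down.
  # TODO: persistent memory for pads
  containers.codimd = {
    autoStart = true;
    privateNetwork = true;
    hostAddress6 = "fd00::42:10";
    localAddress6 = "fd00::42:11";

    config = { config, pkgs, ... }: {
      # Only the HedgeDoc port is opened on the container's private network.
      networking.firewall.allowedTCPPorts = [ config.services.hedgedoc.configuration.port ];

      # Database (postgres 11). Database and role are created declaratively,
      # so no imperative setup is needed.
      services.postgresql = {
        enable = true;
        package = pkgs.postgresql_11;
        ensureDatabases = [ "codimd" ];
        ensureUsers = [ {
          name = "hedgedoc";
          ensurePermissions = { "DATABASE codimd" = "ALL PRIVILEGES"; };
        } ];

        # The service module has no option for pg_hba.conf, so the generated
        # file is replaced wholesale (mkForce); every line that is needed must
        # therefore be listed here.
        # - Unix-socket logins use peer authentication: the OS user has to match
        #   the database role. That covers the postgres user (database setup)
        #   and the hedgedoc service user without a password, while no longer
        #   letting every local OS user log in as any role.
        #   NOTE(review): assumes the service connects as OS user "hedgedoc",
        #   matching the role created above — verify, or add a username map.
        # - Loopback TCP logins to the codimd database are trusted for the two
        #   application roles only, restricted to the exact loopback address
        #   (/128); the earlier ::1/18 prefix matched far more than loopback.
        authentication = lib.mkForce ''
          # Generated file; do not edit!
          local all all peer
          host codimd hedgedoc ::1/128 trust
          host codimd codimd ::1/128 trust
        '';
      };

      # HedgeDoc itself
      services.hedgedoc = {
        enable = true;
        workDir = "/var/codimd/";
        configuration = {
          dbURL = "postgres:///codimd";
          port = hedgedocPort;
          domain = "nix.stuebinm.eu";
          urlAddPort = false;
          # Generated links use https; TLS itself is terminated by nginx on the host.
          protocolUseSSL = true;
          allowPDFExport = true;
          host = "::";
          allowEmailRegister = false;
          allowFreeURL = true;
          uploadsPath = "/var/codimd/uploads";
          #email = false;
        };
      };

      # Run the patched build instead of the package the module would start
      # (presumably the module in use offers no package option — verify).
      systemd.services.hedgedoc.serviceConfig.ExecStart =
        lib.mkForce "${hedgedoc-patched}/bin/hedgedoc";
    };
  };

  # Host side: only HTTP(S) is exposed. nginx terminates TLS (ACME
  # certificate, plain HTTP redirected) and forwards to the container over
  # the private IPv6 link, including websocket upgrades.
  networking.firewall.allowedTCPPorts = [ 80 443 ];
  services.nginx.virtualHosts."nix.stuebinm.eu" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://[${config.containers.codimd.localAddress6}]:${toString hedgedocPort}";
      proxyWebsockets = true;
    };
  };
}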