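{ config, lib, pkgs, ... }:
let
  # Single source of truth for the pad service's listening port: the firewall
  # inside the container and the host-side reverse proxy both derive from it,
  # so the two can no longer drift apart.
  codimdPort = 3000;
in
{
  # Container holding CodiMD (packaged by NixOS under its fork's name, HedgeDoc)
  # together with its PostgreSQL database.  It has its own private network, so
  # only the host can reach it; nginx on the host reverse-proxies to it (below).
  # TODO: persistent storage for pads (the container's /var/codimd)
  containers.codimd = {
    autoStart = true;
    privateNetwork = true;
    hostAddress6 = "fd00::42:10";
    localAddress6 = "fd00::42:11";
    config = { config, lib, pkgs, ... }: {
      # Open the CodiMD port inside the container (only the host is on this
      # private network, so this exposes it to the host alone).  The service is
      # configured under `services.hedgedoc` below; `services.codimd` is only a
      # compatibility alias for the old name, so read the port from the real option.
      networking.firewall.allowedTCPPorts = [ config.services.hedgedoc.configuration.port ];

      # Database (PostgreSQL 11).  The `codimd` role and database are created
      # declaratively; no imperative setup is needed.
      services.postgresql = {
        enable = true;
        package = pkgs.postgresql_11;
        ensureDatabases = [ "codimd" ];
        ensureUsers = [ {
          name = "codimd";
          ensurePermissions = { "DATABASE codimd" = "ALL PRIVILEGES"; };
        } ];
        # Workaround: the hedgedoc module offers no option for database
        # authentication, and CodiMD connects as role `codimd` without a
        # password (see dbURL below), so pg_hba.conf has to be replaced
        # wholesale with mkForce.  Trust is granted ONLY to that role on that
        # database — not `local all all trust`, which would let every local
        # user in the container connect as any role, including the superuser.
        # The postgres superuser keeps `peer` auth so the module's own
        # ensureDatabases/ensureUsers scripts (run as OS user postgres) still work.
        authentication = lib.mkForce ''
          # Generated file; do not edit!
          # TYPE  DATABASE  USER      ADDRESS   METHOD
          local   all       postgres            peer
          local   codimd    codimd              trust
          host    codimd    codimd    ::1/128   trust
        '';
      };

      # CodiMD itself.
      services.hedgedoc = {
        enable = true;
        workDir = "/var/codimd/";
        configuration = {
          dbURL = "postgres:///codimd";
          port = codimdPort;
          domain = "nix.stuebinm.eu";
          urlAddPort = false;
          # TLS terminates at the host's nginx; tell CodiMD its public URL is https
          # so generated links and cookies are correct.
          protocolUseSSL = true;
          allowPDFExport = true;
          # Listen on all of the container's interfaces so the host can reach it.
          host = "::";
          # Self-service sign-up is disabled.  NOTE(review): anonymous pad
          # creation/editing is governed by allowAnonymous, which is left at
          # its default here — confirm that is intended for a public host.
          allowEmailRegister = false;
          allowFreeURL = true;
          uploadsPath = "/var/codimd/uploads";
          #email = false;
        };
      };
    };
  };

  networking.firewall.allowedTCPPorts = [ 80 443 ];
  # Host-side reverse proxy: the only way into the container's private network.
  # Plain HTTP between host and container is fine, the link never leaves the box.
  services.nginx.virtualHosts."nix.stuebinm.eu" = {
    locations."/" = {
      proxyPass = "http://[${config.containers.codimd.localAddress6}]:${toString codimdPort}";
      proxyWebsockets = true;
    };
    forceSSL = true;
    enableACME = true;
  };
}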