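{ config, ... }:
let
  # Public hostname of this service, derived from the shared base domain.
  svc_domain = "hedgedoc.${config.mine.shared.settings.domain}";
  # Persistent state (SQLite database and uploads) lives on a dedicated ZFS dataset.
  stateDir = config.mine.zfsMounts."rpool/safe/svcs/hedgedoc";
in
{
  services.hedgedoc = {
    enable = true;
    settings = {
      # only change default port, because 3000 is used by other service
      port = 6864;
      domain = svc_domain;
      # TLS is terminated by nginx (forceSSL below); tell HedgeDoc so that
      # generated links and cookies use https://
      protocolUseSSL = true;
      # Debug logging is verbose and this host is internet-facing (ACME);
      # keep it off and flip to true only while actively troubleshooting.
      debug = false;
      uploadsPath = stateDir + "/uploads";
      db.dialect = "sqlite";
      db.storage = stateDir + "/db.sqlite";
      # disable anonymous notes, but allow anonymous edits
      allowAnonymous = false;
      allowAnonymousEdits = true;
      defaultPermission = "private"; # only owner can view and edit
      # disable email login and register
      email = false;
      allowEmailRegister = false;
      # setup ldap
      # https://github.com/lldap/lldap/blob/main/example_configs/hedgedoc.md
      ldap = {
        url = config.mine.shared.settings.ldap.url;
        bindDn = config.mine.shared.settings.ldap.bind_dn;
        searchBase = config.mine.shared.settings.ldap.search_base;
        # Match the login name against either the uid or the mail attribute,
        # restricted by the shared user filter (e.g. group membership).
        searchFilter = "(&${config.mine.shared.settings.ldap.user_filter}(|(${config.mine.shared.settings.ldap.attr.uid}={{username}})(${config.mine.shared.settings.ldap.attr.email}={{username}})))";
        useridField = config.mine.shared.settings.ldap.attr.uid;
      };
    };
  };

  # add state directory to ReadWritePaths -- presumably the module's systemd
  # hardening makes the rest of the filesystem read-only for the unit, so the
  # database and uploads dir must be listed explicitly; confirm against the module.
  systemd.services.hedgedoc.serviceConfig.ReadWritePaths = [ stateDir ];
  # The LDAP bind password is deliberately kept out of `settings` (which end up
  # in the generated config file) and is supplied via an agenix-managed env
  # file instead. NOTE(review): the variable name inside that file is not
  # visible here -- verify it matches what HedgeDoc expects for the bind credentials.
  systemd.services.hedgedoc.serviceConfig.EnvironmentFile = config.age.secrets.lldap-bind-user-pass-hedgedoc-env.path;

  services.nginx.virtualHosts."${svc_domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://localhost:${builtins.toString config.services.hedgedoc.settings.port}";
      # HedgeDoc's realtime editor runs over websockets; without the
      # Upgrade/Connection headers the proxy breaks collaborative editing.
      proxyWebsockets = true;
    };
  };
}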