# NixOS module: self-hosted HedgeDoc behind nginx, backed by PostgreSQL over a
# local socket and authenticating against the shared LDAP server.
{ config, ... }:
let
  # Public hostname of this service, derived from the shared base domain.
  domain = "hedgedoc.${config.mine.shared.settings.domain}";
  # Persistent state lives on a dedicated ZFS dataset.
  dataDir = config.mine.zfsMounts."rpool/safe/svcs/hedgedoc";
  # The system user the hedgedoc service runs as; doubles as DB name and DB role.
  dbUser = config.users.users.hedgedoc.name;
  # Shared LDAP connection settings (URL, bind DN, search base, filters, attribute names).
  ldapCfg = config.mine.shared.settings.ldap;
  hedgedocPkg = config.services.hedgedoc.package;
  listenPort = config.services.hedgedoc.settings.port;
in
{
  services.hedgedoc = {
    enable = true;

    settings = {
      # 3000 (the default) is taken by another service on this host.
      port = 6864;
      domain = domain;
      # The public URL is https:// (TLS terminated by nginx below).
      protocolUseSSL = true;
      # NOTE(review): debug logging is enabled; verify this is intended for a
      # production host, since verbose logs may carry request details.
      debug = true;
      uploadsPath = dataDir + "/uploads";

      # PostgreSQL via the local unix socket; no password, auth is by socket peer.
      db = {
        dialect = "postgresql";
        host = "/run/postgresql";
      };

      # No anonymous note creation, but anonymous edits of shared notes are allowed.
      allowAnonymous = false;
      allowAnonymousEdits = true;
      # New notes default to owner-only view/edit.
      defaultPermission = "private";

      # Local email accounts are disabled entirely (login and registration).
      email = false;
      allowEmailRegister = false;

      # LDAP login; field mapping follows
      # https://github.com/lldap/lldap/blob/main/example_configs/hedgedoc.md
      ldap = {
        inherit (ldapCfg) url;
        bindDn = ldapCfg.bind_dn;
        searchBase = ldapCfg.search_base;
        # user_filter is a function producing the filter for the given placeholder.
        searchFilter = ldapCfg.user_filter "{{username}}";
        useridField = ldapCfg.attr.uid;
      };
    };
  };

  systemd.services.hedgedoc.serviceConfig = {
    # The hardened unit must be allowed to write into the ZFS-backed state dir.
    ReadWritePaths = [ dataDir ];
    # Presumably supplies the LDAP bind password via an environment variable so
    # it never lands in the world-readable Nix store (secret managed by agenix).
    EnvironmentFile = config.age.secrets.lldap-bind-user-pass-hedgedoc-env.path;
  };

  # Database and owning role, both named after the service user.
  services.postgresql = {
    ensureDatabases = [ dbUser ];
    ensureUsers = [
      {
        name = dbUser;
        ensureDBOwnership = true;
      }
    ];
  };

  # TLS-terminating reverse proxy with an ACME certificate.
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://localhost:${builtins.toString listenPort}";
  };

  # Entry in the shared service catalogue.
  mine.shared.meta.hedgedoc = {
    name = "Hedgedoc";
    description = "We host our own Hedgedoc for writing small documents, and sharing with others. Login using your credentials.";
    url = "https://${domain}";
    package = {
      name = hedgedocPkg.pname;
      inherit (hedgedocPkg) version meta;
    };
  };
}