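{ config, ... }:

let
  # Public hostname of this instance; also used as the nginx vhost name below.
  svc_domain = "hedgedoc.${config.mine.settings.domain}";

  # ZFS-backed state (uploads + sqlite database). The service unit is sandboxed,
  # so this path has to be granted explicitly via ReadWritePaths further down.
  stateDir = config.mine.zfsMounts."rpool/safe/svcs/hedgedoc";
in {
  services.hedgedoc = {
    enable = true;

    settings = {
      # Bind the plain-HTTP listener to loopback only: the nginx vhost below is the
      # sole TLS entry point and nothing else should be able to reach the app
      # directly. (The NixOS module defaults to 127.0.0.1; pinning it here keeps
      # the intent explicit and independent of upstream defaults.)
      host = "127.0.0.1";
      # only change default port, because 3000 is used by other service
      port = 6864;

      # Public URL as clients see it (behind the forceSSL vhost).
      domain = svc_domain;
      protocolUseSSL = true;

      # Debug logging is verbose and intended for troubleshooting; keep it off on a
      # live, LDAP-backed instance and flip it on only while investigating a problem.
      debug = false;

      uploadsPath = stateDir + "/uploads";
      db.dialect = "sqlite";
      db.storage = stateDir + "/db.sqlite";

      # No anonymous note creation. Anonymous edits remain possible only on notes
      # whose owner explicitly opens them up; new notes start out private.
      allowAnonymous = false;
      allowAnonymousEdits = true;
      defaultPermission = "private"; # only owner can view and edit

      # Disable email login and registration: LDAP is the only identity source.
      email = false;
      allowEmailRegister = false;

      # LDAP setup (lldap)
      # https://github.com/lldap/lldap/blob/main/example_configs/hedgedoc.md
      # The bind password is deliberately not in this file; it is supplied through
      # the EnvironmentFile on the systemd unit below, keeping it out of the Nix store.
      ldap = {
        # NOTE(review): the bind credential travels over this connection — confirm
        # the URL is ldaps:// or points at a host-local listener.
        url = config.mine.settings.ldap.url;
        bindDn = config.mine.settings.ldap.bind_dn;
        searchBase = config.mine.settings.ldap.search_base;
        # Users may log in with either their uid or their email address.
        searchFilter = "(&${config.mine.settings.ldap.user_filter}(|(${config.mine.settings.ldap.attr.uid}={{username}})(${config.mine.settings.ldap.attr.email}={{username}})))";
        useridField = config.mine.settings.ldap.attr.uid;
      };
    };
  };

  # The unit is sandboxed; grant write access to the state directory only.
  systemd.services.hedgedoc.serviceConfig.ReadWritePaths = [ stateDir ];
  # LDAP bind password from an agenix-managed secret file (not world-readable, not in the store).
  systemd.services.hedgedoc.serviceConfig.EnvironmentFile = config.age.secrets.lldap-bind-user-pass-hedgedoc-env.path;

  services.nginx.virtualHosts."${svc_domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      # Use the literal loopback address rather than "localhost": the app is bound
      # to 127.0.0.1 above, and a hostname could also resolve to ::1 where nothing listens.
      proxyPass = "http://127.0.0.1:${builtins.toString config.services.hedgedoc.settings.port}";
      # Realtime collaboration runs over socket.io; the Upgrade/Connection headers
      # must be forwarded or clients fall back to polling (or fail).
      proxyWebsockets = true;
    };
  };
}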