From 6053722acfbe22ee3f365dc8418cada74da7f19a Mon Sep 17 00:00:00 2001
From: Sridhar Ratnakumar
Date: Sun, 19 May 2024 10:12:11 -0400
Subject: [PATCH] add hedgedoc
---
 flake.nix | 4 ++++
 nixos/hedgedoc.nix | 39 +++++++++++++++++++++++++++++++++++++++
 systems/ax41.nix | 1 +
 3 files changed, 44 insertions(+)
 create mode 100644 nixos/hedgedoc.nix
diff --git a/flake.nix b/flake.nix
index 76f0a9f..00fe592 100644
--- a/flake.nix
+++ b/flake.nix
@@ -55,6 +55,10 @@
 immediacy = {
 targetHost = "immediacy";
 targetUser = "srid";
+ keys."hedgedoc.env" = {
+ user = "hedgedoc";
+ keyCommand = read1Password "hedgedoc.env";
+ };
 };
 github-runner = let
diff --git a/nixos/hedgedoc.nix b/nixos/hedgedoc.nix
new file mode 100644
index 0000000..f97bb07
--- /dev/null
+++ b/nixos/hedgedoc.nix
@@ -0,0 +1,39 @@
+{ config, pkgs, lib, ... }:
+
+let
+ domain = "pad.srid.ca";
+ port = 9112;
+in
+{
+ services.hedgedoc = {
+ enable = true;
+
+ # GitHub secrets set in colmena (see flake.nix)
+ environmentFile = "/run/keys/hedgedoc.env";
+
+ settings = {
+ # URL config
+ inherit domain port;
+ protocolUseSSL = true;
+ urlAddPort = false;
+ allowOrigin = [ "localhost" ];
+
+ # Accept GitHub users only.
+ # NOTE: Fine-grained access (eg: whitelist of users) not possible until
+ # HedgeDoc 2.0
+ email = false;
+ allowAnonymous = false;
+ };
+ };
+
+ services.nginx = {
+ virtualHosts.${domain} = {
+ enableACME = true;
+ addSSL = true;
+ locations."/" = {
+ proxyPass = "http://localhost:${builtins.toString port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+}
diff --git a/systems/ax41.nix b/systems/ax41.nix
index ea84346..f55407b 100644
--- a/systems/ax41.nix
+++ b/systems/ax41.nix
@@ -13,6 +13,7 @@ in
 "${self}/nixos/self/primary-as-admin.nix"
 "${self}/nixos/docker.nix"
 "${self}/nixos/actualism-app.nix"
+ "${self}/nixos/hedgedoc.nix"
 # "${self}/nixos/server/harden/basics.nix"
 ];
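Review bot: The secret is declared only on the `immediacy` deployment (`keys."hedgedoc.env"`), while the module that reads `/run/keys/hedgedoc.env` is wired in by this same patch through `systems/ax41.nix`; unless ax41 is the configuration behind `targetHost = "immediacy"`, the key is never uploaded to the host that runs the service and HedgeDoc will fail to start on the missing environment file. The key is chowned to `user = "hedgedoc"`, which presumably exists only once `services.hedgedoc.enable` has created it, so the first deploy's key upload ordering relative to activation is worth confirming. A one-line comment next to the key would make the coupling explicit, e.g. `# consumed by nixos/hedgedoc.nix via services.hedgedoc.environmentFile`. `read1Password` is defined outside the hunk, and the enclosing attribute set continues outside it as well.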
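Review bot: `addSSL = true;` in the `pad.srid.ca` vhost keeps a plaintext HTTP listener that serves the application alongside HTTPS, so a browser reaching http://pad.srid.ca gets the GitHub login flow over HTTP rather than a redirect, even though `protocolUseSSL = true` makes HedgeDoc emit https URLs; `forceSSL = true;` in place of `addSSL = true;` redirects HTTP to HTTPS and matches the intent. Because any GitHub account can sign in (the comment acknowledges no allowlist), the access model of newly created notes rests on HedgeDoc's `defaultPermission`, which is not set here; stating the intended value, or at least the upstream default being relied on, in the "Accept GitHub users only" comment would document the exposure. The environment file lives in `/run/keys`, which is not persistent across reboots under colmena's default key handling (if that is what this host uses), so the service depends on a redeploy after each boot; a comment such as `# uploaded by colmena at deploy time; not persistent across reboots` on the `environmentFile` line would save the next maintainer a surprise.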