blob: 6088ea022e642aee45d1d9d0e499ffc6f8f9fc6e (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
{ config, pkgs, ... }:
{
services.nginx.virtualHosts."md.emile.space" = {
forceSSL = true;
enableACME = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}";
};
};
};
# auth via authelia
services.authelia.instances.main.settings.identity_providers.oidc.clients = [
{
id = "HedgeDoc";
# ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
secret = "$pbkdf2-sha512$310000$l4Kyec7Q9oY2GAhWA/xMig$P/MYFmulfgsDNyyiclUzd6le0oSiOvqCIvl4op5DkXtVTxLWlMA3ZwhJ6Z7u.OfIREuEM2htH6asxWPhBhkpNQ";
public = false;
authorization_policy = "two_factor";
redirect_uris = [ "https://md.emile.space/auth/oauth2/callback" ];
scopes = [
"openid"
"email"
"profile"
];
grant_types = [
"refresh_token"
"authorization_code"
];
response_types = [ "code" ];
response_modes = [
"form_post"
"query"
"fragment"
];
token_endpoint_auth_method = "client_secret_post";
}
];
services.hedgedoc = {
enable = true;
package = pkgs.hedgedoc;
environmentFile = config.age.secrets.hedgedoc_environment_variables.path;
settings = {
host = "127.0.0.1";
port = config.emile.ports.md;
domain = "md.emile.space";
urlPath = null; # we're hosting on the root of the subdomain and not a subpath
allowGravatar = true;
# we're terminating tls at the reverse proxy
useSSL = false;
# Use https:// for all links.
# This is useful if you are trying to run hedgedoc behind a reverse proxy.
# Only applied if domain is set.
protocolUseSSL = true;
# don't allow unauthenticated people to just write somewhere
allowAnonymous = false;
allowAnonymousEdits = true; # This allows us to set pads "freely"
defaultPermission = "private";
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.sqlite";
};
uploadsPath = "/var/lib/hedgedoc/uploads";
path = null; # we want to use HTTP and not UNIX domain sockets...
allowOrigin = with config.services.hedgedoc.settings; [
host
domain
];
};
};
# backups
# services.restic.backups."hedgedoc" = {
# user = "u331921";
# timerConfig = {
# OnCalendar = "daily";
# Persistent = true;
# };
# # repository = "stfp:u331921@u331921.your-storagebox-de:23/restic";
# repository = "/mnt/storagebox-bx11/backup/hedgedoc";
# initialize = true; # initializes the repo, don't set if you want manual control
# passwordFile = config.age.secrets.restic_password.path;
# paths = [ "/var/lib/hedgedoc/" ];
# pruneOpts = [
# "--keep-daily 7"
# "--keep-weekly 5"
# "--keep-monthly 12"
# "--keep-yearly 75"
# ];
# # extraOpts = [
# # "sftp.command='ssh backup@192.168.1.100 -i /home/user/.ssh/id_rsa -s sftp'"
# # ];
# };
}
|
