From 3b0b4b33dd2bc85c6d00d8e11dc01d06d9d31249 Mon Sep 17 00:00:00 2001
From: Seth Flynn
Date: Thu, 20 Feb 2025 03:54:59 -0500
Subject: nixos/hedgedoc: init
---
 modules/nixos/mixins/default.nix | 1 +
 modules/nixos/mixins/hedgedoc.nix | 76 +++++++++++++++++++++++++++++++++++++++
 2 files changed, 77 insertions(+)
 create mode 100644 modules/nixos/mixins/hedgedoc.nix
(limited to 'modules/nixos/mixins')
diff --git a/modules/nixos/mixins/default.nix b/modules/nixos/mixins/default.nix
index f402776..e9930bf 100644
--- a/modules/nixos/mixins/default.nix
+++ b/modules/nixos/mixins/default.nix
@@ -8,6 +8,7 @@
 ./forgejo.nix
 ./gnome.nix
 ./grafana.nix
+ ./hedgedoc.nix
 ./home-manager.nix
 ./journal-upload.nix
 ./kanidm.nix
diff --git a/modules/nixos/mixins/hedgedoc.nix b/modules/nixos/mixins/hedgedoc.nix
new file mode 100644
index 0000000..8b65994
--- /dev/null
+++ b/modules/nixos/mixins/hedgedoc.nix
@@ -0,0 +1,76 @@
+{
+ config,
+ lib,
+ secretsDir,
+ ...
+}:
+
+let
+ hedgedocCfg = config.services.hedgedoc;
+ oauth2Domain = "https://" + config.services.kanidm.serverSettings.domain;
+in
+
+{
+ config = lib.mkMerge [
+ {
+ services = {
+ hedgedoc = {
+ settings = {
+ domain = lib.mkDefault ("hedgedoc." + config.networking.domain);
+ port = 4000;
+
+ allowOrigin = [
+ hedgedocCfg.settings.domain
+ "localhost"
+ ];
+
+ # Managed by reverse proxy
+ protocolUseSSL = true;
+ urlAddPort = false;
+
+ allowAnonymous = false;
+ };
+ };
+ };
+ }
+
+ (lib.mkIf hedgedocCfg.enable {
+ services = {
+ nginx.virtualHosts.${hedgedocCfg.settings.domain} = {
+ locations."/" = {
+ proxyPass = "http://${hedgedocCfg.settings.host}:${toString hedgedocCfg.settings.port}";
+ proxyWebsockets = true;
+ };
+ };
+ };
+ })
+
+ (lib.mkIf (hedgedocCfg.enable && config.services.kanidm.enableServer) {
+ age.secrets.hedgedocClientSecret.file = secretsDir + "/hedgedocClientSecret.age";
+
+ services.hedgedoc = {
+ environmentFile = config.age.secrets.hedgedocClientSecret.path;
+
+ settings = {
+ email = false;
+
+ oauth2 = {
+ clientID = "hedgedoc";
+ clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
+ providerName = "Kanidm";
+
+ baseURL = oauth2Domain;
+ authorizationURL = oauth2Domain + "/ui/oauth2";
+ tokenURL = oauth2Domain + "/oauth2/token";
+ userProfileURL = oauth2Domain + "/oauth2/openid/hedgedoc/userinfo";
+
+ scope = "openid email profile";
+ userProfileDisplayNameAttr = "name";
+ userProfileEmailAttr = "email";
+ userProfileUsernameAttr = "preferred_username";
+ };
+ };
+ };
+ })
+ ];
+}
-- 
cgit v1.2.3
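Review bot: The nginx virtualHost for `hedgedocCfg.settings.domain` declares only `locations."/"`, so nothing in this hunk turns on TLS for the vhost, yet `protocolUseSSL = true` (commented "Managed by reverse proxy") makes HedgeDoc build https URLs, including the OAuth callback handed to Kanidm. If the proxy ends up serving plain HTTP, the login flow breaks and session cookies and the OAuth code travel unencrypted. Unless another mixin sets TLS for every virtualHost, add it next to the location block: `forceSSL = true;` and `enableACME = true;` (or `useACMEHost = ...;` if a shared certificate is used). The `"localhost"` entry in `allowOrigin` also looks unnecessary once clients only reach the service through the proxy on the public domain, so consider dropping it.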