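# NixOS module: wraps services.hedgedoc behind the `custom.hedgedoc` options.
# Local e-mail login and anonymous access are switched off, OAuth2/OIDC login
# is configured when `oidc.enable` is set, and Caddy can optionally front the
# service through HedgeDoc's Unix socket.
{
  config,
  pkgs,
  lib,
  ...
}:

let
  # Import only the lib names this module uses instead of `with lib;`, so
  # every identifier below has a visible origin.
  inherit (lib)
    mkEnableOption
    mkIf
    mkOption
    types
    ;

  cfg = config.custom.hedgedoc;
in
{
  options = {
    custom.hedgedoc = {
      enable = mkEnableOption "HedgeDoc Markdown Editor";
      domain = mkOption {
        type = types.str;
        default = "docs.example.com";
        description = "Domain name of the HedgeDoc server";
      };
      caddy = mkOption {
        type = types.bool;
        default = true;
        description = "Enable Caddy as reverse proxy";
      };
      mediaPath = mkOption {
        type = types.path;
        # Must be a string, not a Nix path literal: a path literal that ends
        # up in the generated settings is copied into the world-readable
        # Nix store (or rejected under pure evaluation), and the service would
        # be pointed at that read-only copy instead of the live directory.
        default = "/var/lib/hedgedoc/uploads";
        description = "Directory for storing medias";
      };
      oidc = {
        enable = mkEnableOption "OIDC support for HedgeDoc";
        # No defaults: all four URLs must be set once `oidc.enable` is true.
        baseURL = mkOption {
          type = types.str;
          description = "Base URL of the OIDC provider";
        };
        authorizationURL = mkOption {
          type = types.str;
          description = "Authorization endpoint of the OIDC provider";
        };
        tokenURL = mkOption {
          type = types.str;
          description = "Token endpoint of the OIDC provider";
        };
        userProfileURL = mkOption {
          type = types.str;
          description = "User profile (userinfo) endpoint of the OIDC provider";
        };
      };
      environmentFile = mkOption {
        type = types.path;
        description = ''
          File defining HEDGEDOC_CLIENT_ID and HEDGEDOC_CLIENT_SECRET.
          Pass it as a string (for example a secrets-manager output path),
          not as a Nix path literal, so the secret is not copied into the
          world-readable Nix store.
        '';
      };
    };
  };

  config = mkIf cfg.enable {
    services.hedgedoc = {
      enable = true;
      environmentFile = cfg.environmentFile;
      settings = {
        domain = cfg.domain;
        # HTTPS is assumed only when this module's Caddy proxy is enabled.
        # NOTE(review): if another proxy terminates TLS while `caddy` is
        # false, this stays false - confirm that is intended.
        protocolUseSSL = cfg.caddy;
        uploadsPath = cfg.mediaPath;
        # Listen on a Unix socket rather than a TCP port.
        path = "/run/hedgedoc/hedgedoc.sock";
        # Local e-mail/password login and self-registration are disabled.
        # NOTE(review): with `oidc.enable` false, no login method is
        # configured by this module at all.
        email = false;
        allowEmailRegister = false;
        oauth2 = mkIf cfg.oidc.enable {
          baseURL = cfg.oidc.baseURL;
          authorizationURL = cfg.oidc.authorizationURL;
          tokenURL = cfg.oidc.tokenURL;
          userProfileURL = cfg.oidc.userProfileURL;
          userProfileEmailAttr = "email";
          # NOTE(review): "name" is normally a display name, which is neither
          # unique nor immutable. If HedgeDoc keys accounts on the username
          # attribute, two users sharing a name could map to one account.
          # Consider a stable claim here, or a dedicated ID attribute
          # (userProfileIdAttr, e.g. "sub") if the deployed HedgeDoc version
          # supports it - verify against the provider and HedgeDoc docs.
          userProfileUsernameAttr = "name";
          # NOTE(review): the standard OIDC claim is "preferred_username";
          # "preferred_name" is presumably provider-specific - confirm.
          userProfileDisplayNameAttr = "preferred_name";
          scope = "openid email profile";
          # Literal placeholders: the real values are expected to come from
          # `environmentFile` at service start (presumably substituted by the
          # upstream hedgedoc module), keeping the client secret out of the
          # Nix store.
          clientID = "$HEDGEDOC_CLIENT_ID";
          clientSecret = "$HEDGEDOC_CLIENT_SECRET";
        };
        # Notes are private by default and guests cannot create or edit them.
        allowAnonymous = false;
        defaultPermission = "private";
      };
    };

    services.caddy = mkIf cfg.caddy {
      enable = true;
      # "unix/" plus the absolute socket path gives Caddy's "unix//run/..."
      # upstream address form.
      virtualHosts."https://${cfg.domain}".extraConfig = ''
        reverse_proxy unix/${config.services.hedgedoc.settings.path}
      '';
    };

    # Caddy joins the hedgedoc group so it can open the socket. This also
    # grants Caddy access to any other group-accessible hedgedoc files.
    users.users.caddy.extraGroups = mkIf cfg.caddy [ "hedgedoc" ];
  };
}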