feat: HedgeDoc module(#168)

Reviewed-on: https://git.selfprivacy.org/SelfPrivacy/selfprivacy-nixos-config/pulls/168 Reviewed-by: Inex Code <inex.code@selfprivacy.org> Co-authored-by: Thary <thary@riseup.net> Co-committed-by: Thary <thary@riseup.net>
2025-09-05 15:33:30 +03:00
parent 73cbdf994e
commit 45c96d3472
5 changed files with 255 additions and 0 deletions
--- a/sp-modules/hedgedoc/module.nix
+++ b/sp-modules/hedgedoc/module.nix
@@ -0,0 +1,186 @@
+{
+  config,
+  lib,
+  pkgs,
+  ...
+}:
+let
+  sp = config.selfprivacy;
+  cfg = sp.modules.hedgedoc;
+
+  oauthClientID = "hedgedoc";
+  auth-passthru = config.selfprivacy.passthru.auth;
+  oauth2-provider-origin = config.services.kanidm.serverSettings.origin;
+  usersGroup = "sp.hedgedoc.users";
+  oauthClientSecretFP = auth-passthru.mkOAuth2ClientSecretFP oauthClientID;
+in
+{
+  options.selfprivacy.modules.hedgedoc = {
+    enable =
+      (lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = "Enable HedgeDoc";
+      })
+      // {
+        meta = {
+          type = "enable";
+        };
+      };
+    location =
+      (lib.mkOption {
+        type = lib.types.str;
+        description = "HedgeDoc location";
+      })
+      // {
+        meta = {
+          type = "location";
+        };
+      };
+    subdomain =
+      (lib.mkOption {
+        default = "hedgedoc";
+        type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
+        description = "Subdomain";
+      })
+      // {
+        meta = {
+          widget = "subdomain";
+          type = "string";
+          regex = "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
+          weight = 0;
+        };
+      };
+    allowAnonymous =
+      (lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = "Allow usage (e.g., notes creation) without an account";
+      })
+      // {
+        meta = {
+          type = "bool";
+          weight = 1;
+        };
+      };
+    allowLibravatar =
+      (lib.mkOption {
+        default = false;
+        type = lib.types.bool;
+        description = "Use Libravatar as profile picture source";
+      })
+      // {
+        meta = {
+          type = "bool";
+          weight = 2;
+        };
+      };
+  };
+
+  config = lib.mkIf cfg.enable {
+    assertions = [
+      {
+        assertion = sp.sso.enable;
+        message = "HedgeDoc cannot be enabled when SSO is disabled.";
+      }
+    ];
+
+    fileSystems = lib.mkIf sp.useBinds {
+      "/var/lib/hedgedoc" = {
+        device = "/volumes/${cfg.location}/hedgedoc";
+        options = [ "bind" ];
+      };
+    };
+
+    services.postgresql = {
+      ensureDatabases = [ "hedgedoc" ];
+      ensureUsers = [
+        {
+          name = "hedgedoc";
+          ensureDBOwnership = true;
+        }
+      ];
+    };
+
+    services.hedgedoc = {
+      enable = true;
+      package = pkgs.hedgedoc.overrideAttrs (old: {
+        doCheck = true;
+        patches = (old.patches or [ ]) ++ [
+          ./hedgedocClientSecretAsFile.patch
+        ];
+      });
+
+
+      settings = {
+        port = 3001;
+        protocolUseSSL = true;
+        useSSL = false;
+        domain = "${cfg.subdomain}.${sp.domain}";
+        host = "127.0.0.1";
+
+        # HedgeDoc saves the old option name for compatibility, even though it fetches avatars from Libravatar
+        allowGravatar = cfg.allowLibravatar;
+
+        db = {
+          username = "hedgedoc";
+          database = "hedgedoc";
+          host = "/run/postgresql";
+          dialect = "postgresql";
+        };
+        uploadsPath = "/var/lib/hedgedoc/uploads";
+
+        allowEmailRegister = false;
+        email = false;
+        allowAnonymous = cfg.allowAnonymous;
+
+        oauth2 = {
+          baseURL = oauth2-provider-origin;
+          clientID = "hedgedoc";
+          clientSecret = oauthClientSecretFP;
+          authorizationURL = "${oauth2-provider-origin}/ui/oauth2";
+          tokenURL = "${oauth2-provider-origin}/oauth2/token";
+          userProfileURL = "${oauth2-provider-origin}/oauth2/openid/${oauthClientID}/userinfo";
+          scope = "openid email profile";
+          userProfileUsernameAttr = "sub";
+          userProfileDisplayNameAttr = "name";
+          userProfileEmailAttr = "email";
+        };
+
+        loglevel = "error";
+      };
+    };
+
+    services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
+      useACMEHost = sp.domain;
+      forceSSL = true;
+      locations = {
+        "/" = {
+          proxyPass = "http://127.0.0.1:3001";
+          proxyWebsockets = true;
+        };
+      };
+    };
+
+    systemd = {
+      services.hedgedoc = {
+        unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/hedgedoc";
+        serviceConfig.Slice = "hedgedoc.slice";
+      };
+      slices.hedgedoc = {
+        description = "HedgeDoc service slice";
+      };
+    };
+
+    selfprivacy.auth.clients.${oauthClientID} = {
+      inherit usersGroup;
+      subdomain = cfg.subdomain;
+      originLanding = "https://${cfg.subdomain}.${sp.domain}/";
+      originUrl = "https://${cfg.subdomain}.${sp.domain}/auth/oauth2/callback";
+      clientSystemdUnits = [ "hedgedoc.service" ];
+      enablePkce = false;
+      linuxUserOfClient = "hedgedoc";
+      linuxGroupOfClient = "hedgedoc";
+    };
+  };
+}