From 7cbd49fe4215c2fbf5637017cd669ae27698121c Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band"
Date: Sun, 8 Feb 2026 12:38:03 +0100
Subject: [PATCH] improve hedhedoc

---
 hosts/md/default.nix | 2 +-
 hosts/md/hedgedoc.nix | 24 +++++++++++
 hosts/md/nginx.nix | 44 ++++++++++++++++++++
 secrets/hedgedoc-env.age | 19 +++++++++
 services/hedgedoc.nix | 89 ----------------------------------------
 5 files changed, 88 insertions(+), 90 deletions(-)
 create mode 100644 hosts/md/hedgedoc.nix
 create mode 100644 hosts/md/nginx.nix
 create mode 100644 secrets/hedgedoc-env.age
 delete mode 100644 services/hedgedoc.nix

diff --git a/hosts/md/default.nix b/hosts/md/default.nix
index 9c7bc32..cf07d26 100644
--- a/hosts/md/default.nix
+++ b/hosts/md/default.nix
@@ -4,7 +4,7 @@
 imports = [
 ../common.nix
 ../../services/openssh.nix
- ../../services/hedgedoc.nix
+ ./hedgedoc.nix
 ];

 networking = {
diff --git a/hosts/md/hedgedoc.nix b/hosts/md/hedgedoc.nix
new file mode 100644
index 0000000..137c91a
--- /dev/null
+++ b/hosts/md/hedgedoc.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+
+let
+ db = {
+ host = "sql.berlin.ccc.de";
+ port = 5432;
+ username = "hedgedoc";
+ database = "hedgedoc";
+ };
+in
+{
+ services.hedgedoc = {
+ enable = true;
+ settings = {
+ domain = "${config.networking.hostName}.${config.networking.domain}";
+ dbURL = "postgres://${db.username}:\${DB_PASSWORD}@${db.host}:${toString db.port}/${db.name}";
+ # sync with config.age.secrets.postgres-hedgedoc.path
+ environmentFile = config.age.secrets.hedgedoc-env.path;
+ protocolUseSSL = true;
+ enableStatsApi = true;
+ };
+ };
+}
+
diff --git a/hosts/md/nginx.nix b/hosts/md/nginx.nix
new file mode 100644
index 0000000..c0cf2ac
--- /dev/null
+++ b/hosts/md/nginx.nix
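Review bot: The import list gains `./hedgedoc.nix` but not the `./nginx.nix` this commit creates, so unless that file is imported from somewhere outside the patch (../common.nix, for instance) the virtual host, TLS termination and the allow/deny rules on /metrics and /status never become part of the built system. The removed ../../services/hedgedoc.nix carried the nginx and postgresql configuration as well as the hedgedoc service, and only the hedgedoc part has a visible replacement in this list. Adding `./nginx.nix` next to `./hedgedoc.nix` closes that gap.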
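Review bot: `dbURL` interpolates `${db.name}`, but the `db` set bound in the `let` only defines `database`, so evaluating this module fails with a missing-attribute error; the last path segment should read `${db.database}`. The comment above `environmentFile` points at `config.age.secrets.postgres-hedgedoc.path` while the line itself uses `hedgedoc-env`; a comment that matches the code would be `# DB_PASSWORD placeholder in dbURL is expected to be supplied by the hedgedoc-env secret`. The database also moves from the local `/run/postgresql` socket used by the deleted services/hedgedoc.nix to the remote host sql.berlin.ccc.de, and nothing in the URL requires an encrypted connection, so unless the server side enforces TLS the password and note content cross the network in clear — worth confirming, or adding the client-side TLS option. `pkgs` is taken from the module arguments but never used.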
@@ -0,0 +1,44 @@
+{ config, pkgs, ... }:
+
+let
+ cfg = config.services.hedgedoc.settings;
+in
+{
+ services.nginx.virtualHosts."${config.networking.hostName}.${config.networking.domain}" = {
+ default = true;
+ quic = true;
+ kTLS = true;
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://${cfg.host}:${toString cfg.port}";
+ };
+ "/socket.io/" = {
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ proxyPass = "http://${cfg.host}:${toString cfg.port}";
+ };
+ "/metrics" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://${cfg.host}:${toString cfg.port}";
+ extraConfig = ''
+ allow 195.160.173.14;
+ allow 2001:678:760:cccb::14;
+ deny all;
+ '';
+ };
+ "/status" = {
+ recommendedProxySettings = true;
+ proxyPass = "http://${cfg.host}:${toString cfg.port}";
+ extraConfig = ''
+ allow 195.160.173.14;
+ allow 2001:678:760:cccb::14;
+ deny all;
+ '';
+ };
+ };
+ };
+}
+
diff --git a/secrets/hedgedoc-env.age b/secrets/hedgedoc-env.age
new file mode 100644
index 0000000..a462570
--- /dev/null
+++ b/secrets/hedgedoc-env.age
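Review bot: The TLS and server-wide settings from the deleted services/hedgedoc.nix — `sslProtocols = "TLSv1.3"`, `recommendedTlsSettings`, the recommended optimisation/gzip/brotli toggles, `statusPage`, `resolver.addresses` and `services.nginx.enable` itself — have no counterpart in this file, so unless a shared module sets them the listener falls back to the nginx module defaults, which do not pin TLS 1.3 only as the host did before. The per-location allow/deny on /metrics and /status is a clear improvement over the commented-out rules in the old file. The two identical `extraConfig` blocks could be one `let` binding (say `monitoringOnly`) reused by both locations, which keeps the allow-list in a single place when it changes. `pkgs` is taken from the module arguments but unused.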
@@ -0,0 +1,19 @@ +age-encryption.org/v1 +-> ssh-ed25519 uH+n1w Hl5GuG/K5bKRhYLwG3z1pUfRPPs/O0T9ELWTAMT/DG8 +9nX8jNHmCQXa5Wv7huCTEk5kz3Me9QVSxJYPdrH5udw +-> ssh-ed25519 EvLbWw T+0rljpwVOktHR21v5JvBPe1nog0TVN1erGtIyRMbQ4 +tpNz5eRC8vFFbdtXA6Vp+7X1VDq5doJi4hM1K/FOyVE +-> ssh-ed25519 dM+fLQ R9t+cS4ye0jOaubNcMaqu8/APLkzAopkZh76tM0jQgM +DL4DykdFXXQONPqDGv5LKTrlg9+4BPHdXNPMGwPF7a4 +-> ssh-ed25519 jxWM2Q PTEewNsybqn/4gejSGy5BNucQ5izKtqUGp6mGroYizg +HEaBhzmp+0ymUUbzCgb4KpyZJ2lKYKNlaI9zMY58CJg +-> ssh-ed25519 /yCUCg 6wdCIPRGgPnPxzCdUDnDOl5lI2Fsl9DoA4QmM3DWfEs +ZdQ1sHtAsYrlaWNDZmf2+Gu9vIIp7adD6MI1oJyPPdU +-> ssh-ed25519 FGp51g 1Lvo3hKE72UUKJaN4U1XlXoP8j7EAHN0UPIP11FurCI +csB1x/PYsQgQ0gPHJAD8EcHHVo1JJ8NCtx45KpreqaE +-> ssh-ed25519 fEJY/A LlmksK8HR5YNpMwcqJUN5sgAM8jXCuanTNU+A53UMhY +kntfp+IUE1OLq03WLyuynyqSeUlrhy5piYKcqg9/DAg +--- NxH5yKP69Pq4DQx2Ziad7ECw6BdlbSfo7+vm9V3YWm8 + +Чim萮v0_d$Z#[.vأXjZH'sy4Qm +Z]^Œ nE>wf7%~DV \ No newline at end of file diff --git a/services/hedgedoc.nix b/services/hedgedoc.nix deleted file mode 100644 index 9650ced..0000000 --- a/services/hedgedoc.nix +++ /dev/null 
@@ -1,89 +0,0 @@
-{ config, pkgs, ... }:
-
-let
- fqdn = "hedgedoc.berlin.ccc.de";
- cfg = config.services.hedgedoc.settings;
-in
-{
- services = {
- hedgedoc = {
- enable = true;
- settings = {
- domain = fqdn;
- #environmentFile = config.age.secrets.hedgedoc_settings.path;
- protocolUseSSL = true;
- db = {
- dialect = "postgresql";
- host = "/run/postgresql";
- username = "hedgedoc";
- database = "hedgedoc";
- };
- enableStatsApi = true;
- };
- };
- nginx = {
- enable = true;
- resolver.addresses = [
- "[2606:4700:4700::1111]"
- "[2620:fe::fe]"
- "1.1.1.1"
- "9.9.9.9"
- ];
- statusPage = true; # http://127.0.0.1/nginx_status
- sslProtocols = "TLSv1.3";
- recommendedTlsSettings = true;
- recommendedOptimisation = true;
- recommendedGzipSettings = true;
- recommendedBrotliSettings = true;
- virtualHosts."${fqdn}" = {
- default = true;
- quic = true;
- kTLS = true;
- forceSSL = true;
- enableACME = true;
- locations = {
- "/" = {
- proxyPass = "http://${cfg.host}:${toString cfg.port}";
- recommendedProxySettings = true;
- };
- "/socket.io/" = {
- proxyPass = "http://${cfg.host}:${toString cfg.port}";
- proxyWebsockets = true;
- recommendedProxySettings = true;
- };
- "/metrics" = {
- proxyPass = "http://${cfg.host}:${toString cfg.port}";
- recommendedProxySettings = true;
- #allow 195.160.173.255;
- #allow 2001:678:760:cccb::ffff;
- #deny all;
- };
- "/status" = {
- proxyPass = "http://${cfg.host}:${toString cfg.port}";
- recommendedProxySettings = true;
- #allow 195.160.173.255;
- #allow 2001:678:760:cccb::ffff;
- #deny all;
- };
- };
- };
- };
- postgresql = {
- enable = true;
- package = pkgs.postgresql_18;
- enableJIT = true;
- initdbArgs = [
- "--locale=C"
- "--encoding=UTF8"
- ];
- ensureUsers = [{ name = cfg.db.username; ensureDBOwnership = true; }];
- ensureDatabases = [ cfg.db.database ];
- };
- postgresqlBackup = {
- enable = true;
- startAt = "*-*-* 09:00:00";
- compression = "zstd";
- };
- };
-}
-