From af01cffa4d5e68556f4882b77e07ad5af9e38b04 Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band"
Date: Sat, 14 Feb 2026 01:44:06 +0100
Subject: [PATCH] fixup postgres and hedgedoc
---
 flake.nix | 14 ++++++++++++++
 hosts/common.nix | 1 +
 hosts/md/default.nix | 2 +-
 hosts/md/hedgedoc.nix | 12 ++++--------
 hosts/md/nginx.nix | 21 ++++++++++++++-------
 hosts/md/postgres.nix | 23 -----------------------
 hosts/sql/postgres.nix | 5 +++++
 secrets/hedgedoc_db_password.age | Bin 0 -> 949 bytes
 secrets/secrets.nix | 13 +++++++++++--
 services/postgres.nix | 4 ++--
 10 files changed, 52 insertions(+), 43 deletions(-)
 delete mode 100644 hosts/md/postgres.nix
 create mode 100644 secrets/hedgedoc_db_password.age
diff --git a/flake.nix b/flake.nix
index 93b8e34..c42b20a 100644
--- a/flake.nix
+++ b/flake.nix
@@ -70,6 +70,12 @@
 owner = "matrix-synapse";
 group = "matrix-synapse";
 };
+ matrix_db_password = {
+ file = ./secrets/matrix_db_password.age;
+ mode = "440";
+ owner = "matrix-synapse";
+ group = "matrix-synapse";
+ };
 draupnir_access_token = {
 file = ./secrets/draupnir_access_token.age;
 mode = "440";
@@ -100,6 +106,14 @@
 modules = [
 agenix.nixosModules.default
 { environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
+ {
+ age.secrets.hedgedoc_db_password = {
+ file = ./secrets/hedgedoc_db_password.age;
+ owner = "hedgedoc";
+ group = "hedgedoc";
+ mode = "0440";
+ };
+ }
 ./hosts/md
 ];
 };
diff --git a/hosts/common.nix b/hosts/common.nix
index 07bc60f..1724822 100644
--- a/hosts/common.nix
+++ b/hosts/common.nix
@@ -128,3 +128,4 @@
 };
 };
 }
+
diff --git a/hosts/md/default.nix b/hosts/md/default.nix
index d9ddd6c..5243b5a 100644
--- a/hosts/md/default.nix
+++ b/hosts/md/default.nix
@@ -6,7 +6,7 @@
 ../../services/openssh.nix
 ./hedgedoc.nix
 ../../services/nginx.nix
- ./nginx
+ ./nginx.nix
 ./postgres.nix
 ];
diff --git a/hosts/md/hedgedoc.nix b/hosts/md/hedgedoc.nix
index 2226fa1..675617d 100644
--- a/hosts/md/hedgedoc.nix
+++ b/hosts/md/hedgedoc.nix
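Review bot: The two secret declarations added to flake.nix spell the same permission differently — `mode = "440";` in the `matrix_db_password` block of the first hunk and `mode = "0440";` in the `hedgedoc_db_password` block of the second — and they live in different places: the matrix one sits in the shared `age.secrets` set next to `draupnir_access_token`, while the hedgedoc one is an anonymous inline module in the md host's `modules` list. Both spellings are accepted, but the file otherwise uses `"440"`, so `mode = "440";` keeps it uniform. Declaring `hedgedoc_db_password` alongside its siblings in the shared set would keep the list of who can read which secret auditable in one place; if the inline placement is deliberate (only the md host should even know about the secret), a one-line comment saying so, e.g. `# scoped to md on purpose: no other host mounts this secret`, would stop the next reader from "fixing" it.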
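Review bot: hosts/md/default.nix still imports `./postgres.nix` — it is the unchanged context line directly below the corrected `./nginx.nix` — but this same patch deletes hosts/md/postgres.nix, so evaluating the md host will fail on the missing path. Since the database moved to sql (hosts/md/hedgedoc.nix now dials `sql.berlin.ccc.de`), the line should be dropped rather than repointed: remove ` ./postgres.nix` from the list. The `imports = [` that opens this list starts before the hunk.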
@@ -4,15 +4,11 @@
 services.hedgedoc = {
 enable = true;
 settings = {
- domain = "${config.networking.fqdn}";
- #environmentFile = config.age.secrets.hedgedoc_settings.path;
+ domain = "md.${config.networking.domain}";
+ environmentFile = config.age.secrets.hedgedoc_db_password.path;
+ dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@sql.berlin.ccc.de:5432/hedgedoc";
+ db.dialect = "postgresql";
 protocolUseSSL = true;
- db = {
- dialect = "postgresql";
- host = "/run/postgresql";
- username = "hedgedoc";
- database = "hedgedoc";
- };
 enableStatsApi = true;
 };
 };
diff --git a/hosts/md/nginx.nix b/hosts/md/nginx.nix
index 53f39db..8f5f8c6 100644
--- a/hosts/md/nginx.nix
+++ b/hosts/md/nginx.nix
@@ -4,7 +4,7 @@ let
 cfg = config.services.hedgedoc.settings;
 in
 {
- nginx.virtualHosts."${config.networking.fqdn}" = {
+ services.nginx.virtualHosts."md.${config.networking.domain}" = {
 default = true;
 quic = true;
 kTLS = true;
@@ -14,6 +14,9 @@ in
 "/" = {
 proxyPass = "http://${cfg.host}:${toString cfg.port}";
 recommendedProxySettings = true;
+ extraConfig = ''
+ #add_header Content-Security-Policy "frame-src 'self'; default-src 'self'; script-src 'self'; img-src 'self'; style-src 'self' 'unsafe-inline'; font-src 'self'; form-action 'self'; upgrade-insecure-requests;" always;
+ '';
 };
 "/socket.io/" = {
 proxyPass = "http://${cfg.host}:${toString cfg.port}";
@@ -23,16 +26,20 @@ in
 "/metrics" = {
 proxyPass = "http://${cfg.host}:${toString cfg.port}";
 recommendedProxySettings = true;
- #allow 195.160.173.255;
- #allow 2001:678:760:cccb::ffff;
- #deny all;
+ extraConfig = ''
+ allow 195.160.173.14;
+ allow 2001:678:760:cccb::14;
+ deny all;
+ '';
 };
 "/status" = {
 proxyPass = "http://${cfg.host}:${toString cfg.port}";
 recommendedProxySettings = true;
- #allow 195.160.173.255;
- #allow 2001:678:760:cccb::ffff;
- #deny all;
+ extraConfig = ''
+ allow 195.160.173.14;
+ allow 2001:678:760:cccb::14;
+ deny all;
+ '';
 };
 };
 };
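Review bot: The new `dbURL` sends HedgeDoc to `sql.berlin.ccc.de:5432` over TCP with no TLS requirement, whereas the removed `host = "/run/postgresql"` was a local socket; unless the hedgedoc entry in sql's pg_hba is `hostssl`-only (the `authentication` string in hosts/sql/postgres.nix is assembled from `entries`, which this patch does not show), the database password and every note body now cross the network in clear. Ask for TLS from the client side as well — if I read HedgeDoc's Sequelize wiring right, `db.dialectOptions.ssl` next to the new `db.dialect = "postgresql";` is the place — and make the server side `hostssl`. Second, `environmentFile` is a systemd `KEY=value` file and the `\${DB_PASSWORD}` placeholder is only filled if the decrypted secret contains a line `DB_PASSWORD=…`; the secret is named like a bare password, so confirm its format, and record it in a comment: `# env-file format, must contain DB_PASSWORD=<password of role hedgedoc on sql>`.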
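Review bot: The `extraConfig` added to `/` in the second nginx hunk holds only a commented-out `add_header Content-Security-Policy …` line, so it emits nothing and leaves a dead block in the generated config; either drop it or, if a CSP is wanted, configure it through HedgeDoc's own `csp` settings (`services.hedgedoc.settings.csp`), because HedgeDoc already sends a CSP of its own by default, as far as I recall, and a second header from nginx is intersected by the browser — likely why the `script-src 'self'` variant had to be disabled. In the third hunk the identical allow/allow/deny triple is written twice for `/metrics` and `/status`; a binding next to `cfg`, e.g. `monitoringOnly = '' allow 195.160.173.14; allow 2001:678:760:cccb::14; deny all; '';` used as `extraConfig = monitoringOnly;`, keeps the monitoring address in one place and makes the intent legible. The `locations` set these belong to opens before the second hunk.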
diff --git a/hosts/md/postgres.nix b/hosts/md/postgres.nix deleted file mode 100644 index ec1adcc..0000000 --- a/hosts/md/postgres.nix +++ /dev/null @@ -1,23 +0,0 @@ -{ config, pkgs, ... }: - -{ - services = { - postgresql = { - enable = true; - package = pkgs.postgresql_18; - enableJIT = true; - initdbArgs = [ - "--locale=C" - "--encoding=UTF8" - ]; - ensureUsers = [{ name = cfg.db.username; ensureDBOwnership = true; }]; - ensureDatabases = [ cfg.db.database ]; - }; - postgresqlBackup = { - enable = true; - startAt = "*-*-* 09:00:00"; - compression = "zstd"; - }; - }; -} - diff --git a/hosts/sql/postgres.nix b/hosts/sql/postgres.nix index 61f3af8..fdbdc5c 100644 --- a/hosts/sql/postgres.nix +++ b/hosts/sql/postgres.nix @@ -58,6 +58,11 @@ in ensureDatabases = map (e: e.database) entries; authentication = "${builtins.concatStringsSep "\n" (map (e: e.auth) entries)}"; }; + postgresqlBackup = { + enable = true; + startAt = "*-*-* 09:00:00"; + compression = "zstd"; + }; }; systemd.services.postgresql.postStart = '' ${config.services.postgresql.package}/bin/psql \ diff --git a/secrets/hedgedoc_db_password.age b/secrets/hedgedoc_db_password.age new file mode 100644 index 0000000000000000000000000000000000000000..94833611f8559be25553bdb1d290be2cb5ff03d7 GIT binary patch literal 949 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCSH_0Y~UELX_LDJyV~ z2ndKW@H0>KGqcP#NDWG?$O|`Iwiw1Qh6JXJ_YlgczCy zd613pzuI=MuX_jSV>YSXLldc`$pH*3;ogGzCoK&3Y zZJgv$%vF%+=iwDzS?Zgb7*u5%5M-er;g#)c>|$D00G`! z+NJ?n1-`zfS*Zr;X$77+fd%RUwky65{RdWPk?gy%=NyJTlYWh9vdLME4w=Z5=6W%?L8W@q?2 zduV%Smn520czNggW?Fcq8(3QUS~@0qB<6WVI&v9x6cqJEa!sAS*5j=>V^u)HXDRV- zKQ)vts-^2xoM5|r-*DcH8IOGRLj*lONnZPZ{;1uRnetcG9KWR6A)`{GB>C-I+R3uy t!=X(tQsUmtyBE4g#;wqL<1(J9{8krrb;4?9d~+>iC~tlqkhvRFLW=+Z literal 0 HcmV?d00001 diff --git a/secrets/secrets.nix b/secrets/secrets.nix index e21b110..7c39d82 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
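Review bot: The `postgresqlBackup` block moved onto sql keeps a single generation: with no `databases` set the NixOS module, as far as I recall, falls back to `pg_dumpall` and writes one `all.sql.zst` under `/var/backup/postgresql`, replacing the previous file at each 09:00 run, so a corruption or bad migration that is dumped once before anyone notices overwrites the last good copy. Pair it with a snapshot or off-host copy of that directory and note the dependency next to the block, e.g. `# single-generation dump; retention lives in <off-host backup — TODO name it>`. The same three lines already exist in services/postgres.nix (visible as context in this patch's last hunk); if sql imports that shared module, this block is redundant.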
@@ -18,18 +18,27 @@ let _md = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdFkdEEDXo8+k5YZpI1O2GqZlxcpCDtxqVun35duITm root@md"; _sql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcSXjDSyVVVdJbpheOhT0fIuOGFk+jsHhjrAVnBNLQV root@sql"; _www = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID4TJCMuJZn03soKuxxv6ywFKiXfhLf9Ab03fbMqNaBJ root@www"; + _monitoring = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID4TJCMuJZn03soKuxxv6ywFKiXfhLf9Ab03fbMqNaBJ root@monitoring"; in { "matrix_admin_password.age".publicKeys = users; + "draupnir_access_token.age".publicKeys = users ++ [ _matrix ]; "matrix_signing_key.age".publicKeys = users ++ [ _matrix ]; "matrix_registration_shared_secret.age".publicKeys = users ++ [ _matrix ]; + "matrix_db_password.age".publicKeys = users ++ [ _matrix ]; + "pushover_app_token.age".publicKeys = users ++ [ _matrix ]; "pushover_user_key.age".publicKeys = users ++ [ _matrix ]; - "grafana_admin_password.age".publicKeys = users ++ [ _matrix ]; - "grafana_secret_key.age".publicKeys = users ++ [ _matrix ]; + + "hedgedoc_db_password.age".publicKeys = users ++ [ _md ]; + + "grafana_admin_password.age".publicKeys = users ++ [ _monitoring ]; + "grafana_secret_key.age".publicKeys = users ++ [ _monitoring ]; + "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ]; "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ]; + "www-staging-htpasswd.age".publicKeys = users ++ [ _www ]; } diff --git a/services/postgres.nix b/services/postgres.nix index e50f232..6226bef 100644 --- a/services/postgres.nix +++ b/services/postgres.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, lib, ... }: { services = { @@ -10,7 +10,7 @@ "--locale=C" "--encoding=UTF8" ]; - settings.listen_addresses = "*"; + settings.listen_addresses = lib.mkDefault "*"; }; postgresqlBackup = { enable = true;
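Review bot: The new `_monitoring` entry carries exactly the same key material as `_www` (`AAAAC3NzaC1lZDI1NTE5AAAAID4TJCMuJZn03soKuxxv6ywFKiXfhLf9Ab03fbMqNaBJ`; only the `root@…` comment differs), so `grafana_admin_password.age` and `grafana_secret_key.age` are re-keyed to the www host, not to monitoring — either monitoring cannot decrypt them, or the two hosts share one host key, in which case every secret granted to either is readable by the other. Replace the value with the real key from `/etc/ssh/ssh_host_ed25519_key.pub` on monitoring and re-encrypt the two grafana secrets. Separately, `hedgedoc_db_password.age` (md) and the pre-existing `postgres-hedgedoc.age` (sql, md) must hold the same password in two formats; a comment on the pair saying which one is authoritative would prevent silent drift.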
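Review bot: `settings.listen_addresses = lib.mkDefault "*";` makes "listen on every interface" the baseline for every host that imports this shared module and forgets to override it; the safer shape is the reverse — `settings.listen_addresses = lib.mkDefault "localhost";` here, with `"*"` (or the specific address) set explicitly in hosts/sql/postgres.nix, the one host that now serves remote clients. That way a new host that imports services/postgres.nix is not reachable from the network until someone decides it should be, and the pg_hba entries plus the firewall carry the exposure rather than a shared default. The `lib` argument added in the first hunk exists only to support this line, so it stays either way.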