# NixOS module: HedgeDoc behind nginx (TLS/ACME), backed by a local PostgreSQL
# over its Unix socket, with daily dumps via postgresqlBackup.
{ config, pkgs, ... }:
let
  fqdn = "hedgedoc.berlin.ccc.de";
  cfg = config.services.hedgedoc.settings;

  # Every proxied location points at the same HedgeDoc listener.
  upstream = "http://${cfg.host}:${toString cfg.port}";

  # Shared body for a reverse-proxied location; `extra` is merged on top so
  # individual locations can add websocket support or access rules.
  proxied = extra: {
    proxyPass = upstream;
    recommendedProxySettings = true;
  } // extra;
in
{
  services.hedgedoc = {
    enable = true;
    settings = {
      domain = fqdn;
      # NOTE(review): left disabled by the author; presumably the place where
      # secret settings would be injected from an age-encrypted file.
      #environmentFile = config.age.secrets.hedgedoc_settings.path;
      protocolUseSSL = true;
      db = {
        dialect = "postgresql";
        # A directory path here rather than a hostname; together with the
        # ensureUsers entry below this looks like local socket access — confirm.
        host = "/run/postgresql";
        username = "hedgedoc";
        database = "hedgedoc";
      };
      # Turns on HedgeDoc's stats endpoints; see the /status and /metrics
      # locations below for who can reach them.
      enableStatsApi = true;
    };
  };

  services.nginx = {
    enable = true;
    # Upstream resolvers used by nginx (needed e.g. for OCSP/ACME lookups).
    resolver.addresses = [
      "[2606:4700:4700::1111]"
      "[2620:fe::fe]"
      "1.1.1.1"
      "9.9.9.9"
    ];
    statusPage = true; # http://127.0.0.1/nginx_status
    sslProtocols = "TLSv1.3";
    recommendedTlsSettings = true;
    recommendedOptimisation = true;
    recommendedGzipSettings = true;
    recommendedBrotliSettings = true;

    virtualHosts."${fqdn}" = {
      # default = true: this vhost also answers requests whose Host header
      # matches no other server block.
      default = true;
      quic = true;
      kTLS = true;
      forceSSL = true;
      enableACME = true;

      locations = {
        "/" = proxied { };

        "/socket.io/" = proxied {
          proxyWebsockets = true;
        };

        # NOTE(review): the allow/deny rules for the two stats locations are
        # commented out, so with enableStatsApi = true these endpoints are
        # reachable by any client. If that is unintended, restore the
        # allow-list (or drop the locations) rather than relying on obscurity.
        "/metrics" = proxied {
          #allow 195.160.173.255;
          #allow 2001:678:760:cccb::ffff;
          #deny all;
        };

        "/status" = proxied {
          #allow 195.160.173.255;
          #allow 2001:678:760:cccb::ffff;
          #deny all;
        };
      };
    };
  };

  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_18;
    enableJIT = true;
    initdbArgs = [
      "--locale=C"
      "--encoding=UTF8"
    ];
    # Role and database are derived from the HedgeDoc settings so the two
    # cannot drift apart.
    ensureUsers = [
      {
        name = cfg.db.username;
        ensureDBOwnership = true;
      }
    ];
    ensureDatabases = [ cfg.db.database ];
  };

  services.postgresqlBackup = {
    enable = true;
    startAt = "*-*-* 09:00:00";
    compression = "zstd";
  };
}