blob: ccca49fac527f2ecb20f9d922273cf680d45ae26 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
|
{ config, pkgs, lib, ... }:
with import <stockholm/lib>;
let
domain = "pad.lassul.us";
in {
# redirect legacy domain to new one
services.nginx.virtualHosts."codi.lassul.us" = {
enableACME = true;
addSSL = true;
locations."/".return = "301 https://${domain}\$request_uri";
};
services.nginx.virtualHosts.${domain} = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "https://localhost:3091";
proxyWebsockets = true;
};
};
security.acme.certs.${domain}.group = "hedgecert";
users.groups.hedgecert.members = [ "hedgedoc" "nginx" ];
security.dhparams = {
enable = true;
params.hedgedoc = {};
};
systemd.services.hedgedoc.environment = {
CMD_COOKIE_POLICY = "none";
CMD_CSP_ALLOW_FRAMING = "true";
};
services.hedgedoc = {
enable = true;
configuration.allowOrigin = [ domain ];
settings = {
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
};
useCDN = false;
port = 3091;
domain = domain;
allowFreeURL = true;
useSSL = true;
protocolUseSSL = true;
sslCAPath = [ "/etc/ssl/certs/ca-certificates.crt" ];
sslCertPath = "/var/lib/acme/${domain}/cert.pem";
sslKeyPath = "/var/lib/acme/${domain}/key.pem";
dhParamPath = config.security.dhparams.params.hedgedoc.path;
};
};
}
|