nixos-config/modules/system/web-services/hedgedoc.nix

{
  config,
  pkgs,
  lib,
  ...
}:
let
  cfg = config.custom.services.hedgedoc;
  dataDir = "/var/lib/hedgedoc";
in
{
  options.custom.services.hedgedoc = {
    enable = lib.mkEnableOption "";
    domain = lib.mkOption {
      type = lib.types.nonEmptyStr;
      default = "";
    };
    port = lib.mkOption {
      type = lib.types.port;
      default = 3000;
    };
    doBackups = lib.mkEnableOption "";
  };

  config = lib.mkIf cfg.enable {
    meta = {
      domains.list = [ cfg.domain ];
      ports.tcp.list = [ cfg.port ];
    };

    sops = {
      secrets."hedgedoc/gitlab-auth-secret" = { };
      templates."hedgedoc/environment" = {
        owner = config.users.users.hedgedoc.name;
        content = "GITLAB_CLIENTSECRET=${config.sops.placeholder."hedgedoc/gitlab-auth-secret"}";
        restartUnits = [ "hedgedoc.service" ];
      };
    };

    services.hedgedoc = {
      enable = true;

      environmentFile = config.sops.templates."hedgedoc/environment".path;
      settings = {
        inherit (cfg) domain port;
        protocolUseSSL = true;
        allowAnonymous = false;
        email = false;
        defaultPermission = "limited";
        sessionSecret = "$SESSION_SECRET";
        gitlab = {
          baseURL = "https://code.fbi.h-da.de";
          clientID = "dc71d7ec1525ce3b425d7d41d602f67e1a06cef981259605a87841a6be62cc58";
          clientSecret = "$GITLAB_CLIENTSECRET";
        };
      };
    };

    # Ensure session-secret
    systemd.services.hedgedoc.preStart = lib.mkBefore ''
      secret_file="${dataDir}/session-secret"

      if [ ! -f $secret_file ]; then
        ${lib.getExe pkgs.pwgen} -s 64 1 > $secret_file
      fi

      SESSION_SECRET="$(cat $secret_file)"
      export SESSION_SECRET
    '';

    custom = {
      services.resticBackups.hedgedoc = lib.mkIf cfg.doBackups {
        conflictingService = "hedgedoc.service";
        paths =
          let
            inherit (config.services.hedgedoc) settings;
          in
          [
            settings.uploadsPath
            settings.db.storage
          ];
      };

      persist.directories = [ dataDir ];
    };
  };
}