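# Kubernetes resources for a single-node hedgedoc deployment (web server +
# PostgreSQL), gated behind the `hedgedoc.enable` option.
#
# Security notes:
#  - Every credential (database URL/password, session secret, OAuth2 client
#    secret) is kept in one Kubernetes Secret and injected via secretKeyRef, so
#    no resolved secret value is written into a Deployment manifest.
#  - Data lives on hostPath volumes, which is why both pods are pinned to one
#    node and roll out with at most one replica at a time.
{
  config,
  lib,
  globals,
  ...
}:
let
  # Pod labels, shared by each Deployment's selector, its pod template and the
  # matching Service selector so the three cannot drift apart.
  websiteLabels = {
    app = "hedgedoc";
    component = "website";
  };

  databaseLabels = {
    app = "hedgedoc";
    component = "database";
  };

  # hostPath volumes only exist on this node; keep nodeName and the hostPath
  # paths below in step if the data ever moves.
  pinnedNode = "jefke";

  # Name of the Kubernetes Secret that holds all hedgedoc credentials.
  secretName = "hedgedoc";

  # Reference a key of that Secret from a container env entry.
  fromSecret = key: {
    valueFrom.secretKeyRef = {
      name = secretName;
      inherit key;
    };
  };

  # Never run two replicas at once: the hostPath-backed data directories are
  # not safe to share between pods.
  singleReplicaRollout = {
    type = "RollingUpdate";

    rollingUpdate = {
      maxSurge = 0;
      maxUnavailable = 1;
    };
  };
in
{
  options.hedgedoc.enable = lib.mkEnableOption "hedgedoc";

  config = lib.mkIf config.hedgedoc.enable {
    kubernetes.resources = {
      # Mounted as /hedgedoc/config.json. `useSSL = false` means hedgedoc does
      # not terminate TLS itself; CMD_PROTOCOL_USESSL below only sets the
      # scheme of generated URLs. TLS is presumably terminated by the ingress
      # — confirm.
      configMaps.hedgedoc-config.data.config = lib.generators.toJSON {} {
        useSSL = false;
      };

      # "ref+sops://" values are placeholders substituted from secrets.yml at
      # render time (assumed to be vals-style references — TODO confirm); the
      # plaintext never lives in this file.
      secrets.${secretName}.stringData = {
        databaseURL = "ref+sops://secrets.yml#/hedgedoc/databaseURL";
        sessionSecret = "ref+sops://secrets.yml#/hedgedoc/sessionSecret";
        databasePassword = "ref+sops://secrets.yml#/hedgedoc/databasePassword";
        # Kept in the Secret (not inline in the Deployment env) like the other
        # credentials, so reading the Deployment does not expose it.
        oauth2ClientSecret = "ref+sops://secrets.yml#/authentik/oauth2/hedgedoc/client_secret";
      };

      deployments = {
        server.spec = {
          selector.matchLabels = websiteLabels;
          strategy = singleReplicaRollout;

          template = {
            metadata.labels = websiteLabels;

            spec = {
              nodeName = pinnedNode;

              containers.hedgedoc = {
                image = globals.images.hedgedoc;
                ports.web.containerPort = 3000;

                env = {
                  CMD_DOMAIN.value = "md.kun.is";
                  CMD_PORT.value = "3000";
                  CMD_URL_ADDPORT.value = "false";
                  # Anonymous editing is on, local account creation is off:
                  # every named account comes from the OAuth2 provider.
                  CMD_ALLOW_ANONYMOUS.value = "true";
                  CMD_ALLOW_EMAIL_REGISTER.value = "false";
                  CMD_PROTOCOL_USESSL.value = "true";
                  # NOTE(review): Content-Security-Policy is switched off.
                  # Re-enabling it is a cheap hardening win if the site works
                  # with hedgedoc's default policy — worth a test.
                  CMD_CSP_ENABLE.value = "false";

                  # OAuth2 login via Authentik. The client ID is public; only
                  # the client secret is sensitive and comes from the Secret.
                  CMD_OAUTH2_PROVIDERNAME.value = "Authentik";
                  CMD_OAUTH2_CLIENT_ID.value = "ZF56062l4BPnq2INv2zaO9cEiE6sAj7CrxbWhExj";
                  CMD_OAUTH2_CLIENT_SECRET = fromSecret "oauth2ClientSecret";
                  CMD_OAUTH2_SCOPE.value = "openid email profile";
                  CMD_OAUTH2_USER_PROFILE_URL.value = "https://authentik.kun.is/application/o/userinfo/";
                  CMD_OAUTH2_TOKEN_URL.value = "https://authentik.kun.is/application/o/token/";
                  CMD_OAUTH2_AUTHORIZATION_URL.value = "https://authentik.kun.is/application/o/authorize/";
                  CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR.value = "preferred_username";
                  CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR.value = "name";
                  CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR.value = "email";

                  CMD_DB_URL = fromSecret "databaseURL";
                  CMD_SESSION_SECRET = fromSecret "sessionSecret";
                };

                volumeMounts = [
                  {
                    name = "uploads";
                    mountPath = "/hedgedoc/public/uploads";
                  }
                  {
                    # subPath mounts the single "config" key as a file rather
                    # than replacing the directory with the whole ConfigMap.
                    name = "config";
                    mountPath = "/hedgedoc/config.json";
                    subPath = "config";
                  }
                ];
              };

              volumes = {
                config.configMap.name = "hedgedoc-config";

                # type = "Directory" makes the pod fail to start if the path
                # is missing instead of silently creating an empty one.
                uploads.hostPath = {
                  path = "/mnt/longhorn/persistent/volumes/hedgedoc-uploads";
                  type = "Directory";
                };
              };

              # Give the uploads directory the container's (unprivileged)
              # group on first use only; 65534 is conventionally nobody/nogroup
              # — confirm it matches the user the image runs as.
              securityContext = {
                fsGroup = 65534;
                fsGroupChangePolicy = "OnRootMismatch";
              };
            };
          };
        };

        database.spec = {
          selector.matchLabels = databaseLabels;
          strategy = singleReplicaRollout;

          template = {
            metadata.labels = databaseLabels;

            spec = {
              nodeName = pinnedNode;

              containers.postgres = {
                image = globals.images.postgres15;
                imagePullPolicy = "IfNotPresent";
                ports.postgres.containerPort = 5432;

                env = {
                  POSTGRES_DB.value = "hedgedoc";
                  POSTGRES_USER.value = "hedgedoc";
                  # Data directory placed one level below the mount point.
                  PGDATA.value = "/pgdata/data";
                  POSTGRES_PASSWORD = fromSecret "databasePassword";
                };

                volumeMounts = [
                  {
                    name = "database";
                    mountPath = "/pgdata";
                  }
                ];
              };

              volumes.database.hostPath = {
                path = "/mnt/longhorn/persistent/volumes/hedgedoc-db";
                type = "Directory";
              };
            };
          };
        };
      };

      # Cluster-internal Services; only "server" is exposed, via the ingress
      # below. The database is reachable in-cluster only.
      services = {
        server.spec = {
          selector = websiteLabels;

          ports.web = {
            port = 80;
            targetPort = "web";
          };
        };

        database.spec = {
          selector = databaseLabels;

          ports.postgres = {
            port = 5432;
            targetPort = "postgres";
          };
        };
      };
    };

    # Project-level ingress option (defined outside this file): routes
    # md.kun.is to the "web" port of the "server" Service.
    lab = {
      ingresses.web = {
        host = "md.kun.is";

        service = {
          name = "server";
          portName = "web";
        };
      };
    };
  };
}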