The following will be installed:
Install APT available packages
apt install postgresql nodejs npm -y
Update npm to the latest version (the APT package is not the latest, so install it from APT and then let npm update itself)
npm install -g npm@latest
To install Yarn 4, run
corepack enable
Create a new database
CREATE DATABASE hedgedoc;
Create a new user
CREATE USER hedgedoc WITH ENCRYPTED PASSWORD '********************';
Grant all permissions on the new database to the new user
GRANT ALL PRIVILEGES ON DATABASE hedgedoc TO hedgedoc;
Connect to the new database using the root level postgres user and grant permission to the public schema
\c hedgedoc postgres
GRANT ALL ON SCHEMA public TO hedgedoc;
Exit PSQL
\q
Clone HedgeDoc to your server. Change the branch (-b) version as needed.
git clone https://github.com/hedgedoc/hedgedoc.git /opt/hedgedoc/ -b 1.10.5
Create a new POSIX user to run HedgeDoc
useradd -s /bin/bash -d /opt/hedgedoc hedgedoc
Change the ownership of the project to the new user
chown -R hedgedoc:hedgedoc /opt/hedgedoc/
Log in as the hedgedoc user. Since their home directory has been set to /opt/hedgedoc/, you'll be dropped into the application directory on login.
su - hedgedoc
Verify you're in the correct directory (/opt/hedgedoc/). If you're not in the application directory, something above didn't work correctly.
pwd
OPTIONAL: I use a proxy for internet access on my servers - use these yarn commands to configure a proxy server.
Run the setup script. This will install dependencies and generate an example configuration file.
bin/setup
Generate a sessionSecret so users are not logged out when the application restarts. If it is not configured, a random secret is generated at each startup, which invalidates all prior web sessions. I used pwgen to create a 64-character string: pwgen -snc 64. Put it in the production block of config.json (the file bin/setup created):
{
  "production": {
    "sessionSecret": "<string-here>",
Create a systemd service file to run HedgeDoc.
NOTE: In this scenario, where uploads are stored on the local filesystem rather than in an object store such as S3 or MinIO, you must make sure the service unit has adequate access to write files inside the app's installation directory. I had to create the .cache directory inside the app directory AND add it to the ReadWritePaths section in the service file.
Pay close attention to the service's log stream if it doesn't start up correctly (use journalctl -fu hedgedoc.service).
bash -c "cat > /etc/systemd/system/hedgedoc.service" <<'EOF'
[Unit]
Description=HedgeDoc - The best platform to write and share markdown.
Documentation=https://docs.hedgedoc.org/
After=network.target
# Uncomment if you use MariaDB/MySQL
# After=mysql.service
# Uncomment if you use PostgreSQL
# After=postgresql.service
[Service]
Type=exec
Environment=NODE_ENV=production
Restart=always
RestartSec=15s
ExecStart=/usr/bin/yarn start
CapabilityBoundingSet=
NoNewPrivileges=true
PrivateDevices=true
RemoveIPC=true
LockPersonality=true
ProtectControlGroups=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectClock=true
ProtectHostname=true
ProtectProc=noaccess
RestrictRealtime=true
RestrictSUIDSGID=true
RestrictNamespaces=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
SystemCallArchitectures=native
SystemCallFilter=@system-service pkey_alloc pkey_mprotect
# You may have to adjust these settings
User=hedgedoc
Group=hedgedoc
WorkingDirectory=/opt/hedgedoc
# Example: local storage for uploads and SQLite
# ReadWritePaths=/opt/hedgedoc/public/uploads /opt/hedgedoc/db
ReadWritePaths=/opt/hedgedoc/.cache/
[Install]
WantedBy=multi-user.target
EOF
Reload systemd and enable the service
systemctl daemon-reload && \
systemctl enable --now hedgedoc.service
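As an added post-install check (not part of this guide or of HedgeDoc itself), a small Python audit that reads config.json and the unit file and reports the two things the steps above call out: a sessionSecret that is still unset or left as the placeholder, and ProtectSystem=strict without a ReadWritePaths entry for the .cache directory. The sample inputs are constructed, and the app directory /opt/hedgedoc is assumed.

```python
import json

# Constructed sample inputs (not from a real server): a config.json that still
# carries the placeholder secret, and a [Service] section that has the
# hardening directives but lacks the ReadWritePaths entry for .cache.
WEAK_CONFIG = '{"production": {"sessionSecret": "<string-here>"}}'
WEAK_UNIT = """[Service]
Type=exec
Environment=NODE_ENV=production
User=hedgedoc
Group=hedgedoc
ProtectSystem=strict
NoNewPrivileges=true
"""

# Directives the unit above relies on; each must appear with exactly this value.
REQUIRED = {"Environment": "NODE_ENV=production", "User": "hedgedoc",
            "Group": "hedgedoc", "ProtectSystem": "strict",
            "NoNewPrivileges": "true"}

def parse_unit(text):
    """Collect [Service] directives; repeatable keys keep every value."""
    directives, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "Service" and "=" in line:
            key, value = line.split("=", 1)
            directives.setdefault(key, []).append(value)
    return directives

def audit(config_text, unit_text, app_dir="/opt/hedgedoc"):
    """Return a list of findings; an empty list means the setup matches the guide."""
    findings = []
    secret = json.loads(config_text).get("production", {}).get("sessionSecret", "")
    if not secret or secret.startswith("<") or len(secret) < 32:
        findings.append("sessionSecret missing, placeholder, or shorter than 32 chars; sessions reset on restart")
    d = parse_unit(unit_text)
    for key, want in REQUIRED.items():
        if want not in d.get(key, []):
            findings.append(f"[Service] should set {key}={want}")
    # ReadWritePaths may be repeated or space-separated; normalise trailing slashes.
    writable = [p.rstrip("/") for p in " ".join(d.get("ReadWritePaths", [])).split()]
    if "strict" in d.get("ProtectSystem", []) and f"{app_dir}/.cache" not in writable:
        findings.append(f"ProtectSystem=strict without ReadWritePaths for {app_dir}/.cache; service cannot write its cache")
    return findings
```

Run it against the real files with audit(open("/opt/hedgedoc/config.json").read(), open("/etc/systemd/system/hedgedoc.service").read()) before enabling the service.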