HedgeDoc Setup
Overview
Collaborative markdown editor for session notes and writing workshops.
- Public URL: write.dungeon.club via Cloudflare Tunnel (kuroda)
- Internal: localhost:3000 on Cosmos LXC (Proxmox, kuroda.cloud)
- Image: lscr.io/linuxserver/hedgedoc (v1.10.7, LinuxServer.io)
- Database: MariaDB 11 (Hedgedoc-db container, localhost:3306)
- Network: Both containers on host mode
Key env vars
CMD_DOMAIN=write.dungeon.club
CMD_PROTOCOL_USESSL=true
DB_HOST=localhost
DB_PORT=3306
DB_USER=hedgedoc
DB_NAME=hedgedoc
Auth (live)
OAuth2 via Authentik (auth.dungeon.club). Members log in with Discord via Authentik.
CMD_OAUTH2_PROVIDERNAME=Dungeon Books Guild
CMD_OAUTH2_SCOPE=openid email profile
CMD_OAUTH2_AUTHORIZATION_URL=https://auth.dungeon.club/application/o/authorize/
CMD_OAUTH2_TOKEN_URL=https://auth.dungeon.club/application/o/token/
CMD_OAUTH2_USER_PROFILE_URL=https://auth.dungeon.club/application/o/userinfo/
CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
CMD_OAUTH2_CLIENT_ID=<from Authentik HedgeDoc provider>
CMD_OAUTH2_CLIENT_SECRET=<from Authentik HedgeDoc provider>
CMD_EMAIL=true
CMD_ALLOW_EMAIL_REGISTER=false
CMD_ALLOW_ANONYMOUS=false
CMD_ALLOW_ANONYMOUS_EDITS=true
Authentik provider: OAuth2/OpenID, application slug hedgedoc, redirect URI https://write.dungeon.club/auth/oauth2/callback.
Cloudflare Tunnel
- Tunnel: kuroda
- Route: write.dungeon.club → http://localhost:3000
Gotchas
- Must use network_mode: host for both HedgeDoc and MariaDB containers (so DB is reachable at localhost)
- CMD_DOMAIN must match the public URL exactly — HedgeDoc generates CSP headers from it. Wrong domain = all assets blocked by browser.
- Set sessionSecret in config.json to avoid session resets on container restart.
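
A pre-deploy check for the gotchas above, as an added example (not part of the original notes or HedgeDoc's own code): it verifies that CMD_DOMAIN and CMD_PROTOCOL_USESSL agree with the public URL, that the resulting callback equals the redirect URI registered in Authentik, and that the OAuth2 endpoints are HTTPS on the identity provider host. The function names and the constructed sample env are assumptions, as is a deployment with no URL path prefix or added port.

```python
from urllib.parse import urlsplit

# Constructed sample mirroring the env vars on this page (secret left as placeholder).
SAMPLE_ENV = """\
CMD_DOMAIN=write.dungeon.club
CMD_PROTOCOL_USESSL=true
CMD_OAUTH2_AUTHORIZATION_URL=https://auth.dungeon.club/application/o/authorize/
CMD_OAUTH2_TOKEN_URL=https://auth.dungeon.club/application/o/token/
CMD_OAUTH2_USER_PROFILE_URL=https://auth.dungeon.club/application/o/userinfo/
CMD_OAUTH2_CLIENT_SECRET=<from Authentik HedgeDoc provider>
"""

def parse_env(text):
    """Parse KEY=VALUE lines, ignoring blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip()
    return env

def check_env(env, public_url, registered_redirect, idp_host):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    pub = urlsplit(public_url)
    use_ssl = env.get("CMD_PROTOCOL_USESSL", "").lower() == "true"
    if env.get("CMD_DOMAIN") != pub.hostname:
        findings.append("CMD_DOMAIN does not match the public hostname (CSP will block assets)")
    if use_ssl != (pub.scheme == "https"):
        findings.append("CMD_PROTOCOL_USESSL disagrees with the public URL scheme")
    # Callback URL as derived from HedgeDoc's own domain/protocol settings
    # (assumption: no path prefix, no port appended).
    scheme = "https" if use_ssl else "http"
    callback = f"{scheme}://{env.get('CMD_DOMAIN', '')}/auth/oauth2/callback"
    if callback != registered_redirect:
        findings.append(f"callback {callback} is not the redirect URI registered in Authentik")
    for key in ("CMD_OAUTH2_AUTHORIZATION_URL", "CMD_OAUTH2_TOKEN_URL",
                "CMD_OAUTH2_USER_PROFILE_URL"):
        url = urlsplit(env.get(key, ""))
        if url.scheme != "https" or url.hostname != idp_host:
            findings.append(f"{key} is not an https URL on {idp_host}")
    secret = env.get("CMD_OAUTH2_CLIENT_SECRET", "")
    if not secret or secret.startswith("<"):
        findings.append("CMD_OAUTH2_CLIENT_SECRET is empty or still a placeholder")
    return findings
```

Run it against the real container env before restarting; with the sample above the only finding is the placeholder client secret.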