xin/diffu
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

massicot: host hedgedoc with oidc

Browse source
This commit is contained in:
xinyangli 2023-12-24 13:58:53 +08:00
parent b944954b3c
commit 8b735dd5da
5 changed files with 110 additions and 7 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
machines/massicot/default.nix
View file

@ -18,6 +18,9 @@
gts_env = {
owner = "gotosocial";
};
hedgedoc_env = {
owner = "hedgedoc";
};
grafana_cloud_api = {
owner = "prometheus";
sopsFile = ../secrets.yaml;

5
machines/massicot/secrets.yaml
View file

@ -1,5 +1,6 @@
storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str]
gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str]
hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str]
sops:
kms: []
gcp_kms: []
@ -24,8 +25,8 @@ sops:
dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-15T13:06:05Z"
mac: ENC[AES256_GCM,data:ArxA3+i+W2hU0mpzjPqzBA1pQdZySwJ+LVAez2PWFMsrgT4QATi+KmlWWfuPBkOq/DYafAES8lTemDeuzuQl7bWZq06g3s35C8Q3D/TDUKFF3ALEL5grSxKTVzg4Npjc2q2OIOXrIp/j83Gn1lBuyBFg0YdGkJ+b/BmDGkTbyUg=,iv:8MB/+WklLsFTnlvxLyvCK8VUMNeXtaPTGXlp9hRGzOM=,tag:VbbnQfPewNGdrPqmZJSYlA==,type:str]
lastmodified: "2023-12-22T08:05:27Z"
mac: ENC[AES256_GCM,data:CiXU49arW+3w4/Lkh4l+6VjopyP7XNCU4AmuwZmnmQ7Vv4RCt84fC6lM6o4HiCc5jB07QY+2WZ5LvWz9zgSt636UpnCMgbG1w2Lxae38fW02RHJv90rn+cyyddB5kSucr5/P5NKBOZut54Cf4zVW9BaqajpQMxe4hEOn+xXpXz8=,iv:beWRlUvb6OUOK+mUXdvpvmM8S7xK0QIkIA2Bk9QA35c=,tag:KrBXqsAdBAhtwygdEHnUqQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

23
machines/massicot/services.nix
View file

@ -11,6 +11,21 @@ in
domain = "vaultwarden.xinyang.life";
};
custom.hedgedoc = {
enable = true;
caddy = true;
domain = "docs.xinyang.life";
mediaPath = "/mnt/storage/hedgedoc";
oidc = {
enable = true;
baseURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc";
authorizationURL = "https://auth.xinyang.life/ui/oauth2";
tokenURL = "https://auth.xinyang.life/oauth2/token";
userProfileURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc/userinfo";
};
environmentFile = config.sops.secrets.hedgedoc_env.path;
};
custom.prometheus = {
enable = true;
exporters.enable = true;
@ -27,7 +42,7 @@ in
fsType = "cifs";
options = ["uid=${share},gid=${share},credentials=${config.sops.secrets.storage_box_mount.path}"];
};
}) [ "forgejo" "gotosocial" "conduit" ] );
}) [ "forgejo" "gotosocial" "conduit" "hedgedoc" ] );
system.activationScripts = {
conduit-media-link.text = ''
@ -144,7 +159,7 @@ in
flush_interval -1
}
'';
virtualHosts."git.xinyang.life:443".extraConfig = ''
virtualHosts."https://git.xinyang.life:443".extraConfig = ''
reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
'';
@ -155,8 +170,8 @@ in
abort
}
'';
virtualHosts."https://auth.xinyang.life:443".extraConfig = ''
reverse_proxy https://auth.xinyang.life:${toString kanidm_listen_port} {
virtualHosts."https://auth.xinyang.life".extraConfig = ''
reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
header_up Host {upstream_hostport}
header_down Access-Control-Allow-Origin "*"
transport http {

1
modules/nixos/default.nix
View file

@ -4,5 +4,6 @@
./restic.nix
./vaultwarden.nix
./prometheus.nix
./hedgedoc.nix
];
}

83
modules/nixos/hedgedoc.nix Normal file
View file

@ -0,0 +1,83 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfg = config.custom.hedgedoc;
in
{
options = {
custom.hedgedoc = {
enable = mkEnableOption "HedgeDoc Markdown Editor";
domain = mkOption {
type = types.str;
default = "docs.example.com";
description = "Domain name of the HedgeDoc server";
};
caddy = mkOption {
type = types.bool;
default = true;
description = "Enable Caddy as reverse proxy";
};
mediaPath = mkOption {
type = types.path;
default = /var/lib/hedgedoc/uploads;
description = "Directory for storing medias";
};
oidc = {
enable = mkEnableOption "OIDC support for HedgeDoc";
baseURL = mkOption {
type = types.str;
};
authorizationURL = mkOption {
type = types.str;
};
tokenURL = mkOption {
type = types.str;
};
userProfileURL = mkOption {
type = types.str;
};
};
environmentFile = mkOption {
type = types.path;
};
};
};
config = {
services.hedgedoc = mkIf cfg.enable {
enable = true;
environmentFile = cfg.environmentFile;
settings = {
domain = cfg.domain;
protocolUseSSL = cfg.caddy;
uploadsPath = cfg.mediaPath;
path = "/run/hedgedoc/hedgedoc.sock";
email = false;
allowEmailRegister = false;
oauth2 = mkIf cfg.oidc.enable {
baseURL = cfg.oidc.baseURL;
authorizationURL = cfg.oidc.authorizationURL;
tokenURL = cfg.oidc.tokenURL;
userProfileURL = cfg.oidc.userProfileURL;
userProfileEmailAttr = "email";
userProfileUsernameAttr = "name";
userProfileDisplayNameAttr = "preferred_name";
scope = "openid email profile";
clientID = "$HEDGEDOC_CLIENT_ID";
clientSecret = "$HEDGEDOC_CLIENT_SECRET";
};
allowAnonymous = false;
defaultPermission = "private";
};
};
services.caddy = mkIf ( cfg.enable && cfg.enable ) {
enable = true;
virtualHosts."https://${cfg.domain}".extraConfig = ''
reverse_proxy unix/${config.services.hedgedoc.settings.path}
'';
};
users.users.caddy.extraGroups = mkIf ( cfg.enable && cfg.enable ) [ "hedgedoc" ];
};
}