From 6005be75773f0a09691c82df0c7ce86ba429c12b Mon Sep 17 00:00:00 2001
From: eyjhb
Date: Sun, 11 Aug 2024 13:39:24 +0200
Subject: [PATCH] gerd.hedgedoc: added hedgedoc with ldap support

---
 machines/gerd.nix | 2 +
 machines/gerd/services/hedgedoc.nix | 49 +++++++++++++++++++
 secrets/default.nix | 1 +
 secrets/lldap/bind-user-pass-hedgedoc-env.age | 10 ++++
 secrets/secrets.nix | 1 +
 5 files changed, 63 insertions(+)
 create mode 100644 machines/gerd/services/hedgedoc.nix
 create mode 100644 secrets/lldap/bind-user-pass-hedgedoc-env.age

diff --git a/machines/gerd.nix b/machines/gerd.nix
index af0759b..0ca28bf 100644
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@@ -12,6 +12,7 @@
 ./gerd/services/forgejo.nix
 ./gerd/services/teeworlds.nix
 ./gerd/services/murmur.nix
+ ./gerd/services/hedgedoc.nix
 ];
 
 networking.hostName = "gerd";
@@ -23,6 +24,7 @@
 disk = "/dev/sda";
 pools.rpool.datasets = {
 "safe/svcs/forgejo" = { mountpoint = "/srv/forgejo"; extra.options.quota = "5G"; };
+ "safe/svcs/hedgedoc" = { mountpoint = "/srv/hedgedoc"; extra.options.quota = "5G"; };
 };
 };
 
diff --git a/machines/gerd/services/hedgedoc.nix b/machines/gerd/services/hedgedoc.nix
new file mode 100644
index 0000000..d66fda6
--- /dev/null
+++ b/machines/gerd/services/hedgedoc.nix
@@ -0,0 +1,49 @@
+{ config, ... }:
+
+let
+ domain = "hedgedoc.fricloud.dk";
+ stateDir = config.mine.zfsMounts."rpool/safe/svcs/hedgedoc";
+in {
+ services.hedgedoc = {
+ enable = true;
+ settings = {
+ # only change default port, because 3000 is used by other service
+ port = 6864;
+ domain = domain;
+ protocolUseSSL = true;
+ debug = true;
+ uploadsPath = stateDir + "/uploads";
+ db.dialect = "sqlite";
+ db.storage = stateDir + "/db.sqlite";
+
+ # disable annonymous notes, but allow annonymous edits
+ allowAnonymous = false;
+ allowAnonymousEdits = true;
+ defaultPermission = "private"; # only owner can view and edit
+
+ # disable email login and register
+ email = false;
+ allowEmailRegister = false;
+
+ # setup ldap
+ # https://github.com/lldap/lldap/blob/main/example_configs/hedgedoc.md
+ ldap = {
+ url = "ldap://localhost:3890";
+ bindDn = "uid=bind_user,ou=people,dc=fricloud,dc=dk";
+ searchBase = "ou=people,dc=fricloud,dc=dk";
+ searchFilter = "(&(memberOf=cn=base_member,ou=groups,dc=fricloud,dc=dk)(uid={{username}}))";
+ useridField = "uid";
+ };
+ };
+ };
+
+ # add state directory to ReadWritePaths
+ systemd.services.hedgedoc.serviceConfig.ReadWritePaths = [ stateDir ];
+ systemd.services.hedgedoc.serviceConfig.EnvironmentFile = config.age.secrets.lldap-bind-user-pass-hedgedoc-env.path;
+
+ services.nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://localhost:${builtins.toString config.services.hedgedoc.settings.port}";
+ };
+}
diff --git a/secrets/default.nix b/secrets/default.nix
index a64d3e9..7f88c6f 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -16,6 +16,7 @@
 group = "secrets-lldap-bind-user-pass";
 mode = "0440";
 };
+ lldap-bind-user-pass-hedgedoc-env.file = ./lldap/bind-user-pass-hedgedoc-env.age;
 
 # mumble
 murmur-env.file = ./murmur/env.age;
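Review bot: `debug = true;` in the settings block leaves HedgeDoc's debug mode on for an instance that is exposed publicly through the nginx vhost with ACME; debug output is typically much more verbose than normal logging and can put request details into the journal, so unless this is deliberate for the rollout it should be `debug = false;`, or at least carry a comment such as `# TODO: turn off once LDAP login is verified`. The bind password is correctly kept out of the Nix store via EnvironmentFile, and the plaintext `ldap://localhost:3890` URL is acceptable only because the connection presumably stays on loopback; a comment recording that assumption (`# plain LDAP is only acceptable because lldap is reached over loopback`) would keep a later move to a remote directory from silently going unencrypted. The comment on the anonymous settings misspells `annonymous` twice.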
diff --git a/secrets/lldap/bind-user-pass-hedgedoc-env.age b/secrets/lldap/bind-user-pass-hedgedoc-env.age new file mode 100644 index 0000000..aac3fd4 --- /dev/null +++ b/secrets/lldap/bind-user-pass-hedgedoc-env.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 QSDXqg lB8SsqHApg4Bmrg+YP4Gns7+UtUb8jOjxEXzTRHT4A8 +psFKfMdO5j54Q1ISyA+FgWZCRHVmEWXNNkjweqWZ1qs +-> ssh-ed25519 n8n9DQ WGAMIZbfqukK5mrTlKYy8rUNy+DEwxFijZiCxOGlX1o +7/YPyZbUfJ7SB9T38JwgcW2LAnZSLgMFDbf6N7NbRbI +-> ssh-ed25519 BTp6UA ZkEWRVFiMWnQQap3CGb+FihCw/y8funz6UFuxPYsmQU +e9h5DaikoTLmsWPIC82DA7EUUOX7X1ZrSmBKeMk9T04 +--- Uif4qB0IT17YXBP1r36yXjUzO2rd6wuVi9wP0x0D1WY +wZh(ȂSF+;L %Лv́4h?dǤ_ +&%K-O+D"RA#_. \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 066a77f..310205a 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -20,6 +20,7 @@ in # lldap "lldap/admin-user-pass.age".publicKeys = defaultAccess; "lldap/bind-user-pass.age".publicKeys = defaultAccess; + "lldap/bind-user-pass-hedgedoc-env.age".publicKeys = defaultAccess; # mumble "murmur/env.age".publicKeys = defaultAccess;