gerd.hedgedoc: added hedgedoc with ldap support

2024-08-11 13:39:24 +02:00 · 2024-08-11 13:39:24 +02:00 · 6005be7577
commit 6005be7577
parent 68d8ee30a9
5 changed files with 63 additions and 0 deletions
--- a/machines/gerd.nix
+++ b/machines/gerd.nix
@ -12,6 +12,7 @@
    ./gerd/services/forgejo.nix
    ./gerd/services/teeworlds.nix
    ./gerd/services/murmur.nix
+    ./gerd/services/hedgedoc.nix
  ];

  networking.hostName = "gerd";
@ -23,6 +24,7 @@
      disk = "/dev/sda";
      pools.rpool.datasets = {
        "safe/svcs/forgejo" = { mountpoint = "/srv/forgejo"; extra.options.quota = "5G"; };
+        "safe/svcs/hedgedoc" = { mountpoint = "/srv/hedgedoc"; extra.options.quota = "5G"; };
      };
    };

--- a/machines/gerd/services/hedgedoc.nix
+++ b/machines/gerd/services/hedgedoc.nix
@ -0,0 +1,49 @@
+{ config, ... }:
+
+let
+  domain = "hedgedoc.fricloud.dk";
+  stateDir = config.mine.zfsMounts."rpool/safe/svcs/hedgedoc";
+in {
+  services.hedgedoc = {
+    enable = true;
+    settings = {
+      # only change default port, because 3000 is used by other service
+      port = 6864;
+      domain = domain;
+      protocolUseSSL = true;
+      debug = true;
+      uploadsPath = stateDir + "/uploads";
+      db.dialect = "sqlite";
+      db.storage = stateDir + "/db.sqlite";
+
+      # disable annonymous notes, but allow annonymous edits
+      allowAnonymous = false;
+      allowAnonymousEdits = true;
+      defaultPermission = "private"; # only owner can view and edit
+
+      # disable email login and register
+      email = false;
+      allowEmailRegister = false;
+
+      # setup ldap
+      # https://github.com/lldap/lldap/blob/main/example_configs/hedgedoc.md
+      ldap = {
+        url = "ldap://localhost:3890";
+        bindDn = "uid=bind_user,ou=people,dc=fricloud,dc=dk";
+        searchBase = "ou=people,dc=fricloud,dc=dk";
+        searchFilter = "(&(memberOf=cn=base_member,ou=groups,dc=fricloud,dc=dk)(uid={{username}}))";
+        useridField = "uid";
+      };
+    };
+  };
+
+  # add state directory to ReadWritePaths
+  systemd.services.hedgedoc.serviceConfig.ReadWritePaths = [ stateDir ];
+  systemd.services.hedgedoc.serviceConfig.EnvironmentFile = config.age.secrets.lldap-bind-user-pass-hedgedoc-env.path;
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass = "http://localhost:${builtins.toString config.services.hedgedoc.settings.port}";
+  };
+}