fricloud/server-configs
2
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions

gerd.hedgedoc: added hedgedoc with ldap support

Browse source
This commit is contained in:
eyjhb 2024-08-11 13:39:24 +02:00
parent 68d8ee30a9
commit 6005be7577
No known key found for this signature in database
GPG key ID: 609F508E3239F920
5 changed files with 63 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
machines/gerd.nix
View file

@ -12,6 +12,7 @@
./gerd/services/forgejo.nix ./gerd/services/forgejo.nix
./gerd/services/teeworlds.nix ./gerd/services/teeworlds.nix
./gerd/services/murmur.nix ./gerd/services/murmur.nix
./gerd/services/hedgedoc.nix
]; ];
networking.hostName = "gerd"; networking.hostName = "gerd";
@ -23,6 +24,7 @@
disk = "/dev/sda"; disk = "/dev/sda";
pools.rpool.datasets = { pools.rpool.datasets = {
"safe/svcs/forgejo" = { mountpoint = "/srv/forgejo"; extra.options.quota = "5G"; }; "safe/svcs/forgejo" = { mountpoint = "/srv/forgejo"; extra.options.quota = "5G"; };
"safe/svcs/hedgedoc" = { mountpoint = "/srv/hedgedoc"; extra.options.quota = "5G"; };
}; };
}; };

49
machines/gerd/services/hedgedoc.nix Normal file
View file

@ -0,0 +1,49 @@
{ config, ... }:
let
domain = "hedgedoc.fricloud.dk";
stateDir = config.mine.zfsMounts."rpool/safe/svcs/hedgedoc";
in {
services.hedgedoc = {
enable = true;
settings = {
# only change default port, because 3000 is used by other service
port = 6864;
domain = domain;
protocolUseSSL = true;
debug = true;
uploadsPath = stateDir + "/uploads";
db.dialect = "sqlite";
db.storage = stateDir + "/db.sqlite";
# disable annonymous notes, but allow annonymous edits
allowAnonymous = false;
allowAnonymousEdits = true;
defaultPermission = "private"; # only owner can view and edit
# disable email login and register
email = false;
allowEmailRegister = false;
# setup ldap
# https://github.com/lldap/lldap/blob/main/example_configs/hedgedoc.md
ldap = {
url = "ldap://localhost:3890";
bindDn = "uid=bind_user,ou=people,dc=fricloud,dc=dk";
searchBase = "ou=people,dc=fricloud,dc=dk";
searchFilter = "(&(memberOf=cn=base_member,ou=groups,dc=fricloud,dc=dk)(uid={{username}}))";
useridField = "uid";
};
};
};
# add state directory to ReadWritePaths
systemd.services.hedgedoc.serviceConfig.ReadWritePaths = [ stateDir ];
systemd.services.hedgedoc.serviceConfig.EnvironmentFile = config.age.secrets.lldap-bind-user-pass-hedgedoc-env.path;
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:${builtins.toString config.services.hedgedoc.settings.port}";
};
}

1
secrets/default.nix
View file

@ -16,6 +16,7 @@
group = "secrets-lldap-bind-user-pass"; group = "secrets-lldap-bind-user-pass";
mode = "0440"; mode = "0440";
}; };
lldap-bind-user-pass-hedgedoc-env.file = ./lldap/bind-user-pass-hedgedoc-env.age;
# mumble # mumble
murmur-env.file = ./murmur/env.age; murmur-env.file = ./murmur/env.age;

10
secrets/lldap/bind-user-pass-hedgedoc-env.age Normal file
View file

@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 QSDXqg lB8SsqHApg4Bmrg+YP4Gns7+UtUb8jOjxEXzTRHT4A8
psFKfMdO5j54Q1ISyA+FgWZCRHVmEWXNNkjweqWZ1qs
-> ssh-ed25519 n8n9DQ WGAMIZbfqukK5mrTlKYy8rUNy+DEwxFijZiCxOGlX1o
7/YPyZbUfJ7SB9T38JwgcW2LAnZSLgMFDbf6N7NbRbI
-> ssh-ed25519 BTp6UA ZkEWRVFiMWnQQap3CGb+FihCw/y8funz6UFuxPYsmQU
e9h5DaikoTLmsWPIC82DA7EUUOX7X1ZrSmBKeMk9T04
--- Uif4qB0IT17YXBP1r36yXjUzO2rd6wuVi9wP0x0D1WY
ËÔèw¥Zhõ(È‚ùSú¯ÝFø+;•LÛ Õ%þúГvÌ<76>4ßh?ÞàýdǤ¯_
ŸÎô&Ê%Kì<4B>-ïO+ªš™ü¯"R™¨A#_£Ø.

1
secrets/secrets.nix
View file

@ -20,6 +20,7 @@ in
# lldap # lldap
"lldap/admin-user-pass.age".publicKeys = defaultAccess; "lldap/admin-user-pass.age".publicKeys = defaultAccess;
"lldap/bind-user-pass.age".publicKeys = defaultAccess; "lldap/bind-user-pass.age".publicKeys = defaultAccess;
"lldap/bind-user-pass-hedgedoc-env.age".publicKeys = defaultAccess;
# mumble # mumble
"murmur/env.age".publicKeys = defaultAccess; "murmur/env.age".publicKeys = defaultAccess;