Merge branch 'hedgedoc'

Merge pull request #22 from chaos-jetzt/hedgedoc

hosts/goldberg/configuration.nix

@@ -8,6 +8,7 @@
     ../../services/vaultwarden.nix
     ../../services/dokuwiki.nix
     ../../services/freescout.nix
+    ../../services/hedgedoc.nix
   ];
 
   system.stateVersion = "23.05";

hosts/shirley/configuration.nix

@@ -8,6 +8,7 @@
     ../../services/vaultwarden.nix
     ../../services/dokuwiki.nix
     ../../services/freescout.nix
+    ../../services/hedgedoc.nix
   ];
 
   system.stateVersion = "23.05";

secrets/goldberg/secrets.yaml

@@ -9,6 +9,7 @@ dokuwiki:
     keycloak_key: ENC[AES256_GCM,data:/6+NWA==,iv:61M+OdGx3lCR3uFWmArpYUm9Q4L+pv656V8g257YMTw=,tag:fOESdHA6+bpMMDRbWRFn+A==,type:str]
 vaultwarden:
     env: ENC[AES256_GCM,data:mDqHHAjisl0din/q67+zH7NMKLXld9qC0Si6ZREhRStXr6HEFD/QwaGLN86AvUI7sHNf9l4nrgKOht7uXNJrkjuidGsFEEJWkuUOjBRnrtipNKV2YK7giPQXEhH7wTdGeaqxqi4sk90Oq/FoKi2vPkFyNWGOQ5vOXkKKXjjHnbyKIQkIRWya2Dy6IN0CXU8UK0OiQXY3kgEFOyJoqt4sx/HOScHNKkaLb8U+0rpfzxSVyP3oY4o/DFkE51bnd/CNKg3ZK4Ynp/5m7Rs=,iv:aWpDXSp6Ds7cfdw/vfM3I5wcHz0MytnhpIIWEa24LBE=,tag:5YZKo4ZCT57gji8iyBMAiQ==,type:str]
+hedgedoc_env: ENC[AES256_GCM,data:MeMyjUNchdUm9gqt7hOZU0xvlZvbUWmgh2iiZjkmb20y9dGt083FbGLNuWLkWd8WFM93dETaOj9WD0mbRK11THXyV61rjrwpBkx2NjCFeHX/JjUe7MzxAhm/7Kn9IFl9As5B++SiD97QxEBpcG0AJDoluXqVpZSIHgG6W5FXSYDgZ+/V8dmfSplF5Nj2cseD5kI=,iv:7l8wNfi9HWc8Ep1Y9bUkdJo+2UQVkTfqW0J3pfPxpNg=,tag:xS+vD73r6rDmeeAB4bstww==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -24,8 +25,8 @@ sops:
             QjBmYlNYWlFoWHd0ZFJkWE0xMkpvZzQKJwKap35S2pWGNOtBHe931dRqAQAczbWv
             /BUEtl900F8YLQCB1/myV0Dk5X9XDlww1yrzw/La3gXANY93Ndu3MA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-24T23:32:14Z"
-    mac: ENC[AES256_GCM,data:H6fvAvgQCx/iXcLnId7KW5wQ/xMpW/IELg9saYOC6UBMngXNMAoneEgTtmo89Dbwvc2e1qo5fzkk7XacBTx6SNOq27gwPUyfsNKD/V+VPpJtAV+PH47CoR83pnS0uPbiyCAIJvp+bXBI9LNMBb6VrrqR7NqKva2BG528n6b3LUQ=,iv:9KyBPOKu4swk6IZCNt/xI9DKqeuwyG7z1aEXIXDxVvg=,tag:hIVSBQd/85C0+sEiCKGQ/w==,type:str]
+    lastmodified: "2023-07-24T14:30:13Z"
+    mac: ENC[AES256_GCM,data:UXYfO7Ezx6jhuElF4ncJ3qcm5e9S4dLnIJ6ieELzmwHZEAIf8HCeovJIuubv9UbQeXg3F+jQzUA7xP8cGcx4fh6WzaXZuq+i/GbF79HCbgtYb8KogC7C/nbi7aFgd6euM84txNpIFlBMmcOAaVAdO+9zM6AxaclPq0Am+I+eG2E=,iv:ObMNbl1fI0yFQraR56rxSxBzv++MMdNY6JOZtPqBl5U=,tag:Nu5GZqWutwWxxORWcfLlVQ==,type:str]
     pgp:
         - created_at: "2023-07-23T14:01:56Z"
           enc: |-

secrets/shirley/secrets.yaml

@@ -4,6 +4,7 @@ dokuwiki:
     keycloak_key: ENC[AES256_GCM,data:gXCRVg==,iv:BqBPRnD8mIQ97MHfn/KESqe8ABXGaDXEIAGyYcbfXlI=,tag:KhgQX5N3MATmnqXnEIjzBQ==,type:str]
 vaultwarden:
     env: ENC[AES256_GCM,data:4zeSpiaJQ8v00EBHrS6IU/1KXCEP6EBpkMacW0mf3ygZxSfUL3oQ11sXOu24OOMnTpaZUPJ68rj1jSNgBoVQ7rLttpCHKy62ART2xi0PcSCpDCBLpBocPdpFydQzwFOrMAYpcS6SB/ijy2ZxvfzVQqykcqfLdwdZs3PCys15OSQT269FmFERT25pTW7d6zxE3eY2YhLf1Y+6MjYHffAEv8RqN35UWyAOh8dJU09lbEsUiBRwN3tNhQ0STOsShhxY/ogMZdAHQwvGjo0=,iv:yK9PBOURtOVBBPwuJSpARvb5eXUIhPypEbEYbX2PqRs=,tag:MG7fcBPMg9eMjtD5V+yjBw==,type:str]
+hedgedoc_env: ENC[AES256_GCM,data:M/UW8QjiiHU/YsSYsYnZbeA+SPAub53E1FAiSvRFTeQeR0d3+t0g0lfn9Wqcok541NjETs7LN4lCrYBR6cH4EqQ9581pj2Fi5KabypA/2DUNTaAjtCbA2RNM/M/1/ka5n8AFNgzXppb/yEQ2xqQfV7IN/d6ClJzfFi+3FoFa3wRwAajvkH+yP8rfTBkQFamQWTQ=,iv:6vOeJHkNnva92GCrhuIj3HtG6z50UBnxRGg97jv2/gk=,tag:eYN4q7/HL0BtPdYLlbaW+A==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -19,8 +20,8 @@ sops:
             Z3FXczZaSUVLY2lCcWJaQklXNHBzczAKQev4noy5ValCq65BhvXl1weY2QNsTe6f
             f4SUmm5NGbTiGaghOLC1Cio3K8ibA0vszVyySNE1khkvcM7JewIXAQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-12-30T21:13:58Z"
-    mac: ENC[AES256_GCM,data:hdQd5oQUBMdbjPqVsMd5sFIJOCq7GjcRPZ4trcT+MkZhYUyTkrHIk80XpVWUugsV4CXafq503gH5BnwMZaaYWtA53k4laIkKzuChXTSJ/D0TY1mX2+WxxMjrc5wPA2iWJwTS25O9pPA4y2tqonYXAG8jHAxDiNZmtdTKepJyaB8=,iv:H73rk9mNbsd+HoxDzcE+Cx5CmqFeuw3A9oQc5yxyMik=,tag:t4w1WozItK+QlIrs5wL8Mw==,type:str]
+    lastmodified: "2023-07-24T15:00:19Z"
+    mac: ENC[AES256_GCM,data:TqoMFF2XBc1iA/FnwgEwKdTKneHV6AvvPRVR+E7bkpqHQsxcl/wRLUzfQ5bg3YDviB/kB1KDuS25xQn/ztJKoBn7deWF0+9xz5npStQimNWuzgbTCIQS5hbqahgOejnnGVvJ/zms67ZOOG/Ek8W4eE8DUNMlUlNNIxGD8fkRwYI=,iv:FYW3K/QipSCrk0ZrxUhJANB5CBY4K5af4KhUf7GwuYU=,tag:HeLAe/yCZnDXqNHeUDpylQ==,type:str]
     pgp:
         - created_at: "2023-07-23T14:01:46Z"
           enc: |-

services/hedgedoc.nix

@@ -0,0 +1,81 @@
+{ config
+, baseDomain
+, lib
+, ...
+}:
+
+let
+  domain = "md.${baseDomain}";
+  isDev = (builtins.substring 0 3 baseDomain) == "dev";
+  realm = if isDev then "dev" else "chaos-jetzt";
+  sso_url = "https://sso.chaos.jetzt/auth/realms/${realm}/protocol/openid-connect";
+  sock_path = "/run/hedgedoc/hedgedoc.sock";
+in {
+  # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
+  sops.secrets."hedgedoc_env" = {};
+
+  services.hedgedoc = {
+    enable = true;
+    environmentFile = config.sops.secrets.hedgedoc_env.path;
+    settings = {
+      inherit domain;
+
+      allowAnonymousEdits = true;
+      allowEmailRegister = false;
+      allowFreeURL = true;
+      requireFreeURLAuthentication = false;
+      allowGravatar = false;
+      allowOrigin = [ domain ];
+      db = {
+        dialect = "postgres";
+        host = "/run/postgresql";
+      };
+      email = false;
+      path = sock_path;
+      protocolUseSSL = true;
+      # NOTE(@e1mo): Currently disabled until we decide if we want
+      # SSO but left in here as this is a known working config.
+      oauth2 = lib.mkIf false {
+        baseURL = sso_url;
+        userProfileURL = "${sso_url}/userinfo";
+        userProfileUsernameAttr = "preferred_username";
+        userProfileDisplayNameAttr = "preferred_username";
+        userProfileEmailAttr = "email";
+        tokenURL = "${sso_url}/token";
+        authorizationURL = "${sso_url}/auth";
+        clientID = "hedgedoc";
+        providerName = if isDev then "SSO (dev)" else "SSO";
+      };
+      useCDN = false;
+      logLevel = "warn";
+    };
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://unix:${sock_path}";
+      proxyWebsockets = true;
+    };
+  };
+
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "hedgedoc" ];
+    ensureUsers = [{
+      name = "hedgedoc";
+      ensurePermissions."DATABASE hedgedoc" = "ALL PRIVILEGES";
+    }];
+  };
+
+  # Required for nginx to be able to access the hedgedoc socket
+  users.users.nginx.extraGroups = [ "hedgedoc" ];
+  systemd.services.hedgedoc = {
+    serviceConfig = {
+      UMask = "0007";
+      RuntimeDirectory = "hedgedoc";
+    };
+  };
+}