Merge branch 'hedgedoc'
Merge pull request #22 from chaos-jetzt/hedgedoc
commit
e44a633770
5 changed files with 89 additions and 4 deletions
|
@ -8,6 +8,7 @@
|
||||||
../../services/vaultwarden.nix
|
../../services/vaultwarden.nix
|
||||||
../../services/dokuwiki.nix
|
../../services/dokuwiki.nix
|
||||||
../../services/freescout.nix
|
../../services/freescout.nix
|
||||||
|
../../services/hedgedoc.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
system.stateVersion = "23.05";
|
system.stateVersion = "23.05";
|
||||||
|
|
|
@ -8,6 +8,7 @@
|
||||||
../../services/vaultwarden.nix
|
../../services/vaultwarden.nix
|
||||||
../../services/dokuwiki.nix
|
../../services/dokuwiki.nix
|
||||||
../../services/freescout.nix
|
../../services/freescout.nix
|
||||||
|
../../services/hedgedoc.nix
|
||||||
];
|
];
|
||||||
|
|
||||||
system.stateVersion = "23.05";
|
system.stateVersion = "23.05";
|
||||||
|
|
|
@ -9,6 +9,7 @@ dokuwiki:
|
||||||
keycloak_key: ENC[AES256_GCM,data:/6+NWA==,iv:61M+OdGx3lCR3uFWmArpYUm9Q4L+pv656V8g257YMTw=,tag:fOESdHA6+bpMMDRbWRFn+A==,type:str]
|
keycloak_key: ENC[AES256_GCM,data:/6+NWA==,iv:61M+OdGx3lCR3uFWmArpYUm9Q4L+pv656V8g257YMTw=,tag:fOESdHA6+bpMMDRbWRFn+A==,type:str]
|
||||||
vaultwarden:
|
vaultwarden:
|
||||||
env: ENC[AES256_GCM,data:mDqHHAjisl0din/q67+zH7NMKLXld9qC0Si6ZREhRStXr6HEFD/QwaGLN86AvUI7sHNf9l4nrgKOht7uXNJrkjuidGsFEEJWkuUOjBRnrtipNKV2YK7giPQXEhH7wTdGeaqxqi4sk90Oq/FoKi2vPkFyNWGOQ5vOXkKKXjjHnbyKIQkIRWya2Dy6IN0CXU8UK0OiQXY3kgEFOyJoqt4sx/HOScHNKkaLb8U+0rpfzxSVyP3oY4o/DFkE51bnd/CNKg3ZK4Ynp/5m7Rs=,iv:aWpDXSp6Ds7cfdw/vfM3I5wcHz0MytnhpIIWEa24LBE=,tag:5YZKo4ZCT57gji8iyBMAiQ==,type:str]
|
env: ENC[AES256_GCM,data:mDqHHAjisl0din/q67+zH7NMKLXld9qC0Si6ZREhRStXr6HEFD/QwaGLN86AvUI7sHNf9l4nrgKOht7uXNJrkjuidGsFEEJWkuUOjBRnrtipNKV2YK7giPQXEhH7wTdGeaqxqi4sk90Oq/FoKi2vPkFyNWGOQ5vOXkKKXjjHnbyKIQkIRWya2Dy6IN0CXU8UK0OiQXY3kgEFOyJoqt4sx/HOScHNKkaLb8U+0rpfzxSVyP3oY4o/DFkE51bnd/CNKg3ZK4Ynp/5m7Rs=,iv:aWpDXSp6Ds7cfdw/vfM3I5wcHz0MytnhpIIWEa24LBE=,tag:5YZKo4ZCT57gji8iyBMAiQ==,type:str]
|
||||||
|
hedgedoc_env: ENC[AES256_GCM,data:MeMyjUNchdUm9gqt7hOZU0xvlZvbUWmgh2iiZjkmb20y9dGt083FbGLNuWLkWd8WFM93dETaOj9WD0mbRK11THXyV61rjrwpBkx2NjCFeHX/JjUe7MzxAhm/7Kn9IFl9As5B++SiD97QxEBpcG0AJDoluXqVpZSIHgG6W5FXSYDgZ+/V8dmfSplF5Nj2cseD5kI=,iv:7l8wNfi9HWc8Ep1Y9bUkdJo+2UQVkTfqW0J3pfPxpNg=,tag:xS+vD73r6rDmeeAB4bstww==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -24,8 +25,8 @@ sops:
|
||||||
QjBmYlNYWlFoWHd0ZFJkWE0xMkpvZzQKJwKap35S2pWGNOtBHe931dRqAQAczbWv
|
QjBmYlNYWlFoWHd0ZFJkWE0xMkpvZzQKJwKap35S2pWGNOtBHe931dRqAQAczbWv
|
||||||
/BUEtl900F8YLQCB1/myV0Dk5X9XDlww1yrzw/La3gXANY93Ndu3MA==
|
/BUEtl900F8YLQCB1/myV0Dk5X9XDlww1yrzw/La3gXANY93Ndu3MA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2022-12-24T23:32:14Z"
|
lastmodified: "2023-07-24T14:30:13Z"
|
||||||
mac: ENC[AES256_GCM,data:H6fvAvgQCx/iXcLnId7KW5wQ/xMpW/IELg9saYOC6UBMngXNMAoneEgTtmo89Dbwvc2e1qo5fzkk7XacBTx6SNOq27gwPUyfsNKD/V+VPpJtAV+PH47CoR83pnS0uPbiyCAIJvp+bXBI9LNMBb6VrrqR7NqKva2BG528n6b3LUQ=,iv:9KyBPOKu4swk6IZCNt/xI9DKqeuwyG7z1aEXIXDxVvg=,tag:hIVSBQd/85C0+sEiCKGQ/w==,type:str]
|
mac: ENC[AES256_GCM,data:UXYfO7Ezx6jhuElF4ncJ3qcm5e9S4dLnIJ6ieELzmwHZEAIf8HCeovJIuubv9UbQeXg3F+jQzUA7xP8cGcx4fh6WzaXZuq+i/GbF79HCbgtYb8KogC7C/nbi7aFgd6euM84txNpIFlBMmcOAaVAdO+9zM6AxaclPq0Am+I+eG2E=,iv:ObMNbl1fI0yFQraR56rxSxBzv++MMdNY6JOZtPqBl5U=,tag:Nu5GZqWutwWxxORWcfLlVQ==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2023-07-23T14:01:56Z"
|
- created_at: "2023-07-23T14:01:56Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
|
|
|
@ -4,6 +4,7 @@ dokuwiki:
|
||||||
keycloak_key: ENC[AES256_GCM,data:gXCRVg==,iv:BqBPRnD8mIQ97MHfn/KESqe8ABXGaDXEIAGyYcbfXlI=,tag:KhgQX5N3MATmnqXnEIjzBQ==,type:str]
|
keycloak_key: ENC[AES256_GCM,data:gXCRVg==,iv:BqBPRnD8mIQ97MHfn/KESqe8ABXGaDXEIAGyYcbfXlI=,tag:KhgQX5N3MATmnqXnEIjzBQ==,type:str]
|
||||||
vaultwarden:
|
vaultwarden:
|
||||||
env: ENC[AES256_GCM,data:4zeSpiaJQ8v00EBHrS6IU/1KXCEP6EBpkMacW0mf3ygZxSfUL3oQ11sXOu24OOMnTpaZUPJ68rj1jSNgBoVQ7rLttpCHKy62ART2xi0PcSCpDCBLpBocPdpFydQzwFOrMAYpcS6SB/ijy2ZxvfzVQqykcqfLdwdZs3PCys15OSQT269FmFERT25pTW7d6zxE3eY2YhLf1Y+6MjYHffAEv8RqN35UWyAOh8dJU09lbEsUiBRwN3tNhQ0STOsShhxY/ogMZdAHQwvGjo0=,iv:yK9PBOURtOVBBPwuJSpARvb5eXUIhPypEbEYbX2PqRs=,tag:MG7fcBPMg9eMjtD5V+yjBw==,type:str]
|
env: ENC[AES256_GCM,data:4zeSpiaJQ8v00EBHrS6IU/1KXCEP6EBpkMacW0mf3ygZxSfUL3oQ11sXOu24OOMnTpaZUPJ68rj1jSNgBoVQ7rLttpCHKy62ART2xi0PcSCpDCBLpBocPdpFydQzwFOrMAYpcS6SB/ijy2ZxvfzVQqykcqfLdwdZs3PCys15OSQT269FmFERT25pTW7d6zxE3eY2YhLf1Y+6MjYHffAEv8RqN35UWyAOh8dJU09lbEsUiBRwN3tNhQ0STOsShhxY/ogMZdAHQwvGjo0=,iv:yK9PBOURtOVBBPwuJSpARvb5eXUIhPypEbEYbX2PqRs=,tag:MG7fcBPMg9eMjtD5V+yjBw==,type:str]
|
||||||
|
hedgedoc_env: ENC[AES256_GCM,data:M/UW8QjiiHU/YsSYsYnZbeA+SPAub53E1FAiSvRFTeQeR0d3+t0g0lfn9Wqcok541NjETs7LN4lCrYBR6cH4EqQ9581pj2Fi5KabypA/2DUNTaAjtCbA2RNM/M/1/ka5n8AFNgzXppb/yEQ2xqQfV7IN/d6ClJzfFi+3FoFa3wRwAajvkH+yP8rfTBkQFamQWTQ=,iv:6vOeJHkNnva92GCrhuIj3HtG6z50UBnxRGg97jv2/gk=,tag:eYN4q7/HL0BtPdYLlbaW+A==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -19,8 +20,8 @@ sops:
|
||||||
Z3FXczZaSUVLY2lCcWJaQklXNHBzczAKQev4noy5ValCq65BhvXl1weY2QNsTe6f
|
Z3FXczZaSUVLY2lCcWJaQklXNHBzczAKQev4noy5ValCq65BhvXl1weY2QNsTe6f
|
||||||
f4SUmm5NGbTiGaghOLC1Cio3K8ibA0vszVyySNE1khkvcM7JewIXAQ==
|
f4SUmm5NGbTiGaghOLC1Cio3K8ibA0vszVyySNE1khkvcM7JewIXAQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2022-12-30T21:13:58Z"
|
lastmodified: "2023-07-24T15:00:19Z"
|
||||||
mac: ENC[AES256_GCM,data:hdQd5oQUBMdbjPqVsMd5sFIJOCq7GjcRPZ4trcT+MkZhYUyTkrHIk80XpVWUugsV4CXafq503gH5BnwMZaaYWtA53k4laIkKzuChXTSJ/D0TY1mX2+WxxMjrc5wPA2iWJwTS25O9pPA4y2tqonYXAG8jHAxDiNZmtdTKepJyaB8=,iv:H73rk9mNbsd+HoxDzcE+Cx5CmqFeuw3A9oQc5yxyMik=,tag:t4w1WozItK+QlIrs5wL8Mw==,type:str]
|
mac: ENC[AES256_GCM,data:TqoMFF2XBc1iA/FnwgEwKdTKneHV6AvvPRVR+E7bkpqHQsxcl/wRLUzfQ5bg3YDviB/kB1KDuS25xQn/ztJKoBn7deWF0+9xz5npStQimNWuzgbTCIQS5hbqahgOejnnGVvJ/zms67ZOOG/Ek8W4eE8DUNMlUlNNIxGD8fkRwYI=,iv:FYW3K/QipSCrk0ZrxUhJANB5CBY4K5af4KhUf7GwuYU=,tag:HeLAe/yCZnDXqNHeUDpylQ==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2023-07-23T14:01:46Z"
|
- created_at: "2023-07-23T14:01:46Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
|
|
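--- /dev/null
+++ b/services/hedgedoc.nix
@@ -0,0 +1,81 @@
+{ config
+, baseDomain
+, lib
+, ...
+}:
+
+let
+domain = "md.${baseDomain}";
+isDev = (builtins.substring 0 3 baseDomain) == "dev";
+realm = if isDev then "dev" else "chaos-jetzt";
+sso_url = "https://sso.chaos.jetzt/auth/realms/${realm}/protocol/openid-connect";
+sock_path = "/run/hedgedoc/hedgedoc.sock";
+in {
+# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
+sops.secrets."hedgedoc_env" = {};
+
+services.hedgedoc = {
+enable = true;
+environmentFile = config.sops.secrets.hedgedoc_env.path;
+settings = {
+inherit domain;
+
+allowAnonymousEdits = true;
+allowEmailRegister = false;
+allowFreeURL = true;
+requireFreeURLAuthentication = false;
+allowGravatar = false;
+allowOrigin = [ domain ];
+db = {
+dialect = "postgres";
+host = "/run/postgresql";
+};
+email = false;
+path = sock_path;
+protocolUseSSL = true;
+# NOTE(@e1mo): Currently disabled until we decide if we want
+# SSO but left in here as this is a known working config.
+oauth2 = lib.mkIf false {
+baseURL = sso_url;
+userProfileURL = "${sso_url}/userinfo";
+userProfileUsernameAttr = "preferred_username";
+userProfileDisplayNameAttr = "preferred_username";
+userProfileEmailAttr = "email";
+tokenURL = "${sso_url}/token";
+authorizationURL = "${sso_url}/auth";
+clientID = "hedgedoc";
+providerName = if isDev then "SSO (dev)" else "SSO";
+};
+useCDN = false;
+logLevel = "warn";
+};
+};
+
+services.nginx.virtualHosts."${domain}" = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://unix:${sock_path}";
+proxyWebsockets = true;
+};
+};
+
+
+services.postgresql = {
+enable = true;
+ensureDatabases = [ "hedgedoc" ];
+ensureUsers = [{
+name = "hedgedoc";
+ensurePermissions."DATABASE hedgedoc" = "ALL PRIVILEGES";
+}];
+};
+
+# Required for nginx to be able to access the hedgedoc socket
+users.users.nginx.extraGroups = [ "hedgedoc" ];
+systemd.services.hedgedoc = {
+serviceConfig = {
+UMask = "0007";
+RuntimeDirectory = "hedgedoc";
+};
+};
+}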
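Review bot: `allowAnonymousEdits = true`, `allowFreeURL = true` and `requireFreeURLAuthentication = false` in the `settings` block together let anyone create and edit a note at any URL, and since `allowEmailRegister = false` and the `oauth2` block is switched off by `lib.mkIf false`, there is no login path at all, so nothing on this instance is ever owned or protected by a user; the NOTE above `oauth2` records why SSO is off, but nothing records that the open-edit policy is intended. Suggest a comment above `allowAnonymousEdits`: `# Intentionally open: email registration is off and SSO is disabled below, so there is no login path and anyone can create and edit notes at any free URL.` A smaller point of style: `isDev = (builtins.substring 0 3 baseDomain) == "dev";` reads more clearly as `isDev = lib.hasPrefix "dev" baseDomain;` with the same result. I also cannot tell from here whether the `db` block works without an explicit `database`/`username`; it presumably relies on the service's system user and the socket defaults lining up with the `ensureDatabases` entry, which deserves a one-line comment if that is the intent.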