feat: hedgedoc

2023-09-14 15:16:09 +02:00 · 2023-09-14 15:16:09 +02:00 · 1233b1afde
commit 1233b1afde
parent 2822385074
13 changed files with 178 additions and 9 deletions
--- a/nixos-modules/services/authelia.nix
+++ b/nixos-modules/services/authelia.nix
@ -0,0 +1,83 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.authelia;
+  stateDir = "/var/lib/authelia";
+  instanceName = "main";
+in
+{
+  options.ragon.services.authelia.enable = lib.mkEnableOption "Enables the authelia SSO Server";
+  options.ragon.services.authelia.domain =
+    lib.mkOption {
+      type = lib.types.str;
+      default = "sso.xyno.systems";
+    };
+  config = lib.mkIf cfg.enable {
+
+    ragon.secrets.autheliaStorageEncryption = { };
+    ragon.secrets.autheliaSessionSecret = { };
+    ragon.secrets.autheliaOidcIssuerPrivateKey = { };
+    ragon.secrets.autheliaOidcHmacSecret = { };
+    ragon.secrets.autheliaJwtSecret = { };
+    ragon.secrets.autheliaEmail = { user = "authelia"; };
+    services.authelia.instances.${instanceName} = {
+      enable = true;
+      secrets = {
+        storageEncryptionKeyFile = config.age.secrets.autheliaStorageEncryption.path;
+        sessionSecretFile = config.age.secrets.autheliaSessionSecret.path;
+        oidcIssuerPrivateKeyFile = config.age.secrets.autheliaOidcIssuerPrivateKey.path;
+        oidcHmacSecretFile = config.age.secrets.autheliaOidcHmacSecret.path;
+        jwtSecretFile = config.age.secrets.autheliaJwtSecret.path;
+      };
+      settingstFiles = [
+        config.age.secrets.autheliaEmail.path
+      ];
+      settings = {
+        theme = "auto";
+        default_2fa_method = "webauthn";
+        authentication_backend = {
+          file = {
+            path = "${stateDir}/users.yml";
+          };
+        };
+        storage = {
+          postgres = {
+            host = "/run/postgresql";
+          };
+        };
+        notifier = {
+          smtp = {
+            address = "smtp://smtp.ionos.de:465";
+            sender = "xyno.systems SSO <machdas@xyno.space>";
+            username = "machdas@xyno.space";
+            subject = "[xyno.systems SSO] {title}";
+            startup_check_address = "autodelete@phochkamp.de";
+          };
+        };
+
+      };
+    };
+    systemd.tmpfiles.rules = [
+      "d ${stateDir} 0755 authelia authelia -"
+    ];
+    ragon.agenix.secrets.autheliaSecret.owner = "authelia";
+    services.nginx.virtualHosts."${cfg.domain}" = {
+      locations."/".proxyWebsockets = true;
+      locations."/".proxyPass = "http://127.0.0.1:${toString config.services.authelia.instances.${instanceName}.settings.server.port}";
+    } // (lib.my.findOutTlsConfig cfg.domain config);
+    services.postgresql = {
+      enable = true;
+
+      # Ensure the database, user, and permissions always exist
+      ensureDatabases = [ "authelia" ];
+      ensureUsers = [
+        {
+          name = "authelia";
+          ensurePermissions."DATABASE authelia" = "ALL PRIVILEGES";
+        }
+      ];
+    };
+    ragon.persist.extraDirectories = [
+      "${stateDir}"
+    ];
+  };
+}
--- a/nixos-modules/services/hedgedoc.nix
+++ b/nixos-modules/services/hedgedoc.nix
@ -5,38 +5,54 @@ let
 in
 {
  options.ragon.services.hedgedoc.enable = lib.mkEnableOption "Enables the hedgedoc BitWarden Server";
-  options.ragon.services.hedgedoc.domainPrefix =
+  options.ragon.services.hedgedoc.domain =
    lib.mkOption {
      type = lib.types.str;
-      default = "md";
+      default = "md.xyno.systems";
    };
  config = lib.mkIf cfg.enable {
+    ragon.secrets.autheliaHedgedoc = { user = "authelia"; };
+    services.authelia.instances.main.settingsFiles = [
+      config.age.secrets.autheliaHedgedoc.path
+    ];
    services.hedgedoc = {
      enable = true;
      environmentFile = "${config.age.secrets.hedgedocSecret.path}";
      configuration = {
        protocolUseSSL = true;
        sessionSecret = "$SESSION_SECRET";
-        allowEmailRegister = false;
-        domain = "${cfg.domainPrefix}.${domain}";
+        allowAnonymous = false;
+        allowAnonymousEdits = false;
+        allowFreeURL = true;
+        email = false;
+        oauth2 = {
+          clientID = "$OAUTH2_CLIENT_ID";
+          clientSecret = "$OAUTH2_CLIENT_SECRET";
+          providerName = "xyno.systems SSO";
+          authorizationURL = "https://sso.xyno.systems/oauth2/authorize";
+          tokenURL = "https://sso.xyno.systems/oauth2/token";
+          userProfileURL = "https://sso.xyno.systems/oauth2/userinfo";
+          scope = "openid profile email";
+          userProfileUsernameAttr = "sub";
+          userProfileEmailAttr = "email";
+          userProfileDisplayNameAttr = "name";
+        };
+        domain = "${cfg.domain}";
        db = {
          dialect = "postgres";
          host = "/run/postgresql";
          database = "hedgedoc";
        };
-        allowAnonymousEdits = false;
-        allowFreeURL = true;
      };

    };
    ragon.agenix.secrets.hedgedocSecret.owner = "hedgedoc";
    services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
-      forceSSL = true;
-      useACMEHost = "${domain}";
      locations."/".proxyWebsockets = true;
      locations."/".proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}";
-    };
+    } // (lib.my.findOutTlsConfig cfg.domain config);
    services.postgresql = {
+
      enable = true;

      # Ensure the database, user, and permissions always exist