feat: hedgedoc

2023-09-14 15:16:09 +02:00 · 2023-09-14 15:16:09 +02:00 · 1233b1afde
commit 1233b1afde
parent 2822385074
13 changed files with 178 additions and 9 deletions
--- a/nixos-modules/services/hedgedoc.nix
+++ b/nixos-modules/services/hedgedoc.nix
@ -5,38 +5,54 @@ let
 in
 {
  options.ragon.services.hedgedoc.enable = lib.mkEnableOption "Enables the hedgedoc BitWarden Server";
-  options.ragon.services.hedgedoc.domainPrefix =
+  options.ragon.services.hedgedoc.domain =
    lib.mkOption {
      type = lib.types.str;
-      default = "md";
+      default = "md.xyno.systems";
    };
  config = lib.mkIf cfg.enable {
+    ragon.secrets.autheliaHedgedoc = { user = "authelia"; };
+    services.authelia.instances.main.settingsFiles = [
+      config.age.secrets.autheliaHedgedoc.path
+    ];
    services.hedgedoc = {
      enable = true;
      environmentFile = "${config.age.secrets.hedgedocSecret.path}";
      configuration = {
        protocolUseSSL = true;
        sessionSecret = "$SESSION_SECRET";
-        allowEmailRegister = false;
-        domain = "${cfg.domainPrefix}.${domain}";
+        allowAnonymous = false;
+        allowAnonymousEdits = false;
+        allowFreeURL = true;
+        email = false;
+        oauth2 = {
+          clientID = "$OAUTH2_CLIENT_ID";
+          clientSecret = "$OAUTH2_CLIENT_SECRET";
+          providerName = "xyno.systems SSO";
+          authorizationURL = "https://sso.xyno.systems/oauth2/authorize";
+          tokenURL = "https://sso.xyno.systems/oauth2/token";
+          userProfileURL = "https://sso.xyno.systems/oauth2/userinfo";
+          scope = "openid profile email";
+          userProfileUsernameAttr = "sub";
+          userProfileEmailAttr = "email";
+          userProfileDisplayNameAttr = "name";
+        };
+        domain = "${cfg.domain}";
        db = {
          dialect = "postgres";
          host = "/run/postgresql";
          database = "hedgedoc";
        };
-        allowAnonymousEdits = false;
-        allowFreeURL = true;
      };

    };
    ragon.agenix.secrets.hedgedocSecret.owner = "hedgedoc";
    services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
-      forceSSL = true;
-      useACMEHost = "${domain}";
      locations."/".proxyWebsockets = true;
      locations."/".proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}";
-    };
+    } // (lib.my.findOutTlsConfig cfg.domain config);
    services.postgresql = {
+
      enable = true;

      # Ensure the database, user, and permissions always exist