Add hedgedoc + kanidm
parent
ac24def5dc
commit
4a843fbd2d
@ -1 +1,2 @@
|
|||
result
|
||||
/secrets_tmp/
|
||||
|
|
|
@ -3,16 +3,18 @@
|
|||
{
|
||||
imports =
|
||||
[
|
||||
../../base.nix
|
||||
../../base.nix
|
||||
../../common/metrics-exporters.nix
|
||||
./hardware-configuration.nix
|
||||
./filesystems.nix
|
||||
./vms.nix
|
||||
#./vms.nix
|
||||
|
||||
./services/nginx
|
||||
./services/kanidm.nix
|
||||
./services/jellyfin.nix
|
||||
./services/metrics
|
||||
./services/flame.nix
|
||||
./services/jellyfin.nix
|
||||
#./services/hedgedoc.nix
|
||||
./services/code-server.nix
|
||||
# TODO:
|
||||
# x Boot
|
||||
|
@ -26,7 +28,8 @@
|
|||
# - NFS exports
|
||||
# - FreeBSD VM
|
||||
# - Kali VM
|
||||
# - Kerberos / IPA / Kanidm
|
||||
# x Kerberos / IPA / Kanidm
|
||||
# - Backup system
|
||||
];
|
||||
|
||||
networking = {
|
||||
|
|
|
@ -0,0 +1,51 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.services.hedgedoc.settings;
|
||||
domain = "md.feal.no";
|
||||
port = 3000;
|
||||
host = "0.0.0.0";
|
||||
in {
|
||||
services.hedgedoc = {
|
||||
enable = true;
|
||||
|
||||
settings = {
|
||||
inherit domain port host;
|
||||
protocolUseSSL = true;
|
||||
db = {
|
||||
dialect = "sqlite";
|
||||
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
|
||||
};
|
||||
email = false;
|
||||
oauth2 = let
|
||||
authServerUrl = config.services.kanidm.serverSettings.origin;
|
||||
in {
|
||||
baseURL = "${authServerUrl}/oauth2";
|
||||
tokenURL = "${authServerUrl}/oauth2/token";
|
||||
authorizationURL = "${authServerUrl}/ui/oauth2";
|
||||
userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
|
||||
|
||||
clientID = "hedgedoc";
|
||||
scope = "openid email profile";
|
||||
userProfileUsernameAttr = "name";
|
||||
userProfileEmailAttr = "email";
|
||||
userProfileDisplayNameAttr = "displayname";
|
||||
|
||||
providerName = "KaniDM";
|
||||
# rolesClaim = "roles";
|
||||
# accessRole = "hedgedoc_users";
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
#networking.firewall.allowedTCPPorts = [ port ];
|
||||
services.nginx.virtualHosts.${domain} = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://${host}:${toString port}/";
|
||||
};
|
||||
|
||||
locations."/socket.io/" = {
|
||||
proxyPass = "http://${host}:${toString port}/";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
}
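Review bot: `host = "0.0.0.0"` makes HedgeDoc's plaintext listener on port 3000 reachable on every interface although only the nginx proxy on the same machine needs it, and with `#networking.firewall.allowedTCPPorts` left commented out the host firewall default is the only thing keeping it off the network; bind it to loopback instead, `host = "127.0.0.1";` (the `proxyPass` lines pick that up automatically). The `/socket.io/` location also breaks realtime editing: `proxyPass = "http://${host}:${toString port}/"` carries a URI part, so nginx replaces the matched `/socket.io/` prefix and the backend receives `/?EIO=…`; drop the trailing slash in that location, `proxyPass = "http://${host}:${toString port}";`, so the path is forwarded unchanged. `protocolUseSSL = true` makes HedgeDoc emit https URLs and Secure session cookies, yet this vhost sets neither `forceSSL` nor a certificate, so unless `./services/nginx` applies TLS to every vhost by default the OAuth2 callback and the login cookie will not work over plain HTTP. Nothing visible supplies the OAuth2 client secret for `clientID = "hedgedoc"` — presumably it comes from `services.hedgedoc.environmentFile` (`CMD_OAUTH2_CLIENT_SECRET`) elsewhere; if so, keep it there rather than in `settings`, which would land in the world-readable Nix store, and say so in a comment next to `clientID`.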
|
|
@ -0,0 +1,47 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.services.kanidm;
|
||||
certPath = "/etc/ssl-snakeoil/auth_feal_no";
|
||||
ldapbindaddress = "0.0.0.0:636";
|
||||
in {
|
||||
# Kanidm - Identity management / auth provider
|
||||
services.kanidm = {
|
||||
enableServer = true;
|
||||
serverSettings = {
|
||||
origin = "https://${cfg.serverSettings.domain}";
|
||||
domain = "auth.feal.no";
|
||||
bindaddress = "127.0.1.2:8300";
|
||||
inherit ldapbindaddress;
|
||||
|
||||
tls_chain = "/run/credentials/kanidm.service/cert.crt";
|
||||
tls_key = "/run/credentials/kanidm.service/cert.key";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.kanidm = {
|
||||
serviceConfig.LoadCredential = [
|
||||
"cert.crt:${certPath}.crt"
|
||||
"cert.key:${certPath}.key"
|
||||
];
|
||||
};
|
||||
|
||||
|
||||
services.nginx.virtualHosts."${cfg.serverSettings.domain}" = {
|
||||
forceSSL = true;
|
||||
sslCertificate = "${certPath}.crt";
|
||||
sslCertificateKey = "${certPath}.key";
|
||||
locations."/" = {
|
||||
proxyPass = "https://${cfg.serverSettings.bindaddress}";
|
||||
extraConfig = ''
|
||||
proxy_ssl_verify off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
environment = {
|
||||
systemPackages = [ pkgs.kanidm ];
|
||||
etc."kanidm/config".text = ''
|
||||
uri="${cfg.serverSettings.origin}"
|
||||
'';
|
||||
};
|
||||
}
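Review bot: `proxy_ssl_verify off;` in the kanidm vhost disables certificate checking on the nginx → kanidm hop even though the certificate kanidm presents on 127.0.1.2:8300 is the very file nginx already serves, so it can be pinned instead: `proxy_ssl_trusted_certificate ${certPath}.crt; proxy_ssl_verify on; proxy_ssl_name ${cfg.serverSettings.domain};`. `ldapbindaddress = "0.0.0.0:636"` exposes the LDAPS interface on every address while the HTTPS backend is deliberately kept on a loopback address; unless a firewall rule outside this file restricts it, bind it to the address the LDAP consumers actually use. Kanidm sits behind a reverse proxy here but `serverSettings` does not set `trust_x_forward_for`, and the location passes no `X-Forwarded-For` itself, so every login attempt and rate-limit decision will be attributed to the proxy address — if `./services/nginx` enables `recommendedProxySettings`, adding `trust_x_forward_for = true;` is enough, otherwise both are needed. The key at `${certPath}.key` reaches kanidm through `LoadCredential`, but nginx reads it directly via `sslCertificateKey`, so its file mode must admit the nginx user; the `ssl-snakeoil` path suggests a self-signed certificate, which the HedgeDoc OAuth2 client and the kanidm CLI pointed at `uri=` in `/etc/kanidm/config` will both need to trust, and a comment on `certPath` stating which CA issued it would save the next reader that investigation.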
|