Add sops-secrets, configure oauth

2023-04-26 12:07:36 +02:00
parent 34b77b3ed0
commit 57cd31d4a9
4 changed files with 71 additions and 4 deletions
--- a/hosts/chapel/services/hedgedoc.nix
+++ b/hosts/chapel/services/hedgedoc.nix
@@ -0,0 +1,22 @@
+{ config, pkgs, ... }:
+
+{
+  services.hedgedoc = {
+    enable = true;
+    settings = {
+      port = 3031;
+      allowFreeURL = true;
+    };
+    config = {
+      domain = "md.feal.no";
+      db = {
+        dialect = "mysql";
+        host = "mysql.home.feal.no";
+        port = 3306;
+        database = "hedgedoc";
+        username = "hedgedoc";
+        password = "DummyPasswordPlzSops";
+      };
+    };
+  };
+}
--- a/hosts/voyager/services/hedgedoc.nix
+++ b/hosts/voyager/services/hedgedoc.nix
@@ -5,6 +5,11 @@ let
    port = 3000;
    host = "0.0.0.0";
 in {
+    # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
+    sops.secrets."hedgedoc/env" = {
+      restartUnits = [ "hedgedoc.service" ];
+    };
+
    services.hedgedoc = {
        enable = true;

@@ -15,6 +20,8 @@ in {
                dialect = "sqlite";
                storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
            };
+            environmentFile = config.sops.secrets."hedgedoc/env".path;
+
            email = false;
            oauth2 = let
              authServerUrl = config.services.kanidm.serverSettings.origin;
@@ -31,13 +38,10 @@ in {
              userProfileDisplayNameAttr = "displayname";

              providerName = "KaniDM";
-              # rolesClaim = "roles";
-              # accessRole = "hedgedoc_users";
            };

        };
    };
-    #networking.firewall.allowedTCPPorts = [ port ];
    services.nginx.virtualHosts.${domain} = {
      locations."/" = {
        proxyPass = "http://${host}:${toString port}/";