Add hedgedoc + kanidm

2023-04-22 16:49:04 +02:00 · 2023-04-22 16:49:04 +02:00 · af6a6b8d79
parent 057879fb71
commit af6a6b8d79
4 changed files with 106 additions and 4 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,2 @@
 result
+/secrets_tmp/
--- a/hosts/voyager/configuration.nix
+++ b/hosts/voyager/configuration.nix
@ -3,16 +3,18 @@
 {
  imports =
    [
-    ../../base.nix
+      ../../base.nix
      ../../common/metrics-exporters.nix
      ./hardware-configuration.nix
      ./filesystems.nix
-      ./vms.nix
+      #./vms.nix

      ./services/nginx
+      ./services/kanidm.nix
+      ./services/jellyfin.nix
      ./services/metrics
      ./services/flame.nix
-      ./services/jellyfin.nix
+      #./services/hedgedoc.nix
      ./services/code-server.nix
  # TODO:
  # x Boot
@ -26,7 +28,8 @@
  # - NFS exports
  # - FreeBSD VM
  # - Kali VM
-  # - Kerberos / IPA / Kanidm
+  # x Kerberos / IPA / Kanidm
+  # - Backup system
  ];

  networking = {
--- a/hosts/voyager/services/hedgedoc.nix
+++ b/hosts/voyager/services/hedgedoc.nix
@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }:
+let
+    cfg = config.services.hedgedoc.settings;
+    domain = "md.feal.no";
+    port = 3000;
+    host = "0.0.0.0";
+in {
+    services.hedgedoc = {
+        enable = true;
+
+        settings = {
+            inherit domain port host;
+            protocolUseSSL = true;
+            db = {
+                dialect = "sqlite";
+                storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
+            };
+            email = false;
+            oauth2 = let
+              authServerUrl = config.services.kanidm.serverSettings.origin;
+            in {
+              baseURL = "${authServerUrl}/oauth2";
+              tokenURL = "${authServerUrl}/oauth2/token";
+              authorizationURL = "${authServerUrl}/ui/oauth2";
+              userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
+
+              clientID = "hedgedoc";
+              scope = "openid email profile";
+              userProfileUsernameAttr = "name";
+              userProfileEmailAttr = "email";
+              userProfileDisplayNameAttr = "displayname";
+
+              providerName = "KaniDM";
+              # rolesClaim = "roles";
+              # accessRole = "hedgedoc_users";
+            };
+
+        };
+    };
+    #networking.firewall.allowedTCPPorts = [ port ];
+    services.nginx.virtualHosts.${domain} = {
+      locations."/" = {
+        proxyPass = "http://${host}:${toString port}/";
+      };
+
+      locations."/socket.io/" = {
+        proxyPass = "http://${host}:${toString port}/";
+        proxyWebsockets = true;
+      };
+    };
+}
--- a/hosts/voyager/services/kanidm.nix
+++ b/hosts/voyager/services/kanidm.nix
@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+let
+  cfg = config.services.kanidm;
+  certPath = "/etc/ssl-snakeoil/auth_feal_no";
+  ldapbindaddress = "0.0.0.0:636";
+in {
+  # Kanidm - Identity management / auth provider
+  services.kanidm = {
+    enableServer = true;
+    serverSettings = {
+      origin = "https://${cfg.serverSettings.domain}";
+      domain = "auth.feal.no";
+      bindaddress = "127.0.1.2:8300";
+      inherit ldapbindaddress;
+
+      tls_chain = "/run/credentials/kanidm.service/cert.crt";
+      tls_key   = "/run/credentials/kanidm.service/cert.key";
+    };
+  };
+
+  systemd.services.kanidm = {
+    serviceConfig.LoadCredential = [
+      "cert.crt:${certPath}.crt"
+      "cert.key:${certPath}.key"
+    ];
+  };
+
+
+  services.nginx.virtualHosts."${cfg.serverSettings.domain}" = {
+    forceSSL = true;
+    sslCertificate    = "${certPath}.crt";
+    sslCertificateKey = "${certPath}.key";
+    locations."/" = {
+      proxyPass = "https://${cfg.serverSettings.bindaddress}";
+      extraConfig = ''
+        proxy_ssl_verify off;
+      '';
+    };
+  };
+
+  environment = {
+    systemPackages = [ pkgs.kanidm ];
+    etc."kanidm/config".text = ''
+      uri="${cfg.serverSettings.origin}"
+    '';
+  };
+ }