Add hedgedoc + kanidm

This commit is contained in:
Felix Albrigtsen 2023-04-22 16:49:04 +02:00
parent 057879fb71
commit af6a6b8d79
4 changed files with 106 additions and 4 deletions

1
.gitignore vendored
View File

@ -1 +1,2 @@
result
/secrets_tmp/

View File

@ -7,12 +7,14 @@
../../common/metrics-exporters.nix
./hardware-configuration.nix
./filesystems.nix
./vms.nix
#./vms.nix
./services/nginx
./services/kanidm.nix
./services/jellyfin.nix
./services/metrics
./services/flame.nix
./services/jellyfin.nix
#./services/hedgedoc.nix
./services/code-server.nix
# TODO:
# x Boot
@ -26,7 +28,8 @@
# - NFS exports
# - FreeBSD VM
# - Kali VM
# - Kerberos / IPA / Kanidm
# x Kerberos / IPA / Kanidm
# - Backup system
];
networking = {

View File

@ -0,0 +1,51 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.hedgedoc.settings;
domain = "md.feal.no";
port = 3000;
host = "0.0.0.0";
in {
services.hedgedoc = {
enable = true;
settings = {
inherit domain port host;
protocolUseSSL = true;
db = {
dialect = "sqlite";
storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
};
email = false;
oauth2 = let
authServerUrl = config.services.kanidm.serverSettings.origin;
in {
baseURL = "${authServerUrl}/oauth2";
tokenURL = "${authServerUrl}/oauth2/token";
authorizationURL = "${authServerUrl}/ui/oauth2";
userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
clientID = "hedgedoc";
scope = "openid email profile";
userProfileUsernameAttr = "name";
userProfileEmailAttr = "email";
userProfileDisplayNameAttr = "displayname";
providerName = "KaniDM";
# rolesClaim = "roles";
# accessRole = "hedgedoc_users";
};
};
};
#networking.firewall.allowedTCPPorts = [ port ];
services.nginx.virtualHosts.${domain} = {
locations."/" = {
proxyPass = "http://${host}:${toString port}/";
};
locations."/socket.io/" = {
proxyPass = "http://${host}:${toString port}/";
proxyWebsockets = true;
};
};
}

View File

@ -0,0 +1,47 @@
{ config, pkgs, lib, ... }:
let
cfg = config.services.kanidm;
certPath = "/etc/ssl-snakeoil/auth_feal_no";
ldapbindaddress = "0.0.0.0:636";
in {
# Kanidm - Identity management / auth provider
services.kanidm = {
enableServer = true;
serverSettings = {
origin = "https://${cfg.serverSettings.domain}";
domain = "auth.feal.no";
bindaddress = "127.0.1.2:8300";
inherit ldapbindaddress;
tls_chain = "/run/credentials/kanidm.service/cert.crt";
tls_key = "/run/credentials/kanidm.service/cert.key";
};
};
systemd.services.kanidm = {
serviceConfig.LoadCredential = [
"cert.crt:${certPath}.crt"
"cert.key:${certPath}.key"
];
};
services.nginx.virtualHosts."${cfg.serverSettings.domain}" = {
forceSSL = true;
sslCertificate = "${certPath}.crt";
sslCertificateKey = "${certPath}.key";
locations."/" = {
proxyPass = "https://${cfg.serverSettings.bindaddress}";
extraConfig = ''
proxy_ssl_verify off;
'';
};
};
environment = {
systemPackages = [ pkgs.kanidm ];
etc."kanidm/config".text = ''
uri="${cfg.serverSettings.origin}"
'';
};
}