defiant/hedgedoc: move to keycloak

hosts/defiant/services/hedgedoc.nix

@@ -4,7 +4,7 @@ let
   domain = "md.feal.no";
   port = 3300;
   host = "127.0.1.2";
-  authServerUrl = "https://auth.feal.no";
+  authServerUrl = "https://iam.feal.no";
 in {
   # Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
   sops.secrets."hedgedoc/env" = {
@@ -21,9 +21,8 @@ in {
 
       allowFreeURL = true;
       allowAnonymous = false;
-      allowAnonymousEdits = true; # Allow anonymous edits with the "freely" permission
+      allowAnonymousEdits = true;
 
-      # dbURL = "postgres://hedgedoc@localhost/hedgedoc";
       db = {
         username = "hedgedoc";
         database = "hedgedoc";
@@ -32,20 +31,23 @@ in {
       };
 
       email = false;
-      oauth2 = {
-        baseURL = "${authServerUrl}/oauth2";
-        tokenURL = "${authServerUrl}/oauth2/token";
-        authorizationURL = "${authServerUrl}/ui/oauth2";
-        userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
+      oauth2 = let
+        oidc = "${authServerUrl}/realms/feal.no/protocol/openid-connect";
+      in {
+        providerName = "Keycloak";
+        authorizationURL = "${oidc}/auth";
+        baseURL = "${authServerUrl}";
+        tokenURL = "${oidc}/token";
+        userProfileURL = "${oidc}/userinfo";
 
         clientID = "hedgedoc";
         clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
         scope = "openid email profile";
-        userProfileUsernameAttr = "name";
+        userProfileDisplayNameAttr = "name";
         userProfileEmailAttr = "email";
-        userProfileDisplayNameAttr = "displayname";
-
-        providerName = "KaniDM";
+        userProfileUsernameAttr = "preferred_username";
+        rolesClaim = "hedgedoc-roles";
+        accessRole = "hedgedoc-user";
       };
     };
   };