hedgedoc ldap config #23
|
@ -83,6 +83,7 @@
|
||||||
./hosts/quitte/configuration.nix
|
./hosts/quitte/configuration.nix
|
||||||
./modules/options.nix
|
./modules/options.nix
|
||||||
./modules/base.nix
|
./modules/base.nix
|
||||||
|
./modules/ldap.nix
|
||||||
# ./modules/keycloak.nix replaced by portunus
|
# ./modules/keycloak.nix replaced by portunus
|
||||||
./modules/nginx.nix
|
./modules/nginx.nix
|
||||||
./modules/hedgedoc.nix
|
./modules/hedgedoc.nix
|
||||||
|
|
|
@ -25,7 +25,6 @@ in
|
||||||
protocolUseSSL = true;
|
protocolUseSSL = true;
|
||||||
dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc";
|
dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc";
|
||||||
sessionSecret = "\${SESSION_SECRET}";
|
sessionSecret = "\${SESSION_SECRET}";
|
||||||
allowAnonymousEdits = true;
|
|
||||||
csp = {
|
csp = {
|
||||||
enable = true;
|
enable = true;
|
||||||
directives = {
|
directives = {
|
||||||
|
@ -34,6 +33,26 @@ in
|
||||||
upgradeInsecureRequest = "auto";
|
upgradeInsecureRequest = "auto";
|
||||||
addDefaults = true;
|
addDefaults = true;
|
||||||
};
|
};
|
||||||
|
allowGravatar = false;
|
||||||
|
|
||||||
|
## authentication
|
||||||
|
# disable email
|
||||||
|
email = false;
|
||||||
|
allowEmailRegister = false;
|
||||||
|
# allow anonymous editing, but not creation of pads
|
||||||
|
allowAnonymous = false;
|
||||||
|
allowAnonymousEdits = true;
|
||||||
|
defaultPermission = "limited";
|
||||||
|
# ldap auth
|
||||||
|
ldap = rec {
|
||||||
|
url = "ldap://localhost";
|
||||||
|
searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
|
||||||
|
searchFilter = "(uid={{username}})";
|
||||||
|
bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
|
||||||
|
bindCredentials = "\${LDAP_CREDENTIALS}";
|
||||||
|
useridField = "uid";
|
||||||
|
providerName = "iFSR";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
@ -52,12 +71,23 @@ in
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
sops.secrets.postgres_hedgedoc.owner = config.systemd.services.hedgedoc.serviceConfig.User;
|
sops.secrets =
|
||||||
sops.secrets.hedgedoc_session_secret.owner = config.systemd.services.hedgedoc.serviceConfig.User;
|
let
|
||||||
|
user = config.systemd.services.hedgedoc.serviceConfig.User;
|
||||||
|
in
|
||||||
|
{
|
||||||
|
postgres_hedgedoc.owner = user;
|
||||||
|
hedgedoc_session_secret.owner = user;
|
||||||
|
hedgedoc_ldap_search = {
|
||||||
|
key = "portunus_search";
|
||||||
|
owner = user;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
systemd.services.hedgedoc.preStart = lib.mkBefore ''
|
systemd.services.hedgedoc.preStart = lib.mkBefore ''
|
||||||
export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})"
|
export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})"
|
||||||
export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
|
export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
|
||||||
|
export LDAP_CREDENTIALS="$(cat ${config.sops.secrets.hedgedoc_ldap_search.path})"
|
||||||
'';
|
'';
|
||||||
systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ];
|
systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ];
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue