hedgedoc ldap config #23

Merged
fugidev merged 1 commit from hedgedoc into main 2023-03-01 02:19:35 +01:00
2 changed files with 34 additions and 3 deletions


@ -83,6 +83,7 @@
./hosts/quitte/configuration.nix ./hosts/quitte/configuration.nix
./modules/options.nix ./modules/options.nix
./modules/base.nix ./modules/base.nix
./modules/ldap.nix
# ./modules/keycloak.nix replaced by portunus # ./modules/keycloak.nix replaced by portunus
./modules/nginx.nix ./modules/nginx.nix
./modules/hedgedoc.nix ./modules/hedgedoc.nix


@ -25,7 +25,6 @@ in
protocolUseSSL = true; protocolUseSSL = true;
dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc"; dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc";
sessionSecret = "\${SESSION_SECRET}"; sessionSecret = "\${SESSION_SECRET}";
allowAnonymousEdits = true;
csp = { csp = {
enable = true; enable = true;
directives = { directives = {
@ -34,6 +33,26 @@ in
upgradeInsecureRequest = "auto"; upgradeInsecureRequest = "auto";
addDefaults = true; addDefaults = true;
}; };
allowGravatar = false;
## authentication
# disable email
email = false;
allowEmailRegister = false;
# allow anonymous editing, but not creation of pads
allowAnonymous = false;
allowAnonymousEdits = true;
defaultPermission = "limited";
# ldap auth
ldap = rec {
url = "ldap://localhost";
searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
searchFilter = "(uid={{username}})";
bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
bindCredentials = "\${LDAP_CREDENTIALS}";
useridField = "uid";
providerName = "iFSR";
};
}; };
}; };
@ -52,12 +71,23 @@ in
}; };
}; };
sops.secrets.postgres_hedgedoc.owner = config.systemd.services.hedgedoc.serviceConfig.User; sops.secrets =
sops.secrets.hedgedoc_session_secret.owner = config.systemd.services.hedgedoc.serviceConfig.User; let
user = config.systemd.services.hedgedoc.serviceConfig.User;
in
{
postgres_hedgedoc.owner = user;
hedgedoc_session_secret.owner = user;
hedgedoc_ldap_search = {
key = "portunus_search";
owner = user;
};
};
systemd.services.hedgedoc.preStart = lib.mkBefore '' systemd.services.hedgedoc.preStart = lib.mkBefore ''
export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})" export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})"
export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})" export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
export LDAP_CREDENTIALS="$(cat ${config.sops.secrets.hedgedoc_ldap_search.path})"
''; '';
systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ]; systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ];
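Review bot: The new `ldap = rec { url = "ldap://localhost"; ... }` block binds with the Portunus search-user password and relays every user's login password over plain LDAP; that is only defensible because the directory is on the same host, and nothing in the hunk records that assumption, so add `# plain ldap:// is acceptable only while portunus listens on loopback; switch to ldaps:// (and set tlsOptions) if it ever moves off-host` above `url`. The comment `# allow anonymous editing, but not creation of pads` overstates what the settings do: if I read HedgeDoc's semantics right, with `allowAnonymous = false` the `allowAnonymousEdits` flag only lets anonymous users edit notes whose permission was explicitly set to "freely", and since `defaultPermission = "limited"` no new note is anonymously editable until its owner changes that — suggest `# anonymous users may only edit notes an owner has explicitly set to "freely"; new notes default to "limited"`. The `{{username}}` placeholder in `searchFilter` is fine as long as HedgeDoc keeps escaping it before building the filter, which it does via its LDAP auth library as far as I know; worth a one-line comment so nobody later replaces it with hand-built string concatenation. The `sops.secrets` rewrite and the `LDAP_CREDENTIALS` export follow the existing `preStart`/`mkBefore` pattern, so the secret never enters the Nix store; the enclosing `settings` attribute set begins before this hunk.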