2023-03-01 02:19:35 +01:00
2 changed files with 34 additions and 3 deletions
--- a/flake.nix
+++ b/flake.nix
@ -83,6 +83,7 @@
            ./hosts/quitte/configuration.nix
            ./modules/options.nix
            ./modules/base.nix
+            ./modules/ldap.nix
            # ./modules/keycloak.nix replaced by portunus
            ./modules/nginx.nix
            ./modules/hedgedoc.nix
--- a/modules/hedgedoc.nix
+++ b/modules/hedgedoc.nix
@ -25,7 +25,6 @@ in
        protocolUseSSL = true;
        dbURL = "postgres://hedgedoc:\${DB_PASSWORD}@localhost:5432/hedgedoc";
        sessionSecret = "\${SESSION_SECRET}";
-        allowAnonymousEdits = true;
        csp = {
          enable = true;
          directives = {
@ -34,6 +33,26 @@ in
          upgradeInsecureRequest = "auto";
          addDefaults = true;
        };
+        allowGravatar = false;
+
+        ## authentication
+        # disable email
+        email = false;
+        allowEmailRegister = false;
+        # allow anonymous editing, but not creation of pads
+        allowAnonymous = false;
+        allowAnonymousEdits = true;
+        defaultPermission = "limited";
+        # ldap auth
+        ldap = rec {
+          url = "ldap://localhost";
+          searchBase = "ou=users,${config.services.portunus.ldap.suffix}";
+          searchFilter = "(uid={{username}})";
+          bindDn = "uid=${config.services.portunus.ldap.searchUserName},${searchBase}";
+          bindCredentials = "\${LDAP_CREDENTIALS}";
+          useridField = "uid";
+          providerName = "iFSR";
+        };
      };
    };

@ -52,12 +71,23 @@ in
    };
  };

-  sops.secrets.postgres_hedgedoc.owner = config.systemd.services.hedgedoc.serviceConfig.User;
-  sops.secrets.hedgedoc_session_secret.owner = config.systemd.services.hedgedoc.serviceConfig.User;
+  sops.secrets =
+    let
+      user = config.systemd.services.hedgedoc.serviceConfig.User;
+    in
+    {
+      postgres_hedgedoc.owner = user;
+      hedgedoc_session_secret.owner = user;
+      hedgedoc_ldap_search = {
+        key = "portunus_search";
+        owner = user;
+      };
+    };

  systemd.services.hedgedoc.preStart = lib.mkBefore ''
    export DB_PASSWORD="$(cat ${config.sops.secrets.postgres_hedgedoc.path})"
    export SESSION_SECRET="$(cat ${config.sops.secrets.hedgedoc_session_secret.path})"
+    export LDAP_CREDENTIALS="$(cat ${config.sops.secrets.hedgedoc_ldap_search.path})"
  '';
  systemd.services.hedgedoc.after = [ "hedgedoc-pgsetup.service" ];