blob: 8b6599480f7a2f557eba0d54b2a7bf5287831630 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
|
{
config,
lib,
secretsDir,
...
}:
let
hedgedocCfg = config.services.hedgedoc;
oauth2Domain = "https://" + config.services.kanidm.serverSettings.domain;
in
{
config = lib.mkMerge [
{
services = {
hedgedoc = {
settings = {
domain = lib.mkDefault ("hedgedoc." + config.networking.domain);
port = 4000;
allowOrigin = [
hedgedocCfg.settings.domain
"localhost"
];
# Managed by reverse proxy
protocolUseSSL = true;
urlAddPort = false;
allowAnonymous = false;
};
};
};
}
(lib.mkIf hedgedocCfg.enable {
services = {
nginx.virtualHosts.${hedgedocCfg.settings.domain} = {
locations."/" = {
proxyPass = "http://${hedgedocCfg.settings.host}:${toString hedgedocCfg.settings.port}";
proxyWebsockets = true;
};
};
};
})
(lib.mkIf (hedgedocCfg.enable && config.services.kanidm.enableServer) {
age.secrets.hedgedocClientSecret.file = secretsDir + "/hedgedocClientSecret.age";
services.hedgedoc = {
environmentFile = config.age.secrets.hedgedocClientSecret.path;
settings = {
email = false;
oauth2 = {
clientID = "hedgedoc";
clientSecret = "$CMD_OAUTH2_CLIENT_SECRET";
providerName = "Kanidm";
baseURL = oauth2Domain;
authorizationURL = oauth2Domain + "/ui/oauth2";
tokenURL = oauth2Domain + "/oauth2/token";
userProfileURL = oauth2Domain + "/oauth2/openid/hedgedoc/userinfo";
scope = "openid email profile";
userProfileDisplayNameAttr = "name";
userProfileEmailAttr = "email";
userProfileUsernameAttr = "preferred_username";
};
};
};
})
];
}
|
