SebastianStork/nixos-config
1
0
Fork 0
mirror of https://github.com/SebastianStork/nixos-config.git synced 2026-01-21 16:21:34 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

hedgedoc: switch from email auth to gitLab oauth

Browse source
This commit is contained in:
SebastianStork 2025-08-01 12:04:56 +02:00
parent 57097a2e7b
commit f9b25dd455
1 changed files with 29 additions and 41 deletions
Download patch file Download diff file Expand all files Collapse all files

70
modules/system/services/hedgedoc.nix
View file

@ -6,11 +6,6 @@
}: }:
let let
cfg = config.custom.services.hedgedoc; cfg = config.custom.services.hedgedoc;
user = config.users.users.hedgedoc.name;
dataDir = "/var/lib/hedgedoc";
manageUsers = "CMD_CONFIG_FILE=/run/hedgedoc/config.json NODE_ENV=production ${lib.getExe' pkgs.hedgedoc "manage_users"}";
in in
{ {
options.custom.services.hedgedoc = { options.custom.services.hedgedoc = {
@ -32,59 +27,52 @@ in
ports.list = [ cfg.port ]; ports.list = [ cfg.port ];
}; };
sops = { sops =
secrets = { let
"hedgedoc/seb-password".owner = user; owner = config.users.users.hedgedoc.name;
# "hedgedoc/gitlab-auth-secret".owner = user; in
{
secrets = {
"hedgedoc/seb-password".owner = owner;
"hedgedoc/gitlab-auth-secret".owner = owner;
};
templates."hedgedoc/environment" = {
inherit owner;
content = "GITLAB_CLIENTSECRET=${config.sops.placeholder."hedgedoc/gitlab-auth-secret"}";
};
}; };
# templates."hedgedoc/environment" = {
# owner = user;
# content = "GITLAB_CLIENTSECRET=${config.sops.placeholder."hedgedoc/gitlab-auth-secret"}";
# };
};
services.hedgedoc = { services.hedgedoc = {
enable = true; enable = true;
# environmentFile = config.sops.templates."hedgedoc/environment".path; environmentFile = config.sops.templates."hedgedoc/environment".path;
settings = { settings = {
inherit (cfg) domain port; inherit (cfg) domain port;
protocolUseSSL = true; protocolUseSSL = true;
allowAnonymous = false; allowAnonymous = false;
allowEmailRegister = false; email = false;
defaultPermission = "limited"; defaultPermission = "limited";
sessionSecret = "$SESSION_SECRET"; sessionSecret = "$SESSION_SECRET";
# gitlab = { gitlab = {
# baseURL = "https://code.fbi.h-da.de"; baseURL = "https://code.fbi.h-da.de";
# clientID = "dc71d7ec1525ce3b425d7d41d602f67e1a06cef981259605a87841a6be62cc58"; clientID = "dc71d7ec1525ce3b425d7d41d602f67e1a06cef981259605a87841a6be62cc58";
# clientSecret = "$GITLAB_CLIENTSECRET"; clientSecret = "$GITLAB_CLIENTSECRET";
# }; };
}; };
}; };
systemd.services.hedgedoc = { # Ensure session-secret
# Ensure session-secret systemd.services.hedgedoc.preStart =
preStart = lib.mkBefore '' let
if [ ! -f ${dataDir}/session-secret ]; then sessionSecret = "/var/lib/hedgedoc/session-secret";
${lib.getExe pkgs.pwgen} -s 64 1 > ${dataDir}/session-secret in
lib.mkBefore ''
if [ ! -f ${sessionSecret} ]; then
${lib.getExe pkgs.pwgen} -s 64 1 > ${sessionSecret}
fi fi
export SESSION_SECRET=$(cat ${dataDir}/session-secret) export SESSION_SECRET=$(cat ${sessionSecret})
''; '';
postStart =
let
manageUserSeb =
mode:
"${manageUsers} --${mode} sebastian.stork@pm.me --pass \"$(cat ${
config.sops.secrets."hedgedoc/seb-password".path
})\"";
in
"${manageUserSeb "add"} || ${manageUserSeb "reset"}";
};
environment.shellAliases.hedgedoc-manage-users = "sudo --user=${user} ${manageUsers}";
custom.services.resticBackups.hedgedoc = lib.mkIf cfg.doBackups { custom.services.resticBackups.hedgedoc = lib.mkIf cfg.doBackups {
conflictingService = "hedgedoc.service"; conflictingService = "hedgedoc.service";
extraConfig.paths = extraConfig.paths =