massicot: host hedgedoc with oidc

2023-12-24 13:58:53 +08:00 · 2023-12-24 13:58:53 +08:00 · 8b735dd5da
commit 8b735dd5da
parent b944954b3c
5 changed files with 110 additions and 7 deletions
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -4,5 +4,6 @@
    ./restic.nix
    ./vaultwarden.nix
    ./prometheus.nix
+    ./hedgedoc.nix
  ];
-}
+}
--- a/modules/nixos/hedgedoc.nix
+++ b/modules/nixos/hedgedoc.nix
@ -0,0 +1,83 @@
+{ config, pkgs, lib, ... }:
+
+with lib;
+
+let
+  cfg = config.custom.hedgedoc;
+in
+{
+  options = {
+    custom.hedgedoc = {
+      enable = mkEnableOption "HedgeDoc Markdown Editor";
+      domain = mkOption {
+        type = types.str;
+        default = "docs.example.com";
+        description = "Domain name of the HedgeDoc server";
+      };
+      caddy = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Enable Caddy as reverse proxy";
+      };
+      mediaPath = mkOption {
+        type = types.path;
+        default = /var/lib/hedgedoc/uploads;
+        description = "Directory for storing medias";
+      };
+      oidc = {
+        enable = mkEnableOption "OIDC support for HedgeDoc";
+        baseURL = mkOption {
+          type = types.str;
+        };
+        authorizationURL = mkOption {
+          type = types.str;
+        };
+        tokenURL = mkOption {
+          type = types.str;
+        };
+        userProfileURL = mkOption {
+          type = types.str;
+        };
+      };
+      environmentFile = mkOption {
+        type = types.path;
+      };
+    };
+  };
+  config = {
+    services.hedgedoc = mkIf cfg.enable {
+      enable = true;
+      environmentFile = cfg.environmentFile;
+      settings = {
+        domain = cfg.domain;
+        protocolUseSSL = cfg.caddy;
+        uploadsPath = cfg.mediaPath;
+        path = "/run/hedgedoc/hedgedoc.sock";
+        email = false;
+        allowEmailRegister = false;
+        oauth2 = mkIf cfg.oidc.enable {
+          baseURL = cfg.oidc.baseURL;
+          authorizationURL = cfg.oidc.authorizationURL;
+          tokenURL = cfg.oidc.tokenURL;
+          userProfileURL = cfg.oidc.userProfileURL;
+          userProfileEmailAttr = "email";
+          userProfileUsernameAttr = "name";
+          userProfileDisplayNameAttr = "preferred_name";
+          scope = "openid email profile";
+          clientID = "$HEDGEDOC_CLIENT_ID";
+          clientSecret = "$HEDGEDOC_CLIENT_SECRET";
+        };
+        allowAnonymous = false;
+        defaultPermission = "private";
+      };
+    };
+    services.caddy = mkIf ( cfg.enable && cfg.enable ) {
+      enable = true;
+      virtualHosts."https://${cfg.domain}".extraConfig = ''
+        reverse_proxy unix/${config.services.hedgedoc.settings.path}
+      '';
+    };
+    users.users.caddy.extraGroups = mkIf ( cfg.enable && cfg.enable ) [ "hedgedoc" ];
+
+  };
+}