tsuki/hedgedoc: misc:
- configure oauth2 (this requires a custom module for now, will be resolved in 23.11) - harden systemd service - add systemd requires list - use socket postgres uri
This commit is contained in:
parent
96617500df
commit
1f3b5addd3
@ -9,7 +9,7 @@
|
||||
./services/gitea
|
||||
./services/grafana
|
||||
./services/headscale.nix
|
||||
./services/hedgedoc.nix
|
||||
./services/hedgedoc
|
||||
./services/hydra.nix
|
||||
./services/invidious.nix
|
||||
# ./services/jitsi.nix
|
||||
|
93
hosts/tsuki/services/hedgedoc/default.nix
Normal file
93
hosts/tsuki/services/hedgedoc/default.nix
Normal file
@ -0,0 +1,93 @@
|
||||
{ pkgs, lib, config, options, ... }: let
|
||||
cfg = config.services.hedgedoc;
|
||||
in {
|
||||
imports = [ ./hedgedoc.nix ];
|
||||
disabledModules = [ "services/web-apps/hedgedoc.nix" ];
|
||||
|
||||
config = {
|
||||
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
|
||||
sops.secrets."hedgedoc/env" = {
|
||||
restartUnits = [ "hedgedoc.service" ];
|
||||
};
|
||||
|
||||
services.hedgedoc = {
|
||||
enable = true;
|
||||
workDir = "${config.machineVars.dataDrives.default}/var/hedgedoc";
|
||||
environmentFile = config.sops.secrets."hedgedoc/env".path;
|
||||
settings = {
|
||||
domain = "docs.nani.wtf";
|
||||
email = false;
|
||||
allowAnonymous = false;
|
||||
allowAnonymousEdits = true;
|
||||
protocolUseSSL = true;
|
||||
|
||||
db = {
|
||||
username = "hedgedoc";
|
||||
# TODO: set a password
|
||||
database = "hedgedoc";
|
||||
host = "/var/run/postgresql";
|
||||
dialect = "postgresql";
|
||||
};
|
||||
|
||||
oauth2 = let
|
||||
authServerUrl = config.services.kanidm.serverSettings.origin;
|
||||
in rec {
|
||||
baseURL = "${authServerUrl}/oauth2";
|
||||
tokenURL = "${authServerUrl}/oauth2/token";
|
||||
authorizationURL = "${authServerUrl}/ui/oauth2";
|
||||
userProfileURL = "${authServerUrl}/oauth2/openid/${clientID}/userinfo";
|
||||
|
||||
clientID = "hedgedoc";
|
||||
|
||||
scope = "openid email profile";
|
||||
userProfileUsernameAttr = "name";
|
||||
userProfileEmailAttr = "email";
|
||||
userProfileDisplayNameAttr = "displayname";
|
||||
|
||||
providerName = "KaniDM";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
ensureDatabases = [ "hedgedoc" ];
|
||||
ensureUsers = [{
|
||||
name = "hedgedoc";
|
||||
ensurePermissions = {
|
||||
"DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
|
||||
};
|
||||
}];
|
||||
};
|
||||
|
||||
systemd.services.hedgedoc = {
|
||||
requires = [
|
||||
"postgresql.service"
|
||||
"kanidm.service"
|
||||
];
|
||||
serviceConfig = {
|
||||
CapabilityBoundingSet = "";
|
||||
LockPersonality = true;
|
||||
NoNewPrivileges = true;
|
||||
PrivateDevices = true;
|
||||
PrivateMounts = true;
|
||||
PrivateTmp = true;
|
||||
PrivateUsers = true;
|
||||
ProtectClock = true;
|
||||
ProtectHome = true;
|
||||
ProtectHostname = true;
|
||||
ProtectKernelLogs = true;
|
||||
ProtectKernelModules = true;
|
||||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ProtectSystem = "strict";
|
||||
ReadWritePaths = [ cfg.workDir ];
|
||||
RemoveIPC = true;
|
||||
RestrictSUIDSGID = true;
|
||||
UMask = "0007";
|
||||
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
|
||||
SystemCallArchitectures = "native";
|
||||
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
1075
hosts/tsuki/services/hedgedoc/hedgedoc.nix
Normal file
1075
hosts/tsuki/services/hedgedoc/hedgedoc.nix
Normal file
File diff suppressed because it is too large
Load Diff
Loading…
Reference in New Issue
Block a user