tsuki/hedgedoc: misc:

- configure oauth2 (this requires a custom module for now,
    will be resolved in 23.11)
- harden systemd service
- add systemd requires list
- use socket postgres uri
This commit is contained in:
Oystein Kristoffer Tveit 2023-07-12 02:30:00 +02:00
parent 96617500df
commit 1f3b5addd3
Signed by: oysteikt
GPG Key ID: 9F2F7D8250F35146
3 changed files with 1169 additions and 1 deletions


@ -9,7 +9,7 @@
./services/gitea ./services/gitea
./services/grafana ./services/grafana
./services/headscale.nix ./services/headscale.nix
./services/hedgedoc.nix ./services/hedgedoc
./services/hydra.nix ./services/hydra.nix
./services/invidious.nix ./services/invidious.nix
# ./services/jitsi.nix # ./services/jitsi.nix


@ -0,0 +1,93 @@
{ pkgs, lib, config, options, ... }: let
cfg = config.services.hedgedoc;
in {
imports = [ ./hedgedoc.nix ];
disabledModules = [ "services/web-apps/hedgedoc.nix" ];
config = {
# Contains CMD_SESSION_SECRET and CMD_OAUTH2_CLIENT_SECRET
sops.secrets."hedgedoc/env" = {
restartUnits = [ "hedgedoc.service" ];
};
services.hedgedoc = {
enable = true;
workDir = "${config.machineVars.dataDrives.default}/var/hedgedoc";
environmentFile = config.sops.secrets."hedgedoc/env".path;
settings = {
domain = "docs.nani.wtf";
email = false;
allowAnonymous = false;
allowAnonymousEdits = true;
protocolUseSSL = true;
db = {
username = "hedgedoc";
# TODO: set a password
database = "hedgedoc";
host = "/var/run/postgresql";
dialect = "postgresql";
};
oauth2 = let
authServerUrl = config.services.kanidm.serverSettings.origin;
in rec {
baseURL = "${authServerUrl}/oauth2";
tokenURL = "${authServerUrl}/oauth2/token";
authorizationURL = "${authServerUrl}/ui/oauth2";
userProfileURL = "${authServerUrl}/oauth2/openid/${clientID}/userinfo";
clientID = "hedgedoc";
scope = "openid email profile";
userProfileUsernameAttr = "name";
userProfileEmailAttr = "email";
userProfileDisplayNameAttr = "displayname";
providerName = "KaniDM";
};
};
};
services.postgresql = {
ensureDatabases = [ "hedgedoc" ];
ensureUsers = [{
name = "hedgedoc";
ensurePermissions = {
"DATABASE \"hedgedoc\"" = "ALL PRIVILEGES";
};
}];
};
systemd.services.hedgedoc = {
requires = [
"postgresql.service"
"kanidm.service"
];
serviceConfig = {
CapabilityBoundingSet = "";
LockPersonality = true;
NoNewPrivileges = true;
PrivateDevices = true;
PrivateMounts = true;
PrivateTmp = true;
PrivateUsers = true;
ProtectClock = true;
ProtectHome = true;
ProtectHostname = true;
ProtectKernelLogs = true;
ProtectKernelModules = true;
ProtectKernelTunables = true;
ProtectProc = "invisible";
ProtectSystem = "strict";
ReadWritePaths = [ cfg.workDir ];
RemoveIPC = true;
RestrictSUIDSGID = true;
UMask = "0007";
RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ];
SystemCallArchitectures = "native";
SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @module @mount @obsolete @raw-io @reboot @setuid @swap";
};
};
};
}
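Review bot: The `requires` list added to `systemd.services.hedgedoc` has no matching `after`, and `Requires=` on its own only pulls the units in without ordering start-up, so hedgedoc can still be started before postgresql.service and kanidm.service are up; unless the custom `./hedgedoc.nix` module (whose diff is suppressed here) already orders it, add `after = [ "postgresql.service" "kanidm.service" ];` next to `requires`. The `allowAnonymous = false` / `allowAnonymousEdits = true` pair looks deliberate but is easy to misread in an OAuth2-only deployment; a one-line comment such as `# logged-out users may edit notes whose permission is "freely", but cannot create notes` would record the intent. The `# TODO: set a password` under `db` is moot while `host = "/var/run/postgresql"` selects the Unix socket (local peer auth), so either drop the TODO or state that socket auth is the intended mechanism. Minor style: `RestrictAddressFamilies = [ "AF_UNIX AF_INET AF_INET6" ]` packs three families into one list element; `[ "AF_UNIX" "AF_INET" "AF_INET6" ]` is the conventional form and produces the same unit directive.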
