Rename codimd.c3d2.de to hedgedoc.c3d2.de, redirect, add ldap login

2022-07-24 03:58:44 +02:00 · 2022-07-24 03:58:44 +02:00 · f0800a6150
parent a48b72c4a3
commit f0800a6150
4 changed files with 78 additions and 64 deletions
--- a/flake.lock
+++ b/flake.lock
@ -3,16 +3,16 @@
    "fenix": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixos"
        ],
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1658471435,
-        "narHash": "sha256-NQ6pbKcXv/zZYXiGzx+BsPJglrEps9qJxCdpmB135n4=",
+        "lastModified": 1658557620,
+        "narHash": "sha256-IUiiWZXk6Q5xUm+Pl01S9DXmDZj065KbArecCd9cahc=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "353d5ac5d0e3e8c26fe7c6744afdb1929496b1df",
+        "rev": "441b2aeebfb0582ce300becebcf8ffb58300d9ec",
        "type": "github"
      },
      "original": {
@ -45,7 +45,7 @@
          "naersk"
        ],
        "nixpkgs": [
-          "nixpkgs"
+          "nixos"
        ],
        "utils": "utils"
      },
@ -148,7 +148,7 @@
      "inputs": {
        "flake-utils": "flake-utils",
        "nixpkgs": [
-          "nixpkgs"
+          "nixos"
        ]
      },
      "locked": {
@ -168,7 +168,7 @@
    "naersk": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixos"
        ]
      },
      "locked": {
@ -259,6 +259,22 @@
        "type": "github"
      }
    },
+    "nixos": {
+      "locked": {
+        "lastModified": 1658500284,
+        "narHash": "sha256-g7vwZ5UF8PvC9f2/7Zf5O6zxgJiMSuh1CiGZVuuOhEQ=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "e3583ad6e533a9d8dd78f90bfa93812d390ea187",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-22.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixos-hardware": {
      "locked": {
        "lastModified": 1658401027,
@ -276,11 +292,11 @@
    },
    "nixos-unstable": {
      "locked": {
-        "lastModified": 1658380158,
-        "narHash": "sha256-DBunkegKWlxPZiOcw3/SNIFg93amkdGIy2g0y/jDpHg=",
+        "lastModified": 1658465217,
+        "narHash": "sha256-f2Zyt7TsDZ1TK3Cu6ZtzWoWQ4nnQq07uXTPxW26rIQY=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "a65b5b3f5504b8b89c196aba733bdf2b0bd13c16",
+        "rev": "2d372784634e224c5a629d80a19705af655fbc7d",
        "type": "github"
      },
      "original": {
@ -292,11 +308,11 @@
    },
    "nixos-unstable-sandro": {
      "locked": {
-        "lastModified": 1658533212,
-        "narHash": "sha256-+rbyEE2e26gZ+e4455yOPbcLVtT+w4jYZ2QdtV9WLeo=",
+        "lastModified": 1658627301,
+        "narHash": "sha256-FkWtHYuXeODkBDMg3c9vvu+Y+SkfaudoLg5338aT+48=",
        "owner": "SuperSandro2000",
        "repo": "nixpkgs",
-        "rev": "bc4f3aa3cf7d3d541b2f177de8bf54b2bde94ec2",
+        "rev": "ab3be9aef4ba2d3850674dc1e21fc510865d55db",
        "type": "github"
      },
      "original": {
@ -382,22 +398,6 @@
        "type": "indirect"
      }
    },
-    "nixpkgs_3": {
-      "locked": {
-        "lastModified": 1658422817,
-        "narHash": "sha256-kzZrlzqK6kbkTEnDK21wjRDamUJP0m30pm3XRPk0aZg=",
-        "owner": "nixos",
-        "repo": "nixpkgs",
-        "rev": "70e3e0ee807371e16563a88b77b8533e2cea8aa2",
-        "type": "github"
-      },
-      "original": {
-        "owner": "nixos",
-        "ref": "nixos-22.05",
-        "repo": "nixpkgs",
-        "type": "github"
-      }
-    },
    "oparl-scraper": {
      "flake": false,
      "locked": {
@ -435,7 +435,7 @@
    "openwrt-imagebuilder": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixos"
        ]
      },
      "locked": {
@ -455,7 +455,7 @@
    "riscv64": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixos"
        ]
      },
      "locked": {
@ -480,10 +480,10 @@
        "hydra-ca": "hydra-ca",
        "microvm": "microvm",
        "naersk": "naersk",
+        "nixos": "nixos",
        "nixos-hardware": "nixos-hardware",
        "nixos-unstable": "nixos-unstable",
        "nixos-unstable-sandro": "nixos-unstable-sandro",
-        "nixpkgs": "nixpkgs_3",
        "nixpkgs-mobilizon": "nixpkgs-mobilizon",
        "oparl-scraper": "oparl-scraper",
        "openwrt": "openwrt",
@ -502,11 +502,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1658391799,
-        "narHash": "sha256-Bw/zHZXdxe4DLhtT/hk0t/oDwXKLTTtb6Xt4HTbWT74=",
+        "lastModified": 1658530835,
+        "narHash": "sha256-ZzqSWm8gM+DRDcBlSRIG+EccgF9G6C2KmC0vBt1T+0A=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "84a6fac37ad61ff512993ee64b47deff9a52c560",
+        "rev": "0b131bc78eece8be69b5d3633f4db04cf2c1151b",
        "type": "github"
      },
      "original": {
@ -535,18 +535,18 @@
    "secrets": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixos"
        ],
        "sops-nix": [
          "sops-nix"
        ]
      },
      "locked": {
-        "lastModified": 1657928876,
-        "narHash": "sha256-vK8OIjiD3XpzTH6uv358IU71Jwvu5o2+q8ISg+Vg+tU=",
+        "lastModified": 1658611658,
+        "narHash": "sha256-rl7y2T0+/w0AezY3l5BGvBNMGvSnH4WWEJ6OWwhNyFw=",
        "ref": "refs/heads/master",
-        "rev": "ce0f7c9f962851cdead48cf8dd3ee088aa00efed",
-        "revCount": 143,
+        "rev": "854379a9c9d037aca41e6da65176f1a36bbf0bf9",
+        "revCount": 144,
        "type": "git",
        "url": "ssh://gitea@gitea.c3d2.de/c3d2-admins/secrets.git"
      },
@ -558,10 +558,10 @@
    "sops-nix": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixos"
        ],
        "nixpkgs-22_05": [
-          "nixpkgs"
+          "nixos"
        ]
      },
      "locked": {
@ -603,7 +603,7 @@
          "naersk"
        ],
        "nixpkgs": [
-          "nixpkgs"
+          "nixos"
        ],
        "utils": "utils_2"
      },
@ -670,7 +670,7 @@
    "yammat": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixos"
        ]
      },
      "locked": {
@ -691,7 +691,7 @@
    "zentralwerk": {
      "inputs": {
        "nixpkgs": [
-          "nixpkgs"
+          "nixos"
        ],
        "openwrt": [
          "openwrt"
--- a/flake.nix
+++ b/flake.nix
@ -494,6 +494,7 @@
            }
            ./hosts/containers/hedgedoc
          ];
+          nixpkgs = inputs.nixos-unstable-sandro;
        };

        pulsebert = nixosSystem' {
--- a/hosts/containers/hedgedoc/default.nix
+++ b/hosts/containers/hedgedoc/default.nix
@ -12,16 +12,20 @@

  networking = {
    hostName = "hedgedoc";
+    hosts = {
+      "2a00:8180:2c00:282::48" = [ "auth.c3d2.de" ];
+      "172.20.73.72" = [ "auth.c3d2.de" ];
+    };
    firewall.allowedTCPPorts = [ 80 443 ];
  };

  services = {
    hedgedoc = {
      enable = true;
-      configuration = {
+      settings = {
        allowAnonymousEdits = true;
        allowFreeURL = true;
-        allowOrigin = [ "codimd.c3d2.de" ];
+        allowOrigin = [ "hedgedoc.c3d2.de" ];
        csp = {
          enable = true;
          addDefaults = true;
@ -32,7 +36,16 @@
          host = "/run/postgresql/";
        };
        defaultPermission = "freely";
-        domain = "codimd.c3d2.de";
+        domain = "hedgedoc.c3d2.de";
+        ldap = {
+          url = "ldaps://auth.c3d2.de";
+          bindDn = "uid=search,ou=users,dc=c3d2,dc=de";
+          bindCredentials = "$bindCredentials";
+          searchBase = "ou=users,dc=c3d2,dc=de";
+          searchFilter = "(&(objectclass=person)(uid={{username}}))";
+          tlsca = "/etc/ssl/certs/ca-certificates.crt";
+          useridField = "uid";
+        };
        protocolUseSSL = true;
        sessionSecret = "$sessionSecret";
      };
@ -41,21 +54,18 @@

    nginx = {
      enable = true;
-      virtualHosts."codimd.c3d2.de" = {
-        default = true;
-        forceSSL = true;
-        enableACME = true;
-        locations."/" = {
-          proxyPass = "http://localhost:${toString config.services.hedgedoc.configuration.port}";
-          # extraConfig = ''
-          #   satisfy any;
-          #   auth_basic secured;
-          #   auth_basic_user_file ${pkgs.matemat-auth};
-          #   allow 2a00:8180:2c00:200::/56;
-          #   allow 172.22.99.0/24;
-          #   allow 172.20.72.0/21;
-          #   deny all;
-          # '';
+      enableReload = true;
+      virtualHosts = {
+        "codimd.c3d2.de" = {
+          forceSSL = true;
+          enableACME = true;
+          locations."/".return = "301 https://hedgedoc.c3d2.de$request_uri";
+        };
+        "hedgedoc.c3d2.de" = {
+          default = true;
+          forceSSL = true;
+          enableACME = true;
+          locations."/".proxyPass = "http://localhost:${toString config.services.hedgedoc.configuration.port}";
        };
      };
    };
--- a/hosts/containers/public-access-proxy/default.nix
+++ b/hosts/containers/public-access-proxy/default.nix
@ -67,7 +67,10 @@
      ];
      proxyTo.host = config.c3d2.hosts.c3d2-web.ip4;
    } {
-      hostNames = [ "codimd.c3d2.de" ];
+      hostNames = [
+        "codimd.c3d2.de"
+        "hedgedoc.c3d2.de"
+      ];
      proxyTo.host = config.c3d2.hosts.hedgedoc.ip4;
    } {
      hostNames = [ "ftp.c3d2.de" ];