Merge branch 'infra4future-pad' into 'main'

added hainich/hedgedoc-i4f

See merge request hacc/infra/haccfiles!66

hosts/hainich/configuration.nix

@@ -7,7 +7,7 @@
     ./hardware.nix
     ./services/murmur.nix
     ./services/mail.nix
-    ./services/codimd.nix
+    ./services/hedgedoc.nix
     ../../common
 #   ./wireguard.nix
     ./services/nginx.nix
@@ -115,6 +115,8 @@
       "/run/florinori"
       "/var/lib/containers/codimd/var/lib/codimd"
       "/var/lib/containers/codimd/var/backup/postgresql"
+      "/var/lib/containers/hedgedoc-i4f/var/lib/codimd"
+      "/var/lib/containers/hedgedoc-i4f/var/backup/postgresql"
       "/var/lib/containers/lantifa/var/lib/mediawiki"
       "/var/lib/containers/lantifa/var/backup/mysql"
       "/var/lib/murmur"

hosts/hainich/services/codimd.nix

@@ -1,91 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-{
-  containers.codimd = {
-    privateNetwork = true;
-    hostAddress = "192.168.100.1";
-    localAddress = "192.168.100.3";
-    autoStart = true;
-    config = { config, lib, pkgs, ... }: {
-      networking.firewall.enable = false;
-      services.coredns = {
-        enable = true;
-        config = ''
-        .:53 {
-          forward . 1.1.1.1
-        }
-        '';
-      };
-      services.hedgedoc = {
-        enable = true;
-        configuration = {
-          allowAnonymous = true;
-          allowFreeURL = true;
-          allowGravatar = false;
-          allowOrigin = [ "localhost" "pad.hacc.space" "fff-muc.de" ];
-          dbURL = "postgres://codimd:codimd@localhost:5432/codimd";
-          defaultPermission = "limited";
-          domain  = "pad.hacc.space";
-          host = "0.0.0.0";
-          protocolUseSSL = true;
-          hsts.preload = false;
-          email = false;
-          oauth2 = {
-            authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
-            tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
-            clientID = "codimd";
-            clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
-          };
-        };
-      };
-      systemd.services.hedgedoc.environment = {
-        "CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
-        "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name";
-        "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name";
-        "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
-        "CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
-      };
-      services.postgresql = {
-        enable = true;
-        ensureDatabases = [ "codimd" ];
-        ensureUsers = [{
-          name = "codimd";
-          ensurePermissions = {
-            "DATABASE codimd" = "ALL PRIVILEGES";
-          };
-        }];
-      };
-      services.postgresqlBackup = {
-        enable = true;
-        databases = [ "codimd" ];
-        startAt = "*-*-* 23:45:00";
-      };
-    };
-  };
-
-  services.nginx.virtualHosts."pad.hacc.earth" = {
-    enableACME = true;
-    forceSSL = true;
-    globalRedirect = "pad.hacc.space";
-  };
-
-  services.nginx.virtualHosts."pad.hacc.space" = {
-    forceSSL = true;
-    enableACME = true;
-    locations."/" = {
-      proxyPass = "http://192.168.100.3:3000";
-      extraConfig = ''
-        proxy_pass_request_headers on;
-        proxy_set_header Host $host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-Host $http_host;
-        proxy_set_header Upgrade $http_upgrade;
-        proxy_set_header Connection $http_connection;
-        add_header Access-Control-Allow-Origin "*";
-        proxy_buffering off;
-      '';
-    };
-  };
-}

hosts/hainich/services/hedgedoc.nix

@@ -0,0 +1,122 @@
+{ config, lib, pkgs, ... }:
+
+let
+  mkHedgedocContainer = {extraOptions, name}: {config, lib, pkgs, ...}: {
+    imports = [ extraOptions ];
+    networking.firewall.enable = false;
+    services.coredns = {
+      enable = true;
+      config = ''
+        .:53 {
+          forward . 1.1.1.1
+        }
+        '';
+    };
+    services.hedgedoc = {
+      enable = true;
+      configuration = {
+        allowAnonymous = true;
+        allowFreeURL = true;
+        allowGravatar = false;
+        allowOrigin = [ "localhost" ];
+        dbURL = "postgres://${name}:${name}@localhost:5432/${name}";
+        defaultPermission = "limited";
+        #domain  = "pad.infra4future.de";
+        host = "0.0.0.0";
+        protocolUseSSL = true;
+        hsts.preload = false;
+        email = false;
+        oauth2 = {
+          authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
+          tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
+          clientID = name;
+          #clientSecret = "2984f185-f7ff-4837-8ba6-cdabb066f9b7";
+        };
+      };
+    };
+    systemd.services.hedgedoc.environment = {
+      "CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
+      "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name";
+      "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name";
+      "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
+      "CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
+    };
+    services.postgresql = {
+      enable = true;
+      ensureDatabases = [ name ];
+      ensureUsers = [{
+        inherit name;
+        ensurePermissions = {
+          "DATABASE ${name}" = "ALL PRIVILEGES";
+        };
+      }];
+    };
+    services.postgresqlBackup = {
+      enable = true;
+      databases = [ name ];
+      startAt = "*-*-* 23:45:00";
+    };
+  };
+in
+{
+  containers.hedgedoci4f = {
+    privateNetwork = true;
+    hostAddress = "192.168.100.1";
+    localAddress = "192.168.100.41";
+    autoStart = true;
+    config = mkHedgedocContainer {
+      name = "hedgedoc-i4f";
+      extraOptions = {config, pkgs, ...}: {
+        services.hedgedoc.configuration = {
+          defaultPermission = pkgs.lib.mkForce "freely";
+          allowOrigin = [ "pad.infra4future.de" "fff-muc.de" ];
+          domain = "pad.infra4future.de";
+          oauth2.clientSecret = "2984f185-f7ff-4837-8ba6-cdabb066f9b7";
+        };
+      };
+    };
+  };
+
+  containers.codimd = {
+    privateNetwork = true;
+    hostAddress = "192.168.100.1";
+    localAddress = "192.168.100.3";
+    autoStart = true;
+    config = mkHedgedocContainer {
+      name = "codimd";
+      extraOptions = {config, pkgs, ...}: {
+        services.hedgedoc.configuration = {
+          allowOrigin = [ "pad.hacc.space" "fff-muc.de" ];
+          domain = "pad.hacc.space";
+          oauth2.clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
+        };
+      };
+    };
+  };
+
+
+  services.nginx.virtualHosts =
+    let mkHedgedocHost = addr: {
+          forceSSL = true;
+          enableACME = true;
+          locations."/" = {
+            proxyPass = "http://192.168.100.3:3000";
+            extraConfig = ''
+              proxy_pass_request_headers on;
+              proxy_set_header Host $host;
+              proxy_set_header X-Real-IP $remote_addr;
+              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+              proxy_set_header X-Forwarded-Proto $scheme;
+              proxy_set_header X-Forwarded-Host $http_host;
+              proxy_set_header Upgrade $http_upgrade;
+              proxy_set_header Connection $http_connection;
+              add_header Access-Control-Allow-Origin "*";
+              proxy_buffering off;
+            '';
+          };
+        };
+    in {
+      "pad.infra4future.de" = mkHedgedocHost "http://192.168.100.3:3000";
+      "pad.hacc.space" = mkHedgedocHost "http://192.168.100.3:3000";
+    };
+}