Compare commits
38 Commits
1c41525b97
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
4b1a42fa0e
|
|||
|
2ef8bef684
|
|||
| 0e735d7cb2 | |||
| 1e810965cd | |||
| 3516443d6d | |||
|
9668f9f2e5
|
|||
|
1c048694dc
|
|||
|
40eb2fe7bc
|
|||
|
90c6028020
|
|||
|
a79696e5fa
|
|||
|
cff859a972
|
|||
|
96105a32ea
|
|||
|
c46b2fdc4d
|
|||
|
c39d7a3667
|
|||
|
5009cce450
|
|||
|
62352cd2a1
|
|||
|
48a723aae1
|
|||
|
21d741064b
|
|||
|
ad36e7722a
|
|||
|
795e159482
|
|||
|
8b2b30a422
|
|||
|
921e9e7fec
|
|||
|
2cd3568ac3
|
|||
|
1212a6881a
|
|||
|
bcc1c9edf2
|
|||
|
af10f91a69
|
|||
|
1684e24959
|
|||
|
fc34f43f4d
|
|||
|
9844252b4d
|
|||
|
24aadc213e
|
|||
|
80610f3d74
|
|||
|
49791d7e3f
|
|||
|
bdc277d57c
|
|||
|
542140869e
|
|||
|
75c64c7019
|
|||
|
c66411653e
|
|||
|
dc75ef6600
|
|||
|
7de519b118
|
@@ -7,5 +7,6 @@
|
|||||||
[ "selfprivacy", "passthru", "auth", "oauth2-provider-name" ],
|
[ "selfprivacy", "passthru", "auth", "oauth2-provider-name" ],
|
||||||
[ "selfprivacy", "sso", "enable" ],
|
[ "selfprivacy", "sso", "enable" ],
|
||||||
[ "selfprivacy", "useBinds" ],
|
[ "selfprivacy", "useBinds" ],
|
||||||
[ "services", "kanidm", "serverSettings", "origin" ]
|
[ "services", "kanidm", "serverSettings", "origin" ],
|
||||||
|
[ "services", "writefreely" ]
|
||||||
]
|
]
|
||||||
|
|||||||
@@ -11,7 +11,7 @@
|
|||||||
spModuleSchemaVersion = 1;
|
spModuleSchemaVersion = 1;
|
||||||
id = "writefreely";
|
id = "writefreely";
|
||||||
name = "WriteFreely";
|
name = "WriteFreely";
|
||||||
description = "An open source platform for building a writing space on the web.";
|
description = "An open source platform for building a writing space on the web. Notice that the first signed in user will become the only admin automatically, and there is no possibility to change this.";
|
||||||
svgIcon = builtins.readFile ./icon.svg;
|
svgIcon = builtins.readFile ./icon.svg;
|
||||||
isMovable = true;
|
isMovable = true;
|
||||||
isRequired = false;
|
isRequired = false;
|
||||||
@@ -27,7 +27,7 @@
|
|||||||
];
|
];
|
||||||
homepage = "https://writefreely.org";
|
homepage = "https://writefreely.org";
|
||||||
sourcePage = "https://github.com/writefreely/writefreely";
|
sourcePage = "https://github.com/writefreely/writefreely";
|
||||||
supportLevel = "normal";
|
supportLevel = "experimental";
|
||||||
sso = {
|
sso = {
|
||||||
userGroup = "sp.writefreely.users";
|
userGroup = "sp.writefreely.users";
|
||||||
};
|
};
|
||||||
|
|||||||
99
module.nix
99
module.nix
@@ -41,7 +41,7 @@ in
|
|||||||
(lib.mkOption {
|
(lib.mkOption {
|
||||||
default = "writefreely";
|
default = "writefreely";
|
||||||
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
type = lib.types.strMatching "[A-Za-z0-9][A-Za-z0-9\-]{0,61}[A-Za-z0-9]";
|
||||||
description = "Subdomain (changing subdomain after setting up will cause breakage of the federation!)";
|
description = "Subdomain (changing subdomain after enabling the federation will cause its breakage!)";
|
||||||
})
|
})
|
||||||
// {
|
// {
|
||||||
meta = {
|
meta = {
|
||||||
@@ -51,6 +51,30 @@ in
|
|||||||
weight = 0;
|
weight = 0;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
appName =
|
||||||
|
(lib.mkOption {
|
||||||
|
default = "WriteFreely";
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "Name of the WriteFreely instance.";
|
||||||
|
})
|
||||||
|
// {
|
||||||
|
meta = {
|
||||||
|
type = "string";
|
||||||
|
weight = 1;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
description =
|
||||||
|
(lib.mkOption {
|
||||||
|
default = "WriteFreely instance.";
|
||||||
|
type = lib.types.str;
|
||||||
|
description = "Description of the WriteFreely instance. This makes no sense if the federation is not enabled.";
|
||||||
|
})
|
||||||
|
// {
|
||||||
|
meta = {
|
||||||
|
type = "string";
|
||||||
|
weight = 2;
|
||||||
|
};
|
||||||
|
};
|
||||||
enableFederation =
|
enableFederation =
|
||||||
(lib.mkOption {
|
(lib.mkOption {
|
||||||
default = false;
|
default = false;
|
||||||
@@ -60,19 +84,7 @@ in
|
|||||||
// {
|
// {
|
||||||
meta = {
|
meta = {
|
||||||
type = "bool";
|
type = "bool";
|
||||||
weight = 1;
|
weight = 3;
|
||||||
};
|
|
||||||
};
|
|
||||||
title =
|
|
||||||
(lib.mkOption {
|
|
||||||
default = "WriteFreely";
|
|
||||||
type = lib.types.str;
|
|
||||||
description = "Name of the WriteFreely instance.";
|
|
||||||
})
|
|
||||||
// {
|
|
||||||
meta = {
|
|
||||||
type = "str";
|
|
||||||
weight = 2;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@@ -88,7 +100,7 @@ in
|
|||||||
fileSystems = lib.mkIf sp.useBinds {
|
fileSystems = lib.mkIf sp.useBinds {
|
||||||
"/var/lib/writefreely" = {
|
"/var/lib/writefreely" = {
|
||||||
device = "/volumes/${cfg.location}/writefreely";
|
device = "/volumes/${cfg.location}/writefreely";
|
||||||
options = [ "bind" ];
|
options = [ "bind" "uid=writefreely" "gid=writefreely" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
@@ -99,11 +111,13 @@ in
|
|||||||
settings = {
|
settings = {
|
||||||
server.port = 8081;
|
server.port = 8081;
|
||||||
app = {
|
app = {
|
||||||
site_name = cfg.title;
|
host = lib.mkForce "https://${cfg.subdomain}.${sp.domain}";
|
||||||
|
site_name = cfg.appName;
|
||||||
|
site_description = cfg.description;
|
||||||
single_user = false;
|
single_user = false;
|
||||||
federation = cfg.enableFederation;
|
federation = cfg.enableFederation;
|
||||||
disable_password_auth = true;
|
disable_password_auth = true;
|
||||||
open_registration = false;
|
open_registration = true;
|
||||||
};
|
};
|
||||||
|
|
||||||
"oauth.generic" = {
|
"oauth.generic" = {
|
||||||
@@ -113,32 +127,42 @@ in
|
|||||||
token_endpoint = "/oauth2/token";
|
token_endpoint = "/oauth2/token";
|
||||||
inspect_endpoint = "/oauth2/openid/${oauthClientID}/userinfo";
|
inspect_endpoint = "/oauth2/openid/${oauthClientID}/userinfo";
|
||||||
auth_endpoint = "/ui/oauth2";
|
auth_endpoint = "/ui/oauth2";
|
||||||
|
client_secret = "@replace_oauth_secret@";
|
||||||
|
map_user_id = "preferred_username";
|
||||||
|
map_username = "preferred_username";
|
||||||
|
scope = "openid email profile";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd = {
|
systemd = {
|
||||||
services.writefreely = {
|
services.writefreely = {
|
||||||
requeres = [ "writefreely-secrets.service" ];
|
requires = [ "writefreely-sqlite-init.service" ];
|
||||||
|
path = [ pkgs.openssl ];
|
||||||
unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/writefreely";
|
unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/writefreely";
|
||||||
serviceConfig.Slice = "writefreely.slice";
|
serviceConfig.Slice = "writefreely.slice";
|
||||||
|
restartTriggers = [ (
|
||||||
|
pkgs.writeText "writefreely-restart-trigger"
|
||||||
|
(builtins.toJSON config.services.writefreely.settings)
|
||||||
|
) ];
|
||||||
};
|
};
|
||||||
|
|
||||||
services.writefreely-secrets = let inherit (config.services.writefreely) stateDir;
|
services.writefreely-sqlite-init = let
|
||||||
|
cfgFile = "${config.services.writefreely.stateDir}/config.ini";
|
||||||
in {
|
in {
|
||||||
wantedBy = [ "multi-user.target" ];
|
postStart = ''
|
||||||
requiredBy = [ "writefreely.service" ];
|
chmod 660 '${cfgFile}'
|
||||||
|
${lib.getExe pkgs.replace-secret} "@replace_oauth_secret@" "${oauthClientSecretFP}" "${cfgFile}"
|
||||||
serviceConfig = {
|
chmod 440 '${cfgFile}'
|
||||||
Type = "oneshot";
|
|
||||||
Slice = "writefreely.slice";
|
|
||||||
};
|
|
||||||
|
|
||||||
script = let crudini = lib.getExe pkgs.crudini;
|
|
||||||
in ''
|
|
||||||
${crudini} --set ${stateDir}/config.ini oauth.generic client_secret '$(cat ${oauthClientSecretFP})'
|
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
unitConfig.RequiresMountsFor = lib.mkIf sp.useBinds "/volumes/${cfg.location}/writefreely";
|
||||||
|
serviceConfig = {
|
||||||
|
Slice = "writefreely.slice";
|
||||||
|
ExecStartPre = [
|
||||||
|
"+${pkgs.coreutils}/bin/chown writefreely:writefreely /var/lib/writefreely"
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
slices.writefreely = {
|
slices.writefreely = {
|
||||||
@@ -146,13 +170,26 @@ in
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."${cfg.subdomain}.${sp.domain}" = {
|
||||||
|
useACMEHost = sp.domain;
|
||||||
|
forceSSL = true;
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://127.0.0.1:8081";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
selfprivacy.auth.clients.${oauthClientID} = {
|
selfprivacy.auth.clients.${oauthClientID} = {
|
||||||
inherit usersGroup;
|
inherit usersGroup;
|
||||||
subdomain = cfg.subdomain;
|
subdomain = cfg.subdomain;
|
||||||
originLanding = "https://${cfg.subdomain}.${sp.domain}/";
|
originLanding = "https://${cfg.subdomain}.${sp.domain}/";
|
||||||
originUrl = "https://${cfg.subdomain}.${sp.domain}/auth/oauth2/callback";
|
originUrl = "https://${cfg.subdomain}.${sp.domain}/oauth/callback/generic";
|
||||||
clientSystemdUnits = [ "writefreely.service" ];
|
clientSystemdUnits = [ "writefreely.service" ];
|
||||||
enablePkce = false;
|
enablePkce = false;
|
||||||
|
scopeMaps = {
|
||||||
|
"${usersGroup}" = [ "email" "openid" "profile" ];
|
||||||
|
};
|
||||||
linuxUserOfClient = "writefreely";
|
linuxUserOfClient = "writefreely";
|
||||||
linuxGroupOfClient = "writefreely";
|
linuxGroupOfClient = "writefreely";
|
||||||
};
|
};
|
||||||
|
|||||||
Reference in New Issue
Block a user