From b3094727e5fd923ba3261720bbd9337591de8193 Mon Sep 17 00:00:00 2001
From: Sheppy
Date: Thu, 28 Dec 2023 23:06:13 +0000
Subject: [PATCH] feat: add hedgedoc \w oidc-auth

---
 group_vars/all.yaml                      | 11 ++++++
 roles/docker-deployments/tasks/main.yaml |  4 ++
 .../templates/hedgedoc.yaml              | 39 +++++++++++++++++++
 3 files changed, 54 insertions(+)
 create mode 100644 roles/docker-deployments/templates/hedgedoc.yaml

diff --git a/group_vars/all.yaml b/group_vars/all.yaml
index 460327d..691d732 100644
--- a/group_vars/all.yaml
+++ b/group_vars/all.yaml
@@ -209,3 +209,14 @@ keycloak_clients:
     master_address: "https://async-icinga.atlantishq.de"
     skips:
       - "/report"
+
+  hedgedoc:
+    party_secret : "HISTORY_PURGED_SECRET"
+    client_id: z_hedgedoc
+    client_secret: "HISTORY_PURGED_SECRET"
+    redirect_uris:
+      - "https://hedgedoc.atlantishq.de/*"
+    description: "Hedgedoc"
+    keycloak_id: "00000000-0000-0000-0000-000000000012"
+    groups: "monitoring"
+    master_address: "https://async-icinga.atlantishq.de"
diff --git a/roles/docker-deployments/tasks/main.yaml b/roles/docker-deployments/tasks/main.yaml
index b7ce812..d0cec66 100644
--- a/roles/docker-deployments/tasks/main.yaml
+++ b/roles/docker-deployments/tasks/main.yaml
@@ -50,6 +50,7 @@
     - harbor
     - event-dispatcher
     - reactive-resume
+    - hedgedoc
 
 - name: Copy Harbor Registry config
   copy:
@@ -97,6 +98,7 @@
     - event-dispatcher
     - tor
     - reactive-resume
+    - hedgedoc
 
 - name: Copy compose templates
   template:
@@ -115,6 +117,7 @@
     - event-dispatcher
     - tor
     - reactive-resume
+    - hedgedoc
 
 - name: Log into private registry
   docker_login:
@@ -149,6 +152,7 @@
     - event-dispatcher
     - tor
     - reactive-resume
+    - hedgedoc
 
 - name: OAuth2Proxy directories
   file:
diff --git a/roles/docker-deployments/templates/hedgedoc.yaml b/roles/docker-deployments/templates/hedgedoc.yaml
new file mode 100644
index 0000000..8d9c504
--- /dev/null
+++ b/roles/docker-deployments/templates/hedgedoc.yaml
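Review bot: The redirect URI registered for the new `hedgedoc` client, `https://hedgedoc.atlantishq.de/*`, is a wildcard, so Keycloak will deliver the authorization code to any path on that host — an open redirect or any attacker-influenced page under that origin becomes a code-capture point. HedgeDoc's OAuth2 flow returns to a single fixed callback path (presumably `/auth/oauth2/callback`; confirm against the running instance), so register it exactly: `- "https://hedgedoc.atlantishq.de/auth/oauth2/callback"`. The `groups: "monitoring"` and `master_address: "https://async-icinga.atlantishq.de"` values repeat the icinga entry visible in the context lines above and look copied rather than intended for a wiki; confirm the hedgedoc client actually needs them. The stray space in `party_secret :` is valid YAML but inconsistent with every other key in this mapping; write `party_secret: "..."`.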
@@ -0,0 +1,39 @@
+version: '3'
+services:
+  database:
+    image: postgres:13.4-alpine
+    environment:
+      - POSTGRES_USER=hedgedoc
+      - POSTGRES_PASSWORD=HISTORY_PURGED_SECRET
+      - POSTGRES_DB=hedgedoc
+    volumes:
+      - /data/hedgedoc/pgsql:/var/lib/postgresql/data
+    restart: always
+  app:
+    # Make sure to use the latest release from https://hedgedoc.org/latest-release
+    image: quay.io/hedgedoc/hedgedoc:1.9.9
+    environment:
+      - CMD_DB_URL=postgres://hedgedoc:HISTORY_PURGED_SECRET@database:5432/hedgedoc
+      - CMD_DOMAIN=hedgedoc.atlantishq.de
+      - CMD_PROTOCOL_USESSL=true
+      - CMD_ALLOW_ORIGIN=['hedgedoc.atlantishq.de']
+      - CMD_EMAIL=false
+      - CMD_ALLOW_EMAIL_REGISTER=false
+      - CMD_OAUTH2_USER_PROFILE_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/userinfo
+      - CMD_OAUTH2_TOKEN_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/token
+      - CMD_OAUTH2_AUTHORIZATION_URL=https://{{ keycloak_address }}/realms/master/protocol/openid-connect/auth
+      - CMD_OAUTH2_CLIENT_ID=z_hedgedoc
+      - CMD_OAUTH2_CLIENT_SECRET=HISTORY_PURGED_SECRET
+      - CMD_OAUTH2_SCOPE=openid email profile
+      - CMD_OAUTH2_ROLES_CLAIM=roles
+      - CMD_OAUTH2_PROVIDERNAME=AtlantisHQ Auth
+      - CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
+      - CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
+      - CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
+    volumes:
+      - /data/hedgedoc/uploads:/hedgedoc/public/uploads
+    ports:
+      - "5012:3000"
+    restart: always
+    depends_on:
+      - database
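Review bot: The OAuth2 client secret and the Postgres password are pasted literally into this template (`CMD_OAUTH2_CLIENT_SECRET=...`, `POSTGRES_PASSWORD=...`, and the password a second time inside `CMD_DB_URL`), even though the same patch defines `keycloak_clients.hedgedoc.client_secret` and the template already reads `{{ keycloak_address }}`; render them from vaulted variables so each secret exists in exactly one place and cannot drift between the two containers. Two further points on the `app` environment: `CMD_ALLOW_ORIGIN=['hedgedoc.atlantishq.de']` is the JSON-config list form, whereas the environment variable is a plain comma-separated host list, so the brackets and quotes presumably end up inside the whitelisted hostname (verify against HedgeDoc's config parsing); and nothing limits who may log in — any user in the `master` realm can authenticate — so if the `groups: "monitoring"` on the Keycloak client is meant to gate access, add `CMD_OAUTH2_ACCESS_ROLE` (note Keycloak exposes realm roles under `realm_access.roles` unless a protocol mapper supplies the top-level `roles` claim that `CMD_OAUTH2_ROLES_CLAIM=roles` expects). Finally, `"5012:3000"` publishes the app on every host interface, bypassing whatever terminates TLS for `CMD_PROTOCOL_USESSL=true`; bind it to loopback, and set `CMD_SESSION_SECRET` from a vaulted variable so session cookies are not signed with a freshly generated key on every restart. The variable names below for the DB and session secrets are new and would need adding to group_vars.
```yaml
    environment:
      - CMD_DB_URL=postgres://hedgedoc:{{ hedgedoc_db_password }}@database:5432/hedgedoc
      # … unchanged: CMD_DOMAIN, CMD_PROTOCOL_USESSL …
      - CMD_ALLOW_ORIGIN=hedgedoc.atlantishq.de
      # … unchanged: CMD_EMAIL … CMD_OAUTH2_CLIENT_ID …
      - CMD_OAUTH2_CLIENT_SECRET={{ keycloak_clients.hedgedoc.client_secret }}
      # … unchanged: CMD_OAUTH2_SCOPE … CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR …
      - CMD_OAUTH2_ACCESS_ROLE=monitoring
      - CMD_SESSION_SECRET={{ hedgedoc_session_secret }}
    # … unchanged: volumes …
    ports:
      - "127.0.0.1:5012:3000"
```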