HedgeDoc

This page describes the installation of HedgeDoc (a collaborative Markdown editor, https://hedgedoc.org/) on https://md.tetaneutral.net

The VM runs Debian 10, with 2 GB of RAM and a 20 GB disk.

Prerequisite packages

apt install git
apt install nodejs
apt install postgresql
apt install nginx
apt install certbot
apt install python3-certbot-nginx
apt install npm
npm install --global yarn

Creating the user and the PostgreSQL database

adduser hedgedoc   # long random password
su - postgres
createuser --pwprompt hedgedoc   # same password
createdb -O hedgedoc hedgedoc
exit

Installing the software itself:

sudo -u hedgedoc bash
git clone -b 1.7.2 https://github.com/hedgedoc/hedgedoc.git
cd hedgedoc
./bin/setup
yarn run build

Create env.sh

# Environment for HedgeDoc
# https://docs.hedgedoc.org/configuration/

CMD_DOMAIN=md.tetaneutral.net
CMD_HOST=127.0.0.1
CMD_PORT=3000
CMD_PROTOCOL_USESSL=true

CMD_DB_URL=postgres://hedgedoc:<password>@localhost:5432/hedgedoc

CMD_ALLOW_ANONYMOUS=false
CMD_ALLOW_ANONYMOUS_EDITS=true
CMD_ALLOW_ANONYMOUS_VIEWS=true
CMD_DEFAULT_PERMISSION=limited
CMD_DEFAULT_USE_HARD_BREAK=false

CMD_SESSION_SECRET=<secret generated by pwgen 32 1>

CMD_IMAGE_UPLOAD_TYPE=filesystem

CMD_EMAIL=false
CMD_ALLOW_EMAIL_REGISTER=false

CMD_ALLOW_FREEURL=true
CMD_REQUIRE_FREEURL_AUTHENTICATION=true

CMD_LDAP_URL=ldaps://ldap.tetaneutral.net/
CMD_LDAP_BINDDN='cn=directory manager'
CMD_LDAP_BINDCREDENTIALS=<LDAP root password>
CMD_LDAP_SEARCHBASE=ou=people,dc=tetaneutral,dc=net
CMD_LDAP_SEARCHFILTER='(cn={{username}})'
CMD_LDAP_SEARCHATTRIBUTES='cn,nsUniqueId'
CMD_LDAP_USERIDFIELD=nsUniqueId
CMD_LDAP_USERNAMEFIELD=cn
CMD_LDAP_PROVIDERNAME=Tetaneutral.net

CMD_USECDN=false
CMD_ALLOW_GRAVATAR=true
CMD_ALLOW_ORIGIN=md.tetaneutral.net

DEBUG=false
NODE_ENV=production

and .sequelizerc:

var path = require('path');

module.exports = {
    'config':          path.resolve('config.json'),
    'migrations-path': path.resolve('lib', 'migrations'),
    'models-path':     path.resolve('lib', 'models'),
    'url':             'postgres://hedgedoc:<password>@localhost:5432/hedgedoc'
}
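
Both env.sh and .sequelizerc hold the database password, and env.sh also holds the session secret and the LDAP bind password. The check below is an added example, not part of the original page; the function names (env_value, check_perms, audit_env) and the finding labels are made up for illustration.

```shell
#!/bin/sh
# Added example: pre-start audit of a HedgeDoc env.sh (hypothetical helper names).
# Each function prints one finding per line and prints nothing when all is well.

# Last value assigned to KEY ($2) in FILE ($1), surrounding quotes stripped.
env_value() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed -e "s/^['\"]//" -e "s/['\"]\$//"
}

# env.sh and .sequelizerc both embed the database password, so neither
# may carry any group or other permission bits.
check_perms() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ] || echo "PERMS: $1 is accessible to group/others ($perms)"
}

audit_env() (
    file=$1
    check_perms "$file"
    # Template placeholders such as <password> must be replaced before use.
    for key in CMD_DB_URL CMD_SESSION_SECRET CMD_LDAP_BINDCREDENTIALS; do
        val=$(env_value "$file" "$key")
        case $val in
            '')        echo "MISSING: $key is not set" ;;
            *'<'*'>'*) echo "PLACEHOLDER: $key still holds a template value" ;;
        esac
    done
    # The page generates the secret with "pwgen 32 1", i.e. 32 characters.
    val=$(env_value "$file" CMD_SESSION_SECRET)
    [ "${#val}" -ge 32 ] || echo "WEAK: CMD_SESSION_SECRET is shorter than 32 characters"
    # The bind password is sent over this connection, so it must be TLS.
    val=$(env_value "$file" CMD_LDAP_URL)
    case $val in
        ldaps://*) ;;
        *) echo "CLEARTEXT: CMD_LDAP_URL does not use ldaps://" ;;
    esac
)
```

Run audit_env env.sh and check_perms .sequelizerc as the hedgedoc user from ~/hedgedoc; chmod 600 on both files clears the PERMS finding.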

Manual launch for debugging

su - hedgedoc
cd ~/hedgedoc
source env.sh
export $(grep -v ^# env.sh | cut -d= -f1)
node app.js

This shows any error messages live on the console.
Press Ctrl+C to stop the application.

systemd service

Create /etc/systemd/system/hedgedoc.service:

[Unit]
Description=HedgeDoc
After=network.target

[Service]
Type=simple
User=hedgedoc
EnvironmentFile=/home/hedgedoc/hedgedoc/env.sh
WorkingDirectory=/home/hedgedoc/hedgedoc
ExecStart=/usr/local/bin/yarn start
TimeoutSec=15
Restart=always

[Install]
WantedBy=multi-user.target

Then run systemctl daemon-reload to load the new service, and

systemctl enable hedgedoc
systemctl start hedgedoc

to start the service and make it permanent.

Reverse Proxy

Configuration of the nginx reverse proxy + certbot for the Let's Encrypt certificate:

  1. /etc/nginx/sites-available/md.tetaneutral.net.conf :
    map $http_upgrade $connection_upgrade {
            default upgrade;
            ''      close;
    }
    
    server {
        listen 80 ;
        listen [::]:80 ;
        if ($host = md.tetaneutral.net) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
        server_name md.tetaneutral.net;
        return 404; # managed by Certbot
    }
    
    server {
            server_name md.tetaneutral.net;
    
            location / {
                    proxy_pass http://127.0.0.1:3000;
                    proxy_set_header Host $host; 
                    proxy_set_header X-Real-IP $remote_addr; 
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
                    proxy_set_header X-Forwarded-Proto $scheme;
            }
    
            location /socket.io/ {
                    proxy_pass http://127.0.0.1:3000;
                    proxy_set_header Host $host; 
                    proxy_set_header X-Real-IP $remote_addr; 
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
                    proxy_set_header X-Forwarded-Proto $scheme;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection $connection_upgrade;
            }
    
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        ssl_certificate /etc/letsencrypt/live/md.tetaneutral.net/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/md.tetaneutral.net/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }
    

Upgrade to 1.9.4

On 2022/10/02

LDAP authentication problem. Fixed by the patch:

--- node_modules/ldapauth-fork/lib/ldapauth.js~ 2022-10-01 10:02:38.154999000 +0000
+++ node_modules/ldapauth-fork/lib/ldapauth.js  2022-10-07 08:40:07.150568701 +0000
@@ -321,13 +321,13 @@

   // groupDnProperty will be accessed in the user returned by the search, and
   // so needs to be requested from the LDAP server.
-  if (
-    opts.attributes &&
-    self.opts.groupDnProperty &&
-    !opts.attributes.includes(self.opts.groupDnProperty)
-  ) {
-    opts.attributes.push(self.opts.groupDnProperty);
-  }
+  //if (
+  //  opts.attributes &&
+  //  self.opts.groupDnProperty &&
+  //  !opts.attributes.includes(self.opts.groupDnProperty)
+  //) {
+  //  opts.attributes.push(self.opts.groupDnProperty);
+  //}

   self._search(self.opts.searchBase, opts, function (err, result) {
     if (err) {
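
Review bot: the comment left above the disabled block ("groupDnProperty will be accessed in the user returned by the search, and so needs to be requested from the LDAP server") now describes something the code no longer does. With the push commented out, a search that sets opts.attributes will not request groupDnProperty, so any code that reads that property from the returned user can find it missing. Because the edit is made directly in node_modules/ldapauth-fork/lib/ldapauth.js, it is also lost whenever dependencies are reinstalled. I would delete the block together with its comment rather than commenting it out, and keep the change recorded outside node_modules so it can be reapplied, or dropped once a fixed version is installed.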



	

Upstream fix: https://github.com/hedgedoc/hedgedoc/pull/2583