From 98989afdec1a1e884fbe7c7c1e44f9911fde47b4 Mon Sep 17 00:00:00 2001 From: servius Date: Wed, 11 Feb 2026 04:27:14 +0530 Subject: [PATCH] feat: upgrade to excalidraw-full
---
 nixos/tako/services/excalidraw.nix | 102 +++++++++++++++++++++++------
 secrets/secrets.yaml | 9 ++-
 2 files changed, 89 insertions(+), 22 deletions(-)
diff --git a/nixos/tako/services/excalidraw.nix b/nixos/tako/services/excalidraw.nix
index 506ccc74..8a8dbef9 100644
--- a/nixos/tako/services/excalidraw.nix
+++ b/nixos/tako/services/excalidraw.nix
@@ -1,29 +1,91 @@
-{...}: {
+{config, ...}: let
+ dataDir = "/var/lib/excalidraw";
+ base_domain = "darksailor.dev";
+in {
+ # SOPS secrets and templates
+ sops = {
+ secrets = {
+ "excalidraw/jwt_secret" = {};
+ "authelia/oidc/excalidraw/client_id" = {
+ owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
+ mode = "0440";
+ restartUnits = ["authelia-darksailor.service"];
+ };
+ "authelia/oidc/excalidraw/client_secret" = {
+ owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
+ mode = "0440";
+ restartUnits = ["authelia-darksailor.service"];
+ };
+ };
+ templates."excalidraw.env".content = ''
+ OIDC_ISSUER_URL=https://auth.${base_domain}
+ OIDC_CLIENT_ID=${config.sops.placeholder."authelia/oidc/excalidraw/client_id"}
+ OIDC_CLIENT_SECRET=${config.sops.placeholder."authelia/oidc/excalidraw/client_secret"}
+ OIDC_REDIRECT_URL=https://draw.${base_domain}/auth/callback
+ JWT_SECRET=${config.sops.placeholder."excalidraw/jwt_secret"}
+ STORAGE_TYPE=sqlite
+ DATA_SOURCE_NAME=excalidraw.db
+ LOCAL_STORAGE_PATH=/root/data
+ '';
+ };
+
+ # Create data directory and initialize SQLite DB
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 root root -"
+ "d ${dataDir}/data 0755 root root -"
+ "f ${dataDir}/excalidraw.db 0644 root root -"
+ ];
+
 virtualisation.oci-containers = {
 backend = "docker";
 containers = {
+ # Excalidraw Full backend
 excalidraw = {
- image = "excalidraw/excalidraw:latest";
- ports = ["127.0.0.1:5959:80"];
- volumes = [];
+ image = "ghcr.io/betterandbetterii/excalidraw-full:latest";
+ ports = ["127.0.0.1:3002:3002"];
+ environmentFiles = [
+ config.sops.templates."excalidraw.env".path
+ ];
+ volumes = [
+ "${dataDir}/data:/root/data"
+ "${dataDir}/excalidraw.db:/root/excalidraw.db"
+ ];
 };
 };
 };
- services.caddy.virtualHosts."draw.darksailor.dev".extraConfig = ''
- reverse_proxy localhost:5959
+
+ # Caddy reverse proxy
+ services.caddy.virtualHosts."draw.${base_domain}".extraConfig = ''
+ reverse_proxy localhost:3002
 '';
- # services.authelia = {
- # instances.darksailor = {
- # settings = {
- # access_control = {
- # rules = [
- # {
- # domain = "draw.darksailor.dev";
- # policy = "one_factor";
- # }
- # ];
- # };
- # };
- # };
- # };
+
+ # Configure Authelia OIDC for Excalidraw
+ services.authelia.instances.darksailor.settings = {
+ identity_providers = {
+ oidc = {
+ clients = [
+ {
+ client_name = "Excalidraw: Darksailor";
+ client_id = ''{{ secret "${config.sops.secrets."authelia/oidc/excalidraw/client_id".path}" }}'';
+ client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/excalidraw/client_secret".path}" }}'';
+ public = false;
+ authorization_policy = "one_factor";
+ require_pkce = false;
+ redirect_uris = [
+ "https://draw.${base_domain}/auth/callback"
+ ];
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ ];
+ response_types = ["code"];
+ grant_types = ["authorization_code"];
+ userinfo_signed_response_alg = "none";
+ token_endpoint_auth_method = "client_secret_post";
+ }
+ ];
+ };
+ };
+ };
 }
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index bcaf041d..2a9a4f85 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
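Review bot: The new `image = "ghcr.io/betterandbetterii/excalidraw-full:latest";` pulls a mutable tag from a third-party registry, so each pull may run different code while being handed the OIDC client secret and JWT secret through the env file; pin it to a release tag or a digest, e.g. `image = "ghcr.io/betterandbetterii/excalidraw-full@sha256:<DIGEST-PLACEHOLDER>";`. The tmpfiles rule `"f ${dataDir}/excalidraw.db 0644 root root -"` makes the SQLite store of user drawings world-readable on the host even though only the root-run container needs it, so `0600` would suffice. `require_pkce = false;` is tolerable for a confidential client using `client_secret_post`, but if the excalidraw-full callback supports PKCE it should be turned on; also `DATA_SOURCE_NAME=excalidraw.db` is a relative path while the bind mount is `/root/excalidraw.db`, which only lines up if the container's working directory is `/root`, something the hunk does not establish. Neither the `excalidraw/jwt_secret` secret nor the `excalidraw.env` template declares `restartUnits`, so a rotated secret appears not to reach the running container until it is restarted by other means.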
@@ -49,6 +49,9 @@ authelia:
 client_id: ENC[AES256_GCM,data:T6O5yS0HwwJ8,iv:JiWbN2+s8RCF6saTNYEzwMrsSq2ghRAv3aZ75nSTaUg=,tag:oYZYR5BbyxYqmigzcN6k+g==,type:str]
 client_secret: ENC[AES256_GCM,data:pQpVJoX8MPUqWUXmnv8K0oGwWfgRRoQgpz//FzyJsflE79ytivaR+CE7jhww7CG7o5lezEXUJrup7fyISYEvRA==,iv:r3IuwvNb1bT9bGSDTKFcd4yJNhaREha3DgFoQqNuttc=,tag:NeA3h39G+6T7guaBeYEPTw==,type:str]
 jwks: ENC[AES256_GCM,data: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,iv:gGKyTUigpnqg3Fgd76INrESRT27hJRzYQ3xk8heNkWk=,tag:fVc8rg1Or63X/14neG+8Cw==,type:str]
+ excalidraw:
+ client_id: ENC[AES256_GCM,data:ANaCFTiPnR/bP51lSMfiTRX7ZGZ2pmX3Guamsyj7KRzD34G18E+UUgXi0YdbDfmFxcEj+nvoerf7wWhtvIzO1Q==,iv:CyNiLA0PH0p1Zwdf8B6/Ysb6GODClnXkPctbtZnoddw=,tag:X3kAkBKD407QFg/Se33Flg==,type:str]
+ client_secret: ENC[AES256_GCM,data:VHIbKjHWXfQCUp3wh2dsMpMaDdCabmVlLMHcMnTCXPr5ZNIS1zpyGD6keapoOYywwvDFenICf73vpHun5aFhLw==,iv:HjRTwREC2jMsW1VrVYe4iywGc9apWZWLwh5aHOjvde0=,tag:Jl9kDI8C9VjSm6SiePk7Ow==,type:str]
 lldap:
 jwt: ENC[AES256_GCM,data:61dwC1ElOOGaf0CmalzXZnxImEyufKjUUWcNaEcOuv3TEODhQyHK7g==,iv:CVEJVuaCc2gDmSYWHS3fPL8FjbvblF6IladAzGoGb0o=,tag:OMm/OdKjliHjsGqJripLbg==,type:str]
 seed: ENC[AES256_GCM,data:jJPutPkhFVFxLbbQNZznHHiilP/cN2r+/vT4ArQVRQSqPMnkkwgc3LNk4sUTrT9V,iv:LD1IJ1CgtDfYf1gSyyaU+hir0InuDEq0u7ppMmwGJRY=,tag:cK4l4Evr7V9WEUEL7V9jtQ==,type:str]
@@ -87,6 +90,8 @@ tuwunel:
 client_id: ENC[AES256_GCM,data:25wSM5POfSJTmAaP/3vVqqbqa46vF21hZgCuJ1qfh8pHl8K6fMLdd0Q4GeVH1tgsBHKY0zStqYIc/RIgmerSVw==,iv:tWCw4jWymrSWR+xj37Bt7Qx60bRhpWQ+UEZ2dDJRGQo=,tag:PBa/P66bWexmlUEIaCtEKw==,type:str]
 client_secret: ENC[AES256_GCM,data:cH/zkBj46u/07XiSd/4DsLYImkQwxNT8jQDjOuESi5dED6KEXwCjNNPzVvQuEuM7r4enZeIfb3cQztcxQJwTSA==,iv:eD5DKLUvTaK0ce1MJCLJHEl44hwtKx8rQ93eohqcUNE=,tag:FkkYHjAOaEu2gs8v7+EVgA==,type:str]
 registration_token: ENC[AES256_GCM,data:A0Wd9DTruGnCoPosKUHrd3AgN3T9JbkW/6fTJyzcryV0COqLSjOqCD4W2PXPwnk83MFeQ84RpJ3J4tuvYv2JuQ==,iv:7JIQUwfeEN03N0F35z6VipN66DpErqnY6aQrLznnw8g=,tag:RF2gB8kVKT3ioPVVRyj4aQ==,type:str]
+excalidraw:
+ jwt_secret: ENC[AES256_GCM,data:W1Tqr8tjd7xmp3WiGXfrRgS4YD5f9MUECs3zum7KY0bv2fp4J9jn/pt1PfY=,iv:TJWkJdP2eItuzsyqaGzUwd+v0iQXShoqUL8X10TME+8=,tag:htJC/jKB7mYVKOR59pEekQ==,type:str]
 sops:
 age:
 - recipient: age1pw7kluxp7872c63ne4jecq75glj060jkmqwzkk6esatuyck9egfswufdpk
@@ -98,7 +103,7 @@ sops:
 VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
 ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-02-10T14:49:29Z"
- mac: ENC[AES256_GCM,data:ua8maqTc3KkkNni+fNnQLqP4PwRVVh5FuUjsAN5+w+ad3sD/+QunnAkHAMKUajAlwXKS/PIAqz6p0iwSn80ip3yXxMZPRG134+q729m5rwkGcV4FzyR2wIYVP5vRbZEMuMbfomMMjUyJk/Gsg4CY8iecgvvoMkWvK2INSH07TcE=,iv:GiyicPX4YAZAXuKXxJskuJyzi8ukQ/vv2aOncKf/Qew=,tag:tAmz6F6WMMzLLYmBlsrxvQ==,type:str]
+ lastmodified: "2026-02-10T22:47:33Z"
+ mac: ENC[AES256_GCM,data:E9MGlDYKb7Uf5rnGrowqaSyYexfgS6LXSZRWd/H1q9eizY65Z4otbY9eEVJu9yC4SJasiL48+FLnkrmCz9pRz2VK9s16jOUFhNItUqRWrCjQ4HD+FHMrJsqoxB+3jr2QwbX+zKkAVDbO9UZEZRbg8zNNVrOYzaR21WQzDQo0L0g=,iv:VZl7zPsvWIPE3ZuwC8VWqeSSTq3gJgIOZ33IGmNCc5s=,tag:nC+pw1fNy/cIcjiLPgxfwA==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0