How I solved my notes sharing issue
by Evann (Estym) Regnault
Lately, I've been looking for a way to share some Obsidian notes with friends and let them edit them.
The thing is, it's possible to share them with Obsidian Sync; however, the pricing is a bit of a letdown, starting at $4 per user.
I've got a Keycloak instance on my infrastructure that gives me and my friends access to some services. They all have an account made for them and connect using Discord for ease of use, and they get specific roles depending on the servers they are on, as well as on the specific user.
So obviously, it would be quite logical for them to be able to access vaults only if they have the roles linked to them.
However, while looking into it, I noticed that no one had made a thing like that, at least specifically for Obsidian, and even less with OIDC authentication.
So yeah, I needed to make my own thing.
NFS/SMB
The first thing that came to my mind was that it would be possible to share the file using some kind of Network File System, the most common being NFS and SMB.
The thing is, I'm using Open Media Vault on my NAS which doesn't have any sort of external authentication, and I really didn't want to do any kind of migration of my data.
WebDAV
Then I looked into the community plugins of Obsidian and found one named Remotely Save which had support for many protocols.
While talking with one of my co-workers about their homelab services, they told me about Nextcloud, which can be used for file sharing, has support for roles as well as plugins for an OIDC connection, and is based on the WebDAV protocol.
However, the Remotely Save plugin couldn't communicate with the OIDC plugins, so my co-worker told me to use something named sabre/dav, which is a PHP framework made to create a WebDAV server from the ground up.
Now, the documentation was kind of trash, as well as being obsolete, but I persevered.
But what do I need?
- Basic Authentication support
- Keycloak roles fetching
- Folders with read permissions based on groups
The pipeline

So as you can see, this is pretty basic. I've also put a Redis instance between Keycloak-Webdav and Keycloak to avoid sending too many requests to Keycloak and, as such, slowing down the synchronization.
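A sketch of that caching layer and the per-folder role check, added here as an example and not taken from the project's code. A dict stands in for Redis, and `fetch_roles`, the folder-to-role map and the role names are hypothetical.

```python
import hashlib
import hmac
import os
import time


class RoleCache:
    """TTL cache in front of a Keycloak role lookup (a dict stands in for Redis)."""

    def __init__(self, fetch_roles, ttl=60, clock=time.monotonic):
        self.fetch_roles = fetch_roles  # hypothetical: (user, password) -> set of roles, or None
        self.ttl = ttl                  # upper bound on how long a revoked role stays usable
        self.clock = clock
        self.key = os.urandom(32)       # keyed hash, so cache keys cannot be brute-forced offline
        self.store = {}

    def _cache_key(self, user, password):
        # The password itself never lands in the cache, only an HMAC of the credentials.
        msg = user.encode() + b"\0" + password.encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def roles_for(self, user, password):
        k = self._cache_key(user, password)
        hit = self.store.get(k)
        if hit and hit[0] > self.clock():
            return hit[1]
        roles = self.fetch_roles(user, password)
        if roles is None:               # failed logins are never cached
            self.store.pop(k, None)
            return None
        self.store[k] = (self.clock() + self.ttl, frozenset(roles))
        return self.store[k][1]


def can_read(path, roles, folder_roles):
    """Allow access only when the top-level folder maps to a role the user holds."""
    parts = path.strip("/").split("/")
    if ".." in parts or roles is None:
        return False                    # refuse traversal out of the mapped folder
    required = folder_roles.get(parts[0])
    return required is not None and required in roles
```

The TTL is a trade-off: a longer value means fewer requests to Keycloak, but a role removed there keeps working until the cached entry expires.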
Issues
The major problem of this implementation is that there is no source control, which means that if two users are editing the same note, only the file saved last will persist, hence discarding all the changes made by the previous user.
Source code
If the source code of this project interests you for something, it is accessible at this repository.
A docker image is also available here.
CouchDB
While browsing the r/selfhosted subreddit I found this comment on a post.
I didn't know anything about CouchDB, so I looked into it, and oh boy was it incredible.
The main feature of CouchDB is its replication as well as it being a Version Manager, which makes it work kind of like Git! That means that two users could edit their files simultaneously and then merge them at the end.
Also, the Self-Hosted Livesync plugin has support for, as its name indicates, a livesync feature, which means it can be used as a collaborative tool.
Now, the elephant in the room: how can I make it possible to use Keycloak with CouchDB?
How does the plugin work
The plugin uses a basic authentication header to communicate with CouchDB, which means I'll need to somehow use the basic auth credentials to authenticate into Keycloak.
The good thing is, I've already done that in the webdav-keycloak server. The problem is, how will I send the roles and the user back to CouchDB from Keycloak?
Proxy
CouchDB has a Proxy Authentication configuration which can be used to send back a username, the user roles, as well as a validation token by using headers.
That means that if I can just make a proxy that takes the request from the Self-Hosted Livesync plugin, adds the headers to the request, forwards it to the CouchDB instance, then sends the response back to Obsidian, it should work.
So that's exactly what I did, and it worked immediately.
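The header rewrite such a proxy performs, as an added example rather than the project's own code. `verify` is a hypothetical callable standing in for the Keycloak check, and the token is computed as the hex HMAC-SHA1 of the user name, which is how CouchDB's documentation describes `X-Auth-CouchDB-Token`; a deployment configured for another hash is outside this sketch.

```python
import base64
import hashlib
import hmac

# Identity headers CouchDB trusts; anything the client sends under these names is dropped.
PROXY_HEADERS = ("x-auth-couchdb-username", "x-auth-couchdb-roles", "x-auth-couchdb-token")


def parse_basic(header):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    scheme, _, blob = (header or "").partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except ValueError:  # covers malformed base64 and invalid UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def upstream_headers(client_headers, secret, verify):
    """Build the headers forwarded to CouchDB, or return None to answer 401."""
    auth = next((v for k, v in client_headers.items() if k.lower() == "authorization"), None)
    creds = parse_basic(auth)
    roles = verify(*creds) if creds else None  # hypothetical Keycloak check: roles or None
    if roles is None:
        return None
    blocked = PROXY_HEADERS + ("authorization",)
    out = {k: v for k, v in client_headers.items() if k.lower() not in blocked}
    user = creds[0]
    safe_roles = sorted(r for r in roles if "," not in r)  # the header is comma-separated
    out["X-Auth-CouchDB-UserName"] = user
    out["X-Auth-CouchDB-Roles"] = ",".join(safe_roles)
    out["X-Auth-CouchDB-Token"] = hmac.new(secret, user.encode(), hashlib.sha1).hexdigest()
    return out
```

The token only protects anything if CouchDB is configured to require it (`proxy_use_secret`) and is reachable solely through the proxy; otherwise any client that can reach CouchDB directly can set these headers itself.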

Source code
If the source code interests you, you can access it at this repository.
A docker image is also available here.
Issues
The sad thing is, my users still cannot connect using their Discord account. They need to use their Keycloak account password, which isn't that user-friendly for them.
Also, the databases aren't created automatically with their associated permissions when I create a new role on Keycloak; this is still a manual task.
Conclusion
At last, after a month of searching how to do it, I finally did it: fully self-hosted, Keycloak-authenticated, shared Obsidian notes!
It was quite an adventure and I learned quite a lot of things. It really was a fun thing to do and I highly suggest you do the same thing!
This also taught me something: if I want to do something, I always can if I put in the time and effort. All protocols can be wrapped to do what you need, and proxying is really powerful.