2024-08-25 09:45:58 +00:00
|
|
|
{
|
|
|
|
config,
|
|
|
|
pkgs,
|
|
|
|
lib,
|
|
|
|
...
|
|
|
|
}:
|
2023-09-28 10:58:29 +00:00
|
|
|
let
|
|
|
|
kanidm_listen_port = 5324;
|
|
|
|
in
|
2023-09-11 12:20:32 +00:00
|
|
|
{
|
2024-09-14 08:33:01 +00:00
|
|
|
imports = [
|
|
|
|
./kanidm-provision.nix
|
|
|
|
];
|
2024-08-25 09:45:58 +00:00
|
|
|
networking.firewall.allowedTCPPorts = [
|
|
|
|
80
|
|
|
|
443
|
|
|
|
2222
|
|
|
|
8448
|
|
|
|
];
|
|
|
|
networking.firewall.allowedUDPPorts = [
|
|
|
|
80
|
|
|
|
443
|
|
|
|
8448
|
|
|
|
];
|
2023-12-15 13:26:20 +00:00
|
|
|
|
2023-12-17 06:55:53 +00:00
|
|
|
custom.vaultwarden = {
|
|
|
|
enable = true;
|
|
|
|
domain = "vaultwarden.xinyang.life";
|
|
|
|
};
|
|
|
|
|
2023-12-24 05:58:53 +00:00
|
|
|
custom.hedgedoc = {
|
|
|
|
enable = true;
|
|
|
|
caddy = true;
|
|
|
|
domain = "docs.xinyang.life";
|
|
|
|
mediaPath = "/mnt/storage/hedgedoc";
|
|
|
|
oidc = {
|
|
|
|
enable = true;
|
|
|
|
baseURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc";
|
|
|
|
authorizationURL = "https://auth.xinyang.life/ui/oauth2";
|
|
|
|
tokenURL = "https://auth.xinyang.life/oauth2/token";
|
|
|
|
userProfileURL = "https://auth.xinyang.life/oauth2/openid/hedgedoc/userinfo";
|
|
|
|
};
|
|
|
|
environmentFile = config.sops.secrets.hedgedoc_env.path;
|
|
|
|
};
|
|
|
|
|
2023-12-20 03:13:20 +00:00
|
|
|
custom.prometheus = {
|
|
|
|
enable = true;
|
2024-07-31 07:39:32 +00:00
|
|
|
exporters.blackbox.enable = true;
|
2024-08-05 12:04:10 +00:00
|
|
|
exporters.miniflux.enable = true;
|
2023-12-20 03:13:20 +00:00
|
|
|
};
|
|
|
|
|
2023-09-28 10:58:29 +00:00
|
|
|
security.acme = {
|
|
|
|
acceptTerms = true;
|
|
|
|
certs."auth.xinyang.life" = {
|
2024-08-01 09:01:53 +00:00
|
|
|
email = "lixinyang411@gmail.com";
|
|
|
|
listenHTTP = "127.0.0.1:1360";
|
|
|
|
group = "kanidm";
|
2023-09-28 10:58:29 +00:00
|
|
|
};
|
|
|
|
};
|
2024-07-31 03:38:44 +00:00
|
|
|
|
|
|
|
services.ntfy-sh = {
|
|
|
|
enable = true;
|
|
|
|
group = "caddy";
|
|
|
|
settings = {
|
|
|
|
listen-unix = "/var/run/ntfy-sh/ntfy.sock";
|
|
|
|
listen-unix-mode = 432; # octal 0660
|
|
|
|
base-url = "https://ntfy.xinyang.life";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
systemd.services.ntfy-sh.serviceConfig.RuntimeDirectory = "ntfy-sh";
|
|
|
|
|
2023-09-28 10:58:29 +00:00
|
|
|
services.kanidm = {
|
2024-07-30 02:59:12 +00:00
|
|
|
package = pkgs.kanidm.withSecretProvisioning;
|
2023-09-28 10:58:29 +00:00
|
|
|
enableServer = true;
|
|
|
|
serverSettings = {
|
|
|
|
domain = "auth.xinyang.life";
|
|
|
|
origin = "https://auth.xinyang.life";
|
|
|
|
bindaddress = "[::]:${toString kanidm_listen_port}";
|
|
|
|
tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem'';
|
|
|
|
tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
|
2024-08-25 08:33:12 +00:00
|
|
|
online_backup.versions = 7;
|
2023-09-28 10:58:29 +00:00
|
|
|
# db_path = "/var/lib/kanidm/kanidm.db";
|
|
|
|
};
|
|
|
|
};
|
2024-08-05 01:57:11 +00:00
|
|
|
|
2024-08-05 02:52:54 +00:00
|
|
|
custom.miniflux = {
|
2024-08-05 01:57:11 +00:00
|
|
|
enable = true;
|
2024-08-05 02:52:54 +00:00
|
|
|
environment = {
|
2024-08-05 12:04:10 +00:00
|
|
|
LOG_LEVEL = "debug";
|
2024-08-05 01:57:11 +00:00
|
|
|
LISTEN_ADDR = "127.0.0.1:58173";
|
2024-08-05 12:04:10 +00:00
|
|
|
BASE_URL = "https://rss.xinyang.life/";
|
2024-08-05 01:57:11 +00:00
|
|
|
OAUTH2_PROVIDER = "oidc";
|
2024-08-05 12:04:10 +00:00
|
|
|
OAUTH2_CLIENT_ID = "miniflux";
|
2024-08-05 01:57:11 +00:00
|
|
|
OAUTH2_REDIRECT_URL = "https://rss.xinyang.life/oauth2/oidc/callback";
|
|
|
|
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.xinyang.life/oauth2/openid/miniflux";
|
|
|
|
OAUTH2_USER_CREATION = 1;
|
|
|
|
};
|
2024-08-05 02:52:54 +00:00
|
|
|
oauth2SecretFile = config.sops.secrets."miniflux/oauth2_secret".path;
|
2024-08-05 01:57:11 +00:00
|
|
|
};
|
|
|
|
|
2023-09-11 12:20:32 +00:00
|
|
|
services.matrix-conduit = {
|
|
|
|
enable = true;
|
|
|
|
# package = inputs.conduit.packages.${pkgs.system}.default;
|
|
|
|
package = pkgs.matrix-conduit;
|
|
|
|
settings.global = {
|
|
|
|
server_name = "xinyang.life";
|
|
|
|
port = 6167;
|
|
|
|
# database_path = "/var/lib/matrix-conduit/";
|
2024-06-11 10:20:21 +00:00
|
|
|
max_concurrent_requests = 100;
|
|
|
|
log = "info";
|
2023-09-11 12:20:32 +00:00
|
|
|
database_backend = "rocksdb";
|
|
|
|
allow_registration = false;
|
2024-07-10 08:39:00 +00:00
|
|
|
|
|
|
|
well_known = {
|
|
|
|
client = "https://msg.xinyang.life";
|
|
|
|
server = "msg.xinyang.life:443";
|
|
|
|
};
|
2023-09-11 12:20:32 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-09-14 08:33:01 +00:00
|
|
|
users.users.conduit = {
|
|
|
|
isSystemUser = true;
|
|
|
|
group = "conduit";
|
|
|
|
};
|
|
|
|
users.groups.conduit = { };
|
|
|
|
|
2023-09-11 12:20:32 +00:00
|
|
|
services.gotosocial = {
|
|
|
|
enable = true;
|
|
|
|
settings = {
|
|
|
|
log-level = "debug";
|
|
|
|
host = "xinyang.life";
|
|
|
|
letsencrypt-enabled = false;
|
|
|
|
bind-address = "localhost";
|
|
|
|
instance-expose-public-timeline = true;
|
2023-09-28 10:58:29 +00:00
|
|
|
oidc-enabled = true;
|
|
|
|
oidc-idp-name = "Kanidm";
|
|
|
|
oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts";
|
|
|
|
oidc-client-id = "gts";
|
|
|
|
oidc-link-existing = true;
|
2023-12-15 13:26:20 +00:00
|
|
|
storage-local-base-path = "/mnt/storage/gotosocial/storage";
|
2023-09-11 12:20:32 +00:00
|
|
|
};
|
2023-12-15 13:26:20 +00:00
|
|
|
environmentFile = config.sops.secrets.gts_env.path;
|
2023-09-11 12:20:32 +00:00
|
|
|
};
|
|
|
|
|
2023-10-03 03:53:16 +00:00
|
|
|
services.forgejo = {
|
2023-09-11 12:20:32 +00:00
|
|
|
enable = true;
|
2024-08-21 09:16:30 +00:00
|
|
|
# Use cutting edge instead of lts
|
|
|
|
package = pkgs.forgejo;
|
2023-12-15 13:26:20 +00:00
|
|
|
repositoryRoot = "/mnt/storage/forgejo/repositories";
|
|
|
|
lfs = {
|
|
|
|
enable = true;
|
|
|
|
contentDir = "/mnt/storage/forgejo/lfs";
|
|
|
|
};
|
2023-09-11 12:20:32 +00:00
|
|
|
settings = {
|
|
|
|
service.DISABLE_REGISTRATION = true;
|
|
|
|
server = {
|
|
|
|
ROOT_URL = "https://git.xinyang.life/";
|
2024-08-21 09:16:30 +00:00
|
|
|
START_SSH_SERVER = false;
|
|
|
|
SSH_USER = config.services.forgejo.user;
|
2023-12-06 16:00:30 +00:00
|
|
|
SSH_DOMAIN = "ssh.xinyang.life";
|
2024-08-21 09:16:30 +00:00
|
|
|
SSH_PORT = 22;
|
2023-12-15 13:26:20 +00:00
|
|
|
LFS_MAX_FILE_SIZE = 10737418240;
|
|
|
|
LANDING_PAGE = "/explore/repos";
|
2023-09-11 12:20:32 +00:00
|
|
|
};
|
2023-10-03 03:53:16 +00:00
|
|
|
repository = {
|
|
|
|
ENABLE_PUSH_CREATE_USER = true;
|
|
|
|
};
|
|
|
|
service = {
|
|
|
|
ENABLE_BASIC_AUTHENTICATION = false;
|
|
|
|
};
|
|
|
|
oauth2 = {
|
2024-08-21 09:16:30 +00:00
|
|
|
ENABLED = false; # Disable forgejo as oauth2 provider
|
2023-10-03 03:53:16 +00:00
|
|
|
};
|
|
|
|
oauth2_client = {
|
|
|
|
ACCOUNT_LINKING = "auto";
|
2024-08-21 09:16:30 +00:00
|
|
|
USERNAME = "email";
|
2023-10-03 03:53:16 +00:00
|
|
|
ENABLE_AUTO_REGISTRATION = true;
|
2024-08-21 09:16:30 +00:00
|
|
|
UPDATE_AVATAR = false;
|
|
|
|
OPENID_CONNECT_SCOPES = "openid profile email groups";
|
2023-10-03 03:53:16 +00:00
|
|
|
};
|
|
|
|
other = {
|
|
|
|
SHOW_FOOTER_VERSION = false;
|
|
|
|
};
|
2023-09-11 12:20:32 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-08-21 09:16:30 +00:00
|
|
|
systemd.services.forgejo = {
|
|
|
|
serviceConfig = {
|
|
|
|
EnvironmentFile = config.sops.secrets."forgejo/env".path;
|
|
|
|
ExecStartPost = ''
|
|
|
|
${lib.getExe config.services.forgejo.package} admin auth update-oauth \
|
|
|
|
--id 1 \
|
|
|
|
--name kanidm \
|
|
|
|
--provider openidConnect \
|
|
|
|
--key forgejo \
|
|
|
|
--secret $CLIENT_SECRET \
|
|
|
|
--icon-url https://auth.xinyang.life/pkg/img/favicon.png \
|
|
|
|
--group-claim-name forgejo_role --admin-group Admin
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-08-01 09:01:53 +00:00
|
|
|
services.grafana = {
|
|
|
|
enable = true;
|
|
|
|
settings = {
|
|
|
|
server = {
|
|
|
|
http_addr = "127.0.0.1";
|
|
|
|
http_port = 3003;
|
|
|
|
root_url = "https://grafana.xinyang.life";
|
|
|
|
domain = "grafana.xinyang.life";
|
|
|
|
};
|
|
|
|
"auth.generic_oauth" = {
|
|
|
|
enabled = true;
|
|
|
|
name = "Kanidm";
|
|
|
|
client_id = "grafana";
|
|
|
|
scopes = "openid,profile,email,groups";
|
|
|
|
auth_url = "https://auth.xinyang.life/ui/oauth2";
|
|
|
|
token_url = "https://auth.xinyang.life/oauth2/token";
|
|
|
|
api_url = "https://auth.xinyang.life/oauth2/openid/grafana/userinfo";
|
|
|
|
use_pkce = true;
|
|
|
|
use_refresh_token = true;
|
|
|
|
allow_sign_up = true;
|
|
|
|
login_attribute_path = "preferred_username";
|
|
|
|
groups_attribute_path = "groups";
|
|
|
|
role_attribute_path = "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin' || contains(grafana_role[*], 'Admin') && 'Admin' || contains(grafana_role[*], 'Editor') && 'Editor' || 'Viewer'";
|
|
|
|
allow_assign_grafana_admin = true;
|
|
|
|
auto_login = true;
|
|
|
|
};
|
2024-08-25 09:45:58 +00:00
|
|
|
"auth" = {
|
|
|
|
disable_login_form = true;
|
|
|
|
};
|
2024-08-01 09:01:53 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-08-25 09:45:58 +00:00
|
|
|
systemd.services.grafana.serviceConfig.EnvironmentFile =
|
|
|
|
config.sops.secrets.grafana_oauth_secret.path;
|
2024-08-01 09:01:53 +00:00
|
|
|
|
2024-01-09 04:27:51 +00:00
|
|
|
users.users.git = {
|
|
|
|
isSystemUser = true;
|
|
|
|
useDefaultShell = true;
|
|
|
|
group = "git";
|
|
|
|
extraGroups = [ "forgejo" ];
|
|
|
|
};
|
|
|
|
users.groups.git = { };
|
|
|
|
|
2024-07-31 03:38:44 +00:00
|
|
|
users.users = {
|
2024-08-25 09:45:58 +00:00
|
|
|
${config.services.caddy.user}.extraGroups = [ config.services.ntfy-sh.group ];
|
2024-07-31 03:38:44 +00:00
|
|
|
};
|
2024-01-09 04:27:51 +00:00
|
|
|
|
2023-09-11 12:20:32 +00:00
|
|
|
services.caddy = {
|
|
|
|
enable = true;
|
|
|
|
virtualHosts."xinyang.life:443".extraConfig = ''
|
|
|
|
tls internal
|
|
|
|
encode zstd gzip
|
2024-07-10 08:39:00 +00:00
|
|
|
reverse_proxy /.well-known/matrix/* localhost:6167
|
2023-09-11 12:20:32 +00:00
|
|
|
reverse_proxy * http://localhost:8080 {
|
|
|
|
flush_interval -1
|
|
|
|
}
|
|
|
|
'';
|
2024-06-11 10:20:21 +00:00
|
|
|
virtualHosts."https://msg.xinyang.life:443".extraConfig = ''
|
|
|
|
reverse_proxy /_matrix/* localhost:6167
|
|
|
|
'';
|
2023-12-24 05:58:53 +00:00
|
|
|
virtualHosts."https://git.xinyang.life:443".extraConfig = ''
|
2023-09-11 12:20:32 +00:00
|
|
|
reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
|
|
|
|
'';
|
2024-08-01 09:01:53 +00:00
|
|
|
|
2023-09-28 10:58:29 +00:00
|
|
|
virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
|
2024-08-01 09:01:53 +00:00
|
|
|
reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
|
2023-09-28 10:58:29 +00:00
|
|
|
'';
|
2024-09-30 07:20:07 +00:00
|
|
|
virtualHosts."https://auth.xinyang.life".extraConfig = ''
|
|
|
|
reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
|
|
|
|
header_up Host {upstream_hostport}
|
|
|
|
header_down Access-Control-Allow-Origin "*"
|
|
|
|
transport http {
|
|
|
|
tls_server_name ${config.services.kanidm.serverSettings.domain}
|
2023-09-28 10:58:29 +00:00
|
|
|
}
|
2024-09-30 07:20:07 +00:00
|
|
|
}
|
|
|
|
'';
|
2024-08-05 01:57:11 +00:00
|
|
|
|
|
|
|
virtualHosts."https://rss.xinyang.life".extraConfig = ''
|
2024-08-05 12:04:10 +00:00
|
|
|
reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR}
|
2024-08-05 01:57:11 +00:00
|
|
|
'';
|
|
|
|
|
2024-08-01 09:01:53 +00:00
|
|
|
virtualHosts."https://ntfy.xinyang.life".extraConfig = ''
|
2024-07-31 03:38:44 +00:00
|
|
|
reverse_proxy unix/${config.services.ntfy-sh.settings.listen-unix}
|
|
|
|
@httpget {
|
|
|
|
protocol http
|
|
|
|
method GET
|
|
|
|
path_regexp ^/([-_a-z0-9]{0,64}$|docs/|static/)
|
|
|
|
}
|
|
|
|
redir @httpget https://{host}{uri}
|
|
|
|
'';
|
2024-08-01 09:01:53 +00:00
|
|
|
|
|
|
|
virtualHosts."https://grafana.xinyang.life".extraConfig =
|
|
|
|
let
|
|
|
|
grafanaSettings = config.services.grafana.settings.server;
|
|
|
|
in
|
|
|
|
''
|
|
|
|
reverse_proxy http://${grafanaSettings.http_addr}:${toString grafanaSettings.http_port}
|
|
|
|
'';
|
2023-09-11 12:20:32 +00:00
|
|
|
};
|
|
|
|
}
|