xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

massicot/forgejo: provision auth

Browse source
This commit is contained in:
xinyangli 2024-08-21 17:16:30 +08:00
parent 509304de03
commit 9a53ca1cea
Signed by: xin
SSH key fingerprint: SHA256:qZ/tzd8lYRtUFSrfBDBMcUqV4GHKxqeqRA3huItgvbk
4 changed files with 50 additions and 12 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
machines/massicot/default.nix
View file

@ -31,6 +31,9 @@
"miniflux/oauth2_secret" = {
owner = "root";
};
"forgejo/env" = {
owner = "forgejo";
};
};
};

15
machines/massicot/kanidm-provision.nix
View file

@ -5,6 +5,9 @@
forgejo-access = {
members = [ "xin" ];
};
forgejo-admin = {
members = [ "xin" ];
};
gts-users = {
members = [ "xin" ];
};
@ -35,6 +38,9 @@
miniflux-users = {
members = [ "xin" ];
};
idm_people_self_mail_write = {
members = [ ];
};
};
persons = {
xin = {
@ -61,6 +67,15 @@
scopeMaps = {
forgejo-access = [ "openid" "email" "profile" "groups" ];
};
claimMaps = {
forgejo_role = {
joinType = "array";
valuesByGroup = {
forgejo-access = [ "Access" ];
forgejo-admin = [ "Admin" ];
};
};
};
};
gts = {
displayName = "GoToSocial";

12
machines/massicot/secrets.yaml
View file

@ -1,9 +1,11 @@
storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str]
gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str]
gts_env: ENC[AES256_GCM,data:StggMdJPevrDbrVDrBDETdQYnSOaTESkgSqpGKrSHXhS21nyCE5ya7/X4l0GVTXoGCyfWG7vK+PDW22mJxpYcj2CBaVUYDu/,iv:2fqWDaWAWxTXdG7w5HU6jBcappFEByNtYs0Jd6PaYnA=,tag:KGhrMemao6g4FkEAZmmacg==,type:str]
hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str]
grafana_oauth_secret: ENC[AES256_GCM,data:2dSgxeWXNtlvbrgW9whCVuM6tfzd4lVhynwQTSPbBJndhI8scpJle7LjI1+b14FS9boBsuYO+ym4Pf1I8/jJtKkj6X6I0BmXFBC/SfpCpo+ZGrxacg==,iv:N8iTPqMagKP3hWc7n0bjgYKvaFaw11ITvDn9lUkkAPY=,tag:Cz59fA2Zq3jVvhfxaFuGAA==,type:str]
grafana_oauth_secret: ENC[AES256_GCM,data:43+EBnN912eK/08MdJokWPxi2Lxn/D4hSHPhNmHOk9awWQ7ut/el0vaAa+Epqnui3le2p4VuotQT6XlIuDLrixIomrc6Qw5HERAEdZmbrGvDlrrNhw==,iv:Pfn8rL0LtG3hym9EdSZRjaPLMlWlut/nt2FEtRWnULo=,tag:moDWqF3aBbnO4aG0Cysfcw==,type:str]
miniflux:
oauth2_secret: ENC[AES256_GCM,data:Q0JeT5VHGEDATXB9jf5+eU1Hoi9FsJrw6IK2T0bodvVgki+1oF+sWld5NGpoiXm/bQ==,iv:e8+84Zk5eXNIyIPhTG8jFhO+DCRorPFG0lDDNT4OxCs=,tag:IxlyFBcFaSy7Nz0aQCH3bw==,type:str]
oauth2_secret: ENC[AES256_GCM,data:jcZR9E9jXNKfkAoGgBI19qQeaz26R6qiAWjP4XrftHSCQV974tjJl+fiU8Xgi0bViA==,iv:/aY0bL/oAAHBhohy3FHB/UEDYryw7A7JOKvEbLtDHJg=,tag:Fn/6NurNkRphXySR+y9S9Q==,type:str]
forgejo:
env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str]
sops:
kms: []
gcp_kms: []
@ -28,8 +30,8 @@ sops:
dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-05T08:53:56Z"
mac: ENC[AES256_GCM,data:DtAL9k/t4pGV2UqCrb1R/1nT3gjJ8wced5yQOF5oneoncg/uuyX7IDZ0iZz0eGirj9Zadh9UQWNwxMzoiNu6pD1v04MkxT0NVDJ32vt5X+YDQJ60vRJjn9+zKvLk8Esx9sFsuBxjVXXmbtev7+djU+LbpPLfaobdheO2XlJXtdU=,iv:y2KI5ylgvuQ7ktYAr6XPEX3qyxnSP7BWC79mdsr4hgk=,tag:cvXvXeKvRwvttgQfmZRi2w==,type:str]
lastmodified: "2024-08-21T05:54:31Z"
mac: ENC[AES256_GCM,data:oNBabsDRuHjMBXynr8ytCLmv5NPyA0mRUcPJfFZjjAb9ZbGP+pquwJT3S0l2yo4Nsd0YQP8X1pGS3PEv9v+N538bxmMJJCERR7iZ5U5G4h0AvKi+UkjkveDdhPWBXhC1O+Up7reT/LLzOiZ1WUHCYRQfcb9R1RL3G2NpeYuOShk=,iv:FLmtKyZjZuGDnMjOgJdoIU9EXLQSZavs8f4q2C+Sxbk=,tag:sGoJNppCTYxZ2u2l0eMHgg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.0

32
machines/massicot/services.nix
View file

@ -142,6 +142,8 @@ in
services.forgejo = {
enable = true;
# Use cutting edge instead of lts
package = pkgs.forgejo;
repositoryRoot = "/mnt/storage/forgejo/repositories";
lfs = {
enable = true;
@ -151,11 +153,10 @@ in
service.DISABLE_REGISTRATION = true;
server = {
ROOT_URL = "https://git.xinyang.life/";
START_SSH_SERVER = true;
BUILTIN_SSH_SERVER_USER = "git";
SSH_USER = "git";
START_SSH_SERVER = false;
SSH_USER = config.services.forgejo.user;
SSH_DOMAIN = "ssh.xinyang.life";
SSH_PORT = 2222;
SSH_PORT = 22;
LFS_MAX_FILE_SIZE = 10737418240;
LANDING_PAGE = "/explore/repos";
};
@ -166,13 +167,14 @@ in
ENABLE_BASIC_AUTHENTICATION = false;
};
oauth2 = {
ENABLE = false; # Disable forgejo as oauth2 provider
ENABLED = false; # Disable forgejo as oauth2 provider
};
oauth2_client = {
ACCOUNT_LINKING = "auto";
USERNAME = "email";
ENABLE_AUTO_REGISTRATION = true;
UPDATE_AVATAR = true;
OPENID_CONNECT_SCOPES = "openid profile email";
UPDATE_AVATAR = false;
OPENID_CONNECT_SCOPES = "openid profile email groups";
};
other = {
SHOW_FOOTER_VERSION = false;
@ -180,6 +182,22 @@ in
};
};
systemd.services.forgejo = {
serviceConfig = {
EnvironmentFile = config.sops.secrets."forgejo/env".path;
ExecStartPost = ''
${lib.getExe config.services.forgejo.package} admin auth update-oauth \
--id 1 \
--name kanidm \
--provider openidConnect \
--key forgejo \
--secret $CLIENT_SECRET \
--icon-url https://auth.xinyang.life/pkg/img/favicon.png \
--group-claim-name forgejo_role --admin-group Admin
'';
};
};
services.grafana = {
enable = true;
settings = {