From 9a53ca1cea4bbf5b929306924a55a1f8f2589a79 Mon Sep 17 00:00:00 2001 From: xinyangli Date: Wed, 21 Aug 2024 17:16:30 +0800 Subject: [PATCH] massicot/forgejo: provision auth --- machines/massicot/default.nix | 3 +++ machines/massicot/kanidm-provision.nix | 15 ++++++++++++ machines/massicot/secrets.yaml | 12 ++++++---- machines/massicot/services.nix | 32 ++++++++++++++++++++------ 4 files changed, 50 insertions(+), 12 deletions(-) diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix index ac3ba94..bcdc5f7 100644 --- a/machines/massicot/default.nix +++ b/machines/massicot/default.nix @@ -31,6 +31,9 @@ "miniflux/oauth2_secret" = { owner = "root"; }; + "forgejo/env" = { + owner = "forgejo"; + }; }; }; diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix index 48c4c0b..71ca402 100644 --- a/machines/massicot/kanidm-provision.nix +++ b/machines/massicot/kanidm-provision.nix @@ -5,6 +5,9 @@ forgejo-access = { members = [ "xin" ]; }; + forgejo-admin = { + members = [ "xin" ]; + }; gts-users = { members = [ "xin" ]; }; @@ -35,6 +38,9 @@ miniflux-users = { members = [ "xin" ]; }; + idm_people_self_mail_write = { + members = [ ]; + }; }; persons = { xin = { @@ -61,6 +67,15 @@ scopeMaps = { forgejo-access = [ "openid" "email" "profile" "groups" ]; }; + claimMaps = { + forgejo_role = { + joinType = "array"; + valuesByGroup = { + forgejo-access = [ "Access" ]; + forgejo-admin = [ "Admin" ]; + }; + }; + }; }; gts = { displayName = "GoToSocial"; diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml index b5ca7fe..cc3fd7f 100644 --- a/machines/massicot/secrets.yaml +++ b/machines/massicot/secrets.yaml 
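Review bot: The new `idm_people_self_mail_write = { members = [ ]; };` entry empties a builtin Kanidm group without saying why, and the reason is not visible from this file alone. It presumably pairs with the Forgejo side of the same commit, which now selects accounts by the IdP e-mail claim (`USERNAME = "email"` with `ACCOUNT_LINKING = "auto"`), so users must not be able to edit their own mail attribute; if that is the intent, a comment such as `# Keep empty: Forgejo links accounts by IdP e-mail, so people must not edit their own mail attribute` would stop a future cleanup from "restoring" the default membership. The enclosing `groups` attribute set starts before this hunk.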
@@ -1,9 +1,11 @@ storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str] -gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str] +gts_env: ENC[AES256_GCM,data:StggMdJPevrDbrVDrBDETdQYnSOaTESkgSqpGKrSHXhS21nyCE5ya7/X4l0GVTXoGCyfWG7vK+PDW22mJxpYcj2CBaVUYDu/,iv:2fqWDaWAWxTXdG7w5HU6jBcappFEByNtYs0Jd6PaYnA=,tag:KGhrMemao6g4FkEAZmmacg==,type:str] hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str] -grafana_oauth_secret: ENC[AES256_GCM,data:2dSgxeWXNtlvbrgW9whCVuM6tfzd4lVhynwQTSPbBJndhI8scpJle7LjI1+b14FS9boBsuYO+ym4Pf1I8/jJtKkj6X6I0BmXFBC/SfpCpo+ZGrxacg==,iv:N8iTPqMagKP3hWc7n0bjgYKvaFaw11ITvDn9lUkkAPY=,tag:Cz59fA2Zq3jVvhfxaFuGAA==,type:str] +grafana_oauth_secret: ENC[AES256_GCM,data:43+EBnN912eK/08MdJokWPxi2Lxn/D4hSHPhNmHOk9awWQ7ut/el0vaAa+Epqnui3le2p4VuotQT6XlIuDLrixIomrc6Qw5HERAEdZmbrGvDlrrNhw==,iv:Pfn8rL0LtG3hym9EdSZRjaPLMlWlut/nt2FEtRWnULo=,tag:moDWqF3aBbnO4aG0Cysfcw==,type:str] miniflux: - oauth2_secret: ENC[AES256_GCM,data:Q0JeT5VHGEDATXB9jf5+eU1Hoi9FsJrw6IK2T0bodvVgki+1oF+sWld5NGpoiXm/bQ==,iv:e8+84Zk5eXNIyIPhTG8jFhO+DCRorPFG0lDDNT4OxCs=,tag:IxlyFBcFaSy7Nz0aQCH3bw==,type:str] + oauth2_secret: ENC[AES256_GCM,data:jcZR9E9jXNKfkAoGgBI19qQeaz26R6qiAWjP4XrftHSCQV974tjJl+fiU8Xgi0bViA==,iv:/aY0bL/oAAHBhohy3FHB/UEDYryw7A7JOKvEbLtDHJg=,tag:Fn/6NurNkRphXySR+y9S9Q==,type:str] +forgejo: + env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str] sops: 
kms: [] gcp_kms: [] @@ -28,8 +30,8 @@ sops: dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-08-05T08:53:56Z" - mac: ENC[AES256_GCM,data:DtAL9k/t4pGV2UqCrb1R/1nT3gjJ8wced5yQOF5oneoncg/uuyX7IDZ0iZz0eGirj9Zadh9UQWNwxMzoiNu6pD1v04MkxT0NVDJ32vt5X+YDQJ60vRJjn9+zKvLk8Esx9sFsuBxjVXXmbtev7+djU+LbpPLfaobdheO2XlJXtdU=,iv:y2KI5ylgvuQ7ktYAr6XPEX3qyxnSP7BWC79mdsr4hgk=,tag:cvXvXeKvRwvttgQfmZRi2w==,type:str] + lastmodified: "2024-08-21T05:54:31Z" + mac: ENC[AES256_GCM,data:oNBabsDRuHjMBXynr8ytCLmv5NPyA0mRUcPJfFZjjAb9ZbGP+pquwJT3S0l2yo4Nsd0YQP8X1pGS3PEv9v+N538bxmMJJCERR7iZ5U5G4h0AvKi+UkjkveDdhPWBXhC1O+Up7reT/LLzOiZ1WUHCYRQfcb9R1RL3G2NpeYuOShk=,iv:FLmtKyZjZuGDnMjOgJdoIU9EXLQSZavs8f4q2C+Sxbk=,tag:sGoJNppCTYxZ2u2l0eMHgg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 96ede16..3137765 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix @@ -142,6 +142,8 @@ in services.forgejo = { enable = true; + # Use cutting edge instead of lts + package = pkgs.forgejo; repositoryRoot = "/mnt/storage/forgejo/repositories"; lfs = { enable = true; @@ -151,11 +153,10 @@ in service.DISABLE_REGISTRATION = true; server = { ROOT_URL = "https://git.xinyang.life/"; - START_SSH_SERVER = true; - BUILTIN_SSH_SERVER_USER = "git"; - SSH_USER = "git"; + START_SSH_SERVER = false; + SSH_USER = config.services.forgejo.user; SSH_DOMAIN = "ssh.xinyang.life"; - SSH_PORT = 2222; + SSH_PORT = 22; LFS_MAX_FILE_SIZE = 10737418240; LANDING_PAGE = "/explore/repos"; }; 
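Review bot: `START_SSH_SERVER = false;` together with `SSH_PORT = 22;` moves Git-over-SSH from Forgejo's builtin server to the host's OpenSSH, but nothing in this hunk shows the sshd side of that switch. Forgejo now depends on sshd accepting key logins for `config.services.forgejo.user` and on the clone URLs advertised via `SSH_DOMAIN`/`SSH_PORT` matching where sshd actually listens; because that service account becomes reachable through the system sshd, it is also worth confirming in the `services.openssh` settings (outside this hunk) that password authentication is disabled for it. A short comment on the `START_SSH_SERVER` line, e.g. `# Git SSH is served by the host sshd (see services.openssh), not Forgejo's builtin server`, would make the coupling visible to the next reader. The enclosing `settings` attribute set starts before this hunk.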
@@ -166,13 +167,14 @@ in ENABLE_BASIC_AUTHENTICATION = false; }; oauth2 = { - ENABLE = false; # Disable forgejo as oauth2 provider + ENABLED = false; # Disable forgejo as oauth2 provider }; oauth2_client = { ACCOUNT_LINKING = "auto"; + USERNAME = "email"; ENABLE_AUTO_REGISTRATION = true; - UPDATE_AVATAR = true; - OPENID_CONNECT_SCOPES = "openid profile email"; + UPDATE_AVATAR = false; + OPENID_CONNECT_SCOPES = "openid profile email groups"; }; other = { SHOW_FOOTER_VERSION = false; @@ -180,6 +182,22 @@ in }; }; + systemd.services.forgejo = { + serviceConfig = { + EnvironmentFile = config.sops.secrets."forgejo/env".path; + ExecStartPost = '' + ${lib.getExe config.services.forgejo.package} admin auth update-oauth \ + --id 1 \ + --name kanidm \ + --provider openidConnect \ + --key forgejo \ + --secret $CLIENT_SECRET \ + --icon-url https://auth.xinyang.life/pkg/img/favicon.png \ + --group-claim-name forgejo_role --admin-group Admin + ''; + }; + }; + services.grafana = { enable = true; settings = {
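Review bot: `USERNAME = "email";` combined with the existing `ACCOUNT_LINKING = "auto";` and `ENABLE_AUTO_REGISTRATION = true;` makes the IdP's e-mail claim the key that picks or creates the local Forgejo account, so the integrity of that claim is now a security boundary rather than a display detail. The commit appears to account for this on the Kanidm side (the provisioning change empties `idm_people_self_mail_write`), but that dependency is invisible here; a comment such as `# Account identity comes from the IdP e-mail claim; self-service mail edits are disabled in kanidm-provision.nix` would record it. The `ENABLE` to `ENABLED` rename on the `oauth2` line looks like a genuine fix, since the misspelled key would presumably not have disabled the provider, and the added `groups` scope matches the `forgejo-access` scopeMap in the provisioning file. The enclosing `settings` block starts before and ends after this hunk.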
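Review bot: `--secret $CLIENT_SECRET` places the OAuth client secret on the command line of the `ExecStartPost` process, where it is visible in the process list (`/proc/<pid>/cmdline`) to other local users for as long as the command runs, which partly undoes the point of keeping it in the sops-managed `EnvironmentFile`. If the Forgejo CLI accepts the secret through a file or an environment variable, that form is preferable; otherwise the exposure should at least be noted with a comment on that line. Separately, `update-oauth --id 1` assumes the auth source already exists with that id, so on a fresh deployment the post-start command would presumably fail and, since it is not prefixed with `-`, take the unit down with it; confirming that bootstrap path, or documenting that the source must be created once by hand, seems worthwhile. The new `systemd.services.forgejo` block is complete within the hunk.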