diff --git a/flake.lock b/flake.lock
index e4691a0..44f32e4 100644
--- a/flake.lock
+++ b/flake.lock
@@ -128,11 +128,11 @@
"systems": "systems_2"
},
"locked": {
- "lastModified": 1692799911,
- "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
+ "lastModified": 1694529238,
+ "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
- "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
+ "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
@@ -181,11 +181,11 @@
]
},
"locked": {
- "lastModified": 1694375657,
- "narHash": "sha256-32X8dcty4vPXx+D4yJPQZBo5hJ1NQikALhevGv6elO4=",
+ "lastModified": 1694469544,
+ "narHash": "sha256-eqZng5dZnAUyb7xXyFk5z871GY/++KVv3Gyld5mVh20=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "f7848d3e5f15ed02e3f286029697e41ee31662d7",
+ "rev": "5171f5ef654425e09d9c2100f856d887da595437",
"type": "github"
},
"original": {
@@ -201,11 +201,11 @@
"nixpkgs": "nixpkgs"
},
"locked": {
- "lastModified": 1694395166,
- "narHash": "sha256-F0SRxtFF8EsEff6cRO81NdCpVz/S761ytETNqRkRwU4=",
+ "lastModified": 1694481387,
+ "narHash": "sha256-1v5DT/8PmFl9UJHRq6BeMcDTSqXIYjVBilcVFt+vRN0=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
- "rev": "e6c8e1659000d07804526e42b99fa5f15190c324",
+ "rev": "3901c1225944eda6c85f09a57c338f87f06748d2",
"type": "github"
},
"original": {
@@ -237,11 +237,11 @@
},
"nixos-hardware": {
"locked": {
- "lastModified": 1693718952,
- "narHash": "sha256-+nGdJlgTk0MPN7NygopipmyylVuAVi7OItIwTlwtGnw=",
+ "lastModified": 1694432324,
+ "narHash": "sha256-bo3Gv6Cp40vAXDBPi2XiDejzp/kyz65wZg4AnEWxAcY=",
"owner": "NixOS",
"repo": "nixos-hardware",
- "rev": "793de77d9f83418b428e8ba70d1e42c6507d0d35",
+ "rev": "ca41b8a227dd235b1b308217f116c7e6e84ad779",
"type": "github"
},
"original": {
@@ -269,11 +269,11 @@
},
"nixpkgs-stable": {
"locked": {
- "lastModified": 1694304580,
- "narHash": "sha256-5tIpNodDpEKT8mM/F5zCzWEAnidOg8eb1/x3SRaaBLs=",
+ "lastModified": 1694426803,
+ "narHash": "sha256-osusXQo0zkEqs502SNMffsKp1O9evpDM54A37MuyT2Q=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "4c8cf44c5b9481a4f093f1df3b8b7ba997a7c760",
+ "rev": "9a74ffb2ca1fc91c6ccc48bd3f8cbc1501bf7b8a",
"type": "github"
},
"original": {
@@ -301,27 +301,23 @@
},
"nixpkgs_2": {
"locked": {
- "lastModified": 1694183432,
- "narHash": "sha256-YyPGNapgZNNj51ylQMw9lAgvxtM2ai1HZVUu3GS8Fng=",
- "owner": "nixos",
- "repo": "nixpkgs",
- "rev": "db9208ab987cdeeedf78ad9b4cf3c55f5ebd269b",
- "type": "github"
+ "lastModified": 1694538145,
+ "narHash": "sha256-/+X6c5mT4Yce7L21Dw+UynDomPQQya2WRaMAO7aotGY=",
+ "path": "/home/xin/nixpkgs",
+ "type": "path"
},
"original": {
- "owner": "nixos",
- "ref": "nixos-unstable",
- "repo": "nixpkgs",
- "type": "github"
+ "path": "/home/xin/nixpkgs",
+ "type": "path"
}
},
"nur": {
"locked": {
- "lastModified": 1694400936,
- "narHash": "sha256-MOUf6iF1B5jw25xWgRTj47L2lS32F5wIACEErYqq2n0=",
+ "lastModified": 1694533535,
+ "narHash": "sha256-De7zRSSjw/UQmPxqUB5+acgE0kx9v7+w5mndk1M9clQ=",
"owner": "nix-community",
"repo": "NUR",
- "rev": "1850109f159c735841f7f6a51100b05d5b055113",
+ "rev": "140724f176a3a6d4b193b6da8eb7659d13f2fa9a",
"type": "github"
},
"original": {
@@ -396,11 +392,11 @@
"nixpkgs-stable": "nixpkgs-stable_2"
},
"locked": {
- "lastModified": 1693898833,
- "narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=",
+ "lastModified": 1694495315,
+ "narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623",
+ "rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415",
"type": "github"
},
"original": {
diff --git a/flake.nix b/flake.nix
index d84f120..a6be7dc 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,7 +1,8 @@
{
inputs = {
# Pin nixpkgs to a specific commit
- nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+ # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+ nixpkgs.url = "path:/home/xin/nixpkgs";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05";
home-manager = {
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index 161b83b..3fee0e6 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@@ -1,5 +1,27 @@
{ config, pkgs, inputs, ... }:
+let
+ kanidm_listen_port = 5324;
+in {
+ security.acme = {
+ acceptTerms = true;
+ certs."auth.xinyang.life" = {
+ email = "lixinyang411@gmail.com";
+ listenHTTP = "127.0.0.1:1360";
+ group = "kanidm";
+ };
+ };
+ services.kanidm = {
+ enableServer = true;
+ serverSettings = {
+ domain = "auth.xinyang.life";
+ origin = "https://auth.xinyang.life";
+ bindaddress = "[::]:${toString kanidm_listen_port}";
+ tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem'';
+ tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
+ # db_path = "/var/lib/kanidm/kanidm.db";
+ };
+ };
services.matrix-conduit = {
enable = true;
# package = inputs.conduit.packages.${pkgs.system}.default;
@@ -20,8 +42,13 @@
host = "xinyang.life";
letsencrypt-enabled = false;
bind-address = "localhost";
- landing-page-user = "me";
instance-expose-public-timeline = true;
+ oidc-enabled = true;
+ oidc-idp-name = "Kanidm";
+ oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts";
+ oidc-client-id = "gts";
+ oidc-client-secret = "QkqhD6kWj8QLACa51YyFttTfyGMkFyESPsSKzvGVT8WTs3J5";
+ oidc-link-existing = true;
};
};
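Review bot: Replacing `nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable"` with `path:/home/xin/nixpkgs` makes the flake build against an unreviewed checkout on one workstation; the matching flake.lock entry records only a narHash for that directory, so there is no upstream commit anyone else (or CI) can fetch, audit or reproduce, and the lock is broken for every other machine. If the local tree carries a patch this host needs, push it and pin the input to that fork commit (`github:<owner>/nixpkgs/<rev>`) so the lock stays verifiable, and drop the commented-out line rather than leaving two `nixpkgs.url` definitions to drift. This may be a temporary local-development toggle — if so it should not land in the shared branch.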
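Review bot: `bindaddress = "[::]:${toString kanidm_listen_port}"` makes Kanidm listen on every interface, while the only client visible in this diff is the Caddy proxy on the same host; the firewall list in the next hunk does not open 5324, so this is not an exposed port today, but a single firewall edit would put the identity server (including its admin API) directly on the internet. Binding to loopback, `bindaddress = "[::1]:${toString kanidm_listen_port}";`, and proxying to that address removes the dependency on the firewall. The reason for `group = "kanidm"` on the ACME cert is not stated; a one-line comment such as `# key.pem is group-readable so the kanidm service can load tls_key below` would keep the next maintainer from "tightening" it and breaking TLS.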
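Review bot: `oidc-client-secret = "QkqhD6kWj8QLACa51YyFttTfyGMkFyESPsSKzvGVT8WTs3J5";` commits a live OAuth2 client secret in plaintext, and the flake already pulls in sops-nix for exactly this kind of value. Once pushed the secret must be treated as compromised: rotate the `gts` client secret in Kanidm and never put the replacement in this attribute set, because anything in a NixOS `settings` block is also rendered into a world-readable file under `/nix/store` on the host. This block appears to be GoToSocial's configuration (`oidc-*`, `instance-expose-public-timeline`); if so, the module's `environmentFile` option with a sops-managed file containing `GTS_OIDC_CLIENT_SECRET=…` is the usual way to supply it out of band, with `oidc-client-secret` removed from the Nix config entirely. Whatever the mechanism, the secret should be scrubbed from git history as well, not just from HEAD.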
@@ -53,15 +80,32 @@
header Access-Control-Allow-Origin "*"
respond `{"m.server": "xinyang.life:443"}`
}
- reverse_proxy * http://localhost:8080 {
flush_interval -1
}
'';
virtualHosts."git.xinyang.life:443".extraConfig = ''
- tls internal
reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
'';
+
+ virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
+ reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
+ route {
+ reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first
+ abort
+ }
+ '';
+ virtualHosts."https://auth.xinyang.life:443".extraConfig = ''
+ reverse_proxy https://auth.xinyang.life:${toString kanidm_listen_port} {
+ header_up Host {upstream_hostport}
+ transport http {
+ tls_server_name ${config.services.kanidm.serverSettings.domain}
+ }
+ }
+ '';
+ #
+ # respond `Hello World`
+ };
networking.firewall.allowedTCPPorts = [ 80 443 8448 ];
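Review bot: The new `http://auth.xinyang.life:80` vhost opens with an unconditional `reverse_proxy ${…listenHTTP}`, so every plain-HTTP request — not only `/.well-known/acme-challenge/*` — is handed to the ACME standalone listener on 127.0.0.1:1360, and nothing redirects browsers to HTTPS; the `route { reverse_proxy * … order first; abort }` that follows is also suspect, since `order` is a Caddyfile global option rather than a `reverse_proxy` argument and here is likely parsed as extra upstream names. Restrict the proxy to the challenge path and send everything else to TLS so no Kanidm login form is ever served over port 80: `reverse_proxy /.well-known/acme-challenge/* ${config.security.acme.certs."auth.xinyang.life".listenHTTP}` followed by `redir https://{host}{uri} permanent`, and drop the `route` block. The HTTPS vhost proxies to `https://auth.xinyang.life:${…}`, i.e. the public name resolved via DNS; `https://[::1]:${toString kanidm_listen_port}` with the existing `tls_server_name` keeps that hop on loopback and independent of external DNS. Separately, the `-` line in the matrix vhost removes the opening `reverse_proxy * http://localhost:8080 {` while `flush_interval -1` and its closing `}` remain as context — if the collapsed layout is faithful, that Caddyfile block no longer parses; the enclosing `services.caddy` block starts above this hunk.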