massicot: add kanidm service

2023-09-28 10:58:29 +00:00 · 2023-09-28 10:58:29 +00:00 · b3744b41ce
commit b3744b41ce
parent 74ad2b8425
3 changed files with 76 additions and 35 deletions
--- a/flake.lock
+++ b/flake.lock
@ -128,11 +128,11 @@
        "systems": "systems_2"
      },
      "locked": {
-        "lastModified": 1692799911,
+        "lastModified": 1694529238,
-        "narHash": "sha256-3eihraek4qL744EvQXsK1Ha6C3CR7nnT8X2qWap4RNk=",
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
        "owner": "numtide",
        "repo": "flake-utils",
-        "rev": "f9e7cf818399d17d347f847525c5a5a8032e4e44",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
        "type": "github"
      },
      "original": {
@ -181,11 +181,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1694375657,
+        "lastModified": 1694469544,
-        "narHash": "sha256-32X8dcty4vPXx+D4yJPQZBo5hJ1NQikALhevGv6elO4=",
+        "narHash": "sha256-eqZng5dZnAUyb7xXyFk5z871GY/++KVv3Gyld5mVh20=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "f7848d3e5f15ed02e3f286029697e41ee31662d7",
+        "rev": "5171f5ef654425e09d9c2100f856d887da595437",
        "type": "github"
      },
      "original": {
@ -201,11 +201,11 @@
        "nixpkgs": "nixpkgs"
      },
      "locked": {
-        "lastModified": 1694395166,
+        "lastModified": 1694481387,
-        "narHash": "sha256-F0SRxtFF8EsEff6cRO81NdCpVz/S761ytETNqRkRwU4=",
+        "narHash": "sha256-1v5DT/8PmFl9UJHRq6BeMcDTSqXIYjVBilcVFt+vRN0=",
        "owner": "nix-community",
        "repo": "nix-vscode-extensions",
-        "rev": "e6c8e1659000d07804526e42b99fa5f15190c324",
+        "rev": "3901c1225944eda6c85f09a57c338f87f06748d2",
        "type": "github"
      },
      "original": {
@ -237,11 +237,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1693718952,
+        "lastModified": 1694432324,
-        "narHash": "sha256-+nGdJlgTk0MPN7NygopipmyylVuAVi7OItIwTlwtGnw=",
+        "narHash": "sha256-bo3Gv6Cp40vAXDBPi2XiDejzp/kyz65wZg4AnEWxAcY=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "793de77d9f83418b428e8ba70d1e42c6507d0d35",
+        "rev": "ca41b8a227dd235b1b308217f116c7e6e84ad779",
        "type": "github"
      },
      "original": {
@ -269,11 +269,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1694304580,
+        "lastModified": 1694426803,
-        "narHash": "sha256-5tIpNodDpEKT8mM/F5zCzWEAnidOg8eb1/x3SRaaBLs=",
+        "narHash": "sha256-osusXQo0zkEqs502SNMffsKp1O9evpDM54A37MuyT2Q=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "4c8cf44c5b9481a4f093f1df3b8b7ba997a7c760",
+        "rev": "9a74ffb2ca1fc91c6ccc48bd3f8cbc1501bf7b8a",
        "type": "github"
      },
      "original": {
@ -301,27 +301,23 @@
    },
    "nixpkgs_2": {
      "locked": {
-        "lastModified": 1694183432,
+        "lastModified": 1694538145,
-        "narHash": "sha256-YyPGNapgZNNj51ylQMw9lAgvxtM2ai1HZVUu3GS8Fng=",
+        "narHash": "sha256-/+X6c5mT4Yce7L21Dw+UynDomPQQya2WRaMAO7aotGY=",
-        "owner": "nixos",
+        "path": "/home/xin/nixpkgs",
-        "repo": "nixpkgs",
+        "type": "path"
        "rev": "db9208ab987cdeeedf78ad9b4cf3c55f5ebd269b",
        "type": "github"
      },
      "original": {
-        "owner": "nixos",
+        "path": "/home/xin/nixpkgs",
-        "ref": "nixos-unstable",
+        "type": "path"
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nur": {
      "locked": {
-        "lastModified": 1694400936,
+        "lastModified": 1694533535,
-        "narHash": "sha256-MOUf6iF1B5jw25xWgRTj47L2lS32F5wIACEErYqq2n0=",
+        "narHash": "sha256-De7zRSSjw/UQmPxqUB5+acgE0kx9v7+w5mndk1M9clQ=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "1850109f159c735841f7f6a51100b05d5b055113",
+        "rev": "140724f176a3a6d4b193b6da8eb7659d13f2fa9a",
        "type": "github"
      },
      "original": {
@ -396,11 +392,11 @@
        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
-        "lastModified": 1693898833,
+        "lastModified": 1694495315,
-        "narHash": "sha256-OIrMAGNYNeLs6IvBynxcXub7aSW3GEUvWNsb7zx6zuU=",
+        "narHash": "sha256-sZEYXs9T1NVHZSSbMqBEtEm2PGa7dEDcx0ttQkArORc=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "faf21ac162173c2deb54e5fdeed002a9bd6e8623",
+        "rev": "ea208e55f8742fdcc0986b256bdfa8986f5e4415",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -1,7 +1,8 @@
 {
  inputs = {
    # Pin nixpkgs to a specific commit
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    # nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
    nixpkgs.url = "path:/home/xin/nixpkgs";
    nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05";
    home-manager = {
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@ -1,5 +1,27 @@
 { config, pkgs, inputs, ... }:
 let
  kanidm_listen_port = 5324;
 in
 {
  security.acme = {
    acceptTerms = true;
    certs."auth.xinyang.life" = {
        email = "lixinyang411@gmail.com";
        listenHTTP = "127.0.0.1:1360";
        group = "kanidm";
    };
  };
  services.kanidm = {
    enableServer = true;
    serverSettings = {
      domain = "auth.xinyang.life";
      origin = "https://auth.xinyang.life";
      bindaddress = "[::]:${toString kanidm_listen_port}";
      tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem'';
      tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
      # db_path = "/var/lib/kanidm/kanidm.db";
    };
  };
  services.matrix-conduit = {
    enable = true;
    # package = inputs.conduit.packages.${pkgs.system}.default;
@ -20,8 +42,13 @@
      host = "xinyang.life";
      letsencrypt-enabled = false;
      bind-address = "localhost";
      landing-page-user = "me";
      instance-expose-public-timeline = true;
      oidc-enabled = true;
      oidc-idp-name = "Kanidm";
      oidc-issuer = "https://auth.xinyang.life/oauth2/openid/gts";
      oidc-client-id = "gts";
      oidc-client-secret = "QkqhD6kWj8QLACa51YyFttTfyGMkFyESPsSKzvGVT8WTs3J5";
      oidc-link-existing = true;
    };
  };
@ -53,15 +80,32 @@
          header Access-Control-Allow-Origin "*"
          respond `{"m.server": "xinyang.life:443"}`
      }
      reverse_proxy * http://localhost:8080 {
          flush_interval -1
      }
    '';
    virtualHosts."git.xinyang.life:443".extraConfig = ''
      tls internal
      reverse_proxy http://${config.services.gitea.settings.server.DOMAIN}:${toString config.services.gitea.settings.server.HTTP_PORT}
    '';
    virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
        reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
        route {
           reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first
           abort
        }
    '';
    virtualHosts."https://auth.xinyang.life:443".extraConfig = ''
      reverse_proxy https://auth.xinyang.life:${toString kanidm_listen_port} {
          header_up Host {upstream_hostport}
          transport http {
              tls_server_name ${config.services.kanidm.serverSettings.domain}
          }
      }
    '';
    # 
    # respond `Hello World`
  };
  networking.firewall.allowedTCPPorts = [ 80 443 8448 ];