From c4cb1165140d77f66a28e4d432591ee34ca2c10c Mon Sep 17 00:00:00 2001
From: xinyangli
Date: Tue, 30 Jul 2024 10:59:12 +0800
Subject: [PATCH] feat(massicot): provision kanidm
---
 flake.lock | 30 ++++++------
 flake.nix | 3 +-
 machines/massicot/default.nix | 1 +
 machines/massicot/services.nix | 83 ++++++++++++++++++++++++++++++++--
 4 files changed, 97 insertions(+), 20 deletions(-)
diff --git a/flake.lock b/flake.lock
index 6a58e96..e74d8bd 100644
--- a/flake.lock
+++ b/flake.lock
@@ -99,11 +99,11 @@
 ]
 },
 "locked": {
- "lastModified": 1722119539,
- "narHash": "sha256-2kU90liMle0vKR8exJx1XM4hZh9CdNgZGHCTbeA9yzY=",
+ "lastModified": 1722203588,
+ "narHash": "sha256-91V5FMSQ4z9bkhTCf0f86Zjw0bh367daSf0mzCIW0vU=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "d0240a064db3987eb4d5204cf2400bc4452d9922",
+ "rev": "792757f643cedc13f02098d8ed506d82e19ec1da",
 "type": "github"
 },
 "original": {
@@ -143,11 +143,11 @@
 ]
 },
 "locked": {
- "lastModified": 1722130475,
- "narHash": "sha256-VT2GvIRL8+nNSQ/XS9N6m42VDBiNDy7Luz3wMHoPLBk=",
+ "lastModified": 1722302960,
+ "narHash": "sha256-byZl18UZCHy3vLhxrXp8THzlzmwNfil93ZQLY30i7/Q=",
 "owner": "nix-community",
 "repo": "nix-vscode-extensions",
- "rev": "25a36236f5051034e2085fb3414493c921bb1994",
+ "rev": "e1a1e6cabd0140ed353e173290e6d92510f5fd66",
 "type": "github"
 },
 "original": {
@@ -158,11 +158,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1722114937,
- "narHash": "sha256-MOZ9woPwdpFJcHx3wic2Mlw9aztdKjMnFT3FaeLzJkM=",
+ "lastModified": 1722278305,
+ "narHash": "sha256-xLBAegsn9wbj+pQfbX07kykd5VBV3Ywk3IbObVAAlWA=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "e67b60fb1b2c3aad2202d95b91d4c218cf2a4fdd",
+ "rev": "eab049fe178c11395d65a858ba1b56461ba9652d",
 "type": "github"
 },
 "original": {
@@ -174,11 +174,11 @@
 },
 "nixpkgs": {
 "locked": {
- "lastModified": 1722178855,
- "narHash": "sha256-x842DNrWlcEW4O3ghvoVDkphr8ve1AWzSU2E25Q0hMM=",
+ "lastModified": 1722307517,
+ "narHash": "sha256-QTsnr7l9MlOVMASsv6w1luxAKqR32RJceBYQlg5bpkM=",
 "owner": "xinyangli",
 "repo": "nixpkgs",
- "rev": "85549341bb07139d6d12531114d45efad79cfb60",
+ "rev": "ebd00a4a357b00eb56b5d11f57aeb2b1fca9be34",
 "type": "github"
 },
 "original": {
@@ -222,11 +222,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1722176547,
- "narHash": "sha256-Z1nF2QaPEVdflInS3R1++mAJR0TIZ1V5hKNm8x6OjFA=",
+ "lastModified": 1722304333,
+ "narHash": "sha256-fC+PkQuMo1DykB7my6VLPOQi6ugnZuOGdGmAAKCmFVY=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "4bf1f4aecb27b07334f138eb22668c76d14ce62d",
+ "rev": "6cfe9fb0882d3d57fd67c783905757bb10b9115e",
 "type": "github"
 },
 "original": {
diff --git a/flake.nix b/flake.nix
index 7b39af7..c2ba7c6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -101,6 +101,7 @@
 };
 in
 {
+ nixpkgs = nixpkgs;
 nixosModules.default = import ./modules/nixos;
 homeManagerModules = import ./modules/home-manager;
@@ -183,7 +184,7 @@
 ] ++ sharedColmenaModules;
 deployment = {
 targetHost = "weilite.coho-tet.ts.net";
- targetPort = 2222;
+ targetPort = 22;
 buildOnTarget = false;
 };
 nixpkgs.system = "x86_64-linux";
diff --git a/machines/massicot/default.nix b/machines/massicot/default.nix
index 66c7b50..56cbfe5 100644
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@@ -33,6 +33,7 @@
 boot.loader.grub = {
 enable = true;
 efiSupport = true;
+ configurationLimit = 5;
 };
 fileSystems."/mnt/storage" = {
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index a9889f0..2bb6541 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@@ -63,6 +63,7 @@ in
 };
 };
 services.kanidm = {
+ package = pkgs.kanidm.withSecretProvisioning;
 enableServer = true;
 serverSettings = {
 domain = "auth.xinyang.life";
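Review bot: The `targetPort = 22;` change on the weilite deployment in the second flake.nix hunk is unrelated to the commit subject (provisioning kanidm on massicot) and moves the SSH port colmena uses for that host from 2222 to 22; it should be split into its own commit or at least called out in the message so the port change is not lost in review. The new top-level `nixpkgs = nixpkgs;` output in the first flake.nix hunk is not a standard flake output name; if it exists so other flakes can follow this one's pinned nixpkgs, a comment such as `# expose the pinned nixpkgs input so downstream flakes can follow it` would record that intent for the next reader.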
@@ -72,6 +73,84 @@ in
 tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
 # db_path = "/var/lib/kanidm/kanidm.db";
 };
+ provision = {
+ enable = true;
+ autoRemove = true;
+ groups = {
+ forgejo-access = {
+ members = [ "xin" ];
+ };
+ gts-users = {
+ members = [ "xin" ];
+ };
+ ocis-users = {
+ members = [ "xin" ];
+ };
+ linux_users = {
+ members = [ "xin" ];
+ };
+ hedgedoc-users = {
+ members = [ "xin" ];
+ };
+ immich-users = {
+ members = [ "xin" "zhuo" ];
+ };
+ };
+ persons = {
+ xin = {
+ displayName = "Xinyang Li";
+ mailAddresses = [ "lixinyang411@gmail.com" ];
+ };
+
+ zhuo = {
+ displayName = "Zhuo";
+ mailAddresses = [ "13681104320@163.com" ];
+ };
+ };
+ systems.oauth2 = {
+ forgejo = {
+ displayName = "ForgeJo";
+ originUrl = "https://git.xinyang.life/";
+ originLanding = " https://git.xinyang.life/user/oauth2/kandim";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ forgejo-access = [ "openid" "email" "profile" "groups" ];
+ };
+ };
+ gts = {
+ displayName = "GoToSocial";
+ originUrl = "https://xinyang.life/";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ gts-users = [ "openid" "email" "profile" "groups" ];
+ };
+ };
+ owncloud = {
+ displayName = "ownCloud";
+ originUrl = "https://home.xinyang.life:9201/";
+ public = true;
+ scopeMaps = {
+ ocis-users = [ "openid" "email" "profile" ];
+ };
+ };
+ hedgedoc = {
+ displayName = "HedgeDoc";
+ originUrl = "https://docs.xinyang.life/";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ hedgedoc-users = [ "openid" "email" "profile" ];
+ };
+ };
+ immich-mobile = {
+ displayName = "Immich";
+ originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ immich-users = [ "openid" "email" "profile" ];
+ };
+ };
+ };
+ };
 };
 services.matrix-conduit = {
 enable = true;
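Review bot: `originLanding = " https://git.xinyang.life/user/oauth2/kandim";` in the forgejo oauth2 system carries a leading space inside the string literal, which is handed to kanidm as part of the landing URL and is almost certainly unintended; the line should read `originLanding = "https://git.xinyang.life/user/oauth2/kandim";`. The trailing path segment `kandim` also reads like a transposition of `kanidm`, but it has to match the authentication source name registered on the Forgejo side, so verify that rather than assuming either spelling. Four of the five clients set `allowInsecureClientDisablePkce = true`, which lifts the PKCE requirement that protects the authorization-code exchange; each occurrence deserves a one-line comment naming the client limitation that forces it (for example `# client cannot send a code_verifier; drop this once it supports PKCE`), and the flag should be removed for any client that can do PKCE. Minor: `linux_users` is the only group name using an underscore while the others use hyphens.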
@@ -179,10 +258,6 @@ in
 virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
 reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
- route {
- reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first
- abort
- }
 '';
 virtualHosts."https://auth.xinyang.life".extraConfig = ''
 reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {