xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

feat(massicot): provision kanidm

Browse source
This commit is contained in:
xinyangli 2024-07-30 10:59:12 +08:00
parent 56f7449ed9
commit c4cb116514
Signed by: xin
SSH key fingerprint: SHA256:qZ/tzd8lYRtUFSrfBDBMcUqV4GHKxqeqRA3huItgvbk
4 changed files with 97 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
flake.lock
View file

@ -99,11 +99,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1722119539, "lastModified": 1722203588,
"narHash": "sha256-2kU90liMle0vKR8exJx1XM4hZh9CdNgZGHCTbeA9yzY=", "narHash": "sha256-91V5FMSQ4z9bkhTCf0f86Zjw0bh367daSf0mzCIW0vU=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "d0240a064db3987eb4d5204cf2400bc4452d9922", "rev": "792757f643cedc13f02098d8ed506d82e19ec1da",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -143,11 +143,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1722130475, "lastModified": 1722302960,
"narHash": "sha256-VT2GvIRL8+nNSQ/XS9N6m42VDBiNDy7Luz3wMHoPLBk=", "narHash": "sha256-byZl18UZCHy3vLhxrXp8THzlzmwNfil93ZQLY30i7/Q=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nix-vscode-extensions", "repo": "nix-vscode-extensions",
"rev": "25a36236f5051034e2085fb3414493c921bb1994", "rev": "e1a1e6cabd0140ed353e173290e6d92510f5fd66",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -158,11 +158,11 @@
}, },
"nixos-hardware": { "nixos-hardware": {
"locked": { "locked": {
"lastModified": 1722114937, "lastModified": 1722278305,
"narHash": "sha256-MOZ9woPwdpFJcHx3wic2Mlw9aztdKjMnFT3FaeLzJkM=", "narHash": "sha256-xLBAegsn9wbj+pQfbX07kykd5VBV3Ywk3IbObVAAlWA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixos-hardware", "repo": "nixos-hardware",
"rev": "e67b60fb1b2c3aad2202d95b91d4c218cf2a4fdd", "rev": "eab049fe178c11395d65a858ba1b56461ba9652d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -174,11 +174,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1722178855, "lastModified": 1722307517,
"narHash": "sha256-x842DNrWlcEW4O3ghvoVDkphr8ve1AWzSU2E25Q0hMM=", "narHash": "sha256-QTsnr7l9MlOVMASsv6w1luxAKqR32RJceBYQlg5bpkM=",
"owner": "xinyangli", "owner": "xinyangli",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "85549341bb07139d6d12531114d45efad79cfb60", "rev": "ebd00a4a357b00eb56b5d11f57aeb2b1fca9be34",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -222,11 +222,11 @@
}, },
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1722176547, "lastModified": 1722304333,
"narHash": "sha256-Z1nF2QaPEVdflInS3R1++mAJR0TIZ1V5hKNm8x6OjFA=", "narHash": "sha256-fC+PkQuMo1DykB7my6VLPOQi6ugnZuOGdGmAAKCmFVY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "NUR", "repo": "NUR",
"rev": "4bf1f4aecb27b07334f138eb22668c76d14ce62d", "rev": "6cfe9fb0882d3d57fd67c783905757bb10b9115e",
"type": "github" "type": "github"
}, },
"original": { "original": {

3
flake.nix
View file

@ -101,6 +101,7 @@
}; };
in in
{ {
nixpkgs = nixpkgs;
nixosModules.default = import ./modules/nixos; nixosModules.default = import ./modules/nixos;
homeManagerModules = import ./modules/home-manager; homeManagerModules = import ./modules/home-manager;
@ -183,7 +184,7 @@
] ++ sharedColmenaModules; ] ++ sharedColmenaModules;
deployment = { deployment = {
targetHost = "weilite.coho-tet.ts.net"; targetHost = "weilite.coho-tet.ts.net";
targetPort = 2222; targetPort = 22;
buildOnTarget = false; buildOnTarget = false;
}; };
nixpkgs.system = "x86_64-linux"; nixpkgs.system = "x86_64-linux";

1
machines/massicot/default.nix
View file

@ -33,6 +33,7 @@
boot.loader.grub = { boot.loader.grub = {
enable = true; enable = true;
efiSupport = true; efiSupport = true;
configurationLimit = 5;
}; };
fileSystems."/mnt/storage" = { fileSystems."/mnt/storage" = {

83
machines/massicot/services.nix
View file

@ -63,6 +63,7 @@ in
}; };
}; };
services.kanidm = { services.kanidm = {
package = pkgs.kanidm.withSecretProvisioning;
enableServer = true; enableServer = true;
serverSettings = { serverSettings = {
domain = "auth.xinyang.life"; domain = "auth.xinyang.life";
@ -72,6 +73,84 @@ in
tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem''; tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
# db_path = "/var/lib/kanidm/kanidm.db"; # db_path = "/var/lib/kanidm/kanidm.db";
}; };
provision = {
enable = true;
autoRemove = true;
groups = {
forgejo-access = {
members = [ "xin" ];
};
gts-users = {
members = [ "xin" ];
};
ocis-users = {
members = [ "xin" ];
};
linux_users = {
members = [ "xin" ];
};
hedgedoc-users = {
members = [ "xin" ];
};
immich-users = {
members = [ "xin" "zhuo" ];
};
};
persons = {
xin = {
displayName = "Xinyang Li";
mailAddresses = [ "lixinyang411@gmail.com" ];
};
zhuo = {
displayName = "Zhuo";
mailAddresses = [ "13681104320@163.com" ];
};
};
systems.oauth2 = {
forgejo = {
displayName = "ForgeJo";
originUrl = "https://git.xinyang.life/";
originLanding = " https://git.xinyang.life/user/oauth2/kandim";
allowInsecureClientDisablePkce = true;
scopeMaps = {
forgejo-access = [ "openid" "email" "profile" "groups" ];
};
};
gts = {
displayName = "GoToSocial";
originUrl = "https://xinyang.life/";
allowInsecureClientDisablePkce = true;
scopeMaps = {
gts-users = [ "openid" "email" "profile" "groups" ];
};
};
owncloud = {
displayName = "ownCloud";
originUrl = "https://home.xinyang.life:9201/";
public = true;
scopeMaps = {
ocis-users = [ "openid" "email" "profile" ];
};
};
hedgedoc = {
displayName = "HedgeDoc";
originUrl = "https://docs.xinyang.life/";
allowInsecureClientDisablePkce = true;
scopeMaps = {
hedgedoc-users = [ "openid" "email" "profile" ];
};
};
immich-mobile = {
displayName = "Immich";
originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
allowInsecureClientDisablePkce = true;
scopeMaps = {
immich-users = [ "openid" "email" "profile" ];
};
};
};
};
}; };
services.matrix-conduit = { services.matrix-conduit = {
enable = true; enable = true;
@ -179,10 +258,6 @@ in
virtualHosts."http://auth.xinyang.life:80".extraConfig = '' virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP} reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
route {
reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first
abort
}
''; '';
virtualHosts."https://auth.xinyang.life".extraConfig = '' virtualHosts."https://auth.xinyang.life".extraConfig = ''
reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} { reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {