xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

feat(massicot): provision kanidm

Browse source
This commit is contained in:
xinyangli 2024-07-30 10:59:12 +08:00
parent 56f7449ed9
commit c4cb116514
Signed by: xin
SSH key fingerprint: SHA256:qZ/tzd8lYRtUFSrfBDBMcUqV4GHKxqeqRA3huItgvbk
4 changed files with 97 additions and 20 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
flake.lock
View file

@ -99,11 +99,11 @@
]
},
"locked": {
"lastModified": 1722119539,
"narHash": "sha256-2kU90liMle0vKR8exJx1XM4hZh9CdNgZGHCTbeA9yzY=",
"lastModified": 1722203588,
"narHash": "sha256-91V5FMSQ4z9bkhTCf0f86Zjw0bh367daSf0mzCIW0vU=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "d0240a064db3987eb4d5204cf2400bc4452d9922",
"rev": "792757f643cedc13f02098d8ed506d82e19ec1da",
"type": "github"
},
"original": {
@ -143,11 +143,11 @@
]
},
"locked": {
"lastModified": 1722130475,
"narHash": "sha256-VT2GvIRL8+nNSQ/XS9N6m42VDBiNDy7Luz3wMHoPLBk=",
"lastModified": 1722302960,
"narHash": "sha256-byZl18UZCHy3vLhxrXp8THzlzmwNfil93ZQLY30i7/Q=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
"rev": "25a36236f5051034e2085fb3414493c921bb1994",
"rev": "e1a1e6cabd0140ed353e173290e6d92510f5fd66",
"type": "github"
},
"original": {
@ -158,11 +158,11 @@
},
"nixos-hardware": {
"locked": {
"lastModified": 1722114937,
"narHash": "sha256-MOZ9woPwdpFJcHx3wic2Mlw9aztdKjMnFT3FaeLzJkM=",
"lastModified": 1722278305,
"narHash": "sha256-xLBAegsn9wbj+pQfbX07kykd5VBV3Ywk3IbObVAAlWA=",
"owner": "NixOS",
"repo": "nixos-hardware",
"rev": "e67b60fb1b2c3aad2202d95b91d4c218cf2a4fdd",
"rev": "eab049fe178c11395d65a858ba1b56461ba9652d",
"type": "github"
},
"original": {
@ -174,11 +174,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1722178855,
"narHash": "sha256-x842DNrWlcEW4O3ghvoVDkphr8ve1AWzSU2E25Q0hMM=",
"lastModified": 1722307517,
"narHash": "sha256-QTsnr7l9MlOVMASsv6w1luxAKqR32RJceBYQlg5bpkM=",
"owner": "xinyangli",
"repo": "nixpkgs",
"rev": "85549341bb07139d6d12531114d45efad79cfb60",
"rev": "ebd00a4a357b00eb56b5d11f57aeb2b1fca9be34",
"type": "github"
},
"original": {
@ -222,11 +222,11 @@
},
"nur": {
"locked": {
"lastModified": 1722176547,
"narHash": "sha256-Z1nF2QaPEVdflInS3R1++mAJR0TIZ1V5hKNm8x6OjFA=",
"lastModified": 1722304333,
"narHash": "sha256-fC+PkQuMo1DykB7my6VLPOQi6ugnZuOGdGmAAKCmFVY=",
"owner": "nix-community",
"repo": "NUR",
"rev": "4bf1f4aecb27b07334f138eb22668c76d14ce62d",
"rev": "6cfe9fb0882d3d57fd67c783905757bb10b9115e",
"type": "github"
},
"original": {

3
flake.nix
View file

@ -101,6 +101,7 @@
};
in
{
nixpkgs = nixpkgs;
nixosModules.default = import ./modules/nixos;
homeManagerModules = import ./modules/home-manager;
@ -183,7 +184,7 @@
] ++ sharedColmenaModules;
deployment = {
targetHost = "weilite.coho-tet.ts.net";
targetPort = 2222;
targetPort = 22;
buildOnTarget = false;
};
nixpkgs.system = "x86_64-linux";

1
machines/massicot/default.nix
View file

@ -33,6 +33,7 @@
boot.loader.grub = {
enable = true;
efiSupport = true;
configurationLimit = 5;
};
fileSystems."/mnt/storage" = {

83
machines/massicot/services.nix
View file

@ -63,6 +63,7 @@ in
};
};
services.kanidm = {
package = pkgs.kanidm.withSecretProvisioning;
enableServer = true;
serverSettings = {
domain = "auth.xinyang.life";
@ -72,6 +73,84 @@ in
tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
# db_path = "/var/lib/kanidm/kanidm.db";
};
provision = {
enable = true;
autoRemove = true;
groups = {
forgejo-access = {
members = [ "xin" ];
};
gts-users = {
members = [ "xin" ];
};
ocis-users = {
members = [ "xin" ];
};
linux_users = {
members = [ "xin" ];
};
hedgedoc-users = {
members = [ "xin" ];
};
immich-users = {
members = [ "xin" "zhuo" ];
};
};
persons = {
xin = {
displayName = "Xinyang Li";
mailAddresses = [ "lixinyang411@gmail.com" ];
};
zhuo = {
displayName = "Zhuo";
mailAddresses = [ "13681104320@163.com" ];
};
};
systems.oauth2 = {
forgejo = {
displayName = "ForgeJo";
originUrl = "https://git.xinyang.life/";
originLanding = " https://git.xinyang.life/user/oauth2/kandim";
allowInsecureClientDisablePkce = true;
scopeMaps = {
forgejo-access = [ "openid" "email" "profile" "groups" ];
};
};
gts = {
displayName = "GoToSocial";
originUrl = "https://xinyang.life/";
allowInsecureClientDisablePkce = true;
scopeMaps = {
gts-users = [ "openid" "email" "profile" "groups" ];
};
};
owncloud = {
displayName = "ownCloud";
originUrl = "https://home.xinyang.life:9201/";
public = true;
scopeMaps = {
ocis-users = [ "openid" "email" "profile" ];
};
};
hedgedoc = {
displayName = "HedgeDoc";
originUrl = "https://docs.xinyang.life/";
allowInsecureClientDisablePkce = true;
scopeMaps = {
hedgedoc-users = [ "openid" "email" "profile" ];
};
};
immich-mobile = {
displayName = "Immich";
originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
allowInsecureClientDisablePkce = true;
scopeMaps = {
immich-users = [ "openid" "email" "profile" ];
};
};
};
};
};
services.matrix-conduit = {
enable = true;
@ -179,10 +258,6 @@ in
virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
route {
reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first
abort
}
'';
virtualHosts."https://auth.xinyang.life".extraConfig = ''
reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {