xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: xin:153762ca5ba6bb73f780a252a847e7a006776789
Branches Tags
xin:master
xin:deploy
...
compare: xin:9a53ca1cea4bbf5b929306924a55a1f8f2589a79
Branches Tags
xin:deploy
xin:master

2 commits
153762ca5b ... 9a53ca1cea

Author SHA1 Message Date
xinyangli
9a53ca1cea
massicot/forgejo: provision auth 2024-08-21 17:16:30 +08:00
xinyangli
509304de03
modules/nix-conf: local mirror take precedence over official cache 2024-08-21 11:05:49 +08:00
5 changed files with 51 additions and 14 deletions
Show stats Expand all files Collapse all files

3
machines/massicot/default.nix
View file

@ -31,6 +31,9 @@
"miniflux/oauth2_secret" = { "miniflux/oauth2_secret" = {
owner = "root"; owner = "root";
}; };
"forgejo/env" = {
owner = "forgejo";
};
}; };
}; };

15
machines/massicot/kanidm-provision.nix
View file

@ -5,6 +5,9 @@
forgejo-access = { forgejo-access = {
members = [ "xin" ]; members = [ "xin" ];
}; };
forgejo-admin = {
members = [ "xin" ];
};
gts-users = { gts-users = {
members = [ "xin" ]; members = [ "xin" ];
}; };
@ -35,6 +38,9 @@
miniflux-users = { miniflux-users = {
members = [ "xin" ]; members = [ "xin" ];
}; };
idm_people_self_mail_write = {
members = [ ];
};
}; };
persons = { persons = {
xin = { xin = {
@ -61,6 +67,15 @@
scopeMaps = { scopeMaps = {
forgejo-access = [ "openid" "email" "profile" "groups" ]; forgejo-access = [ "openid" "email" "profile" "groups" ];
}; };
claimMaps = {
forgejo_role = {
joinType = "array";
valuesByGroup = {
forgejo-access = [ "Access" ];
forgejo-admin = [ "Admin" ];
};
};
};
}; };
gts = { gts = {
displayName = "GoToSocial"; displayName = "GoToSocial";

12
machines/massicot/secrets.yaml
View file

@ -1,9 +1,11 @@
storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str] storage_box_mount: ENC[AES256_GCM,data:9lOAL3tkfB0pN4/cuM4SX0xoMrW0UUEzTN8spw3MQ3BWrfsRc3Stsce3puXz1sRf,iv:7Q9wzpBgQ3tqcfy0n/c6Ya84Kg60nhR/e2H0pVntWsY=,tag:9a0xvNBGQpCvhxgmV3hrww==,type:str]
gts_env: ENC[AES256_GCM,data:CKFKHXCJvTD0HFkVrBWhabcl/cloCT03qcZIc5JymiIAu+o6wef6gsQlkKP81vxC9S3XMYtLgXQ03D7Jetkfg+7nafF1+ogN,iv:/axRqZIatwYL++/KmBIievPPyKRkHGmVpgRe2Eet+fg=,tag:gwxyuePOYiD1vlSyq3yjXA==,type:str] gts_env: ENC[AES256_GCM,data:StggMdJPevrDbrVDrBDETdQYnSOaTESkgSqpGKrSHXhS21nyCE5ya7/X4l0GVTXoGCyfWG7vK+PDW22mJxpYcj2CBaVUYDu/,iv:2fqWDaWAWxTXdG7w5HU6jBcappFEByNtYs0Jd6PaYnA=,tag:KGhrMemao6g4FkEAZmmacg==,type:str]
hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str] hedgedoc_env: ENC[AES256_GCM,data:zwAA+zKSJT0tZyYArCaa1lfL0y8DNHDp/thS11DrVxNvjmk38o0ydsKArfZKzFYye+qNBzz1B4sPCdW4cFgQUNgbM+n9AvoMB8CssdmQ+sALKmozA5aEV23q+khZSGlHocP6WA==,iv:SgZruOS1nanK64Ex1dvgoD1HzbGbNa4DFSBuVoaNgEc=,tag:R+I8m1AloDCXs5PdpEpS0w==,type:str]
grafana_oauth_secret: ENC[AES256_GCM,data:2dSgxeWXNtlvbrgW9whCVuM6tfzd4lVhynwQTSPbBJndhI8scpJle7LjI1+b14FS9boBsuYO+ym4Pf1I8/jJtKkj6X6I0BmXFBC/SfpCpo+ZGrxacg==,iv:N8iTPqMagKP3hWc7n0bjgYKvaFaw11ITvDn9lUkkAPY=,tag:Cz59fA2Zq3jVvhfxaFuGAA==,type:str] grafana_oauth_secret: ENC[AES256_GCM,data:43+EBnN912eK/08MdJokWPxi2Lxn/D4hSHPhNmHOk9awWQ7ut/el0vaAa+Epqnui3le2p4VuotQT6XlIuDLrixIomrc6Qw5HERAEdZmbrGvDlrrNhw==,iv:Pfn8rL0LtG3hym9EdSZRjaPLMlWlut/nt2FEtRWnULo=,tag:moDWqF3aBbnO4aG0Cysfcw==,type:str]
miniflux: miniflux:
oauth2_secret: ENC[AES256_GCM,data:Q0JeT5VHGEDATXB9jf5+eU1Hoi9FsJrw6IK2T0bodvVgki+1oF+sWld5NGpoiXm/bQ==,iv:e8+84Zk5eXNIyIPhTG8jFhO+DCRorPFG0lDDNT4OxCs=,tag:IxlyFBcFaSy7Nz0aQCH3bw==,type:str] oauth2_secret: ENC[AES256_GCM,data:jcZR9E9jXNKfkAoGgBI19qQeaz26R6qiAWjP4XrftHSCQV974tjJl+fiU8Xgi0bViA==,iv:/aY0bL/oAAHBhohy3FHB/UEDYryw7A7JOKvEbLtDHJg=,tag:Fn/6NurNkRphXySR+y9S9Q==,type:str]
forgejo:
env: ENC[AES256_GCM,data:TMeguXfanISeyvsay9SBqm3SSGKpp5nCkqhHblf0QHNzHWGQKwpORmWfOtVfgOh9qdDqq8wYBpXznmbvixjV,iv:IR/rMoAIvZCw9FURmau4+g8c3pvI9BRs7v1NJ5ia4jI=,tag:kjwf6RN5HN8I2sUhDcr4UQ==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -28,8 +30,8 @@ sops:
dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i
V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g== V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-05T08:53:56Z" lastmodified: "2024-08-21T05:54:31Z"
mac: ENC[AES256_GCM,data:DtAL9k/t4pGV2UqCrb1R/1nT3gjJ8wced5yQOF5oneoncg/uuyX7IDZ0iZz0eGirj9Zadh9UQWNwxMzoiNu6pD1v04MkxT0NVDJ32vt5X+YDQJ60vRJjn9+zKvLk8Esx9sFsuBxjVXXmbtev7+djU+LbpPLfaobdheO2XlJXtdU=,iv:y2KI5ylgvuQ7ktYAr6XPEX3qyxnSP7BWC79mdsr4hgk=,tag:cvXvXeKvRwvttgQfmZRi2w==,type:str] mac: ENC[AES256_GCM,data:oNBabsDRuHjMBXynr8ytCLmv5NPyA0mRUcPJfFZjjAb9ZbGP+pquwJT3S0l2yo4Nsd0YQP8X1pGS3PEv9v+N538bxmMJJCERR7iZ5U5G4h0AvKi+UkjkveDdhPWBXhC1O+Up7reT/LLzOiZ1WUHCYRQfcb9R1RL3G2NpeYuOShk=,iv:FLmtKyZjZuGDnMjOgJdoIU9EXLQSZavs8f4q2C+Sxbk=,tag:sGoJNppCTYxZ2u2l0eMHgg==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.9.0

32
machines/massicot/services.nix
View file

@ -142,6 +142,8 @@ in
services.forgejo = { services.forgejo = {
enable = true; enable = true;
# Use cutting edge instead of lts
package = pkgs.forgejo;
repositoryRoot = "/mnt/storage/forgejo/repositories"; repositoryRoot = "/mnt/storage/forgejo/repositories";
lfs = { lfs = {
enable = true; enable = true;
@ -151,11 +153,10 @@ in
service.DISABLE_REGISTRATION = true; service.DISABLE_REGISTRATION = true;
server = { server = {
ROOT_URL = "https://git.xinyang.life/"; ROOT_URL = "https://git.xinyang.life/";
START_SSH_SERVER = true; START_SSH_SERVER = false;
BUILTIN_SSH_SERVER_USER = "git"; SSH_USER = config.services.forgejo.user;
SSH_USER = "git";
SSH_DOMAIN = "ssh.xinyang.life"; SSH_DOMAIN = "ssh.xinyang.life";
SSH_PORT = 2222; SSH_PORT = 22;
LFS_MAX_FILE_SIZE = 10737418240; LFS_MAX_FILE_SIZE = 10737418240;
LANDING_PAGE = "/explore/repos"; LANDING_PAGE = "/explore/repos";
}; };
@ -166,13 +167,14 @@ in
ENABLE_BASIC_AUTHENTICATION = false; ENABLE_BASIC_AUTHENTICATION = false;
}; };
oauth2 = { oauth2 = {
ENABLE = false; # Disable forgejo as oauth2 provider ENABLED = false; # Disable forgejo as oauth2 provider
}; };
oauth2_client = { oauth2_client = {
ACCOUNT_LINKING = "auto"; ACCOUNT_LINKING = "auto";
USERNAME = "email";
ENABLE_AUTO_REGISTRATION = true; ENABLE_AUTO_REGISTRATION = true;
UPDATE_AVATAR = true; UPDATE_AVATAR = false;
OPENID_CONNECT_SCOPES = "openid profile email"; OPENID_CONNECT_SCOPES = "openid profile email groups";
}; };
other = { other = {
SHOW_FOOTER_VERSION = false; SHOW_FOOTER_VERSION = false;
@ -180,6 +182,22 @@ in
}; };
}; };
systemd.services.forgejo = {
serviceConfig = {
EnvironmentFile = config.sops.secrets."forgejo/env".path;
ExecStartPost = ''
${lib.getExe config.services.forgejo.package} admin auth update-oauth \
--id 1 \
--name kanidm \
--provider openidConnect \
--key forgejo \
--secret $CLIENT_SECRET \
--icon-url https://auth.xinyang.life/pkg/img/favicon.png \
--group-claim-name forgejo_role --admin-group Admin
'';
};
};
services.grafana = { services.grafana = {
enable = true; enable = true;
settings = { settings = {

3
modules/nixos/common-settings/nix-conf.nix
View file

@ -43,8 +43,7 @@ in
]; ];
extra-substituters = mkIf cfg.enableMirrors [ extra-substituters = mkIf cfg.enableMirrors [
"https://mirrors.bfsu.edu.cn/nix-channels/store?priority=100" "https://mirrors.cernet.edu.cn/nix-channels/store?priority=20"
"https://mirrors.ustc.edu.cn/nix-channels/store?priority=100"
]; ];
trusted-public-keys = [ trusted-public-keys = [