feat(massicot): provision kanidm

flake.lock

@@ -2,11 +2,11 @@
   "nodes": {
     "catppuccin": {
       "locked": {
-        "lastModified": 1720472194,
+        "lastModified": 1721784420,
-        "narHash": "sha256-CYscFEts6tyvosc1T29nxhzIYJAj/1CCEkV3ZMzSN/c=",
+        "narHash": "sha256-bgF6fN4Qgk7NErFKGuuqWXcLORsiykTYyqMUFRiAUBY=",
         "owner": "catppuccin",
         "repo": "nix",
-        "rev": "d75d5803852fb0833767dc969a4581ac13204e22",
+        "rev": "8bdb55cc1c13f572b6e4307a3c0d64f1ae286a4f",
         "type": "github"
       },
       "original": {
@@ -99,11 +99,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720734513,
+        "lastModified": 1722203588,
-        "narHash": "sha256-neWQ8eNtLTd+YMesb7WjKl1SVCbDyCm46LUgP/g/hdo=",
+        "narHash": "sha256-91V5FMSQ4z9bkhTCf0f86Zjw0bh367daSf0mzCIW0vU=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "90ae324e2c56af10f20549ab72014804a3064c7f",
+        "rev": "792757f643cedc13f02098d8ed506d82e19ec1da",
         "type": "github"
       },
       "original": {
@@ -119,11 +119,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720926593,
+        "lastModified": 1722136042,
-        "narHash": "sha256-fW6e27L6qY6s+TxInwrS2EXZZfhMAlaNqT0sWS49qMA=",
+        "narHash": "sha256-x3FmT4QSyK28itMiR5zfYhUrG5nY+2dv+AIcKfmSp5A=",
         "owner": "Mic92",
         "repo": "nix-index-database",
-        "rev": "5fe5b0cdf1268112dc96319388819b46dc051ef4",
+        "rev": "c0ca47e8523b578464014961059999d8eddd4aae",
         "type": "github"
       },
       "original": {
@@ -143,11 +143,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1720920808,
+        "lastModified": 1722302960,
-        "narHash": "sha256-aq9nBiDz0i+JH47YDtPcx/f5OaMMxy/JvBNLDMe97aI=",
+        "narHash": "sha256-byZl18UZCHy3vLhxrXp8THzlzmwNfil93ZQLY30i7/Q=",
         "owner": "nix-community",
         "repo": "nix-vscode-extensions",
-        "rev": "2571d560820e4ce23cf060a4460cebc0d9d17f60",
+        "rev": "e1a1e6cabd0140ed353e173290e6d92510f5fd66",
         "type": "github"
       },
       "original": {
@@ -158,11 +158,11 @@
     },
     "nixos-hardware": {
       "locked": {
-        "lastModified": 1720737798,
+        "lastModified": 1722278305,
-        "narHash": "sha256-G/OtEAts7ZUvW5lrGMXSb8HqRp2Jr9I7reBuvCOL54w=",
+        "narHash": "sha256-xLBAegsn9wbj+pQfbX07kykd5VBV3Ywk3IbObVAAlWA=",
         "owner": "NixOS",
         "repo": "nixos-hardware",
-        "rev": "c5013aa7ce2c7ec90acee5d965d950c8348db751",
+        "rev": "eab049fe178c11395d65a858ba1b56461ba9652d",
         "type": "github"
       },
       "original": {
@@ -174,11 +174,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1721187324,
+        "lastModified": 1722307517,
-        "narHash": "sha256-QA/hwTo9TsEbtTxFjHdyIopyRqVbC3psML9D1CuSGcg=",
+        "narHash": "sha256-QTsnr7l9MlOVMASsv6w1luxAKqR32RJceBYQlg5bpkM=",
         "owner": "xinyangli",
         "repo": "nixpkgs",
-        "rev": "5a00e83edebdcf87790dfa0a304b092f4e3ed694",
+        "rev": "ebd00a4a357b00eb56b5d11f57aeb2b1fca9be34",
         "type": "github"
       },
       "original": {
@@ -190,11 +190,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1720691131,
+        "lastModified": 1722087241,
-        "narHash": "sha256-CWT+KN8aTPyMIx8P303gsVxUnkinIz0a/Cmasz1jyIM=",
+        "narHash": "sha256-2ShmEaFi0kJVOEEu5gmlykN5dwjWYWYUJmlRTvZQRpU=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "a046c1202e11b62cbede5385ba64908feb7bfac4",
+        "rev": "8c50662509100d53229d4be607f1a3a31157fa12",
         "type": "github"
       },
       "original": {
@@ -206,11 +206,11 @@
     },
     "nixpkgs-stable_2": {
       "locked": {
-        "lastModified": 1720915306,
+        "lastModified": 1721524707,
-        "narHash": "sha256-6vuViC56+KSr+945bCV8akHK+7J5k6n/epYg/W3I5eQ=",
+        "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "74348da2f3a312ee25cea09b98cdba4cb9fa5d5d",
+        "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
         "type": "github"
       },
       "original": {
@@ -222,11 +222,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1720935990,
+        "lastModified": 1722304333,
-        "narHash": "sha256-SAji50yPFmnQfD2XsDHk6tqEkRHDcWMpEoOlnEneqAY=",
+        "narHash": "sha256-fC+PkQuMo1DykB7my6VLPOQi6ugnZuOGdGmAAKCmFVY=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "42851361fdfde870bfd7e3c71f2ac5d3113c63d6",
+        "rev": "6cfe9fb0882d3d57fd67c783905757bb10b9115e",
         "type": "github"
       },
       "original": {
@@ -258,11 +258,11 @@
         "nixpkgs-stable": "nixpkgs-stable_2"
       },
       "locked": {
-        "lastModified": 1720926522,
+        "lastModified": 1722114803,
-        "narHash": "sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY=",
+        "narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "0703ba03fd9c1665f8ab68cc3487302475164617",
+        "rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab",
         "type": "github"
       },
       "original": {

flake.nix

@@ -59,6 +59,7 @@
     , ... }@inputs:
     let
       sharedHmModules = [
+        inputs.sops-nix.homeManagerModules.sops
         inputs.nix-index-database.hmModules.nix-index
         catppuccin.homeManagerModules.catppuccin
         self.homeManagerModules
@@ -100,6 +101,7 @@
       };
     in
     {
+      nixpkgs = nixpkgs;
       nixosModules.default = import ./modules/nixos;
       homeManagerModules = import ./modules/home-manager;
 
@@ -175,6 +177,18 @@
               machines/raspite/configuration.nix
             ] ++ sharedColmenaModules;
           };
+
+          weilite = { ... }: {
+            imports = [
+              machines/weilite
+            ] ++ sharedColmenaModules;
+            deployment = {
+              targetHost = "weilite.coho-tet.ts.net";
+              targetPort = 22;
+              buildOnTarget = false;
+            };
+            nixpkgs.system = "x86_64-linux";
+          };
         };
 
       nixosConfigurations = {

home/xin/calcite.nix

@@ -54,4 +54,9 @@
     vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; };
     zellij = { enable = true; };
   };
+
+  programs.atuin = {
+    enable = true;
+    flags = [ "--disable-up-arrow" ];
+  };
 }

machines/massicot/default.nix

@@ -33,6 +33,7 @@
   boot.loader.grub = {
     enable = true;
     efiSupport = true;
+    configurationLimit = 5;
   };
 
   fileSystems."/mnt/storage" = {

machines/massicot/services.nix

@@ -63,6 +63,7 @@ in
     };
   };
   services.kanidm = {
+    package = pkgs.kanidm.withSecretProvisioning;
     enableServer = true;
     serverSettings = {
       domain = "auth.xinyang.life";
@@ -72,6 +73,84 @@ in
       tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
       # db_path = "/var/lib/kanidm/kanidm.db";
     };
+    provision = {
+      enable = true;
+      autoRemove = true;
+      groups = {
+        forgejo-access = {
+          members = [ "xin" ];
+        };
+        gts-users = {
+          members = [ "xin" ];
+        };
+        ocis-users = {
+          members = [ "xin" ];
+        };
+        linux_users = {
+          members = [ "xin" ];
+        };
+        hedgedoc-users = {
+          members = [ "xin" ];
+        };
+        immich-users = {
+          members = [ "xin" "zhuo" ];
+        };
+      };
+      persons = {
+        xin = {
+          displayName = "Xinyang Li";
+          mailAddresses = [ "lixinyang411@gmail.com" ];
+        };
+        
+        zhuo = {
+          displayName = "Zhuo";
+          mailAddresses = [ "13681104320@163.com" ];
+        };
+      };
+      systems.oauth2 = {
+        forgejo = {
+          displayName = "ForgeJo";
+          originUrl = "https://git.xinyang.life/";
+          originLanding = "	https://git.xinyang.life/user/oauth2/kandim";
+          allowInsecureClientDisablePkce = true;
+          scopeMaps = {
+            forgejo-access = [ "openid" "email" "profile" "groups" ];
+          };
+        };
+        gts = {
+          displayName = "GoToSocial";
+          originUrl = "https://xinyang.life/";
+          allowInsecureClientDisablePkce = true;
+          scopeMaps = {
+            gts-users = [ "openid" "email" "profile" "groups" ];
+          };
+        };
+        owncloud = {
+          displayName = "ownCloud";
+          originUrl = "https://home.xinyang.life:9201/";
+          public = true;
+          scopeMaps = {
+            ocis-users = [ "openid" "email" "profile" ];
+          };
+        };
+        hedgedoc = {
+          displayName = "HedgeDoc";
+          originUrl = "https://docs.xinyang.life/";
+          allowInsecureClientDisablePkce = true;
+          scopeMaps = {
+            hedgedoc-users = [ "openid" "email" "profile" ];
+          };
+        };
+        immich-mobile = {
+          displayName = "Immich";
+          originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
+          allowInsecureClientDisablePkce = true;
+          scopeMaps = {
+            immich-users = [ "openid" "email" "profile" ];
+          };
+        };
+      };
+    };
   };
   services.matrix-conduit = {
     enable = true;
@@ -179,10 +258,6 @@ in
     
     virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
         reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
-        route {
-           reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first
-           abort
-        }
     '';
     virtualHosts."https://auth.xinyang.life".extraConfig = ''
       reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {

machines/weilite/default.nix

@@ -0,0 +1,88 @@
+{ config, pkgs, lib, modulesPath, ... }:
+
+with lib;
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  config = {
+    networking.hostName = "weilite";
+    commonSettings = {
+      auth.enable = true;
+      nix = {
+        enable = true;
+        enableMirrors = true;
+      };
+    };
+
+    boot = {
+      loader =  {
+        systemd-boot.enable = true;
+        efi.canTouchEfiVariables = true;
+      };
+      initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
+      kernelModules = [ "kvm-intel" ];
+    };
+
+    environment.systemPackages = [
+      pkgs.virtiofsd
+    ];
+
+    systemd.mounts = [
+      { what = "XinPhotos";
+        where = "/mnt/XinPhotos";
+        type = "virtiofs";
+        wantedBy = [ "immich-server.service" ];
+      }
+    ];
+
+    services.openssh.ports = [ 22 2222 ];
+
+    services.immich = {
+      enable = true;
+      mediaLocation = "/mnt/XinPhotos/immich";
+      host = "127.0.0.1";
+      port = 3001;
+      openFirewall = true;
+      machine-learning.enable = false;
+      environment = {
+        IMMICH_MACHINE_LEARNING_ENABLED = "false";
+      };
+    };
+
+    services.dae = {
+      enable = true;
+      configFile = "/var/lib/dae/config.dae";
+    };
+
+    services.tailscale = {
+      enable = true;
+      openFirewall = true;
+      permitCertUid = "caddy";
+    };
+
+    services.caddy = {
+      enable = true;
+      virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
+        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
+      '';
+    };
+
+    time.timeZone = "Asia/Shanghai";
+  
+    fileSystems."/" = {
+      device = "/dev/disk/by-label/nixos";
+      fsType = "btrfs";
+    };
+
+    fileSystems."/boot" = {
+      device = "/dev/sda1";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+    system.stateVersion = "24.11";
+  };
+}

modules/home-manager/zellij.nix

@@ -19,6 +19,13 @@ in
             "Ctrl p"
             "Ctrl n"
           ];
+          shared_except = {
+            _args = [ "pane" "locked" ];
+            bind = {
+              _args = [ "Ctrl b"];
+              SwitchToMode = "Pane";
+            };
+          };
         };
       };
     };

modules/nixos/common-settings/auth.nix

@@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkIf mkEnableOption mkOption types;
+
+  cfg = config.commonSettings.auth;
+in
+{
+  options.commonSettings.auth = {
+    enable = mkEnableOption "Common auth settings for servers";
+  };
+
+  config = mkIf cfg.enable {
+    custom.kanidm-client = {
+      enable = true;
+      uri = "https://auth.xinyang.life";
+      asSSHAuth = {
+        enable = true;
+        allowedGroups = [ "linux_users" ];
+      };
+      sudoers = [ "xin@auth.xinyang.life" ];
+    };
+
+    services.openssh = {
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitRootLogin = "no";
+        GSSAPIAuthentication = "no";
+        KerberosAuthentication = "no";
+      };
+    };
+    services.fail2ban.enable = true;
+
+    security.sudo = {
+      execWheelOnly = true;
+      wheelNeedsPassword = false;
+    };
+  };
+}
+

modules/nixos/default.nix

@@ -1,7 +1,8 @@
 { config, pkgs, ... }:
 {
   imports = [
-    ./common-nix-conf.nix
+    ./common-settings/auth.nix
+    ./common-settings/nix-conf.nix
     ./restic.nix
     ./vaultwarden.nix
     ./prometheus.nix

modules/nixos/vaultwarden.nix

@@ -22,8 +22,8 @@ in
       # TODO: mailserver support
     };
   };
-  config = {
+  config = mkIf cfg.enable {
-    services.vaultwarden = mkIf cfg.enable {
+    services.vaultwarden =  {
       enable = true;
       dbBackend = "sqlite";
       config = {