feat(massicot): provision kanidm

feat(weilite): add a vm for running immich
feat(modules): add modules for some common settings
2024-07-30 10:59:12 +08:00 · 2024-07-29 14:56:28 +08:00 · 2024-07-29 14:56:01 +08:00 · 2024-07-22 16:45:21 +08:00 · 2024-07-22 16:43:02 +08:00
11 changed files with 269 additions and 37 deletions
--- a/flake.lock
+++ b/flake.lock
@ -2,11 +2,11 @@
  "nodes": {
    "catppuccin": {
      "locked": {
-        "lastModified": 1720472194,
-        "narHash": "sha256-CYscFEts6tyvosc1T29nxhzIYJAj/1CCEkV3ZMzSN/c=",
+        "lastModified": 1721784420,
+        "narHash": "sha256-bgF6fN4Qgk7NErFKGuuqWXcLORsiykTYyqMUFRiAUBY=",
        "owner": "catppuccin",
        "repo": "nix",
-        "rev": "d75d5803852fb0833767dc969a4581ac13204e22",
+        "rev": "8bdb55cc1c13f572b6e4307a3c0d64f1ae286a4f",
        "type": "github"
      },
      "original": {
@ -99,11 +99,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1720734513,
-        "narHash": "sha256-neWQ8eNtLTd+YMesb7WjKl1SVCbDyCm46LUgP/g/hdo=",
+        "lastModified": 1722203588,
+        "narHash": "sha256-91V5FMSQ4z9bkhTCf0f86Zjw0bh367daSf0mzCIW0vU=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "90ae324e2c56af10f20549ab72014804a3064c7f",
+        "rev": "792757f643cedc13f02098d8ed506d82e19ec1da",
        "type": "github"
      },
      "original": {
@ -119,11 +119,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1720926593,
-        "narHash": "sha256-fW6e27L6qY6s+TxInwrS2EXZZfhMAlaNqT0sWS49qMA=",
+        "lastModified": 1722136042,
+        "narHash": "sha256-x3FmT4QSyK28itMiR5zfYhUrG5nY+2dv+AIcKfmSp5A=",
        "owner": "Mic92",
        "repo": "nix-index-database",
-        "rev": "5fe5b0cdf1268112dc96319388819b46dc051ef4",
+        "rev": "c0ca47e8523b578464014961059999d8eddd4aae",
        "type": "github"
      },
      "original": {
@ -143,11 +143,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1720920808,
-        "narHash": "sha256-aq9nBiDz0i+JH47YDtPcx/f5OaMMxy/JvBNLDMe97aI=",
+        "lastModified": 1722302960,
+        "narHash": "sha256-byZl18UZCHy3vLhxrXp8THzlzmwNfil93ZQLY30i7/Q=",
        "owner": "nix-community",
        "repo": "nix-vscode-extensions",
-        "rev": "2571d560820e4ce23cf060a4460cebc0d9d17f60",
+        "rev": "e1a1e6cabd0140ed353e173290e6d92510f5fd66",
        "type": "github"
      },
      "original": {
@ -158,11 +158,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1720737798,
-        "narHash": "sha256-G/OtEAts7ZUvW5lrGMXSb8HqRp2Jr9I7reBuvCOL54w=",
+        "lastModified": 1722278305,
+        "narHash": "sha256-xLBAegsn9wbj+pQfbX07kykd5VBV3Ywk3IbObVAAlWA=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "c5013aa7ce2c7ec90acee5d965d950c8348db751",
+        "rev": "eab049fe178c11395d65a858ba1b56461ba9652d",
        "type": "github"
      },
      "original": {
@ -174,11 +174,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1721187324,
-        "narHash": "sha256-QA/hwTo9TsEbtTxFjHdyIopyRqVbC3psML9D1CuSGcg=",
+        "lastModified": 1722307517,
+        "narHash": "sha256-QTsnr7l9MlOVMASsv6w1luxAKqR32RJceBYQlg5bpkM=",
        "owner": "xinyangli",
        "repo": "nixpkgs",
-        "rev": "5a00e83edebdcf87790dfa0a304b092f4e3ed694",
+        "rev": "ebd00a4a357b00eb56b5d11f57aeb2b1fca9be34",
        "type": "github"
      },
      "original": {
@ -190,11 +190,11 @@
    },
    "nixpkgs-stable": {
      "locked": {
-        "lastModified": 1720691131,
-        "narHash": "sha256-CWT+KN8aTPyMIx8P303gsVxUnkinIz0a/Cmasz1jyIM=",
+        "lastModified": 1722087241,
+        "narHash": "sha256-2ShmEaFi0kJVOEEu5gmlykN5dwjWYWYUJmlRTvZQRpU=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "a046c1202e11b62cbede5385ba64908feb7bfac4",
+        "rev": "8c50662509100d53229d4be607f1a3a31157fa12",
        "type": "github"
      },
      "original": {
@ -206,11 +206,11 @@
    },
    "nixpkgs-stable_2": {
      "locked": {
-        "lastModified": 1720915306,
-        "narHash": "sha256-6vuViC56+KSr+945bCV8akHK+7J5k6n/epYg/W3I5eQ=",
+        "lastModified": 1721524707,
+        "narHash": "sha256-5NctRsoE54N86nWd0psae70YSLfrOek3Kv1e8KoXe/0=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "74348da2f3a312ee25cea09b98cdba4cb9fa5d5d",
+        "rev": "556533a23879fc7e5f98dd2e0b31a6911a213171",
        "type": "github"
      },
      "original": {
@ -222,11 +222,11 @@
    },
    "nur": {
      "locked": {
-        "lastModified": 1720935990,
-        "narHash": "sha256-SAji50yPFmnQfD2XsDHk6tqEkRHDcWMpEoOlnEneqAY=",
+        "lastModified": 1722304333,
+        "narHash": "sha256-fC+PkQuMo1DykB7my6VLPOQi6ugnZuOGdGmAAKCmFVY=",
        "owner": "nix-community",
        "repo": "NUR",
-        "rev": "42851361fdfde870bfd7e3c71f2ac5d3113c63d6",
+        "rev": "6cfe9fb0882d3d57fd67c783905757bb10b9115e",
        "type": "github"
      },
      "original": {
@ -258,11 +258,11 @@
        "nixpkgs-stable": "nixpkgs-stable_2"
      },
      "locked": {
-        "lastModified": 1720926522,
-        "narHash": "sha256-eTpnrT6yu1vp8C0B5fxHXhgKxHoYMoYTEikQx///jxY=",
+        "lastModified": 1722114803,
+        "narHash": "sha256-s6YhI8UHwQvO4cIFLwl1wZ1eS5Cuuw7ld2VzUchdFP0=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "0703ba03fd9c1665f8ab68cc3487302475164617",
+        "rev": "eb34eb588132d653e4c4925d862f1e5a227cc2ab",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -59,6 +59,7 @@
    , ... }@inputs:
    let
      sharedHmModules = [
+        inputs.sops-nix.homeManagerModules.sops
        inputs.nix-index-database.hmModules.nix-index
        catppuccin.homeManagerModules.catppuccin
        self.homeManagerModules
@ -100,6 +101,7 @@
      };
    in
    {
+      nixpkgs = nixpkgs;
      nixosModules.default = import ./modules/nixos;
      homeManagerModules = import ./modules/home-manager;

@ -175,6 +177,18 @@
              machines/raspite/configuration.nix
            ] ++ sharedColmenaModules;
          };
+
+          weilite = { ... }: {
+            imports = [
+              machines/weilite
+            ] ++ sharedColmenaModules;
+            deployment = {
+              targetHost = "weilite.coho-tet.ts.net";
+              targetPort = 22;
+              buildOnTarget = false;
+            };
+            nixpkgs.system = "x86_64-linux";
+          };
        };

      nixosConfigurations = {
--- a/home/xin/calcite.nix
+++ b/home/xin/calcite.nix
@ -54,4 +54,9 @@
    vscode = { enable = true; languages = { cxx = true; python = true; scala = true; latex = true; }; };
    zellij = { enable = true; };
  };
+
+  programs.atuin = {
+    enable = true;
+    flags = [ "--disable-up-arrow" ];
+  };
 }
--- a/machines/massicot/default.nix
+++ b/machines/massicot/default.nix
@ -33,6 +33,7 @@
  boot.loader.grub = {
    enable = true;
    efiSupport = true;
+    configurationLimit = 5;
  };

  fileSystems."/mnt/storage" = {
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
@ -63,6 +63,7 @@ in
    };
  };
  services.kanidm = {
+    package = pkgs.kanidm.withSecretProvisioning;
    enableServer = true;
    serverSettings = {
      domain = "auth.xinyang.life";
@ -72,6 +73,84 @@ in
      tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
      # db_path = "/var/lib/kanidm/kanidm.db";
    };
+    provision = {
+      enable = true;
+      autoRemove = true;
+      groups = {
+        forgejo-access = {
+          members = [ "xin" ];
+        };
+        gts-users = {
+          members = [ "xin" ];
+        };
+        ocis-users = {
+          members = [ "xin" ];
+        };
+        linux_users = {
+          members = [ "xin" ];
+        };
+        hedgedoc-users = {
+          members = [ "xin" ];
+        };
+        immich-users = {
+          members = [ "xin" "zhuo" ];
+        };
+      };
+      persons = {
+        xin = {
+          displayName = "Xinyang Li";
+          mailAddresses = [ "lixinyang411@gmail.com" ];
+        };
+        
+        zhuo = {
+          displayName = "Zhuo";
+          mailAddresses = [ "13681104320@163.com" ];
+        };
+      };
+      systems.oauth2 = {
+        forgejo = {
+          displayName = "ForgeJo";
+          originUrl = "https://git.xinyang.life/";
+          originLanding = "	https://git.xinyang.life/user/oauth2/kandim";
+          allowInsecureClientDisablePkce = true;
+          scopeMaps = {
+            forgejo-access = [ "openid" "email" "profile" "groups" ];
+          };
+        };
+        gts = {
+          displayName = "GoToSocial";
+          originUrl = "https://xinyang.life/";
+          allowInsecureClientDisablePkce = true;
+          scopeMaps = {
+            gts-users = [ "openid" "email" "profile" "groups" ];
+          };
+        };
+        owncloud = {
+          displayName = "ownCloud";
+          originUrl = "https://home.xinyang.life:9201/";
+          public = true;
+          scopeMaps = {
+            ocis-users = [ "openid" "email" "profile" ];
+          };
+        };
+        hedgedoc = {
+          displayName = "HedgeDoc";
+          originUrl = "https://docs.xinyang.life/";
+          allowInsecureClientDisablePkce = true;
+          scopeMaps = {
+            hedgedoc-users = [ "openid" "email" "profile" ];
+          };
+        };
+        immich-mobile = {
+          displayName = "Immich";
+          originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
+          allowInsecureClientDisablePkce = true;
+          scopeMaps = {
+            immich-users = [ "openid" "email" "profile" ];
+          };
+        };
+      };
+    };
  };
  services.matrix-conduit = {
    enable = true;
@ -179,10 +258,6 @@ in
    
    virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
        reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
-        route {
-           reverse_proxy * ${config.security.acme.certs."auth.xinyang.life".listenHTTP} order first
-           abort
-        }
    '';
    virtualHosts."https://auth.xinyang.life".extraConfig = ''
      reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
--- a/machines/weilite/default.nix
+++ b/machines/weilite/default.nix
@ -0,0 +1,88 @@
+{ config, pkgs, lib, modulesPath, ... }:
+
+with lib;
+
+{
+  imports = [
+    (modulesPath + "/profiles/qemu-guest.nix")
+  ];
+
+  config = {
+    networking.hostName = "weilite";
+    commonSettings = {
+      auth.enable = true;
+      nix = {
+        enable = true;
+        enableMirrors = true;
+      };
+    };
+
+    boot = {
+      loader =  {
+        systemd-boot.enable = true;
+        efi.canTouchEfiVariables = true;
+      };
+      initrd.availableKernelModules = [ "uhci_hcd" "ehci_pci" "ahci" "usb_storage" "sd_mod" ];
+      kernelModules = [ "kvm-intel" ];
+    };
+
+    environment.systemPackages = [
+      pkgs.virtiofsd
+    ];
+
+    systemd.mounts = [
+      { what = "XinPhotos";
+        where = "/mnt/XinPhotos";
+        type = "virtiofs";
+        wantedBy = [ "immich-server.service" ];
+      }
+    ];
+
+    services.openssh.ports = [ 22 2222 ];
+
+    services.immich = {
+      enable = true;
+      mediaLocation = "/mnt/XinPhotos/immich";
+      host = "127.0.0.1";
+      port = 3001;
+      openFirewall = true;
+      machine-learning.enable = false;
+      environment = {
+        IMMICH_MACHINE_LEARNING_ENABLED = "false";
+      };
+    };
+
+    services.dae = {
+      enable = true;
+      configFile = "/var/lib/dae/config.dae";
+    };
+
+    services.tailscale = {
+      enable = true;
+      openFirewall = true;
+      permitCertUid = "caddy";
+    };
+
+    services.caddy = {
+      enable = true;
+      virtualHosts."weilite.coho-tet.ts.net:8080".extraConfig = ''
+        reverse_proxy 127.0.0.1:${toString config.services.immich.port}
+      '';
+    };
+
+    time.timeZone = "Asia/Shanghai";
+  
+    fileSystems."/" = {
+      device = "/dev/disk/by-label/nixos";
+      fsType = "btrfs";
+    };
+
+    fileSystems."/boot" = {
+      device = "/dev/sda1";
+      fsType = "vfat";
+      options = [ "fmask=0022" "dmask=0022" ];
+    };
+
+    system.stateVersion = "24.11";
+  };
+}
--- a/modules/home-manager/zellij.nix
+++ b/modules/home-manager/zellij.nix
@ -19,6 +19,13 @@ in
            "Ctrl p"
            "Ctrl n"
          ];
+          shared_except = {
+            _args = [ "pane" "locked" ];
+            bind = {
+              _args = [ "Ctrl b"];
+              SwitchToMode = "Pane";
+            };
+          };
        };
      };
    };
--- a/modules/nixos/common-settings/auth.nix
+++ b/modules/nixos/common-settings/auth.nix
@ -0,0 +1,41 @@
+{ config, lib, pkgs, ... }:
+
+let
+  inherit (lib) mkIf mkEnableOption mkOption types;
+
+  cfg = config.commonSettings.auth;
+in
+{
+  options.commonSettings.auth = {
+    enable = mkEnableOption "Common auth settings for servers";
+  };
+
+  config = mkIf cfg.enable {
+    custom.kanidm-client = {
+      enable = true;
+      uri = "https://auth.xinyang.life";
+      asSSHAuth = {
+        enable = true;
+        allowedGroups = [ "linux_users" ];
+      };
+      sudoers = [ "xin@auth.xinyang.life" ];
+    };
+
+    services.openssh = {
+      settings = {
+        PasswordAuthentication = false;
+        KbdInteractiveAuthentication = false;
+        PermitRootLogin = "no";
+        GSSAPIAuthentication = "no";
+        KerberosAuthentication = "no";
+      };
+    };
+    services.fail2ban.enable = true;
+
+    security.sudo = {
+      execWheelOnly = true;
+      wheelNeedsPassword = false;
+    };
+  };
+}
+
--- a/modules/nixos/common-settings/nix-conf.nix
+++ b/modules/nixos/common-settings/nix-conf.nix
--- a/modules/nixos/default.nix
+++ b/modules/nixos/default.nix
@ -1,7 +1,8 @@
 { config, pkgs, ... }:
 {
  imports = [
-    ./common-nix-conf.nix
+    ./common-settings/auth.nix
+    ./common-settings/nix-conf.nix
    ./restic.nix
    ./vaultwarden.nix
    ./prometheus.nix
--- a/modules/nixos/vaultwarden.nix
+++ b/modules/nixos/vaultwarden.nix
@ -22,8 +22,8 @@ in
      # TODO: mailserver support
    };
  };
-  config = {
-    services.vaultwarden = mkIf cfg.enable {
+  config = mkIf cfg.enable {
+    services.vaultwarden =  {
      enable = true;
      dbBackend = "sqlite";
      config = {
Author	SHA1	Message	Date
xinyangli	c4cb116514	feat(massicot): provision kanidm	2024-07-30 10:59:12 +08:00
xinyangli	56f7449ed9	feat(weilite): add a vm for running immich	2024-07-29 14:56:28 +08:00
xinyangli	ffb223d03f	feat(modules): add modules for some common settings	2024-07-29 14:56:01 +08:00
xinyangli	1ce5b9ef9a	feat(home-manager): add atuin	2024-07-22 16:45:21 +08:00
xinyangli	837149b8f6	feat(home-manager): bind zellij pane key	2024-07-22 16:43:02 +08:00