massicot: unclutter services

machines/massicot/services/kanidm/default.nix

@@ -0,0 +1,52 @@
+{ config, pkgs, ... }:
+let
+  kanidm_listen_port = 5324;
+in
+{
+  config = {
+    services.caddy = {
+      virtualHosts."http://auth.xinyang.life:80".extraConfig = ''
+        reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP}
+      '';
+      virtualHosts."https://auth.xinyang.life".extraConfig = ''
+        reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
+            header_up Host {upstream_hostport}
+            header_down Access-Control-Allow-Origin "*"
+            transport http {
+                tls_server_name ${config.services.kanidm.serverSettings.domain}
+            }
+        }
+      '';
+    };
+
+    services.kanidm = {
+      package = pkgs.kanidm.withSecretProvisioning;
+      enableServer = true;
+      serverSettings = {
+        domain = "auth.xinyang.life";
+        origin = "https://auth.xinyang.life";
+        bindaddress = "[::]:${toString kanidm_listen_port}";
+        tls_key = ''${config.security.acme.certs."auth.xinyang.life".directory}/key.pem'';
+        tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
+        online_backup.versions = 7;
+        # db_path = "/var/lib/kanidm/kanidm.db";
+      };
+      provision = import ./kanidm-provision.nix;
+    };
+
+    networking.firewall.allowedTCPPorts = [
+      80
+      443
+    ];
+
+    security.acme = {
+      acceptTerms = true;
+      certs."auth.xinyang.life" = {
+        email = "lixinyang411@gmail.com";
+        listenHTTP = "127.0.0.1:1360";
+        group = "kanidm";
+      };
+    };
+
+  };
+}

machines/massicot/services/kanidm/kanidm-provision.nix

@@ -0,0 +1,178 @@
+{
+  enable = true;
+  autoRemove = true;
+  groups = {
+    forgejo-access = {
+      members = [ "xin" ];
+    };
+    forgejo-admin = {
+      members = [ "xin" ];
+    };
+    gts-users = {
+      members = [ "xin" ];
+    };
+    ocis-users = {
+      members = [ "xin" ];
+    };
+    linux_users = {
+      members = [ "xin" ];
+    };
+    hedgedoc-users = {
+      members = [ "xin" ];
+    };
+    immich-users = {
+      members = [
+        "xin"
+        "zhuo"
+        "ycm"
+      ];
+    };
+    grafana-superadmins = {
+      members = [ "xin" ];
+    };
+    grafana-admins = {
+      members = [ "xin" ];
+    };
+    grafana-editors = {
+      members = [ "xin" ];
+    };
+    grafana-users = {
+      members = [ "xin" ];
+    };
+    miniflux-users = {
+      members = [ "xin" ];
+    };
+    idm_people_self_mail_write = {
+      members = [ ];
+    };
+  };
+  persons = {
+    xin = {
+      displayName = "Xinyang Li";
+      mailAddresses = [ "lixinyang411@gmail.com" ];
+    };
+
+    zhuo = {
+      displayName = "Zhuo";
+      mailAddresses = [ "13681104320@163.com" ];
+    };
+
+    ycm = {
+      displayName = "Chunming";
+      mailAddresses = [ "chunmingyou@gmail.com" ];
+    };
+  };
+  systems.oauth2 = {
+    forgejo = {
+      displayName = "ForgeJo";
+      originUrl = "https://git.xinyang.life/";
+      originLanding = "https://git.xinyang.life/user/oauth2/kandim";
+      allowInsecureClientDisablePkce = true;
+      scopeMaps = {
+        forgejo-access = [
+          "openid"
+          "email"
+          "profile"
+          "groups"
+        ];
+      };
+      claimMaps = {
+        forgejo_role = {
+          joinType = "array";
+          valuesByGroup = {
+            forgejo-access = [ "Access" ];
+            forgejo-admin = [ "Admin" ];
+          };
+        };
+      };
+    };
+    gts = {
+      displayName = "GoToSocial";
+      originUrl = "https://xinyang.life/";
+      originLanding = "https://xinyang.life/";
+      allowInsecureClientDisablePkce = true;
+      scopeMaps = {
+        gts-users = [
+          "openid"
+          "email"
+          "profile"
+          "groups"
+        ];
+      };
+    };
+    owncloud = {
+      displayName = "ownCloud";
+      originUrl = "https://home.xinyang.life:9201/";
+      originLanding = "https://home.xinyang.life:9201/";
+      public = true;
+      scopeMaps = {
+        ocis-users = [
+          "openid"
+          "email"
+          "profile"
+        ];
+      };
+    };
+    hedgedoc = {
+      displayName = "HedgeDoc";
+      originUrl = "https://docs.xinyang.life/";
+      originLanding = "https://docs.xinyang.life/auth/oauth2";
+      allowInsecureClientDisablePkce = true;
+      scopeMaps = {
+        hedgedoc-users = [
+          "openid"
+          "email"
+          "profile"
+        ];
+      };
+    };
+    immich-mobile = {
+      displayName = "Immich";
+      originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
+      originLanding = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
+      allowInsecureClientDisablePkce = true;
+      scopeMaps = {
+        immich-users = [
+          "openid"
+          "email"
+          "profile"
+        ];
+      };
+    };
+    miniflux = {
+      displayName = "Miniflux";
+      originUrl = "https://rss.xinyang.life/";
+      originLanding = "https://rss.xinyang.life/";
+      scopeMaps = {
+        miniflux-users = [
+          "openid"
+          "email"
+          "profile"
+        ];
+      };
+    };
+    grafana = {
+      displayName = "Grafana";
+      originUrl = "https://grafana.xinyang.life/";
+      originLanding = "https://grafana.xinyang.life/";
+      scopeMaps = {
+        grafana-users = [
+          "openid"
+          "email"
+          "profile"
+          "groups"
+        ];
+      };
+      claimMaps = {
+        grafana_role = {
+          joinType = "array";
+          valuesByGroup = {
+            grafana-superadmins = [ "GrafanaAdmin" ];
+            grafana-admins = [ "Admin" ];
+            grafana-editors = [ "Editor" ];
+          };
+        };
+      };
+    };
+  };
+}