biotite: move services to new machines and new domain

- related services: forgejo, miniflux, vaultwarden - moved from xinyang.life to xiny.li - clean up modules
2024-12-04 16:02:03 +08:00 · 2024-12-04 16:02:03 +08:00 · ad9c205fc5
commit ad9c205fc5
parent 947e97ce4e
18 changed files with 263 additions and 670 deletions
--- a/machines/biotite/default.nix
+++ b/machines/biotite/default.nix
@ -10,6 +10,10 @@
    ./services/gotosocial.nix
    ./services/synapse.nix
    ./services/restic.nix
+    ./services/miniflux.nix
+    ./services/hedgedoc.nix
+    ./services/forgejo.nix
+    ./services/vaultwarden.nix
  ];

  networking.hostName = "biotite";
--- a/machines/biotite/secrets.yaml
+++ b/machines/biotite/secrets.yaml
@ -5,6 +5,12 @@ synapse:
 restic:
    repo_url: ENC[AES256_GCM,data:ZcBMqwEsyc7zyEftJZj4XkKBzUHwlqd6cjX8xVDn9m26jBL7aP5atpnXDRE9FXY4CuAllFyQZyAOQ2L61Nfx+iplL2ADbSoH,iv:fhNODiyoOlZEqYR2O/GsH2IWTPDr3rXSJgWC/EFDLSA=,tag:nZdKKnpiszSiXxdZI1KQ/A==,type:str]
    repo_password: ENC[AES256_GCM,data:9YDOz1tiyykz6zSXboWtIg==,iv:j96mRLXGuD4NZcC0Nv1yXFbtOlr6UborqclefZ7J94w=,tag:MqhSewK2NuckTJBf7xu+lA==,type:str]
+miniflux:
+    oauth2_secret: ENC[AES256_GCM,data:/WtZemrdKU8bQbxzrAn437uqoJSO+yZSUDCnxovXV0HFZYQvAn2rbMrgOdoc1OuP,iv:xENKuGDYS1ctnO/WkGv1TxjtQYZ8p64Ik/lMIIam4Q0=,tag:RbAA0LUmsAQDqEM5+a2quQ==,type:str]
+hedgedoc:
+    client_secret: ENC[AES256_GCM,data:J6lRBM7V6F+gPYVyEbOzsFUQe8+3ggP0r58c655DNt7TGgKGdq95pRvLaghMmBCc,iv:i+eLYwnmG1/bKtad2iM2pwEAC3GZLNaKS5ldbubRvyY=,tag:yxaug6YdYo8RR3YOyHd/iA==,type:str]
+forgejo:
+    client_secret: ENC[AES256_GCM,data:5OXhaGzBCbge2tvTaU4ry6/KoavQeYJ45EuakCQJlxb5gMXjRK/s+feF25YJSr2f,iv:TT8j+ciKeSQCZzu1E7D70hWNFpn0cGiomz7jURXjavc=,tag:JVJR033Pc2vaLudaovkl8w==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -29,8 +35,8 @@ sops:
            RzBMVDNjS29SUkdRK3dIV01sU0hYR3cK1SbvKAM6Gpsffv3HIi/WtWnCZUBic0AT
            ZRv4pvJBx1oxWsKIHW0t6VrqWMQ+suup8p6dW+h5HE8Z4ciIMrXLEg==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-03T07:38:24Z"
-    mac: ENC[AES256_GCM,data:KMKdwgu9+3DjG1lrQYQEz/jYWsHUBK6RgHRyRKzWG0jTDg30owRpCgnSnX5gHzygmSYSnVRtcTOWzqm5bI7/KJkXBivaqkLqCh6EHnTj+pnAHmeEOAjoOVLOMSCEYvHMf/EuJIL199Hf2G12LtulDJV7Wi5r5Jy8L9odVlYuM9g=,iv:WTeqWdIztScZnXc2hzI7JHO/4ySgqycOp2eN9EPTQpw=,tag:lTMrE5JVVFCIDehXCxJZoQ==,type:str]
+    lastmodified: "2024-12-04T05:07:32Z"
+    mac: ENC[AES256_GCM,data:hD7645epMVYHU6K1AZsHu+fp/PMIqqiZpv7K4Vxzo84slzn0CfZSYaVaYxKNGjOIgEGN9D2FFmq9WL6ChMskMfqqafY7qDpSQqFp9TUwb5jN34XcQg9vplfNw+lMqsnDCt1HENWErRnlDxTI2ctSEcx3UKGBOQ3ttLzUIySdnFY=,iv:reOsqvc8E3l8yxb5gVcqF/rU2o2yKmaUyGNRNT+Skx8=,tag:eBoV8G+X0cPs3Q1xAuv55w==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
    version: 3.9.1
--- a/machines/biotite/services/forgejo.nix
+++ b/machines/biotite/services/forgejo.nix
@ -0,0 +1,113 @@
+{
+  config,
+  pkgs,
+  lib,
+  my-lib,
+  ...
+}:
+let
+  inherit (lib) getExe;
+  inherit (my-lib.settings) idpUrl forgejoDomain forgejoGitDomain;
+  settings = {
+    service.DISABLE_REGISTRATION = true;
+    server = {
+      DOMAIN = forgejoDomain;
+      ROOT_URL = "https://${forgejoDomain}";
+      HTTP_ADDR = "/var/run/forgejo/forgejo.sock";
+      START_SSH_SERVER = false;
+      SSH_USER = config.services.forgejo.user;
+      SSH_DOMAIN = forgejoGitDomain;
+      SSH_PORT = 22;
+      PROTOCOL = "http+unix";
+      LFS_MAX_FILE_SIZE = 10737418240;
+      LANDING_PAGE = "/explore/repos";
+    };
+    repository = {
+      ENABLE_PUSH_CREATE_USER = true;
+    };
+    service = {
+      ENABLE_BASIC_AUTHENTICATION = false;
+    };
+    oauth2 = {
+      ENABLED = false; # Disable forgejo as oauth2 provider
+    };
+    oauth2_client = {
+      ACCOUNT_LINKING = "auto";
+      USERNAME = "email";
+      ENABLE_AUTO_REGISTRATION = true;
+      UPDATE_AVATAR = false;
+      OPENID_CONNECT_SCOPES = "openid profile email groups";
+    };
+    other = {
+      SHOW_FOOTER_VERSION = false;
+    };
+  };
+in
+{
+  sops.secrets."forgejo/client_secret" = { };
+  sops.templates."forgejo/env" = {
+    content = ''
+      CLIENT_SECRET=${config.sops.placeholder."forgejo/client_secret"}
+    '';
+    owner = config.systemd.services.forgejo.serviceConfig.User;
+  };
+
+  services.forgejo = {
+    enable = true;
+    inherit settings;
+    # Use cutting edge instead of lts
+    package = pkgs.forgejo;
+    # repositoryRoot = "/mnt/storage/forgejo/repositories";
+    lfs = {
+      enable = true;
+      # contentDir = "/mnt/storage/forgejo/lfs";
+    };
+  };
+
+  systemd.services.forgejo = {
+    serviceConfig = {
+      EnvironmentFile = config.sops.templates."forgejo/env".path;
+      preStart =
+        let
+          providerName = "kanidm";
+          args = lib.concatStringsSep " " [
+            "--name ${providerName}"
+            "--provider openidConnect"
+            "--key forgejo"
+            "--secret $CLIENT_SECRET"
+            "--icon-url ${idpUrl}/pkg/img/favicon.png"
+            "--group-claim-name forgejo_role --admin-group Admin"
+          ];
+          exe = getExe config.services.forgejo.package;
+        in
+        ''
+          provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
+          if [[ -z "$provider_id" ]]; then
+            ${exe} admin auth add-oauth ${args}
+          else
+            ${exe} admin auth update-oauth --id "$provider_id" ${args}
+          fi
+        '';
+    };
+  };
+
+  users.users.git = {
+    isSystemUser = true;
+    useDefaultShell = true;
+    group = "git";
+    extraGroups = [ "forgejo" ];
+  };
+  users.groups.git = { };
+
+  services.caddy = {
+    virtualHosts."https://${forgejoDomain}".extraConfig = with settings; ''
+      ${
+        if server.PROTOCOL == "http+unix" then
+          "reverse_proxy unix/${server.HTTP_ADDR}"
+        else
+          "reverse_proxy http://${server.HTTP_ADDR}:${toString server.HTTP_PORT}"
+      }
+    '';
+  };
+  users.users.caddy.extraGroups = lib.optional (settings.server.PROTOCOL == "http+unix") "forgejo";
+}
--- a/machines/biotite/services/hedgedoc.nix
+++ b/machines/biotite/services/hedgedoc.nix
@ -0,0 +1,44 @@
+{ config, my-lib, ... }:
+let
+  inherit (my-lib.settings) hedgedocDomain idpUrl;
+in
+{
+  sops.secrets."hedgedoc/client_secret" = { };
+  sops.templates."hedgedoc/env" = {
+    content = ''
+      CMD_OAUTH2_CLIENT_SECRET=${config.sops.placeholder."hedgedoc/client_secret"}
+    '';
+    owner = config.systemd.services.hedgedoc.serviceConfig.User;
+  };
+  services.hedgedoc = {
+    enable = true;
+    environmentFile = config.sops.templates."hedgedoc/env".path;
+    settings = {
+      domain = hedgedocDomain;
+      protocolUseSSL = true; # use SSL for resources
+      path = "/run/hedgedoc/hedgedoc.sock";
+      email = false;
+      allowEmailRegister = false;
+      oauth2 = {
+        baseURL = "${idpUrl}/oauth2/openid/hedgedoc";
+        authorizationURL = "${idpUrl}/ui/oauth2";
+        tokenURL = "${idpUrl}/oauth2/token";
+        userProfileURL = "${idpUrl}/oauth2/openid/hedgedoc/userinfo";
+        userProfileEmailAttr = "email";
+        userProfileUsernameAttr = "name";
+        userProfileDisplayNameAttr = "preferred_name";
+        scope = "openid email profile";
+        clientID = "hedgedoc";
+      };
+      allowAnonymous = false;
+      defaultPermission = "private";
+    };
+  };
+  services.caddy = {
+    enable = true;
+    virtualHosts."https://${hedgedocDomain}".extraConfig = ''
+      reverse_proxy unix/${config.services.hedgedoc.settings.path}
+    '';
+  };
+  users.users.caddy.extraGroups = [ "hedgedoc" ];
+}
--- a/machines/biotite/services/miniflux.nix
+++ b/machines/biotite/services/miniflux.nix
@ -0,0 +1,35 @@
+{ config, my-lib, ... }:
+let
+  inherit (my-lib.settings) idpUrl minifluxUrl;
+in
+{
+  sops = {
+    secrets."miniflux/oauth2_secret" = { };
+  };
+
+  services.miniflux = {
+    enable = true;
+    config = {
+      LOG_LEVEL = "debug";
+      LISTEN_ADDR = "127.0.0.1:58173";
+      BASE_URL = "https://rss.xiny.li/";
+      OAUTH2_PROVIDER = "oidc";
+      OAUTH2_CLIENT_ID = "miniflux";
+      OAUTH2_CLIENT_SECRET_FILE = "%d/oauth2_secret";
+      OAUTH2_REDIRECT_URL = "${minifluxUrl}/oauth2/oidc/callback";
+      OAUTH2_OIDC_DISCOVERY_ENDPOINT = "${idpUrl}/oauth2/openid/miniflux";
+      OAUTH2_USER_CREATION = 1;
+      CREATE_ADMIN = 0;
+    };
+    createDatabaseLocally = true;
+  };
+
+  systemd.services.miniflux.serviceConfig.LoadCredential = [
+    "oauth2_secret:${config.sops.secrets."miniflux/oauth2_secret".path}"
+  ];
+
+  services.caddy.virtualHosts.${minifluxUrl}.extraConfig = ''
+    reverse_proxy ${config.services.miniflux.config.LISTEN_ADDR}
+  '';
+
+}
--- a/machines/biotite/services/vaultwarden.nix
+++ b/machines/biotite/services/vaultwarden.nix
@ -0,0 +1,25 @@
+{ config, my-lib, ... }:
+let
+  inherit (my-lib.settings) vaultwardenUrl;
+in
+{
+  services.vaultwarden = {
+    enable = true;
+    dbBackend = "sqlite";
+    config = {
+      DOMAIN = "${vaultwardenUrl}";
+      SIGNUPS_ALLOWED = false;
+
+      ROCKET_ADDRESS = "127.0.0.1";
+      ROCKET_PORT = 8222;
+
+      ROCKET_LOG = "normal";
+    };
+  };
+
+  services.caddy = {
+    virtualHosts.${vaultwardenUrl}.extraConfig = with config.services.vaultwarden.config; ''
+      reverse_proxy ${ROCKET_ADDRESS}:${toString ROCKET_PORT}
+    '';
+  };
+}