xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

biotite: move services to new machines and new domain

Browse source 
- related services: forgejo, miniflux, vaultwarden
- moved from xinyang.life to xiny.li
- clean up modules
This commit is contained in:
xinyangli 2024-12-04 16:02:03 +08:00
parent 947e97ce4e
commit ad9c205fc5
Signed by: xin
SSH key fingerprint: SHA256:UU5pRTl7NiLFJbWJZa+snLylZSXIz5rgHmwjzv8v4oE
18 changed files with 263 additions and 670 deletions
Download patch file Download diff file Expand all files Collapse all files

113
machines/biotite/services/forgejo.nix Normal file
View file

@ -0,0 +1,113 @@
{
config,
pkgs,
lib,
my-lib,
...
}:
let
inherit (lib) getExe;
inherit (my-lib.settings) idpUrl forgejoDomain forgejoGitDomain;
settings = {
service.DISABLE_REGISTRATION = true;
server = {
DOMAIN = forgejoDomain;
ROOT_URL = "https://${forgejoDomain}";
HTTP_ADDR = "/var/run/forgejo/forgejo.sock";
START_SSH_SERVER = false;
SSH_USER = config.services.forgejo.user;
SSH_DOMAIN = forgejoGitDomain;
SSH_PORT = 22;
PROTOCOL = "http+unix";
LFS_MAX_FILE_SIZE = 10737418240;
LANDING_PAGE = "/explore/repos";
};
repository = {
ENABLE_PUSH_CREATE_USER = true;
};
service = {
ENABLE_BASIC_AUTHENTICATION = false;
};
oauth2 = {
ENABLED = false; # Disable forgejo as oauth2 provider
};
oauth2_client = {
ACCOUNT_LINKING = "auto";
USERNAME = "email";
ENABLE_AUTO_REGISTRATION = true;
UPDATE_AVATAR = false;
OPENID_CONNECT_SCOPES = "openid profile email groups";
};
other = {
SHOW_FOOTER_VERSION = false;
};
};
in
{
sops.secrets."forgejo/client_secret" = { };
sops.templates."forgejo/env" = {
content = ''
CLIENT_SECRET=${config.sops.placeholder."forgejo/client_secret"}
'';
owner = config.systemd.services.forgejo.serviceConfig.User;
};
services.forgejo = {
enable = true;
inherit settings;
# Use cutting edge instead of lts
package = pkgs.forgejo;
# repositoryRoot = "/mnt/storage/forgejo/repositories";
lfs = {
enable = true;
# contentDir = "/mnt/storage/forgejo/lfs";
};
};
systemd.services.forgejo = {
serviceConfig = {
EnvironmentFile = config.sops.templates."forgejo/env".path;
preStart =
let
providerName = "kanidm";
args = lib.concatStringsSep " " [
"--name ${providerName}"
"--provider openidConnect"
"--key forgejo"
"--secret $CLIENT_SECRET"
"--icon-url ${idpUrl}/pkg/img/favicon.png"
"--group-claim-name forgejo_role --admin-group Admin"
];
exe = getExe config.services.forgejo.package;
in
''
provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
if [[ -z "$provider_id" ]]; then
${exe} admin auth add-oauth ${args}
else
${exe} admin auth update-oauth --id "$provider_id" ${args}
fi
'';
};
};
users.users.git = {
isSystemUser = true;
useDefaultShell = true;
group = "git";
extraGroups = [ "forgejo" ];
};
users.groups.git = { };
services.caddy = {
virtualHosts."https://${forgejoDomain}".extraConfig = with settings; ''
${
if server.PROTOCOL == "http+unix" then
"reverse_proxy unix/${server.HTTP_ADDR}"
else
"reverse_proxy http://${server.HTTP_ADDR}:${toString server.HTTP_PORT}"
}
'';
};
users.users.caddy.extraGroups = lib.optional (settings.server.PROTOCOL == "http+unix") "forgejo";
}

44
machines/biotite/services/hedgedoc.nix Normal file
View file

@ -0,0 +1,44 @@
{ config, my-lib, ... }:
let
inherit (my-lib.settings) hedgedocDomain idpUrl;
in
{
sops.secrets."hedgedoc/client_secret" = { };
sops.templates."hedgedoc/env" = {
content = ''
CMD_OAUTH2_CLIENT_SECRET=${config.sops.placeholder."hedgedoc/client_secret"}
'';
owner = config.systemd.services.hedgedoc.serviceConfig.User;
};
services.hedgedoc = {
enable = true;
environmentFile = config.sops.templates."hedgedoc/env".path;
settings = {
domain = hedgedocDomain;
protocolUseSSL = true; # use SSL for resources
path = "/run/hedgedoc/hedgedoc.sock";
email = false;
allowEmailRegister = false;
oauth2 = {
baseURL = "${idpUrl}/oauth2/openid/hedgedoc";
authorizationURL = "${idpUrl}/ui/oauth2";
tokenURL = "${idpUrl}/oauth2/token";
userProfileURL = "${idpUrl}/oauth2/openid/hedgedoc/userinfo";
userProfileEmailAttr = "email";
userProfileUsernameAttr = "name";
userProfileDisplayNameAttr = "preferred_name";
scope = "openid email profile";
clientID = "hedgedoc";
};
allowAnonymous = false;
defaultPermission = "private";
};
};
services.caddy = {
enable = true;
virtualHosts."https://${hedgedocDomain}".extraConfig = ''
reverse_proxy unix/${config.services.hedgedoc.settings.path}
'';
};
users.users.caddy.extraGroups = [ "hedgedoc" ];
}

35
machines/biotite/services/miniflux.nix Normal file
View file

@ -0,0 +1,35 @@
{ config, my-lib, ... }:
let
inherit (my-lib.settings) idpUrl minifluxUrl;
in
{
sops = {
secrets."miniflux/oauth2_secret" = { };
};
services.miniflux = {
enable = true;
config = {
LOG_LEVEL = "debug";
LISTEN_ADDR = "127.0.0.1:58173";
BASE_URL = "https://rss.xiny.li/";
OAUTH2_PROVIDER = "oidc";
OAUTH2_CLIENT_ID = "miniflux";
OAUTH2_CLIENT_SECRET_FILE = "%d/oauth2_secret";
OAUTH2_REDIRECT_URL = "${minifluxUrl}/oauth2/oidc/callback";
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "${idpUrl}/oauth2/openid/miniflux";
OAUTH2_USER_CREATION = 1;
CREATE_ADMIN = 0;
};
createDatabaseLocally = true;
};
systemd.services.miniflux.serviceConfig.LoadCredential = [
"oauth2_secret:${config.sops.secrets."miniflux/oauth2_secret".path}"
];
services.caddy.virtualHosts.${minifluxUrl}.extraConfig = ''
reverse_proxy ${config.services.miniflux.config.LISTEN_ADDR}
'';
}

25
machines/biotite/services/vaultwarden.nix Normal file
View file

@ -0,0 +1,25 @@
{ config, my-lib, ... }:
let
inherit (my-lib.settings) vaultwardenUrl;
in
{
services.vaultwarden = {
enable = true;
dbBackend = "sqlite";
config = {
DOMAIN = "${vaultwardenUrl}";
SIGNUPS_ALLOWED = false;
ROCKET_ADDRESS = "127.0.0.1";
ROCKET_PORT = 8222;
ROCKET_LOG = "normal";
};
};
services.caddy = {
virtualHosts.${vaultwardenUrl}.extraConfig = with config.services.vaultwarden.config; ''
reverse_proxy ${ROCKET_ADDRESS}:${toString ROCKET_PORT}
'';
};
}