diff --git a/flake.lock b/flake.lock
index e74d8bd..70b6d93 100644
--- a/flake.lock
+++ b/flake.lock
@@ -222,11 +222,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1722304333,
- "narHash": "sha256-fC+PkQuMo1DykB7my6VLPOQi6ugnZuOGdGmAAKCmFVY=",
+ "lastModified": 1722309060,
+ "narHash": "sha256-lJ5auEUvSI0H0GwW5yWLgizvJ2A+N4aL2u2Xqa6JVCc=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "6cfe9fb0882d3d57fd67c783905757bb10b9115e",
+ "rev": "e491266f3f0e1fee7709c4d3d68130b5500dcd46",
 "type": "github"
 },
 "original": {
diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix
new file mode 100644
index 0000000..0fdb7b1
--- /dev/null
+++ b/machines/massicot/kanidm-provision.nix
@@ -0,0 +1,78 @@
+{
+ enable = true;
+ autoRemove = true;
+ groups = {
+ forgejo-access = {
+ members = [ "xin" ];
+ };
+ gts-users = {
+ members = [ "xin" ];
+ };
+ ocis-users = {
+ members = [ "xin" ];
+ };
+ linux_users = {
+ members = [ "xin" ];
+ };
+ hedgedoc-users = {
+ members = [ "xin" ];
+ };
+ immich-users = {
+ members = [ "xin" "zhuo" ];
+ };
+ };
+ persons = {
+ xin = {
+ displayName = "Xinyang Li";
+ mailAddresses = [ "lixinyang411@gmail.com" ];
+ };
+
+ zhuo = {
+ displayName = "Zhuo";
+ mailAddresses = [ "13681104320@163.com" ];
+ };
+ };
+ systems.oauth2 = {
+ forgejo = {
+ displayName = "ForgeJo";
+ originUrl = "https://git.xinyang.life/";
+ originLanding = " https://git.xinyang.life/user/oauth2/kandim";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ forgejo-access = [ "openid" "email" "profile" "groups" ];
+ };
+ };
+ gts = {
+ displayName = "GoToSocial";
+ originUrl = "https://xinyang.life/";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ gts-users = [ "openid" "email" "profile" "groups" ];
+ };
+ };
+ owncloud = {
+ displayName = "ownCloud";
+ originUrl = "https://home.xinyang.life:9201/";
+ public = true;
+ scopeMaps = {
+ ocis-users = [ "openid" "email" "profile" ];
+ };
+ };
+ hedgedoc = {
+ displayName = "HedgeDoc";
+ originUrl = "https://docs.xinyang.life/";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ hedgedoc-users = [ "openid" "email" "profile" ];
+ };
+ };
+ immich-mobile = {
+ displayName = "Immich";
+ originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
+ allowInsecureClientDisablePkce = true;
+ scopeMaps = {
+ immich-users = [ "openid" "email" "profile" ];
+ };
+ };
+ };
+}
\ No newline at end of file
diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix
index 2bb6541..6c87d4a 100644
--- a/machines/massicot/services.nix
+++ b/machines/massicot/services.nix
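Review bot: `allowInsecureClientDisablePkce = true` is set on four of the five OAuth2 clients in this new file (forgejo, gts, hedgedoc, immich-mobile); the option name marks each one as a deliberate downgrade of the provider's PKCE enforcement, so each should carry a short comment recording why that client cannot do PKCE, e.g. `allowInsecureClientDisablePkce = true; # <client> lacks PKCE support — TODO confirm against current client version`, and the flag should be dropped for any client that has since gained support. Separately, the forgejo `originLanding` value `" https://git.xinyang.life/user/oauth2/kandim"` begins with a space and its last path segment reads `kandim`, which looks like a typo for `kanidm`; the segment has to match the provider name configured on the Forgejo side, so `originLanding = "https://git.xinyang.life/user/oauth2/kanidm";` is the likely fix once that name is confirmed. The file is a bare attribute set (and has no trailing newline), so it can only hold literal values; if any entry later needs `config` or `pkgs`, the `import` in services.nix would have to become a function application.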
@@ -73,84 +73,7 @@ in
 tls_chain = ''${config.security.acme.certs."auth.xinyang.life".directory}/fullchain.pem'';
 # db_path = "/var/lib/kanidm/kanidm.db";
 };
- provision = {
- enable = true;
- autoRemove = true;
- groups = {
- forgejo-access = {
- members = [ "xin" ];
- };
- gts-users = {
- members = [ "xin" ];
- };
- ocis-users = {
- members = [ "xin" ];
- };
- linux_users = {
- members = [ "xin" ];
- };
- hedgedoc-users = {
- members = [ "xin" ];
- };
- immich-users = {
- members = [ "xin" "zhuo" ];
- };
- };
- persons = {
- xin = {
- displayName = "Xinyang Li";
- mailAddresses = [ "lixinyang411@gmail.com" ];
- };
-
- zhuo = {
- displayName = "Zhuo";
- mailAddresses = [ "13681104320@163.com" ];
- };
- };
- systems.oauth2 = {
- forgejo = {
- displayName = "ForgeJo";
- originUrl = "https://git.xinyang.life/";
- originLanding = " https://git.xinyang.life/user/oauth2/kandim";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- forgejo-access = [ "openid" "email" "profile" "groups" ];
- };
- };
- gts = {
- displayName = "GoToSocial";
- originUrl = "https://xinyang.life/";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- gts-users = [ "openid" "email" "profile" "groups" ];
- };
- };
- owncloud = {
- displayName = "ownCloud";
- originUrl = "https://home.xinyang.life:9201/";
- public = true;
- scopeMaps = {
- ocis-users = [ "openid" "email" "profile" ];
- };
- };
- hedgedoc = {
- displayName = "HedgeDoc";
- originUrl = "https://docs.xinyang.life/";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- hedgedoc-users = [ "openid" "email" "profile" ];
- };
- };
- immich-mobile = {
- displayName = "Immich";
- originUrl = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
- allowInsecureClientDisablePkce = true;
- scopeMaps = {
- immich-users = [ "openid" "email" "profile" ];
- };
- };
- };
- };
+ provision = import ./kanidm-provision.nix;
 };
 services.matrix-conduit = {
 enable = true;
diff --git a/modules/nixos/hedgedoc.nix b/modules/nixos/hedgedoc.nix
index 934420d..6aa5de2 100644
--- a/modules/nixos/hedgedoc.nix
+++ b/modules/nixos/hedgedoc.nix
@@ -44,8 +44,8 @@ in
 };
 };
 };
- config = {
- services.hedgedoc = mkIf cfg.enable {
+ config = mkIf cfg.enable {
+ services.hedgedoc = {
 enable = true;
 environmentFile = cfg.environmentFile;
 settings = {
@@ -71,13 +71,13 @@ in
 defaultPermission = "private";
 };
 };
- services.caddy = mkIf ( cfg.enable && cfg.enable ) {
+ services.caddy = mkIf cfg.caddy {
 enable = true;
 virtualHosts."https://${cfg.domain}".extraConfig = '' reverse_proxy unix/${config.services.hedgedoc.settings.path} '';
 };
- users.users.caddy.extraGroups = mkIf ( cfg.enable && cfg.enable ) [ "hedgedoc" ];
+ users.users.caddy.extraGroups = mkIf cfg.caddy [ "hedgedoc" ];
 };
 }
diff --git a/modules/nixos/prometheus.nix b/modules/nixos/prometheus.nix
index 5234e76..9ddd255 100644
--- a/modules/nixos/prometheus.nix
+++ b/modules/nixos/prometheus.nix
@@ -25,7 +25,7 @@ in
 };
 };
- config = mkMerge [{
+ config = mkIf cfg.enable (mkMerge [{
 services.caddy.globalConfig = ''
 servers {
 metrics
@@ -91,5 +91,5 @@ in
 })
 ];
 }
- ];
+ ]);
 }
diff --git a/modules/nixos/restic.nix b/modules/nixos/restic.nix
index 178d599..07a8dad 100644
--- a/modules/nixos/restic.nix
+++ b/modules/nixos/restic.nix
@@ -16,8 +16,8 @@ in
 };
 };
 };
- config = {
- services.restic.backups = lib.mkIf cfg.enable {
+ config = lib.mkIf cfg.enable {
+ services.restic.backups = {
 remotebackup = {
 repositoryFile = cfg.repositoryFile;
 passwordFile = cfg.passwordFile;
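Review bot: `mkIf cfg.caddy` is introduced twice in the second hedgedoc.nix hunk (the `services.caddy` block and `users.users.caddy.extraGroups`), but this commit changes no option declarations, so it depends on a `caddy` option already being declared in the module's `options` block above the first hunk, outside the visible range; if that option is absent, evaluation fails on the undefined attribute, and if it is present its `description` should state that enabling it also adds the caddy user to the `hedgedoc` group so the reverse proxy can reach the unix socket. The replaced guard `cfg.enable && cfg.enable` was tautological, so this is a behavior change rather than a pure cleanup: the proxy and the group membership are now gated on a separate switch instead of on `enable` alone, which is worth a line in the commit description. The enclosing module attribute set opens before the first hunk and is closed by the `}` at the end of the second.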