xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: xin:35b19d67d7afafaf70414dbd41766285abab6130
Branches Tags
xin:master
xin:deploy
xin:testing-weilite
xin:testing-raspite
xin:testing-calcite
xin:next
xin:deploy-comin-eval
..
compare: xin:6bf182214110ff57bfadcb12472cd10d5cdae030
Branches Tags
xin:deploy
xin:testing-weilite
xin:testing-raspite
xin:testing-calcite
xin:next
xin:deploy-comin-eval
xin:master

No commits in common. "35b19d67d7afafaf70414dbd41766285abab6130" and "6bf182214110ff57bfadcb12472cd10d5cdae030" have entirely different histories.
35b19d67d7 ... 6bf1822141

14 changed files with 45 additions and 351 deletions
Show stats Expand all files Collapse all files

1
machines/biotite/default.nix
View file

@ -15,7 +15,6 @@
./services/hedgedoc.nix ./services/hedgedoc.nix
./services/forgejo.nix ./services/forgejo.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
./services/kanidm.nix
]; ];
networking.hostName = "biotite"; networking.hostName = "biotite";

43
machines/biotite/services/forgejo.nix
View file

@ -69,29 +69,28 @@ in
systemd.services.forgejo = { systemd.services.forgejo = {
serviceConfig = { serviceConfig = {
EnvironmentFile = config.sops.templates."forgejo/env".path; EnvironmentFile = config.sops.templates."forgejo/env".path;
preStart =
let
providerName = "kanidm";
args = lib.concatStringsSep " " [
"--name ${providerName}"
"--provider openidConnect"
"--key forgejo"
"--secret $CLIENT_SECRET"
"--icon-url ${idpUrl}/pkg/img/favicon.png"
"--group-claim-name forgejo_role --admin-group Admin"
];
exe = getExe config.services.forgejo.package;
in
''
provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
if [[ -z "$provider_id" ]]; then
${exe} admin auth add-oauth ${args}
else
${exe} admin auth update-oauth --id "$provider_id" ${args}
fi
'';
}; };
preStart =
let
providerName = "kanidm";
args = lib.concatStringsSep " " [
"--name ${providerName}"
"--provider openidConnect"
"--key forgejo"
"--secret $CLIENT_SECRET"
"--auto-discover-url https://${idpUrl}/oauth2/openid/forgejo/.well-known/openid-configuration"
"--icon-url https://${idpUrl}/pkg/img/favicon.png"
"--group-claim-name forgejo_role --admin-group Admin"
];
exe = getExe config.services.forgejo.package;
in
''
provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
if [[ -z "$provider_id" ]]; then
${exe} admin auth add-oauth ${args}
else
${exe} admin auth update-oauth --id "$provider_id" ${args}
fi
'';
}; };
users.users.git = { users.users.git = {

2
machines/biotite/services/gotosocial.nix
View file

@ -26,7 +26,7 @@ in
instance-expose-public-timeline = true; instance-expose-public-timeline = true;
oidc-enabled = true; oidc-enabled = true;
oidc-idp-name = "Kanidm"; oidc-idp-name = "Kanidm";
oidc-issuer = "https://${idpUrl}/oauth2/openid/gotosocial"; oidc-issuer = "${idpUrl}/oauth2/openid/gotosocial";
oidc-client-id = "gotosocial"; oidc-client-id = "gotosocial";
oidc-link-existing = true; oidc-link-existing = true;
}; };

8
machines/biotite/services/hedgedoc.nix
View file

@ -20,10 +20,10 @@ in
email = false; email = false;
allowEmailRegister = false; allowEmailRegister = false;
oauth2 = { oauth2 = {
baseURL = "https://${idpUrl}/oauth2/openid/hedgedoc"; baseURL = "${idpUrl}/oauth2/openid/hedgedoc";
authorizationURL = "https://${idpUrl}/ui/oauth2"; authorizationURL = "${idpUrl}/ui/oauth2";
tokenURL = "https://${idpUrl}/oauth2/token"; tokenURL = "${idpUrl}/oauth2/token";
userProfileURL = "https://${idpUrl}/oauth2/openid/hedgedoc/userinfo"; userProfileURL = "${idpUrl}/oauth2/openid/hedgedoc/userinfo";
userProfileEmailAttr = "email"; userProfileEmailAttr = "email";
userProfileUsernameAttr = "name"; userProfileUsernameAttr = "name";
userProfileDisplayNameAttr = "preferred_name"; userProfileDisplayNameAttr = "preferred_name";

242
machines/biotite/services/kanidm-provision.nix
View file

@ -1,242 +0,0 @@
{ pkgs, config, ... }:
let
inherit (config.my-lib.settings)
gotosocialUrl
minifluxUrl
hedgedocDomain
forgejoDomain
grafanaUrl
synapseDelegateUrl
;
in
{
services.kanidm.provision = {
enable = true;
autoRemove = true;
groups = {
forgejo-access = {
members = [ "xin" ];
};
forgejo-admin = {
members = [ "xin" ];
};
gts-users = {
members = [ "xin" ];
};
ocis-users = {
members = [ "xin" ];
};
linux_users = {
members = [ "xin" ];
};
hedgedoc-users = {
members = [ "xin" ];
};
immich-users = {
members = [
"xin"
"zhuo"
"ycm"
"yzl"
];
};
grafana-superadmins = {
members = [ "xin" ];
};
grafana-admins = {
members = [ "xin" ];
};
grafana-editors = {
members = [ "xin" ];
};
grafana-users = {
members = [ "xin" ];
};
miniflux-users = {
members = [ "xin" ];
};
synapse-users = {
members = [ "xin" ];
};
idm_people_self_mail_write = {
members = [ ];
};
};
persons = {
xin = {
displayName = "Xinyang Li";
mailAddresses = [ "lixinyang411@gmail.com" ];
};
zhuo = {
displayName = "Zhuo";
mailAddresses = [ "13681104320@163.com" ];
};
ycm = {
displayName = "Chunming";
mailAddresses = [ "chunmingyou@gmail.com" ];
};
yzl = {
displayName = "Zhengli Yang";
mailAddresses = [ "13391935399@189.cn" ];
};
};
systems.oauth2 = {
forgejo = {
displayName = "ForgeJo";
originUrl = "https://${forgejoDomain}/user/oauth2/kanidm/callback";
originLanding = "https://${forgejoDomain}/user/oauth2/kanidm";
allowInsecureClientDisablePkce = true;
scopeMaps = {
forgejo-access = [
"openid"
"email"
"profile"
"groups"
];
};
claimMaps = {
forgejo_role = {
joinType = "array";
valuesByGroup = {
forgejo-access = [ "Access" ];
forgejo-admin = [ "Admin" ];
};
};
};
};
gts = {
displayName = "GoToSocial";
originUrl = "https://xinyang.life/auth/callback";
originLanding = "https://xinyang.life/auth/callback";
allowInsecureClientDisablePkce = true;
scopeMaps = {
gts-users = [
"openid"
"email"
"profile"
"groups"
];
};
};
gotosocial = {
displayName = "GoToSocial";
originUrl = "${gotosocialUrl}/auth/callback";
originLanding = "${gotosocialUrl}/auth/callback";
allowInsecureClientDisablePkce = true;
scopeMaps = {
gts-users = [
"openid"
"email"
"profile"
"groups"
];
};
};
# It's used for all the clients. I'm too lazy to change the name.
owncloud-android = {
displayName = "ownCloud Apps";
originLanding = "https://drive.xinyang.life:8443/";
originUrl = [
"http://localhost:38622/"
"http://localhost:43580/"
"https://drive.xinyang.life:8443/"
# TODO: Should allow mobile redirect url not ending with /
# "oc://android.owncloud.com"
];
public = true;
preferShortUsername = true;
scopeMaps = {
ocis-users = [
"openid"
"email"
"profile"
"offline_access"
];
};
};
hedgedoc = {
displayName = "HedgeDoc";
originUrl = "https://${hedgedocDomain}/auth/oauth2/callback";
originLanding = "https://${hedgedocDomain}/auth/oauth2";
allowInsecureClientDisablePkce = true;
scopeMaps = {
hedgedoc-users = [
"openid"
"email"
"profile"
];
};
};
immich = {
displayName = "Immich";
originUrl = [
"https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"
"https://immich.xinyang.life:8000/auth/login"
"https://immich.xinyang.life:8000/user-settings"
"https://immich.xiny.li:8443/api/oauth/mobile-redirect/"
"https://immich.xiny.li:8443/auth/login"
"https://immich.xiny.li:8443/user-settings"
];
originLanding = "https://immich.xiny.li:8443/auth/login?autoLaunch=0";
allowInsecureClientDisablePkce = true;
scopeMaps = {
immich-users = [
"openid"
"email"
"profile"
];
};
};
miniflux = {
displayName = "Miniflux";
originUrl = "${minifluxUrl}/oauth2/oidc/callback";
originLanding = "${minifluxUrl}/oauth2/oidc/redirect";
scopeMaps = {
miniflux-users = [
"openid"
"email"
"profile"
];
};
};
grafana = {
displayName = "Grafana";
originUrl = "${grafanaUrl}/login/generic_oauth";
originLanding = "${grafanaUrl}/";
scopeMaps = {
grafana-users = [
"openid"
"email"
"profile"
"groups"
];
};
claimMaps = {
grafana_role = {
joinType = "array";
valuesByGroup = {
grafana-superadmins = [ "GrafanaAdmin" ];
grafana-admins = [ "Admin" ];
grafana-editors = [ "Editor" ];
};
};
};
};
synapse = {
displayName = "Synapse";
originUrl = "${synapseDelegateUrl}/_synapse/client/oidc/callback";
originLanding = "${synapseDelegateUrl}/";
scopeMaps = {
synapse-users = [
"openid"
"profile"
];
};
};
};
};
}

54
machines/biotite/services/kanidm.nix
View file

@ -1,54 +0,0 @@
{
config,
pkgs,
lib,
...
}:
let
kanidm_listen_port = 5324;
inherit (config.my-lib.settings) idpUrl;
in
{
imports = [
./kanidm-provision.nix
];
security.acme = {
acceptTerms = true;
certs.${idpUrl} = {
email = "lixinyang411@gmail.com";
listenHTTP = "127.0.0.1:1360";
group = "kanidm";
};
};
services.kanidm = {
package = pkgs.kanidm.withSecretProvisioning;
enableServer = true;
serverSettings = {
domain = idpUrl;
origin = "https://${idpUrl}";
bindaddress = "[::]:${toString kanidm_listen_port}";
tls_key = ''${config.security.acme.certs.${idpUrl}.directory}/key.pem'';
tls_chain = ''${config.security.acme.certs.${idpUrl}.directory}/fullchain.pem'';
online_backup.versions = 7;
# db_path = "/var/lib/kanidm/kanidm.db";
};
};
services.caddy = {
enable = true;
virtualHosts."http://${idpUrl}".extraConfig = ''
reverse_proxy ${config.security.acme.certs.${idpUrl}.listenHTTP}
'';
virtualHosts."https://${idpUrl}".extraConfig = ''
reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
header_up Host {upstream_hostport}
header_down Access-Control-Allow-Origin "*"
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
}
}
'';
};
}

2
machines/biotite/services/miniflux.nix
View file

@ -17,7 +17,7 @@ in
OAUTH2_CLIENT_ID = "miniflux"; OAUTH2_CLIENT_ID = "miniflux";
OAUTH2_CLIENT_SECRET_FILE = "%d/oauth2_secret"; OAUTH2_CLIENT_SECRET_FILE = "%d/oauth2_secret";
OAUTH2_REDIRECT_URL = "${minifluxUrl}/oauth2/oidc/callback"; OAUTH2_REDIRECT_URL = "${minifluxUrl}/oauth2/oidc/callback";
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://${idpUrl}/oauth2/openid/miniflux"; OAUTH2_OIDC_DISCOVERY_ENDPOINT = "${idpUrl}/oauth2/openid/miniflux";
OAUTH2_USER_CREATION = 1; OAUTH2_USER_CREATION = 1;
CREATE_ADMIN = 0; CREATE_ADMIN = 0;
}; };

8
machines/biotite/services/synapse.nix
View file

@ -85,11 +85,11 @@ in
oidc_providers = [ oidc_providers = [
{ {
idp_id = "Kanidm"; idp_id = "Kanidm";
idp_name = idpUrl; idp_name = lib.removePrefix "https://" idpUrl;
issuer = "${idpUrl}/oauth2/openid/synapse"; issuer = "${idpUrl}/oauth2/openid/synapse";
authorization_endpoint = "https://${idpUrl}/ui/oauth2"; authorization_endpoint = "${idpUrl}/ui/oauth2";
token_endpoint = "https://${idpUrl}/oauth2/token"; token_endpoint = "${idpUrl}/oauth2/token";
userinfo_endpoint = "https://${idpUrl}/oauth2/openid/synapse/userinfo"; userinfo_endpoint = "${idpUrl}/oauth2/openid/synapse/userinfo";
client_id = "synapse"; client_id = "synapse";
client_secret_path = config.sops.secrets."synapse/oidc_client_secret".path; client_secret_path = config.sops.secrets."synapse/oidc_client_secret".path;
scopes = [ scopes = [

3
machines/calcite/configuration.nix
View file

@ -6,7 +6,6 @@
}: }:
let let
inherit (lib) mkForce getExe; inherit (lib) mkForce getExe;
inherit (config.my-lib.settings) idpUrl;
in in
{ {
imports = [ imports = [
@ -224,7 +223,7 @@ in
services.kanidm = { services.kanidm = {
enableClient = true; enableClient = true;
clientSettings = { clientSettings = {
uri = "https://${idpUrl}"; uri = "https://auth.xinyang.life";
}; };
}; };

7
machines/weilite/services/immich.nix
View file

@ -3,14 +3,11 @@
... ...
}: }:
let let
inherit (config.my-lib.settings) idpUrl;
user = config.systemd.services.immich-server.serviceConfig.User; user = config.systemd.services.immich-server.serviceConfig.User;
immichUrl = "immich.xiny.li:8443";
jsonSettings = { jsonSettings = {
oauth = { oauth = {
enabled = true; enabled = true;
issuerUrl = "https://${idpUrl}/oauth2/openid/immich/"; issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/";
clientId = "immich"; clientId = "immich";
clientSecret = config.sops.placeholder."immich/oauth_client_secret"; clientSecret = config.sops.placeholder."immich/oauth_client_secret";
scope = "openid email profile"; scope = "openid email profile";
@ -19,7 +16,7 @@ let
buttonText = "Login with Kanidm"; buttonText = "Login with Kanidm";
autoLaunch = true; autoLaunch = true;
mobileOverrideEnabled = true; mobileOverrideEnabled = true;
mobileRedirectUri = "https://${immichUrl}/api/oauth/mobile-redirect/"; mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/";
}; };
passwordLogin = { passwordLogin = {
enabled = false; enabled = false;

8
modules/nixos/common-settings/auth.nix
View file

@ -11,8 +11,6 @@ let
mkEnableOption mkEnableOption
; ;
inherit (config.my-lib.settings) idpUrl;
cfg = config.commonSettings.auth; cfg = config.commonSettings.auth;
in in
{ {
@ -24,7 +22,7 @@ in
services.kanidm = { services.kanidm = {
enableClient = true; enableClient = true;
clientSettings = { clientSettings = {
uri = "https://${idpUrl}"; uri = "https://auth.xinyang.life";
}; };
enablePam = true; enablePam = true;
unixSettings = { unixSettings = {
@ -47,11 +45,11 @@ in
environment.etc."ssh/auth" = { environment.etc."ssh/auth" = {
mode = "0555"; mode = "0555";
text = '' text = ''
#!/bin/sh #!${pkgs.stdenv.shell}
${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1 ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1
''; '';
}; };
users.groups.wheel.members = [ "xin@${idpUrl}" ]; users.groups.wheel.members = [ "xin@auth.xinyang.life" ];
users.groups.kanidm-ssh-runner = { }; users.groups.kanidm-ssh-runner = { };
users.users.kanidm-ssh-runner = { users.users.kanidm-ssh-runner = {
isSystemUser = true; isSystemUser = true;

6
modules/nixos/monitor/grafana.nix
View file

@ -22,9 +22,9 @@ in
name = "Kanidm"; name = "Kanidm";
client_id = "grafana"; client_id = "grafana";
scopes = "openid,profile,email,groups"; scopes = "openid,profile,email,groups";
auth_url = "https://${idpUrl}/ui/oauth2"; auth_url = "${idpUrl}/ui/oauth2";
token_url = "https://${idpUrl}/oauth2/token"; token_url = "${idpUrl}/oauth2/token";
api_url = "https://${idpUrl}/oauth2/openid/grafana/userinfo"; api_url = "${idpUrl}/oauth2/openid/grafana/userinfo";
use_pkce = true; use_pkce = true;
use_refresh_token = true; use_refresh_token = true;
allow_sign_up = true; allow_sign_up = true;

10
modules/nixos/monitor/loki.nix
View file

@ -15,7 +15,6 @@ let
; ;
inherit (config.my-lib.settings) inherit (config.my-lib.settings)
alertmanagerPort alertmanagerPort
internalDomain
; ;
cfg = config.custom.monitoring; cfg = config.custom.monitoring;
lokiPort = 3100; lokiPort = 3100;
@ -95,17 +94,16 @@ in
rulerFile = pkgs.writeText "ruler.yml" (builtins.toJSON rulerConfig); rulerFile = pkgs.writeText "ruler.yml" (builtins.toJSON rulerConfig);
in in
mkIf cfg.loki.enable { mkIf cfg.loki.enable {
systemd.services.loki.serviceConfig.After = "tailscaled.service";
services.loki = { services.loki = {
enable = true; enable = true;
configuration = { configuration = {
auth_enabled = false; auth_enabled = false;
server.http_listen_address = "${config.networking.hostName}.${internalDomain}"; server.http_listen_address = "${config.networking.hostName}.coho-tet.ts.net";
server.http_listen_port = lokiPort; server.http_listen_port = lokiPort;
common = { common = {
ring = { ring = {
instance_addr = "${config.networking.hostName}.${internalDomain}"; instance_addr = "${config.networking.hostName}.coho-tet.ts.net";
kvstore.store = "inmemory"; kvstore.store = "inmemory";
}; };
replication_factor = 1; replication_factor = 1;
@ -162,7 +160,7 @@ in
configuration = { configuration = {
server = { server = {
http_listen_address = "${config.networking.hostName}.${internalDomain}"; http_listen_address = "${config.networking.hostName}.coho-tet.ts.net";
http_listen_port = 28183; http_listen_port = 28183;
grpc_listen_port = 0; grpc_listen_port = 0;
}; };
@ -171,7 +169,7 @@ in
clients = [ clients = [
{ {
url = "http://thorite.${internalDomain}:${toString lokiPort}/loki/api/v1/push"; url = "http://thorite.coho-tet.ts.net:${toString lokiPort}/loki/api/v1/push";
} }
]; ];

2
overlays/my-lib/settings.nix
View file

@ -1,7 +1,7 @@
{ {
settings = { settings = {
alertmanagerPort = 9093; alertmanagerPort = 9093;
idpUrl = "auth.xiny.li"; idpUrl = "https://auth.xinyang.life";
gotosocialUrl = "https://gts.xiny.li"; gotosocialUrl = "https://gts.xiny.li";
minifluxUrl = "https://rss.xiny.li"; minifluxUrl = "https://rss.xiny.li";
hedgedocDomain = "docs.xiny.li"; hedgedocDomain = "docs.xiny.li";