xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: xin:6bf182214110ff57bfadcb12472cd10d5cdae030
Branches Tags
xin:master
xin:testing-weilite
xin:testing-raspite
xin:deploy
xin:testing-calcite
xin:next
xin:deploy-comin-eval
...
compare: xin:35b19d67d7afafaf70414dbd41766285abab6130
Branches Tags
xin:testing-weilite
xin:testing-raspite
xin:deploy
xin:testing-calcite
xin:next
xin:deploy-comin-eval
xin:master

2 commits
6bf1822141 ... 35b19d67d7

Author SHA1 Message Date
xinyangli
35b19d67d7
auth: switch domain 2025-02-14 14:33:02 +08:00
xinyangli
2e2968360c
idp: migrate to biotite 2025-02-14 13:51:50 +08:00
14 changed files with 351 additions and 45 deletions
Show stats Expand all files Collapse all files

1
machines/biotite/default.nix
View file

@ -15,6 +15,7 @@
./services/hedgedoc.nix ./services/hedgedoc.nix
./services/forgejo.nix ./services/forgejo.nix
./services/vaultwarden.nix ./services/vaultwarden.nix
./services/kanidm.nix
]; ];
networking.hostName = "biotite"; networking.hostName = "biotite";

43
machines/biotite/services/forgejo.nix
View file

@ -69,28 +69,29 @@ in
systemd.services.forgejo = { systemd.services.forgejo = {
serviceConfig = { serviceConfig = {
EnvironmentFile = config.sops.templates."forgejo/env".path; EnvironmentFile = config.sops.templates."forgejo/env".path;
preStart =
let
providerName = "kanidm";
args = lib.concatStringsSep " " [
"--name ${providerName}"
"--provider openidConnect"
"--key forgejo"
"--secret $CLIENT_SECRET"
"--icon-url ${idpUrl}/pkg/img/favicon.png"
"--group-claim-name forgejo_role --admin-group Admin"
];
exe = getExe config.services.forgejo.package;
in
''
provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
if [[ -z "$provider_id" ]]; then
${exe} admin auth add-oauth ${args}
else
${exe} admin auth update-oauth --id "$provider_id" ${args}
fi
'';
}; };
preStart =
let
providerName = "kanidm";
args = lib.concatStringsSep " " [
"--name ${providerName}"
"--provider openidConnect"
"--key forgejo"
"--secret $CLIENT_SECRET"
"--auto-discover-url https://${idpUrl}/oauth2/openid/forgejo/.well-known/openid-configuration"
"--icon-url https://${idpUrl}/pkg/img/favicon.png"
"--group-claim-name forgejo_role --admin-group Admin"
];
exe = getExe config.services.forgejo.package;
in
''
provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
if [[ -z "$provider_id" ]]; then
${exe} admin auth add-oauth ${args}
else
${exe} admin auth update-oauth --id "$provider_id" ${args}
fi
'';
}; };
users.users.git = { users.users.git = {

2
machines/biotite/services/gotosocial.nix
View file

@ -26,7 +26,7 @@ in
instance-expose-public-timeline = true; instance-expose-public-timeline = true;
oidc-enabled = true; oidc-enabled = true;
oidc-idp-name = "Kanidm"; oidc-idp-name = "Kanidm";
oidc-issuer = "${idpUrl}/oauth2/openid/gotosocial"; oidc-issuer = "https://${idpUrl}/oauth2/openid/gotosocial";
oidc-client-id = "gotosocial"; oidc-client-id = "gotosocial";
oidc-link-existing = true; oidc-link-existing = true;
}; };

8
machines/biotite/services/hedgedoc.nix
View file

@ -20,10 +20,10 @@ in
email = false; email = false;
allowEmailRegister = false; allowEmailRegister = false;
oauth2 = { oauth2 = {
baseURL = "${idpUrl}/oauth2/openid/hedgedoc"; baseURL = "https://${idpUrl}/oauth2/openid/hedgedoc";
authorizationURL = "${idpUrl}/ui/oauth2"; authorizationURL = "https://${idpUrl}/ui/oauth2";
tokenURL = "${idpUrl}/oauth2/token"; tokenURL = "https://${idpUrl}/oauth2/token";
userProfileURL = "${idpUrl}/oauth2/openid/hedgedoc/userinfo"; userProfileURL = "https://${idpUrl}/oauth2/openid/hedgedoc/userinfo";
userProfileEmailAttr = "email"; userProfileEmailAttr = "email";
userProfileUsernameAttr = "name"; userProfileUsernameAttr = "name";
userProfileDisplayNameAttr = "preferred_name"; userProfileDisplayNameAttr = "preferred_name";

242
machines/biotite/services/kanidm-provision.nix Normal file
View file

@ -0,0 +1,242 @@
{ pkgs, config, ... }:
let
inherit (config.my-lib.settings)
gotosocialUrl
minifluxUrl
hedgedocDomain
forgejoDomain
grafanaUrl
synapseDelegateUrl
;
in
{
services.kanidm.provision = {
enable = true;
autoRemove = true;
groups = {
forgejo-access = {
members = [ "xin" ];
};
forgejo-admin = {
members = [ "xin" ];
};
gts-users = {
members = [ "xin" ];
};
ocis-users = {
members = [ "xin" ];
};
linux_users = {
members = [ "xin" ];
};
hedgedoc-users = {
members = [ "xin" ];
};
immich-users = {
members = [
"xin"
"zhuo"
"ycm"
"yzl"
];
};
grafana-superadmins = {
members = [ "xin" ];
};
grafana-admins = {
members = [ "xin" ];
};
grafana-editors = {
members = [ "xin" ];
};
grafana-users = {
members = [ "xin" ];
};
miniflux-users = {
members = [ "xin" ];
};
synapse-users = {
members = [ "xin" ];
};
idm_people_self_mail_write = {
members = [ ];
};
};
persons = {
xin = {
displayName = "Xinyang Li";
mailAddresses = [ "lixinyang411@gmail.com" ];
};
zhuo = {
displayName = "Zhuo";
mailAddresses = [ "13681104320@163.com" ];
};
ycm = {
displayName = "Chunming";
mailAddresses = [ "chunmingyou@gmail.com" ];
};
yzl = {
displayName = "Zhengli Yang";
mailAddresses = [ "13391935399@189.cn" ];
};
};
systems.oauth2 = {
forgejo = {
displayName = "ForgeJo";
originUrl = "https://${forgejoDomain}/user/oauth2/kanidm/callback";
originLanding = "https://${forgejoDomain}/user/oauth2/kanidm";
allowInsecureClientDisablePkce = true;
scopeMaps = {
forgejo-access = [
"openid"
"email"
"profile"
"groups"
];
};
claimMaps = {
forgejo_role = {
joinType = "array";
valuesByGroup = {
forgejo-access = [ "Access" ];
forgejo-admin = [ "Admin" ];
};
};
};
};
gts = {
displayName = "GoToSocial";
originUrl = "https://xinyang.life/auth/callback";
originLanding = "https://xinyang.life/auth/callback";
allowInsecureClientDisablePkce = true;
scopeMaps = {
gts-users = [
"openid"
"email"
"profile"
"groups"
];
};
};
gotosocial = {
displayName = "GoToSocial";
originUrl = "${gotosocialUrl}/auth/callback";
originLanding = "${gotosocialUrl}/auth/callback";
allowInsecureClientDisablePkce = true;
scopeMaps = {
gts-users = [
"openid"
"email"
"profile"
"groups"
];
};
};
# It's used for all the clients. I'm too lazy to change the name.
owncloud-android = {
displayName = "ownCloud Apps";
originLanding = "https://drive.xinyang.life:8443/";
originUrl = [
"http://localhost:38622/"
"http://localhost:43580/"
"https://drive.xinyang.life:8443/"
# TODO: Should allow mobile redirect url not ending with /
# "oc://android.owncloud.com"
];
public = true;
preferShortUsername = true;
scopeMaps = {
ocis-users = [
"openid"
"email"
"profile"
"offline_access"
];
};
};
hedgedoc = {
displayName = "HedgeDoc";
originUrl = "https://${hedgedocDomain}/auth/oauth2/callback";
originLanding = "https://${hedgedocDomain}/auth/oauth2";
allowInsecureClientDisablePkce = true;
scopeMaps = {
hedgedoc-users = [
"openid"
"email"
"profile"
];
};
};
immich = {
displayName = "Immich";
originUrl = [
"https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"
"https://immich.xinyang.life:8000/auth/login"
"https://immich.xinyang.life:8000/user-settings"
"https://immich.xiny.li:8443/api/oauth/mobile-redirect/"
"https://immich.xiny.li:8443/auth/login"
"https://immich.xiny.li:8443/user-settings"
];
originLanding = "https://immich.xiny.li:8443/auth/login?autoLaunch=0";
allowInsecureClientDisablePkce = true;
scopeMaps = {
immich-users = [
"openid"
"email"
"profile"
];
};
};
miniflux = {
displayName = "Miniflux";
originUrl = "${minifluxUrl}/oauth2/oidc/callback";
originLanding = "${minifluxUrl}/oauth2/oidc/redirect";
scopeMaps = {
miniflux-users = [
"openid"
"email"
"profile"
];
};
};
grafana = {
displayName = "Grafana";
originUrl = "${grafanaUrl}/login/generic_oauth";
originLanding = "${grafanaUrl}/";
scopeMaps = {
grafana-users = [
"openid"
"email"
"profile"
"groups"
];
};
claimMaps = {
grafana_role = {
joinType = "array";
valuesByGroup = {
grafana-superadmins = [ "GrafanaAdmin" ];
grafana-admins = [ "Admin" ];
grafana-editors = [ "Editor" ];
};
};
};
};
synapse = {
displayName = "Synapse";
originUrl = "${synapseDelegateUrl}/_synapse/client/oidc/callback";
originLanding = "${synapseDelegateUrl}/";
scopeMaps = {
synapse-users = [
"openid"
"profile"
];
};
};
};
};
}

54
machines/biotite/services/kanidm.nix Normal file
View file

@ -0,0 +1,54 @@
{
config,
pkgs,
lib,
...
}:
let
kanidm_listen_port = 5324;
inherit (config.my-lib.settings) idpUrl;
in
{
imports = [
./kanidm-provision.nix
];
security.acme = {
acceptTerms = true;
certs.${idpUrl} = {
email = "lixinyang411@gmail.com";
listenHTTP = "127.0.0.1:1360";
group = "kanidm";
};
};
services.kanidm = {
package = pkgs.kanidm.withSecretProvisioning;
enableServer = true;
serverSettings = {
domain = idpUrl;
origin = "https://${idpUrl}";
bindaddress = "[::]:${toString kanidm_listen_port}";
tls_key = ''${config.security.acme.certs.${idpUrl}.directory}/key.pem'';
tls_chain = ''${config.security.acme.certs.${idpUrl}.directory}/fullchain.pem'';
online_backup.versions = 7;
# db_path = "/var/lib/kanidm/kanidm.db";
};
};
services.caddy = {
enable = true;
virtualHosts."http://${idpUrl}".extraConfig = ''
reverse_proxy ${config.security.acme.certs.${idpUrl}.listenHTTP}
'';
virtualHosts."https://${idpUrl}".extraConfig = ''
reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} {
header_up Host {upstream_hostport}
header_down Access-Control-Allow-Origin "*"
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
}
}
'';
};
}

2
machines/biotite/services/miniflux.nix
View file

@ -17,7 +17,7 @@ in
OAUTH2_CLIENT_ID = "miniflux"; OAUTH2_CLIENT_ID = "miniflux";
OAUTH2_CLIENT_SECRET_FILE = "%d/oauth2_secret"; OAUTH2_CLIENT_SECRET_FILE = "%d/oauth2_secret";
OAUTH2_REDIRECT_URL = "${minifluxUrl}/oauth2/oidc/callback"; OAUTH2_REDIRECT_URL = "${minifluxUrl}/oauth2/oidc/callback";
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "${idpUrl}/oauth2/openid/miniflux"; OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://${idpUrl}/oauth2/openid/miniflux";
OAUTH2_USER_CREATION = 1; OAUTH2_USER_CREATION = 1;
CREATE_ADMIN = 0; CREATE_ADMIN = 0;
}; };

8
machines/biotite/services/synapse.nix
View file

@ -85,11 +85,11 @@ in
oidc_providers = [ oidc_providers = [
{ {
idp_id = "Kanidm"; idp_id = "Kanidm";
idp_name = lib.removePrefix "https://" idpUrl; idp_name = idpUrl;
issuer = "${idpUrl}/oauth2/openid/synapse"; issuer = "${idpUrl}/oauth2/openid/synapse";
authorization_endpoint = "${idpUrl}/ui/oauth2"; authorization_endpoint = "https://${idpUrl}/ui/oauth2";
token_endpoint = "${idpUrl}/oauth2/token"; token_endpoint = "https://${idpUrl}/oauth2/token";
userinfo_endpoint = "${idpUrl}/oauth2/openid/synapse/userinfo"; userinfo_endpoint = "https://${idpUrl}/oauth2/openid/synapse/userinfo";
client_id = "synapse"; client_id = "synapse";
client_secret_path = config.sops.secrets."synapse/oidc_client_secret".path; client_secret_path = config.sops.secrets."synapse/oidc_client_secret".path;
scopes = [ scopes = [

3
machines/calcite/configuration.nix
View file

@ -6,6 +6,7 @@
}: }:
let let
inherit (lib) mkForce getExe; inherit (lib) mkForce getExe;
inherit (config.my-lib.settings) idpUrl;
in in
{ {
imports = [ imports = [
@ -223,7 +224,7 @@ in
services.kanidm = { services.kanidm = {
enableClient = true; enableClient = true;
clientSettings = { clientSettings = {
uri = "https://auth.xinyang.life"; uri = "https://${idpUrl}";
}; };
}; };

7
machines/weilite/services/immich.nix
View file

@ -3,11 +3,14 @@
... ...
}: }:
let let
inherit (config.my-lib.settings) idpUrl;
user = config.systemd.services.immich-server.serviceConfig.User; user = config.systemd.services.immich-server.serviceConfig.User;
immichUrl = "immich.xiny.li:8443";
jsonSettings = { jsonSettings = {
oauth = { oauth = {
enabled = true; enabled = true;
issuerUrl = "https://auth.xinyang.life/oauth2/openid/immich/"; issuerUrl = "https://${idpUrl}/oauth2/openid/immich/";
clientId = "immich"; clientId = "immich";
clientSecret = config.sops.placeholder."immich/oauth_client_secret"; clientSecret = config.sops.placeholder."immich/oauth_client_secret";
scope = "openid email profile"; scope = "openid email profile";
@ -16,7 +19,7 @@ let
buttonText = "Login with Kanidm"; buttonText = "Login with Kanidm";
autoLaunch = true; autoLaunch = true;
mobileOverrideEnabled = true; mobileOverrideEnabled = true;
mobileRedirectUri = "https://immich.xinyang.life:8000/api/oauth/mobile-redirect/"; mobileRedirectUri = "https://${immichUrl}/api/oauth/mobile-redirect/";
}; };
passwordLogin = { passwordLogin = {
enabled = false; enabled = false;

8
modules/nixos/common-settings/auth.nix
View file

@ -11,6 +11,8 @@ let
mkEnableOption mkEnableOption
; ;
inherit (config.my-lib.settings) idpUrl;
cfg = config.commonSettings.auth; cfg = config.commonSettings.auth;
in in
{ {
@ -22,7 +24,7 @@ in
services.kanidm = { services.kanidm = {
enableClient = true; enableClient = true;
clientSettings = { clientSettings = {
uri = "https://auth.xinyang.life"; uri = "https://${idpUrl}";
}; };
enablePam = true; enablePam = true;
unixSettings = { unixSettings = {
@ -45,11 +47,11 @@ in
environment.etc."ssh/auth" = { environment.etc."ssh/auth" = {
mode = "0555"; mode = "0555";
text = '' text = ''
#!${pkgs.stdenv.shell} #!/bin/sh
${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1 ${pkgs.kanidm}/bin/kanidm_ssh_authorizedkeys $1
''; '';
}; };
users.groups.wheel.members = [ "xin@auth.xinyang.life" ]; users.groups.wheel.members = [ "xin@${idpUrl}" ];
users.groups.kanidm-ssh-runner = { }; users.groups.kanidm-ssh-runner = { };
users.users.kanidm-ssh-runner = { users.users.kanidm-ssh-runner = {
isSystemUser = true; isSystemUser = true;

6
modules/nixos/monitor/grafana.nix
View file

@ -22,9 +22,9 @@ in
name = "Kanidm"; name = "Kanidm";
client_id = "grafana"; client_id = "grafana";
scopes = "openid,profile,email,groups"; scopes = "openid,profile,email,groups";
auth_url = "${idpUrl}/ui/oauth2"; auth_url = "https://${idpUrl}/ui/oauth2";
token_url = "${idpUrl}/oauth2/token"; token_url = "https://${idpUrl}/oauth2/token";
api_url = "${idpUrl}/oauth2/openid/grafana/userinfo"; api_url = "https://${idpUrl}/oauth2/openid/grafana/userinfo";
use_pkce = true; use_pkce = true;
use_refresh_token = true; use_refresh_token = true;
allow_sign_up = true; allow_sign_up = true;

10
modules/nixos/monitor/loki.nix
View file

@ -15,6 +15,7 @@ let
; ;
inherit (config.my-lib.settings) inherit (config.my-lib.settings)
alertmanagerPort alertmanagerPort
internalDomain
; ;
cfg = config.custom.monitoring; cfg = config.custom.monitoring;
lokiPort = 3100; lokiPort = 3100;
@ -94,16 +95,17 @@ in
rulerFile = pkgs.writeText "ruler.yml" (builtins.toJSON rulerConfig); rulerFile = pkgs.writeText "ruler.yml" (builtins.toJSON rulerConfig);
in in
mkIf cfg.loki.enable { mkIf cfg.loki.enable {
systemd.services.loki.serviceConfig.After = "tailscaled.service";
services.loki = { services.loki = {
enable = true; enable = true;
configuration = { configuration = {
auth_enabled = false; auth_enabled = false;
server.http_listen_address = "${config.networking.hostName}.coho-tet.ts.net"; server.http_listen_address = "${config.networking.hostName}.${internalDomain}";
server.http_listen_port = lokiPort; server.http_listen_port = lokiPort;
common = { common = {
ring = { ring = {
instance_addr = "${config.networking.hostName}.coho-tet.ts.net"; instance_addr = "${config.networking.hostName}.${internalDomain}";
kvstore.store = "inmemory"; kvstore.store = "inmemory";
}; };
replication_factor = 1; replication_factor = 1;
@ -160,7 +162,7 @@ in
configuration = { configuration = {
server = { server = {
http_listen_address = "${config.networking.hostName}.coho-tet.ts.net"; http_listen_address = "${config.networking.hostName}.${internalDomain}";
http_listen_port = 28183; http_listen_port = 28183;
grpc_listen_port = 0; grpc_listen_port = 0;
}; };
@ -169,7 +171,7 @@ in
clients = [ clients = [
{ {
url = "http://thorite.coho-tet.ts.net:${toString lokiPort}/loki/api/v1/push"; url = "http://thorite.${internalDomain}:${toString lokiPort}/loki/api/v1/push";
} }
]; ];

2
overlays/my-lib/settings.nix
View file

@ -1,7 +1,7 @@
{ {
settings = { settings = {
alertmanagerPort = 9093; alertmanagerPort = 9093;
idpUrl = "https://auth.xinyang.life"; idpUrl = "auth.xiny.li";
gotosocialUrl = "https://gts.xiny.li"; gotosocialUrl = "https://gts.xiny.li";
minifluxUrl = "https://rss.xiny.li"; minifluxUrl = "https://rss.xiny.li";
hedgedocDomain = "docs.xiny.li"; hedgedocDomain = "docs.xiny.li";