diff --git a/flake.lock b/flake.lock
index d808b79..2392682 100644
--- a/flake.lock
+++ b/flake.lock
@@ -116,11 +116,11 @@
 },
 "catppuccin": {
 "locked": {
- "lastModified": 1728407414,
- "narHash": "sha256-B8LaxUP93eh+it8RW1pGq4SsU2kj7f0ipzFuhBvpON8=",
+ "lastModified": 1726952185,
+ "narHash": "sha256-l/HbsQjJMT6tlf8KCooFYi3J6wjIips3n6/aWAoLY4g=",
 "owner": "catppuccin",
 "repo": "nix",
- "rev": "96cf8b4a05fb23a53c027621b1147b5cf9e5439f",
+ "rev": "630b559cc1cb4c0bdd525af506935323e4ccd5d1",
 "type": "github"
 },
 "original": {
@@ -143,11 +143,11 @@
 ]
 },
 "locked": {
- "lastModified": 1728263678,
- "narHash": "sha256-gyUVsPAWY9AgVKjrNPoowrIr5BvK4gI0UkDXvv8iSxA=",
+ "lastModified": 1711386353,
+ "narHash": "sha256-gWEpb8Hybnoqb4O4tmpohGZk6+aerAbJpywKcFIiMlg=",
 "owner": "zhaofengli",
 "repo": "colmena",
- "rev": "b0a62f234fae02a006123e661ff70e62af16106b",
+ "rev": "cd65ef7a25cdc75052fbd04b120aeb066c3881db",
 "type": "github"
 },
 "original": {
@@ -433,11 +433,11 @@
 ]
 },
 "locked": {
- "lastModified": 1728791962,
- "narHash": "sha256-nr5QiXwQcZmf6/auC1UpX8iAtINMtdi2mH+OkqJQVmU=",
+ "lastModified": 1727111745,
+ "narHash": "sha256-EYLvFRoTPWtD+3uDg2wwQvlz88OrIr3zld+jFE5gDcY=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "64c6325b28ebd708653dd41d88f306023f296184",
+ "rev": "21c021862fa696c8199934e2153214ab57150cb6",
 "type": "github"
 },
 "original": {
@@ -540,11 +540,11 @@
 ]
 },
 "locked": {
- "lastModified": 1728790083,
- "narHash": "sha256-grMdAd4KSU6uPqsfLzA1B/3pb9GtGI9o8qb0qFzEU/Y=",
+ "lastModified": 1726975622,
+ "narHash": "sha256-bPDZosnom0+02ywmMZAvmj7zvsQ6mVv/5kmvSgbTkaY=",
 "owner": "Mic92",
 "repo": "nix-index-database",
- "rev": "5c54c33aa04df5dd4b0984b7eb861d1981009b22",
+ "rev": "c7515c2fdaf2e1f3f49856cef6cec95bb2138417",
 "type": "github"
 },
 "original": {
@@ -564,11 +564,11 @@
 ]
 },
 "locked": {
- "lastModified": 1728179514,
- "narHash": "sha256-mOGZFPYm9SuEXnYiXhgs/JmLu7RofRaMpAYyJiWudkc=",
+ "lastModified": 1727142313,
+ "narHash": "sha256-uEkvjrMOmQiGMw2m7iAHZDE82Wt+i3P65+dFmgpBbAM=",
 "owner": "nix-community",
 "repo": "nix-vscode-extensions",
- "rev": "018196c371073d669510fd69dd2f6dc0ec608c41",
+ "rev": "487e99ffa42d57de53eba5ca4b60cd95fb442c42",
 "type": "github"
 },
 "original": {
@@ -579,11 +579,11 @@
 },
 "nixos-hardware": {
 "locked": {
- "lastModified": 1728729581,
- "narHash": "sha256-oazkQ/z7r43YkDLLQdMg8oIB3CwWNb+2ZrYOxtLEWTQ=",
+ "lastModified": 1727040444,
+ "narHash": "sha256-19FNN5QT9Z11ZUMfftRplyNN+2PgcHKb3oq8KMW/hDA=",
 "owner": "NixOS",
 "repo": "nixos-hardware",
- "rev": "a8dd1b21995964b115b1e3ec639dd6ce24ab9806",
+ "rev": "d0cb432a9d28218df11cbd77d984a2a46caeb5ac",
 "type": "github"
 },
 "original": {
@@ -623,11 +623,11 @@
 },
 "nixpkgs-stable": {
 "locked": {
- "lastModified": 1728740863,
- "narHash": "sha256-u+rxA79a0lyhG+u+oPBRtTDtzz8kvkc9a6SWSt9ekVc=",
+ "lastModified": 1726969270,
+ "narHash": "sha256-8fnFlXBgM/uSvBlLWjZ0Z0sOdRBesyNdH0+esxqizGc=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "a3f9ad65a0bf298ed5847629a57808b97e6e8077",
+ "rev": "23cbb250f3bf4f516a2d0bf03c51a30900848075",
 "type": "github"
 },
 "original": {
@@ -639,11 +639,11 @@
 },
 "nixpkgs-stable_2": {
 "locked": {
- "lastModified": 1728156290,
- "narHash": "sha256-uogSvuAp+1BYtdu6UWuObjHqSbBohpyARXDWqgI12Ss=",
+ "lastModified": 1725762081,
+ "narHash": "sha256-vNv+aJUW5/YurRy1ocfvs4q/48yVESwlC/yHzjkZSP8=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "17ae88b569bb15590549ff478bab6494dde4a907",
+ "rev": "dc454045f5b5d814e5862a6d057e7bb5c29edc05",
 "type": "github"
 },
 "original": {
@@ -655,11 +655,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1728875381,
- "narHash": "sha256-AS9lhq7s3WWfuX8/oHN8c1qoVDFZaL9BO33eWoU9YzY=",
+ "lastModified": 1727147895,
+ "narHash": "sha256-2YZYrtEqQlPT77i6F3PSfA6pHeC62Q94u+c5N26BbNo=",
 "owner": "xinyangli",
 "repo": "nixpkgs",
- "rev": "6e5bbf8c5a13f682d0d223b8c109e270fed721d8",
+ "rev": "1b7b0516e42e87d04944092f04e85a393f12e3a8",
 "type": "github"
 },
 "original": {
@@ -713,11 +713,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1728871971,
- "narHash": "sha256-9DA3YgtiAC7ADY0Qsjnz95R8jebLJQcdg37dZIgEtdI=",
+ "lastModified": 1727146799,
+ "narHash": "sha256-EgTExhm77mFu0dNkl4A9LaVYwZYcx62hIG1Q7IJbzzg=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "97bf2fe3008121ebd4a71ffc01ddd6bb8a6345c2",
+ "rev": "819ed7a5b7dfec428810dfa1403d4fcb5cad44f3",
 "type": "github"
 },
 "original": {
@@ -774,11 +774,11 @@
 "nixpkgs-stable": "nixpkgs-stable_2"
 },
 "locked": {
- "lastModified": 1728345710,
- "narHash": "sha256-lpunY1+bf90ts+sA2/FgxVNIegPDKCpEoWwOPu4ITTQ=",
+ "lastModified": 1726524647,
+ "narHash": "sha256-qis6BtOOBBEAfUl7FMHqqTwRLB61OL5OFzIsOmRz2J4=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "06535d0e3d0201e6a8080dd32dbfde339b94f01b",
+ "rev": "e2d404a7ea599a013189aa42947f66cede0645c8",
 "type": "github"
 },
 "original": {
diff --git a/machines/calcite/configuration.nix b/machines/calcite/configuration.nix
index 4601e8c..f397b7a 100644
--- a/machines/calcite/configuration.nix
+++ b/machines/calcite/configuration.nix
@@ -126,11 +126,7 @@
 # Enable CUPS to print documents. services.printing.enable = true; - services.printing.drivers = [ pkgs.hplip pkgs.gutenprintBin pkgs.canon-cups-ufr2 ]; + # services.printing.drivers = [ pkgs.hplip ]; hardware.pulseaudio.enable = false; security.rtkit.enable = true;
@@ -184,7 +180,6 @@ # List packages installed in system profile. To search, run: # $ nix search wget environment.systemPackages = with pkgs; [ - imhex oidc-agent # Filesystem (owncloud-client.overrideAttrs ( @@ -192,8 +187,8 @@ src = pkgs.fetchFromGitHub { owner = "xinyangli"; repo = "client"; - rev = "780d1c4c8bf02be42e118c792ff833ab10c2fdcc"; - hash = "sha256-pEwcGJI9sN9nooW/RQHmi52Du6yzofgZeB8PcjwPtZ8="; + rev = "e5ec2d68077361f1597b137a944884dda5574487"; + hash = "sha256-xs8g7DdL1VxArK3n1c/9k7nW2vwYRHRuz6zaeX7E3eM="; }; } )) diff --git a/machines/massicot/kanidm-provision.nix b/machines/massicot/kanidm-provision.nix index b7702de..91f86d2 100644 --- a/machines/massicot/kanidm-provision.nix +++ b/machines/massicot/kanidm-provision.nix @@ -118,18 +118,31 @@ ]; }; }; - # It's used for all the clients. I'm too lazy to change the name. + owncloud = { + displayName = "ownCloud"; + originUrl = "https://drive.xinyang.life:8443/"; + originLanding = "https://drive.xinyang.life:8443/"; + public = true; + preferShortUsername = true; + scopeMaps = { + ocis-users = [ + "openid" + "email" + "profile" + ]; + }; + }; + owncloud-android = { displayName = "ownCloud Apps"; originLanding = "https://drive.xinyang.life:8443/"; originUrl = [ - "http://localhost:38622/" - "http://localhost:43580/" - "https://drive.xinyang.life:8443/" + "http://localhost/" + "http://127.0.0.1/" # TODO: Should allow mobile redirect url not ending with / # "oc://android.owncloud.com" ]; - public = true; + basicSecretFile = config.sops.secrets."kanidm/ocis_android_secret".path; preferShortUsername = true; scopeMaps = { ocis-users = [ diff --git a/machines/massicot/secrets.yaml b/machines/massicot/secrets.yaml index 0f4bbdc..302df3b 100644 --- a/machines/massicot/secrets.yaml +++ b/machines/massicot/secrets.yaml 
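Review bot: `basicSecretFile = config.sops.secrets."kanidm/ocis_android_secret".path` turns `owncloud-android` into a confidential client, but an app installed on phones that redirects to `http://localhost/` / `http://127.0.0.1/` cannot keep that secret confidential, so treat it as public knowledge and confirm PKCE is still enforced for this client rather than relying on the secret. The `sops.secrets."kanidm/ocis_android_secret"` declaration (owned by the kanidm service user so it can read the file) is not in the visible hunks; presumably it lives elsewhere, since without it the reference fails at evaluation. The secrets.yaml hunk in this commit also adds `ocis_desktop_secret`, which no visible hunk references, while the new `owncloud` client stays `public = true` — either wire it in or drop it so an unused secret does not linger in the encrypted file. A comment such as `# Mobile app: the secret ships inside the client binary; PKCE is the real protection` above `basicSecretFile` would record the intent. The enclosing clients attribute set starts and ends outside the hunk.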
@@ -9,6 +9,9 @@ forgejo: restic: repo: ENC[AES256_GCM,data:/vybkTU7LMWSlco9W2pJouU9wm4okXClSHXQMCA6SGIHWp4Ppl6C+jS4sNJALc6ntKzcEHyWO/R3JPjQKjZNH4YtrnNQp/ZY9g==,iv:gAvp6blg5JuBKzLw6YSgM1Uc24Aesov3ttCRXZXBvJw=,tag:pvH1y6BFOl7jIn/qQejUbQ==,type:str] password: ENC[AES256_GCM,data:5eIIBtGtBFwcAQ+ZwTYOtg==,iv:3GEM8Imu0i1aTwwSspvz2EzwJOXUC/b15hzkFFuZ+YY=,tag:wscba+nMtshldgUtcEKnOw==,type:str] +kanidm: + ocis_android_secret: ENC[AES256_GCM,data:vuEIvBEhIME+C/s3xoskddtf5nogC9nPq+HUyyAl3u9nvH3bTzUkfE/1wolaCLeeupnD3pDokdRyKzjEmoZACQ==,iv:cmx/0i23p1uEI0oAiWdcvGRq4+075+VuAMkFSfXzfso=,tag:yVnqz16L5kyW9vAVng53pA==,type:str] + ocis_desktop_secret: ENC[AES256_GCM,data:WTfUQzTB9An9p9xof2nuIkD5mYzMaisS62Cv86zX05rkB/wXmTnZiY7ztUoN9OmhGoPgeZg0+d+Jo6bV1hoqlw==,iv:V4iqtYIOcyDXIijcD0IXqpaSs2rxyWiOSZGer/BFSe4=,tag:1nCU1KmWQcY5ZXjlzhxaQQ==,type:str] sops: kms: [] gcp_kms: [] @@ -33,8 +36,8 @@ sops: dnFBa0lDWWZtS1BHdzBoVzNTaGNkSEEKi/W1n7RT8NpTp00SBMwxsUJAPDhumJ/i V2VnaSNwouD3SswTcoBzqQpBP9XrqzjIYGke90ZODFQbMY9WDQ+O0g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-09-30T07:19:35Z" - mac: ENC[AES256_GCM,data:WSGvA1RkChrD07Sf4BFVMbdTXQYxAHeGGQ52e+pnPh0lZPOzMc9sLDrBPqDK2OfrHC+hK8RC7FxQTGs6G/oBB4nUzIZPn9WycTiU5elwWDfktizH0gr3EJDm7Gs+bTWQpwdoJZGZ8XErK+yegCaKL5cSOSTlBBbQOnZfnoNBg5c=,iv:xyJRFfxHC2xV0ro4CbdOPau1zORxA64OqpvKr4aFZvQ=,tag:c9NA90d5WTK2pfxwoyOX5A==,type:str] + lastmodified: "2024-09-14T05:48:04Z" + mac: ENC[AES256_GCM,data:zdGdvk2pMaZYUsTI9XsSUpgtWrNmZNPg7KoV0zAt19h7Qccu3OGTSfXD+rhhhxhhWgBohGIhDVAVQcORnAw1Y/ykgqxERCANuzoBvvR1eKfPcRNiCEr2dmUAybDF7B2MWKlJ5Fsnpk/caK717Fe8XdAJDuplFwmMWi2c1c61/NQ=,iv:KPQTGzFQH+CQmLeXBzMSbU4lVH0/Wc6CeTp6w/pMMOY=,tag:UVA+sQwQa2bpy2/woBgAkQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.0 diff --git a/machines/massicot/services.nix b/machines/massicot/services.nix index 4be75c5..dfdac4d 100644 --- a/machines/massicot/services.nix +++ b/machines/massicot/services.nix 
@@ -268,15 +268,33 @@ in virtualHosts."http://auth.xinyang.life:80".extraConfig = '' reverse_proxy ${config.security.acme.certs."auth.xinyang.life".listenHTTP} ''; - virtualHosts."https://auth.xinyang.life".extraConfig = '' - reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} { - header_up Host {upstream_hostport} - header_down Access-Control-Allow-Origin "*" - transport http { - tls_server_name ${config.services.kanidm.serverSettings.domain} + virtualHosts."https://auth.xinyang.life".extraConfig = + let + reverseProxyKanidm = '' + reverse_proxy https://127.0.0.1:${toString kanidm_listen_port} { + header_up Host {upstream_hostport} + header_down Access-Control-Allow-Origin "*" + transport http { + tls_server_name ${config.services.kanidm.serverSettings.domain} + } } - } - ''; + ''; + in + '' + reverse_proxy /oauth2/openid/owncloud/userinfo https://127.0.0.1:${toString kanidm_listen_port} { + header_up Host {upstream_hostport} + header_down Access-Control-Allow-Origin "*" + transport http { + tls_server_name ${config.services.kanidm.serverSettings.domain} + } + @error status 400 + handle_response @error { + rewrite /oauth2/openid/owncloud/userinfo /oauth2/openid/owncloud-android/userinfo + ${reverseProxyKanidm} + } + } + ${reverseProxyKanidm} + ''; virtualHosts."https://rss.xinyang.life".extraConfig = '' reverse_proxy ${config.custom.miniflux.environment.LISTEN_ADDR} diff --git a/machines/weilite/services/ocis.nix b/machines/weilite/services/ocis.nix index dfd4c50..7438591 100644 --- a/machines/weilite/services/ocis.nix +++ b/machines/weilite/services/ocis.nix 
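Review bot: The new `handle_response @error` block re-sends any `/oauth2/openid/owncloud/userinfo` request that came back 400 to `/oauth2/openid/owncloud-android/userinfo`, so a bearer token the `owncloud` client rejected is presented to a different OAuth client's userinfo endpoint; if that 400 is Kanidm refusing a token minted for another client, the proxy is deliberately bridging the per-client token boundary and that should be written next to the matcher, e.g. `# Fallback: tokens minted for the owncloud-android client must also be usable by oCIS (issuer mismatch workaround)`. `status 400` also matches every malformed request, not only the cross-client case, so consider narrowing the retry if Kanidm's error body or code lets you. Style-wise the inline `reverse_proxy ... transport http { ... }` stanza repeats the five lines of `reverseProxyKanidm` with a path prefix and the matcher added; letting the `let` binding take the path (or an extra-directives string) would keep a single copy. The enclosing `let ... in` expression and the `virtualHosts` attribute set begin before the hunk.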
@@ -15,20 +15,21 @@ OCIS_LOG_PRETTY = "true"; PROXY_AUTOPROVISION_ACCOUNTS = "true"; PROXY_USER_OIDC_CLAIM = "preferred_username"; - PROXY_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud-android"; - PROXY_OIDC_REWRITE_WELLKNOWN = "true"; + PROXY_OIDC_ISSUER = "https://auth.xinyang.life/oauth2/openid/owncloud"; + PROXY_OIDC_REWRITE_WELLKNOWN = "false"; PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none"; OCIS_EXCLUDE_RUN_SERVICES = "idp"; WEB_HTTP_ADDR = "127.0.0.1:12345"; - WEB_OIDC_METADATA_URL = "https://auth.xinyang.life/oauth2/openid/owncloud-android/.well-known/openid-configuration"; - WEB_OIDC_AUTHORITY = "https://auth.xinyang.life/oauth2/openid/owncloud-android"; - WEB_OIDC_CLIENT_ID = "owncloud-android"; + WEB_OIDC_METADATA_URL = "https://auth.xinyang.life/oauth2/openid/owncloud/.well-known/openid-configuration"; + WEB_OIDC_AUTHORITY = "https://auth.xinyang.life/oauth2/openid/owncloud"; + WEB_OIDC_CLIENT_ID = "owncloud"; }; # environmentFile = config.sops.secrets."ocis/env".path; }; networking.firewall.allowedTCPPorts = [ 8443 ]; services.caddy.virtualHosts."${config.services.ocis.url}".extraConfig = '' + redir /.well-known/openid-configuration https://auth.xinyang.life/oauth2/openid/owncloud-android/.well-known/openid-configuration permanent reverse_proxy ${config.services.ocis.address}:${toString config.services.ocis.port} ''; }
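Review bot: The added `redir /.well-known/openid-configuration ... /owncloud-android/... permanent` makes the oCIS origin advertise the `owncloud-android` issuer while `PROXY_OIDC_ISSUER` and `WEB_OIDC_AUTHORITY` on the same host are switched to `.../owncloud`, so the resource server trusts one issuer and tells discovering clients to use another — presumably why the userinfo rewrite exists in services.nix. That split deserves a comment on the `redir` line, e.g. `# Native clients discover OIDC through this origin and must land on the owncloud-android client; web and proxy use the owncloud client`, so a later edit does not "fix" one side without the other. The unchanged `PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD = "none"` suggests the proxy is not checking issuer or signature on access tokens itself, leaving the userinfo call as the only check; if the cross-issuer setup is intended, say so there. `PROXY_OIDC_REWRITE_WELLKNOWN = "false"` is flipped without explanation and a one-line reason would help.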