From 2d9feaa634da42bca2fdc35efd89d7dc0d94a647 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Jana=20D=C3=B6nszelmann?= Date: Tue, 19 Aug 2025 21:12:39 +0200 Subject: [PATCH] auth and git --- .sops.yaml | 7 + fili/lib/auth.nix | 19 ++ fili/services/auth/default.nix | 6 + fili/services/auth/kanidm.nix | 45 +++ fili/services/auth/oauth2-proxy.nix | 50 +++ fili/services/databases.nix | 4 + fili/services/default.nix | 6 +- fili/services/forgejo.nix | 76 +++++ fili/services/homepage.nix | 3 - fili/services/media/torrent.nix | 7 +- fili/services/nginx.nix | 2 +- fili/services/reviewqueue.nix | 0 fili/services/websites/default.nix | 9 + fili/services/websites/harmonica-tabs.nix | 29 ++ fili/services/websites/homepage.nix | 22 ++ fili/services/websites/mapf.nix | 29 ++ fili/services/websites/reviewqueue.nix | 38 +++ fili/services/websites/totpal.nix | 28 ++ flake.lock | 374 +++++++++++++++++++++- flake.nix | 13 +- secrets/forgejo.yaml | 16 + secrets/oauth2-proxy.env | 8 + secrets/reviewqueue.env | 11 + users/users.nix | 1 + 24 files changed, 787 insertions(+), 16 deletions(-) create mode 100644 .sops.yaml create mode 100644 fili/lib/auth.nix create mode 100644 fili/services/auth/default.nix create mode 100644 fili/services/auth/kanidm.nix create mode 100644 fili/services/auth/oauth2-proxy.nix create mode 100644 fili/services/forgejo.nix delete mode 100644 fili/services/homepage.nix delete mode 100644 fili/services/reviewqueue.nix create mode 100644 fili/services/websites/default.nix create mode 100644 fili/services/websites/harmonica-tabs.nix create mode 100644 fili/services/websites/homepage.nix create mode 100644 fili/services/websites/mapf.nix create mode 100644 fili/services/websites/reviewqueue.nix create mode 100644 fili/services/websites/totpal.nix create mode 100644 secrets/forgejo.yaml create mode 100644 secrets/oauth2-proxy.env create mode 100644 secrets/reviewqueue.env diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..eb54ef9 --- /dev/null 
+++ b/.sops.yaml @@ -0,0 +1,7 @@ +keys: + - &jana age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw +creation_rules: + - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$ + key_groups: + - age: + - *jana diff --git a/fili/lib/auth.nix b/fili/lib/auth.nix new file mode 100644 index 0000000..7a58668 --- /dev/null +++ b/fili/lib/auth.nix @@ -0,0 +1,19 @@ +{ baseUrl, clientId }: { + inherit clientId; + + userAuthUrl = "${baseUrl}/ui/oauth2"; + apiAuthUrl = "${baseUrl}/oauth2/authorise"; + tokenUrl = "${baseUrl}/oauth2/token"; + + rfc7662TokenIntrospectionUrl = "${baseUrl}/oauth2/token/introspect"; + rfc7009TokenRevokeUrl = "${baseUrl}/oauth2/token/revoke"; + + oauth2Rfc8414Discovery = "${baseUrl}/oauth2/openid/${clientId}/.well-known/oauth-authorization-server"; + + oidcIssuerUri = "${baseUrl}/oauth2/openid/${clientId}"; + oidcDiscovery = "${baseUrl}/oauth2/openid/${clientId}/.well-known/openid-configuration"; + + oidcUserInfo = "${baseUrl}/oauth2/openid/${clientId}/userinfo"; + oidcTokenSigningPubkey = "${baseUrl}/openid/${clientId}/public_key.jwk"; + +} diff --git a/fili/services/auth/default.nix b/fili/services/auth/default.nix new file mode 100644 index 0000000..a96e992 --- /dev/null +++ b/fili/services/auth/default.nix @@ -0,0 +1,6 @@ +_: { + imports = [ + ./kanidm.nix + ./oauth2-proxy.nix + ]; +} diff --git a/fili/services/auth/kanidm.nix b/fili/services/auth/kanidm.nix new file mode 100644 index 0000000..afb828d --- /dev/null +++ b/fili/services/auth/kanidm.nix 
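Review bot: The only recipient under `creation_rules` is the personal `jana` age key, so the host running sops-nix can decrypt these files only if that same private key is present on the server. The usual arrangement is to add the host's own age key (derived from its SSH host key) as a second entry under `key_groups: - age:`, so that a personal key never has to live on the machine and each recipient can be rotated independently; if the host is meant to hold this key, a one-line comment next to the anchor saying so would spare the next reader the question. The `path_regex` only matches files directly under `secrets/`, which is consistent with the three secret files this commit adds.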
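Review bot: `oidcTokenSigningPubkey` is built as `${baseUrl}/openid/${clientId}/public_key.jwk`, whereas every other OIDC endpoint in this file lives under `${baseUrl}/oauth2/openid/${clientId}/…`; this looks like a dropped `/oauth2` segment, and since nothing in the commit consumes the attribute it would only surface when it is first used. Suggested: `oidcTokenSigningPubkey = "${baseUrl}/oauth2/openid/${clientId}/public_key.jwk";`. The file also deserves a header comment stating what `baseUrl` and `clientId` are — the path layout appears to be Kanidm's, and the only caller (oauth2-proxy.nix) passes `https://auth.donsz.nl` and `homeserver` — e.g. `# OAuth2/OIDC endpoint URLs exposed by the Kanidm server at baseUrl for the OAuth2 client clientId.`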
@@ -0,0 +1,45 @@ +{pkgs, config, ...}: let + lib = pkgs.lib; + domain = "auth.donsz.nl"; + port = 3013; + backupsDir = "/var/lib/kanidm/backup"; +in { + services.kanidm.enableServer = true; + services.kanidm.package = pkgs.kanidm_1_6; + services.kanidm.serverSettings = { + tls_chain = "/var/lib/acme/${domain}/fullchain.pem"; + tls_key = "/var/lib/acme/${domain}/key.pem"; + bindaddress = "[::1]:${toString port}"; + ldapbindaddress = "[::1]:3636"; + inherit domain; + origin = "https://${domain}"; + trust_x_forward_for = true; + + online_backup = { + path = backupsDir; + schedule = "0 0 * * *"; + }; + }; + + systemd.services.kanidm = { + preStart = lib.mkBefore '' + mkdir -p "${backupsDir}" + ''; + serviceConfig = { + SupplementaryGroups = + [ config.security.acme.certs.${domain}.group ]; + }; + }; + + environment.systemPackages = [pkgs.kanidm]; + + services.nginx.virtualHosts.${domain} = { + forceSSL = true; + http2 = true; + enableACME = true; + + locations."/" = { + proxyPass = "https://[::1]:${toString port}"; + }; + }; +} diff --git a/fili/services/auth/oauth2-proxy.nix b/fili/services/auth/oauth2-proxy.nix new file mode 100644 index 0000000..20cfa28 --- /dev/null +++ b/fili/services/auth/oauth2-proxy.nix 
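Review bot: `services.kanidm.package = pkgs.kanidm_1_6` pins the server, while `environment.systemPackages = [pkgs.kanidm]` installs the CLI from whatever `pkgs.kanidm` currently resolves to; Kanidm documents a compatibility window between client and server releases, so deriving both from one binding avoids drift, e.g. `environment.systemPackages = [ config.services.kanidm.package ];`. `trust_x_forward_for = true` only has an effect if the nginx location forwards the header; nginx.nix is outside this hunk, so if `services.nginx.recommendedProxySettings` is not enabled there, the `locations."/"` block needs `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` or every client is logged and rate-limited as `::1`. A short comment on why `kanidm_1_6` is pinned (and that `online_backup` keeps the server's default number of versions) would help whoever bumps it later.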
@@ -0,0 +1,50 @@ +{pkgs, config, ...}: { + sops.secrets.oauth2-proxy = { + sopsFile = ../../../secrets/oauth2-proxy.env; + }; + + services.oauth2-proxy = + let + auth = import ../../lib/auth.nix { baseUrl = "https://auth.donsz.nl"; clientId = "homeserver"; }; + in { + enable = true; + + provider = "oidc"; + clientID = "${auth.clientId}"; + oidcIssuerUrl = auth.oidcIssuerUri; + + proxyPrefix = "/oauth2"; + reverseProxy = true; + + keyFile = config.sops.secrets.oauth2-proxy.path; + + loginURL = auth.apiAuthUrl; + redeemURL = auth.tokenUrl; + validateURL = auth.rfc7662TokenIntrospectionUrl; + profileURL = auth.oidcUserInfo; + + scope = "openid profile email"; + + email.domains = [ "*" ]; + + cookie = { + domain = "donsz.nl"; + refresh = "1h"; + secure = true; + }; + + extraConfig = { + whitelist-domain = ["*.donsz.nl"]; + }; + + nginx.domain = "oauth2.donsz.nl"; + }; + + services.nginx.virtualHosts."oauth2.donsz.nl" = { + forceSSL = true; + http2 = true; + enableACME = true; + + locations."/".return = "301 https://oauth2.donsz.nl/oauth2/sign_in"; + }; +} diff --git a/fili/services/databases.nix b/fili/services/databases.nix index d123089..b6f7e84 100644 --- a/fili/services/databases.nix +++ b/fili/services/databases.nix @@ -46,6 +46,10 @@ name = "dnote"; ensureDBOwnership = true; } + { + name = "forgejo"; + ensureDBOwnership = true; + } ]; ensureDatabases = map (i: i.name) ensureUsers; }; diff --git a/fili/services/default.nix b/fili/services/default.nix index 926b54d..88e607e 100644 --- a/fili/services/default.nix +++ b/fili/services/default.nix @@ -3,8 +3,10 @@ _: { ./nginx.nix ./databases.nix ./matrix-synapse.nix - ./reviewqueue.nix - ./homepage.nix + ./forgejo.nix + ./media + ./websites + ./auth ]; } diff --git a/fili/services/forgejo.nix b/fili/services/forgejo.nix new file mode 100644 index 0000000..538cf8c --- /dev/null +++ b/fili/services/forgejo.nix 
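Review bot: `email.domains = [ "*" ]` makes oauth2-proxy accept every account the IdP issues a token for, so authorization rests entirely on how the `homeserver` client is scoped to groups inside Kanidm, which this commit does not show; `cookie.domain = "donsz.nl"` is needed for the shared `auth_request` session across subdomains (dl.donsz.nl uses it in the torrent hunk) but also delivers the session cookie to every `*.donsz.nl` vhost, protected or not. Both are defensible on a single-admin host if deliberate; if not, narrow `email.domains` or set `allowed_groups`/`allowed_emails` on each `services.oauth2-proxy.nginx.virtualHosts` entry. Minor: `clientID = "${auth.clientId}"` can simply be `clientID = auth.clientId;`. A comment above the block naming the Kanidm client and the group it is restricted to would document where authorization actually happens.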
@@ -0,0 +1,76 @@ +{ lib, pkgs, config, ... }: +let + cfg = config.services.forgejo; + srv = cfg.settings.server; +in +{ + sops.secrets.forgejo = { + sopsFile = ../../secrets/forgejo.yaml; + key="email_password"; + format = "yaml"; + }; + + users.groups.forgejo = { }; + users.users.forgejo = { + isSystemUser = true; + group = "forgejo"; + extraGroups = [ "storage" ]; + }; + + services.nginx = { + virtualHosts."git.donsz.nl" = { + forceSSL = true; + enableACME = true; + extraConfig = '' + client_max_body_size 512M; + ''; + locations."/".proxyPass = "http://[::1]:13121"; + }; + }; + + services.forgejo = { + enable = true; + lfs.enable = true; + user = "forgejo"; + group = "forgejo"; + repositoryRoot="/storage/storage/git"; + + database = { + type = "postgres"; + name = "forgejo"; + createDatabase = false; + }; + + settings = { + DEFAULT = { + APP_NAME="jana's git server"; + APP_SLOGAN="meow!"; + }; + server = { + DOMAIN = "git.donsz.nl"; + ROOT_URL = "https://git.donsz.nl/"; + HTTP_PORT = 13121; + }; + service = { + DISABLE_REGISTRATION = true; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + SHOW_REGISTRATION_BUTTON = false; + ENABLE_PASSWORD_SIGNIN_FORM = false; + }; + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "github"; + }; + repository = { + DEFAULT_PRIVATE="private"; + }; + mailer = { + ENABLED = true; + SMTP_ADDR = "smtp.fastmail.com"; + FROM = "git@donsz.nl"; + USER = "git@donsz.nl"; + }; + }; + mailerPasswordFile = config.sops.secrets.forgejo.path; + }; +} diff --git a/fili/services/homepage.nix b/fili/services/homepage.nix deleted file mode 100644 index df4e214..0000000 --- a/fili/services/homepage.nix +++ /dev/null @@ -1,3 +0,0 @@ -{inputs,...}: { - -} diff --git a/fili/services/media/torrent.nix b/fili/services/media/torrent.nix index 7189f44..4b0a0d5 100644 --- a/fili/services/media/torrent.nix +++ b/fili/services/media/torrent.nix 
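Review bot: `sops.secrets.forgejo` is declared without `owner`, so with sops-nix defaults the decrypted file is root-owned and mode 0400, yet `mailerPasswordFile` is consumed by the forgejo service, which this file runs as the unprivileged `forgejo` user; unless the module reads the file before dropping privileges, the SMTP password will be unreadable. Add `owner = "forgejo";` (or `group = "forgejo"; mode = "0440";`) to the secret. `DISABLE_REGISTRATION = true` and `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` also pull in opposite directions — Forgejo documents the first as leaving only admins able to create accounts, and if that applies to OIDC auto-registration too it defeats the second — so confirm which is intended, bearing in mind that with `ENABLE_PASSWORD_SIGNIN_FORM = false` an admin can only get in through the external source. No OAuth2 authentication source is configured here, so it is presumably set up in the admin UI; a comment stating that would help.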
@@ -66,12 +66,6 @@ ]; }; - # proxy."dl.donsz.nl" = { - # port = 9091; - # to = "192.168.15.1"; - # authenticated = true; - # }; - services.nginx = { virtualHosts."dl.donsz.nl" = { forceSSL = true; @@ -83,6 +77,7 @@ }; }; }; + services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl" = { }; systemd.services.transmission.vpnConfinement = { enable = true; diff --git a/fili/services/nginx.nix b/fili/services/nginx.nix index 3d1b7c6..e1e9279 100644 --- a/fili/services/nginx.nix +++ b/fili/services/nginx.nix @@ -1,4 +1,4 @@ -_: { +{pkgs, config, ...}: { services.nginx = { enable = true; statusPage = true; diff --git a/fili/services/reviewqueue.nix b/fili/services/reviewqueue.nix deleted file mode 100644 index e69de29..0000000 diff --git a/fili/services/websites/default.nix b/fili/services/websites/default.nix new file mode 100644 index 0000000..4cf107d --- /dev/null +++ b/fili/services/websites/default.nix @@ -0,0 +1,9 @@ +_: { + imports = [ + ./reviewqueue.nix + ./homepage.nix + ./totpal.nix + ./harmonica-tabs.nix + ./mapf.nix + ]; +} diff --git a/fili/services/websites/harmonica-tabs.nix b/fili/services/websites/harmonica-tabs.nix new file mode 100644 index 0000000..ee25d61 --- /dev/null +++ b/fili/services/websites/harmonica-tabs.nix @@ -0,0 +1,29 @@ +{ pkgs, flakes, ... }: +{ + services.nginx = { + virtualHosts."harmonica.donsz.nl" = { + forceSSL = true; + http2 = true; + enableACME = true; + + locations."/" = { + proxyPass = "http://[::1]:42424"; + }; + }; + }; + + systemd.services.harmonica-tabs = { + description = "harmonica tabs"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; + restartIfChanged = true; + + serviceConfig = { + DynamicUser = true; + ExecStart = "${flakes.harmonica.packages.${pkgs.system}.default}/bin/services"; + WorkingDirectory = "${flakes.harmonica.packages.${pkgs.system}.default}"; + Restart = "always"; + }; + }; +} 
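Review bot: `services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl" = { }` gates the transmission UI on any successful IdP login, because the proxy added in this commit is configured with `email.domains = [ "*" ]`; if only some accounts should reach it, restrict it on this entry, e.g. `services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl".allowed_groups = [ "<kanidm-group>" ];` (placeholder group name). The `services.nginx` block for the same host continues outside the hunk.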
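Review bot: The module signature changes from `_:` to `{pkgs, config, ...}:` but nothing in this hunk uses `pkgs` or `config`; the rest of nginx.nix is outside the hunk, so if they are unused there as well the change should be reverted to keep the module's declared dependencies honest.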
diff --git a/fili/services/websites/homepage.nix b/fili/services/websites/homepage.nix new file mode 100644 index 0000000..0a66c3e --- /dev/null +++ b/fili/services/websites/homepage.nix @@ -0,0 +1,22 @@ +{flakes, pkgs, ...}: { + services.nginx = { + virtualHosts."donsz.nl" = { + forceSSL = true; + http2 = true; + enableACME = true; + + locations."/" = { + root = flakes.homepage.packages.${pkgs.system}.website; + }; + }; + virtualHosts."jdonszelmann.nl" = { + forceSSL = true; + http2 = true; + enableACME = true; + + locations."/" = { + root = flakes.homepage.packages.${pkgs.system}.website; + }; + }; + }; +} diff --git a/fili/services/websites/mapf.nix b/fili/services/websites/mapf.nix new file mode 100644 index 0000000..00a6844 --- /dev/null +++ b/fili/services/websites/mapf.nix @@ -0,0 +1,29 @@ +{flakes,...}: { + # imports = [ + # flakes.mapf.nixosModules.default + # ]; + + sops.secrets.mapf = { + sopsFile = ../../../secrets/mapf-prod.env; + }; + + services.nginx = { + virtualHosts."mapf.donsz.nl" = { + forceSSL = true; + http2 = true; + enableACME = true; + + locations."/" = { + proxyPass = "http://[::1]:8080"; + }; + }; + }; + + # donsz.services.mapf = { + # enable = true; + # envfile = "/run/secrets/sops/mapf"; + # db_name = "mapfprod"; + # db_user = "mapfprod"; + # db_password = ""; + # }; +} diff --git a/fili/services/websites/reviewqueue.nix b/fili/services/websites/reviewqueue.nix new file mode 100644 index 0000000..baaff65 --- /dev/null +++ b/fili/services/websites/reviewqueue.nix 
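Review bot: The `donsz.nl` and `jdonszelmann.nl` vhosts are byte-identical, which is a style point but a maintenance trap: a change to one (a header, a redirect, the `root`) has to be mirrored by hand. Factor the definition into a `let` binding and generate both with `lib.genAttrs`, or keep one vhost and add `serverAliases = [ "jdonszelmann.nl" ];` if sharing a single ACME certificate between the two names is acceptable.
```nix
{ flakes, pkgs, lib, ... }:
let
  # Both hostnames serve the same static site; keep one definition.
  site = {
    forceSSL = true;
    http2 = true;
    enableACME = true;
    locations."/".root = flakes.homepage.packages.${pkgs.system}.website;
  };
in {
  services.nginx.virtualHosts = lib.genAttrs [ "donsz.nl" "jdonszelmann.nl" ] (_: site);
}
```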
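Review bot: `sops.secrets.mapf` points at `../../../secrets/mapf-prod.env`, which is not among the files this commit adds; unless it already exists in the repository, evaluation of this module fails on the missing path. At the same time the module import and `donsz.services.mapf` are commented out, so `mapf.donsz.nl` is a vhost proxying to `[::1]:8080` with nothing listening, and the declared secret is unused. Either finish the wiring or leave the vhost and secret out until the service lands; if it must stay disabled, a `# TODO(owner): mapf service disabled because …` line is more useful than commented-out configuration.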
@@ -0,0 +1,38 @@ +{ pkgs, flakes, ... }: +{ + sops.secrets.reviewqueue = { + sopsFile = ../../../secrets/reviewqueue.env; + }; + + services.nginx = { + virtualHosts."queue.donsz.nl" = { + forceSSL = true; + http2 = true; + enableACME = true; + + locations."/" = { + proxyPass = "http://[::1]:3000"; + }; + }; + }; + + systemd.services.reviewqueue = { + description = "Review Queue"; + + wantedBy = [ "multi-user.target" ]; + after = [ "network.target" ]; # if networking is needed + + restartIfChanged = true; # set to false, if restarting is problematic + + serviceConfig = { + ExecStart = "${flakes.reviewqueue.packages.${pkgs.system}.default}/bin/reviewqueue"; + Restart = "always"; + EnvironmentFile = "/run/secrets/reviewqueue"; + StateDirectory = "/var/lib/reviewqueue"; + }; + + environment = { + DB_PATH = "/var/lib/reviewqueue/db.sqlite"; + }; + }; +} diff --git a/fili/services/websites/totpal.nix b/fili/services/websites/totpal.nix new file mode 100644 index 0000000..85d3043 --- /dev/null +++ b/fili/services/websites/totpal.nix @@ -0,0 +1,28 @@ +{ flakes, pkgs,... }: +let + totpal = + flakes.totpal.packages.${pkgs.system}.default + ; +in +{ + services.nginx = { + virtualHosts."totpal.donsz.nl" = { + forceSSL = true; + http2 = true; + enableACME = true; + + locations."/" = { + proxyPass = "http://[::1]:2442"; + }; + }; + }; + + systemd.services.totpal = + { + description = "totpal"; + serviceConfig = { + Type = "simple"; + ExecStart = "${totpal}/bin/totpal"; + }; + }; +} diff --git a/flake.lock b/flake.lock index 02fd13c..2c5e0b2 100644 --- a/flake.lock +++ b/flake.lock 
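Review bot: `StateDirectory = "/var/lib/reviewqueue"` is an absolute path, but systemd's `StateDirectory=` takes names relative to `/var/lib` and ignores absolute ones with an error, so the directory is not created or owned by systemd; it should be `StateDirectory = "reviewqueue";` (the `DB_PATH` value can stay as is). The unit also runs as root with `GITHUB_TOKEN` and the OAuth client secret from `secrets/reviewqueue.env` in its environment, whereas harmonica-tabs.nix in the same commit uses `DynamicUser = true`; adding `DynamicUser = true;` here gives the same isolation and still works with `StateDirectory`. `EnvironmentFile = "/run/secrets/reviewqueue"` hardcodes sops-nix's default path; `EnvironmentFile = config.sops.secrets.reviewqueue.path;` (with `config` added to the module arguments) keeps it in sync, and since systemd reads it before dropping privileges the root-owned secret is fine.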
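Review bot: `systemd.services.totpal` has no `wantedBy`, so the unit is never started at boot and `totpal.donsz.nl` proxies to `[::1]:2442` with nothing listening unless someone starts it by hand. The other site units in this commit set `wantedBy = [ "multi-user.target" ];` and `after = [ "network.target" ];`, and harmonica-tabs additionally runs under `DynamicUser = true;`; all three belong here too. `Type = "simple"` is systemd's default and can be dropped.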
@@ -22,6 +22,29 @@ "type": "github" } }, + "fenix": { + "inputs": { + "nixpkgs": [ + "reviewqueue", + "naersk", + "nixpkgs" + ], + "rust-analyzer-src": "rust-analyzer-src" + }, + "locked": { + "lastModified": 1752475459, + "narHash": "sha256-z6QEu4ZFuHiqdOPbYss4/Q8B0BFhacR8ts6jO/F/aOU=", + "owner": "nix-community", + "repo": "fenix", + "rev": "bf0d6f70f4c9a9cf8845f992105652173f4b617f", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "fenix", + "type": "github" + } + }, "flake-compat": { "flake": false, "locked": { 
@@ -71,6 +94,135 @@ "type": "github" } }, + "flake-utils_3": { + "inputs": { + "systems": "systems_2" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_4": { + "inputs": { + "systems": "systems_3" + }, + "locked": { + "lastModified": 1710146030, + "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "flake-utils_5": { + "inputs": { + "systems": "systems_4" + }, + "locked": { + "lastModified": 1731533236, + "narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=", + "owner": "numtide", + "repo": "flake-utils", + "rev": "11707dc2f618dd54ca8739b309ec4fc024de578b", + "type": "github" + }, + "original": { + "owner": "numtide", + "repo": "flake-utils", + "type": "github" + } + }, + "harmonica": { + "inputs": { + "nixpkgs": "nixpkgs_2" + }, + "locked": { + "lastModified": 1738890519, + "narHash": "sha256-bc5s4lnFojTbnEvG4HUrrrRtDHfnuxVps8hL8K8Sgb4=", + "ref": "refs/heads/main", + "rev": "2eb8c5b4d441e79bf4775483a129d25c2dd3e336", + "revCount": 3, + "type": "git", + "url": "ssh://git@github.com/jdonszelmann/harmonica-tabs" + }, + "original": { + "type": "git", + "url": "ssh://git@github.com/jdonszelmann/harmonica-tabs" + } + }, + "homepage": { + "inputs": { + "flake-utils": "flake-utils_3", + "nixpkgs": "nixpkgs_3" + }, + "locked": { + "lastModified": 1747823174, + "narHash": "sha256-8P6od55oOAaE0/QAaHn33ADFISTiE+QOt2s0AmaPAFQ=", + "owner": "jdonszelmann", + "repo": "homepage", + "rev": "39ef8624648f4e8803aa7510036ad48f5d4a459c", + "type": "github" 
+ }, + "original": { + "owner": "jdonszelmann", + "repo": "homepage", + "type": "github" + } + }, + "mapf": { + "inputs": { + "flake-utils": "flake-utils_4", + "nixpkgs": "nixpkgs_4" + }, + "locked": { + "lastModified": 1721482233, + "narHash": "sha256-zNTFyWdpOOTSXfCtcvdU7MjHohnKQpZcSlhCPS/C93Y=", + "ref": "refs/heads/master", + "rev": "aa47dd1bc41ba25d14b1ac62edcee14f6fec1aa5", + "revCount": 677, + "type": "git", + "url": "ssh://git@github.com/jdonszelmann/mapf-server" + }, + "original": { + "type": "git", + "url": "ssh://git@github.com/jdonszelmann/mapf-server" + } + }, + "naersk": { + "inputs": { + "fenix": "fenix", + "nixpkgs": "nixpkgs_6" + }, + "locked": { + "lastModified": 1752689277, + "narHash": "sha256-uldUBFkZe/E7qbvxa3mH1ItrWZyT6w1dBKJQF/3ZSsc=", + "owner": "nix-community", + "repo": "naersk", + "rev": "0e72363d0938b0208d6c646d10649164c43f4d64", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "naersk", + "type": "github" + } + }, "nix-github-actions": { "inputs": { "nixpkgs": [ @@ -108,6 +260,22 @@ "type": "github" } }, + "nixpkgs-mozilla": { + "flake": false, + "locked": { + "lastModified": 1744624473, + "narHash": "sha256-S6zT/w5SyAkJ//dYdjbrXgm+6Vkd/k7qqUl4WgZ6jjk=", + "owner": "mozilla", + "repo": "nixpkgs-mozilla", + "rev": "2292d4b35aa854e312ad2e95c4bb5c293656f21a", + "type": "github" + }, + "original": { + "owner": "mozilla", + "repo": "nixpkgs-mozilla", + "type": "github" + } + }, "nixpkgs-stable": { "locked": { "lastModified": 1703950681, 
@@ -125,6 +293,54 @@ } }, "nixpkgs_2": { + "locked": { + "lastModified": 1738680400, + "narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "799ba5bffed04ced7067a91798353d360788b30d", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_3": { + "locked": { + "lastModified": 1716137900, + "narHash": "sha256-sowPU+tLQv8GlqtVtsXioTKeaQvlMz/pefcdwg8MvfM=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "6c0b7a92c30122196a761b440ac0d46d3d9954f1", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_4": { + "locked": { + "lastModified": 1721379653, + "narHash": "sha256-8MUgifkJ7lkZs3u99UDZMB4kbOxvMEXQZ31FO3SopZ0=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "1d9c2c9b3e71b9ee663d11c5d298727dace8d374", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_5": { "locked": { "lastModified": 1751104741, "narHash": "sha256-xPlVbk6WlgTzDvWFRyzvXMdh/ZFLEOTCQik18wg5AFQ=", 
@@ -140,7 +356,37 @@ "type": "github" } }, - "nixpkgs_3": { + "nixpkgs_6": { + "locked": { + "lastModified": 1752077645, + "narHash": "sha256-HM791ZQtXV93xtCY+ZxG1REzhQenSQO020cu6rHtAPk=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "be9e214982e20b8310878ac2baa063a961c1bdf6", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "nixpkgs_7": { + "locked": { + "lastModified": 1755020227, + "narHash": "sha256-gGmm+h0t6rY88RPTaIm3su95QvQIVjAJx558YUG4Id8=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "695d5db1b8b20b73292501683a524e0bd79074fb", + "type": "github" + }, + "original": { + "id": "nixpkgs", + "type": "indirect" + } + }, + "nixpkgs_8": { "locked": { "lastModified": 1703499205, "narHash": "sha256-lF9rK5mSUfIZJgZxC3ge40tp1gmyyOXZ+lRY3P8bfbg=", 
@@ -156,18 +402,77 @@ "type": "github" } }, + "nixpkgs_9": { + "locked": { + "lastModified": 1732014248, + "narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "23e89b7da85c3640bbc2173fe04f4bd114342367", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "reviewqueue": { + "inputs": { + "flake-utils": "flake-utils_5", + "naersk": "naersk", + "nixpkgs": "nixpkgs_7", + "nixpkgs-mozilla": "nixpkgs-mozilla" + }, + "locked": { + "lastModified": 1755627228, + "narHash": "sha256-0BiTSjVWxgFnhOFxM1hpeMoMZcQBsgZTeVIgXOSUMcg=", + "owner": "jdonszelmann", + "repo": "review-queue", + "rev": "e2cf27dea96d2fde03c913d4b4462d3785019b36", + "type": "github" + }, + "original": { + "owner": "jdonszelmann", + "repo": "review-queue", + "type": "github" + } + }, "root": { "inputs": { "colmena": "colmena", "flake-utils": "flake-utils_2", - "nixpkgs": "nixpkgs_2", + "harmonica": "harmonica", + "homepage": "homepage", + "mapf": "mapf", + "nixpkgs": "nixpkgs_5", + "reviewqueue": "reviewqueue", "sops-nix": "sops-nix", + "totpal": "totpal", "vpn-confinement": "vpn-confinement" } }, + "rust-analyzer-src": { + "flake": false, + "locked": { + "lastModified": 1752428706, + "narHash": "sha256-EJcdxw3aXfP8Ex1Nm3s0awyH9egQvB2Gu+QEnJn2Sfg=", + "owner": "rust-lang", + "repo": "rust-analyzer", + "rev": "591e3b7624be97e4443ea7b5542c191311aa141d", + "type": "github" + }, + "original": { + "owner": "rust-lang", + "ref": "nightly", + "repo": "rust-analyzer", + "type": "github" + } + }, "sops-nix": { "inputs": { - "nixpkgs": "nixpkgs_3", + "nixpkgs": "nixpkgs_8", "nixpkgs-stable": "nixpkgs-stable" }, "locked": { 
@@ -215,6 +520,69 @@ "type": "github" } }, + "systems_2": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_3": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "systems_4": { + "locked": { + "lastModified": 1681028828, + "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", + "owner": "nix-systems", + "repo": "default", + "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", + "type": "github" + }, + "original": { + "owner": "nix-systems", + "repo": "default", + "type": "github" + } + }, + "totpal": { + "inputs": { + "nixpkgs": "nixpkgs_9" + }, + "locked": { + "lastModified": 1737322813, + "narHash": "sha256-WMRUKiNDielsw/2MwRIDEvL4+OmcBXHd6UVqCottDkc=", + "owner": "jdonszelmann", + "repo": "totpal", + "rev": "c671f568d20d13e79a2c434926da6be3035fd1f6", + "type": "github" + }, + "original": { + "owner": "jdonszelmann", + "repo": "totpal", + "type": "github" + } + }, "vpn-confinement": { "locked": { "lastModified": 1749672087, diff --git a/flake.nix b/flake.nix index 6b513aa..a458091 100644 --- a/flake.nix +++ b/flake.nix 
@@ -6,6 +6,14 @@ flake-utils.url = "github:numtide/flake-utils"; sops-nix.url = "github:jdonszelmann/sops-nix"; vpn-confinement.url = "github:Maroka-chan/VPN-Confinement"; + + # websites + + homepage.url = "github:jdonszelmann/homepage"; + totpal.url = "github:jdonszelmann/totpal"; + harmonica.url = "git+ssh://git@github.com/jdonszelmann/harmonica-tabs"; + mapf.url = "git+ssh://git@github.com/jdonszelmann/mapf-server"; + reviewqueue.url = "github:jdonszelmann/review-queue"; }; outputs = { @@ -15,8 +23,9 @@ flake-utils, sops-nix, vpn-confinement, + mapf, ... - }: + }@inputs: let pkgsForSystem = system: @@ -32,6 +41,8 @@ colmena = { meta = { nixpkgs = pkgsForSystem "x86_64-linux"; + + specialArgs.flakes = inputs; }; fili = { diff --git a/secrets/forgejo.yaml b/secrets/forgejo.yaml new file mode 100644 index 0000000..5b2db1f --- /dev/null +++ b/secrets/forgejo.yaml @@ -0,0 +1,16 @@ +email_password: ENC[AES256_GCM,data:bTFBUQ4ZQO3BYCA9ztly5w==,iv:YRggZh60iv1vvxbxvrv6224ztVUXlvZvp4p5IY4N3wo=,tag:BOQnvUGpiETuR7sP/fp/Pg==,type:str] +sops: + age: + - recipient: age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRV1c0YzBkWFpHTkt4ZXI2 + dG9jL1dnNTRmbDNmelNxVHlSQTEzd0pIRFZjCjUwYnRQL1RBMmdTRkFud1M4cTdo + QnlESXlHZWhUUWdXZHpWYlBIMXR4aEUKLS0tIDZ4TUJYZzdHWGJpWVBiUHJVSnhQ + MnpUMzl3ZmhNZ25aWU5YcnVvUTY0c1EKt3q2WUaYFvFvJmLVHT10QbxqdAx1cvKU + ZGVJLxMbvzdNbK1MQacRbY+0JU+79WRG+BehGFxiExhYzNQS00ZQLg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-08-19T20:18:15Z" + mac: ENC[AES256_GCM,data:h112brIAuwrVKG2d7lRJvg5lSb6ruNTm+78E9IhBzPRRZJTCqWflp+rK7LpQevmaVgrLGHgF2LEnchzvQW2AMZh8726foQaUDGWhovvKMsnMmsU5axJ5QrKsPIvjpbqBjK3PZrqdVDZl53v6sNdAL8fi2uY0f0ncPOHbLb7E4Ag=,iv:YozwZvXgEA0Asyjcz6VuSIfNNCgoAzOqluLepttEJks=,tag:QpqhqCo//IbTDhMaVSIGqQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 
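Review bot: Each of the five new inputs brings its own `nixpkgs` (the lockfile in this commit gains `nixpkgs_2`, `_3`, `_4`, `_6`, `_7` and `_9`), which multiplies evaluation time and closure size; unless a site genuinely needs its own pin, add `<name>.inputs.nixpkgs.follows = "nixpkgs";` next to each URL. The two `git+ssh://` inputs can only be fetched by a user whose SSH agent has access to those repositories, which is worth a comment for anyone else who runs the deployment.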
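Review bot: `mapf,` is added to the destructured `outputs` arguments in the same hunk that introduces `@inputs`, which already exposes it as `inputs.mapf`, and none of the hunks shown use the bare name; drop `mapf,` unless the remainder of `outputs` (outside the hunk) needs it.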
diff --git a/secrets/oauth2-proxy.env b/secrets/oauth2-proxy.env new file mode 100644 index 0000000..8285d22 --- /dev/null +++ b/secrets/oauth2-proxy.env @@ -0,0 +1,8 @@ +OAUTH2_PROXY_CLIENT_SECRET=ENC[AES256_GCM,data:V/98HFTiIsMwLPKlTLG5t9cdGPLQ3267wYA1mW7OZD9HKHu4yl0EnSkS66LV6ANU,iv:iA1OLYXzxEGTWgxjHzrr3TXqQK7JhpjlXO48du+LwSU=,tag:V9K/FuM0LM6+BvEdSYlsSg==,type:str] +OAUTH2_PROXY_COOKIE_SECRET=ENC[AES256_GCM,data:mj4KK93nfPWb/0XGfeLOkgi69KQndghSvbm6Usg258s=,iv:3IZRadYRmP4pZ+7YRZ4ctyhMl6BP2GzqVAmMKijjE44=,tag:I9vIbsUl5YURMTPRJnje+A==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOL0VuWDliWTZIL0dydXRa\nMFc3YzFNeGh5UFNvR3E5UnVBVTlLWjNFT2lrCm4rYlhYZER1RnNuNUFtVDE2VHZD\nakpsbjNXQkY3Sm1nMW56bldUSTE4Uk0KLS0tIFplQ2VmaTIyYy9zcDJwcmgydTRW\nb0w3em1xNG5YVEVRQzlhbWN5aVE2OVkKkxhaO0R7oYVkyPkN24SK0SYe2m2ulma8\nzAsUJ6DmUBZrm/MOx8NDgGnPoF2o+d/Nk8jxeOCdge8oIixeI/i5jw==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw +sops_lastmodified=2025-08-20T09:03:37Z +sops_mac=ENC[AES256_GCM,data:Lfuo/k0swCDLTXS9qBUrNtGvgO4CoN6NxYOnJJbczzuO00FzVLdr5CoDx0WVP1OaTC06AoQIbURH9azRf/wVsQxlqnrU6/jqRT2YN8ZOasSCfxchcFMavj8iWAM3f5Ib3ITg1VrruKfXCJUNWePqkBz9S4z3YhINyPcJ41oAIyw=,iv:dUliQFPNvWRuto/8BtOkSMOc7TuBRZt89AOD686I2Vo=,tag:uAOJDnSyzlBQziLzyGAQew==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.10.2 diff --git a/secrets/reviewqueue.env b/secrets/reviewqueue.env new file mode 100644 index 0000000..2047928 --- /dev/null +++ b/secrets/reviewqueue.env 
@@ -0,0 +1,11 @@ +#ENC[AES256_GCM,data:wv0EtbYFXXAmf5dLBMv+Z4H3l9WoxF6QVg==,iv:t1BAHNW41you67UkLENuH/Zq8u69+TWzu+oqn/oEY0Q=,tag:RUVpGpUySzjht0PA+y1Fsg==,type:comment] +GITHUB_TOKEN=ENC[AES256_GCM,data:3jzTyFPhgKfnAIeSw8sNifib00swg4Ucf/QVTDUFvQQVClFe+59guGZ7Z9we8zVyoQ+nzIkNsTzW6mZ7tV8vtjKTs35KC8JecdQVewCnyQ4Oa0ODFwEI1SQtz7ti,iv:/v+7yrvEHWf7jkbnMapHbZSJxws6J0sbdCuww+J6Tag=,tag:LxqPKMomUsW4yLAcFR+Hpw==,type:str] +HOST=ENC[AES256_GCM,data:6UAKpEQWCnxqevidVg300euWmYXPQQ==,iv:Fk/OPIJZV4Wnu0N7zgcjEmLUF3Bn3qQAKHtuqfSWoF4=,tag:BjTrsO0GIYKCjF+rVSPSNQ==,type:str] +OAUTH_CLIENT_ID=ENC[AES256_GCM,data:oXhdE2Pkl0+yPf56kjSXSnDwXCo=,iv:p1kv+T8PhdxsYgokOOXCB8XP5TT1nFh8CUuHWJQHWrI=,tag:a/Ezh3CwGrBBZNMW2PKgAA==,type:str] +OAUTH_CLIENT_SECRET=ENC[AES256_GCM,data:yu7/kyk8CtGJ4rgqX1iW0h6/G5dwM7DDe9V+ov3aU7Ueh8tjO4kOIw==,iv:GBtG92pFIBwZBYe6H6hNxOEGyZrk9DX3JdbQF82nwPI=,tag:1h6xOCwq3644lCFCntfwRA==,type:str] +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSmpaaUNWSGE1c0MzNURJ\nU2QzNFRZdS9ZeDR2TzlhZ3dnbi9wQW5hKzM4CnpjN3JYQkpvUkdsbW9LSWJhcmFF\nb0NjcEgrcE5qKzFmZlhtWVJ5QWZ4cjgKLS0tIE5ubW5idFE1VmVIdkRvdVVvK1Zl\nc2JTR2FCUGo3Q3pzWjhjK3I3MG9WZkEKGa6eY+IpfymIzfkAbGoJziyf9NP5U8xC\nUM0Xj68fstT9GLOg3/Zp1/4tueIO2Dh8omQi2LJZPjdmzY+Ph25IqA==\n-----END AGE ENCRYPTED FILE-----\n +sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw +sops_lastmodified=2025-08-13T16:48:41Z +sops_mac=ENC[AES256_GCM,data:CqtTl2qvFi2yL1GF0ZZpC5336Knbyl4EeVm8NI4pzp3rsIf7JPcqg5e2WUWMNuFFR69Q23plndAsOd8XtIPGoqlKyTnHqMMDLDsPZ0r198+zxbNM/z7ZaiI0YmaVTXkm5MMld+5/9FOUFkJyLqcGj1lMLMQIRRX2rn+ccx/7R48=,iv:puOXtn3haqSOyoUNLFrdOzLlGAeuhhlTdMXaokPV+J4=,tag:GloK7jJo3JvUvq9AnPuIwg==,type:str] +sops_unencrypted_suffix=_unencrypted +sops_version=3.10.2 diff --git a/users/users.nix b/users/users.nix index d03e618..d78880e 100644 --- a/users/users.nix +++ b/users/users.nix @@ -91,6 +91,7 @@ "syncthing" "jellyfin" "media" + "nginx" ]; };
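Review bot: Adding `"nginx"` to this user's `extraGroups` grants the account read access to everything group-owned by `nginx` on the host, which, if the ACME certificates for the nginx vhosts use the module's default group (not shown here), can include the TLS private keys under `/var/lib/acme`; the enclosing user definition starts outside the hunk, so the purpose of the grant is not visible. If it is for reading nginx logs or a web root, a comment stating that, e.g. `# nginx: read access to /var/log/nginx`, makes the grant auditable; if it is a leftover from before the sites moved into modules, drop it.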