auth and git

This commit is contained in:
Jana Dönszelmann 2025-08-19 21:12:39 +02:00
parent d35531c1bd
commit 2d9feaa634
No known key found for this signature in database
24 changed files with 787 additions and 16 deletions


@ -0,0 +1,6 @@
_: {
imports = [
./kanidm.nix
./oauth2-proxy.nix
];
}


@ -0,0 +1,45 @@
{pkgs, config, ...}: let
lib = pkgs.lib;
domain = "auth.donsz.nl";
port = 3013;
backupsDir = "/var/lib/kanidm/backup";
in {
services.kanidm.enableServer = true;
services.kanidm.package = pkgs.kanidm_1_6;
services.kanidm.serverSettings = {
tls_chain = "/var/lib/acme/${domain}/fullchain.pem";
tls_key = "/var/lib/acme/${domain}/key.pem";
bindaddress = "[::1]:${toString port}";
ldapbindaddress = "[::1]:3636";
inherit domain;
origin = "https://${domain}";
trust_x_forward_for = true;
online_backup = {
path = backupsDir;
schedule = "0 0 * * *";
};
};
systemd.services.kanidm = {
preStart = lib.mkBefore ''
mkdir -p "${backupsDir}"
'';
serviceConfig = {
SupplementaryGroups =
[ config.security.acme.certs.${domain}.group ];
};
};
environment.systemPackages = [pkgs.kanidm];
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "https://[::1]:${toString port}";
};
};
}
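Review bot: `trust_x_forward_for = true` makes kanidm take the client address from X-Forwarded-For, but the `locations."/"` block in this hunk only sets `proxyPass`, so unless `recommendedProxySettings` (or an explicit `proxy_set_header X-Forwarded-For`) is enabled in nginx.nix the header is never sent and every login is recorded as coming from ::1; binding on `[::1]` does correctly keep the header unspoofable by direct clients. The `mkdir -p "${backupsDir}"` in preStart creates the directory with the process umask, and the `online_backup` dumps written there are complete copies of the identity database, so create it restrictively, `mkdir -p -m 0700 "${backupsDir}"`, unless the parent state directory is already 0700 under the NixOS kanidm module (verify). A one-line comment on `online_backup` noting that the dumps are unencrypted and must stay inside the service's private state would help the next reader.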


@ -0,0 +1,50 @@
{pkgs, config, ...}: {
sops.secrets.oauth2-proxy = {
sopsFile = ../../../secrets/oauth2-proxy.env;
};
services.oauth2-proxy =
let
auth = import ../../lib/auth.nix { baseUrl = "https://auth.donsz.nl"; clientId = "homeserver"; };
in {
enable = true;
provider = "oidc";
clientID = "${auth.clientId}";
oidcIssuerUrl = auth.oidcIssuerUri;
proxyPrefix = "/oauth2";
reverseProxy = true;
keyFile = config.sops.secrets.oauth2-proxy.path;
loginURL = auth.apiAuthUrl;
redeemURL = auth.tokenUrl;
validateURL = auth.rfc7662TokenIntrospectionUrl;
profileURL = auth.oidcUserInfo;
scope = "openid profile email";
email.domains = [ "*" ];
cookie = {
domain = "donsz.nl";
refresh = "1h";
secure = true;
};
extraConfig = {
whitelist-domain = ["*.donsz.nl"];
};
nginx.domain = "oauth2.donsz.nl";
};
services.nginx.virtualHosts."oauth2.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/".return = "301 https://oauth2.donsz.nl/oauth2/sign_in";
};
}
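Review bot: `cookie.domain = "donsz.nl"` scopes the session cookie to the apex, so it is sent to every subdomain, including hosts in this same commit that are not behind the proxy (git, harmonica, mapf, reviewqueue, totpal); a compromise of any of those servers reaches the SSO session, and any subdomain can also set cookies for the apex. That is inherent to subdomain-wide SSO, but the cookie should at least carry a SameSite policy, which the NixOS module does not set here: `cookie-samesite = "lax";` alongside `whitelist-domain` in `extraConfig`. `email.domains = [ "*" ]` with no allowed-groups restriction delegates all access control to which kanidm accounts may use the `homeserver` client; a comment on that line recording the assumption, e.g. `# any address: authorization is enforced by kanidm group membership on the homeserver client`, would keep it from being loosened unknowingly.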


@ -46,6 +46,10 @@
name = "dnote";
ensureDBOwnership = true;
}
{
name = "forgejo";
ensureDBOwnership = true;
}
];
ensureDatabases = map (i: i.name) ensureUsers;
};


@ -3,8 +3,10 @@ _: {
./nginx.nix
./databases.nix
./matrix-synapse.nix
./reviewqueue.nix
./homepage.nix
./forgejo.nix
./media
./websites
./auth
];
}

76
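--- a/fili/services/forgejo.nix
+++ b/fili/services/forgejo.nix
@@ -0,0 +1,76 @@
+{ lib, pkgs, config, ... }:
+let
+cfg = config.services.forgejo;
+srv = cfg.settings.server;
+in
+{
+sops.secrets.forgejo = {
+sopsFile = ../../secrets/forgejo.yaml;
+key="email_password";
+format = "yaml";
+};
+users.groups.forgejo = { };
+users.users.forgejo = {
+isSystemUser = true;
+group = "forgejo";
+extraGroups = [ "storage" ];
+};
+services.nginx = {
+virtualHosts."git.donsz.nl" = {
+forceSSL = true;
+enableACME = true;
+extraConfig = ''
+client_max_body_size 512M;
+'';
+locations."/".proxyPass = "http://[::1]:13121";
+};
+};
+services.forgejo = {
+enable = true;
+lfs.enable = true;
+user = "forgejo";
+group = "forgejo";
+repositoryRoot="/storage/storage/git";
+database = {
+type = "postgres";
+name = "forgejo";
+createDatabase = false;
+};
+settings = {
+DEFAULT = {
+APP_NAME="jana's git server";
+APP_SLOGAN="meow!";
+};
+server = {
+DOMAIN = "git.donsz.nl";
+ROOT_URL = "https://git.donsz.nl/";
+HTTP_PORT = 13121;
+};
+service = {
+DISABLE_REGISTRATION = true;
+ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+SHOW_REGISTRATION_BUTTON = false;
+ENABLE_PASSWORD_SIGNIN_FORM = false;
+};
+actions = {
+ENABLED = true;
+DEFAULT_ACTIONS_URL = "github";
+};
+repository = {
+DEFAULT_PRIVATE="private";
+};
+mailer = {
+ENABLED = true;
+SMTP_ADDR = "smtp.fastmail.com";
+FROM = "git@donsz.nl";
+USER = "git@donsz.nl";
+};
+};
+mailerPasswordFile = config.sops.secrets.forgejo.path;
+};
+}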
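Review bot: `repositoryRoot = "/storage/storage/git"` together with `extraGroups = [ "storage" ]` places every repository, including the ones `DEFAULT_PRIVATE = "private"` is meant to hide, on a path the forgejo user reaches through a shared group; if any other account is in `storage` it can read the bare repos directly, so that tree should be owned forgejo:forgejo with mode 0700 rather than relying on group membership, and a comment on `extraGroups` should say why the group is needed at all. `DISABLE_REGISTRATION = true` next to `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` is worth checking: Gitea/Forgejo documents the latter as taking effect only when registration is not disabled, so with the password form also off, new kanidm users may be unable to self-provision and an admin would have to create each account; if that is the intent, the second flag is misleading, otherwise drop `DISABLE_REGISTRATION`. The sops secret sets no `owner`, so it is root:root 0400, while the NixOS forgejo module appears to read `mailerPasswordFile` in the unit's preStart as the forgejo user — `sops.secrets.forgejo.owner = "forgejo";` is probably required (verify against the module). `cfg` and `srv` are bound in the `let` but unused in the visible lines (blank lines may have been dropped in rendering).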


@ -1,3 +0,0 @@
{inputs,...}: {
}


@ -66,12 +66,6 @@
];
};
# proxy."dl.donsz.nl" = {
# port = 9091;
# to = "192.168.15.1";
# authenticated = true;
# };
services.nginx = {
virtualHosts."dl.donsz.nl" = {
forceSSL = true;
@ -83,6 +77,7 @@
};
};
};
services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl" = { };
systemd.services.transmission.vpnConfinement = {
enable = true;
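Review bot: `services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl" = { }` guards this host only through the `auth_request` directive the NixOS oauth2-proxy integration adds at the virtualHost level, and the virtualHost's own locations lie outside this hunk; any location there that sets `auth_request off`, or that is defined in another file, would bypass the login, so that is worth confirming. Since oauth2-proxy.nix in this commit accepts any email domain and no group, every kanidm account that may use the `homeserver` client reaches this UI, so transmission's own RPC authentication should stay enabled as a second layer. The removed commented-out `proxy` block carried `authenticated = true`; whether the new line is an equivalent replacement depends on what that helper did, which I cannot tell from here.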


@ -1,4 +1,4 @@
_: {
{pkgs, config, ...}: {
services.nginx = {
enable = true;
statusPage = true;


@ -0,0 +1,9 @@
_: {
imports = [
./reviewqueue.nix
./homepage.nix
./totpal.nix
./harmonica-tabs.nix
./mapf.nix
];
}


@ -0,0 +1,29 @@
{ pkgs, flakes, ... }:
{
services.nginx = {
virtualHosts."harmonica.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:42424";
};
};
};
systemd.services.harmonica-tabs = {
description = "harmonica tabs";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
restartIfChanged = true;
serviceConfig = {
DynamicUser = true;
ExecStart = "${flakes.harmonica.packages.${pkgs.system}.default}/bin/services";
WorkingDirectory = "${flakes.harmonica.packages.${pkgs.system}.default}";
Restart = "always";
};
};
}


@ -0,0 +1,22 @@
{flakes, pkgs, ...}: {
services.nginx = {
virtualHosts."donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
root = flakes.homepage.packages.${pkgs.system}.website;
};
};
virtualHosts."jdonszelmann.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
root = flakes.homepage.packages.${pkgs.system}.website;
};
};
};
}


@ -0,0 +1,29 @@
{flakes,...}: {
# imports = [
# flakes.mapf.nixosModules.default
# ];
sops.secrets.mapf = {
sopsFile = ../../../secrets/mapf-prod.env;
};
services.nginx = {
virtualHosts."mapf.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:8080";
};
};
};
# donsz.services.mapf = {
# enable = true;
# envfile = "/run/secrets/sops/mapf";
# db_name = "mapfprod";
# db_user = "mapfprod";
# db_password = "";
# };
}
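Review bot: The `mapf.donsz.nl` vhost proxies to `http://[::1]:8080` while the service that would listen there is commented out, so the host answers 502 today and will silently publish whatever later binds loopback port 8080 under that public name; either comment out the vhost together with the service or keep the port in one `let` binding shared by both. The commented `envfile = "/run/secrets/sops/mapf"` also disagrees with reviewqueue.nix's `/run/secrets/reviewqueue` and with the `config.sops.secrets.<name>.path` form used in oauth2-proxy.nix; when the block is revived, use `envfile = config.sops.secrets.mapf.path;` so the location follows sops-nix's configured secrets directory instead of a guess.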


@ -0,0 +1,38 @@
{ pkgs, flakes, ... }:
{
sops.secrets.reviewqueue = {
sopsFile = ../../../secrets/reviewqueue.env;
};
services.nginx = {
virtualHosts."queue.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:3000";
};
};
};
systemd.services.reviewqueue = {
description = "Review Queue";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; # if networking is needed
restartIfChanged = true; # set to false, if restarting is problematic
serviceConfig = {
ExecStart = "${flakes.reviewqueue.packages.${pkgs.system}.default}/bin/reviewqueue";
Restart = "always";
EnvironmentFile = "/run/secrets/reviewqueue";
StateDirectory = "/var/lib/reviewqueue";
};
environment = {
DB_PATH = "/var/lib/reviewqueue/db.sqlite";
};
};
}
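Review bot: `StateDirectory = "/var/lib/reviewqueue"` is an absolute path, and systemd expects StateDirectory= to be a name relative to /var/lib (absolute values are rejected at unit load, at least on the versions I know), so the directory is neither created nor chowned by systemd and `DB_PATH` only works because the unit runs as root — no `User` or `DynamicUser` is set, unlike harmonica-tabs.nix in this same commit. Change the two serviceConfig lines to `DynamicUser = true;` and `StateDirectory = "reviewqueue";` so the sqlite database lives in a directory owned by an unprivileged user; systemd reads `EnvironmentFile` as root, so the root-owned sops secret keeps working. The hard-coded `/run/secrets/reviewqueue` matches sops-nix's default location but not the path mapf.nix assumes; deriving it from `config.sops.secrets.reviewqueue.path` (adding `config` to the module arguments) would remove that drift.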


@ -0,0 +1,28 @@
{ flakes, pkgs,... }:
let
totpal =
flakes.totpal.packages.${pkgs.system}.default
;
in
{
services.nginx = {
virtualHosts."totpal.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:2442";
};
};
};
systemd.services.totpal =
{
description = "totpal";
serviceConfig = {
Type = "simple";
ExecStart = "${totpal}/bin/totpal";
};
};
}
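Review bot: `systemd.services.totpal` has no `wantedBy`, so unlike reviewqueue and harmonica-tabs in this commit it will not start at boot and nginx will proxy `totpal.donsz.nl` to a closed port until someone starts it by hand; add `wantedBy = [ "multi-user.target" ];`. It also sets no `User` or `DynamicUser`, so the binary runs as root behind a public vhost; `DynamicUser = true;` in `serviceConfig` matches harmonica-tabs.nix and is the minimal fix. `Type = "simple"` is systemd's default and can be dropped.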