auth and git

This commit is contained in:
Jana Dönszelmann 2025-08-19 21:12:39 +02:00
parent d35531c1bd
commit 2d9feaa634
No known key found for this signature in database
24 changed files with 787 additions and 16 deletions

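--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,7 @@
+keys:
+- &jana age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw
+creation_rules:
+- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
+key_groups:
+- age:
+- *jana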
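Review bot: The only recipient under `keys` is the single `&jana` age key, so the host that decrypts `secrets/forgejo.yaml`, `secrets/oauth2-proxy.env` and `secrets/reviewqueue.env` at activation time must hold that private key; if it is a personal key rather than one generated for the host, a compromise of the server exposes every file encrypted to it, not just the ones deployed there. Consider adding a per-host age recipient (for example one derived from the host's SSH host key) as a second entry in `key_groups` and re-encrypting with `sops updatekeys`, so the personal key only has to exist on the machine that edits secrets. A comment above `keys:` stating which machine each recipient belongs to would make the trust boundary visible.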

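--- a/fili/lib/auth.nix
+++ b/fili/lib/auth.nix
@@ -0,0 +1,19 @@
+{ baseUrl, clientId }: {
+inherit clientId;
+userAuthUrl = "${baseUrl}/ui/oauth2";
+apiAuthUrl = "${baseUrl}/oauth2/authorise";
+tokenUrl = "${baseUrl}/oauth2/token";
+rfc7662TokenIntrospectionUrl = "${baseUrl}/oauth2/token/introspect";
+rfc7009TokenRevokeUrl = "${baseUrl}/oauth2/token/revoke";
+oauth2Rfc8414Discovery = "${baseUrl}/oauth2/openid/${clientId}/.well-known/oauth-authorization-server";
+oidcIssuerUri = "${baseUrl}/oauth2/openid/${clientId}";
+oidcDiscovery = "${baseUrl}/oauth2/openid/${clientId}/.well-known/openid-configuration";
+oidcUserInfo = "${baseUrl}/oauth2/openid/${clientId}/userinfo";
+oidcTokenSigningPubkey = "${baseUrl}/openid/${clientId}/public_key.jwk";
+}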
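Review bot: `oidcTokenSigningPubkey` is built as `${baseUrl}/openid/${clientId}/public_key.jwk`, while every other OpenID path in this file lives under `${baseUrl}/oauth2/openid/${clientId}/…`; the missing `/oauth2` segment looks like a typo, and Kanidm serves the JWK under the `/oauth2/openid/<client>/public_key.jwk` path. Nothing in this commit reads the attribute, so the mistake stays silent until a consumer is wired up; suggested line: `oidcTokenSigningPubkey = "${baseUrl}/oauth2/openid/${clientId}/public_key.jwk";`. A one-line header comment naming the IdP these paths are specific to (Kanidm, hence the `authorise` spelling) would also help the next reader.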


@ -0,0 +1,6 @@
_: {
imports = [
./kanidm.nix
./oauth2-proxy.nix
];
}


@ -0,0 +1,45 @@
{pkgs, config, ...}: let
lib = pkgs.lib;
domain = "auth.donsz.nl";
port = 3013;
backupsDir = "/var/lib/kanidm/backup";
in {
services.kanidm.enableServer = true;
services.kanidm.package = pkgs.kanidm_1_6;
services.kanidm.serverSettings = {
tls_chain = "/var/lib/acme/${domain}/fullchain.pem";
tls_key = "/var/lib/acme/${domain}/key.pem";
bindaddress = "[::1]:${toString port}";
ldapbindaddress = "[::1]:3636";
inherit domain;
origin = "https://${domain}";
trust_x_forward_for = true;
online_backup = {
path = backupsDir;
schedule = "0 0 * * *";
};
};
systemd.services.kanidm = {
preStart = lib.mkBefore ''
mkdir -p "${backupsDir}"
'';
serviceConfig = {
SupplementaryGroups =
[ config.security.acme.certs.${domain}.group ];
};
};
environment.systemPackages = [pkgs.kanidm];
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "https://[::1]:${toString port}";
};
};
}
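Review bot: `trust_x_forward_for = true` only helps if the proxy actually sends the header, and the nginx location at `locations."/"` sets nothing but `proxyPass`; unless `services.nginx.recommendedProxySettings` is enabled elsewhere (not visible here), Kanidm will see every client as `::1`, which defeats its per-client audit logging and any IP-based controls. Either set `recommendedProxySettings = true;` inside the location or add `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` via `extraConfig`. The loopback `bindaddress` is what makes trusting the header safe, so keep it on `[::1]` as long as the flag stays on. The `online_backup` block sets no retention, so backups under `backupsDir` keep Kanidm's default count — worth a comment if that is intentional.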


@ -0,0 +1,50 @@
{pkgs, config, ...}: {
sops.secrets.oauth2-proxy = {
sopsFile = ../../../secrets/oauth2-proxy.env;
};
services.oauth2-proxy =
let
auth = import ../../lib/auth.nix { baseUrl = "https://auth.donsz.nl"; clientId = "homeserver"; };
in {
enable = true;
provider = "oidc";
clientID = "${auth.clientId}";
oidcIssuerUrl = auth.oidcIssuerUri;
proxyPrefix = "/oauth2";
reverseProxy = true;
keyFile = config.sops.secrets.oauth2-proxy.path;
loginURL = auth.apiAuthUrl;
redeemURL = auth.tokenUrl;
validateURL = auth.rfc7662TokenIntrospectionUrl;
profileURL = auth.oidcUserInfo;
scope = "openid profile email";
email.domains = [ "*" ];
cookie = {
domain = "donsz.nl";
refresh = "1h";
secure = true;
};
extraConfig = {
whitelist-domain = ["*.donsz.nl"];
};
nginx.domain = "oauth2.donsz.nl";
};
services.nginx.virtualHosts."oauth2.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/".return = "301 https://oauth2.donsz.nl/oauth2/sign_in";
};
}
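Review bot: The provider block configures a plain OIDC authorization-code flow without a PKCE code challenge, and Kanidm refuses authorisation requests from confidential clients that omit one unless the client was explicitly created with PKCE disabled; unless that was done for `homeserver`, the sign-in redirect to `apiAuthUrl` will fail. The fix is one line in `extraConfig`: `code-challenge-method = "S256";`. Separately, `email.domains = [ "*" ]` means the only access control on every vhost wired into this proxy (this commit also enables it for `dl.donsz.nl` in the media file) is whatever Kanidm enforces for the `homeserver` client, so a comment on that line stating the intent would stop a future reader from treating `"*"` as a placeholder. Minor style: `clientID = "${auth.clientId}"` interpolates a string into a string; `clientID = auth.clientId;` is enough.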


@ -46,6 +46,10 @@
name = "dnote"; name = "dnote";
ensureDBOwnership = true; ensureDBOwnership = true;
} }
{
name = "forgejo";
ensureDBOwnership = true;
}
]; ];
ensureDatabases = map (i: i.name) ensureUsers; ensureDatabases = map (i: i.name) ensureUsers;
}; };


@ -3,8 +3,10 @@ _: {
./nginx.nix ./nginx.nix
./databases.nix ./databases.nix
./matrix-synapse.nix ./matrix-synapse.nix
./reviewqueue.nix ./forgejo.nix
./homepage.nix
./media ./media
./websites
./auth
]; ];
} }

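--- a/fili/services/forgejo.nix
+++ b/fili/services/forgejo.nix
@@ -0,0 +1,76 @@
+{ lib, pkgs, config, ... }:
+let
+cfg = config.services.forgejo;
+srv = cfg.settings.server;
+in
+{
+sops.secrets.forgejo = {
+sopsFile = ../../secrets/forgejo.yaml;
+key="email_password";
+format = "yaml";
+};
+users.groups.forgejo = { };
+users.users.forgejo = {
+isSystemUser = true;
+group = "forgejo";
+extraGroups = [ "storage" ];
+};
+services.nginx = {
+virtualHosts."git.donsz.nl" = {
+forceSSL = true;
+enableACME = true;
+extraConfig = ''
+client_max_body_size 512M;
+'';
+locations."/".proxyPass = "http://[::1]:13121";
+};
+};
+services.forgejo = {
+enable = true;
+lfs.enable = true;
+user = "forgejo";
+group = "forgejo";
+repositoryRoot="/storage/storage/git";
+database = {
+type = "postgres";
+name = "forgejo";
+createDatabase = false;
+};
+settings = {
+DEFAULT = {
+APP_NAME="jana's git server";
+APP_SLOGAN="meow!";
+};
+server = {
+DOMAIN = "git.donsz.nl";
+ROOT_URL = "https://git.donsz.nl/";
+HTTP_PORT = 13121;
+};
+service = {
+DISABLE_REGISTRATION = true;
+ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+SHOW_REGISTRATION_BUTTON = false;
+ENABLE_PASSWORD_SIGNIN_FORM = false;
+};
+actions = {
+ENABLED = true;
+DEFAULT_ACTIONS_URL = "github";
+};
+repository = {
+DEFAULT_PRIVATE="private";
+};
+mailer = {
+ENABLED = true;
+SMTP_ADDR = "smtp.fastmail.com";
+FROM = "git@donsz.nl";
+USER = "git@donsz.nl";
+};
+};
+mailerPasswordFile = config.sops.secrets.forgejo.path;
+};
+}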
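Review bot: `DISABLE_REGISTRATION = true` and `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` in the `service` section contradict each other: the Gitea/Forgejo documentation states that the latter only takes effect while `DISABLE_REGISTRATION` is false, so as written first-login account creation through an OAuth2 source is blocked and new Kanidm users are turned away unless an admin pre-creates them. If anyone Kanidm admits should get an account, drop `DISABLE_REGISTRATION`; if accounts are meant to be created by hand, drop `ALLOW_ONLY_EXTERNAL_REGISTRATION` and say so in a comment. `sops.secrets.forgejo` keeps sops' default root-owned 0400 mode while `mailerPasswordFile` is consumed by a service running as `forgejo`; unless the NixOS module hands the file over via a systemd credential, add `owner = "forgejo";` to the secret. The `cfg` and `srv` let-bindings are unused in this file and can go.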


@ -1,3 +0,0 @@
{inputs,...}: {
}


@ -66,12 +66,6 @@
]; ];
}; };
# proxy."dl.donsz.nl" = {
# port = 9091;
# to = "192.168.15.1";
# authenticated = true;
# };
services.nginx = { services.nginx = {
virtualHosts."dl.donsz.nl" = { virtualHosts."dl.donsz.nl" = {
forceSSL = true; forceSSL = true;
@ -83,6 +77,7 @@
}; };
}; };
}; };
services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl" = { };
systemd.services.transmission.vpnConfinement = { systemd.services.transmission.vpnConfinement = {
enable = true; enable = true;


@ -1,4 +1,4 @@
_: { {pkgs, config, ...}: {
services.nginx = { services.nginx = {
enable = true; enable = true;
statusPage = true; statusPage = true;


@ -0,0 +1,9 @@
_: {
imports = [
./reviewqueue.nix
./homepage.nix
./totpal.nix
./harmonica-tabs.nix
./mapf.nix
];
}


@ -0,0 +1,29 @@
{ pkgs, flakes, ... }:
{
services.nginx = {
virtualHosts."harmonica.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:42424";
};
};
};
systemd.services.harmonica-tabs = {
description = "harmonica tabs";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
restartIfChanged = true;
serviceConfig = {
DynamicUser = true;
ExecStart = "${flakes.harmonica.packages.${pkgs.system}.default}/bin/services";
WorkingDirectory = "${flakes.harmonica.packages.${pkgs.system}.default}";
Restart = "always";
};
};
}


@ -0,0 +1,22 @@
{flakes, pkgs, ...}: {
services.nginx = {
virtualHosts."donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
root = flakes.homepage.packages.${pkgs.system}.website;
};
};
virtualHosts."jdonszelmann.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
root = flakes.homepage.packages.${pkgs.system}.website;
};
};
};
}


@ -0,0 +1,29 @@
{flakes,...}: {
# imports = [
# flakes.mapf.nixosModules.default
# ];
sops.secrets.mapf = {
sopsFile = ../../../secrets/mapf-prod.env;
};
services.nginx = {
virtualHosts."mapf.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:8080";
};
};
};
# donsz.services.mapf = {
# enable = true;
# envfile = "/run/secrets/sops/mapf";
# db_name = "mapfprod";
# db_user = "mapfprod";
# db_password = "";
# };
}
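Review bot: The `mapf.donsz.nl` vhost proxies to `http://[::1]:8080` and `sops.secrets.mapf` decrypts `mapf-prod.env` onto the host, but the service that would listen on 8080 and read that file is commented out (both the `imports` entry and the `donsz.services.mapf` block), so what gets deployed is a public ACME-issued vhost answering 502 and a plaintext secret at rest under `/run/secrets` with no consumer. Until the module is enabled, comment out the `sops.secrets.mapf` block and the vhost as well, or leave a comment explaining why they are shipped ahead of the service. If the module is expected soon, a `# TODO` naming what blocks enabling `flakes.mapf.nixosModules.default` would keep the dead config from being mistaken for a finished setup.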


@ -0,0 +1,38 @@
{ pkgs, flakes, ... }:
{
sops.secrets.reviewqueue = {
sopsFile = ../../../secrets/reviewqueue.env;
};
services.nginx = {
virtualHosts."queue.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:3000";
};
};
};
systemd.services.reviewqueue = {
description = "Review Queue";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; # if networking is needed
restartIfChanged = true; # set to false, if restarting is problematic
serviceConfig = {
ExecStart = "${flakes.reviewqueue.packages.${pkgs.system}.default}/bin/reviewqueue";
Restart = "always";
EnvironmentFile = "/run/secrets/reviewqueue";
StateDirectory = "/var/lib/reviewqueue";
};
environment = {
DB_PATH = "/var/lib/reviewqueue/db.sqlite";
};
};
}
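Review bot: `EnvironmentFile = "/run/secrets/reviewqueue"` hard-codes sops' output path instead of referring to `config.sops.secrets.reviewqueue.path` the way `oauth2-proxy.nix` and `forgejo.nix` do, so a change to the secrets mount point silently breaks this unit; take `config` in the argument set and write `EnvironmentFile = config.sops.secrets.reviewqueue.path;`. The unit also sets no `User` or `DynamicUser`, so a process holding a GitHub token and an OAuth client secret runs as root; `DynamicUser = true;` fits the existing `StateDirectory`, and the root-owned secret should still load since systemd reads environment files before dropping privileges. The `# if networking is needed` and `# set to false, if restarting is problematic` comments are template leftovers — resolve them or remove them.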


@ -0,0 +1,28 @@
{ flakes, pkgs,... }:
let
totpal =
flakes.totpal.packages.${pkgs.system}.default
;
in
{
services.nginx = {
virtualHosts."totpal.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:2442";
};
};
};
systemd.services.totpal =
{
description = "totpal";
serviceConfig = {
Type = "simple";
ExecStart = "${totpal}/bin/totpal";
};
};
}
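Review bot: `systemd.services.totpal` has no `wantedBy`, so unlike `harmonica-tabs` and `reviewqueue` it is never pulled into `multi-user.target` and only runs when started by hand, while nginx already advertises `totpal.donsz.nl`; add `wantedBy = [ "multi-user.target" ];` and `after = [ "network.target" ];` next to `description`. Like reviewqueue, the unit runs as root for lack of a `User`/`DynamicUser`; `DynamicUser = true;` in `serviceConfig` would match harmonica-tabs. A one-line comment that the binary listens on `2442` (the port the vhost proxies to) would tie the two halves of the file together.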

374
flake.lock generated

@ -22,6 +22,29 @@
"type": "github" "type": "github"
} }
}, },
"fenix": {
"inputs": {
"nixpkgs": [
"reviewqueue",
"naersk",
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1752475459,
"narHash": "sha256-z6QEu4ZFuHiqdOPbYss4/Q8B0BFhacR8ts6jO/F/aOU=",
"owner": "nix-community",
"repo": "fenix",
"rev": "bf0d6f70f4c9a9cf8845f992105652173f4b617f",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-compat": { "flake-compat": {
"flake": false, "flake": false,
"locked": { "locked": {
@ -71,6 +94,135 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"harmonica": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1738890519,
"narHash": "sha256-bc5s4lnFojTbnEvG4HUrrrRtDHfnuxVps8hL8K8Sgb4=",
"ref": "refs/heads/main",
"rev": "2eb8c5b4d441e79bf4775483a129d25c2dd3e336",
"revCount": 3,
"type": "git",
"url": "ssh://git@github.com/jdonszelmann/harmonica-tabs"
},
"original": {
"type": "git",
"url": "ssh://git@github.com/jdonszelmann/harmonica-tabs"
}
},
"homepage": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1747823174,
"narHash": "sha256-8P6od55oOAaE0/QAaHn33ADFISTiE+QOt2s0AmaPAFQ=",
"owner": "jdonszelmann",
"repo": "homepage",
"rev": "39ef8624648f4e8803aa7510036ad48f5d4a459c",
"type": "github"
},
"original": {
"owner": "jdonszelmann",
"repo": "homepage",
"type": "github"
}
},
"mapf": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1721482233,
"narHash": "sha256-zNTFyWdpOOTSXfCtcvdU7MjHohnKQpZcSlhCPS/C93Y=",
"ref": "refs/heads/master",
"rev": "aa47dd1bc41ba25d14b1ac62edcee14f6fec1aa5",
"revCount": 677,
"type": "git",
"url": "ssh://git@github.com/jdonszelmann/mapf-server"
},
"original": {
"type": "git",
"url": "ssh://git@github.com/jdonszelmann/mapf-server"
}
},
"naersk": {
"inputs": {
"fenix": "fenix",
"nixpkgs": "nixpkgs_6"
},
"locked": {
"lastModified": 1752689277,
"narHash": "sha256-uldUBFkZe/E7qbvxa3mH1ItrWZyT6w1dBKJQF/3ZSsc=",
"owner": "nix-community",
"repo": "naersk",
"rev": "0e72363d0938b0208d6c646d10649164c43f4d64",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "naersk",
"type": "github"
}
},
"nix-github-actions": { "nix-github-actions": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -108,6 +260,22 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs-mozilla": {
"flake": false,
"locked": {
"lastModified": 1744624473,
"narHash": "sha256-S6zT/w5SyAkJ//dYdjbrXgm+6Vkd/k7qqUl4WgZ6jjk=",
"owner": "mozilla",
"repo": "nixpkgs-mozilla",
"rev": "2292d4b35aa854e312ad2e95c4bb5c293656f21a",
"type": "github"
},
"original": {
"owner": "mozilla",
"repo": "nixpkgs-mozilla",
"type": "github"
}
},
"nixpkgs-stable": { "nixpkgs-stable": {
"locked": { "locked": {
"lastModified": 1703950681, "lastModified": 1703950681,
@ -125,6 +293,54 @@
} }
}, },
"nixpkgs_2": { "nixpkgs_2": {
"locked": {
"lastModified": 1738680400,
"narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "799ba5bffed04ced7067a91798353d360788b30d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1716137900,
"narHash": "sha256-sowPU+tLQv8GlqtVtsXioTKeaQvlMz/pefcdwg8MvfM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6c0b7a92c30122196a761b440ac0d46d3d9954f1",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1721379653,
"narHash": "sha256-8MUgifkJ7lkZs3u99UDZMB4kbOxvMEXQZ31FO3SopZ0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1d9c2c9b3e71b9ee663d11c5d298727dace8d374",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1751104741, "lastModified": 1751104741,
"narHash": "sha256-xPlVbk6WlgTzDvWFRyzvXMdh/ZFLEOTCQik18wg5AFQ=", "narHash": "sha256-xPlVbk6WlgTzDvWFRyzvXMdh/ZFLEOTCQik18wg5AFQ=",
@ -140,7 +356,37 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_3": { "nixpkgs_6": {
"locked": {
"lastModified": 1752077645,
"narHash": "sha256-HM791ZQtXV93xtCY+ZxG1REzhQenSQO020cu6rHtAPk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "be9e214982e20b8310878ac2baa063a961c1bdf6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_7": {
"locked": {
"lastModified": 1755020227,
"narHash": "sha256-gGmm+h0t6rY88RPTaIm3su95QvQIVjAJx558YUG4Id8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "695d5db1b8b20b73292501683a524e0bd79074fb",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"nixpkgs_8": {
"locked": { "locked": {
"lastModified": 1703499205, "lastModified": 1703499205,
"narHash": "sha256-lF9rK5mSUfIZJgZxC3ge40tp1gmyyOXZ+lRY3P8bfbg=", "narHash": "sha256-lF9rK5mSUfIZJgZxC3ge40tp1gmyyOXZ+lRY3P8bfbg=",
@ -156,18 +402,77 @@
"type": "github" "type": "github"
} }
}, },
"nixpkgs_9": {
"locked": {
"lastModified": 1732014248,
"narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"reviewqueue": {
"inputs": {
"flake-utils": "flake-utils_5",
"naersk": "naersk",
"nixpkgs": "nixpkgs_7",
"nixpkgs-mozilla": "nixpkgs-mozilla"
},
"locked": {
"lastModified": 1755627228,
"narHash": "sha256-0BiTSjVWxgFnhOFxM1hpeMoMZcQBsgZTeVIgXOSUMcg=",
"owner": "jdonszelmann",
"repo": "review-queue",
"rev": "e2cf27dea96d2fde03c913d4b4462d3785019b36",
"type": "github"
},
"original": {
"owner": "jdonszelmann",
"repo": "review-queue",
"type": "github"
}
},
"root": { "root": {
"inputs": { "inputs": {
"colmena": "colmena", "colmena": "colmena",
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_2", "harmonica": "harmonica",
"homepage": "homepage",
"mapf": "mapf",
"nixpkgs": "nixpkgs_5",
"reviewqueue": "reviewqueue",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",
"totpal": "totpal",
"vpn-confinement": "vpn-confinement" "vpn-confinement": "vpn-confinement"
} }
}, },
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1752428706,
"narHash": "sha256-EJcdxw3aXfP8Ex1Nm3s0awyH9egQvB2Gu+QEnJn2Sfg=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "591e3b7624be97e4443ea7b5542c191311aa141d",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"sops-nix": { "sops-nix": {
"inputs": { "inputs": {
"nixpkgs": "nixpkgs_3", "nixpkgs": "nixpkgs_8",
"nixpkgs-stable": "nixpkgs-stable" "nixpkgs-stable": "nixpkgs-stable"
}, },
"locked": { "locked": {
@ -215,6 +520,69 @@
"type": "github" "type": "github"
} }
}, },
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"totpal": {
"inputs": {
"nixpkgs": "nixpkgs_9"
},
"locked": {
"lastModified": 1737322813,
"narHash": "sha256-WMRUKiNDielsw/2MwRIDEvL4+OmcBXHd6UVqCottDkc=",
"owner": "jdonszelmann",
"repo": "totpal",
"rev": "c671f568d20d13e79a2c434926da6be3035fd1f6",
"type": "github"
},
"original": {
"owner": "jdonszelmann",
"repo": "totpal",
"type": "github"
}
},
"vpn-confinement": { "vpn-confinement": {
"locked": { "locked": {
"lastModified": 1749672087, "lastModified": 1749672087,


@ -6,6 +6,14 @@
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
sops-nix.url = "github:jdonszelmann/sops-nix"; sops-nix.url = "github:jdonszelmann/sops-nix";
vpn-confinement.url = "github:Maroka-chan/VPN-Confinement"; vpn-confinement.url = "github:Maroka-chan/VPN-Confinement";
# websites
homepage.url = "github:jdonszelmann/homepage";
totpal.url = "github:jdonszelmann/totpal";
harmonica.url = "git+ssh://git@github.com/jdonszelmann/harmonica-tabs";
mapf.url = "git+ssh://git@github.com/jdonszelmann/mapf-server";
reviewqueue.url = "github:jdonszelmann/review-queue";
}; };
outputs = outputs =
{ {
@ -15,8 +23,9 @@
flake-utils, flake-utils,
sops-nix, sops-nix,
vpn-confinement, vpn-confinement,
mapf,
... ...
}: }@inputs:
let let
pkgsForSystem = pkgsForSystem =
system: system:
@ -32,6 +41,8 @@
colmena = { colmena = {
meta = { meta = {
nixpkgs = pkgsForSystem "x86_64-linux"; nixpkgs = pkgsForSystem "x86_64-linux";
specialArgs.flakes = inputs;
}; };
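Review bot: `mapf,` is added to the destructured output arguments even though the whole set is now captured as `@inputs` and forwarded through `specialArgs.flakes`, so the extra name is redundant unless it is referenced below this hunk (not visible); dropping it keeps the argument list to what the function body itself uses. The `git+ssh://` inputs for harmonica and mapf mean flake evaluation needs an SSH identity with read access to those repositories wherever it runs, which a plain `github:` input does not; a comment next to `# websites` naming the expected key would save the next person a failed build. The outputs block continues past the end of this hunk.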
fili = { fili = {

16
secrets/forgejo.yaml Normal file

@ -0,0 +1,16 @@
email_password: ENC[AES256_GCM,data:bTFBUQ4ZQO3BYCA9ztly5w==,iv:YRggZh60iv1vvxbxvrv6224ztVUXlvZvp4p5IY4N3wo=,tag:BOQnvUGpiETuR7sP/fp/Pg==,type:str]
sops:
age:
- recipient: age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRV1c0YzBkWFpHTkt4ZXI2
dG9jL1dnNTRmbDNmelNxVHlSQTEzd0pIRFZjCjUwYnRQL1RBMmdTRkFud1M4cTdo
QnlESXlHZWhUUWdXZHpWYlBIMXR4aEUKLS0tIDZ4TUJYZzdHWGJpWVBiUHJVSnhQ
MnpUMzl3ZmhNZ25aWU5YcnVvUTY0c1EKt3q2WUaYFvFvJmLVHT10QbxqdAx1cvKU
ZGVJLxMbvzdNbK1MQacRbY+0JU+79WRG+BehGFxiExhYzNQS00ZQLg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-19T20:18:15Z"
mac: ENC[AES256_GCM,data:h112brIAuwrVKG2d7lRJvg5lSb6ruNTm+78E9IhBzPRRZJTCqWflp+rK7LpQevmaVgrLGHgF2LEnchzvQW2AMZh8726foQaUDGWhovvKMsnMmsU5axJ5QrKsPIvjpbqBjK3PZrqdVDZl53v6sNdAL8fi2uY0f0ncPOHbLb7E4Ag=,iv:YozwZvXgEA0Asyjcz6VuSIfNNCgoAzOqluLepttEJks=,tag:QpqhqCo//IbTDhMaVSIGqQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

8
secrets/oauth2-proxy.env Normal file

@ -0,0 +1,8 @@
OAUTH2_PROXY_CLIENT_SECRET=ENC[AES256_GCM,data:V/98HFTiIsMwLPKlTLG5t9cdGPLQ3267wYA1mW7OZD9HKHu4yl0EnSkS66LV6ANU,iv:iA1OLYXzxEGTWgxjHzrr3TXqQK7JhpjlXO48du+LwSU=,tag:V9K/FuM0LM6+BvEdSYlsSg==,type:str]
OAUTH2_PROXY_COOKIE_SECRET=ENC[AES256_GCM,data:mj4KK93nfPWb/0XGfeLOkgi69KQndghSvbm6Usg258s=,iv:3IZRadYRmP4pZ+7YRZ4ctyhMl6BP2GzqVAmMKijjE44=,tag:I9vIbsUl5YURMTPRJnje+A==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOL0VuWDliWTZIL0dydXRa\nMFc3YzFNeGh5UFNvR3E5UnVBVTlLWjNFT2lrCm4rYlhYZER1RnNuNUFtVDE2VHZD\nakpsbjNXQkY3Sm1nMW56bldUSTE4Uk0KLS0tIFplQ2VmaTIyYy9zcDJwcmgydTRW\nb0w3em1xNG5YVEVRQzlhbWN5aVE2OVkKkxhaO0R7oYVkyPkN24SK0SYe2m2ulma8\nzAsUJ6DmUBZrm/MOx8NDgGnPoF2o+d/Nk8jxeOCdge8oIixeI/i5jw==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw
sops_lastmodified=2025-08-20T09:03:37Z
sops_mac=ENC[AES256_GCM,data:Lfuo/k0swCDLTXS9qBUrNtGvgO4CoN6NxYOnJJbczzuO00FzVLdr5CoDx0WVP1OaTC06AoQIbURH9azRf/wVsQxlqnrU6/jqRT2YN8ZOasSCfxchcFMavj8iWAM3f5Ib3ITg1VrruKfXCJUNWePqkBz9S4z3YhINyPcJ41oAIyw=,iv:dUliQFPNvWRuto/8BtOkSMOc7TuBRZt89AOD686I2Vo=,tag:uAOJDnSyzlBQziLzyGAQew==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.10.2

11
secrets/reviewqueue.env Normal file

@ -0,0 +1,11 @@
#ENC[AES256_GCM,data:wv0EtbYFXXAmf5dLBMv+Z4H3l9WoxF6QVg==,iv:t1BAHNW41you67UkLENuH/Zq8u69+TWzu+oqn/oEY0Q=,tag:RUVpGpUySzjht0PA+y1Fsg==,type:comment]
GITHUB_TOKEN=ENC[AES256_GCM,data:3jzTyFPhgKfnAIeSw8sNifib00swg4Ucf/QVTDUFvQQVClFe+59guGZ7Z9we8zVyoQ+nzIkNsTzW6mZ7tV8vtjKTs35KC8JecdQVewCnyQ4Oa0ODFwEI1SQtz7ti,iv:/v+7yrvEHWf7jkbnMapHbZSJxws6J0sbdCuww+J6Tag=,tag:LxqPKMomUsW4yLAcFR+Hpw==,type:str]
HOST=ENC[AES256_GCM,data:6UAKpEQWCnxqevidVg300euWmYXPQQ==,iv:Fk/OPIJZV4Wnu0N7zgcjEmLUF3Bn3qQAKHtuqfSWoF4=,tag:BjTrsO0GIYKCjF+rVSPSNQ==,type:str]
OAUTH_CLIENT_ID=ENC[AES256_GCM,data:oXhdE2Pkl0+yPf56kjSXSnDwXCo=,iv:p1kv+T8PhdxsYgokOOXCB8XP5TT1nFh8CUuHWJQHWrI=,tag:a/Ezh3CwGrBBZNMW2PKgAA==,type:str]
OAUTH_CLIENT_SECRET=ENC[AES256_GCM,data:yu7/kyk8CtGJ4rgqX1iW0h6/G5dwM7DDe9V+ov3aU7Ueh8tjO4kOIw==,iv:GBtG92pFIBwZBYe6H6hNxOEGyZrk9DX3JdbQF82nwPI=,tag:1h6xOCwq3644lCFCntfwRA==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSmpaaUNWSGE1c0MzNURJ\nU2QzNFRZdS9ZeDR2TzlhZ3dnbi9wQW5hKzM4CnpjN3JYQkpvUkdsbW9LSWJhcmFF\nb0NjcEgrcE5qKzFmZlhtWVJ5QWZ4cjgKLS0tIE5ubW5idFE1VmVIdkRvdVVvK1Zl\nc2JTR2FCUGo3Q3pzWjhjK3I3MG9WZkEKGa6eY+IpfymIzfkAbGoJziyf9NP5U8xC\nUM0Xj68fstT9GLOg3/Zp1/4tueIO2Dh8omQi2LJZPjdmzY+Ph25IqA==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw
sops_lastmodified=2025-08-13T16:48:41Z
sops_mac=ENC[AES256_GCM,data:CqtTl2qvFi2yL1GF0ZZpC5336Knbyl4EeVm8NI4pzp3rsIf7JPcqg5e2WUWMNuFFR69Q23plndAsOd8XtIPGoqlKyTnHqMMDLDsPZ0r198+zxbNM/z7ZaiI0YmaVTXkm5MMld+5/9FOUFkJyLqcGj1lMLMQIRRX2rn+ccx/7R48=,iv:puOXtn3haqSOyoUNLFrdOzLlGAeuhhlTdMXaokPV+J4=,tag:GloK7jJo3JvUvq9AnPuIwg==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.10.2


@ -91,6 +91,7 @@
"syncthing" "syncthing"
"jellyfin" "jellyfin"
"media" "media"
"nginx"
]; ];
}; };