jana/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

auth and git

Browse source
This commit is contained in:
Jana Dönszelmann 2025-08-19 21:12:39 +02:00
parent d35531c1bd
commit 2d9feaa634
No known key found for this signature in database
24 changed files with 787 additions and 16 deletions
Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml Normal file
View file

@ -0,0 +1,7 @@
keys:
- &jana age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw
creation_rules:
- path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups:
- age:
- *jana

19
fili/lib/auth.nix Normal file
View file

@ -0,0 +1,19 @@
{ baseUrl, clientId }: {
inherit clientId;
userAuthUrl = "${baseUrl}/ui/oauth2";
apiAuthUrl = "${baseUrl}/oauth2/authorise";
tokenUrl = "${baseUrl}/oauth2/token";
rfc7662TokenIntrospectionUrl = "${baseUrl}/oauth2/token/introspect";
rfc7009TokenRevokeUrl = "${baseUrl}/oauth2/token/revoke";
oauth2Rfc8414Discovery = "${baseUrl}/oauth2/openid/${clientId}/.well-known/oauth-authorization-server";
oidcIssuerUri = "${baseUrl}/oauth2/openid/${clientId}";
oidcDiscovery = "${baseUrl}/oauth2/openid/${clientId}/.well-known/openid-configuration";
oidcUserInfo = "${baseUrl}/oauth2/openid/${clientId}/userinfo";
oidcTokenSigningPubkey = "${baseUrl}/openid/${clientId}/public_key.jwk";
}

6
fili/services/auth/default.nix Normal file
View file

@ -0,0 +1,6 @@
_: {
imports = [
./kanidm.nix
./oauth2-proxy.nix
];
}

45
fili/services/auth/kanidm.nix Normal file
View file

@ -0,0 +1,45 @@
{pkgs, config, ...}: let
lib = pkgs.lib;
domain = "auth.donsz.nl";
port = 3013;
backupsDir = "/var/lib/kanidm/backup";
in {
services.kanidm.enableServer = true;
services.kanidm.package = pkgs.kanidm_1_6;
services.kanidm.serverSettings = {
tls_chain = "/var/lib/acme/${domain}/fullchain.pem";
tls_key = "/var/lib/acme/${domain}/key.pem";
bindaddress = "[::1]:${toString port}";
ldapbindaddress = "[::1]:3636";
inherit domain;
origin = "https://${domain}";
trust_x_forward_for = true;
online_backup = {
path = backupsDir;
schedule = "0 0 * * *";
};
};
systemd.services.kanidm = {
preStart = lib.mkBefore ''
mkdir -p "${backupsDir}"
'';
serviceConfig = {
SupplementaryGroups =
[ config.security.acme.certs.${domain}.group ];
};
};
environment.systemPackages = [pkgs.kanidm];
services.nginx.virtualHosts.${domain} = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "https://[::1]:${toString port}";
};
};
}

50
fili/services/auth/oauth2-proxy.nix Normal file
View file

@ -0,0 +1,50 @@
{pkgs, config, ...}: {
sops.secrets.oauth2-proxy = {
sopsFile = ../../../secrets/oauth2-proxy.env;
};
services.oauth2-proxy =
let
auth = import ../../lib/auth.nix { baseUrl = "https://auth.donsz.nl"; clientId = "homeserver"; };
in {
enable = true;
provider = "oidc";
clientID = "${auth.clientId}";
oidcIssuerUrl = auth.oidcIssuerUri;
proxyPrefix = "/oauth2";
reverseProxy = true;
keyFile = config.sops.secrets.oauth2-proxy.path;
loginURL = auth.apiAuthUrl;
redeemURL = auth.tokenUrl;
validateURL = auth.rfc7662TokenIntrospectionUrl;
profileURL = auth.oidcUserInfo;
scope = "openid profile email";
email.domains = [ "*" ];
cookie = {
domain = "donsz.nl";
refresh = "1h";
secure = true;
};
extraConfig = {
whitelist-domain = ["*.donsz.nl"];
};
nginx.domain = "oauth2.donsz.nl";
};
services.nginx.virtualHosts."oauth2.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/".return = "301 https://oauth2.donsz.nl/oauth2/sign_in";
};
}

4
fili/services/databases.nix
View file

@ -46,6 +46,10 @@
name = "dnote";
ensureDBOwnership = true;
}
{
name = "forgejo";
ensureDBOwnership = true;
}
];
ensureDatabases = map (i: i.name) ensureUsers;
};

6
fili/services/default.nix
View file

@ -3,8 +3,10 @@ _: {
./nginx.nix
./databases.nix
./matrix-synapse.nix
./reviewqueue.nix
./homepage.nix
./forgejo.nix
./media
./websites
./auth
];
}

76
fili/services/forgejo.nix Normal file
View file

@ -0,0 +1,76 @@
{ lib, pkgs, config, ... }:
let
cfg = config.services.forgejo;
srv = cfg.settings.server;
in
{
sops.secrets.forgejo = {
sopsFile = ../../secrets/forgejo.yaml;
key="email_password";
format = "yaml";
};
users.groups.forgejo = { };
users.users.forgejo = {
isSystemUser = true;
group = "forgejo";
extraGroups = [ "storage" ];
};
services.nginx = {
virtualHosts."git.donsz.nl" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
client_max_body_size 512M;
'';
locations."/".proxyPass = "http://[::1]:13121";
};
};
services.forgejo = {
enable = true;
lfs.enable = true;
user = "forgejo";
group = "forgejo";
repositoryRoot="/storage/storage/git";
database = {
type = "postgres";
name = "forgejo";
createDatabase = false;
};
settings = {
DEFAULT = {
APP_NAME="jana's git server";
APP_SLOGAN="meow!";
};
server = {
DOMAIN = "git.donsz.nl";
ROOT_URL = "https://git.donsz.nl/";
HTTP_PORT = 13121;
};
service = {
DISABLE_REGISTRATION = true;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
ENABLE_PASSWORD_SIGNIN_FORM = false;
};
actions = {
ENABLED = true;
DEFAULT_ACTIONS_URL = "github";
};
repository = {
DEFAULT_PRIVATE="private";
};
mailer = {
ENABLED = true;
SMTP_ADDR = "smtp.fastmail.com";
FROM = "git@donsz.nl";
USER = "git@donsz.nl";
};
};
mailerPasswordFile = config.sops.secrets.forgejo.path;
};
}

3
fili/services/homepage.nix
View file

@ -1,3 +0,0 @@
{inputs,...}: {
}

7
fili/services/media/torrent.nix
View file

@ -66,12 +66,6 @@
];
};
# proxy."dl.donsz.nl" = {
# port = 9091;
# to = "192.168.15.1";
# authenticated = true;
# };
services.nginx = {
virtualHosts."dl.donsz.nl" = {
forceSSL = true;
@ -83,6 +77,7 @@
};
};
};
services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl" = { };
systemd.services.transmission.vpnConfinement = {
enable = true;

2
fili/services/nginx.nix
View file

@ -1,4 +1,4 @@
_: {
{pkgs, config, ...}: {
services.nginx = {
enable = true;
statusPage = true;

0
fili/services/reviewqueue.nix
View file

9
fili/services/websites/default.nix Normal file
View file

@ -0,0 +1,9 @@
_: {
imports = [
./reviewqueue.nix
./homepage.nix
./totpal.nix
./harmonica-tabs.nix
./mapf.nix
];
}

29
fili/services/websites/harmonica-tabs.nix Normal file
View file

@ -0,0 +1,29 @@
{ pkgs, flakes, ... }:
{
services.nginx = {
virtualHosts."harmonica.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:42424";
};
};
};
systemd.services.harmonica-tabs = {
description = "harmonica tabs";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
restartIfChanged = true;
serviceConfig = {
DynamicUser = true;
ExecStart = "${flakes.harmonica.packages.${pkgs.system}.default}/bin/services";
WorkingDirectory = "${flakes.harmonica.packages.${pkgs.system}.default}";
Restart = "always";
};
};
}

22
fili/services/websites/homepage.nix Normal file
View file

@ -0,0 +1,22 @@
{flakes, pkgs, ...}: {
services.nginx = {
virtualHosts."donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
root = flakes.homepage.packages.${pkgs.system}.website;
};
};
virtualHosts."jdonszelmann.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
root = flakes.homepage.packages.${pkgs.system}.website;
};
};
};
}

29
fili/services/websites/mapf.nix Normal file
View file

@ -0,0 +1,29 @@
{flakes,...}: {
# imports = [
# flakes.mapf.nixosModules.default
# ];
sops.secrets.mapf = {
sopsFile = ../../../secrets/mapf-prod.env;
};
services.nginx = {
virtualHosts."mapf.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:8080";
};
};
};
# donsz.services.mapf = {
# enable = true;
# envfile = "/run/secrets/sops/mapf";
# db_name = "mapfprod";
# db_user = "mapfprod";
# db_password = "";
# };
}

38
fili/services/websites/reviewqueue.nix Normal file
View file

@ -0,0 +1,38 @@
{ pkgs, flakes, ... }:
{
sops.secrets.reviewqueue = {
sopsFile = ../../../secrets/reviewqueue.env;
};
services.nginx = {
virtualHosts."queue.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:3000";
};
};
};
systemd.services.reviewqueue = {
description = "Review Queue";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ]; # if networking is needed
restartIfChanged = true; # set to false, if restarting is problematic
serviceConfig = {
ExecStart = "${flakes.reviewqueue.packages.${pkgs.system}.default}/bin/reviewqueue";
Restart = "always";
EnvironmentFile = "/run/secrets/reviewqueue";
StateDirectory = "/var/lib/reviewqueue";
};
environment = {
DB_PATH = "/var/lib/reviewqueue/db.sqlite";
};
};
}

28
fili/services/websites/totpal.nix Normal file
View file

@ -0,0 +1,28 @@
{ flakes, pkgs,... }:
let
totpal =
flakes.totpal.packages.${pkgs.system}.default
;
in
{
services.nginx = {
virtualHosts."totpal.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
locations."/" = {
proxyPass = "http://[::1]:2442";
};
};
};
systemd.services.totpal =
{
description = "totpal";
serviceConfig = {
Type = "simple";
ExecStart = "${totpal}/bin/totpal";
};
};
}

374
flake.lock generated
View file

@ -22,6 +22,29 @@
"type": "github"
}
},
"fenix": {
"inputs": {
"nixpkgs": [
"reviewqueue",
"naersk",
"nixpkgs"
],
"rust-analyzer-src": "rust-analyzer-src"
},
"locked": {
"lastModified": 1752475459,
"narHash": "sha256-z6QEu4ZFuHiqdOPbYss4/Q8B0BFhacR8ts6jO/F/aOU=",
"owner": "nix-community",
"repo": "fenix",
"rev": "bf0d6f70f4c9a9cf8845f992105652173f4b617f",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "fenix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
@ -71,6 +94,135 @@
"type": "github"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"inputs": {
"systems": "systems_4"
},
"locked": {
"lastModified": 1731533236,
"narHash": "sha256-l0KFg5HjrsfsO/JpG+r7fRrqm12kzFHyUHqHCVpMMbI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "11707dc2f618dd54ca8739b309ec4fc024de578b",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"harmonica": {
"inputs": {
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1738890519,
"narHash": "sha256-bc5s4lnFojTbnEvG4HUrrrRtDHfnuxVps8hL8K8Sgb4=",
"ref": "refs/heads/main",
"rev": "2eb8c5b4d441e79bf4775483a129d25c2dd3e336",
"revCount": 3,
"type": "git",
"url": "ssh://git@github.com/jdonszelmann/harmonica-tabs"
},
"original": {
"type": "git",
"url": "ssh://git@github.com/jdonszelmann/harmonica-tabs"
}
},
"homepage": {
"inputs": {
"flake-utils": "flake-utils_3",
"nixpkgs": "nixpkgs_3"
},
"locked": {
"lastModified": 1747823174,
"narHash": "sha256-8P6od55oOAaE0/QAaHn33ADFISTiE+QOt2s0AmaPAFQ=",
"owner": "jdonszelmann",
"repo": "homepage",
"rev": "39ef8624648f4e8803aa7510036ad48f5d4a459c",
"type": "github"
},
"original": {
"owner": "jdonszelmann",
"repo": "homepage",
"type": "github"
}
},
"mapf": {
"inputs": {
"flake-utils": "flake-utils_4",
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1721482233,
"narHash": "sha256-zNTFyWdpOOTSXfCtcvdU7MjHohnKQpZcSlhCPS/C93Y=",
"ref": "refs/heads/master",
"rev": "aa47dd1bc41ba25d14b1ac62edcee14f6fec1aa5",
"revCount": 677,
"type": "git",
"url": "ssh://git@github.com/jdonszelmann/mapf-server"
},
"original": {
"type": "git",
"url": "ssh://git@github.com/jdonszelmann/mapf-server"
}
},
"naersk": {
"inputs": {
"fenix": "fenix",
"nixpkgs": "nixpkgs_6"
},
"locked": {
"lastModified": 1752689277,
"narHash": "sha256-uldUBFkZe/E7qbvxa3mH1ItrWZyT6w1dBKJQF/3ZSsc=",
"owner": "nix-community",
"repo": "naersk",
"rev": "0e72363d0938b0208d6c646d10649164c43f4d64",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "naersk",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
@ -108,6 +260,22 @@
"type": "github"
}
},
"nixpkgs-mozilla": {
"flake": false,
"locked": {
"lastModified": 1744624473,
"narHash": "sha256-S6zT/w5SyAkJ//dYdjbrXgm+6Vkd/k7qqUl4WgZ6jjk=",
"owner": "mozilla",
"repo": "nixpkgs-mozilla",
"rev": "2292d4b35aa854e312ad2e95c4bb5c293656f21a",
"type": "github"
},
"original": {
"owner": "mozilla",
"repo": "nixpkgs-mozilla",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1703950681,
@ -125,6 +293,54 @@
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1738680400,
"narHash": "sha256-ooLh+XW8jfa+91F1nhf9OF7qhuA/y1ChLx6lXDNeY5U=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "799ba5bffed04ced7067a91798353d360788b30d",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1716137900,
"narHash": "sha256-sowPU+tLQv8GlqtVtsXioTKeaQvlMz/pefcdwg8MvfM=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "6c0b7a92c30122196a761b440ac0d46d3d9954f1",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_4": {
"locked": {
"lastModified": 1721379653,
"narHash": "sha256-8MUgifkJ7lkZs3u99UDZMB4kbOxvMEXQZ31FO3SopZ0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "1d9c2c9b3e71b9ee663d11c5d298727dace8d374",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_5": {
"locked": {
"lastModified": 1751104741,
"narHash": "sha256-xPlVbk6WlgTzDvWFRyzvXMdh/ZFLEOTCQik18wg5AFQ=",
@ -140,7 +356,37 @@
"type": "github"
}
},
"nixpkgs_3": {
"nixpkgs_6": {
"locked": {
"lastModified": 1752077645,
"narHash": "sha256-HM791ZQtXV93xtCY+ZxG1REzhQenSQO020cu6rHtAPk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "be9e214982e20b8310878ac2baa063a961c1bdf6",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixpkgs-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_7": {
"locked": {
"lastModified": 1755020227,
"narHash": "sha256-gGmm+h0t6rY88RPTaIm3su95QvQIVjAJx558YUG4Id8=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "695d5db1b8b20b73292501683a524e0bd79074fb",
"type": "github"
},
"original": {
"id": "nixpkgs",
"type": "indirect"
}
},
"nixpkgs_8": {
"locked": {
"lastModified": 1703499205,
"narHash": "sha256-lF9rK5mSUfIZJgZxC3ge40tp1gmyyOXZ+lRY3P8bfbg=",
@ -156,18 +402,77 @@
"type": "github"
}
},
"nixpkgs_9": {
"locked": {
"lastModified": 1732014248,
"narHash": "sha256-y/MEyuJ5oBWrWAic/14LaIr/u5E0wRVzyYsouYY3W6w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "23e89b7da85c3640bbc2173fe04f4bd114342367",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"reviewqueue": {
"inputs": {
"flake-utils": "flake-utils_5",
"naersk": "naersk",
"nixpkgs": "nixpkgs_7",
"nixpkgs-mozilla": "nixpkgs-mozilla"
},
"locked": {
"lastModified": 1755627228,
"narHash": "sha256-0BiTSjVWxgFnhOFxM1hpeMoMZcQBsgZTeVIgXOSUMcg=",
"owner": "jdonszelmann",
"repo": "review-queue",
"rev": "e2cf27dea96d2fde03c913d4b4462d3785019b36",
"type": "github"
},
"original": {
"owner": "jdonszelmann",
"repo": "review-queue",
"type": "github"
}
},
"root": {
"inputs": {
"colmena": "colmena",
"flake-utils": "flake-utils_2",
"nixpkgs": "nixpkgs_2",
"harmonica": "harmonica",
"homepage": "homepage",
"mapf": "mapf",
"nixpkgs": "nixpkgs_5",
"reviewqueue": "reviewqueue",
"sops-nix": "sops-nix",
"totpal": "totpal",
"vpn-confinement": "vpn-confinement"
}
},
"rust-analyzer-src": {
"flake": false,
"locked": {
"lastModified": 1752428706,
"narHash": "sha256-EJcdxw3aXfP8Ex1Nm3s0awyH9egQvB2Gu+QEnJn2Sfg=",
"owner": "rust-lang",
"repo": "rust-analyzer",
"rev": "591e3b7624be97e4443ea7b5542c191311aa141d",
"type": "github"
},
"original": {
"owner": "rust-lang",
"ref": "nightly",
"repo": "rust-analyzer",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": "nixpkgs_3",
"nixpkgs": "nixpkgs_8",
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
@ -215,6 +520,69 @@
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"totpal": {
"inputs": {
"nixpkgs": "nixpkgs_9"
},
"locked": {
"lastModified": 1737322813,
"narHash": "sha256-WMRUKiNDielsw/2MwRIDEvL4+OmcBXHd6UVqCottDkc=",
"owner": "jdonszelmann",
"repo": "totpal",
"rev": "c671f568d20d13e79a2c434926da6be3035fd1f6",
"type": "github"
},
"original": {
"owner": "jdonszelmann",
"repo": "totpal",
"type": "github"
}
},
"vpn-confinement": {
"locked": {
"lastModified": 1749672087,

13
flake.nix
View file

@ -6,6 +6,14 @@
flake-utils.url = "github:numtide/flake-utils";
sops-nix.url = "github:jdonszelmann/sops-nix";
vpn-confinement.url = "github:Maroka-chan/VPN-Confinement";
# websites
homepage.url = "github:jdonszelmann/homepage";
totpal.url = "github:jdonszelmann/totpal";
harmonica.url = "git+ssh://git@github.com/jdonszelmann/harmonica-tabs";
mapf.url = "git+ssh://git@github.com/jdonszelmann/mapf-server";
reviewqueue.url = "github:jdonszelmann/review-queue";
};
outputs =
{
@ -15,8 +23,9 @@
flake-utils,
sops-nix,
vpn-confinement,
mapf,
...
}:
}@inputs:
let
pkgsForSystem =
system:
@ -32,6 +41,8 @@
colmena = {
meta = {
nixpkgs = pkgsForSystem "x86_64-linux";
specialArgs.flakes = inputs;
};
fili = {

16
secrets/forgejo.yaml Normal file
View file

@ -0,0 +1,16 @@
email_password: ENC[AES256_GCM,data:bTFBUQ4ZQO3BYCA9ztly5w==,iv:YRggZh60iv1vvxbxvrv6224ztVUXlvZvp4p5IY4N3wo=,tag:BOQnvUGpiETuR7sP/fp/Pg==,type:str]
sops:
age:
- recipient: age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRV1c0YzBkWFpHTkt4ZXI2
dG9jL1dnNTRmbDNmelNxVHlSQTEzd0pIRFZjCjUwYnRQL1RBMmdTRkFud1M4cTdo
QnlESXlHZWhUUWdXZHpWYlBIMXR4aEUKLS0tIDZ4TUJYZzdHWGJpWVBiUHJVSnhQ
MnpUMzl3ZmhNZ25aWU5YcnVvUTY0c1EKt3q2WUaYFvFvJmLVHT10QbxqdAx1cvKU
ZGVJLxMbvzdNbK1MQacRbY+0JU+79WRG+BehGFxiExhYzNQS00ZQLg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-19T20:18:15Z"
mac: ENC[AES256_GCM,data:h112brIAuwrVKG2d7lRJvg5lSb6ruNTm+78E9IhBzPRRZJTCqWflp+rK7LpQevmaVgrLGHgF2LEnchzvQW2AMZh8726foQaUDGWhovvKMsnMmsU5axJ5QrKsPIvjpbqBjK3PZrqdVDZl53v6sNdAL8fi2uY0f0ncPOHbLb7E4Ag=,iv:YozwZvXgEA0Asyjcz6VuSIfNNCgoAzOqluLepttEJks=,tag:QpqhqCo//IbTDhMaVSIGqQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

8
secrets/oauth2-proxy.env Normal file
View file

@ -0,0 +1,8 @@
OAUTH2_PROXY_CLIENT_SECRET=ENC[AES256_GCM,data:V/98HFTiIsMwLPKlTLG5t9cdGPLQ3267wYA1mW7OZD9HKHu4yl0EnSkS66LV6ANU,iv:iA1OLYXzxEGTWgxjHzrr3TXqQK7JhpjlXO48du+LwSU=,tag:V9K/FuM0LM6+BvEdSYlsSg==,type:str]
OAUTH2_PROXY_COOKIE_SECRET=ENC[AES256_GCM,data:mj4KK93nfPWb/0XGfeLOkgi69KQndghSvbm6Usg258s=,iv:3IZRadYRmP4pZ+7YRZ4ctyhMl6BP2GzqVAmMKijjE44=,tag:I9vIbsUl5YURMTPRJnje+A==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOL0VuWDliWTZIL0dydXRa\nMFc3YzFNeGh5UFNvR3E5UnVBVTlLWjNFT2lrCm4rYlhYZER1RnNuNUFtVDE2VHZD\nakpsbjNXQkY3Sm1nMW56bldUSTE4Uk0KLS0tIFplQ2VmaTIyYy9zcDJwcmgydTRW\nb0w3em1xNG5YVEVRQzlhbWN5aVE2OVkKkxhaO0R7oYVkyPkN24SK0SYe2m2ulma8\nzAsUJ6DmUBZrm/MOx8NDgGnPoF2o+d/Nk8jxeOCdge8oIixeI/i5jw==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw
sops_lastmodified=2025-08-20T09:03:37Z
sops_mac=ENC[AES256_GCM,data:Lfuo/k0swCDLTXS9qBUrNtGvgO4CoN6NxYOnJJbczzuO00FzVLdr5CoDx0WVP1OaTC06AoQIbURH9azRf/wVsQxlqnrU6/jqRT2YN8ZOasSCfxchcFMavj8iWAM3f5Ib3ITg1VrruKfXCJUNWePqkBz9S4z3YhINyPcJ41oAIyw=,iv:dUliQFPNvWRuto/8BtOkSMOc7TuBRZt89AOD686I2Vo=,tag:uAOJDnSyzlBQziLzyGAQew==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.10.2

11
secrets/reviewqueue.env Normal file
View file

@ -0,0 +1,11 @@
#ENC[AES256_GCM,data:wv0EtbYFXXAmf5dLBMv+Z4H3l9WoxF6QVg==,iv:t1BAHNW41you67UkLENuH/Zq8u69+TWzu+oqn/oEY0Q=,tag:RUVpGpUySzjht0PA+y1Fsg==,type:comment]
GITHUB_TOKEN=ENC[AES256_GCM,data:3jzTyFPhgKfnAIeSw8sNifib00swg4Ucf/QVTDUFvQQVClFe+59guGZ7Z9we8zVyoQ+nzIkNsTzW6mZ7tV8vtjKTs35KC8JecdQVewCnyQ4Oa0ODFwEI1SQtz7ti,iv:/v+7yrvEHWf7jkbnMapHbZSJxws6J0sbdCuww+J6Tag=,tag:LxqPKMomUsW4yLAcFR+Hpw==,type:str]
HOST=ENC[AES256_GCM,data:6UAKpEQWCnxqevidVg300euWmYXPQQ==,iv:Fk/OPIJZV4Wnu0N7zgcjEmLUF3Bn3qQAKHtuqfSWoF4=,tag:BjTrsO0GIYKCjF+rVSPSNQ==,type:str]
OAUTH_CLIENT_ID=ENC[AES256_GCM,data:oXhdE2Pkl0+yPf56kjSXSnDwXCo=,iv:p1kv+T8PhdxsYgokOOXCB8XP5TT1nFh8CUuHWJQHWrI=,tag:a/Ezh3CwGrBBZNMW2PKgAA==,type:str]
OAUTH_CLIENT_SECRET=ENC[AES256_GCM,data:yu7/kyk8CtGJ4rgqX1iW0h6/G5dwM7DDe9V+ov3aU7Ueh8tjO4kOIw==,iv:GBtG92pFIBwZBYe6H6hNxOEGyZrk9DX3JdbQF82nwPI=,tag:1h6xOCwq3644lCFCntfwRA==,type:str]
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlSmpaaUNWSGE1c0MzNURJ\nU2QzNFRZdS9ZeDR2TzlhZ3dnbi9wQW5hKzM4CnpjN3JYQkpvUkdsbW9LSWJhcmFF\nb0NjcEgrcE5qKzFmZlhtWVJ5QWZ4cjgKLS0tIE5ubW5idFE1VmVIdkRvdVVvK1Zl\nc2JTR2FCUGo3Q3pzWjhjK3I3MG9WZkEKGa6eY+IpfymIzfkAbGoJziyf9NP5U8xC\nUM0Xj68fstT9GLOg3/Zp1/4tueIO2Dh8omQi2LJZPjdmzY+Ph25IqA==\n-----END AGE ENCRYPTED FILE-----\n
sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw
sops_lastmodified=2025-08-13T16:48:41Z
sops_mac=ENC[AES256_GCM,data:CqtTl2qvFi2yL1GF0ZZpC5336Knbyl4EeVm8NI4pzp3rsIf7JPcqg5e2WUWMNuFFR69Q23plndAsOd8XtIPGoqlKyTnHqMMDLDsPZ0r198+zxbNM/z7ZaiI0YmaVTXkm5MMld+5/9FOUFkJyLqcGj1lMLMQIRRX2rn+ccx/7R48=,iv:puOXtn3haqSOyoUNLFrdOzLlGAeuhhlTdMXaokPV+J4=,tag:GloK7jJo3JvUvq9AnPuIwg==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_version=3.10.2

1
users/users.nix
View file

@ -91,6 +91,7 @@
"syncthing"
"jellyfin"
"media"
"nginx"
];
};