switch to cap based home configs

2026-01-20 16:57:10 +01:00 · 2026-01-20 16:57:10 +01:00 · 49b6f5bde0
commit 49b6f5bde0
parent 50ee9aac83
64 changed files with 2064 additions and 1779 deletions
--- a/hosts/fili/services/auth/default.nix
+++ b/hosts/fili/services/auth/default.nix
@ -0,0 +1,6 @@
+_: {
+  imports = [
+    ./oauth2-proxy.nix
+    ./pocketid.nix
+  ];
+}
--- a/hosts/fili/services/auth/oauth2-proxy.nix
+++ b/hosts/fili/services/auth/oauth2-proxy.nix
@ -0,0 +1,47 @@
+{
+  config,
+  secrets,
+  ...
+}:
+{
+  sops.secrets.oauth2-proxy = {
+    sopsFile = "${secrets}/oauth2-proxy.env";
+  };
+
+  services.oauth2-proxy = {
+    enable = true;
+
+    provider = "oidc";
+    scope = "openid profile email groups";
+    clientID = "38aa51e2-783e-48f0-a4b9-440e269f1217";
+    oidcIssuerUrl = "https://auth.donsz.nl";
+    reverseProxy = true;
+
+    proxyPrefix = "/oauth2";
+
+    keyFile = config.sops.secrets.oauth2-proxy.path;
+
+    email.domains = [ "*" ];
+
+    cookie = {
+      domain = "donsz.nl";
+      refresh = "1h";
+      secure = true;
+    };
+
+    extraConfig = {
+      whitelist-domain = [ "*.donsz.nl" ];
+      insecure-oidc-allow-unverified-email = true;
+    };
+
+    nginx.domain = "oauth2.donsz.nl";
+  };
+
+  services.nginx.virtualHosts."oauth2.donsz.nl" = {
+    forceSSL = true;
+    http2 = true;
+    enableACME = true;
+
+    locations."/".return = "301 https://oauth2.donsz.nl/oauth2/sign_in";
+  };
+}
--- a/hosts/fili/services/auth/pocketid.nix
+++ b/hosts/fili/services/auth/pocketid.nix
@ -0,0 +1,57 @@
+{ config, secrets, ... }:
+{
+  sops.secrets.pocketid = {
+    owner = config.services.pocket-id.user;
+    sopsFile = "${secrets}/pocketid.env";
+  };
+
+  services.nginx.virtualHosts."auth.donsz.nl" = {
+    forceSSL = true;
+    enableACME = true;
+    extraConfig = ''
+      proxy_busy_buffers_size   512k;
+      proxy_buffers   4 512k;
+      proxy_buffer_size   256k;
+    '';
+    locations."/".proxyPass = "http://[::1]:${toString config.services.pocket-id.settings.PORT}";
+  };
+
+  services.pocket-id = {
+    enable = true;
+    user = "pocket-id";
+    environmentFile = config.sops.secrets.pocketid.path;
+    settings = {
+      PORT = 1411;
+
+      TRUST_PROXY = true;
+      APP_URL = "https://auth.donsz.nl";
+      ALLOW_USER_SIGNUPS = "withToken";
+
+      UI_CONFIG_DISABLED = true;
+      ALLOW_OWN_ACCOUNT_EDIT = true;
+      DB_PROVIDER = "postgres";
+      DB_CONNECTION_STRING = "postgres://pocketid:pocketid@localhost:5432/pocketid";
+      KEYS_STORAGE = "database";
+
+      METRICS_ENABLED = false;
+      TRACING_ENABLED = false;
+      ANALYTICS_DISABLED = true;
+
+      SESSION_DURATION = 1440;
+
+      SMTP_HOST = "smtp.fastmail.com";
+      SMTP_PORT = "587";
+      SMTP_FROM = "auth@donsz.nl";
+      SMTP_USER = "pocketid-auth";
+      SMTP_TLS = "starttls";
+
+      EMAIL_LOGIN_NOTIFICATION_ENABLED = true;
+      EMAIL_API_KEY_EXPIRATION_ENABLED = true;
+      EMAIL_ONE_TIME_ACCESS_AS_ADMIN_ENABLED = true;
+
+      ACCENT_COLOR = "#c66995";
+
+      LOG_LEVEL = "debug";
+    };
+  };
+}