From a3289c777e99b6f630d954c25036b937fdfd5c30 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jana=20D=C3=B6nszelmann?=
Date: Fri, 2 Jan 2026 22:05:00 +0100
Subject: [PATCH] pocketid
---
 .direnv/flake-profile | 2 +-
 .direnv/flake-profile-10-link | 1 -
 .direnv/flake-profile-11-link | 1 +
 fili/services/auth/default.nix | 2 ++
 fili/services/auth/pocketid.nix | 52 +++++++++++++++++++++++++++++++++
 fili/services/databases.nix | 4 +++
 flake.lock | 8 ++---
 flake.nix | 2 +-
 secrets/pocketid.env | 8 +++++
 9 files changed, 73 insertions(+), 7 deletions(-)
 delete mode 120000 .direnv/flake-profile-10-link
 create mode 120000 .direnv/flake-profile-11-link
 create mode 100644 fili/services/auth/pocketid.nix
 create mode 100644 secrets/pocketid.env
diff --git a/.direnv/flake-profile b/.direnv/flake-profile
index b9f8d1a..c7ae88b 120000
--- a/.direnv/flake-profile
+++ b/.direnv/flake-profile
@@ -1 +1 @@
-flake-profile-10-link
\ No newline at end of file
+flake-profile-11-link
\ No newline at end of file
diff --git a/.direnv/flake-profile-10-link b/.direnv/flake-profile-10-link
deleted file mode 120000
index f4f9a9a..0000000
--- a/.direnv/flake-profile-10-link
+++ /dev/null
@@ -1 +0,0 @@
-/nix/store/cmsv2fznjjsyg9cj2yvkaccjj2iv4r9h-nix-shell-env
\ No newline at end of file
diff --git a/.direnv/flake-profile-11-link b/.direnv/flake-profile-11-link
new file mode 120000
index 0000000..2688811
--- /dev/null
+++ b/.direnv/flake-profile-11-link
@@ -0,0 +1 @@
+/nix/store/0r147knri9hgvgkbnqqwgmqbrsfr90w0-nix-shell-env
\ No newline at end of file
diff --git a/fili/services/auth/default.nix b/fili/services/auth/default.nix
index a96e992..1717685 100644
--- a/fili/services/auth/default.nix
+++ b/fili/services/auth/default.nix
@@ -2,5 +2,7 @@ _: {
 imports = [
 ./kanidm.nix
 ./oauth2-proxy.nix
+
+ ./pocketid.nix
 ];
 }
diff --git a/fili/services/auth/pocketid.nix b/fili/services/auth/pocketid.nix
new file mode 100644
index 0000000..8ce83a8
--- /dev/null
+++ b/fili/services/auth/pocketid.nix 
@@ -0,0 +1,52 @@
+{ config, ... }:
+{
+ sops.secrets.pocketid = {
+ owner = config.services.pocket-id.user;
+ sopsFile = ../../../secrets/pocketid.env;
+ };
+
+ services.nginx.virtualHosts."auth2.donsz.nl" = {
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ proxy_busy_buffers_size 512k;
+ proxy_buffers 4 512k;
+ proxy_buffer_size 256k;
+ '';
+ locations."/".proxyPass = "http://[::1]:${toString config.services.pocket-id.settings.PORT}";
+ };
+
+ services.pocket-id = {
+ enable = true;
+ user = "pocket-id";
+ environmentFile = config.sops.secrets.pocketid.path;
+ settings = {
+ PORT = 1411;
+
+ TRUST_PROXY = true;
+ APP_URL = "https://auth2.donsz.nl";
+ ALLOW_USER_SIGNUPS = "disabled";
+ UI_CONFIG_DISABLED = true;
+ ALLOW_OWN_ACCOUNT_EDIT = true;
+ DB_PROVIDER = "postgres";
+ DB_CONNECTION_STRING = "postgres://pocketid:pocketid@localhost:5432/pocketid";
+ KEYS_STORAGE = "database";
+
+ METRICS_ENABLED = false;
+ TRACING_ENABLED = false;
+ ANALYTICS_DISABLED = true;
+
+ SESSION_DURATION = 1440;
+
+ SMTP_HOST = "smtp.fastmail.com";
+ SMTP_PORT = "587";
+ SMTP_FROM = "auth@donsz.nl";
+ SMTP_USER = "pocketid-auth";
+ SMTP_TLS = "starttls";
+
+ EMAIL_LOGIN_NOTIFICATION_ENABLED = true;
+ EMAIL_API_KEY_EXPIRATION_ENABLED = true;
+ EMAIL_ONE_TIME_ACCESS_AS_ADMIN_ENABLED = true;
+ };
+ };
+}
diff --git a/fili/services/databases.nix b/fili/services/databases.nix
index b6f7e84..1487022 100644
--- a/fili/services/databases.nix
+++ b/fili/services/databases.nix
@@ -50,6 +50,10 @@
 name = "forgejo";
 ensureDBOwnership = true;
 }
+ {
+ name = "pocketid";
+ ensureDBOwnership = true;
+ }
 ];
 ensureDatabases = map (i: i.name) ensureUsers;
 };
diff --git a/flake.lock b/flake.lock
index 2970a0d..18fd076 100644
--- a/flake.lock
+++ b/flake.lock 
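Review bot: `DB_CONNECTION_STRING = "postgres://pocketid:pocketid@localhost:5432/pocketid"` puts a database password into `settings`, which the module presumably renders into the unit's environment in the world-readable Nix store, while the SMTP password and `ENCRYPTION_KEY` correctly travel through `environmentFile`. Either delete that line from `settings` and add `DB_CONNECTION_STRING=postgres://pocketid:<real password>@localhost:5432/pocketid` to `secrets/pocketid.env` (already loaded via `environmentFile`), or avoid a password altogether with socket peer auth, `DB_CONNECTION_STRING = "postgres:///pocketid?host=/run/postgresql";`, which requires the Postgres role name to equal the service user `pocket-id`. Separately, nginx proxies to `[::1]:1411` but nothing in this file pins the listener to loopback; if the module's `HOST` default is not a loopback address, add `HOST = "::1";` to `settings` so the plain-HTTP port is not reachable from other hosts.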
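Review bot: the new `ensureUsers` entry creates role `pocketid` and hands it the `pocketid` database but sets no password, so the password-based TCP login the service is configured with (`pocketid:pocketid@localhost:5432`) must be provisioned by something outside this patch — or it only works because `pg_hba` trusts localhost, which is worth verifying before relying on it. A cleaner path is peer authentication over the Unix socket: name the role after the service's system user (`name = "pocket-id";`, and `ensureDBOwnership` then requires the database to carry the same name) and point the service at `/run/postgresql`, so no database password exists at all. The enclosing `services.postgresql` block starts before this hunk.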
@@ -554,16 +554,16 @@
 },
 "nixpkgs_8": {
 "locked": {
- "lastModified": 1757345582,
- "narHash": "sha256-HnJYHM9zCVV5Avil6/IPw1m1s2vLd+fmFN7VR/UkidA=",
+ "lastModified": 1767370960,
+ "narHash": "sha256-tfhuZkpzWMh/db2rwy0Ehr+57YMO3chFPkFE/n0/yNM=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "49a25608bff9b2add8edcee8ff92dda38909e671",
+ "rev": "cd49ffafb0e185a0e29cdeacc8aa0391d9a1b669",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "release-25.05",
+ "ref": "release-25.11",
 "repo": "nixpkgs",
 "type": "github"
 }
diff --git a/flake.nix b/flake.nix
index 1faa0ea..263cbb6 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,7 +1,7 @@
 {
 description = "jana's server infrastructure";
 inputs = {
- nixpkgs.url = "github:NixOS/nixpkgs/release-25.05";
+ nixpkgs.url = "github:NixOS/nixpkgs/release-25.11";
 colmena.url = "github:zhaofengli/colmena";
 flake-utils.url = "github:numtide/flake-utils";
 sops-nix.url = "github:Mic92/sops-nix";
diff --git a/secrets/pocketid.env b/secrets/pocketid.env
new file mode 100644
index 0000000..a2d115b
--- /dev/null
+++ b/secrets/pocketid.env 
@@ -0,0 +1,8 @@
+SMTP_PASSWORD=ENC[AES256_GCM,data:xVA5h25ta5L0rEftlTfswLQJ,iv:NdWqVkJZ7dbJUc3b0S9pXiYoBrUQ1Gm26rIbzDI4C9Y=,tag:IHaXCVqXERjxESWr0Q1EvA==,type:str]
+ENCRYPTION_KEY=ENC[AES256_GCM,data:6ck4ahREjIAUJ0lyBjiuBLZ7sB2vRsXffo4+Lasmy+E6KyN/ocAJV6cPYDc=,iv:UWRQ5Vp+T/KQSTsPrpTYORP53YEQm0Y8h3hEvvMNPQI=,tag:yfdD3CLho3dAzg/3GeSkdQ==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAva0JNT0hMQjRiTUJGV1J1\ndEM5SUw1RVE4bEtWVGgzUzBvUThKVlJXcHh3CjhiSnZoa2Y0MENXVTRXdHNtT1gx\nQUJTNXpLdEVyckRuZ0xQMGpIYzNEWmMKLS0tIFVwZFF6ZFBwOHBUUzQzZVhYY2NL\nMmVoSktZaXhVckczU0pWalFBZG5GVnMKYBQt9/1t67+ATCG0Eg68uAPE24kuhe+9\nbfHEFgqOTAjEZh2tKvdfBwhEU7GzHJtYhHi70v2it9DJahzNwlz7ig==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw
+sops_lastmodified=2026-01-02T21:16:54Z
+sops_mac=ENC[AES256_GCM,data:IJLLTzV+AOgHvmzBKM/JC++p6lXWFmTpP9PtDidbJy3c0Tt+0kP/3ilarmqcHaM45fzb61jntBoZAVVU5MAjZpQzDJWw8gh6f14N+vqMlqWbekfvd3m9ouSoxp8NM+4i3E8OQF3GVbrghCsQ21O0a91FnM7wx0xLprI1NU+kNK4=,iv:1ckQb2b0oyVc09phBobn+YBw/E4fUzsxOiU1Cs35Hzo=,tag:IRKzh4WkXU/RARxie7qlFQ==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0
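Review bot: the file is encrypted to exactly one age recipient (`sops_age__list_0__map_recipient`, no `list_1`), so a single key is the only thing that can ever decrypt it; if that is the operator's key the host cannot decrypt it at activation, and if it is the host's key the secrets cannot be re-edited or rotated without access to that machine. Confirm that `.sops.yaml` lists both the host key and at least one operator key for `secrets/*.env`, and if it does, re-run `sops updatekeys secrets/pocketid.env` so the recipient list matches.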