
Jana Dönszelmann 2025-08-20 11:41:30 +02:00
parent 4bbb51ef42
commit c0870ccac3
No known key found for this signature in database
12 changed files with 113 additions and 91 deletions


@ -1,6 +1,11 @@
on: [push]
on:
push:
branches:
- master
jobs:
test:
runs-on: docker
build:
runs-on: nixos-latest
steps:
- run: echo All good!
- uses: actions/checkout@v4
- run: nix develop
- run: colmena build -v --on @fili
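Review bot: The `- run: nix develop` step does not carry over into the following step — each `run` is its own shell, and `nix develop` with no command only starts a shell that exits once the runner's stdin is closed — so `colmena build -v --on @fili` runs in the bare runner environment rather than in the flake's dev shell, and will fail if colmena is not installed there. Fold the two into one step, `- run: nix develop --command colmena build -v --on @fili`, so the build actually uses the dev shell's tools. `actions/checkout@v4` is a mutable tag resolved from GitHub (the Forgejo settings in this same commit set `DEFAULT_ACTIONS_URL = "github"`); pinning it to the full commit SHA, with the version in a trailing comment, keeps a moved tag from changing what runs against this repository. The file header of this section is not visible in this view.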

7
.github/workflows/lint.yml vendored Normal file

@ -0,0 +1,7 @@
on: [push]
jobs:
lint:
runs-on: nixos-latest
steps:
- uses: actions/checkout@v4
- run: nix fmt -- --check .
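Review bot: `- uses: actions/checkout@v4` pins the action to a mutable tag; because this instance resolves actions from GitHub (the Forgejo settings in this commit set `DEFAULT_ACTIONS_URL = "github"`), whoever controls that tag controls code that runs with a checkout of this repository on every push. Pin it to the full commit SHA of the release and keep the version as a comment, e.g. `- uses: actions/checkout@<full-commit-sha> # v4`, and do the same in the build workflow. A one-line header comment such as `# Formatting gate: fails the push if nix fmt would change any file` would also make the job's purpose obvious to the next reader.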


@ -16,7 +16,6 @@ _: {
networkmanager.enable = true;
};
nix.settings = {
# users that can interact with nix
trusted-users = [


@ -1,4 +1,5 @@
{ baseUrl, clientId }: {
{ baseUrl, clientId }:
{
inherit clientId;
userAuthUrl = "${baseUrl}/ui/oauth2";


@ -1,9 +1,11 @@
{pkgs, config, ...}: let
{ pkgs, config, ... }:
let
lib = pkgs.lib;
domain = "auth.donsz.nl";
port = 3013;
backupsDir = "/var/lib/kanidm/backup";
in {
in
{
services.kanidm.enableServer = true;
services.kanidm.package = pkgs.kanidm_1_6;
services.kanidm.serverSettings = {
@ -26,12 +28,11 @@ in {
mkdir -p "${backupsDir}"
'';
serviceConfig = {
SupplementaryGroups =
[ config.security.acme.certs.${domain}.group ];
SupplementaryGroups = [ config.security.acme.certs.${domain}.group ];
};
};
environment.systemPackages = [pkgs.kanidm];
environment.systemPackages = [ pkgs.kanidm ];
services.nginx.virtualHosts.${domain} = {
forceSSL = true;


@ -1,45 +1,50 @@
{pkgs, config, ...}: {
{ pkgs, config, ... }:
{
sops.secrets.oauth2-proxy = {
sopsFile = ../../../secrets/oauth2-proxy.env;
};
services.oauth2-proxy =
let
auth = import ../../lib/auth.nix { baseUrl = "https://auth.donsz.nl"; clientId = "homeserver"; };
in {
enable = true;
auth = import ../../lib/auth.nix {
baseUrl = "https://auth.donsz.nl";
clientId = "homeserver";
};
in
{
enable = true;
provider = "oidc";
clientID = "${auth.clientId}";
oidcIssuerUrl = auth.oidcIssuerUri;
provider = "oidc";
clientID = "${auth.clientId}";
oidcIssuerUrl = auth.oidcIssuerUri;
proxyPrefix = "/oauth2";
reverseProxy = true;
proxyPrefix = "/oauth2";
reverseProxy = true;
keyFile = config.sops.secrets.oauth2-proxy.path;
keyFile = config.sops.secrets.oauth2-proxy.path;
loginURL = auth.apiAuthUrl;
redeemURL = auth.tokenUrl;
validateURL = auth.rfc7662TokenIntrospectionUrl;
profileURL = auth.oidcUserInfo;
loginURL = auth.apiAuthUrl;
redeemURL = auth.tokenUrl;
validateURL = auth.rfc7662TokenIntrospectionUrl;
profileURL = auth.oidcUserInfo;
scope = "openid profile email";
scope = "openid profile email";
email.domains = [ "*" ];
email.domains = [ "*" ];
cookie = {
domain = "donsz.nl";
refresh = "1h";
secure = true;
cookie = {
domain = "donsz.nl";
refresh = "1h";
secure = true;
};
extraConfig = {
whitelist-domain = [ "*.donsz.nl" ];
};
nginx.domain = "oauth2.donsz.nl";
};
extraConfig = {
whitelist-domain = ["*.donsz.nl"];
};
nginx.domain = "oauth2.donsz.nl";
};
services.nginx.virtualHosts."oauth2.donsz.nl" = {
forceSSL = true;
http2 = true;


@ -1,4 +1,9 @@
{ lib, pkgs, config, ... }:
{
lib,
pkgs,
config,
...
}:
let
cfg = config.services.forgejo;
srv = cfg.settings.server;
@ -6,7 +11,7 @@ in
{
sops.secrets.forgejo = {
sopsFile = ../../secrets/forgejo.yaml;
key="email_password";
key = "email_password";
format = "yaml";
};
@ -33,7 +38,7 @@ in
lfs.enable = true;
user = "forgejo";
group = "forgejo";
repositoryRoot="/storage/storage/git";
repositoryRoot = "/storage/storage/git";
database = {
type = "postgres";
@ -43,8 +48,8 @@ in
settings = {
DEFAULT = {
APP_NAME="jana's git server";
APP_SLOGAN="meow!";
APP_NAME = "jana's git server";
APP_SLOGAN = "meow!";
};
server = {
DOMAIN = "git.donsz.nl";
@ -62,7 +67,7 @@ in
DEFAULT_ACTIONS_URL = "github";
};
repository = {
DEFAULT_PRIVATE="private";
DEFAULT_PRIVATE = "private";
};
mailer = {
ENABLED = true;
@ -83,10 +88,9 @@ in
token = "SutcrCJ3ULoE5LBj9Tm8zkvTRDEJCpbvpe7FEJHC";
url = "https://git.donsz.nl/";
labels = [
"node-22:docker://node:22-bookworm"
"nixos-latest:docker://nixos/nix"
];
settings = {};
settings = { };
};
};
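Review bot: The context line `token = "SutcrCJ3ULoE5LBj9Tm8zkvTRDEJCpbvpe7FEJHC"` keeps what looks like the actions-runner registration token in plaintext in the Nix configuration, which this commit reformats around but leaves in place; anything evaluated into a NixOS configuration lands in the world-readable Nix store, and the value is now also part of git history. This file already routes secrets through sops-nix (`sops.secrets.forgejo` in the first hunk of this section), so the token belongs there as well: declare a second sops secret and reference its path, e.g. `tokenFile = config.sops.secrets.forgejo-runner-token.path;` in place of the `token = "…"` line — the gitea-actions-runner module accepts a `tokenFile` option as far as I recall, please confirm against the module. The token should be rotated in Forgejo regardless, since removing it from the file does not remove it from history. The enclosing runner-instance definition starts before this hunk.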


@ -1,4 +1,5 @@
{pkgs, config, ...}: {
{ pkgs, config, ... }:
{
services.nginx = {
enable = true;
statusPage = true;


@ -1,4 +1,5 @@
{flakes, pkgs, ...}: {
{ flakes, pkgs, ... }:
{
services.nginx = {
virtualHosts."donsz.nl" = {
forceSSL = true;


@ -1,4 +1,5 @@
{flakes,...}: {
{ flakes, ... }:
{
# imports = [
# flakes.mapf.nixosModules.default
# ];


@ -1,8 +1,6 @@
{ flakes, pkgs,... }:
{ flakes, pkgs, ... }:
let
totpal =
flakes.totpal.packages.${pkgs.system}.default
;
totpal = flakes.totpal.packages.${pkgs.system}.default;
in
{
services.nginx = {
@ -17,12 +15,11 @@ in
};
};
systemd.services.totpal =
{
description = "totpal";
serviceConfig = {
Type = "simple";
ExecStart = "${totpal}/bin/totpal";
};
systemd.services.totpal = {
description = "totpal";
serviceConfig = {
Type = "simple";
ExecStart = "${totpal}/bin/totpal";
};
};
}
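Review bot: The reformatted `systemd.services.totpal` unit still has no `User`/`DynamicUser` and no sandboxing options in `serviceConfig`, so the totpal process runs as root on the host; nothing visible here suggests it needs that. Adding `DynamicUser = true;` next to `Type = "simple";` gives it an unprivileged throwaway user, and `ProtectSystem = "strict";` plus `PrivateTmp = true;` would be the usual next step — confirm totpal does not write outside a state directory before enabling them. A one-line comment above the unit saying what totpal serves (the nginx block earlier in this file appears to front it) would help, since the description is only `"totpal"`.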


@ -17,43 +17,43 @@
};
users.extraUsers.jonathan = {
isNormalUser = true;
shell = pkgs.fish;
openssh.authorizedKeys.keys = [
# ori (lenovo laptop/desktop)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIET69oniNUA2nJV5+GxQ6XuK+vQbO8Uhtgrp1TrmiXVi jana@ori"
isNormalUser = true;
shell = pkgs.fish;
openssh.authorizedKeys.keys = [
# ori (lenovo laptop/desktop)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIET69oniNUA2nJV5+GxQ6XuK+vQbO8Uhtgrp1TrmiXVi jana@ori"
# bastion (arch server)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJT6QJcxhUKjvHBv3Bd1rugyfAFUpxIe9cu1Frw3ylL jana@bastion"
# bastion (arch server)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJT6QJcxhUKjvHBv3Bd1rugyfAFUpxIe9cu1Frw3ylL jana@bastion"
# fili (server)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0pmCsQeMMJ0r3o/XN7Zw8YFa9OEqrL3ikoGTK0OUY6 jana@fili"
# fili (server)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0pmCsQeMMJ0r3o/XN7Zw8YFa9OEqrL3ikoGTK0OUY6 jana@fili"
# kili (tudelft laptop)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAXOTU6E06zjK/zkzlSPhTG35PoNRYgTCStEPUYyjeE jana@kili"
# kili (tudelft laptop)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAXOTU6E06zjK/zkzlSPhTG35PoNRYgTCStEPUYyjeE jana@kili"
# nori hp tudelft laptop
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSCuEu1kFg8mAgpOuYZ/IH2Ur7LQP7sQrDjcPmerkSx jana@nori"
# nori hp tudelft laptop
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSCuEu1kFg8mAgpOuYZ/IH2Ur7LQP7sQrDjcPmerkSx jana@nori"
# oneplus 5 phone
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTqoHEVYxD+mwmZhPj+1+i1P0XmgTxXgSnPdPwFT1vr u0_a484@localhost"
# oneplus 5 phone
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTqoHEVYxD+mwmZhPj+1+i1P0XmgTxXgSnPdPwFT1vr u0_a484@localhost"
# git deploy key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgadaDrViJp0Z6fbLBAo9grkmCeNQliIPXe12l3X3i/ jana@deploy"
];
# Make me admin
extraGroups = [
"systemd-journal"
"wheel"
"networkmanager"
"libvirtd"
"dialout"
"storage"
"syncthing"
"jellyfin"
"media"
];
};
# git deploy key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgadaDrViJp0Z6fbLBAo9grkmCeNQliIPXe12l3X3i/ jana@deploy"
];
# Make me admin
extraGroups = [
"systemd-journal"
"wheel"
"networkmanager"
"libvirtd"
"dialout"
"storage"
"syncthing"
"jellyfin"
"media"
];
};
users.extraUsers.jana = {
isNormalUser = true;