update flake and more pocketid

2026-01-03 02:00:21 +01:00 · 2026-01-03 02:00:21 +01:00 · c40e6e3255
commit c40e6e3255
parent a3289c777e
10 changed files with 29 additions and 72 deletions
--- a/fili/services/auth/default.nix
+++ b/fili/services/auth/default.nix
@ -1,8 +1,6 @@
 _: {
  imports = [
-    ./kanidm.nix
    ./oauth2-proxy.nix
-
    ./pocketid.nix
  ];
 }
--- a/fili/services/auth/kanidm.nix
+++ b/fili/services/auth/kanidm.nix
@ -1,46 +0,0 @@
-{ pkgs, config, ... }:
-let
-  lib = pkgs.lib;
-  domain = "auth.donsz.nl";
-  port = 3013;
-  backupsDir = "/var/lib/kanidm/backup";
-in
-{
-  services.kanidm.enableServer = true;
-  services.kanidm.package = pkgs.kanidm_1_6;
-  services.kanidm.serverSettings = {
-    tls_chain = "/var/lib/acme/${domain}/fullchain.pem";
-    tls_key = "/var/lib/acme/${domain}/key.pem";
-    bindaddress = "[::1]:${toString port}";
-    ldapbindaddress = "[::1]:3636";
-    inherit domain;
-    origin = "https://${domain}";
-    trust_x_forward_for = true;
-
-    online_backup = {
-      path = backupsDir;
-      schedule = "0 0 * * *";
-    };
-  };
-
-  systemd.services.kanidm = {
-    preStart = lib.mkBefore ''
-      mkdir -p "${backupsDir}"
-    '';
-    serviceConfig = {
-      SupplementaryGroups = [ config.security.acme.certs.${domain}.group ];
-    };
-  };
-
-  environment.systemPackages = [ pkgs.kanidm ];
-
-  services.nginx.virtualHosts.${domain} = {
-    forceSSL = true;
-    http2 = true;
-    enableACME = true;
-
-    locations."/" = {
-      proxyPass = "https://[::1]:${toString port}";
-    };
-  };
-}
--- a/fili/services/auth/pocketid.nix
+++ b/fili/services/auth/pocketid.nix
@ -5,7 +5,7 @@
    sopsFile = ../../../secrets/pocketid.env;
  };

-  services.nginx.virtualHosts."auth2.donsz.nl" = {
+  services.nginx.virtualHosts."auth.donsz.nl" = {
    forceSSL = true;
    enableACME = true;
    extraConfig = ''
@ -24,8 +24,9 @@
      PORT = 1411;

      TRUST_PROXY = true;
-      APP_URL = "https://auth2.donsz.nl";
-      ALLOW_USER_SIGNUPS = "disabled";
+      APP_URL = "https://auth.donsz.nl";
+      ALLOW_USER_SIGNUPS = "withToken";
+
      UI_CONFIG_DISABLED = true;
      ALLOW_OWN_ACCOUNT_EDIT = true;
      DB_PROVIDER = "postgres";
@ -47,6 +48,10 @@
      EMAIL_LOGIN_NOTIFICATION_ENABLED = true;
      EMAIL_API_KEY_EXPIRATION_ENABLED = true;
      EMAIL_ONE_TIME_ACCESS_AS_ADMIN_ENABLED = true;
+
+      ACCENT_COLOR = "#c66995";
+
+      LOG_LEVEL = "debug";
    };
  };
 }
--- a/fili/services/forgejo.nix
+++ b/fili/services/forgejo.nix
@ -64,8 +64,9 @@ in
        HTTP_PORT = 13121;
      };
      service = {
-        DISABLE_REGISTRATION = true;
+        DISABLE_REGISTRATION = false;
        ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+
        SHOW_REGISTRATION_BUTTON = false;
        ENABLE_PASSWORD_SIGNIN_FORM = false;
      };
--- a/fili/services/media/jellyfin.nix
+++ b/fili/services/media/jellyfin.nix
@ -126,7 +126,7 @@ in
    extraPackages = with pkgs; [
      intel-ocl
      intel-media-driver
-      intel-media-sdk
+      # intel-media-sdk
    ];
  };

--- a/fili/services/nginx.nix
+++ b/fili/services/nginx.nix
@ -19,5 +19,4 @@

  security.acme.defaults.email = "jana@donsz.nl";
  security.acme.acceptTerms = true;
-  security.acme.preliminarySelfsigned = true;
 }