From bc9e9f02eb757bfd24acbfee7bac954d9beca99a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jana=20D=C3=B6nszelmann?=
Date: Wed, 20 Aug 2025 11:41:30 +0200
Subject: [PATCH] retry

---
 .github/workflows/deploy.yml | 13 ++++--
 .github/workflows/lint.yml | 7 ++++
 fili/configuration.nix | 1 -
 fili/lib/auth.nix | 3 +-
 fili/services/auth/kanidm.nix | 11 ++---
 fili/services/auth/oauth2-proxy.nix | 59 ++++++++++++++-------------
 fili/services/forgejo.nix | 54 ++++++++++++++++++++-----
 fili/services/nginx.nix | 3 +-
 fili/services/websites/homepage.nix | 3 +-
 fili/services/websites/mapf.nix | 3 +-
 fili/services/websites/totpal.nix | 19 ++++-----
 secrets/forgejo-runner.yaml | 16 ++++++++
 users/users.nix | 62 ++++++++++++++---------------
 13 files changed, 161 insertions(+), 93 deletions(-)
 create mode 100644 .github/workflows/lint.yml
 create mode 100644 secrets/forgejo-runner.yaml

diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index efdc13f..1686423 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,6 +1,11 @@
-on: [push]
+on:
+ push:
+ branches:
+ - main
 jobs:
- test:
- runs-on: docker
+ build:
+ runs-on: nixos-latest
 steps:
- - run: echo All good!
+ - uses: actions/checkout@v4
+ - run: nix develop
+ - run: colmena build -v --on @fili
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..2600013
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,7 @@
+on: [push]
+jobs:
+ lint:
+ runs-on: nixos-latest
+ steps:
+ - uses: actions/checkout@v4
+ - run: nix fmt -- --check .
diff --git a/fili/configuration.nix b/fili/configuration.nix
index a0559d4..0b41d94 100644
--- a/fili/configuration.nix
+++ b/fili/configuration.nix
@@ -16,7 +16,6 @@ _: {
 networkmanager.enable = true;
 };

-
 nix.settings = {
 # users that can interact with nix
 trusted-users = [
diff --git a/fili/lib/auth.nix b/fili/lib/auth.nix
index 7a58668..f277d2e 100644
--- a/fili/lib/auth.nix
+++ b/fili/lib/auth.nix
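Review bot: `- run: nix develop` as a step of its own has no effect on the step after it, because every `run:` step is a fresh shell, so `colmena` is resolved from the runner's own PATH rather than from the dev shell; if colmena comes from the flake's devShell, the two steps should be a single `- run: nix develop -c colmena build -v --on @fili`. This workflow and the new `lint.yml` both reference `actions/checkout@v4` by a movable tag; pinning to the release's full commit SHA keeps the fetched action content fixed. The job is called `build` and only runs `colmena build`, so the file named `deploy.yml` does not deploy anything yet; either the name or a later apply step should make the intent explicit.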
@@ -1,4 +1,5 @@
-{ baseUrl, clientId }: {
+{ baseUrl, clientId }:
+{
 inherit clientId;
 userAuthUrl = "${baseUrl}/ui/oauth2";

diff --git a/fili/services/auth/kanidm.nix b/fili/services/auth/kanidm.nix
index afb828d..9e023e1 100644
--- a/fili/services/auth/kanidm.nix
+++ b/fili/services/auth/kanidm.nix
@@ -1,9 +1,11 @@
-{pkgs, config, ...}: let
+{ pkgs, config, ... }:
+let
 lib = pkgs.lib;
 domain = "auth.donsz.nl";
 port = 3013;
 backupsDir = "/var/lib/kanidm/backup";
-in {
+in
+{
 services.kanidm.enableServer = true;
 services.kanidm.package = pkgs.kanidm_1_6;
 services.kanidm.serverSettings = {
@@ -26,12 +28,11 @@ in {
 mkdir -p "${backupsDir}"
 '';
 serviceConfig = {
- SupplementaryGroups =
- [ config.security.acme.certs.${domain}.group ];
+ SupplementaryGroups = [ config.security.acme.certs.${domain}.group ];
 };
 };

- environment.systemPackages = [pkgs.kanidm];
+ environment.systemPackages = [ pkgs.kanidm ];

 services.nginx.virtualHosts.${domain} = {
 forceSSL = true;
diff --git a/fili/services/auth/oauth2-proxy.nix b/fili/services/auth/oauth2-proxy.nix
index 20cfa28..ec19873 100644
--- a/fili/services/auth/oauth2-proxy.nix
+++ b/fili/services/auth/oauth2-proxy.nix
@@ -1,45 +1,50 @@
-{pkgs, config, ...}: {
+{ pkgs, config, ... }:
+{
 sops.secrets.oauth2-proxy = {
 sopsFile = ../../../secrets/oauth2-proxy.env;
 };

 services.oauth2-proxy =
 let
- auth = import ../../lib/auth.nix { baseUrl = "https://auth.donsz.nl"; clientId = "homeserver"; };
- in {
- enable = true;
+ auth = import ../../lib/auth.nix {
+ baseUrl = "https://auth.donsz.nl";
+ clientId = "homeserver";
+ };
+ in
+ {
+ enable = true;

- provider = "oidc";
- clientID = "${auth.clientId}";
- oidcIssuerUrl = auth.oidcIssuerUri;
+ provider = "oidc";
+ clientID = "${auth.clientId}";
+ oidcIssuerUrl = auth.oidcIssuerUri;

- proxyPrefix = "/oauth2";
- reverseProxy = true;
+ proxyPrefix = "/oauth2";
+ reverseProxy = true;

- keyFile = config.sops.secrets.oauth2-proxy.path;
+ keyFile = config.sops.secrets.oauth2-proxy.path;

- loginURL = auth.apiAuthUrl;
- redeemURL = auth.tokenUrl;
- validateURL = auth.rfc7662TokenIntrospectionUrl;
- profileURL = auth.oidcUserInfo;
+ loginURL = auth.apiAuthUrl;
+ redeemURL = auth.tokenUrl;
+ validateURL = auth.rfc7662TokenIntrospectionUrl;
+ profileURL = auth.oidcUserInfo;

- scope = "openid profile email";
+ scope = "openid profile email";

- email.domains = [ "*" ];
+ email.domains = [ "*" ];

- cookie = {
- domain = "donsz.nl";
- refresh = "1h";
- secure = true;
+ cookie = {
+ domain = "donsz.nl";
+ refresh = "1h";
+ secure = true;
+ };
+
+ extraConfig = {
+ whitelist-domain = [ "*.donsz.nl" ];
+ };
+
+ nginx.domain = "oauth2.donsz.nl";
 };

- extraConfig = {
- whitelist-domain = ["*.donsz.nl"];
- };
-
- nginx.domain = "oauth2.donsz.nl";
- };
-
 services.nginx.virtualHosts."oauth2.donsz.nl" = {
 forceSSL = true;
 http2 = true;
diff --git a/fili/services/forgejo.nix b/fili/services/forgejo.nix
index a9422b1..c73f83a 100644
--- a/fili/services/forgejo.nix
+++ b/fili/services/forgejo.nix
@@ -1,4 +1,9 @@
-{ lib, pkgs, config, ... }:
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}:
 let
 cfg = config.services.forgejo;
 srv = cfg.settings.server;
@@ -6,7 +11,7 @@ in
 {
 sops.secrets.forgejo = {
 sopsFile = ../../secrets/forgejo.yaml;
- key="email_password";
+ key = "email_password";
 format = "yaml";
 };

@@ -33,7 +38,7 @@ in
 lfs.enable = true;
 user = "forgejo";
 group = "forgejo";
- repositoryRoot="/storage/storage/git";
+ repositoryRoot = "/storage/storage/git";

 database = {
 type = "postgres";
@@ -43,8 +48,8 @@ in

 settings = {
 DEFAULT = {
- APP_NAME="jana's git server";
- APP_SLOGAN="meow!";
+ APP_NAME = "jana's git server";
+ APP_SLOGAN = "meow!";
 };
 server = {
 DOMAIN = "git.donsz.nl";
@@ -62,7 +67,7 @@ in
 DEFAULT_ACTIONS_URL = "github";
 };
 repository = {
- DEFAULT_PRIVATE="private";
+ DEFAULT_PRIVATE = "private";
 };
 mailer = {
 ENABLED = true;
@@ -74,19 +79,48 @@ in
 mailerPasswordFile = config.sops.secrets.forgejo.path;
 };

+ users.groups.forgejo-runner = { };
+ users.users.forgejo-runner = {
+ isSystemUser = true;
+ group = "forgejo-runner";
+ };
+
+ sops.secrets.forgejo-runner = {
+ sopsFile = ../../secrets/forgejo-runner.yaml;
+ format = "yaml";
+ key = "token";
+ };
+
 services.gitea-actions-runner = {
 package = pkgs.forgejo-runner;
 instances.fili = {
 enable = true;
 name = "forgejo-runner-01";
- token = "SutcrCJ3ULoE5LBj9Tm8zkvTRDEJCpbvpe7FEJHC";
+ tokenFile = config.sops.secrets.forgejo-runner.path;
 url = "https://git.donsz.nl/";
 labels = [
- "node-22:docker://node:22-bookworm"
- "nixos-latest:docker://nixos/nix"
+ "nix:host"
+ "docker:docker://node:16-bullseye"
+ "ubuntu-latest:docker://node:16-bullseye"
+ ];
+ settings = { };
+
+ hostPackages = with pkgs; [
+ # default ones
+ bash
+ coreutils
+ curl
+ gawk
+ gitMinimal
+ gnused
+ nodejs
+ wget
+
+ # used in deployments
+ lix
+ openssh
 ];
- settings = {};
 };
 };

diff --git a/fili/services/nginx.nix b/fili/services/nginx.nix
index e1e9279..e58c7b6 100644
--- a/fili/services/nginx.nix
+++ b/fili/services/nginx.nix
@@ -1,4 +1,5 @@
-{pkgs, config, ...}: {
+{ pkgs, config, ... }:
+{
 services.nginx = {
 enable = true;
 statusPage = true;
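Review bot: The plaintext runner `token` removed in the last hunk is still recoverable from git history, so moving it into sops does not retire it; generate a new registration token in Forgejo, re-register the runner with it, and treat the old value as exposed. The labels now declared are `nix`, `docker` and `ubuntu-latest`, yet `.github/workflows/deploy.yml` and `lint.yml` in this same commit use `runs-on: nixos-latest`, so unless another runner advertises that label those jobs will never be scheduled. `nix:host` executes job steps directly on fili as the new `forgejo-runner` user with `lix` and `openssh` available, which makes push access to any repository this runner serves equivalent to code execution on the host; a comment above `labels` such as `# "nix:host" runs jobs on fili itself as forgejo-runner; only trusted repositories should be allowed to use it` would record that boundary, and restricting the runner to the repositories that need it would enforce it. `node:16-bullseye` is past upstream end-of-life; the `node:22-bookworm` image this hunk drops was the more current choice.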
diff --git a/fili/services/websites/homepage.nix b/fili/services/websites/homepage.nix
index 0a66c3e..3de7867 100644
--- a/fili/services/websites/homepage.nix
+++ b/fili/services/websites/homepage.nix
@@ -1,4 +1,5 @@
-{flakes, pkgs, ...}: {
+{ flakes, pkgs, ... }:
+{
 services.nginx = {
 virtualHosts."donsz.nl" = {
 forceSSL = true;
diff --git a/fili/services/websites/mapf.nix b/fili/services/websites/mapf.nix
index 00a6844..5fb3a7c 100644
--- a/fili/services/websites/mapf.nix
+++ b/fili/services/websites/mapf.nix
@@ -1,4 +1,5 @@
-{flakes,...}: {
+{ flakes, ... }:
+{
 # imports = [
 # flakes.mapf.nixosModules.default
 # ];
diff --git a/fili/services/websites/totpal.nix b/fili/services/websites/totpal.nix
index 85d3043..74e5560 100644
--- a/fili/services/websites/totpal.nix
+++ b/fili/services/websites/totpal.nix
@@ -1,8 +1,6 @@
-{ flakes, pkgs,... }:
+{ flakes, pkgs, ... }:
 let
- totpal =
- flakes.totpal.packages.${pkgs.system}.default
- ;
+ totpal = flakes.totpal.packages.${pkgs.system}.default;
 in
 {
 services.nginx = {
@@ -17,12 +15,11 @@ in
 };
 };

- systemd.services.totpal =
- {
- description = "totpal";
- serviceConfig = {
- Type = "simple";
- ExecStart = "${totpal}/bin/totpal";
- };
+ systemd.services.totpal = {
+ description = "totpal";
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${totpal}/bin/totpal";
 };
+ };
 }
diff --git a/secrets/forgejo-runner.yaml b/secrets/forgejo-runner.yaml
new file mode 100644
index 0000000..0b886ae
--- /dev/null
+++ b/secrets/forgejo-runner.yaml
@@ -0,0 +1,16 @@
+token: ENC[AES256_GCM,data:QKJOB1yt7GJgJ4YIpptcMywGHFzF7FbZ86Yj587jgTO1elalkJG5Tg==,iv:F5/7z0KMAKnAfz9GU8csNcKavmaP8kI67bdrBNJcSso=,tag:ztDHSDO80NGqfZ9h+F5s5g==,type:str]
+sops:
+ age:
+ - recipient: age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTEkxK1VPRTNJSE92YWpO
+ NFJ0cUxHZW9RekFJbEVjcEdFVUJvWWJERUUwClBvU3dhQ29mNXpTQlVFZDg1dHNT
+ NFptZ3ZXWlZvZ3psMWI1d0twQUg5aVUKLS0tIG9sU0NGSUY5ek1ZK1plZDJMcHlj
+ UG03bnlmb0xLNmRvVjczRnMwVUtMQkEK9wRT5YByZf1Fj6eYHmiHQJpbcH+al3yA
+ PC0SiWgl2yNWkonrzoa97ehL64ugdH+HfJboKNGvViiHdIElnHZwrQ==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-08-20T09:53:17Z"
+ mac: ENC[AES256_GCM,data:L1wpGzIbHWV/3uv3Xspnxv7QU+WPB7X7DCAKtDXXp6+l81oYQjkj0LXu792dj1IDYuezE6IW4GUb5ptuBiLHRlPrY/TaTCRnkiMfXYjwoOAhoAYufHhUnGsSH3M/YOnLrN3fi1m2yhHBJwUFFDfoqN/5RTzCn4wbEgXg4t4hsQA=,iv:nsqyQthQm5mi5/5LPV8nwACeij48GAdX0Q0nsnYJYYg=,tag:k7q2COG5AYGQCJ9ly5y5AA==,type:str]
+ unencrypted_suffix: _unencrypted
+ version: 3.10.2
diff --git a/users/users.nix b/users/users.nix
index d78880e..4dffaba 100644
--- a/users/users.nix
+++ b/users/users.nix
@@ -17,43 +17,43 @@
 };
 users.extraUsers.jonathan = {
- isNormalUser = true;
- shell = pkgs.fish;
- openssh.authorizedKeys.keys = [
- # ori (lenovo laptop/desktop)
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIET69oniNUA2nJV5+GxQ6XuK+vQbO8Uhtgrp1TrmiXVi jana@ori"
+ isNormalUser = true;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [
+ # ori (lenovo laptop/desktop)
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIET69oniNUA2nJV5+GxQ6XuK+vQbO8Uhtgrp1TrmiXVi jana@ori"

- # bastion (arch server)
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJT6QJcxhUKjvHBv3Bd1rugyfAFUpxIe9cu1Frw3ylL jana@bastion"
+ # bastion (arch server)
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJT6QJcxhUKjvHBv3Bd1rugyfAFUpxIe9cu1Frw3ylL jana@bastion"

- # fili (server)
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0pmCsQeMMJ0r3o/XN7Zw8YFa9OEqrL3ikoGTK0OUY6 jana@fili"
+ # fili (server)
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0pmCsQeMMJ0r3o/XN7Zw8YFa9OEqrL3ikoGTK0OUY6 jana@fili"

- # kili (tudelft laptop)
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAXOTU6E06zjK/zkzlSPhTG35PoNRYgTCStEPUYyjeE jana@kili"
+ # kili (tudelft laptop)
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAXOTU6E06zjK/zkzlSPhTG35PoNRYgTCStEPUYyjeE jana@kili"

- # nori hp tudelft laptop
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSCuEu1kFg8mAgpOuYZ/IH2Ur7LQP7sQrDjcPmerkSx jana@nori"
+ # nori hp tudelft laptop
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSCuEu1kFg8mAgpOuYZ/IH2Ur7LQP7sQrDjcPmerkSx jana@nori"

- # oneplus 5 phone
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTqoHEVYxD+mwmZhPj+1+i1P0XmgTxXgSnPdPwFT1vr u0_a484@localhost"
+ # oneplus 5 phone
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTqoHEVYxD+mwmZhPj+1+i1P0XmgTxXgSnPdPwFT1vr u0_a484@localhost"

- # git deploy key
- "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAICgadaDrViJp0Z6fbLBAo9grkmCeNQliIPXe12l3X3i/ jana@deploy"
- ];
- # Make me admin
- extraGroups = [
- "systemd-journal"
- "wheel"
- "networkmanager"
- "libvirtd"
- "dialout"
- "storage"
- "syncthing"
- "jellyfin"
- "media"
- ];
- };
+ # git deploy key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgadaDrViJp0Z6fbLBAo9grkmCeNQliIPXe12l3X3i/ jana@deploy"
+ ];
+ # Make me admin
+ extraGroups = [
+ "systemd-journal"
+ "wheel"
+ "networkmanager"
+ "libvirtd"
+ "dialout"
+ "storage"
+ "syncthing"
+ "jellyfin"
+ "media"
+ ];
+ };

 users.extraUsers.jana = {
 isNormalUser = true;