jana/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: jana:526d91e10ddf6f108b095ba180511c4166e954ff
Branches Tags
jana:main
jana:workflows
...
compare: jana:bc9e9f02eb757bfd24acbfee7bac954d9beca99a
Branches Tags
jana:main
jana:workflows

1 commit
526d91e10d ... bc9e9f02eb

Author SHA1 Message Date
Jana Dönszelmann
bc9e9f02eb
retry
Some checks are pending
/ lint (push) Waiting to run
Details
2025-08-20 11:57:58 +02:00
13 changed files with 161 additions and 93 deletions
Download patch file Download diff file Expand all files Collapse all files

13
.github/workflows/deploy.yml vendored
View file

@ -1,6 +1,11 @@
on: [push] on:
push:
branches:
- main
jobs: jobs:
test: build:
runs-on: docker runs-on: nixos-latest
steps: steps:
- run: echo All good! - uses: actions/checkout@v4
- run: nix develop
- run: colmena build -v --on @fili

7
.github/workflows/lint.yml vendored Normal file
View file

@ -0,0 +1,7 @@
on: [push]
jobs:
lint:
runs-on: nixos-latest
steps:
- uses: actions/checkout@v4
- run: nix fmt -- --check .

1
fili/configuration.nix
View file

@ -16,7 +16,6 @@ _: {
networkmanager.enable = true; networkmanager.enable = true;
}; };
nix.settings = { nix.settings = {
# users that can interact with nix # users that can interact with nix
trusted-users = [ trusted-users = [

3
fili/lib/auth.nix
View file

@ -1,4 +1,5 @@
{ baseUrl, clientId }: { { baseUrl, clientId }:
{
inherit clientId; inherit clientId;
userAuthUrl = "${baseUrl}/ui/oauth2"; userAuthUrl = "${baseUrl}/ui/oauth2";

11
fili/services/auth/kanidm.nix
View file

@ -1,9 +1,11 @@
{pkgs, config, ...}: let { pkgs, config, ... }:
let
lib = pkgs.lib; lib = pkgs.lib;
domain = "auth.donsz.nl"; domain = "auth.donsz.nl";
port = 3013; port = 3013;
backupsDir = "/var/lib/kanidm/backup"; backupsDir = "/var/lib/kanidm/backup";
in { in
{
services.kanidm.enableServer = true; services.kanidm.enableServer = true;
services.kanidm.package = pkgs.kanidm_1_6; services.kanidm.package = pkgs.kanidm_1_6;
services.kanidm.serverSettings = { services.kanidm.serverSettings = {
@ -26,12 +28,11 @@ in {
mkdir -p "${backupsDir}" mkdir -p "${backupsDir}"
''; '';
serviceConfig = { serviceConfig = {
SupplementaryGroups = SupplementaryGroups = [ config.security.acme.certs.${domain}.group ];
[ config.security.acme.certs.${domain}.group ];
}; };
}; };
environment.systemPackages = [pkgs.kanidm]; environment.systemPackages = [ pkgs.kanidm ];
services.nginx.virtualHosts.${domain} = { services.nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;

59
fili/services/auth/oauth2-proxy.nix
View file

@ -1,45 +1,50 @@
{pkgs, config, ...}: { { pkgs, config, ... }:
{
sops.secrets.oauth2-proxy = { sops.secrets.oauth2-proxy = {
sopsFile = ../../../secrets/oauth2-proxy.env; sopsFile = ../../../secrets/oauth2-proxy.env;
}; };
services.oauth2-proxy = services.oauth2-proxy =
let let
auth = import ../../lib/auth.nix { baseUrl = "https://auth.donsz.nl"; clientId = "homeserver"; }; auth = import ../../lib/auth.nix {
in { baseUrl = "https://auth.donsz.nl";
enable = true; clientId = "homeserver";
};
in
{
enable = true;
provider = "oidc"; provider = "oidc";
clientID = "${auth.clientId}"; clientID = "${auth.clientId}";
oidcIssuerUrl = auth.oidcIssuerUri; oidcIssuerUrl = auth.oidcIssuerUri;
proxyPrefix = "/oauth2"; proxyPrefix = "/oauth2";
reverseProxy = true; reverseProxy = true;
keyFile = config.sops.secrets.oauth2-proxy.path; keyFile = config.sops.secrets.oauth2-proxy.path;
loginURL = auth.apiAuthUrl; loginURL = auth.apiAuthUrl;
redeemURL = auth.tokenUrl; redeemURL = auth.tokenUrl;
validateURL = auth.rfc7662TokenIntrospectionUrl; validateURL = auth.rfc7662TokenIntrospectionUrl;
profileURL = auth.oidcUserInfo; profileURL = auth.oidcUserInfo;
scope = "openid profile email"; scope = "openid profile email";
email.domains = [ "*" ]; email.domains = [ "*" ];
cookie = { cookie = {
domain = "donsz.nl"; domain = "donsz.nl";
refresh = "1h"; refresh = "1h";
secure = true; secure = true;
};
extraConfig = {
whitelist-domain = [ "*.donsz.nl" ];
};
nginx.domain = "oauth2.donsz.nl";
}; };
extraConfig = {
whitelist-domain = ["*.donsz.nl"];
};
nginx.domain = "oauth2.donsz.nl";
};
services.nginx.virtualHosts."oauth2.donsz.nl" = { services.nginx.virtualHosts."oauth2.donsz.nl" = {
forceSSL = true; forceSSL = true;
http2 = true; http2 = true;

54
fili/services/forgejo.nix
View file

@ -1,4 +1,9 @@
{ lib, pkgs, config, ... }: {
lib,
pkgs,
config,
...
}:
let let
cfg = config.services.forgejo; cfg = config.services.forgejo;
srv = cfg.settings.server; srv = cfg.settings.server;
@ -6,7 +11,7 @@ in
{ {
sops.secrets.forgejo = { sops.secrets.forgejo = {
sopsFile = ../../secrets/forgejo.yaml; sopsFile = ../../secrets/forgejo.yaml;
key="email_password"; key = "email_password";
format = "yaml"; format = "yaml";
}; };
@ -33,7 +38,7 @@ in
lfs.enable = true; lfs.enable = true;
user = "forgejo"; user = "forgejo";
group = "forgejo"; group = "forgejo";
repositoryRoot="/storage/storage/git"; repositoryRoot = "/storage/storage/git";
database = { database = {
type = "postgres"; type = "postgres";
@ -43,8 +48,8 @@ in
settings = { settings = {
DEFAULT = { DEFAULT = {
APP_NAME="jana's git server"; APP_NAME = "jana's git server";
APP_SLOGAN="meow!"; APP_SLOGAN = "meow!";
}; };
server = { server = {
DOMAIN = "git.donsz.nl"; DOMAIN = "git.donsz.nl";
@ -62,7 +67,7 @@ in
DEFAULT_ACTIONS_URL = "github"; DEFAULT_ACTIONS_URL = "github";
}; };
repository = { repository = {
DEFAULT_PRIVATE="private"; DEFAULT_PRIVATE = "private";
}; };
mailer = { mailer = {
ENABLED = true; ENABLED = true;
@ -74,19 +79,48 @@ in
mailerPasswordFile = config.sops.secrets.forgejo.path; mailerPasswordFile = config.sops.secrets.forgejo.path;
}; };
users.groups.forgejo-runner = { };
users.users.forgejo-runner = {
isSystemUser = true;
group = "forgejo-runner";
};
sops.secrets.forgejo-runner = {
sopsFile = ../../secrets/forgejo-runner.yaml;
format = "yaml";
key = "token";
};
services.gitea-actions-runner = { services.gitea-actions-runner = {
package = pkgs.forgejo-runner; package = pkgs.forgejo-runner;
instances.fili = { instances.fili = {
enable = true; enable = true;
name = "forgejo-runner-01"; name = "forgejo-runner-01";
token = "SutcrCJ3ULoE5LBj9Tm8zkvTRDEJCpbvpe7FEJHC"; tokenFile = config.sops.secrets.forgejo-runner.path;
url = "https://git.donsz.nl/"; url = "https://git.donsz.nl/";
labels = [ labels = [
"node-22:docker://node:22-bookworm" "nix:host"
"nixos-latest:docker://nixos/nix" "docker:docker://node:16-bullseye"
"ubuntu-latest:docker://node:16-bullseye"
];
settings = { };
hostPackages = with pkgs; [
# default ones
bash
coreutils
curl
gawk
gitMinimal
gnused
nodejs
wget
# used in deployments
lix
openssh
]; ];
settings = {};
}; };
}; };

3
fili/services/nginx.nix
View file

@ -1,4 +1,5 @@
{pkgs, config, ...}: { { pkgs, config, ... }:
{
services.nginx = { services.nginx = {
enable = true; enable = true;
statusPage = true; statusPage = true;

3
fili/services/websites/homepage.nix
View file

@ -1,4 +1,5 @@
{flakes, pkgs, ...}: { { flakes, pkgs, ... }:
{
services.nginx = { services.nginx = {
virtualHosts."donsz.nl" = { virtualHosts."donsz.nl" = {
forceSSL = true; forceSSL = true;

3
fili/services/websites/mapf.nix
View file

@ -1,4 +1,5 @@
{flakes,...}: { { flakes, ... }:
{
# imports = [ # imports = [
# flakes.mapf.nixosModules.default # flakes.mapf.nixosModules.default
# ]; # ];

19
fili/services/websites/totpal.nix
View file

@ -1,8 +1,6 @@
{ flakes, pkgs,... }: { flakes, pkgs, ... }:
let let
totpal = totpal = flakes.totpal.packages.${pkgs.system}.default;
flakes.totpal.packages.${pkgs.system}.default
;
in in
{ {
services.nginx = { services.nginx = {
@ -17,12 +15,11 @@ in
}; };
}; };
systemd.services.totpal = systemd.services.totpal = {
{ description = "totpal";
description = "totpal"; serviceConfig = {
serviceConfig = { Type = "simple";
Type = "simple"; ExecStart = "${totpal}/bin/totpal";
ExecStart = "${totpal}/bin/totpal";
};
}; };
};
} }

16
secrets/forgejo-runner.yaml Normal file
View file

@ -0,0 +1,16 @@
token: ENC[AES256_GCM,data:QKJOB1yt7GJgJ4YIpptcMywGHFzF7FbZ86Yj587jgTO1elalkJG5Tg==,iv:F5/7z0KMAKnAfz9GU8csNcKavmaP8kI67bdrBNJcSso=,tag:ztDHSDO80NGqfZ9h+F5s5g==,type:str]
sops:
age:
- recipient: age1ygkcl4ss92z5ptzt3w5g4n98qx2c4kagyssm96m5z4c7t299c5wszjchxw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZTEkxK1VPRTNJSE92YWpO
NFJ0cUxHZW9RekFJbEVjcEdFVUJvWWJERUUwClBvU3dhQ29mNXpTQlVFZDg1dHNT
NFptZ3ZXWlZvZ3psMWI1d0twQUg5aVUKLS0tIG9sU0NGSUY5ek1ZK1plZDJMcHlj
UG03bnlmb0xLNmRvVjczRnMwVUtMQkEK9wRT5YByZf1Fj6eYHmiHQJpbcH+al3yA
PC0SiWgl2yNWkonrzoa97ehL64ugdH+HfJboKNGvViiHdIElnHZwrQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-08-20T09:53:17Z"
mac: ENC[AES256_GCM,data:L1wpGzIbHWV/3uv3Xspnxv7QU+WPB7X7DCAKtDXXp6+l81oYQjkj0LXu792dj1IDYuezE6IW4GUb5ptuBiLHRlPrY/TaTCRnkiMfXYjwoOAhoAYufHhUnGsSH3M/YOnLrN3fi1m2yhHBJwUFFDfoqN/5RTzCn4wbEgXg4t4hsQA=,iv:nsqyQthQm5mi5/5LPV8nwACeij48GAdX0Q0nsnYJYYg=,tag:k7q2COG5AYGQCJ9ly5y5AA==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.2

62
users/users.nix
View file

@ -17,43 +17,43 @@
}; };
users.extraUsers.jonathan = { users.extraUsers.jonathan = {
isNormalUser = true; isNormalUser = true;
shell = pkgs.fish; shell = pkgs.fish;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
# ori (lenovo laptop/desktop) # ori (lenovo laptop/desktop)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIET69oniNUA2nJV5+GxQ6XuK+vQbO8Uhtgrp1TrmiXVi jana@ori" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIET69oniNUA2nJV5+GxQ6XuK+vQbO8Uhtgrp1TrmiXVi jana@ori"
# bastion (arch server) # bastion (arch server)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJT6QJcxhUKjvHBv3Bd1rugyfAFUpxIe9cu1Frw3ylL jana@bastion" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJT6QJcxhUKjvHBv3Bd1rugyfAFUpxIe9cu1Frw3ylL jana@bastion"
# fili (server) # fili (server)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0pmCsQeMMJ0r3o/XN7Zw8YFa9OEqrL3ikoGTK0OUY6 jana@fili" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0pmCsQeMMJ0r3o/XN7Zw8YFa9OEqrL3ikoGTK0OUY6 jana@fili"
# kili (tudelft laptop) # kili (tudelft laptop)
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAXOTU6E06zjK/zkzlSPhTG35PoNRYgTCStEPUYyjeE jana@kili" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAXOTU6E06zjK/zkzlSPhTG35PoNRYgTCStEPUYyjeE jana@kili"
# nori hp tudelft laptop # nori hp tudelft laptop
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSCuEu1kFg8mAgpOuYZ/IH2Ur7LQP7sQrDjcPmerkSx jana@nori" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSCuEu1kFg8mAgpOuYZ/IH2Ur7LQP7sQrDjcPmerkSx jana@nori"
# oneplus 5 phone # oneplus 5 phone
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTqoHEVYxD+mwmZhPj+1+i1P0XmgTxXgSnPdPwFT1vr u0_a484@localhost" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTqoHEVYxD+mwmZhPj+1+i1P0XmgTxXgSnPdPwFT1vr u0_a484@localhost"
# git deploy key # git deploy key
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgadaDrViJp0Z6fbLBAo9grkmCeNQliIPXe12l3X3i/ jana@deploy" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgadaDrViJp0Z6fbLBAo9grkmCeNQliIPXe12l3X3i/ jana@deploy"
]; ];
# Make me admin # Make me admin
extraGroups = [ extraGroups = [
"systemd-journal" "systemd-journal"
"wheel" "wheel"
"networkmanager" "networkmanager"
"libvirtd" "libvirtd"
"dialout" "dialout"
"storage" "storage"
"syncthing" "syncthing"
"jellyfin" "jellyfin"
"media" "media"
]; ];
}; };
users.extraUsers.jana = { users.extraUsers.jana = {
isNormalUser = true; isNormalUser = true;