diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
index 9a659a6..a3ce8bc 100644
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -1,11 +1,6 @@
-on:
- push:
- branches:
- - master
+on: [push]
 jobs:
- build:
+ test:
 runs-on: nixos-latest
 steps:
- - uses: actions/checkout@v4
- - run: nix develop
- - run: colmena build -v --on @fili
+ - run: echo All good!
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
deleted file mode 100644
index 2600013..0000000
--- a/.github/workflows/lint.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-on: [push]
-jobs:
- lint:
- runs-on: nixos-latest
- steps:
- - uses: actions/checkout@v4
- - run: nix fmt -- --check .
diff --git a/fili/configuration.nix b/fili/configuration.nix
index 0b41d94..a0559d4 100644
--- a/fili/configuration.nix
+++ b/fili/configuration.nix
@@ -16,6 +16,7 @@ _: {
 networkmanager.enable = true;
 };
+
 nix.settings = {
 # users that can interact with nix
 trusted-users = [
diff --git a/fili/lib/auth.nix b/fili/lib/auth.nix
index f277d2e..7a58668 100644
--- a/fili/lib/auth.nix
+++ b/fili/lib/auth.nix
@@ -1,5 +1,4 @@
-{ baseUrl, clientId }:
-{
+{ baseUrl, clientId }: {
 inherit clientId;
 userAuthUrl = "${baseUrl}/ui/oauth2";
diff --git a/fili/services/auth/kanidm.nix b/fili/services/auth/kanidm.nix
index 9e023e1..afb828d 100644
--- a/fili/services/auth/kanidm.nix
+++ b/fili/services/auth/kanidm.nix
@@ -1,11 +1,9 @@
-{ pkgs, config, ... }:
-let
+{pkgs, config, ...}: let
 lib = pkgs.lib;
 domain = "auth.donsz.nl";
 port = 3013;
 backupsDir = "/var/lib/kanidm/backup";
-in
-{
+in {
 services.kanidm.enableServer = true;
 services.kanidm.package = pkgs.kanidm_1_6;
 services.kanidm.serverSettings = {
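Review bot: With `- run: echo All good!` as the only step, this job succeeds on every push without checking out or evaluating the configuration, and because `.github/workflows/lint.yml` (the `nix fmt -- --check .` job) is deleted in the same commit, no CI check remains that could catch a broken or mis-formatted config before it is deployed to the host. An always-green job is worse than none if a required status check or a deploy hook keys off it. If the runner can no longer run `colmena build`, keep the checkout and at least a cheap evaluation step, e.g. `- uses: actions/checkout@v4` followed by `- run: nix flake check` (the repo appears to be a flake, given the former `nix develop` step), and either rename the `test` job or add a comment explaining why a file called `deploy.yml` no longer deploys. The forgejo.nix hunks in this commit (`key="email_password"`, `APP_NAME="jana's git server"`) are the kind of inconsistency the removed formatting check would presumably have flagged.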
@@ -28,11 +26,12 @@ in
 mkdir -p "${backupsDir}"
 '';
 serviceConfig = {
- SupplementaryGroups = [ config.security.acme.certs.${domain}.group ];
+ SupplementaryGroups =
+ [ config.security.acme.certs.${domain}.group ];
 };
 };
- environment.systemPackages = [ pkgs.kanidm ];
+ environment.systemPackages = [pkgs.kanidm];
 services.nginx.virtualHosts.${domain} = {
 forceSSL = true;
diff --git a/fili/services/auth/oauth2-proxy.nix b/fili/services/auth/oauth2-proxy.nix
index ec19873..20cfa28 100644
--- a/fili/services/auth/oauth2-proxy.nix
+++ b/fili/services/auth/oauth2-proxy.nix
@@ -1,50 +1,45 @@
-{ pkgs, config, ... }:
-{
+{pkgs, config, ...}: {
 sops.secrets.oauth2-proxy = {
 sopsFile = ../../../secrets/oauth2-proxy.env;
 };
 services.oauth2-proxy = let
- auth = import ../../lib/auth.nix {
- baseUrl = "https://auth.donsz.nl";
- clientId = "homeserver";
- };
- in
- {
- enable = true;
+ auth = import ../../lib/auth.nix { baseUrl = "https://auth.donsz.nl"; clientId = "homeserver"; };
+ in {
+ enable = true;
- provider = "oidc";
- clientID = "${auth.clientId}";
- oidcIssuerUrl = auth.oidcIssuerUri;
+ provider = "oidc";
+ clientID = "${auth.clientId}";
+ oidcIssuerUrl = auth.oidcIssuerUri;
- proxyPrefix = "/oauth2";
- reverseProxy = true;
+ proxyPrefix = "/oauth2";
+ reverseProxy = true;
- keyFile = config.sops.secrets.oauth2-proxy.path;
+ keyFile = config.sops.secrets.oauth2-proxy.path;
- loginURL = auth.apiAuthUrl;
- redeemURL = auth.tokenUrl;
- validateURL = auth.rfc7662TokenIntrospectionUrl;
- profileURL = auth.oidcUserInfo;
+ loginURL = auth.apiAuthUrl;
+ redeemURL = auth.tokenUrl;
+ validateURL = auth.rfc7662TokenIntrospectionUrl;
+ profileURL = auth.oidcUserInfo;
- scope = "openid profile email";
+ scope = "openid profile email";
- email.domains = [ "*" ];
+ email.domains = [ "*" ];
- cookie = {
- domain = "donsz.nl";
- refresh = "1h";
- secure = true;
- };
-
- extraConfig = {
- whitelist-domain = [ "*.donsz.nl" ];
- };
-
- nginx.domain = "oauth2.donsz.nl";
+ cookie = {
+ domain = "donsz.nl";
+ refresh = "1h";
+ secure = true;
 };
+ extraConfig = {
+ whitelist-domain = ["*.donsz.nl"];
+ };
+
+ nginx.domain = "oauth2.donsz.nl";
+ };
+
 services.nginx.virtualHosts."oauth2.donsz.nl" = {
 forceSSL = true;
 http2 = true;
diff --git a/fili/services/forgejo.nix b/fili/services/forgejo.nix
index 24f1e9c..9a960f6 100644
--- a/fili/services/forgejo.nix
+++ b/fili/services/forgejo.nix
@@ -1,9 +1,4 @@
-{
- lib,
- pkgs,
- config,
- ...
-}:
+{ lib, pkgs, config, ... }:
 let
 cfg = config.services.forgejo;
 srv = cfg.settings.server;
@@ -11,7 +6,7 @@ in
 {
 sops.secrets.forgejo = {
 sopsFile = ../../secrets/forgejo.yaml;
- key = "email_password";
+ key="email_password";
 format = "yaml";
 };
@@ -38,7 +33,7 @@ in
 lfs.enable = true;
 user = "forgejo";
 group = "forgejo";
- repositoryRoot = "/storage/storage/git";
+ repositoryRoot="/storage/storage/git";
 database = {
 type = "postgres";
@@ -48,8 +43,8 @@ in
 settings = {
 DEFAULT = {
- APP_NAME = "jana's git server";
- APP_SLOGAN = "meow!";
+ APP_NAME="jana's git server";
+ APP_SLOGAN="meow!";
 };
 server = {
 DOMAIN = "git.donsz.nl";
@@ -67,7 +62,7 @@ in
 DEFAULT_ACTIONS_URL = "github";
 };
 repository = {
- DEFAULT_PRIVATE = "private";
+ DEFAULT_PRIVATE="private";
 };
 mailer = {
 ENABLED = true;
@@ -90,7 +85,7 @@ in
 labels = [
 "nixos-latest:docker://nixos/nix"
 ];
- settings = { };
+ settings = {};
 };
 };
diff --git a/fili/services/nginx.nix b/fili/services/nginx.nix
index e58c7b6..e1e9279 100644
--- a/fili/services/nginx.nix
+++ b/fili/services/nginx.nix
@@ -1,5 +1,4 @@
-{ pkgs, config, ... }:
-{
+{pkgs, config, ...}: {
 services.nginx = {
 enable = true;
 statusPage = true;
diff --git a/fili/services/websites/homepage.nix b/fili/services/websites/homepage.nix
index 3de7867..0a66c3e 100644
--- a/fili/services/websites/homepage.nix
+++ b/fili/services/websites/homepage.nix
@@ -1,5 +1,4 @@
-{ flakes, pkgs, ... }:
-{
+{flakes, pkgs, ...}: {
 services.nginx = {
 virtualHosts."donsz.nl" = {
 forceSSL = true;
diff --git a/fili/services/websites/mapf.nix b/fili/services/websites/mapf.nix
index 5fb3a7c..00a6844 100644
--- a/fili/services/websites/mapf.nix
+++ b/fili/services/websites/mapf.nix
@@ -1,5 +1,4 @@
-{ flakes, ... }:
-{
+{flakes,...}: {
 # imports = [
 # flakes.mapf.nixosModules.default
 # ];
diff --git a/fili/services/websites/totpal.nix b/fili/services/websites/totpal.nix
index 74e5560..85d3043 100644
--- a/fili/services/websites/totpal.nix
+++ b/fili/services/websites/totpal.nix
@@ -1,6 +1,8 @@
-{ flakes, pkgs, ... }:
+{ flakes, pkgs,... }:
 let
- totpal = flakes.totpal.packages.${pkgs.system}.default;
+ totpal =
+ flakes.totpal.packages.${pkgs.system}.default
+ ;
 in
 {
 services.nginx = {
@@ -15,11 +17,12 @@ in
 };
 };
- systemd.services.totpal = {
- description = "totpal";
- serviceConfig = {
- Type = "simple";
- ExecStart = "${totpal}/bin/totpal";
+ systemd.services.totpal =
+ {
+ description = "totpal";
+ serviceConfig = {
+ Type = "simple";
+ ExecStart = "${totpal}/bin/totpal";
+ };
 };
- };
 }
diff --git a/users/users.nix b/users/users.nix
index 4dffaba..d78880e 100644
--- a/users/users.nix
+++ b/users/users.nix
@@ -17,43 +17,43 @@
 };
 users.extraUsers.jonathan = {
- isNormalUser = true;
- shell = pkgs.fish;
- openssh.authorizedKeys.keys = [
- # ori (lenovo laptop/desktop)
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIET69oniNUA2nJV5+GxQ6XuK+vQbO8Uhtgrp1TrmiXVi jana@ori"
+ isNormalUser = true;
+ shell = pkgs.fish;
+ openssh.authorizedKeys.keys = [
+ # ori (lenovo laptop/desktop)
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIET69oniNUA2nJV5+GxQ6XuK+vQbO8Uhtgrp1TrmiXVi jana@ori"
- # bastion (arch server)
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJT6QJcxhUKjvHBv3Bd1rugyfAFUpxIe9cu1Frw3ylL jana@bastion"
+ # bastion (arch server)
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHJT6QJcxhUKjvHBv3Bd1rugyfAFUpxIe9cu1Frw3ylL jana@bastion"
- # fili (server)
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0pmCsQeMMJ0r3o/XN7Zw8YFa9OEqrL3ikoGTK0OUY6 jana@fili"
+ # fili (server)
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0pmCsQeMMJ0r3o/XN7Zw8YFa9OEqrL3ikoGTK0OUY6 jana@fili"
- # kili (tudelft laptop)
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAXOTU6E06zjK/zkzlSPhTG35PoNRYgTCStEPUYyjeE jana@kili"
+ # kili (tudelft laptop)
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOAXOTU6E06zjK/zkzlSPhTG35PoNRYgTCStEPUYyjeE jana@kili"
- # nori hp tudelft laptop
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSCuEu1kFg8mAgpOuYZ/IH2Ur7LQP7sQrDjcPmerkSx jana@nori"
+ # nori hp tudelft laptop
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOSCuEu1kFg8mAgpOuYZ/IH2Ur7LQP7sQrDjcPmerkSx jana@nori"
- # oneplus 5 phone
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTqoHEVYxD+mwmZhPj+1+i1P0XmgTxXgSnPdPwFT1vr u0_a484@localhost"
+ # oneplus 5 phone
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBTqoHEVYxD+mwmZhPj+1+i1P0XmgTxXgSnPdPwFT1vr u0_a484@localhost"
- # git deploy key
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgadaDrViJp0Z6fbLBAo9grkmCeNQliIPXe12l3X3i/ jana@deploy"
- ];
- # Make me admin
- extraGroups = [
- "systemd-journal"
- "wheel"
- "networkmanager"
- "libvirtd"
- "dialout"
- "storage"
- "syncthing"
- "jellyfin"
- "media"
- ];
- };
+ # git deploy key
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICgadaDrViJp0Z6fbLBAo9grkmCeNQliIPXe12l3X3i/ jana@deploy"
+ ];
+ # Make me admin
+ extraGroups = [
+ "systemd-journal"
+ "wheel"
+ "networkmanager"
+ "libvirtd"
+ "dialout"
+ "storage"
+ "syncthing"
+ "jellyfin"
+ "media"
+ ];
+ };
 users.extraUsers.jana = {
 isNormalUser = true;