stuff
@@ -18,6 +18,7 @@
|
||||
./services/mira-auth.nix
|
||||
./services/mira-git.nix
|
||||
./services/mira-link-auth-git.nix
|
||||
./services/mira-wisdom.nix
|
||||
];
|
||||
|
||||
vacu.proxiedServices = {
|
||||
@@ -35,6 +36,7 @@
|
||||
rad.enable = true;
|
||||
mira-auth.enable = true;
|
||||
mira-git.enable = true;
|
||||
mira-wisdom.enable = true;
|
||||
|
||||
keycloak.enable = false;
|
||||
kanidm.enable = false;
|
||||
|
@@ -34,6 +34,14 @@ in
|
||||
isReadOnly = false;
|
||||
};
|
||||
|
||||
forwardPorts = [
|
||||
{
|
||||
containerPort = 22;
|
||||
hostPort = 22;
|
||||
protocol = "tcp";
|
||||
}
|
||||
];
|
||||
|
||||
config =
|
||||
{
|
||||
lib,
|
||||
@@ -71,6 +79,7 @@ in
|
||||
|
||||
services.forgejo = {
|
||||
enable = true;
|
||||
package = pkgs.forgejo;
|
||||
stateDir = "/trip/mira-git";
|
||||
database = {
|
||||
type = "postgres";
|
||||
@@ -105,6 +114,7 @@ in
|
||||
START_SSH_SERVER = true;
|
||||
BUILTIN_SSH_SERVER_USER = "git";
|
||||
SSH_CREATE_AUTHORIZED_KEYS_FILE = false;
|
||||
SSH_SERVER_HOST_KEYS = "ssh/gitea.rsa, ssh/gitea.ed25519";
|
||||
};
|
||||
admin = {
|
||||
DEFAULT_EMAIL_NOTIFICATIONS = "disabled";
|
||||
|
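Review bot: The new `forwardPorts` entry maps `hostPort = 22` to the container's builtin SSH server, and with `privateNetwork = true` that is a DNAT of inbound traffic on the host's port 22; if the host's own sshd still listens there, admin SSH to the host is captured by the container and clients see the Forgejo host key under the host's name. Either move the host side to a distinct port or record the intent next to the entry, e.g. `# host sshd is not on 22; all inbound 22 belongs to Forgejo's builtin server`. The `SSH_SERVER_HOST_KEYS = "ssh/gitea.rsa, ssh/gitea.ed25519"` paths are relative to the Forgejo state directory, so they live under `/trip/mira-git`; a short comment saying so would save the next reader a lookup. The enclosing `containers.mira-git` attribute set begins before these hunks.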
@@ -16,22 +16,33 @@ in
|
||||
SHOW_REGISTRATION_BUTTON = false;
|
||||
ENABLE_INTERNAL_SIGNIN = false;
|
||||
};
|
||||
oauth2_client = {
|
||||
ENABLE_AUTO_REGISTRATION = true;
|
||||
USERNAME = "nickname";
|
||||
ACCOUNT_LINKING = "disabled";
|
||||
OPENID_CONNECT_SCOPES = "email profile groups";
|
||||
};
|
||||
};
|
||||
};
|
||||
containers.mira-auth.config = { pkgs, ... }: {
|
||||
services.kanidm.package = pkgs.kanidm.withSecretProvisioning;
|
||||
services.kanidm.provision = {
|
||||
enable = true;
|
||||
groups.git_users.present = true;
|
||||
systems.oauth2.${oauth_name} = {
|
||||
present = true;
|
||||
displayName = "Forgejo (git)";
|
||||
originUrl = "https://${git_domain}/auth/login/";
|
||||
originLanding = "https://${git_domain}";
|
||||
allowInsecureClientDisablePkce = true;
|
||||
public = false;
|
||||
scopeMaps.git_users = [ "email" "openid" "profile" "groups" ];
|
||||
};
|
||||
enable = false;
|
||||
# autoRemove = false;
|
||||
# groups.git_users = {
|
||||
# present = true;
|
||||
# members = [ "shelvacu" ];
|
||||
# };
|
||||
# systems.oauth2.${oauth_name} = {
|
||||
# present = true;
|
||||
# displayName = "Forgejo (git)";
|
||||
# originUrl = "https://git.for.miras.pet/user/oauth2/Mira%20Cult%20SSO/callback";
|
||||
# originLanding = "https://${git_domain}";
|
||||
# # allowInsecureClientDisablePkce = true;
|
||||
# public = false;
|
||||
# scopeMaps.git_users = [ "email" "openid" "profile" "groups" ];
|
||||
# preferShortUsername = true;
|
||||
# };
|
||||
};
|
||||
};
|
||||
}
|
||||
|
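Review bot: The rendering does not preserve which of the two kanidm provisioning blocks is the live one, so this applies to whichever survives: the block with `enable = true;` uses `originUrl = "https://${git_domain}/auth/login/"`, which is not the path Forgejo redirects to (the commented variant uses `/user/oauth2/<name>/callback`, matching Forgejo's OAuth2 login flow), and a kanidm build that matches the full redirect URI would then reject every login with an invalid-redirect error. `allowInsecureClientDisablePkce = true;` relaxes PKCE for a confidential client and should carry a reason, e.g. `# Forgejo's OAuth2 client does not send PKCE — TODO re-check after upgrade`. In the `ENABLE_AUTO_REGISTRATION = true` block, `ACCOUNT_LINKING = "disabled"` together with `USERNAME = "nickname"` means a kanidm user whose nickname collides with an existing local account cannot log in; a comment noting that this is deliberate would help. The enclosing `services.forgejo.settings` set starts outside this hunk.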
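--- /dev/null
+++ b/triple-dezert/proxied/services/mira-wisdom.nix
@@ -0,0 +1,75 @@
+{ config, lib, ... }:
+let
+container = config.containers.mira-wisdom;
+dbCfg = config.vacu.databases.mira-wisdom;
+domain = "wisdom.for.miras.pet";
+auth_domain = "auth.for.miras.pet";
+port = 3000;
+in
+{
+vacu.databases.mira-wisdom = {
+# user = "mira-wisdom";
+fromContainer = "mira-wisdom";
+};
+
+vacu.proxiedServices.mira-wisdom = {
+inherit domain port;
+fromContainer = "mira-wisdom";
+forwardFor = true;
+maxConnections = 100;
+};
+
+containers.mira-wisdom = {
+privateNetwork = true;
+hostAddress = "192.168.100.42";
+localAddress = "192.168.100.43";
+
+autoStart = true;
+ephemeral = false;
+restartIfChanged = true;
+
+# bindMounts."/mira-wisdom" = {
+# hostPath = "/trip/mira-wisdom";
+# isReadOnly = false;
+# };
+
+config =
+let
+outer_config = config;
+in
+{
+config,
+pkgs,
+lib,
+...
+}:
+{
+system.stateVersion = "latest";
+
+nixpkgs.config.allowUnfree = true;
+
+networking.firewall.enable = false;
+networking.useHostResolvConf = lib.mkForce false;
+services.resolved.enable = true;
+
+services.outline = {
+enable = true;
+concurrency = 3;
+databaseUrl = "postgres://${dbCfg.user}@${container.hostAddress}/${dbCfg.name}";
+defaultLanguage = "en_US";
+forceHttps = false; # this is reverse proxy's job
+oidcAuthentication = rec {
+displayName = "Mira Cult SSO";
+clientId = "outline";
+clientSecretFile = "/var/lib/outline/client_secret";
+authUrl = "https://${auth_domain}/oauth2/authorise";
+tokenUrl = "https://${auth_domain}/oauth2/token";
+userinfoUrl = "https://${auth_domain}/oauth2/openid/${clientId}/userinfo";
+};
+inherit port;
+publicUrl = "https://${domain}";
+storage.storageType = "local";
+};
+};
+};
+}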
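Review bot: `clientSecretFile = "/var/lib/outline/client_secret"` is read by the Outline service but nothing in this file provisions it; with `ephemeral = false` and the bindMount commented out it presumably has to be placed by hand in the container's persistent state, so a comment next to the line should record the mechanism and required ownership, e.g. `# placed out-of-band in the container's /var/lib/outline; must be readable only by the outline user — TODO confirm`. `system.stateVersion = "latest"` is not a release string; NixOS compares it with `lib.versionAtLeast`, and a non-numeric component sorts below any numeric version, so the container would likely get the oldest legacy defaults rather than the newest — pin a real release such as `system.stateVersion = "<release>";`. `networking.firewall.enable = false` exposes every listener in the container to the host-side veth when only port 3000 needs reaching from the proxy; `networking.firewall.allowedTCPPorts = [ port ];` is the tighter equivalent. `databaseUrl` carries no credential, so host-side Postgres access rests on `pg_hba` trust for `container.hostAddress`, which is not visible here and worth a comment; `outer_config` in the inner `let` is unused.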