Add kanidm

Revert "Add authentik"
This reverts commit 8ca88da93a.
2024-08-12 20:56:11 +01:00 · 2024-08-12 19:44:59 +01:00 · 2024-08-12 19:44:30 +01:00 · 2024-08-12 00:10:54 +01:00 · 2024-08-11 23:23:46 +01:00 · 2024-08-11 23:05:46 +01:00
3 changed files with 60 additions and 21 deletions
--- a/flake.lock
+++ b/flake.lock
@@ -8,11 +8,11 @@
        "systems": "systems"
      },
      "locked": {
-        "lastModified": 1722339003,
-        "narHash": "sha256-ZeS51uJI30ehNkcZ4uKqT4ZDARPyqrHADSKAwv5vVCU=",
+        "lastModified": 1723293904,
+        "narHash": "sha256-b+uqzj+Wa6xgMS9aNbX4I+sXeb5biPDi39VgvSFqFvU=",
        "owner": "ryantm",
        "repo": "agenix",
-        "rev": "3f1dae074a12feb7327b4bf43cbac0d124488bb7",
+        "rev": "f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41",
        "type": "github"
      },
      "original": {
@@ -388,11 +388,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1723149858,
-        "narHash": "sha256-3u51s7jdhavmEL1ggtd8wqrTH2clTy5yaZmhLvAXTqc=",
+        "lastModified": 1723310128,
+        "narHash": "sha256-IiH8jG6PpR4h9TxSGMYh+2/gQiJW9MwehFvheSb5rPc=",
        "owner": "NixOS",
        "repo": "nixos-hardware",
-        "rev": "107bb46eef1f05e86fc485ee8af9b637e5157988",
+        "rev": "c54cf53e022b0b3c1d3b8207aa0f9b194c24f0cf",
        "type": "github"
      },
      "original": {
@@ -459,11 +459,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1722813957,
-        "narHash": "sha256-IAoYyYnED7P8zrBFMnmp7ydaJfwTnwcnqxUElC1I26Y=",
+        "lastModified": 1723175592,
+        "narHash": "sha256-M0xJ3FbDUc4fRZ84dPGx5VvgFsOzds77KiBMW/mMTnI=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "cb9a96f23c491c081b38eab96d22fa958043c9fa",
+        "rev": "5e0ca22929f3342b19569b21b2f3462f053e497b",
        "type": "github"
      },
      "original": {
@@ -490,11 +490,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1722987190,
-        "narHash": "sha256-68hmex5efCiM2aZlAAEcQgmFI4ZwWt8a80vOeB/5w3A=",
+        "lastModified": 1723282977,
+        "narHash": "sha256-oTK91aOlA/4IsjNAZGMEBz7Sq1zBS0Ltu4/nIQdYDOg=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "21cc704b5e918c5fbf4f9fff22b4ac2681706d90",
+        "rev": "a781ff33ae258bbcfd4ed6e673860c3e923bf2cc",
        "type": "github"
      },
      "original": {
@@ -541,11 +541,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1723232379,
-        "narHash": "sha256-F4Y3f9305aHGWKqAd3s2GyNRONdpDBuNuK4TCSdaHz8=",
+        "lastModified": 1723391864,
+        "narHash": "sha256-nX/aloqD8ZHcuPS7sk7fx1txTaXCi+o6iYm0mIX4uIE=",
        "owner": "nix-community",
        "repo": "plasma-manager",
-        "rev": "22bea90404c5ff6457913a03c1a54a3caa5b1c57",
+        "rev": "f843f4258eea57c5ba60f6ce1d96d12d6494b56e",
        "type": "github"
      },
      "original": {
@@ -576,11 +576,11 @@
    "secrets": {
      "flake": false,
      "locked": {
-        "lastModified": 1722712220,
-        "narHash": "sha256-gEmbk/DROfVZ+v/BAZHDloHzS0KdqIzxtW7z9g2eH4Y=",
+        "lastModified": 1723415003,
+        "narHash": "sha256-zSzDvI0sHayG5se7ALXhJhl41tConoWYbdqeow6OmBo=",
        "ref": "refs/heads/master",
-        "rev": "dfe0e95be5ef539bf28602ff47beeea26cc4d1b8",
-        "revCount": 22,
+        "rev": "db951141cab2de0b4176f4f6fc42a50b30dd3950",
+        "revCount": 26,
        "type": "git",
        "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
      },
--- a/hosts/vps1/default.nix
+++ b/hosts/vps1/default.nix
@@ -1,4 +1,4 @@
-{ lib, ... }:
+{ config, lib, ... }:

 {
  imports = [
@@ -37,10 +37,45 @@
    groups = {
      jellyfin = { };
    };
+    extraGroups.acme.members = [ "kanidm" "nginx" ];
  };

  services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";

+  security.acme.certs."auth.vimium.com" = {
+    postRun = "systemctl restart kanidm.service";
+    group = "acme";
+  };
+
+  services.kanidm = let
+    baseDomain = "vimium.com";
+    domain = "auth.${baseDomain}";
+    uri = "https://${domain}";
+  in {
+    enableClient = true;
+    enableServer = true;
+    clientSettings = {
+      inherit uri;
+    };
+    serverSettings = {
+      bindaddress = "[::1]:3013";
+      domain = baseDomain;
+      origin = uri;
+      tls_chain = "${config.security.acme.certs.${domain}.directory}/full.pem";
+      tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
+    };
+  };
+
+  services.nginx.virtualHosts = {
+    "auth.vimium.com" = {
+      useACMEHost = "auth.vimium.com";
+      forceSSL = true;
+      locations."/" = {
+        proxyPass = "https://[::1]:3013";
+      };
+    };
+  };
+
  modules = rec {
    databases.postgresql.enable = true;
    services = {
--- a/modules/services/nginx/default.nix
+++ b/modules/services/nginx/default.nix
@@ -118,8 +118,12 @@ in {
          serverAliases = [ "www.jdholt.com" ];
          extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
          locations."/skycam/snapshot.jpg" = {
-            proxyPass = "http://skycam.mesh.vimium.net:8080/snapshot";
            extraConfig = ''
+              set $backend "skycam.mesh.vimium.net:8080";
+
+              resolver 100.100.100.100;
+
+              proxy_pass http://$backend/snapshot;
              proxy_cache skycam_cache;
              proxy_cache_valid any 10s;
              proxy_ignore_headers Cache-Control Expires Set-Cookie;
Author	SHA1	Message	Date
Jordan Holt	413869266e	Add kanidm Some checks failed Check flake / build-amd64-linux (push) Has been cancelled Details	2024-08-12 20:56:11 +01:00
Jordan Holt	0cb2740a86	Revert "Add authentik" This reverts commit `8ca88da93a`.	2024-08-12 19:44:59 +01:00
Jordan Holt	3a77365452	Add tailscale resolver for skycam	2024-08-12 19:44:30 +01:00
Jordan Holt	8ca88da93a	Add authentik All checks were successful Check flake / build-amd64-linux (push) Successful in 5m44s Details	2024-08-12 00:10:54 +01:00
Jordan Holt	cf6898565b	flake.lock: Update Flake lock file updates: • Updated input 'secrets': 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=2725922f5ed145f060e840c93ad5f73606eddb28' (2024-08-11) → 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=db951141cab2de0b4176f4f6fc42a50b30dd3950' (2024-08-11)	2024-08-11 23:23:46 +01:00
Jordan Holt	cc97ede099	flake.lock: Update Flake lock file updates: • Updated input 'agenix': 'github:ryantm/agenix/3f1dae074a12feb7327b4bf43cbac0d124488bb7' (2024-07-30) → 'github:ryantm/agenix/f6291c5935fdc4e0bef208cfc0dcab7e3f7a1c41' (2024-08-10) • Added input 'authentik-nix': 'github:nix-community/authentik-nix/80fc87361809f78b8a8cd7e57a14b66a726379ef' (2024-08-05) • Added input 'authentik-nix/authentik-src': 'github:goauthentik/authentik/8f207c75046d722c17dee2bcf65fa386b06f5b9a' (2024-08-05) • Added input 'authentik-nix/flake-compat': 'github:edolstra/flake-compat/0f9255e01c2351cc7d116c072cb317785dd33b33' (2023-10-04) • Added input 'authentik-nix/flake-parts': 'github:hercules-ci/flake-parts/c3c5ecc05edc7dafba779c6c1a61cd08ac6583e9' (2024-06-30) • Added input 'authentik-nix/flake-parts/nixpkgs-lib': '`eb9ceca17d`.tar.gz?narHash=sha256-lIbdfCsf8LMFloheeE6N31%2BBMIeixqyQWbSr2vk79EQ%3D' (2024-06-01) • Added input 'authentik-nix/flake-utils': 'github:numtide/flake-utils/b1d9ab70662946ef0850d488da1c9019f3a9752a' (2024-03-11) • Added input 'authentik-nix/flake-utils/systems': 'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09) • Added input 'authentik-nix/napalm': 'github:nix-community/napalm/e1babff744cd278b56abe8478008b4a9e23036cf' (2024-06-09) • Added input 'authentik-nix/napalm/flake-utils': follows 'authentik-nix/flake-utils' • Added input 'authentik-nix/napalm/nixpkgs': follows 'authentik-nix/nixpkgs' • Added input 'authentik-nix/nixpkgs': 'github:NixOS/nixpkgs/feb2849fdeb70028c70d73b848214b00d324a497' (2024-07-09) • Added input 'authentik-nix/poetry2nix': 'github:nix-community/poetry2nix/4fd045cdb85f2a0173021a4717dc01d92d7ab2b2' (2024-06-28) • Added input 'authentik-nix/poetry2nix/flake-utils': follows 'authentik-nix/flake-utils' • Added input 'authentik-nix/poetry2nix/nix-github-actions': 'github:nix-community/nix-github-actions/5163432afc817cf8bd1f031418d1869e4c9d5547' (2023-12-29) • Added input 'authentik-nix/poetry2nix/nix-github-actions/nixpkgs': follows 'authentik-nix/poetry2nix/nixpkgs' • Added input 'authentik-nix/poetry2nix/nixpkgs': follows 'authentik-nix/nixpkgs' • Added input 'authentik-nix/poetry2nix/systems': 'github:nix-systems/default/da67096a3b9bf56a91d16901293e51ba5b49a27e' (2023-04-09) • Added input 'authentik-nix/poetry2nix/treefmt-nix': 'github:numtide/treefmt-nix/68eb1dc333ce82d0ab0c0357363ea17c31ea1f81' (2024-06-16) • Added input 'authentik-nix/poetry2nix/treefmt-nix/nixpkgs': follows 'authentik-nix/poetry2nix/nixpkgs' • Updated input 'nixos-hardware': 'github:NixOS/nixos-hardware/107bb46eef1f05e86fc485ee8af9b637e5157988' (2024-08-08) → 'github:NixOS/nixos-hardware/c54cf53e022b0b3c1d3b8207aa0f9b194c24f0cf' (2024-08-10) • Updated input 'nixpkgs': 'github:NixOS/nixpkgs/21cc704b5e918c5fbf4f9fff22b4ac2681706d90' (2024-08-06) → 'github:NixOS/nixpkgs/a781ff33ae258bbcfd4ed6e673860c3e923bf2cc' (2024-08-10) • Updated input 'nixpkgs-unstable': 'github:NixOS/nixpkgs/cb9a96f23c491c081b38eab96d22fa958043c9fa' (2024-08-04) → 'github:NixOS/nixpkgs/5e0ca22929f3342b19569b21b2f3462f053e497b' (2024-08-09) • Updated input 'plasma-manager': 'github:nix-community/plasma-manager/22bea90404c5ff6457913a03c1a54a3caa5b1c57' (2024-08-09) → 'github:nix-community/plasma-manager/f843f4258eea57c5ba60f6ce1d96d12d6494b56e' (2024-08-11) • Updated input 'secrets': 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=dfe0e95be5ef539bf28602ff47beeea26cc4d1b8' (2024-08-03) → 'git+ssh://git@git.vimium.com/jordan/nix-secrets.git?ref=refs/heads/master&rev=2725922f5ed145f060e840c93ad5f73606eddb28' (2024-08-11)	2024-08-11 23:05:46 +01:00
Jordan Holt	6ddb31c36f	Evaluate skycam upstream at runtime All checks were successful Check flake / build-amd64-linux (push) Successful in 2m52s Details	2024-08-11 22:27:45 +01:00