Add kanidm

This reverts commit 8ca88da93a.

flake.lock

@@ -541,11 +541,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1723232379,
-        "narHash": "sha256-F4Y3f9305aHGWKqAd3s2GyNRONdpDBuNuK4TCSdaHz8=",
+        "lastModified": 1723391864,
+        "narHash": "sha256-nX/aloqD8ZHcuPS7sk7fx1txTaXCi+o6iYm0mIX4uIE=",
         "owner": "nix-community",
         "repo": "plasma-manager",
-        "rev": "22bea90404c5ff6457913a03c1a54a3caa5b1c57",
+        "rev": "f843f4258eea57c5ba60f6ce1d96d12d6494b56e",
         "type": "github"
       },
       "original": {
@@ -576,11 +576,11 @@
     "secrets": {
       "flake": false,
       "locked": {
-        "lastModified": 1723385164,
-        "narHash": "sha256-/z4nBwpHsGWl1gmGv7FQQgoOcPwUaVzL7rfjI5nTOLg=",
+        "lastModified": 1723415003,
+        "narHash": "sha256-zSzDvI0sHayG5se7ALXhJhl41tConoWYbdqeow6OmBo=",
         "ref": "refs/heads/master",
-        "rev": "b47efe67031e12a2d5560b94fdb4de7dca3df80c",
-        "revCount": 24,
+        "rev": "db951141cab2de0b4176f4f6fc42a50b30dd3950",
+        "revCount": 26,
         "type": "git",
         "url": "ssh://git@git.vimium.com/jordan/nix-secrets.git"
       },

hosts/desktop.nix

@@ -6,7 +6,7 @@
   ];
 
   nixpkgs.overlays = [
-    (import ../overlays/gnome)
+    (import ../overlays/gnome.nix)
   ];
 
   services.printing.enable = true;

hosts/skycam/default.nix

@@ -55,7 +55,7 @@
   '';
 
   nixpkgs.overlays = [
-    (import ./../../overlays/libcamera)
+    (import ./../../overlays/libcamera.nix)
   ];
 
   networking = {

hosts/vps1/default.nix

@@ -1,4 +1,4 @@
-{ config, lib, self, ... }:
+{ config, lib, ... }:
 
 {
   imports = [
@@ -37,91 +37,42 @@
     groups = {
       jellyfin = { };
     };
+    extraGroups.acme.members = [ "kanidm" "nginx" ];
   };
 
   services.openssh.settings.PermitRootLogin = lib.mkForce "prohibit-password";
 
-  services.postgresql = {
-    ensureUsers = [
-      {
-        name = "zitadel";
-        ensureDBOwnership = true;
-        ensureClauses = {
-          superuser = true;
-        };
-      }
-    ];
-    ensureDatabases = [ "zitadel" ];
+  security.acme.certs."auth.vimium.com" = {
+    postRun = "systemctl restart kanidm.service";
+    group = "acme";
   };
 
-  age.secrets."files/services/zitadel/masterkey" = {
-    file = "${self.inputs.secrets}/files/services/zitadel/masterkey.age";
-    owner = "zitadel";
-    group = "zitadel";
+  services.kanidm = let
+    baseDomain = "vimium.com";
+    domain = "auth.${baseDomain}";
+    uri = "https://${domain}";
+  in {
+    enableClient = true;
+    enableServer = true;
+    clientSettings = {
+      inherit uri;
     };
-
-  systemd.services.zitadel = {
-    requires = [ "postgresql.service" ];
-    after = [ "postgresql.service" ];
-  };
-
-  services.zitadel = {
-    enable = true;
-    masterKeyFile = config.age.secrets."files/services/zitadel/masterkey".path;
-    settings = {
-      Database.postgres = {
-        Host = "/run/postgresql";
-        Port = 5432;
-        Database = "zitadel";
-        User = {
-          Username = "zitadel";
-          SSL.Mode = "disable";
-        };
-        Admin = {
-          ExistingDatabase = "zitadel";
-          Username = "zitadel";
-          SSL.Mode = "disable";
-        };
-      };
-      ExternalDomain = "id.vimium.com";
-      ExternalPort = 443;
-      ExternalSecure = true;
-      Machine = {
-        Identification = {
-          Hostname.Enabled = true;
-          PrivateIp.Enabled = false;
-          Webhook.Enabled = false;
-        };
-      };
-      Port = 8081;
-      WebAuthNName = "Vimium";
-    };
-    steps.FirstInstance = {
-      InstanceName = "Vimium";
-      Org.Name = "Vimium";
-      Org.Human = {
-        UserName = "jordan@vimium.com";
-        FirstName = "Jordan";
-        LastName = "Holt";
-        Email = {
-          Address = "jordan@vimium.com";
-          Verified = true;
-        };
-        Password = "Password1!";
-        PasswordChangeRequired = true;
-      };
-      LoginPolicy.AllowRegister = false;
+    serverSettings = {
+      bindaddress = "[::1]:3013";
+      domain = baseDomain;
+      origin = uri;
+      tls_chain = "${config.security.acme.certs.${domain}.directory}/full.pem";
+      tls_key = "${config.security.acme.certs.${domain}.directory}/key.pem";
     };
   };
 
-  services.nginx.virtualHosts."id.vimium.com" = {
-    enableACME = true;
+  services.nginx.virtualHosts = {
+    "auth.vimium.com" = {
+      useACMEHost = "auth.vimium.com";
       forceSSL = true;
       locations."/" = {
-      extraConfig = ''
-        grpc_pass grpc://localhost:${builtins.toString config.services.zitadel.settings.Port};
-        grpc_set_header Host $host:$server_port;
-      '';
+        proxyPass = "https://[::1]:3013";
+      };
     };
   };
 

modules/databases/postgresql.nix

@@ -17,7 +17,6 @@ in {
   config = lib.mkIf cfg.enable {
     services.postgresql = {
       enable = true;
-      enableJIT = true;
       initdbArgs = [
         "--allow-group-access"
         "--encoding=UTF8"

modules/services/nginx/default.nix

@@ -118,8 +118,12 @@ in {
           serverAliases = [ "www.jdholt.com" ];
           extraConfig = nginxErrorPages + nginxEdgeHeaders + nginxStrictHeaders;
           locations."/skycam/snapshot.jpg" = {
-            proxyPass = "http://skycam.mesh.vimium.net:8080/snapshot";
             extraConfig = ''
+              set $backend "skycam.mesh.vimium.net:8080";
+
+              resolver 100.100.100.100;
+
+              proxy_pass http://$backend/snapshot;
               proxy_cache skycam_cache;
               proxy_cache_valid any 10s;
               proxy_ignore_headers Cache-Control Expires Set-Cookie;