swarsel/.dotfiles
1
0
Fork 0
mirror of https://github.com/Swarsel/.dotfiles.git synced 2025-12-06 09:07:21 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

feat[server]: manage kanidm tls cert
Some checks are pending
Flake check / Check flake (push) Waiting to run
Details

Browse source
This commit is contained in:
Leon Schwarzäugl 2025-11-03 17:11:36 +01:00
parent 638dc6cd95
commit 3b368ec8de
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
3 changed files with 485 additions and 338 deletions
Download patch file Download diff file Expand all files Collapse all files

63
SwarselSystems.org
View file

@ -8788,8 +8788,8 @@ A stupid (but simple) way to get the =originUrl= is to simply set any URL there
To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clientID>/.well-known/oauth-authorization-server, e.g. https://<kanidmDomain>/oauth2/openid/nextcloud/.well-known/oauth-authorization-server, with clienID being the client name as specified in kanidm.
#+begin_src nix-ts :tangle modules/nixos/server/kanidm.nix
{ self, lib, pkgs, config, globals, ... }:
let
{ self, lib, pkgs, config, globals, ... }:
let
certsSopsFile = self + /secrets/certs/secrets.yaml;
inherit (config.swarselsystems) sopsFile;
@ -8806,8 +8806,14 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
forgejoDomain = globals.services.forgejo.domain;
grafanaDomain = globals.services.grafana.domain;
nextcloudDomain = globals.services.nextcloud.domain;
in
{
certBase = "/etc/ssl";
certsDir = "${certBase}/certs";
privateDir = "${certBase}/private";
certPath = "${certsDir}/${serviceName}.crt";
keyPath = "${privateDir}/${serviceName}.key";
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
@ -8838,6 +8844,47 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
globals.services.${serviceName}.domain = serviceDomain;
system.activationScripts."generateSSLCert-${serviceName}" =
let
daysValid = 3650;
renewBeforeDays = 365;
in
{
text = ''
set -eu
${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
need_gen=0
if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then
need_gen=1
else
enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)"
end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
seconds_left=$(( end_epoch - now_epoch ))
days_left=$(( seconds_left / 86400 ))
if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
need_gen=1
fi
fi
if [ "$need_gen" -eq 1 ]; then
${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \
-keyout "${keyPath}" \
-out "${certPath}" \
-subj "/CN=${serviceDomain}" \
-addext "subjectAltName=DNS:${serviceDomain}"
chmod 0644 "${certPath}"
chmod 0600 "${keyPath}"
chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
fi
'';
deps = [ "etc" ];
};
services = {
${serviceName} = {
package = pkgs.kanidmWithSecretProvisioning_1_7;
@ -8845,8 +8892,10 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
serverSettings = {
domain = serviceDomain;
origin = "https://${serviceDomain}";
tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
tls_key = config.sops.secrets.kanidm-self-signed-key.path;
# tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
tls_chain = certPath;
# tls_key = config.sops.secrets.kanidm-self-signed-key.path;
tls_key = keyPath;
bindaddress = "0.0.0.0:${toString servicePort}";
trust_x_forward_for = true;
};
@ -9049,7 +9098,7 @@ To get other URLs (token, etc.), use https://<kanidmDomain>/oauth2/openid/<clien
};
};
};
}
}
#+end_src
**** oauth2-proxy

255
index.html
View file

@ -3,7 +3,7 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
<head>
<!-- 2025-11-02 So 12:29 -->
<!-- 2025-11-03 Mo 17:12 -->
<meta http-equiv="Content-Type" content="text/html;charset=utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>SwarselSystems: NixOS + Emacs Configurationo</title>
@ -209,8 +209,8 @@
<li><a href="#h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02">1.4. Hosts</a></li>
<li><a href="#h:3bb92528-c61c-4b8d-8214-bf2a40baaa32">1.5. Programs</a></li>
<li><a href="#h:191e82b6-6ae5-4ec8-ae6d-dc683ce325d9">1.6. Services</a></li>
<li><a href="#org24c7b51">1.7. Manual steps when setting up a new machine</a></li>
<li><a href="#org88f8510">1.8. Current issues</a></li>
<li><a href="#orgdb1e0b6">1.7. Manual steps when setting up a new machine</a></li>
<li><a href="#org0e21495">1.8. Current issues</a></li>
</ul>
</li>
<li><a href="#h:c7588c0d-2528-485d-b2df-04d6336428d7">2. flake.nix</a>
@ -271,7 +271,7 @@
</li>
<li><a href="#h:28e1a7eb-356b-4015-83f7-9c552c8c0e9d">3.1.2.4. machpizza (MacBook Pro)</a></li>
<li><a href="#h:729af373-37e7-4379-9a3d-b09792219415">3.1.2.5. Magicant (Phone)</a></li>
<li><a href="#org5f762ec">3.1.2.6. Treehouse (DGX Spark)</a></li>
<li><a href="#org265df55">3.1.2.6. Treehouse (DGX Spark)</a></li>
</ul>
</li>
<li><a href="#h:4dc59747-9598-4029-aa7d-92bf186d6c06">3.1.3. Virtual hosts</a>
@ -445,15 +445,15 @@
<li><a href="#h:15b581ab-09fe-4f84-af26-2f1fbf7d726b">3.2.5.8. Hibernation</a></li>
<li><a href="#h:86fb3236-9e18-43f0-8a08-3a2acd61cc98">3.2.5.9. BTRFS</a></li>
<li><a href="#h:bbf2ecb6-c8ff-4462-b5d5-d45b28604ddf">3.2.5.10. work</a></li>
<li><a href="#org4d4148d">3.2.5.11. microvm-host</a></li>
<li><a href="#orgdbde54b">3.2.5.12. microvm-guest</a></li>
<li><a href="#orgf83553a">3.2.5.11. microvm-host</a></li>
<li><a href="#orged413e5">3.2.5.12. microvm-guest</a></li>
</ul>
</li>
</ul>
</li>
<li><a href="#h:08ded95b-9c43-475d-a0b2-fc088a512287">3.3. Home-manager</a>
<ul>
<li><a href="#org664aad5">3.3.1. Steps to setup/upgrade home-manager only</a></li>
<li><a href="#org836d017">3.3.1. Steps to setup/upgrade home-manager only</a></li>
<li><a href="#h:f0a6b5e0-2157-4522-b5e1-3f0abd91c05e">3.3.2. <span class="todo TODO">TODO</span> Common</a>
<ul>
<li><a href="#h:16fd2e85-fdd4-440a-81f0-65b9b098a43a">3.3.2.1. Imports</a></li>
@ -475,7 +475,7 @@
<li><a href="#h:4486b02f-4fb8-432b-bfa2-2e786206341d">3.3.2.12. Sourcing environment variables</a></li>
<li><a href="#h:f0e0b580-2e1c-4ca6-a983-f05d3ebbbcde">3.3.2.13. General Programs: bottom, imv, less, lesspipe, sioyek, bat, carapace, wlogout, swayr, yt-dlp, mpv, jq, nix-index, ripgrep, pandoc, fzf, zoxide, timidity</a></li>
<li><a href="#h:64dbbb9e-8097-4c1b-813c-8c10cf9b9748">3.3.2.14. nix-index</a></li>
<li><a href="#orga79078b">3.3.2.15. nix-your-shell</a></li>
<li><a href="#org891c387">3.3.2.15. nix-your-shell</a></li>
<li><a href="#h:ac0e5e62-0dbf-4782-9a96-9e558eae86ae">3.3.2.16. password-store</a></li>
<li><a href="#h:1ab84307-b3fb-4c32-9def-4b89a53a8547">3.3.2.17. direnv</a></li>
<li><a href="#h:1bd6b0c7-f201-43e2-9624-6c50de00a1f6">3.3.2.18. eza</a></li>
@ -498,12 +498,12 @@
<li><a href="#h:99d05729-df35-4958-9940-3319d6a41359">3.3.2.31.3. Mako</a></li>
<li><a href="#h:388e71be-f00a-4d45-ade1-218ce942057d">3.3.2.31.4. SwayOSD</a></li>
<li><a href="#h:1598c90b-f195-41a0-9132-94612edf3586">3.3.2.31.5. yubikey-touch-detector</a></li>
<li><a href="#org167b13d">3.3.2.31.6. blueman-applet</a></li>
<li><a href="#org7176458">3.3.2.31.7. network-manager-applet</a></li>
<li><a href="#org5685c5c">3.3.2.31.8. obsidian service for tray</a></li>
<li><a href="#org3698e4d">3.3.2.31.9. anki service for tray</a></li>
<li><a href="#org01fbaf4">3.3.2.31.10. element service for tray</a></li>
<li><a href="#orga07e14b">3.3.2.31.11. vesktop service for tray</a></li>
<li><a href="#org546b1c9">3.3.2.31.6. blueman-applet</a></li>
<li><a href="#orgba33f75">3.3.2.31.7. network-manager-applet</a></li>
<li><a href="#org0fb7a1d">3.3.2.31.8. obsidian service for tray</a></li>
<li><a href="#org42ea2da">3.3.2.31.9. anki service for tray</a></li>
<li><a href="#org215cea7">3.3.2.31.10. element service for tray</a></li>
<li><a href="#org08dbb21">3.3.2.31.11. vesktop service for tray</a></li>
</ul>
</li>
<li><a href="#h:02df9dfc-d1af-4a37-a7a0-d8da0af96a20">3.3.2.32. Sway</a></li>
@ -512,17 +512,17 @@
<li><a href="#h:7d384e3b-1be7-4644-b304-ada4af0b692b">3.3.2.35. gpg-agent</a></li>
<li><a href="#h:74e236be-a977-4d38-b8c5-0b9feef8af91">3.3.2.36. gammastep</a></li>
<li><a href="#h:d1fb3075-ad52-4c1b-ba45-5ddbd0d3b708">3.3.2.37. Spicetify</a></li>
<li><a href="#org3c49d3d">3.3.2.38. Obsidian</a></li>
<li><a href="#org8416663">3.3.2.39. Anki</a></li>
<li><a href="#org76002b7">3.3.2.40. Element-desktop</a></li>
<li><a href="#orgc999246">3.3.2.41. Hexchat</a></li>
<li><a href="#org479bb22">3.3.2.42. obs-studio</a></li>
<li><a href="#org21f2297">3.3.2.43. spotify-player</a></li>
<li><a href="#org12a1fb4">3.3.2.44. vesktop</a></li>
<li><a href="#org5886189">3.3.2.45. batsignal</a></li>
<li><a href="#orgeb5759e">3.3.2.46. autotiling</a></li>
<li><a href="#orgc400b7d">3.3.2.47. swayidle</a></li>
<li><a href="#org00e576d">3.3.2.48. swaylock</a></li>
<li><a href="#org9d7e9f9">3.3.2.38. Obsidian</a></li>
<li><a href="#org99dcb02">3.3.2.39. Anki</a></li>
<li><a href="#org2cea79e">3.3.2.40. Element-desktop</a></li>
<li><a href="#org0433212">3.3.2.41. Hexchat</a></li>
<li><a href="#orgd461d44">3.3.2.42. obs-studio</a></li>
<li><a href="#org612fc22">3.3.2.43. spotify-player</a></li>
<li><a href="#orgdea36b4">3.3.2.44. vesktop</a></li>
<li><a href="#org2d5500c">3.3.2.45. batsignal</a></li>
<li><a href="#orgb306512">3.3.2.46. autotiling</a></li>
<li><a href="#org18f8945">3.3.2.47. swayidle</a></li>
<li><a href="#org8cf5711">3.3.2.48. swaylock</a></li>
</ul>
</li>
<li><a href="#h:b1a00339-6e9b-4ae4-b5dc-6fd5669a2ddb">3.3.3. Server</a>
@ -587,8 +587,8 @@
<li><a href="#h:c3362d4e-d3a8-43e8-9ef7-272b6de0572e">3.5.31. swarsel-build</a></li>
<li><a href="#h:95ebfd13-1f6b-427f-950d-e30c1ed6f9fa">3.5.32. swarsel-instantiate</a></li>
<li><a href="#h:02842543-caca-4d4c-a4d2-7ac749b5c136">3.5.33. sshrm</a></li>
<li><a href="#orgf54c20e">3.5.34. endme</a></li>
<li><a href="#org03b4d66">3.5.35. git-replace</a></li>
<li><a href="#org78d05ab">3.5.34. endme</a></li>
<li><a href="#orgfd9792b">3.5.35. git-replace</a></li>
</ul>
</li>
<li><a href="#h:f0f1c961-3e7a-47b8-99ab-1654bb45dffc">3.6. Profiles</a>
@ -597,7 +597,7 @@
<ul>
<li><a href="#h:32d654de-8db2-403a-9a27-4c46d7b9172d">3.6.1.1. Personal</a></li>
<li><a href="#h:b926f0c8-7968-4079-924c-a5d0ae4d3a45">3.6.1.2. Minimal</a></li>
<li><a href="#org196f490">3.6.1.3. Optionals</a></li>
<li><a href="#orga4bff18">3.6.1.3. Optionals</a></li>
<li><a href="#h:b79fbb59-9cf2-48eb-b469-2589223dda95">3.6.1.4. Chaostheatre</a></li>
<li><a href="#h:cb3631a8-9c1b-42f2-ab01-502c7b4c273d">3.6.1.5. Work</a></li>
<li><a href="#h:87a83b10-3c2f-407c-89aa-922ad77748a4">3.6.1.6. Uni</a></li>
@ -608,7 +608,7 @@
<li><a href="#h:ced5841f-c088-4d88-b3a1-7d62aad8837b">3.6.2. home-manager</a>
<ul>
<li><a href="#h:26512487-8c29-4b92-835b-d67394c3f5ef">3.6.2.1. Personal</a></li>
<li><a href="#org7852052">3.6.2.2. DGX Spark</a></li>
<li><a href="#org19e1871">3.6.2.2. DGX Spark</a></li>
<li><a href="#h:0554a271-f8ec-4885-b46f-2a02dfd967bd">3.6.2.3. Optionals</a></li>
<li><a href="#h:26512487-8c29-4b92-835b-d67394c3f5ef">3.6.2.4. Minimal</a></li>
<li><a href="#h:36a0209f-2c17-4808-a1d0-a9e1920c307a">3.6.2.5. Chaostheatre</a></li>
@ -779,7 +779,7 @@
<ul>
<li><a href="#h:b92a18cf-eec3-4605-a8c2-37133ade3574">4.4.39.1. mu4e</a></li>
<li><a href="#h:43209eeb-5d46-472e-b7c2-58a3fb465199">4.4.39.2. mu4e-alert</a></li>
<li><a href="#org29e6a55">4.4.39.3. Work: Signing Mails (S/MIME, smime)</a></li>
<li><a href="#org7d94f05">4.4.39.3. Work: Signing Mails (S/MIME, smime)</a></li>
</ul>
</li>
<li><a href="#h:c760f04e-622f-4b3e-8916-53ca8cce6edc">4.4.40. Calendar</a></li>
@ -794,8 +794,8 @@
</li>
<li><a href="#h:dae0c5bb-edb7-4fe4-ae31-9f8f064cc53c">5. Appendix A: Noweb-Ref blocks</a>
<ul>
<li><a href="#org2aed48c">5.1. General steps when setting up a new machine</a></li>
<li><a href="#org1380fac">5.2. Current patches and fixes</a></li>
<li><a href="#org6c3bc34">5.1. General steps when setting up a new machine</a></li>
<li><a href="#org7eff7db">5.2. Current patches and fixes</a></li>
</ul>
</li>
<li><a href="#h:8fc9f66a-7412-4091-8dee-a06f897baf67">6. Appendix B: Supplementary Files</a>
@ -847,7 +847,7 @@
</div>
</div>
<p>
<b>This file has 97685 words spanning 25221 lines and was last revised on 2025-11-02 12:29:26 +0100.</b>
<b>This file has 97891 words spanning 25270 lines and was last revised on 2025-11-03 17:12:01 +0100.</b>
</p>
<p>
@ -916,7 +916,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry
</p>
<p>
My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-11-02 12:29:26 +0100)
My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-11-03 17:12:01 +0100)
</p></li>
</ul>
@ -1219,8 +1219,8 @@ Here I give a brief overview over the hostmachines that I am using. This is held
</div>
</div>
</div>
<div id="outline-container-org24c7b51" class="outline-3">
<h3 id="org24c7b51"><span class="section-number-3">1.7.</span> Manual steps when setting up a new machine</h3>
<div id="outline-container-orgdb1e0b6" class="outline-3">
<h3 id="orgdb1e0b6"><span class="section-number-3">1.7.</span> Manual steps when setting up a new machine</h3>
<div class="outline-text-3" id="text-1-7">
<div class="org-src-container">
<pre class="src src-markdown">These steps are required when setting up a normal NixOS host:
@ -1263,8 +1263,8 @@ If the new machine is home-manager only, perform these steps:
</div>
</div>
</div>
<div id="outline-container-org88f8510" class="outline-3">
<h3 id="org88f8510"><span class="section-number-3">1.8.</span> Current issues</h3>
<div id="outline-container-org0e21495" class="outline-3">
<h3 id="org0e21495"><span class="section-number-3">1.8.</span> Current issues</h3>
<div class="outline-text-3" id="text-1-8">
<div class="org-src-container">
<pre class="src src-markdown">Currently, these adaptions are made to the configuration to account for bugs in upstream repos:
@ -3779,8 +3779,8 @@ My phone. I use only a minimal config for remote debugging here.
</div>
</div>
</div>
<div id="outline-container-org5f762ec" class="outline-5">
<h5 id="org5f762ec"><span class="section-number-5">3.1.2.6.</span> Treehouse (DGX Spark)</h5>
<div id="outline-container-org265df55" class="outline-5">
<h5 id="org265df55"><span class="section-number-5">3.1.2.6.</span> Treehouse (DGX Spark)</h5>
<div class="outline-text-5" id="text-3-1-2-6">
<div class="org-src-container">
<pre class="src src-nix-ts">{ self, outputs, ... }:
@ -7937,14 +7937,14 @@ in
extraGroups = [ "video" "render" "users" ];
};
nixpkgs.config.packageOverrides = pkgs: {
vaapiIntel = pkgs.vaapiIntel.override { enableHybridCodec = true; };
intel-vaapi-driver = pkgs.intel-vaapi-driver.override { enableHybridCodec = true; };
};
hardware.graphics = {
enable = true;
extraPackages = with pkgs; [
intel-media-driver # LIBVA_DRIVER_NAME=iHD
vaapiIntel # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
vaapiVdpau
intel-vaapi-driver # LIBVA_DRIVER_NAME=i965 (older but works better for Firefox/Chromium)
libva-vdpau-driver
libvdpau-va-gl
];
};
@ -8785,7 +8785,7 @@ in
services.${serviceName} = {
enable = true;
package = pkgs.stable.immich;
package = pkgs.immich;
host = "0.0.0.0";
port = servicePort;
openFirewall = true;
@ -10157,6 +10157,12 @@ let
forgejoDomain = globals.services.forgejo.domain;
grafanaDomain = globals.services.grafana.domain;
nextcloudDomain = globals.services.nextcloud.domain;
certBase = "/etc/ssl";
certsDir = "${certBase}/certs";
privateDir = "${certBase}/private";
certPath = "${certsDir}/${serviceName}.crt";
keyPath = "${privateDir}/${serviceName}.key";
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -10189,6 +10195,47 @@ in
globals.services.${serviceName}.domain = serviceDomain;
system.activationScripts."generateSSLCert-${serviceName}" =
let
daysValid = 3650;
renewBeforeDays = 365;
in
{
text = ''
set -eu
${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
need_gen=0
if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then
need_gen=1
else
enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)"
end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
seconds_left=$(( end_epoch - now_epoch ))
days_left=$(( seconds_left / 86400 ))
if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
need_gen=1
fi
fi
if [ "$need_gen" -eq 1 ]; then
${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \
-keyout "${keyPath}" \
-out "${certPath}" \
-subj "/CN=${serviceDomain}" \
-addext "subjectAltName=DNS:${serviceDomain}"
chmod 0644 "${certPath}"
chmod 0600 "${keyPath}"
chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
fi
'';
deps = [ "etc" ];
};
services = {
${serviceName} = {
package = pkgs.kanidmWithSecretProvisioning_1_7;
@ -10196,8 +10243,10 @@ in
serverSettings = {
domain = serviceDomain;
origin = "https://${serviceDomain}";
tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
tls_key = config.sops.secrets.kanidm-self-signed-key.path;
# tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
tls_chain = certPath;
# tls_key = config.sops.secrets.kanidm-self-signed-key.path;
tls_key = keyPath;
bindaddress = "0.0.0.0:${toString servicePort}";
trust_x_forward_for = true;
};
@ -12251,8 +12300,8 @@ in
</div>
</div>
</div>
<div id="outline-container-org4d4148d" class="outline-5">
<h5 id="org4d4148d"><span class="section-number-5">3.2.5.11.</span> microvm-host</h5>
<div id="outline-container-orgf83553a" class="outline-5">
<h5 id="orgf83553a"><span class="section-number-5">3.2.5.11.</span> microvm-host</h5>
<div class="outline-text-5" id="text-3-2-5-11">
<p>
Some standard options that should be set for every microvm host.
@ -12278,8 +12327,8 @@ Some standard options that should be set for every microvm host.
</div>
</div>
</div>
<div id="outline-container-orgdbde54b" class="outline-5">
<h5 id="orgdbde54b"><span class="section-number-5">3.2.5.12.</span> microvm-guest</h5>
<div id="outline-container-orged413e5" class="outline-5">
<h5 id="orged413e5"><span class="section-number-5">3.2.5.12.</span> microvm-guest</h5>
<div class="outline-text-5" id="text-3-2-5-12">
<p>
Some standard options that should be set vor every microvm guest. We set the default
@ -12376,8 +12425,8 @@ in
</pre>
</div>
</div>
<div id="outline-container-org664aad5" class="outline-4">
<h4 id="org664aad5"><span class="section-number-4">3.3.1.</span> Steps to setup/upgrade home-manager only</h4>
<div id="outline-container-org836d017" class="outline-4">
<h4 id="org836d017"><span class="section-number-4">3.3.1.</span> Steps to setup/upgrade home-manager only</h4>
<div class="outline-text-4" id="text-3-3-1">
<p>
Steps to get a home-manager only setup up and running:
@ -13405,8 +13454,8 @@ nix-index provides a way to find out which packages are provided by which deriva
</div>
</div>
</div>
<div id="outline-container-orga79078b" class="outline-5">
<h5 id="orga79078b"><span class="section-number-5">3.3.2.15.</span> nix-your-shell</h5>
<div id="outline-container-org891c387" class="outline-5">
<h5 id="org891c387"><span class="section-number-5">3.3.2.15.</span> nix-your-shell</h5>
<div class="outline-text-5" id="text-3-3-2-15">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, ... }:
@ -15131,8 +15180,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
</div>
</div>
</div>
<div id="outline-container-org167b13d" class="outline-6">
<h6 id="org167b13d"><span class="section-number-6">3.3.2.31.6.</span> blueman-applet</h6>
<div id="outline-container-org546b1c9" class="outline-6">
<h6 id="org546b1c9"><span class="section-number-6">3.3.2.31.6.</span> blueman-applet</h6>
<div class="outline-text-6" id="text-3-3-2-31-6">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, ... }:
@ -15146,8 +15195,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
</div>
</div>
</div>
<div id="outline-container-org7176458" class="outline-6">
<h6 id="org7176458"><span class="section-number-6">3.3.2.31.7.</span> network-manager-applet</h6>
<div id="outline-container-orgba33f75" class="outline-6">
<h6 id="orgba33f75"><span class="section-number-6">3.3.2.31.7.</span> network-manager-applet</h6>
<div class="outline-text-6" id="text-3-3-2-31-7">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, ... }:
@ -15162,8 +15211,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
</div>
</div>
</div>
<div id="outline-container-org5685c5c" class="outline-6">
<h6 id="org5685c5c"><span class="section-number-6">3.3.2.31.8.</span> obsidian service for tray</h6>
<div id="outline-container-org0fb7a1d" class="outline-6">
<h6 id="org0fb7a1d"><span class="section-number-6">3.3.2.31.8.</span> obsidian service for tray</h6>
<div class="outline-text-6" id="text-3-3-2-31-8">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, ... }:
@ -15197,8 +15246,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
</div>
</div>
</div>
<div id="outline-container-org3698e4d" class="outline-6">
<h6 id="org3698e4d"><span class="section-number-6">3.3.2.31.9.</span> anki service for tray</h6>
<div id="outline-container-org42ea2da" class="outline-6">
<h6 id="org42ea2da"><span class="section-number-6">3.3.2.31.9.</span> anki service for tray</h6>
<div class="outline-text-6" id="text-3-3-2-31-9">
<p>
Sets up a systemd user service for anki that does not stall the shutdown process. Note that the outcommented <code>ExecStart</code> does not work because the home-manager anki package builds a separate anki package that - I think - cannot be referenced as no such expression exists in the module.
@ -15245,8 +15294,8 @@ Sets up a systemd user service for anki that does not stall the shutdown process
</div>
</div>
</div>
<div id="outline-container-org01fbaf4" class="outline-6">
<h6 id="org01fbaf4"><span class="section-number-6">3.3.2.31.10.</span> element service for tray</h6>
<div id="outline-container-org215cea7" class="outline-6">
<h6 id="org215cea7"><span class="section-number-6">3.3.2.31.10.</span> element service for tray</h6>
<div class="outline-text-6" id="text-3-3-2-31-10">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@ -15280,8 +15329,8 @@ Sets up a systemd user service for anki that does not stall the shutdown process
</div>
</div>
</div>
<div id="outline-container-orga07e14b" class="outline-6">
<h6 id="orga07e14b"><span class="section-number-6">3.3.2.31.11.</span> vesktop service for tray</h6>
<div id="outline-container-org08dbb21" class="outline-6">
<h6 id="org08dbb21"><span class="section-number-6">3.3.2.31.11.</span> vesktop service for tray</h6>
<div class="outline-text-6" id="text-3-3-2-31-11">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@ -16212,8 +16261,8 @@ in
</div>
</div>
</div>
<div id="outline-container-org3c49d3d" class="outline-5">
<h5 id="org3c49d3d"><span class="section-number-5">3.3.2.38.</span> Obsidian</h5>
<div id="outline-container-org9d7e9f9" class="outline-5">
<h5 id="org9d7e9f9"><span class="section-number-5">3.3.2.38.</span> Obsidian</h5>
<div class="outline-text-5" id="text-3-3-2-38">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, pkgs, nixosConfig ? config, ... }:
@ -16373,8 +16422,8 @@ in
</div>
</div>
</div>
<div id="outline-container-org8416663" class="outline-5">
<h5 id="org8416663"><span class="section-number-5">3.3.2.39.</span> Anki</h5>
<div id="outline-container-org99dcb02" class="outline-5">
<h5 id="org99dcb02"><span class="section-number-5">3.3.2.39.</span> Anki</h5>
<div class="outline-text-5" id="text-3-3-2-39">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, pkgs, globals, inputs, nixosConfig ? config, ... }:
@ -16447,8 +16496,8 @@ in
</div>
</div>
</div>
<div id="outline-container-org76002b7" class="outline-5">
<h5 id="org76002b7"><span class="section-number-5">3.3.2.40.</span> Element-desktop</h5>
<div id="outline-container-org2cea79e" class="outline-5">
<h5 id="org2cea79e"><span class="section-number-5">3.3.2.40.</span> Element-desktop</h5>
<div class="outline-text-5" id="text-3-3-2-40">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, ... }:
@ -16484,8 +16533,8 @@ in
</div>
</div>
</div>
<div id="outline-container-orgc999246" class="outline-5">
<h5 id="orgc999246"><span class="section-number-5">3.3.2.41.</span> Hexchat</h5>
<div id="outline-container-org0433212" class="outline-5">
<h5 id="org0433212"><span class="section-number-5">3.3.2.41.</span> Hexchat</h5>
<div class="outline-text-5" id="text-3-3-2-41">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, nixosConfig ? config, ... }:
@ -16509,8 +16558,8 @@ in
</div>
</div>
</div>
<div id="outline-container-org479bb22" class="outline-5">
<h5 id="org479bb22"><span class="section-number-5">3.3.2.42.</span> obs-studio</h5>
<div id="outline-container-orgd461d44" class="outline-5">
<h5 id="orgd461d44"><span class="section-number-5">3.3.2.42.</span> obs-studio</h5>
<div class="outline-text-5" id="text-3-3-2-42">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, ... }:
@ -16530,8 +16579,8 @@ in
</div>
</div>
</div>
<div id="outline-container-org21f2297" class="outline-5">
<h5 id="org21f2297"><span class="section-number-5">3.3.2.43.</span> spotify-player</h5>
<div id="outline-container-org612fc22" class="outline-5">
<h5 id="org612fc22"><span class="section-number-5">3.3.2.43.</span> spotify-player</h5>
<div class="outline-text-5" id="text-3-3-2-43">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, ... }:
@ -16551,8 +16600,8 @@ in
</div>
</div>
</div>
<div id="outline-container-org12a1fb4" class="outline-5">
<h5 id="org12a1fb4"><span class="section-number-5">3.3.2.44.</span> vesktop</h5>
<div id="outline-container-orgdea36b4" class="outline-5">
<h5 id="orgdea36b4"><span class="section-number-5">3.3.2.44.</span> vesktop</h5>
<div class="outline-text-5" id="text-3-3-2-44">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, pkgs, config, ... }:
@ -16639,8 +16688,8 @@ in
</div>
</div>
</div>
<div id="outline-container-org5886189" class="outline-5">
<h5 id="org5886189"><span class="section-number-5">3.3.2.45.</span> batsignal</h5>
<div id="outline-container-org2d5500c" class="outline-5">
<h5 id="org2d5500c"><span class="section-number-5">3.3.2.45.</span> batsignal</h5>
<div class="outline-text-5" id="text-3-3-2-45">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, ... }:
@ -16672,8 +16721,8 @@ in
</div>
</div>
</div>
<div id="outline-container-orgeb5759e" class="outline-5">
<h5 id="orgeb5759e"><span class="section-number-5">3.3.2.46.</span> autotiling</h5>
<div id="outline-container-orgb306512" class="outline-5">
<h5 id="orgb306512"><span class="section-number-5">3.3.2.46.</span> autotiling</h5>
<div class="outline-text-5" id="text-3-3-2-46">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, ... }:
@ -16694,8 +16743,8 @@ in
</div>
</div>
</div>
<div id="outline-container-orgc400b7d" class="outline-5">
<h5 id="orgc400b7d"><span class="section-number-5">3.3.2.47.</span> swayidle</h5>
<div id="outline-container-org18f8945" class="outline-5">
<h5 id="org18f8945"><span class="section-number-5">3.3.2.47.</span> swayidle</h5>
<div class="outline-text-5" id="text-3-3-2-47">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@ -16736,8 +16785,8 @@ in
</div>
</div>
</div>
<div id="outline-container-org00e576d" class="outline-5">
<h5 id="org00e576d"><span class="section-number-5">3.3.2.48.</span> swaylock</h5>
<div id="outline-container-org8cf5711" class="outline-5">
<h5 id="org8cf5711"><span class="section-number-5">3.3.2.48.</span> swaylock</h5>
<div class="outline-text-5" id="text-3-3-2-48">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, pkgs, ... }:
@ -19959,8 +20008,8 @@ writeShellApplication {
</div>
</div>
</div>
<div id="outline-container-orgf54c20e" class="outline-4">
<h4 id="orgf54c20e"><span class="section-number-4">3.5.34.</span> endme</h4>
<div id="outline-container-org78d05ab" class="outline-4">
<h4 id="org78d05ab"><span class="section-number-4">3.5.34.</span> endme</h4>
<div class="outline-text-4" id="text-3-5-34">
<p>
Sometimes my DE crashes after putting it to suspend - to be precise, it happens when I put it into suspend when I have multiple screens plugged in. I have never taken the time to debug the issue, but instead just switch to a different TTY and then use this script to kill the hanging session.
@ -19981,8 +20030,8 @@ writeShellApplication {
</div>
</div>
</div>
<div id="outline-container-org03b4d66" class="outline-4">
<h4 id="org03b4d66"><span class="section-number-4">3.5.35.</span> git-replace</h4>
<div id="outline-container-orgfd9792b" class="outline-4">
<h4 id="orgfd9792b"><span class="section-number-4">3.5.35.</span> git-replace</h4>
<div class="outline-text-4" id="text-3-5-35">
<p>
This script allows for quick git replace of a string.
@ -20198,8 +20247,8 @@ in
</div>
</div>
</div>
<div id="outline-container-org196f490" class="outline-5">
<h5 id="org196f490"><span class="section-number-5">3.6.1.3.</span> Optionals</h5>
<div id="outline-container-orga4bff18" class="outline-5">
<h5 id="orga4bff18"><span class="section-number-5">3.6.1.3.</span> Optionals</h5>
<div class="outline-text-5" id="text-3-6-1-3">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, ... }:
@ -20495,8 +20544,8 @@ in
</div>
</div>
</div>
<div id="outline-container-org7852052" class="outline-5">
<h5 id="org7852052"><span class="section-number-5">3.6.2.2.</span> DGX Spark</h5>
<div id="outline-container-org19e1871" class="outline-5">
<h5 id="org19e1871"><span class="section-number-5">3.6.2.2.</span> DGX Spark</h5>
<div class="outline-text-5" id="text-3-6-2-2">
<div class="org-src-container">
<pre class="src src-nix-ts">{ lib, config, ... }:
@ -24206,8 +24255,8 @@ This adds the simple utility of sending desktop notifications whenever a new mai
</div>
</div>
</div>
<div id="outline-container-org29e6a55" class="outline-5">
<h5 id="org29e6a55"><span class="section-number-5">4.4.39.3.</span> Work: Signing Mails (S/MIME, smime)</h5>
<div id="outline-container-org7d94f05" class="outline-5">
<h5 id="org7d94f05"><span class="section-number-5">4.4.39.3.</span> Work: Signing Mails (S/MIME, smime)</h5>
<div class="outline-text-5" id="text-4-4-39-3">
<p>
Used to automatically sign messages sent from my work email address using S/MIME certificate.
@ -24491,8 +24540,8 @@ Also see `prot-window-delete-popup-frame'." command)
This sections is no longer used really. An introduction can be found in <a href="#h:bcc3ebbe-df8a-46bd-b42d-73aad6fc66e5">Structure of this file</a> under the historical note. The little noweb-ref blocks that I still use are found in <a href="#h:48e0cb2c-e412-4ae3-a244-80a8c09dbb02">Hosts</a> and <a href="#h:3bb92528-c61c-4b8d-8214-bf2a40baaa32">Services</a>.
</p>
</div>
<div id="outline-container-org2aed48c" class="outline-3">
<h3 id="org2aed48c"><span class="section-number-3">5.1.</span> General steps when setting up a new machine</h3>
<div id="outline-container-org6c3bc34" class="outline-3">
<h3 id="org6c3bc34"><span class="section-number-3">5.1.</span> General steps when setting up a new machine</h3>
<div class="outline-text-3" id="text-5-1">
<p>
These general steps are needed when setting up a new machine and do not fit into another block well:
@ -24505,8 +24554,8 @@ These general steps are needed when setting up a new machine and do not fit into
</div>
</div>
</div>
<div id="outline-container-org1380fac" class="outline-3">
<h3 id="org1380fac"><span class="section-number-3">5.2.</span> Current patches and fixes</h3>
<div id="outline-container-org7eff7db" class="outline-3">
<h3 id="org7eff7db"><span class="section-number-3">5.2.</span> Current patches and fixes</h3>
<div class="outline-text-3" id="text-5-2">
<p>
These are current deviations from the standard settings that I take while some things are broken upstream
@ -27466,7 +27515,7 @@ similarly, there exists an version that starts from the right.
</div>
<div id="postamble" class="status">
<p class="author">Author: Leon Schwarzäugl</p>
<p class="date">Created: 2025-11-02 So 12:29</p>
<p class="date">Created: 2025-11-03 Mo 17:12</p>
<p class="validation"><a href="https://validator.w3.org/check?uri=referer">Validate</a></p>
</div>
</body>

53
modules/nixos/server/kanidm.nix
View file

@ -16,6 +16,12 @@ let
forgejoDomain = globals.services.forgejo.domain;
grafanaDomain = globals.services.grafana.domain;
nextcloudDomain = globals.services.nextcloud.domain;
certBase = "/etc/ssl";
certsDir = "${certBase}/certs";
privateDir = "${certBase}/private";
certPath = "${certsDir}/${serviceName}.crt";
keyPath = "${privateDir}/${serviceName}.key";
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
@ -48,6 +54,47 @@ in
globals.services.${serviceName}.domain = serviceDomain;
system.activationScripts."generateSSLCert-${serviceName}" =
let
daysValid = 3650;
renewBeforeDays = 365;
in
{
text = ''
set -eu
${pkgs.coreutils}/bin/install -d -m 0755 ${certsDir}
${pkgs.coreutils}/bin/install -d -m 0750 ${privateDir}
need_gen=0
if [ ! -f "${certPath}" ] || [ ! -f "${keyPath}" ]; then
need_gen=1
else
enddate="$(${pkgs.openssl}/bin/openssl x509 -noout -enddate -in "${certPath}" | cut -d= -f2)"
end_epoch="$(${pkgs.coreutils}/bin/date -d "$enddate" +%s)"
now_epoch="$(${pkgs.coreutils}/bin/date +%s)"
seconds_left=$(( end_epoch - now_epoch ))
days_left=$(( seconds_left / 86400 ))
if [ "$days_left" -lt ${toString renewBeforeDays} ]; then
need_gen=1
fi
fi
if [ "$need_gen" -eq 1 ]; then
${pkgs.openssl}/bin/openssl req -x509 -nodes -days ${toString daysValid} -newkey rsa:4096 -sha256 \
-keyout "${keyPath}" \
-out "${certPath}" \
-subj "/CN=${serviceDomain}" \
-addext "subjectAltName=DNS:${serviceDomain}"
chmod 0644 "${certPath}"
chmod 0600 "${keyPath}"
chown ${serviceUser}:${serviceGroup} "${certPath}" "${keyPath}"
fi
'';
deps = [ "etc" ];
};
services = {
${serviceName} = {
package = pkgs.kanidmWithSecretProvisioning_1_7;
@ -55,8 +102,10 @@ in
serverSettings = {
domain = serviceDomain;
origin = "https://${serviceDomain}";
tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
tls_key = config.sops.secrets.kanidm-self-signed-key.path;
# tls_chain = config.sops.secrets.kanidm-self-signed-crt.path;
tls_chain = certPath;
# tls_key = config.sops.secrets.kanidm-self-signed-key.path;
tls_key = keyPath;
bindaddress = "0.0.0.0:${toString servicePort}";
trust_x_forward_for = true;
};