diff --git a/SwarselSystems.org b/SwarselSystems.org index c1e36d8..41cc73f 100644 --- a/SwarselSystems.org +++ b/SwarselSystems.org @@ -1268,12 +1268,18 @@ This machine mainly acts as an external sync helper. It manages the following th All of these are processes that use little cpu but can take a lot of storage. For this I use a free Ampere instance from OCI with 50G of space. In case my account gets terminated, all of this data is easily replaceable or backed up regularly anyways. #+begin_src nix :tangle hosts/nixos/sync/default.nix - { lib, primaryUser, ... }: + { lib, primaryUser, inputs, ... }: let sharedOptions = { isBtrfs = false; isLinux = true; }; + secretsDirectory = builtins.toString inputs.nix-secrets; + workHostName = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-hostname"; + dev1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev1"; + dev2 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev2"; + dev3 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev3"; + loc1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/loc1"; in { imports = [ @@ -1296,7 +1302,7 @@ This machine mainly acts as an external sync helper. It manages the following th enableIPv6 = false; domain = "subnet03112148.vcn03112148.oraclevcn.com"; firewall = { - allowedTCPPorts = [ 8384 22000 ]; + allowedTCPPorts = [ 80 443 8384 9812 22000 27701 ]; allowedUDPPorts = [ 21027 22000 ]; extraCommands = '' iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT @@ -1312,7 +1318,7 @@ This machine mainly acts as an external sync helper. It manages the following th }; }; - system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change + system.stateVersion = "23.11"; services = { nginx = { 
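Review bot: The values pulled in with `lib.swarselsystems.getSecret` (`workHostName`, `dev1`–`dev3`, `loc1`) are read at evaluation time and interpolated straight into `services.syncthing.settings`, so as far as I can tell they leave the private nix-secrets repo and end up in the target host's Nix store (the NixOS syncthing module pushes the settings to the daemon from a generated script), readable by any local user on the instance. That is acceptable if the intent is only to keep the names out of the public repo, but it should be stated so nobody later routes a real credential through the same helper; I would add above `secretsDirectory`: `# Evaluation-time "secrets": these land in the Nix store on the target host (world-readable). Only for values that merely must stay out of the public repo, never for credentials.` The Syncthing device IDs that follow are public certificate fingerprints, so leaving those in the open is consistent with that.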
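Review bot: Port 8384 — the Syncthing GUI/REST API — and two undocumented ports, 9812 and 27701, are now opened on the public interface of this OCI instance, and nothing in the hunk says what listens on the latter two, while the `extraCommands` iptables rules just below form a second, hand-maintained port list that can drift from this one. Each entry should carry a comment naming its service so it can be retired later, e.g. `allowedTCPPorts = [ 80 443 8384 9812 22000 27701 ]; # nginx (80/443), syncthing gui (8384), <service> (9812), syncthing transfer (22000), <service> (27701)`. I would also question whether 8384 needs to be reachable from the internet at all when nginx vhosts are configured on this host; serving the GUI behind a TLS vhost and dropping 8384 from this list is the usual shape.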
@@ -1333,11 +1339,83 @@ This machine mainly acts as an external sync helper. It manages the following th }; }; - # do not manage OCI syncthing through nix config syncthing = { enable = true; guiAddress = "0.0.0.0:8384"; openDefaultPorts = true; + relay.enable = false; + settings = { + urAccepted = -1; + devices = { + "magicant" = { + id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO"; + }; + "winters" = { + id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; + }; + "${workHostName}" = { + id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB"; + }; + "${dev1}" = { + id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7"; + }; + "${dev2}" = { + id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH"; + }; + "${dev3}" = { + id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR"; + }; + }; + folders = { + "Default Folder" = lib.mkForce { + path = "/var/lib/syncthing/Sync"; + type = "receiveonly"; + versioning = null; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "default"; + }; + "Obsidian" = { + path = "/var/lib/syncthing/Obsidian"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "yjvni-9eaa7"; + }; + "Org" = { + path = "/var/lib/syncthing/Org"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "a7xnl-zjj3d"; + }; + "Vpn" = { + path = "/var/lib/syncthing/Vpn"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "hgp9s-fyq3p"; + }; + "${loc1}" = { + path = "/var/lib/syncthing/${loc1}"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "3"; + }; + devices = [ dev1 dev2 dev3 ]; + id = "5gsxv-rzzst"; + }; + }; + }; }; }; 
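Review bot: `guiAddress = "0.0.0.0:8384"` binds the Syncthing web UI and REST API on every interface of a public OCI instance, the firewall hunk above allows 8384, and nothing in this hunk configures GUI credentials — an unauthenticated GUI gives full control over every folder and device listed here. Either bind it locally with `guiAddress = "127.0.0.1:8384";` and reach it through an nginx vhost with TLS and authentication, or at minimum add `settings.gui = { user = "..."; password = "<bcrypt hash, ideally from sops>"; };` (the freeform `settings` attrset is sent to the REST API, so a `gui` section should be honoured — verify on this nixpkgs revision) and leave `insecureAdminAccess` unset. The device IDs are public certificate fingerprints, so keeping only the device names behind getSecret is consistent, but a one-line comment saying so (`# device IDs are public key fingerprints; only the host names are kept out of the repo`) would stop someone from "fixing" it later. The same remarks apply to the tangled copy in hosts/nixos/sync/default.nix.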
@@ -2993,6 +3071,9 @@ This program sets up a new NixOS host remotely. It also takes care of secret man rm modules/home/common/yubikey.nix rm modules/nixos/server/restic.nix rm modules/nixos/common/home-manager-extra.nix + rm hosts/nixos/sync/default.nix + rm -rf modules/nixos/server + rm -rf modules/home/server nix flake update vbc-nix git add . else 
@@ -3025,219 +3106,220 @@ This program sets up a new NixOS host remotely. It also takes care of secret man Autoformatting always puts the =EOF= with indentation, which makes shfmt check fail. When editing this block, unindent them manually. #+begin_src shell :tangle scripts/swarsel-install.sh -set -eo pipefail + set -eo pipefail -target_config="chaostheatre" -target_hostname="chaostheatre" -target_user="swarsel" -persist_dir="" -target_disk="/dev/vda" -disk_encryption=0 + target_config="chaostheatre" + target_hostname="chaostheatre" + target_user="swarsel" + persist_dir="" + target_disk="/dev/vda" + disk_encryption=0 -function help_and_exit() { - echo - echo "Locally installs SwarselSystem on this machine." - echo - echo "USAGE: $0 -n -d [OPTIONS]" - echo - echo "ARGS:" - echo " -n specify the nixos config to deploy." - echo " Default: chaostheatre" - echo " -d specify disk to install on." - echo " Default: /dev/vda" - echo " -u specify user to deploy for." - echo " Default: swarsel" - echo " -h | --help Print this help." - exit 0 -} + function help_and_exit() { + echo + echo "Locally installs SwarselSystem on this machine." + echo + echo "USAGE: $0 -n -d [OPTIONS]" + echo + echo "ARGS:" + echo " -n specify the nixos config to deploy." + echo " Default: chaostheatre" + echo " -d specify disk to install on." + echo " Default: /dev/vda" + echo " -u specify user to deploy for." + echo " Default: swarsel" + echo " -h | --help Print this help." + exit 0 + } -function red() { - echo -e "\x1B[31m[!] $1 \x1B[0m" - if [ -n "${2-}" ]; then - echo -e "\x1B[31m[!] $($2) \x1B[0m" - fi -} -function green() { - echo -e "\x1B[32m[+] $1 \x1B[0m" - if [ -n "${2-}" ]; then - echo -e "\x1B[32m[+] $($2) \x1B[0m" - fi -} -function yellow() { - echo -e "\x1B[33m[*] $1 \x1B[0m" - if [ -n "${2-}" ]; then - echo -e "\x1B[33m[*] $($2) \x1B[0m" - fi -} + function red() { + echo -e "\x1B[31m[!] $1 \x1B[0m" + if [ -n "${2-}" ]; then + echo -e "\x1B[31m[!] 
$($2) \x1B[0m" + fi + } + function green() { + echo -e "\x1B[32m[+] $1 \x1B[0m" + if [ -n "${2-}" ]; then + echo -e "\x1B[32m[+] $($2) \x1B[0m" + fi + } + function yellow() { + echo -e "\x1B[33m[*] $1 \x1B[0m" + if [ -n "${2-}" ]; then + echo -e "\x1B[33m[*] $($2) \x1B[0m" + fi + } -while [[ $# -gt 0 ]]; do - case "$1" in - -n) - shift - target_config=$1 - target_hostname=$1 - ;; - -u) - shift - target_user=$1 - ;; - -d) - shift - target_disk=$1 - ;; - -h | --help) help_and_exit ;; - ,*) - echo "Invalid option detected." - help_and_exit - ;; - esac - shift -done + while [[ $# -gt 0 ]]; do + case "$1" in + -n) + shift + target_config=$1 + target_hostname=$1 + ;; + -u) + shift + target_user=$1 + ;; + -d) + shift + target_disk=$1 + ;; + -h | --help) help_and_exit ;; + ,*) + echo "Invalid option detected." + help_and_exit + ;; + esac + shift + done -function cleanup() { - sudo rm -rf .cache/nix - sudo rm -rf /root/.cache/nix -} -trap cleanup exit + function cleanup() { + sudo rm -rf .cache/nix + sudo rm -rf /root/.cache/nix + } + trap cleanup exit -green "~SwarselSystems~ local installer" + green "~SwarselSystems~ local installer" -cd /home/"$target_user" + cd /home/"$target_user" -sudo rm -rf /root/.cache/nix -sudo rm -rf .cache/nix -sudo rm -rf .dotfiles + sudo rm -rf /root/.cache/nix + sudo rm -rf .cache/nix + sudo rm -rf .dotfiles -green "Cloning repository from GitHub" -git clone https://github.com/Swarsel/.dotfiles.git + green "Cloning repository from GitHub" + git clone https://github.com/Swarsel/.dotfiles.git -local_keys=$(ssh-add -L || true) -pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub) -read -ra pub_arr <<< "$pub_key" + local_keys=$(ssh-add -L || true) + pub_key=$(cat /home/"$target_user"/.dotfiles/secrets/keys/ssh/yubikey.pub) + read -ra pub_arr <<< "$pub_key" -cd .dotfiles -if [[ $local_keys != *"${pub_arr[1]}"* ]]; then - yellow "The ssh key for this configuration is not available." 
- green "Adjusting flake.nix so that the configuration is buildable ..." - sed -i '/nix-secrets = {/,/^[[:space:]]*};/d' flake.nix - sed -i '/vbc-nix = {/,/^[[:space:]]*};/d' flake.nix - sed -i '/[[:space:]]*\/\/ (inputs.vbc-nix.overlays.default final prev)/d' overlays/default.nix - rm modules/home/common/env.nix - rm modules/home/common/gammastep.nix - rm modules/home/common/git.nix - rm modules/home/common/mail.nix - rm modules/home/common/yubikey.nix - rm modules/nixos/server/restic.nix - rm modules/nixos/common/home-manager-extra.nix - rm -rf modules/nixos/server - rm -rf modules/home/server - cat > hosts/nixos/chaostheatre/options.nix << EOF - { self, lib, ... }: - { - options = { - swarselsystems = { - modules = { - home-managerExtra = lib.mkEnableOption "dummy option for chaostheatre"; + cd .dotfiles + if [[ $local_keys != *"${pub_arr[1]}"* ]]; then + yellow "The ssh key for this configuration is not available." + green "Adjusting flake.nix so that the configuration is buildable ..." + sed -i '/nix-secrets = {/,/^[[:space:]]*};/d' flake.nix + sed -i '/vbc-nix = {/,/^[[:space:]]*};/d' flake.nix + sed -i '/[[:space:]]*\/\/ (inputs.vbc-nix.overlays.default final prev)/d' overlays/default.nix + rm modules/home/common/env.nix + rm modules/home/common/gammastep.nix + rm modules/home/common/git.nix + rm modules/home/common/mail.nix + rm modules/home/common/yubikey.nix + rm modules/nixos/server/restic.nix + rm modules/nixos/common/home-manager-extra.nix + rm hosts/nixos/sync/default.nix + rm -rf modules/nixos/server + rm -rf modules/home/server + cat > hosts/nixos/chaostheatre/options.nix << EOF + { self, lib, ... }: + { + options = { + swarselsystems = { + modules = { + home-managerExtra = lib.mkEnableOption "dummy option for chaostheatre"; + }; + }; + }; + } + EOF + cat > hosts/nixos/chaostheatre/options-home.nix << EOF + { self, lib, ... 
}: + { + options = { + swarselsystems = { + modules = { + yubikey = lib.mkEnableOption "dummy option for chaostheatre"; + env = lib.mkEnableOption "dummy option for chaostheatre"; + git = lib.mkEnableOption "dummy option for chaostheatre"; + mail = lib.mkEnableOption "dummy option for chaostheatre"; + gammastep = lib.mkEnableOption "dummy option for chaostheatre"; + }; }; }; - }; - } -EOF - cat > hosts/nixos/chaostheatre/options-home.nix << EOF - { self, lib, ... }: - { - options = { - swarselsystems = { - modules = { - yubikey = lib.mkEnableOption "dummy option for chaostheatre"; - env = lib.mkEnableOption "dummy option for chaostheatre"; - git = lib.mkEnableOption "dummy option for chaostheatre"; - mail = lib.mkEnableOption "dummy option for chaostheatre"; - gammastep = lib.mkEnableOption "dummy option for chaostheatre"; - }; - }; - }; - } -EOF - nix flake update vbc-nix - git add . -else - green "Valid SSH key found! Continuing with installation" -fi + } + EOF + nix flake update vbc-nix + git add . + else + green "Valid SSH key found! Continuing with installation" + fi -green "Reading system information for $target_config ..." -DISK="$(nix eval --raw ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.rootDisk)" -green "Root Disk in config: $DISK - Root Disk passed in cli: $target_disk" + green "Reading system information for $target_config ..." 
+ DISK="$(nix eval --raw ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.rootDisk)" + green "Root Disk in config: $DISK - Root Disk passed in cli: $target_disk" -CRYPTED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isCrypted)" -if [[ $CRYPTED == "true" ]]; then - green "Encryption: ✓" - disk_encryption=1 -else - red "Encryption: X" - disk_encryption=0 -fi + CRYPTED="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isCrypted)" + if [[ $CRYPTED == "true" ]]; then + green "Encryption: ✓" + disk_encryption=1 + else + red "Encryption: X" + disk_encryption=0 + fi -IMPERMANENCE="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isImpermanence)" -if [[ $IMPERMANENCE == "true" ]]; then - green "Impermanence: ✓" - persist_dir="/persist" -else - red "Impermanence: X" - persist_dir="" -fi + IMPERMANENCE="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isImpermanence)" + if [[ $IMPERMANENCE == "true" ]]; then + green "Impermanence: ✓" + persist_dir="/persist" + else + red "Impermanence: X" + persist_dir="" + fi -SWAP="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSwap)" -if [[ $SWAP == "true" ]]; then - green "Swap: ✓" -else - red "Swap: X" -fi + SWAP="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSwap)" + if [[ $SWAP == "true" ]]; then + green "Swap: ✓" + else + red "Swap: X" + fi -SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)" -if [[ $SECUREBOOT == "true" ]]; then - green "Secure Boot: ✓" -else - red "Secure Boot: X" -fi + SECUREBOOT="$(nix eval ~/.dotfiles#nixosConfigurations."$target_hostname".config.swarselsystems.isSecureBoot)" + if [[ $SECUREBOOT == "true" ]]; then + green "Secure Boot: ✓" + else + red "Secure Boot: X" + fi -if [ "$disk_encryption" -eq 1 ]; then 
- while true; do - green "Set disk encryption passphrase:" - read -rs luks_passphrase - green "Please confirm passphrase:" - read -rs luks_passphrase_confirm - if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then - echo "$luks_passphrase" > /tmp/disko-password - break - else - red "Passwords do not match" - fi - done -fi + if [ "$disk_encryption" -eq 1 ]; then + while true; do + green "Set disk encryption passphrase:" + read -rs luks_passphrase + green "Please confirm passphrase:" + read -rs luks_passphrase_confirm + if [[ $luks_passphrase == "$luks_passphrase_confirm" ]]; then + echo "$luks_passphrase" > /tmp/disko-password + break + else + red "Passwords do not match" + fi + done + fi -green "Setting up disk ..." -if [[ $target_config == "chaostheatre" ]]; then - sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/v1.10.0 -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks --arg diskDevice "$target_disk" -else - sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks -fi -sudo mkdir -p /mnt/"$persist_dir"/home/"$target_user"/ -sudo cp -r /home/"$target_user"/.dotfiles /mnt/"$persist_dir"/home/"$target_user"/ -sudo chown -R 1000:100 /mnt/"$persist_dir"/home/"$target_user" + green "Setting up disk ..." 
+ if [[ $target_config == "chaostheatre" ]]; then + sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/v1.10.0 -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks --arg diskDevice "$target_disk" + else + sudo nix --experimental-features "nix-command flakes" run github:nix-community/disko/latest -- --mode destroy,format,mount --flake .#"$target_config" --yes-wipe-all-disks + fi + sudo mkdir -p /mnt/"$persist_dir"/home/"$target_user"/ + sudo cp -r /home/"$target_user"/.dotfiles /mnt/"$persist_dir"/home/"$target_user"/ + sudo chown -R 1000:100 /mnt/"$persist_dir"/home/"$target_user" -green "Generating hardware configuration ..." -sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/ + green "Generating hardware configuration ..." + sudo nixos-generate-config --root /mnt --no-filesystems --dir /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/ -green "Injecting initialSetup ..." -sudo sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix + green "Injecting initialSetup ..." 
+ sudo sed -i '/ boot.extraModulePackages /a \ swarselsystems.initialSetup = true;' /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix -git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix -sudo mkdir -p /root/.local/share/nix/ -printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | sudo tee /root/.local/share/nix/trusted-settings.json > /dev/null -green "Installing flake $target_config" -sudo nixos-install --flake .#"$target_config" -green "Installation finished! Reboot to see changes" + git add /home/"$target_user"/.dotfiles/hosts/nixos/"$target_config"/hardware-configuration.nix + sudo mkdir -p /root/.local/share/nix/ + printf '{\"extra-substituters\":{\"https://nix-community.cachix.org\":true,\"https://nix-community.cachix.org https://cache.ngi0.nixos.org/\":true},\"extra-trusted-public-keys\":{\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=\":true,\"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs= cache.ngi0.nixos.org-1:KqH5CBLNSyX184S9BKZJo1LxrxJ9ltnY2uAs5c/f1MA=\":true}}' | sudo tee /root/.local/share/nix/trusted-settings.json > /dev/null + green "Installing flake $target_config" + sudo nixos-install --flake .#"$target_config" + green "Installation finished! Reboot to see changes" #+end_src 
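Review bot: The LUKS passphrase is written with `echo "$luks_passphrase" > /tmp/disko-password` under the caller's default umask, so on a typical installer the file is world-readable, and the `cleanup` trap removes the Nix caches but never this file. Create it with a private mode and add it to cleanup: `(umask 077; printf '%s\n' "$luks_passphrase" > /tmp/disko-password)` and, in `cleanup()`, `sudo rm -f /tmp/disko-password`. This is pre-existing behaviour that the re-indent merely carries over, but it is the one line in the script that handles a real secret. Please also double-check that both `EOF` terminators remained at column 0 after the re-indent — the note above the block says the formatter indents them, and an indented terminator would make `cat` swallow the rest of the script; I cannot tell from the collapsed diff.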
@@ -8177,15 +8259,36 @@ It serves both a Greader API at https://signpost.swarsel.win/api/greader.php, as :END: #+begin_src nix :tangle modules/nixos/server/forgejo.nix - { lib, config, ... }: + { lib, config, pkgs, ... }: + let + forgejoDomain = "swagit.swarsel.win"; + in { options.swarselsystems.modules.server.forgejo = lib.mkEnableOption "enable forgejo on server"; config = lib.mkIf config.swarselsystems.modules.server.forgejo { networking.firewall.allowedTCPPorts = [ 3000 ]; + users.users.forgejo = { + group = "forgejo"; + isSystemUser = true; + }; + + users.groups.forgejo = { }; + + sops.secrets = { + kanidm-forgejo-client = { + owner = "forgejo"; + group = "forgejo"; + mode = "440"; + }; + }; + services.forgejo = { enable = true; + user = "forgejo"; + group = "forgejo"; + lfs.enable = lib.mkDefault true; settings = { DEFAULT = { APP_NAME = "~SwaGit~"; 
@@ -8194,16 +8297,91 @@ It serves both a Greader API at https://signpost.swarsel.win/api/greader.php, as PROTOCOL = "http"; HTTP_PORT = 3000; HTTP_ADDR = "0.0.0.0"; - DOMAIN = "swagit.swarsel.win"; - ROOT_URL = "https://swagit.swarsel.win"; + DOMAIN = forgejoDomain; + ROOT_URL = "https://${forgejoDomain}"; }; + # federation.ENABLED = true; service = { - DISABLE_REGISTRATION = true; + DISABLE_REGISTRATION = false; + ALLOW_ONLY_INTERNAL_REGISTRATION = false; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; SHOW_REGISTRATION_BUTTON = false; }; + session.COOKIE_SECURE = true; + oauth2_client = { + # Never use auto account linking with this, otherwise users cannot change + # their new user name and they could potentially overtake other users accounts + # by setting their email address to an existing account. + # With "login" linking the user must choose a non-existing username first or login + # with the existing account to link. + ACCOUNT_LINKING = "login"; + USERNAME = "nickname"; + # This does not mean that you cannot register via oauth, but just that there should + # be a confirmation dialog shown to the user before the account is actually created. + # This dialog allows changing user name and email address before creating the account. 
+ ENABLE_AUTO_REGISTRATION = false; + REGISTER_EMAIL_CONFIRM = false; + UPDATE_AVATAR = true; + }; }; }; + systemd.services.forgejo = { + serviceConfig.RestartSec = "60"; # Retry every minute + preStart = + let + exe = lib.getExe config.services.forgejo.package; + providerName = "kanidm"; + clientId = "forgejo"; + args = lib.escapeShellArgs ( + lib.concatLists [ + [ + "--name" + providerName + ] + [ + "--provider" + "openidConnect" + ] + [ + "--key" + clientId + ] + [ + "--auto-discover-url" + "https://sso.swarsel.win/oauth2/openid/${clientId}/.well-known/openid-configuration" + ] + [ + "--scopes" + "email" + ] + [ + "--scopes" + "profile" + ] + [ + "--group-claim-name" + "groups" + ] + [ + "--admin-group" + "admin" + ] + [ "--skip-local-2fa" ] + ] + ); + in + lib.mkAfter '' + provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1) + SECRET="$(< ${config.sops.secrets.kanidm-forgejo-client.path})" + if [[ -z "$provider_id" ]]; then + ${exe} admin auth add-oauth ${args} --secret "$SECRET" + else + ${exe} admin auth update-oauth --id "$provider_id" ${args} --secret "$SECRET" + fi + ''; + }; + services.nginx = { virtualHosts = { "swagit.swarsel.win" = { diff --git a/flake.lock b/flake.lock index cf0fd72..cc8d472 100644 --- a/flake.lock +++ b/flake.lock @@ -801,10 +801,10 @@ "nix-secrets": { "flake": false, "locked": { - "lastModified": 1748102838, - "narHash": "sha256-o8ACYonrWdDSbb30v1xUhl8BuYuLJsAYH9VMRJ/HSKY=", + "lastModified": 1749481004, + "narHash": "sha256-UmA5Dx+tzYXaqPMtKucijTwV7l+U2/+fD0Twb/edcxY=", "ref": "main", - "rev": "3c3d7b593f4b295a1cdf8c4448b4c7ff6c5614ab", + "rev": "f7e7b03ea03dbfc8471689f0ba7a7221240e93df", "shallow": true, "type": "git", "url": "ssh://git@github.com/Swarsel/nix-secrets.git" diff --git a/hosts/nixos/sync/default.nix b/hosts/nixos/sync/default.nix index d233fdd..98a6001 100644 --- a/hosts/nixos/sync/default.nix +++ b/hosts/nixos/sync/default.nix 
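Review bot: `provider_id=$(... admin auth list | grep -w 'kanidm' | cut -f1)` matches any row in which `kanidm` appears as a word — a provider named `kanidm-old` or a description containing the word, since `-w` treats `-` as a boundary — and a multi-line `$provider_id` is then handed to `--id`. Match on the name column only, e.g. `provider_id=$(${exe} admin auth list | ${pkgs.gawk}/bin/awk -F'\t' '$2 == "${providerName}" { print $1 }')`, after confirming the column layout of `admin auth list` for the Forgejo version in use. `--secret "$SECRET"` also places the OIDC client secret on the forgejo command line, briefly visible in /proc to other local users; I am not aware of a file-based alternative in the CLI, so a comment recording that trade-off is the realistic fix. `--skip-local-2fa` delegates MFA entirely to the IdP and deserves a comment such as `# Kanidm enforces MFA for this client, so Forgejo's own 2FA is skipped for OIDC logins`. The enclosing `config = lib.mkIf ...` attrset continues past the end of this hunk.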
@@ -1,9 +1,15 @@ -{ lib, primaryUser, ... }: +{ lib, primaryUser, inputs, ... }: let sharedOptions = { isBtrfs = false; isLinux = true; }; + secretsDirectory = builtins.toString inputs.nix-secrets; + workHostName = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-hostname"; + dev1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev1"; + dev2 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev2"; + dev3 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev3"; + loc1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/loc1"; in { imports = [ @@ -26,7 +32,7 @@ in enableIPv6 = false; domain = "subnet03112148.vcn03112148.oraclevcn.com"; firewall = { - allowedTCPPorts = [ 8384 22000 ]; + allowedTCPPorts = [ 80 443 8384 9812 22000 27701 ]; allowedUDPPorts = [ 21027 22000 ]; extraCommands = '' iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT @@ -42,7 +48,7 @@ in }; }; - system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change + system.stateVersion = "23.11"; services = { nginx = { 
@@ -63,11 +69,83 @@ in }; }; - # do not manage OCI syncthing through nix config syncthing = { enable = true; guiAddress = "0.0.0.0:8384"; openDefaultPorts = true; + relay.enable = false; + settings = { + urAccepted = -1; + devices = { + "magicant" = { + id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO"; + }; + "winters" = { + id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA"; + }; + "${workHostName}" = { + id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB"; + }; + "${dev1}" = { + id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7"; + }; + "${dev2}" = { + id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH"; + }; + "${dev3}" = { + id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR"; + }; + }; + folders = { + "Default Folder" = lib.mkForce { + path = "/var/lib/syncthing/Sync"; + type = "receiveonly"; + versioning = null; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "default"; + }; + "Obsidian" = { + path = "/var/lib/syncthing/Obsidian"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "yjvni-9eaa7"; + }; + "Org" = { + path = "/var/lib/syncthing/Org"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "a7xnl-zjj3d"; + }; + "Vpn" = { + path = "/var/lib/syncthing/Vpn"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "5"; + }; + devices = [ "winters" "magicant" "${workHostName}" ]; + id = "hgp9s-fyq3p"; + }; + "${loc1}" = { + path = "/var/lib/syncthing/${loc1}"; + type = "receiveonly"; + versioning = { + type = "simple"; + params.keep = "3"; + }; + devices = [ dev1 dev2 dev3 ]; + id = "5gsxv-rzzst"; + }; + }; + }; }; }; diff --git a/index.html b/index.html index 6f88df0..e2b647c 100644 --- a/index.html 
+++ b/index.html @@ -3,7 +3,7 @@ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> - + SwarselSystems: NixOS + Emacs Configuration @@ -263,9 +263,9 @@
  • 3.1.4.3. Home-manager only (default non-NixOS)
  • 3.1.4.4. ChaosTheatre (Demo Physical/VM)
  • @@ -305,7 +305,7 @@
  • 3.2.1.27. fhs
  • 3.2.1.28. swarsel-displaypower
  • 3.2.1.29. swarsel-mgba
  • -
  • 3.2.1.30. sshrm
  • +
  • 3.2.1.30. sshrm
  • 3.2.2. Overlays (additions, overrides, nixpkgs-stable)
  • @@ -313,28 +313,28 @@ @@ -379,7 +379,7 @@
  • 3.3.1.22.3. enable GVfs
  • 3.3.1.22.4. interception-tools: Make CAPS work as ESC/CTRL
  • 3.3.1.22.5. power-profiles-daemon
  • -
  • 3.3.1.22.6. SwayOSD
  • +
  • 3.3.1.22.6. SwayOSD
  • 3.3.1.23. Hardware compatibility settings (Yubikey, Ledger, Keyboards) - udev rules @@ -431,7 +431,7 @@
  • 3.3.2.24. FreshRSS
  • 3.3.2.25. forgejo (git server)
  • 3.3.2.26. Anki Sync Server
  • -
  • 3.3.2.27. kanidm
  • +
  • 3.3.2.27. kanidm
  • 3.3.3. Darwin @@ -446,11 +446,11 @@
  • 3.3.4.3. VmWare
  • 3.3.4.4. Auto-login
  • 3.3.4.5. nswitch-rcm
  • -
  • 3.3.4.6. Framework
  • -
  • 3.3.4.7. AMD CPU
  • -
  • 3.3.4.8. AMD GPU
  • -
  • 3.3.4.9. Hibernation
  • -
  • 3.3.4.10. BTRFS
  • +
  • 3.3.4.6. Framework
  • +
  • 3.3.4.7. AMD CPU
  • +
  • 3.3.4.8. AMD GPU
  • +
  • 3.3.4.9. Hibernation
  • +
  • 3.3.4.10. BTRFS
  • 3.3.4.11. work
  • 3.3.4.12. Minimal Install
  • @@ -499,7 +499,7 @@
  • 3.4.1.29.1. gnome-keyring
  • 3.4.1.29.2. KDE Connect
  • 3.4.1.29.3. Mako
  • -
  • 3.4.1.29.4. SwayOSD
  • +
  • 3.4.1.29.4. SwayOSD
  • 3.4.1.29.5. yubikey-touch-detector
  • @@ -524,7 +524,7 @@ @@ -702,7 +702,7 @@ @@ -711,7 +711,7 @@

    -This file has 63503 words spanning 16708 lines and was last revised on 2025-06-09 12:45:18 +0200. +This file has 64040 words spanning 16886 lines and was last revised on 2025-06-09 17:08:15 +0200.

    @@ -764,7 +764,7 @@ This section defines my Emacs configuration. For a while, I considered to use ry

    -My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-09 12:45:18 +0200) +My emacs is built using the emacs-overlay nix flake, which builds a bleeding edge emacs on wayland (pgtk) with utilities like treesitter support. By executing the below source block, the current build setting can be updated at any time, and you can see my most up-to-date build options (last updated: 2025-06-09 17:08:15 +0200)

    @@ -2247,12 +2247,18 @@ All of these are processes that use little cpu but can take a lot of storage. Fo
    -
    { lib, primaryUser, ... }:
    +
    { lib, primaryUser, inputs, ... }:
     let
       sharedOptions = {
         isBtrfs = false;
         isLinux = true;
       };
    +  secretsDirectory = builtins.toString inputs.nix-secrets;
    +  workHostName = lib.swarselsystems.getSecret "${secretsDirectory}/work/worklaptop-hostname";
    +  dev1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev1";
    +  dev2 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev2";
    +  dev3 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/dev3";
    +  loc1 = lib.swarselsystems.getSecret "${secretsDirectory}/oci/sync/syncthing/loc1";
     in
     {
       imports = [
    @@ -2275,7 +2281,7 @@ in
         enableIPv6 = false;
         domain = "subnet03112148.vcn03112148.oraclevcn.com";
         firewall = {
    -      allowedTCPPorts = [ 8384 22000 ];
    +      allowedTCPPorts = [ 80 443 8384 9812 22000 27701 ];
           allowedUDPPorts = [ 21027 22000 ];
           extraCommands = ''
             iptables -I INPUT -m state --state NEW -p tcp --dport 80 -j ACCEPT
    @@ -2291,7 +2297,7 @@ in
         };
       };
     
    -  system.stateVersion = "23.11"; # TEMPLATE - but probably no need to change
    +  system.stateVersion = "23.11";
     
       services = {
         nginx = {
    @@ -2312,11 +2318,83 @@ in
           };
         };
     
    -    # do not manage OCI syncthing through nix config
         syncthing = {
           enable = true;
           guiAddress = "0.0.0.0:8384";
           openDefaultPorts = true;
    +      relay.enable = false;
    +      settings = {
    +        urAccepted = -1;
    +        devices = {
    +          "magicant" = {
    +            id = "VMWGEE2-4HDS2QO-KNQOVGN-LXLX6LA-666E4EK-ZBRYRRO-XFEX6FB-6E3XLQO";
    +          };
    +          "winters" = {
    +            id = "O7RWDMD-AEAHPP7-7TAVLKZ-BSWNBTU-2VA44MS-EYGUNBB-SLHKB3C-ZSLMOAA";
    +          };
    +          "${workHostName}" = {
    +            id = "YAPV4BV-I26WPTN-SIP32MV-SQP5TBZ-3CHMTCI-Z3D6EP2-MNDQGLP-53FT3AB";
    +          };
    +          "${dev1}" = {
    +            id = "OCCDGDF-IPZ6HHQ-5SSLQ3L-MSSL5ZW-IX5JTAM-PW4PYEK-BRNMJ7E-Q7YDMA7";
    +          };
    +          "${dev2}" = {
    +            id = "LPCFIIB-ENUM2V6-F2BWVZ6-F2HXCL2-BSBZXUF-TIMNKYB-7CATP7H-YU5D3AH";
    +          };
    +          "${dev3}" = {
    +            id = "LAUT2ZP-KEZY35H-AHR3ARD-URAREJI-2B22P5T-PIMUNWW-PQRDETU-7KIGNQR";
    +          };
    +        };
    +        folders = {
    +          "Default Folder" = lib.mkForce {
    +            path = "/var/lib/syncthing/Sync";
    +            type = "receiveonly";
    +            versioning = null;
    +            devices = [ "winters" "magicant" "${workHostName}" ];
    +            id = "default";
    +          };
    +          "Obsidian" = {
    +            path = "/var/lib/syncthing/Obsidian";
    +            type = "receiveonly";
    +            versioning = {
    +              type = "simple";
    +             params.keep = "5";
    +            };
    +            devices = [ "winters" "magicant" "${workHostName}" ];
    +            id = "yjvni-9eaa7";
    +          };
    +          "Org" = {
    +            path = "/var/lib/syncthing/Org";
    +            type = "receiveonly";
    +            versioning = {
    +              type = "simple";
    +              params.keep = "5";
    +            };
    +            devices = [ "winters" "magicant" "${workHostName}" ];
    +            id = "a7xnl-zjj3d";
    +          };
    +          "Vpn" = {
    +            path = "/var/lib/syncthing/Vpn";
    +            type = "receiveonly";
    +            versioning = {
    +              type = "simple";
    +              params.keep = "5";
    +            };
    +            devices = [ "winters" "magicant" "${workHostName}" ];
    +            id = "hgp9s-fyq3p";
    +          };
    +          "${loc1}" = {
    +            path = "/var/lib/syncthing/${loc1}";
    +            type = "receiveonly";
    +            versioning = {
    +              type = "simple";
    +              params.keep = "3";
    +            };
    +            devices = [ dev1 dev2 dev3 ];
    +            id = "5gsxv-rzzst";
    +          };
    +        };
    +      };
         };
       };
     
    @@ -2803,8 +2881,8 @@ This is just a demo host. It applies all the configuration found in the common p
     I also set the WLR_RENDERER_ALLOW_SOFTWARE=1 to allow this configuration to run in a virtualized environment. I also enable qemuGuest for a smoother experience when testing on QEMU.
     

    -
    -
    3.1.4.4.1. Main configuration
    +
    +
    3.1.4.4.1. Main configuration
    { self, inputs, config, pkgs, lib, primaryUser, ... }:
    @@ -2883,8 +2961,8 @@ in
     
    -
    -
    3.1.4.4.2. NixOS dummy options configuration
    +
    +
    3.1.4.4.2. NixOS dummy options configuration
    _:
    @@ -2894,8 +2972,8 @@ in
     
    -
    -
    3.1.4.4.3. home-manager dummy options configuration
    +
    +
    3.1.4.4.3. home-manager dummy options configuration
    _:
    @@ -4054,6 +4132,9 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
         rm modules/home/common/yubikey.nix
         rm modules/nixos/server/restic.nix
         rm modules/nixos/common/home-manager-extra.nix
    +    rm hosts/nixos/sync/default.nix
    +    rm -rf modules/nixos/server
    +    rm -rf modules/home/server
         nix flake update vbc-nix
         git add .
     else
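Review bot: The new `rm -rf modules/nixos/server` makes the pre-existing `rm modules/nixos/server/restic.nix` two lines above it redundant, since the whole directory is removed anyway; the same pairing is present in the next hunk of this file (the install script, where the directory removal already existed) and in the collapsed scripts/swarsel-rebuild.sh and scripts/swarsel-install.sh hunks further down. If the intent is a clean slate, keep only the directory removals and drop the single-file `rm` lines, which also avoids a non-zero exit when restic.nix is already absent; whether these scripts run under `set -e` is not visible here. The enclosing `if` branch starts before this hunk.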
    @@ -4193,35 +4274,36 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
         rm modules/home/common/yubikey.nix
         rm modules/nixos/server/restic.nix
         rm modules/nixos/common/home-manager-extra.nix
    +    rm hosts/nixos/sync/default.nix
         rm -rf modules/nixos/server
         rm -rf modules/home/server
         cat > hosts/nixos/chaostheatre/options.nix << EOF
    -      { self, lib, ... }:
    -      {
    +        { self, lib, ... }:
    +        {
    +          options = {
    +            swarselsystems = {
    +              modules = {
    +                home-managerExtra = lib.mkEnableOption "dummy option for chaostheatre";
    +              };
    +            };
    +          };
    +        }
    +EOF
    +    cat > hosts/nixos/chaostheatre/options-home.nix << EOF
    +        { self, lib, ... }:
    +        {
             options = {
               swarselsystems = {
                 modules = {
    -              home-managerExtra = lib.mkEnableOption "dummy option for chaostheatre";
    +              yubikey = lib.mkEnableOption "dummy option for chaostheatre";
    +              env = lib.mkEnableOption "dummy option for chaostheatre";
    +              git = lib.mkEnableOption "dummy option for chaostheatre";
    +              mail = lib.mkEnableOption "dummy option for chaostheatre";
    +              gammastep = lib.mkEnableOption "dummy option for chaostheatre";
                 };
               };
             };
    -      }
    -EOF
    -    cat > hosts/nixos/chaostheatre/options-home.nix << EOF
    -      { self, lib, ... }:
    -      {
    -      options = {
    -        swarselsystems = {
    -          modules = {
    -            yubikey = lib.mkEnableOption "dummy option for chaostheatre";
    -            env = lib.mkEnableOption "dummy option for chaostheatre";
    -            git = lib.mkEnableOption "dummy option for chaostheatre";
    -            mail = lib.mkEnableOption "dummy option for chaostheatre";
    -            gammastep = lib.mkEnableOption "dummy option for chaostheatre";
    -          };
    -        };
    -      };
    -      }
    +        }
     EOF
         nix flake update vbc-nix
         git add .
    @@ -4672,8 +4754,8 @@ appimageTools.wrapType2 {
     
    -
    -
    3.2.1.30. sshrm
    +
    +
    3.2.1.30. sshrm

    This programs simply runs ssh-keygen on the last host that I tried to ssh into. I need this frequently when working with cloud-init usually. @@ -4830,8 +4912,8 @@ in

    -
    -
    3.2.3.1.1. Personal
    +
    +
    3.2.3.1.1. Personal
    { lib, config, ... }:
    @@ -4898,8 +4980,8 @@ in
     
    -
    -
    3.2.3.1.2. Chaostheatre
    +
    +
    3.2.3.1.2. Chaostheatre
    { lib, config, ... }:
    @@ -4963,8 +5045,8 @@ in
     
    -
    -
    3.2.3.1.3. toto
    +
    +
    3.2.3.1.3. toto
    { lib, config, ... }:
    @@ -4996,8 +5078,8 @@ in
     
    -
    -
    3.2.3.1.4. Work
    +
    +
    3.2.3.1.4. Work
    { lib, config, ... }:
    @@ -5018,8 +5100,8 @@ in
     
    -
    -
    3.2.3.1.5. Framework
    +
    +
    3.2.3.1.5. Framework
    { lib, config, ... }:
    @@ -5040,8 +5122,8 @@ in
     
    -
    -
    3.2.3.1.6. AMD CPU
    +
    +
    3.2.3.1.6. AMD CPU
    { lib, config, ... }:
    @@ -5062,8 +5144,8 @@ in
     
    -
    -
    3.2.3.1.7. AMD GPU
    +
    +
    3.2.3.1.7. AMD GPU
    { lib, config, ... }:
    @@ -5084,8 +5166,8 @@ in
     
    -
    -
    3.2.3.1.8. Hibernation
    +
    +
    3.2.3.1.8. Hibernation
    { lib, config, ... }:
    @@ -5106,8 +5188,8 @@ in
     
    -
    -
    3.2.3.1.9. BTRFS
    +
    +
    3.2.3.1.9. BTRFS
    { lib, config, ... }:
    @@ -5128,8 +5210,8 @@ in
     
    -
    -
    3.2.3.1.10. Local Server
    +
    +
    3.2.3.1.10. Local Server
    { lib, config, ... }:
    @@ -5182,8 +5264,8 @@ in
     
    -
    -
    3.2.3.1.11. OCI Sync Server
    +
    +
    3.2.3.1.11. OCI Sync Server
    { lib, config, ... }:
    @@ -5240,8 +5322,8 @@ in
     
    -
    -
    3.2.3.2.1. Personal
    +
    +
    3.2.3.2.1. Personal
    { lib, config, ... }:
    @@ -5298,8 +5380,8 @@ in
     
    -
    -
    3.2.3.2.2. Chaostheatre
    +
    +
    3.2.3.2.2. Chaostheatre
    { lib, config, ... }:
    @@ -5351,8 +5433,8 @@ in
     
    -
    -
    3.2.3.2.3. toto
    +
    +
    3.2.3.2.3. toto
    { lib, config, ... }:
    @@ -5372,8 +5454,8 @@ in
     
    -
    -
    3.2.3.2.4. Work
    +
    +
    3.2.3.2.4. Work
    { lib, config, ... }:
    @@ -5393,8 +5475,8 @@ in
     
    -
    -
    3.2.3.2.5. Framework
    +
    +
    3.2.3.2.5. Framework
    { lib, config, ... }:
    @@ -5415,8 +5497,8 @@ in
     
    -
    -
    3.2.3.2.6. Darwin
    +
    +
    3.2.3.2.6. Darwin
    { lib, config, ... }:
    @@ -5434,8 +5516,8 @@ in
     
    -
    -
    3.2.3.2.7. Local Server
    +
    +
    3.2.3.2.7. Local Server
    { lib, config, ... }:
    @@ -6968,8 +7050,8 @@ Most of the time I am using power-saver, however, it is good to be
     
    -
    -
    3.3.1.22.6. SwayOSD
    +
    +
    3.3.1.22.6. SwayOSD
    { lib, pkgs, config, ... }:
    @@ -9480,15 +9562,36 @@ It serves both a Greader API at 3.3.2.25. forgejo (git server)
     
    -
    { lib, config, ... }:
    +
    { lib, config, pkgs, ... }:
    +let
    +  forgejoDomain = "swagit.swarsel.win";
    +in
     {
       options.swarselsystems.modules.server.forgejo = lib.mkEnableOption "enable forgejo on server";
       config = lib.mkIf config.swarselsystems.modules.server.forgejo {
     
         networking.firewall.allowedTCPPorts = [ 3000 ];
     
    +    users.users.forgejo = {
    +      group = "forgejo";
    +      isSystemUser = true;
    +    };
    +
    +    users.groups.forgejo = { };
    +
    +    sops.secrets = {
    +      kanidm-forgejo-client = {
    +        owner = "forgejo";
    +        group = "forgejo";
    +        mode = "440";
    +      };
    +    };
    +
         services.forgejo = {
           enable = true;
    +      user = "forgejo";
    +      group = "forgejo";
    +      lfs.enable = lib.mkDefault true;
           settings = {
             DEFAULT = {
               APP_NAME = "~SwaGit~";
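Review bot: `forgejoDomain` is introduced in the new `let` block, but the module's nginx virtual host is still keyed on the literal `"swagit.swarsel.win"` (visible as trailing context of the modules/nixos/server/forgejo.nix hunk), so the two values can drift apart; using `"${forgejoDomain}" = {` for the vhost as well keeps a single source of truth. The new `users.users.forgejo` / `users.groups.forgejo` declaration together with `sops.secrets.kanidm-forgejo-client` at `mode = "440"` owned by that user is the right shape for restricting the client secret to the service. The tangled modules/nixos/server/forgejo.nix hunk mirrors this change line for line, so the same remark applies there. The `config = lib.mkIf` attribute set continues past the end of this hunk.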
    @@ -9497,16 +9600,91 @@ It serves both a Greader API at 
    -
    3.3.2.27. kanidm
    +
    +
    3.3.2.27. kanidm
    { self, lib, pkgs, config, ... }:
    @@ -9971,8 +10149,8 @@ This smashes Atmosphere 1.3.2 on the switch, which is what I am currenty using.
     
    -
    -
    3.3.4.6. Framework
    +
    +
    3.3.4.6. Framework

    This holds configuration that is specific to framework laptops. @@ -10010,8 +10188,8 @@ This holds configuration that is specific to framework laptops.

    -
    -
    3.3.4.7. AMD CPU
    +
    +
    3.3.4.7. AMD CPU
    { lib, config, ... }:
    @@ -10027,8 +10205,8 @@ This holds configuration that is specific to framework laptops.
     
    -
    -
    3.3.4.8. AMD GPU
    +
    +
    3.3.4.8. AMD GPU
    { lib, config, ... }:
    @@ -10050,8 +10228,8 @@ This holds configuration that is specific to framework laptops.
     
    -
    -
    3.3.4.9. Hibernation
    +
    +
    3.3.4.9. Hibernation
    { lib, config, ... }:
    @@ -10082,8 +10260,8 @@ This holds configuration that is specific to framework laptops.
     
    -
    -
    3.3.4.10. BTRFS
    +
    +
    3.3.4.10. BTRFS
    { lib, config, ... }:
    @@ -13031,8 +13209,8 @@ The `extraConfig` section here CANNOT be reindented. This has something to do wi
     
    -
    -
    3.4.1.29.4. SwayOSD
    +
    +
    3.4.1.29.4. SwayOSD
    { lib, config, ... }:
    @@ -14281,8 +14459,8 @@ in
     
    -
    -
    3.4.4.3. Framework
    +
    +
    3.4.4.3. Framework

    This holds configuration that is specific to framework laptops. @@ -18122,8 +18300,8 @@ autocmd DocStart vc-impimba-1.m.imp.ac.at/ui/webconsole mode ignore

    -
    -

    6.3. tridactyl theme

    +
    +

    6.3. tridactyl theme

    @@ -18620,7 +18798,7 @@ sync USER HOST:
     

    Author: Leon Schwarzäugl

    -

    Created: 2025-06-09 Mo 12:45

    +

    Created: 2025-06-09 Mo 17:08

    Validate

    diff --git a/modules/nixos/server/forgejo.nix b/modules/nixos/server/forgejo.nix index 7d67777..c6ad306 100644 --- a/modules/nixos/server/forgejo.nix +++ b/modules/nixos/server/forgejo.nix @@ -1,12 +1,33 @@ -{ lib, config, ... }: +{ lib, config, pkgs, ... }: +let + forgejoDomain = "swagit.swarsel.win"; +in { options.swarselsystems.modules.server.forgejo = lib.mkEnableOption "enable forgejo on server"; config = lib.mkIf config.swarselsystems.modules.server.forgejo { networking.firewall.allowedTCPPorts = [ 3000 ]; + users.users.forgejo = { + group = "forgejo"; + isSystemUser = true; + }; + + users.groups.forgejo = { }; + + sops.secrets = { + kanidm-forgejo-client = { + owner = "forgejo"; + group = "forgejo"; + mode = "440"; + }; + }; + services.forgejo = { enable = true; + user = "forgejo"; + group = "forgejo"; + lfs.enable = lib.mkDefault true; settings = { DEFAULT = { APP_NAME = "~SwaGit~"; 
@@ -15,16 +36,91 @@ PROTOCOL = "http"; HTTP_PORT = 3000; HTTP_ADDR = "0.0.0.0"; - DOMAIN = "swagit.swarsel.win"; - ROOT_URL = "https://swagit.swarsel.win"; + DOMAIN = forgejoDomain; + ROOT_URL = "https://${forgejoDomain}"; }; + # federation.ENABLED = true; service = { - DISABLE_REGISTRATION = true; + DISABLE_REGISTRATION = false; + ALLOW_ONLY_INTERNAL_REGISTRATION = false; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; SHOW_REGISTRATION_BUTTON = false; }; + session.COOKIE_SECURE = true; + oauth2_client = { + # Never use auto account linking with this, otherwise users cannot change + # their new user name and they could potentially overtake other users accounts + # by setting their email address to an existing account. + # With "login" linking the user must choose a non-existing username first or login + # with the existing account to link. + ACCOUNT_LINKING = "login"; + USERNAME = "nickname"; + # This does not mean that you cannot register via oauth, but just that there should + # be a confirmation dialog shown to the user before the account is actually created. + # This dialog allows changing user name and email address before creating the account. 
+ ENABLE_AUTO_REGISTRATION = false; + REGISTER_EMAIL_CONFIRM = false; + UPDATE_AVATAR = true; + }; }; }; + systemd.services.forgejo = { + serviceConfig.RestartSec = "60"; # Retry every minute + preStart = + let + exe = lib.getExe config.services.forgejo.package; + providerName = "kanidm"; + clientId = "forgejo"; + args = lib.escapeShellArgs ( + lib.concatLists [ + [ + "--name" + providerName + ] + [ + "--provider" + "openidConnect" + ] + [ + "--key" + clientId + ] + [ + "--auto-discover-url" + "https://sso.swarsel.win/oauth2/openid/${clientId}/.well-known/openid-configuration" + ] + [ + "--scopes" + "email" + ] + [ + "--scopes" + "profile" + ] + [ + "--group-claim-name" + "groups" + ] + [ + "--admin-group" + "admin" + ] + [ "--skip-local-2fa" ] + ] + ); + in + lib.mkAfter '' + provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1) + SECRET="$(< ${config.sops.secrets.kanidm-forgejo-client.path})" + if [[ -z "$provider_id" ]]; then + ${exe} admin auth add-oauth ${args} --secret "$SECRET" + else + ${exe} admin auth update-oauth --id "$provider_id" ${args} --secret "$SECRET" + fi + ''; + }; + services.nginx = { virtualHosts = { "swagit.swarsel.win" = { diff --git a/scripts/swarsel-install.sh b/scripts/swarsel-install.sh index e3258fc..358191e 100644 --- a/scripts/swarsel-install.sh +++ b/scripts/swarsel-install.sh 
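Review bot: The `preStart` script hands the OIDC client secret to the forgejo CLI as an argument (`--secret "$SECRET"` on both the `add-oauth` and the `update-oauth` branch), so for the duration of each invocation it is typically readable by other local users through the process list, which undoes part of the benefit of keeping it in a `mode = "440"` sops file. If the CLI offers no file- or stdin-based alternative for that flag, this deserves a comment next to those lines so the exposure is a documented trade-off, e.g. `# NOTE: the client secret is briefly visible in the CLI's argv during preStart`. Separately, `provider_id` comes from `grep -w '${providerName}'` over the whole `admin auth list` output, so any other row containing the word kanidm would produce a multi-line id and break `update-oauth --id`; matching on the name column would be more robust, though the exact list format is not visible here. With `DISABLE_REGISTRATION = false` and `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` account creation is delegated entirely to the IdP and the comments on `ACCOUNT_LINKING` explain the takeover risk well; the `services.nginx` block continues past the end of this hunk.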
@@ -102,35 +102,36 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
 rm modules/home/common/yubikey.nix
 rm modules/nixos/server/restic.nix
 rm modules/nixos/common/home-manager-extra.nix
+ rm hosts/nixos/sync/default.nix
 rm -rf modules/nixos/server
 rm -rf modules/home/server
 cat > hosts/nixos/chaostheatre/options.nix << EOF
- { self, lib, ... }:
- {
+ { self, lib, ... }:
+ {
+ options = {
+ swarselsystems = {
+ modules = {
+ home-managerExtra = lib.mkEnableOption "dummy option for chaostheatre";
+ };
+ };
+ };
+ }
+EOF
+ cat > hosts/nixos/chaostheatre/options-home.nix << EOF
+ { self, lib, ... }:
+ {
 options = {
 swarselsystems = {
 modules = {
- home-managerExtra = lib.mkEnableOption "dummy option for chaostheatre";
+ yubikey = lib.mkEnableOption "dummy option for chaostheatre";
+ env = lib.mkEnableOption "dummy option for chaostheatre";
+ git = lib.mkEnableOption "dummy option for chaostheatre";
+ mail = lib.mkEnableOption "dummy option for chaostheatre";
+ gammastep = lib.mkEnableOption "dummy option for chaostheatre";
 };
 };
 };
- }
-EOF
- cat > hosts/nixos/chaostheatre/options-home.nix << EOF
- { self, lib, ... }:
- {
- options = {
- swarselsystems = {
- modules = {
- yubikey = lib.mkEnableOption "dummy option for chaostheatre";
- env = lib.mkEnableOption "dummy option for chaostheatre";
- git = lib.mkEnableOption "dummy option for chaostheatre";
- mail = lib.mkEnableOption "dummy option for chaostheatre";
- gammastep = lib.mkEnableOption "dummy option for chaostheatre";
- };
- };
- };
- }
+ }
 EOF
 nix flake update vbc-nix
 git add .
diff --git a/scripts/swarsel-rebuild.sh b/scripts/swarsel-rebuild.sh
index 9ce5291..6ca9558 100644
--- a/scripts/swarsel-rebuild.sh
+++ b/scripts/swarsel-rebuild.sh
@@ -84,6 +84,9 @@ if [[ $local_keys != *"${pub_arr[1]}"* ]]; then
 rm modules/home/common/yubikey.nix
 rm modules/nixos/server/restic.nix
 rm modules/nixos/common/home-manager-extra.nix
+ rm hosts/nixos/sync/default.nix
+ rm -rf modules/nixos/server
+ rm -rf modules/home/server
 nix flake update vbc-nix
 git add .
 else
diff --git a/secrets/sync/secrets.yaml b/secrets/sync/secrets.yaml
index 070d2ab..63b9413 100644
--- a/secrets/sync/secrets.yaml
+++ b/secrets/sync/secrets.yaml
@@ -1,11 +1,8 @@
 swarsel: ENC[AES256_GCM,data:WzMlNzg5iAu823s=,iv:U8ZutlrzBqq7z445kSnvluejtta4X/0YMIIOdcQuftg=,tag:IE0WMuXlNwnBHzXtrbVHKA==,type:str]
 dnstokenfull: ENC[AES256_GCM,data:hxgxSm6pcXOEHZHdSwQkfZryFccQXrCu9idULJhWK/tQ44FyRIU4Yg==,iv:ObKf1M1qkgCltkKJX+URaPSiK5Itd3xlfBXPjf1iVak=,tag:PASR0pgBdcDYjdTZ2eEUCg==,type:str]
 swarseluser: ENC[AES256_GCM,data:e/p76dBuM7eLIrO0HBeJMs8eMCAGAklGcA==,iv:r+e9GGMDCCjh1eWnB4AJMFdMuXbVXxoLMefooq0SOlE=,tag:auRo+JnwH+EardJQbKek0A==,type:str]
+kanidm-forgejo-client: ENC[AES256_GCM,data:LuOFq+bj9TIbaN6Arz/etcjEO0WnjswJNw==,iv:eqACcjjr7usTl7Dv8HTqH53cHDa0+HV5IYN8Rh5aChg=,tag:upBfWOUOEoZRPgUtlMZE4Q==,type:str]
 sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
 age:
 - recipient: age1glge4e97vgqzh332mqs5990vteezu2m8k4wq3z35jk0q8czw3gks2d7a3h
 enc: |
@@ -16,8 +13,8 @@ sops: cUUxYkVGN0hVZ3UrNHdmSXBQbVpkNTQK7yfeX133PekxsK/2BXxsx0pxmWBcZkZY UO4ZHCcZQQKMg22BY/3pPz/Ui+uUfZ7AIdLjQb6WQvUbmgz5Lb0M9w== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-16T17:08:33Z" - mac: ENC[AES256_GCM,data:+2WUsrKqCEviPWhNo+Rx818gkaVLJUsCnnR+kdCgIQ0il9I3Kc3e8ZdA1TYX0cIe8D3pGswBx0PecnNiduSeVMAQL65AFUSzFbX9OA03Xs+SVVpmfuzK1xaRNRrl4ILsGyQV+qHGSjVHILoEM+r4rBQ/iwQV9zj6Px9Zs8qdVcY=,iv:Qlm1LXXmE+y96JP55dsKELgDcyz7+Hm1HbOXktsyzuI=,tag:C6TWZSgpw/wX2jGC8/kmjg==,type:str] + lastmodified: "2025-06-09T14:53:33Z" + mac: ENC[AES256_GCM,data:SphJHK+OP0IyBWAAr5FDWhg7VBdD8isL0QsswGI6bpSV/7FTRpd6Ehp+kvmCPcdTwpQlmVIyA5r7DpL0F+F0BQGFtMDnESXVldmsBVpvYL/Q62zvlCq1hsm24tLxHbBssSCCpDNq8b5uCp3qklCQCISBYEFeI28dnFapxl5YI/g=,iv:MbMYmCqhQw9O6VdjjBULa2PBciiNk7AJzSrFTnDhMaI=,tag:2VaUX28dyxhyxYVHinESzA==,type:str] pgp: - created_at: "2024-12-17T11:38:27Z" enc: |- @@ -51,4 +48,4 @@ sops: -----END PGP MESSAGE----- fp: 4BE7925262289B476DBBC17B76FD3810215AE097 unencrypted_suffix: _unencrypted - version: 3.9.1 + version: 3.10.2 diff --git a/secrets/winters/secrets.yaml b/secrets/winters/secrets.yaml index f8d8295..582508b 100644 --- a/secrets/winters/secrets.yaml +++ b/secrets/winters/secrets.yaml 
@@ -40,6 +40,8 @@ kanidm-grafana-client: ENC[AES256_GCM,data:tV25k0XoFZ9wLF0UWvAabgigayowr3wo0g==,
 prometheusadminpass: ENC[AES256_GCM,data:NYUbSnAl0f3FUtvCjvJHFr2wMRsVsbVIeg==,iv:TP4NMwJsft8aEixxJBJCX/0I6BJVBnltFYJDKuXq1hM=,tag:yMY+KZsRjbn8ItgKgjzqSA==,type:str]
 #ENC[AES256_GCM,data:QnIF/xhWguX5tw==,iv:yTUBtPaZk6BXi+SC1P/OOtnc2x9UZ/jXirD5oaxhyQY=,tag:c33L5r5BaPZN6zkwduBCwQ==,type:comment]
 fresh: ENC[AES256_GCM,data:aPF8D96BvgDXhcc=,iv:Ubq3/sUmBipRanLgkAXXeAfXAz51AuR+NojMifsy8S0=,tag:mHf0YYYxulLXAIByqmnOsA==,type:str]
+#ENC[AES256_GCM,data:+lbLElpVOYo=,iv:DaVuudlnW+vy2PZOs9eiwZhOyILnqEX9KUehFlX2gWE=,tag:lvM6r0JM0DZir4y7iVTeKg==,type:comment]
+kanidm-forgejo-client: ENC[AES256_GCM,data:pitJ6re5xm2w1MSs5Ul7Tl1/H1KSR7Ps7w==,iv:4k8/cxpLqWxCgJuk/y9K3OAMCkzu8gb8CDxY+gUuOvg=,tag:OocTFS54teDUfHaHAHZiHw==,type:str]
 #ENC[AES256_GCM,data:Ur0/rfBv5g==,iv:eH+KbbkmtBWbobqAIUFF0jIrGhbHnk9g8hLZoxE3swI=,tag:3dnoA+O5GXW5Dvxcx4jiTw==,type:comment]
 resticpw: ENC[AES256_GCM,data:0oHhUFH+2W7FONA=,iv:jT6o3H4pIkGTANriDVCBvnOsc/XITEGCayb6A86NlGg=,tag:qU3tAvIWFSFIf1krWAJ0+Q==,type:str]
 resticaccesskey: ENC[AES256_GCM,data:3EshJOZpoHqGrKdERYBtUcQZ6taZEe8PBA==,iv:3np3ASFhJrYT1ig3uSpb48lSdZOFl9kFyLJSkYHBnqo=,tag:TqjgnO1XRPZUGjLI20FqUg==,type:str]
@@ -62,8 +64,8 @@ sops: MEZ1UWw3alF1WnJZMFZvMFBpbDFJZlUKGRnoEEgjgJ9SSblmldtY6d8MdAy01yxl qkvEIoXbL+ky2ira7EgjD0legThzCnmlXUlcSn3SpwbkAGgcfd2kWA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-09T02:48:48Z" - mac: ENC[AES256_GCM,data:hHoWSuoIweKC/l/27aTOtn6A3qvlsFpHjoCnx2QtQrSUKvaHCeGnnv9U71hK56GW2OyL9fEfjfTNn7fZR5jQnjlZrwQAtFiXDaUMKT90QtHsZj87RBYmGKLdSpOSGrnimywGivAbJp2yWLQ8WnwnD0LwkYpylSUFOgiGD5W62cA=,iv:QYqCcbfL4x310InrMtTY8gdUpgqxcB85nbBKHLFltLA=,tag:fIV7PAY7hJCTEkEWcoq15g==,type:str] + lastmodified: "2025-06-09T14:21:21Z" + mac: ENC[AES256_GCM,data:6CPsA5krx40G1FoKNQsOFvw3KPX5orSmtYeXeLj0PuDP6l+Pus6LNGxhMyLkL5b/QUx/48ocFwFguRjvREH/qh7K0p6+QJgcJHzE7VLAQw7vZA9m2MB3d3z4LlC7YSUrqlTd67BOt68Jdf1/jpvf71YYcWMC1v1pcVmsoQTR4S4=,iv:ZqO+gqrJLp/XgLzyxE3/zV6Ef9HY2ICgd5vX1CSDVGs=,tag:zsP2y46vscb9xnfWIwiPKw==,type:str] pgp: - created_at: "2024-12-17T16:24:32Z" enc: |-