chore:update flake

2026-04-14 13:19:09 +02:00 · 2026-02-03 13:00:32 +01:00 · 2026-02-03 13:00:32 +01:00 · a343de7a90
commit a343de7a90
parent 52554d4f92
11 changed files with 204 additions and 176 deletions
--- a/modules/nixos/server/firezone.nix
+++ b/modules/nixos/server/firezone.nix
@ -345,6 +345,10 @@ in
              };
            };

+            environment.persistence."/persist".directories = lib.mkIf nodeCfg.swarselsystems.isImpermanence [
+              { directory = "${serviceDir}-gateway"; mode = "0700"; }
+            ];
+
            boot.kernel.sysctl = {
              "net.core.wmem_max" = 16777216;
              "net.core.rmem_max" = 134217728;
@ -366,8 +370,8 @@ in
        ${idmServer} =
          let
            nodeCfg = nodes.${idmServer}.config;
-            accountId = "6b3c6ba7-5240-4684-95ce-f40fdae45096";
-            externalId = "08d714e9-1ab9-4133-a39d-00e843a960cc";
+            accountId = "3e996ad9-c100-40e8-807a-282a5c5e8b6c";
+            externalId = "31e7f702-28a7-4bbc-9690-b6db9d4a162a";
          in
          {
            sops.secrets.kanidm-firezone = { inherit (nodeCfg.swarselsystems) sopsFile; owner = "kanidm"; group = "kanidm"; mode = "0440"; };
--- a/modules/nixos/server/oauth2-proxy.nix
+++ b/modules/nixos/server/oauth2-proxy.nix
@ -1,4 +1,4 @@
-{ lib, config, globals, dns, confLib, ... }:
+{ lib, config, pkgs, globals, dns, confLib, ... }:
 let
  inherit (confLib.gen { name = "oauth2-proxy"; port = 3004; }) servicePort serviceName serviceUser serviceGroup serviceDomain serviceAddress proxyAddress4 proxyAddress6;
  inherit (confLib.static) isHome isProxied webProxy homeWebProxy dnsServer homeProxyIf webProxyIf oauthServer nginxAccessRules homeServiceAddress;
@ -165,6 +165,7 @@ in
    services = {
      ${serviceName} = {
        enable = true;
+        package = pkgs.dev.oauth2-proxy;
        cookie = {
          domain = ".${mainDomain}";
          secure = true;
@ -176,13 +177,16 @@ in
        httpAddress = "0.0.0.0:${builtins.toString servicePort}";
        redirectURL = "https://${serviceDomain}/oauth2/callback";
        setXauthrequest = true;
+        upstream = [
+          "static://202"
+        ];
+
        extraConfig = {
          code-challenge-method = "S256";
          whitelist-domain = ".${mainDomain}";
          set-authorization-header = true;
          pass-access-token = true;
          skip-jwt-bearer-tokens = true;
-          upstream = "static://202";
          oidc-issuer-url = "https://${kanidmDomain}/oauth2/openid/oauth2-proxy";
          provider-display-name = "Kanidm";
        };