feat[work,server,client]: add opkssh

This commit is contained in:
Leon Schwarzäugl 2025-11-04 15:45:52 +01:00
parent 3b368ec8de
commit c9e7e493d8
Signed by: swarsel
GPG key ID: 26A54C31F2A4FD84
14 changed files with 604 additions and 340 deletions


@ -135,6 +135,7 @@ in
"firefly.access" = { };
"radicale.access" = { };
"slink.access" = { };
"opkssh.access" = { };
};
inherit (config.repo.secrets.local) persons;
@ -229,6 +230,23 @@ in
};
};
};
opkssh = {
displayName = "OPKSSH";
originUrl = [
"http://localhost:3000"
"http://localhost:3000/login-callback"
"http://localhost:10001/login-callback"
"http://localhost:11110/login-callback"
];
originLanding = "http://localhost:3000";
public = true;
enableLocalhostRedirects = true;
scopeMaps."opkssh.access" = [
"openid"
"email"
"profile"
];
};
oauth2-proxy = {
displayName = "Oauth2-Proxy";
originUrl = "https://${oauth2ProxyDomain}/oauth2/callback";
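Review bot: The redirect list at lines 28–33 registers the bare origin `http://localhost:3000` next to the three `/login-callback` URLs, but as far as I can tell the opkssh client only ever receives the authorization code on a callback path, so the bare entry widens the set of accepted redirect targets with no consumer; dropping it and letting `originLanding` cover the landing page is the tighter configuration. Since this is a `public = true` client with `enableLocalhostRedirects = true`, any process on the user's machine can start a flow and listen on these ports, and PKCE is the only thing binding the returned code to the initiating client, so keep Kanidm's default PKCE enforcement for this client and do not enable its insecure PKCE-disable option. The `opkssh` attribute is added inside an attribute set whose start lies outside the hunk.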


@ -0,0 +1,38 @@
{ lib, config, globals, ... }:
let
serviceName = "opkssh";
serviceUser = "opksshuser";
serviceGroup = serviceUser;
kanidmDomain = globals.services.kanidm.domain;
inherit (config.swarselsystems) mainUser;
inherit (config.repo.secrets.local) persons;
in
{
options.swarselmodules.server.${serviceName} = lib.mkEnableOption "enable ${serviceName} on server";
config = lib.mkIf config.swarselmodules.server.${serviceName} {
services.${serviceName} = {
enable = true;
user = serviceUser;
group = serviceGroup;
providers = {
kanidm = {
lifetime = "oidc";
issuer = "https://${kanidmDomain}/oauth2/openid/${serviceName}";
clientId = serviceName;
};
};
authorizations = [
{
user = mainUser;
principal = builtins.head persons.${mainUser}.mailAddresses;
inherit (config.services.opkssh.providers.kanidm) issuer;
}
];
};
};
}
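Review bot: The authorization at lines 73–79 binds SSH access for `mainUser` to whatever address happens to be first in `persons.${mainUser}.mailAddresses`, so reordering that secrets list silently changes which identity may log in as that user. A comment on the `principal` line, `# must equal the email claim Kanidm issues for this account; list order in mailAddresses is load-bearing`, would make that explicit, or map every address to its own authorization entry if all of them are legitimate identities for this account. The `issuer` also has to match the `iss` claim Kanidm emits byte-for-byte, which presumably is `https://<kanidmDomain>/oauth2/openid/opkssh`; worth confirming against the discovery document once deployed. `lifetime = "oidc"` ties SSH login validity to the ID token's expiry, which is the intended bound here if I read the opkssh provider policy correctly.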


@ -76,9 +76,15 @@ in
};
};
systemd.tmpfiles.rules = [
"d ${cfg.settings.storage.filesystem_folder} 0750 ${serviceUser} ${serviceGroup} - -"
];
systemd.tmpfiles.settings."10-radicale" = {
"${cfg.settings.storage.filesystem_folder}" = {
d = {
group = serviceGroup;
user = serviceUser;
mode = "0750";
};
};
};
networking.firewall.allowedTCPPorts = [ servicePort ];


@ -48,13 +48,25 @@ in
];
};
systemd.tmpfiles.rules = [
"d ${serviceDir}/data 0750 1001 root - -"
"d ${serviceDir}/data/cache 0750 1001 root - -"
"d ${serviceDir}/data/locks 0750 1001 root - -"
"d ${serviceDir}/data/log 0750 1001 root - -"
"d ${serviceDir}/data/proxies 0750 1001 root - -"
];
systemd.tmpfiles.settings."11-shlink" = builtins.listToAttrs (
map
(path: {
name = "${serviceDir}/${path}";
value = {
d = {
group = "root";
user = "1001";
mode = "0750";
};
};
}) [
"${serviceDir}/data"
"${serviceDir}/data/cache"
"${serviceDir}/data/locks"
"${serviceDir}/data/log"
"${serviceDir}/data/proxies"
]
);
networking.firewall.allowedTCPPorts = [ servicePort ];
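Review bot: The `name` at line 118 prepends `${serviceDir}/` to list entries that already begin with `${serviceDir}` (lines 127–131), so the tmpfiles entries are created at `${serviceDir}/${serviceDir}/data…` rather than the paths the removed `rules` lines created, and the real data directories no longer get their 0750 / uid 1001 ownership. Change line 118 to `name = path;`, or trim the list to `"data"`, `"data/cache"`, `"data/locks"`, `"data/log"`, `"data/proxies"` so the prefixing is done once. The enclosing config attribute set starts outside the hunk.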


@ -29,10 +29,22 @@ in
];
};
systemd.tmpfiles.rules = [
"d ${serviceDir}/var/data 0750 root root - -"
"d ${serviceDir}/images 0750 root root - -"
];
systemd.tmpfiles.settings."12-slink" = builtins.listToAttrs (
map
(path: {
name = "${serviceDir}/${path}";
value = {
d = {
group = "root";
user = "root";
mode = "0750";
};
};
}) [
"${serviceDir}/var/data"
"${serviceDir}/images"
]
);
networking.firewall.allowedTCPPorts = [ servicePort ];
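Review bot: The same prefix doubling as in the shlink module appears here: `name = "${serviceDir}/${path}"` at line 148 is applied to list entries that already start with `${serviceDir}` (lines 157–158), so the directories end up under `${serviceDir}/${serviceDir}/…` and the intended `var/data` and `images` directories are never created with 0750 root ownership. Change line 148 to `name = path;`, or list `"var/data"` and `"images"` without the `${serviceDir}` prefix. The enclosing config attribute set starts outside the hunk.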