From 79701acc77beb61b08af9cdf4b6c76f3098bd842 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 3 Aug 2025 22:57:21 +0200 Subject: [PATCH 01/10] fix auto login --- modules/home/default.nix | 3 ++- modules/home/terminal/ghostty/default.nix | 1 + modules/nixos/desktop/default.nix | 6 ------ modules/nixos/hardware/bluetooth/default.nix | 3 +++ systems/x86_64-linux/manwe/default.nix | 6 ++++++ 5 files changed, 12 insertions(+), 7 deletions(-) diff --git a/modules/home/default.nix b/modules/home/default.nix index e3185e0..6dc81b5 100644 --- a/modules/home/default.nix +++ b/modules/home/default.nix @@ -37,11 +37,12 @@ in { config = { home.sessionVariables = { + SHELL = cfg.shell; EDITOR = cfg.editor; TERMINAL = cfg.terminal; BROWSER = cfg.browser; }; - # home.shell = pkgs.${cfg.shell}; + # users.defaultUserShell = pkgs.${cfg.shell}; }; } diff --git a/modules/home/terminal/ghostty/default.nix b/modules/home/terminal/ghostty/default.nix index 00d925c..4681b53 100644 --- a/modules/home/terminal/ghostty/default.nix +++ b/modules/home/terminal/ghostty/default.nix @@ -13,6 +13,7 @@ in programs.ghostty = { enable = true; settings = { + command = config.${namespace}.defaults.shell; background-blur-radius = 20; theme = "dark:stylix,light:stylix"; window-theme = (config.${namespace}.themes.polarity or "dark"); diff --git a/modules/nixos/desktop/default.nix b/modules/nixos/desktop/default.nix index f38a28e..9fd9192 100644 --- a/modules/nixos/desktop/default.nix +++ b/modules/nixos/desktop/default.nix @@ -17,18 +17,12 @@ in example = "plasma"; description = "Which desktop to enable"; }; - - autoLogin = mkEnableOption "Enable plasma's auto login feature."; }; config = mkMerge [ ({ services.displayManager = { enable = true; - - autoLogin = mkIf cfg.autoLogin { - enable = true; - }; }; }) diff --git a/modules/nixos/hardware/bluetooth/default.nix b/modules/nixos/hardware/bluetooth/default.nix index 1b99eef..98fc678 100644 --- a/modules/nixos/hardware/bluetooth/default.nix 
+++ b/modules/nixos/hardware/bluetooth/default.nix @@ -11,6 +11,9 @@ in hardware.bluetooth = { enable = true; powerOnBoot = true; + settings = { + General.Experimental = true; # Show battery charge of Bluetooth devices + }; }; services.pipewire.wireplumber.extraConfig.bluetoothEnhancements = { diff --git a/systems/x86_64-linux/manwe/default.nix b/systems/x86_64-linux/manwe/default.nix index c333f85..76d4e6d 100644 --- a/systems/x86_64-linux/manwe/default.nix +++ b/systems/x86_64-linux/manwe/default.nix @@ -28,5 +28,11 @@ }; }; + + services.displayManager.autoLogin = { + enable = true; + user = "chris"; + }; + system.stateVersion = "23.11"; } From a8783b47097dd64ccf7767d8f61f051868af5420 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Sun, 3 Aug 2025 23:02:21 +0200 Subject: [PATCH 02/10] add some options --- modules/home/application/zen/default.nix | 21 +++++++++++++++++++++ modules/home/desktop/plasma/default.nix | 5 +++++ 2 files changed, 26 insertions(+) diff --git a/modules/home/application/zen/default.nix b/modules/home/application/zen/default.nix index 4723cc3..ad4cb92 100644 --- a/modules/home/application/zen/default.nix +++ b/modules/home/application/zen/default.nix @@ -15,5 +15,26 @@ in home.sessionVariables = { MOZ_ENABLE_WAYLAND = "1"; }; + + programs.zen-browser = { + policies = { + AutofillAddressEnabled = true; + AutofillCreditCardEnabled = false; + DisableAppUpdate = true; + DisableFeedbackCommands = true; + DisableFirefoxStudies = true; + DisablePocket = true; + DisableTelemetry = true; + # DontCheckDefaultBrowser = false; + NoDefaultBookmarks = true; + # OfferToSaveLogins = false; + EnableTrackingProtection = { + Value = true; + Locked = true; + Cryptomining = true; + Fingerprinting = true; + }; + }; + }; }; } diff --git a/modules/home/desktop/plasma/default.nix b/modules/home/desktop/plasma/default.nix index 8614a97..13476fb 100644 --- a/modules/home/desktop/plasma/default.nix +++ b/modules/home/desktop/plasma/default.nix 
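Review bot: `services.displayManager.autoLogin = { enable = true; user = "chris"; }` in manwe's default.nix starts the `chris` session at boot with no password prompt, so anyone who can power the machine on lands in that session; the `autoLogin` option removed from `modules/nixos/desktop/default.nix` in this same commit used to gate this behind `cfg.autoLogin`. Whether that is acceptable depends on things not visible here — disk encryption and an automatic screen lock are the usual compensating controls. A one-line comment above the block, such as `# unattended login on this desktop only; relies on disk encryption + screen lock (confirm on this host)`, would record the trade-off so it is not copied to a portable machine.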
@@ -20,6 +20,11 @@ in panels = import ./panels.nix; powerdevil = import ./power.nix; + kwin = { + edgeBarrier = 0; + cornerBarrier = false; + }; + session = { general.askForConfirmationOnLogout = false; sessionRestore.restoreOpenApplicationsOnLogin = "onLastLogout"; From e011b893e0299c446849f352a048e8252577263e Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 7 Aug 2025 14:09:02 +0200 Subject: [PATCH 03/10] add forgejo --- .../services/development/forgejo/default.nix | 44 +++++++++++++++++++ .../{nextcloud.nix => nextcloud/default.nix} | 0 .../media/{nfs.nix => nfs/default.nix} | 0 systems/x86_64-linux/ulmo/default.nix | 7 +++ 4 files changed, 51 insertions(+) create mode 100644 modules/nixos/services/development/forgejo/default.nix rename modules/nixos/services/media/{nextcloud.nix => nextcloud/default.nix} (100%) rename modules/nixos/services/media/{nfs.nix => nfs/default.nix} (100%) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix new file mode 100644 index 0000000..be71064 --- /dev/null +++ b/modules/nixos/services/development/forgejo/default.nix @@ -0,0 +1,44 @@ +{ config, lib, pkgs, namespace, ... }: +let + inherit (lib) mkIf mkEnableOption; + + cfg = config.${namespace}.services.development.forgejo; + svr = cfg.settings.server; +in +{ + options.${namespace}.services.development.forgejo = { + enable = mkEnableOption "Forgejo"; + }; + + config = mkIf cfg.enable { + services = { + forgejo = { + enable = true; + database.type = "postgres"; + + settings = { + server = { + # DOMAIN = ""; + HTTP_PORT = 5002; + }; + + service.DISABLE_REGISTRATION = true; + + actions = { + ENABLED = true; + DEFAULT_ACTIONS_URL = "forgejo"; + }; + }; + }; + + services.caddy = { + enable = true; + virtualHosts = { + "git.kruining.eu".extraConfig = '' + reverse_proxy http://127.0.0.1:5002 + ''; + }; + }; + }; + }; +} 
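Review bot: the new forgejo module's `server` block sets only `HTTP_PORT = 5002` while Caddy proxies to `127.0.0.1:5002`; as far as I recall Forgejo's `HTTP_ADDR` defaults to all interfaces, so port 5002 is also reachable directly and bypasses anything the proxy later puts in front of it — today that is probably only stopped by NixOS's default firewall, which is an implicit dependency. Adding `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT` pins the listener to loopback regardless of firewall state. Separately, `svr = cfg.settings.server;` in the `let` block is never used and refers to a `settings` option this module does not declare; it only survives because Nix evaluates bindings lazily, so dropping it avoids a confusing error the first time someone references it.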
diff --git a/modules/nixos/services/media/nextcloud.nix b/modules/nixos/services/media/nextcloud/default.nix similarity index 100% rename from modules/nixos/services/media/nextcloud.nix rename to modules/nixos/services/media/nextcloud/default.nix diff --git a/modules/nixos/services/media/nfs.nix b/modules/nixos/services/media/nfs/default.nix similarity index 100% rename from modules/nixos/services/media/nfs.nix rename to modules/nixos/services/media/nfs/default.nix diff --git a/systems/x86_64-linux/ulmo/default.nix b/systems/x86_64-linux/ulmo/default.nix index 7a2540f..f47c580 100644 --- a/systems/x86_64-linux/ulmo/default.nix +++ b/systems/x86_64-linux/ulmo/default.nix @@ -7,8 +7,15 @@ sneeuwvlok = { services = { + authentication.authelia.enable = true; + authentication.zitadel.enable = true; + networking.ssh.enable = true; + media.enable = true; + media.nfs.enable = true; + + development.forgejo.enable = true; }; editor = { From 043eded2497049b3592b2efef2f135a9dfa40346 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 7 Aug 2025 14:12:16 +0200 Subject: [PATCH 04/10] fix --- .../services/development/forgejo/default.nix | 21 ++++++++++++++++++- 1 file changed, 20 insertions(+), 1 deletion(-) diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index be71064..99b3a28 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix 
@@ -31,7 +31,26 @@ in }; }; - services.caddy = { + gitea-actions-runner = { + package = pkgs.forgejo-actions-runner; + instances.default = { + enable = true; + name = "monolith"; + url = "https://git.kruining.eu"; + # Obtaining the path to the runner token file may differ + # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd + tokenFile = config.age.secrets.forgejo-runner-token.path; + labels = [ + "ubuntu-latest:docker://node:16-bullseye" + "ubuntu-22.04:docker://node:16-bullseye" + "ubuntu-20.04:docker://node:16-bullseye" + "ubuntu-18.04:docker://node:16-buster" + "native:host" + ]; + }; + }; + + caddy = { enable = true; virtualHosts = { "git.kruining.eu".extraConfig = '' From f289c3663a436230042cfede11adf50f76d5b08d Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 7 Aug 2025 15:04:12 +0200 Subject: [PATCH 05/10] switch flaresolverr to systemd service --- modules/nixos/services/media/default.nix | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index 7d76794..3909cd9 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -78,6 +78,7 @@ in sonarr = serviceConf; bazarr = serviceConf; lidarr = serviceConf; + flaresolverr = serviceConf; jellyseerr = { enable = true; @@ -135,11 +136,11 @@ in backend = "podman"; containers = { - flaresolverr = { - image = "flaresolverr/flaresolverr"; - autoStart = true; - ports = [ "127.0.0.1:8191:8191" ]; - }; + # flaresolverr = { + # image = "flaresolverr/flaresolverr"; + # autoStart = true; + # ports = [ "127.0.0.1:8191:8191" ]; + # }; reiverr = { image = "ghcr.io/aleksilassila/reiverr:v2.2.0"; From f1ffa339766de95ebb61e47d074e580993b8dd03 Mon Sep 17 00:00:00 2001 
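Review bot: the `"native:host"` label in the new `gitea-actions-runner` instance lets any workflow that requests it execute its steps directly on ulmo as the runner's user, with no container boundary, on the same host that serves git, Caddy and the identity providers; unless host jobs are genuinely needed, drop that label or give it a separate, isolated runner. The `docker://node:16-*` images are an end-of-life Node line, so pinning a currently supported image keeps jobs from starting on a known-vulnerable toolchain. `tokenFile = config.age.secrets.forgejo-runner-token.path` assumes agenix, whereas the sops module elsewhere in this series reads `config.sops.secrets.*.path`; if this flake only uses sops-nix the `config.age` path will not exist, so confirm which secrets backend is in use.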
From: Chris Kruining Date: Mon, 11 Aug 2025 09:49:06 +0200 Subject: [PATCH 06/10] kaas --- .../nixos/services/authentication/authelia.nix | 17 +++++++++++++++++ .../services/development/forgejo/default.nix | 12 +++++++++++- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/modules/nixos/services/authentication/authelia.nix b/modules/nixos/services/authentication/authelia.nix index e706439..9990003 100644 --- a/modules/nixos/services/authentication/authelia.nix +++ b/modules/nixos/services/authentication/authelia.nix @@ -130,6 +130,23 @@ in scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ]; } + { + client_id = "forgejo"; + client_name = "forgejo"; + # ZPuiW2gpVV6MGXIJFk5P3EeSW8V_ICgqduF.hJVCKkrnVmRqIQXRk0o~HSA8ZdCf8joA4m_F + client_secret = "$pbkdf2-sha512$310000$CzZjvJT75bz5z7MjwxsEtg$JtOiIgaY5/HcLLxJgyX4zvsQV9jIoow0e4JdlFsk/LWRDOJ0kc.PzstlYfw7QERTXtJILoWsDqPzmvpneK5Leg"; + public = false; + require_pkce = true; + pkce_challenge_method = "S256"; + token_endpoint_auth_method = "client_secret_post"; + authorization_policy = "one_factor"; + userinfo_signed_response_alg = "none"; + consent_mode = "implicit"; + scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ]; + response_types = [ "code" ]; + grant_types = [ "authorization_code" ]; + redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ]; + } ]; }; }; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index 99b3a28..a773249 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix 
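Review bot: the comment line directly above `client_secret` in the new `forgejo` Authelia client appears to carry the plaintext value the `$pbkdf2-sha512$...` digest below was derived from, so the secret is now in git history in clear text even though Authelia only needs the hash. Delete that comment line, treat the value as compromised, issue a fresh secret to the Forgejo side through the secrets manager used elsewhere in the repo, and replace the hash accordingly; rewriting history is optional once it is rotated. The `redirect_uris` entry is `http://localhost:5002/user/oauth2/authelia/callback`; once Forgejo's `ROOT_URL` becomes the public https domain (PATCH 07 sets it to `https://git.kruining.eu/`), the callback Forgejo sends will no longer match and Authelia will reject the flow, so this list will need the `https://git.kruining.eu/user/oauth2/authelia/callback` form.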
@@ -22,12 +22,20 @@ in HTTP_PORT = 5002; }; - service.DISABLE_REGISTRATION = true; + service = { + DISABLE_REGISTRATION = true; + ALLOW_ONLY_EXTERNAL_REGISTRATION = false; + SHOW_REGISTRATION_BUTTON = false; + }; actions = { ENABLED = true; DEFAULT_ACTIONS_URL = "forgejo"; }; + + session = { + COOKIE_SECURE = true; + }; }; }; @@ -54,6 +62,8 @@ in enable = true; virtualHosts = { "git.kruining.eu".extraConfig = '' + import auth + reverse_proxy http://127.0.0.1:5002 ''; }; From 30f17f692c3b58cea67b653a129a0ac246da50b6 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Wed, 13 Aug 2025 08:50:26 +0200 Subject: [PATCH 07/10] fix various bugs --- .../{authelia.nix => authelia/default.nix} | 0 .../nixos/services/authentication/default.nix | 1 - .../default.nix} | 0 .../{zitadel.nix => zitadel/default.nix} | 3 +- .../services/development/forgejo/default.nix | 51 ++++++++++--------- modules/nixos/services/media/default.nix | 6 ++- .../services/media/nextcloud/default.nix | 4 +- modules/nixos/services/media/nfs/default.nix | 4 +- .../nixos/system/security/sops/default.nix | 2 +- .../nixos/system/security/sudo/default.nix | 5 +- 10 files changed, 40 insertions(+), 36 deletions(-) rename modules/nixos/services/authentication/{authelia.nix => authelia/default.nix} (100%) delete mode 100644 modules/nixos/services/authentication/default.nix rename modules/nixos/services/authentication/{himmelblau.nix => himmelblau/default.nix} (100%) rename modules/nixos/services/authentication/{zitadel.nix => zitadel/default.nix} (93%) diff --git a/modules/nixos/services/authentication/authelia.nix b/modules/nixos/services/authentication/authelia/default.nix similarity index 100% rename from modules/nixos/services/authentication/authelia.nix rename to modules/nixos/services/authentication/authelia/default.nix diff --git a/modules/nixos/services/authentication/default.nix b/modules/nixos/services/authentication/default.nix deleted file mode 100644 index c157af7..0000000 
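Review bot: `import auth` placed before `reverse_proxy` in the `git.kruining.eu` vhost applies the Authelia snippet (not visible here) to every path; if that snippet is an unconditional forward_auth, non-browser clients — `git clone`/`push` over HTTPS, the Actions runner, API tokens — get the portal redirect instead of Forgejo's own authentication. If that is intended, a comment saying so would help; otherwise the usual shape is to scope the forward_auth to the UI and leave `/api/`, the `*.git` endpoints and the `/user/oauth2/` callback registered in the Authelia client to Forgejo. In the same hunk, `ALLOW_ONLY_EXTERNAL_REGISTRATION = false` beside `DISABLE_REGISTRATION = true` means Authelia-authenticated users cannot be auto-created in Forgejo, so confirm that accounts are meant to be created by an admin first.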
--- a/modules/nixos/services/authentication/default.nix +++ /dev/null @@ -1 +0,0 @@ -{ ... }: {} diff --git a/modules/nixos/services/authentication/himmelblau.nix b/modules/nixos/services/authentication/himmelblau/default.nix similarity index 100% rename from modules/nixos/services/authentication/himmelblau.nix rename to modules/nixos/services/authentication/himmelblau/default.nix diff --git a/modules/nixos/services/authentication/zitadel.nix b/modules/nixos/services/authentication/zitadel/default.nix similarity index 93% rename from modules/nixos/services/authentication/zitadel.nix rename to modules/nixos/services/authentication/zitadel/default.nix index 6142857..1422b4f 100644 --- a/modules/nixos/services/authentication/zitadel.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -21,7 +21,8 @@ in zitadel = { enable = true; openFirewall = true; - masterKeyFile = config.sops.secrets."zitadel/masterKey".path; + # masterKeyFile = config.sops.secrets."zitadel/masterKey".path; + masterKeyFile = "/var/lib/zitadel/master_key"; tlsMode = "external"; settings = { Port = 9092; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index a773249..baa70cb 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -3,7 +3,7 @@ let inherit (lib) mkIf mkEnableOption; cfg = config.${namespace}.services.development.forgejo; - svr = cfg.settings.server; + domain = "git.kruining.eu"; in { options.${namespace}.services.development.forgejo = { @@ -18,7 +18,8 @@ in settings = { server = { - # DOMAIN = ""; + DOMAIN = domain; + ROOT_URL = "https://${domain}/"; HTTP_PORT = 5002; }; @@ -28,10 +29,10 @@ in SHOW_REGISTRATION_BUTTON = false; }; - actions = { - ENABLED = true; - DEFAULT_ACTIONS_URL = "forgejo"; - }; + # actions = { + # ENABLED = true; + # DEFAULT_ACTIONS_URL = "forgejo"; + # }; session = { COOKIE_SECURE = true; 
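Review bot: `masterKeyFile = "/var/lib/zitadel/master_key"` replaces the sops-managed secret with a plain file under the state directory, so the key that protects Zitadel's stored secrets now lives outside the repository's secret management, and nothing in this hunk provisions that file or sets its mode; the commented-out sops line reads as a workaround rather than the intended end state. Recording why the sops path was abandoned (`# TODO: sops-managed key failed because <reason>; file must exist before first start, mode 0600, owned by the zitadel service user`) and restoring the sops-backed path once the cause is found keeps the key out of ad-hoc host state that backups and other services on ulmo can read.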
@@ -39,29 +40,29 @@ in }; }; - gitea-actions-runner = { - package = pkgs.forgejo-actions-runner; - instances.default = { - enable = true; - name = "monolith"; - url = "https://git.kruining.eu"; - # Obtaining the path to the runner token file may differ - # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd - tokenFile = config.age.secrets.forgejo-runner-token.path; - labels = [ - "ubuntu-latest:docker://node:16-bullseye" - "ubuntu-22.04:docker://node:16-bullseye" - "ubuntu-20.04:docker://node:16-bullseye" - "ubuntu-18.04:docker://node:16-buster" - "native:host" - ]; - }; - }; + # gitea-actions-runner = { + # package = pkgs.forgejo-actions-runner; + # instances.default = { + # enable = true; + # name = "monolith"; + # url = "https://git.kruining.eu"; + # # Obtaining the path to the runner token file may differ + # # tokenFile should be in format TOKEN=, since it's EnvironmentFile for systemd + # tokenFile = config.age.secrets.forgejo-runner-token.path; + # labels = [ + # "ubuntu-latest:docker://node:16-bullseye" + # "ubuntu-22.04:docker://node:16-bullseye" + # "ubuntu-20.04:docker://node:16-bullseye" + # "ubuntu-18.04:docker://node:16-buster" + # "native:host" + # ]; + # }; + # }; caddy = { enable = true; virtualHosts = { - "git.kruining.eu".extraConfig = '' + ${domain}.extraConfig = '' import auth reverse_proxy http://127.0.0.1:5002 diff --git a/modules/nixos/services/media/default.nix b/modules/nixos/services/media/default.nix index 3909cd9..f76e4ae 100644 --- a/modules/nixos/services/media/default.nix +++ b/modules/nixos/services/media/default.nix @@ -78,7 +78,11 @@ in sonarr = serviceConf; bazarr = serviceConf; lidarr = serviceConf; - flaresolverr = serviceConf; + + flaresolverr = { + enable = true; + openFirewall = true; + }; jellyseerr = { enable = true; diff --git a/modules/nixos/services/media/nextcloud/default.nix b/modules/nixos/services/media/nextcloud/default.nix index 658a5b4..14d6863 100644 
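Review bot: `openFirewall = true` on `services.flaresolverr` exposes its API beyond the host — the container definition it replaces (still commented out in this file) bound it to `127.0.0.1:8191`, and FlareSolverr has no authentication of its own, so with the firewall opened anything on the LAN can use ulmo's headless browser. If the only consumers are the *arr services on the same machine, the firewall rule is unnecessary and `flaresolverr.enable = true;` alone keeps it local (assuming the service listens on loopback-reachable addresses as before — confirm). If a remote client really needs it, a comment naming that client would justify the rule.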
--- a/modules/nixos/services/media/nextcloud/default.nix +++ b/modules/nixos/services/media/nextcloud/default.nix @@ -6,7 +6,7 @@ let cfg = config.${namespace}.services.media.nextcloud; in { - options.modules.services.nextcloud = { + options.${namespace}.services.media.nextcloud = { enable = mkEnableOption "Nextcloud"; user = mkOption { @@ -40,7 +40,7 @@ in services.nextcloud = { enable = true; - webserver = "caddy"; + # webserver = "caddy"; package = pkgs.nextcloud31; hostName = "localhost"; diff --git a/modules/nixos/services/media/nfs/default.nix b/modules/nixos/services/media/nfs/default.nix index 7674e69..54b58e7 100644 --- a/modules/nixos/services/media/nfs/default.nix +++ b/modules/nixos/services/media/nfs/default.nix @@ -2,10 +2,10 @@ let inherit (lib) mkIf mkEnableOption; - cfg = config.${namespace}.media.nfs; + cfg = config.${namespace}.services.media.nfs; in { - options.${namespace}.media.nfs = { + options.${namespace}.services.media.nfs = { enable = mkEnableOption "Enable NFS"; }; diff --git a/modules/nixos/system/security/sops/default.nix b/modules/nixos/system/security/sops/default.nix index a75856d..68ab4ca 100644 --- a/modules/nixos/system/security/sops/default.nix +++ b/modules/nixos/system/security/sops/default.nix @@ -13,7 +13,7 @@ in environment.systemPackages = with pkgs; [ sops ]; sops = { - defaultSopsFile = ../../../../secrets/secrets.yaml; + defaultSopsFile = ../../../../../_secrets/secrets.yaml; defaultSopsFormat = "yaml"; age.keyFile = "/home/"; diff --git a/modules/nixos/system/security/sudo/default.nix b/modules/nixos/system/security/sudo/default.nix index 6dedf50..b79efbc 100644 --- a/modules/nixos/system/security/sudo/default.nix +++ b/modules/nixos/system/security/sudo/default.nix @@ -14,9 +14,8 @@ in sudo-rs = { enable = true; - extraConfig = '' - Defaults env_keep += "EDITOR PATH DISPLAY" - ''; + execWheelOnly = true; + extraConfig = ''Defaults env_keep += "EDITOR PATH DISPLAY"''; }; }; }; 
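Review bot: the rewritten `extraConfig = ''Defaults env_keep += "EDITOR PATH DISPLAY"'';` keeps `PATH` in `env_keep`, so a command run through sudo resolves its binaries via the invoking user's PATH rather than a fixed root-safe one; `execWheelOnly = true` narrows who may run sudo but not what a compromised wheel-user environment hands to it. If the aim is only to reach user-installed editors, keeping `EDITOR DISPLAY` and setting a `Defaults secure_path=...` line (or relying on sudo-rs's built-in secure path, if it has one — confirm) is the safer shape; otherwise a comment such as `# PATH kept deliberately: <reason>` would document the trade-off.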
From d305bf6cee32904ca24e09ddd27516e12a8118a4 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 14 Aug 2025 08:28:55 +0200 Subject: [PATCH 08/10] more zitadel work --- .../authentication/zitadel/default.nix | 66 +++++++++++++++---- 1 file changed, 53 insertions(+), 13 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 1422b4f..812e819 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -1,6 +1,6 @@ { config, lib, pkgs, namespace, ... }: let - inherit (lib) mkIf mkEnableOption; + inherit (lib) mkIf mkEnableOption mkForce; cfg = config.${namespace}.services.authentication.zitadel; 
@@ -26,26 +26,59 @@ in tlsMode = "external"; settings = { Port = 9092; - Database = { - Host = "/run/postgresql"; - # Zitadel will report error if port is not set - Port = 5432; - Database = db_name; - User.Username = db_user; - }; - }; - steps = { - TestInstance = { - InstanceName = "Zitadel test"; + ExternalDomain = "kruining.eu"; + ExternalPort = 443; + + DefaultInstance = { + LoginPolicy.AllowRegister = false; Org = { - Name = "Kruining.eu"; + Name = "Zitadel"; Human = { UserName = "admin"; + FirstName = "Ad"; + LastName = "Min"; + Email = { + Address = "admin@kaas.nl"; + Verified = true; + }; Password = "kaas"; }; }; }; + + Database.postgres = { + Host = "localhost"; + # Zitadel will report error if port is not set + Port = 5432; + Database = db_name; + User = { + Username = db_user; + SSL.Mode = "disable"; + }; + Admin = { + Username = "postgres"; + SSL.Mode = "disable"; + }; + }; }; + # steps = { + # FirstInstance = { + # InstanceName = "Zitadel"; + # Org = { + # Name = "Zitadel"; + # Human = { + # UserName = "admin@zitadel.kruining.eu"; + # FirstName = "Ad"; + # LastName = "Min"; + # Email = { + # Address = "admin@kaas.nl"; + # Verified = true; + # }; + # Password = "kaas"; + # }; + # }; + # }; + # }; }; postgresql = { @@ -57,6 +90,13 @@ in ensureDBOwnership = true; } ]; + authentication = mkForce '' + # Generated file, do not edit! + # TYPE DATABASE USER ADDRESS METHOD + local all all trust + host all all 127.0.0.1/32 trust + host all all ::1/128 trust + ''; }; caddy = { From 7c6c566798ed878d2d2130aae445b6a89f65b523 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 14 Aug 2025 09:38:43 +0200 Subject: [PATCH 09/10] FINALLY, I'm in! --- .../authentication/zitadel/default.nix | 56 +++++++------------ 1 file changed, 20 insertions(+), 36 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 812e819..94915e1 100644 
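Review bot: `Password = "kaas"` for the bootstrap admin in `DefaultInstance.Org.Human` is a literal credential committed to the repository, and PATCH 09 replaces it with another literal in `steps.FirstInstance` rather than removing it, so both now sit in history. Zitadel's first-instance configuration also accepts `PasswordChangeRequired = true` on the human block, and if this nixpkgs' zitadel module offers a runtime-loaded steps file option, the human block belongs there with the password supplied from a sops secret. `Admin.Username = "postgres"` with `SSL.Mode = "disable"` on both the user and admin sides means Zitadel runs its setup as the database superuser over plaintext on localhost; that is a common Zitadel bootstrap shape, but a short comment noting it is deliberate would help.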
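Review bot: the `mkForce`d `authentication` block grants `trust` to every database and every user — including the `postgres` superuser the `Admin` block uses — for all `local` and loopback `host` connections, so any local process or account on ulmo can open a superuser session with no credential. Narrowing it to what Zitadel needs, `peer` on the `local` line for the service user and `scram-sha-256` with a secret-backed password on the `host` lines (or at least restricting the `trust` lines to the zitadel database and users), keeps a compromise of any other service on this host from becoming a database takeover. `mkForce` also silently discards the NixOS module's default rules, which deserves a comment such as `# replaces the module defaults: zitadel needs superuser access during setup (see Admin above)`.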
--- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix @@ -26,25 +26,9 @@ in tlsMode = "external"; settings = { Port = 9092; - ExternalDomain = "kruining.eu"; + ExternalDomain = "auth-z.kruining.eu"; ExternalPort = 443; - - DefaultInstance = { - LoginPolicy.AllowRegister = false; - Org = { - Name = "Zitadel"; - Human = { - UserName = "admin"; - FirstName = "Ad"; - LastName = "Min"; - Email = { - Address = "admin@kaas.nl"; - Verified = true; - }; - Password = "kaas"; - }; - }; - }; + ExternalSecure = true; Database.postgres = { Host = "localhost"; @@ -61,24 +45,24 @@ in }; }; }; - # steps = { - # FirstInstance = { - # InstanceName = "Zitadel"; - # Org = { - # Name = "Zitadel"; - # Human = { - # UserName = "admin@zitadel.kruining.eu"; - # FirstName = "Ad"; - # LastName = "Min"; - # Email = { - # Address = "admin@kaas.nl"; - # Verified = true; - # }; - # Password = "kaas"; - # }; - # }; - # }; - # }; + steps = { + FirstInstance = { + InstanceName = "auth-z.kruining.eu"; + Org = { + Name = "Default"; + Human = { + UserName = "chris"; + FirstName = "Chris"; + LastName = "Kruining"; + Email = { + Address = "chris@kruining.eu"; + Verified = true; + }; + Password = "KaasIsAwesome1!"; + }; + }; + }; + }; }; postgresql = { From 06ad805206e5af2deb0dca62a954902fa76efd63 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Thu, 14 Aug 2025 15:33:27 +0200 Subject: [PATCH 10/10] got zitadel and forgejo mostly up and running --- .../authentication/zitadel/default.nix | 16 +++++----- .../services/development/forgejo/default.nix | 31 +++++++++++++++++-- 2 files changed, 37 insertions(+), 10 deletions(-) diff --git a/modules/nixos/services/authentication/zitadel/default.nix b/modules/nixos/services/authentication/zitadel/default.nix index 94915e1..aa1a0dd 100644 --- a/modules/nixos/services/authentication/zitadel/default.nix +++ b/modules/nixos/services/authentication/zitadel/default.nix 
@@ -90,14 +90,14 @@ in reverse_proxy h2c://127.0.0.1:9092 ''; }; - # extraConfig = '' - # (auth) { - # forward_auth h2c://127.0.0.1:9092 { - # uri /api/authz/forward-auth - # copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - # } - # } - # ''; + extraConfig = '' + (auth-z) { + forward_auth h2c://127.0.0.1:9092 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + } + ''; }; }; diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix index baa70cb..5342b56 100644 --- a/modules/nixos/services/development/forgejo/default.nix +++ b/modules/nixos/services/development/forgejo/default.nix @@ -11,24 +11,47 @@ in }; config = mkIf cfg.enable { + environment.systemPackages = with pkgs; [ forgejo ]; + services = { forgejo = { enable = true; + useWizard = false; database.type = "postgres"; settings = { + DEFAULT = { + APP_NAME = "Chris' Forge"; + }; + server = { DOMAIN = domain; ROOT_URL = "https://${domain}/"; HTTP_PORT = 5002; }; + security = { + PASSWORD_HASH_ALGO = "argon2"; + }; + service = { + REQUIRE_SIGNIN_VIEW = true; # must be signed in to see anything DISABLE_REGISTRATION = true; - ALLOW_ONLY_EXTERNAL_REGISTRATION = false; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; SHOW_REGISTRATION_BUTTON = false; }; + openid = { + ENABLE_OPENID_SIGNIN = true; + ENABLE_OPENID_SIGNUP = true; + WHITELISTED_URIS = "https://auth-z.kruining.eu"; + }; + + oauth2_client = { + ENABLE_AUTO_REGISTRATION = true; + UPDATE_AVATAR = true; + }; + # actions = { # ENABLED = true; # DEFAULT_ACTIONS_URL = "forgejo"; @@ -63,7 +86,11 @@ in enable = true; virtualHosts = { ${domain}.extraConfig = '' - import auth + # import auth-z + + # stupid dumb way to prevent the login page and go to zitadel instead + # be aware that this does not disable local login at all! + rewrite /user/login /user/oauth2/Zitadel reverse_proxy http://127.0.0.1:5002 '';
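Review bot: `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` is now set alongside `DISABLE_REGISTRATION = true`, and as I recall the Gitea/Forgejo `[service]` documentation says the former only takes effect when registration is not disabled, so `oauth2_client.ENABLE_AUTO_REGISTRATION = true` may still not create accounts for Zitadel users on first login — confirm with a fresh user, and once it works a comment saying which flag does the job will save the next reader the same question. The new `openid` block configures Forgejo's legacy OpenID 2.0 sign-in, not OIDC; Zitadel is wired through `oauth2_client`, so `ENABLE_OPENID_SIGNUP = true` with `WHITELISTED_URIS` most likely does nothing useful here and could be dropped (confirm). The `rewrite /user/login /user/oauth2/Zitadel` line, as its own comment says, does not turn local password login off server-side; if SSO-only is the goal, document that local accounts remain a login path and keep the admin's local credential strong.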