


5 changed files with 127 additions and 43 deletions

flake.lock generated

@ -86,17 +86,18 @@
}, },
"firefox-addons": { "firefox-addons": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": [ "nixpkgs": [
"nixpkgs-unstable" "nixpkgs-unstable"
] ]
}, },
"locked": { "locked": {
"dir": "pkgs/firefox-addons", "dir": "pkgs/firefox-addons",
"lastModified": 1744010161, "lastModified": 1742097805,
"narHash": "sha256-6PNBLb/YXVlx2YaDqtljQYpk2MlE0VRjGXcEg1RN/qw=", "narHash": "sha256-N3/7llBZ93Itf7ndnNtEm7lPoMqSC57B/PNaMB6cL1Q=",
"owner": "rycee", "owner": "rycee",
"repo": "nur-expressions", "repo": "nur-expressions",
"rev": "60f50437003e17137a871686dfa3fc4291edd5e5", "rev": "5a0ac85616aa6b166ea715a41bc1255bb802b189",
"type": "gitlab" "type": "gitlab"
}, },
"original": { "original": {
@ -112,11 +113,11 @@
"nixpkgs-lib": "nixpkgs-lib" "nixpkgs-lib": "nixpkgs-lib"
}, },
"locked": { "locked": {
"lastModified": 1743550720, "lastModified": 1741352980,
"narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=", "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
"owner": "hercules-ci", "owner": "hercules-ci",
"repo": "flake-parts", "repo": "flake-parts",
"rev": "c621e8422220273271f52058f618c94e405bb0f5", "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -141,6 +142,21 @@
} }
}, },
"flake-utils_2": { "flake-utils_2": {
"locked": {
"lastModified": 1629284811,
"narHash": "sha256-JHgasjPR0/J1J3DRm4KxM4zTyAj4IOJY8vIl75v/kPI=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c5d161cc0af116a2e17f54316f0bf43f0819785c",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_3": {
"inputs": { "inputs": {
"systems": "systems_2" "systems": "systems_2"
}, },
@ -180,11 +196,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1743808813, "lastModified": 1739757849,
"narHash": "sha256-2lDQBOmlz9ggPxcS7/GvcVdzXMIiT+PpMao6FbLJSr0=", "narHash": "sha256-Gs076ot1YuAAsYVcyidLKUMIc4ooOaRGO0PqTY7sBzA=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "a9f8b3db211b4609ddd83683f9db89796c7f6ac6", "rev": "9d3d080aec2a35e05a15cedd281c2384767c2cfe",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -201,11 +217,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1744008831, "lastModified": 1741955947,
"narHash": "sha256-g3mHJLB8ShKuMaBBZxiGuoftJ22f7Boegiw5xBUnS8E=", "narHash": "sha256-2lbURKclgKqBNm7hVRtWh0A7NrdsibD0EaWhahUVhhY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "f463902a3f03e15af658e48bcc60b39188ddf734", "rev": "4e12151c9e014e2449e0beca2c0e9534b96a26b4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -230,7 +246,7 @@
}, },
"lix-module": { "lix-module": {
"inputs": { "inputs": {
"flake-utils": "flake-utils_2", "flake-utils": "flake-utils_3",
"flakey-profile": "flakey-profile", "flakey-profile": "flakey-profile",
"lix": "lix", "lix": "lix",
"nixpkgs": [ "nixpkgs": [
@ -238,24 +254,27 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1742943028, "lastModified": 1741892773,
"narHash": "sha256-fprwZKE1uMzO9tiWWOrmLWBW3GPkMayQfb0xOvVFIno=", "narHash": "sha256-8oUT6D7VlsuLkms3zBsUaPBUoxucmFq62QdtyVpjq0Y=",
"rev": "868d97695bab9d21f6070b03957bcace249fbe3c", "ref": "stable",
"type": "tarball", "rev": "ed7a2fa83145868ecb830d6b3c73ebfd81a9e911",
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/868d97695bab9d21f6070b03957bcace249fbe3c.tar.gz?rev=868d97695bab9d21f6070b03957bcace249fbe3c" "revCount": 130,
"type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module"
}, },
"original": { "original": {
"type": "tarball", "ref": "stable",
"url": "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0-3.tar.gz" "type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module"
} }
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1743813633, "lastModified": 1741862977,
"narHash": "sha256-BgkBz4NpV6Kg8XF7cmHDHRVGZYnKbvG0Y4p+jElwxaM=", "narHash": "sha256-prZ0M8vE/ghRGGZcflvxCu40ObKaB+ikn74/xQoNrGQ=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "7819a0d29d1dd2bc331bec4b327f0776359b1fa6", "rev": "cdd2ef009676ac92b715ff26630164bb88fec4e0",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -267,11 +286,11 @@
}, },
"nixpkgs-lib": { "nixpkgs-lib": {
"locked": { "locked": {
"lastModified": 1743296961, "lastModified": 1740877520,
"narHash": "sha256-b1EdN3cULCqtorQ4QeWgLMrd5ZGOjLSLemfa00heasc=", "narHash": "sha256-oiwv/ZK/2FhGxrCkQkB83i7GnWXPPLzoqFHpDD3uYpk=",
"owner": "nix-community", "owner": "nix-community",
"repo": "nixpkgs.lib", "repo": "nixpkgs.lib",
"rev": "e4822aea2a6d1cdd36653c134cacfd64c97ff4fa", "rev": "147dee35aab2193b174e4c0868bd80ead5ce755c",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -282,11 +301,11 @@
}, },
"nixpkgs-small": { "nixpkgs-small": {
"locked": { "locked": {
"lastModified": 1743891346, "lastModified": 1742072093,
"narHash": "sha256-QNxnxIi6PJEnwJp7ZXUpxX4/z/cmRJGeIOkIYfYh/8E=", "narHash": "sha256-2aEgxL5RSzNHWFLWEUFXZhkVEYDOuVSXQBiOonzT/Kg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "f27c6099cec4fe9b67c7fbc51d8324dcb4b52694", "rev": "f182029bf7f08a57762b4c762d0917b6803ceff4",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -298,11 +317,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1743827369, "lastModified": 1742069588,
"narHash": "sha256-rpqepOZ8Eo1zg+KJeWoq1HAOgoMCDloqv5r2EAa9TSA=", "narHash": "sha256-C7jVfohcGzdZRF6DO+ybyG/sqpo1h6bZi9T56sxLy+k=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "42a1c966be226125b48c384171c44c651c236c22", "rev": "c80f6a7e10b39afcc1894e02ef785b1ad0b0d7e5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -314,11 +333,11 @@
}, },
"nixpkgs-unstable-small": { "nixpkgs-unstable-small": {
"locked": { "locked": {
"lastModified": 1743948488, "lastModified": 1742095305,
"narHash": "sha256-uKcMmNPvGPb58MhAFru/CMDYl69nZRK3A3SLch9ejgA=", "narHash": "sha256-L8qjRx4MbX/juwbo8+4qYbqQy0MFUzUJLV5o8oujvaA=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "da98c5d529f118c82e80a3f9b4fb01fdeba3cf7a", "rev": "f985965fff9d4e5df55df0489ef113d09a6ee08d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -338,11 +357,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1742765550, "lastModified": 1740569341,
"narHash": "sha256-2vVIh2JrL6GAGfgCeY9e6iNKrBjs0Hw3bGQEAbwVs68=", "narHash": "sha256-WV8nY2IOfWdzBF5syVgCcgOchg/qQtpYh6LECYS9XkY=",
"owner": "nix-community", "owner": "nix-community",
"repo": "plasma-manager", "repo": "plasma-manager",
"rev": "b70be387276e632fe51232887f9e04e2b6ef8c16", "rev": "5eeb0172fb74392053b66a8149e61b5e191b2845",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -354,11 +373,11 @@
"randomcat": { "randomcat": {
"flake": false, "flake": false,
"locked": { "locked": {
"lastModified": 1744004743, "lastModified": 1742090267,
"narHash": "sha256-MIWwT/A4IfXmmSMCU3lVVnFJNmkXpYxcK+Fishja6XY=", "narHash": "sha256-A+pimpalPZr9Un1yJaVsc+3J71IHuAPN+NSo5MqHtzM=",
"owner": "randomnetcat", "owner": "randomnetcat",
"repo": "nix-configs", "repo": "nix-configs",
"rev": "335ef83e439cfcb4781d5a8f54f606afb63e9f48", "rev": "a448b9a9ce66f8e1d1a1de1205f384da25574c7b",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -6,8 +6,7 @@
nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small"; nixpkgs-unstable-small.url = "github:NixOS/nixpkgs/nixos-unstable-small";
lix-module = { lix-module = {
# lix haven't figured out automatic updates yet: https://git.lix.systems/lix-project/nixos-module/issues/39 url = "git+https://git.lix.systems/lix-project/nixos-module?ref=stable";
url = "https://git.lix.systems/lix-project/nixos-module/archive/2.92.0-3.tar.gz";
inputs.nixpkgs.follows = "nixpkgs"; inputs.nixpkgs.follows = "nixpkgs";
}; };
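Review bot: The new `url = "git+https://git.lix.systems/lix-project/nixos-module?ref=stable";` replaces a release-pinned tarball with a mutable branch ref, so every `nix flake update` will pull whatever upstream currently labels `stable` rather than a specific reviewed release. The lock file still pins `rev` and `narHash`, so builds remain reproducible, but the decision of when to take an upgrade moves from this repo to upstream. If that is intended, say so where the deleted comment was, e.g. `# track lix's stable branch; upgrades land via nix flake update`; otherwise keep a tag or `?rev=` in the URL. The removed comment tied the old pin to an upstream issue, and the new line does not say whether that issue was resolved.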


@ -28,6 +28,7 @@ in
randomcat.services.zfs.datasets = { randomcat.services.zfs.datasets = {
"rpool_kalessin/state" = { mountpoint = "none"; }; "rpool_kalessin/state" = { mountpoint = "none"; };
"rpool_kalessin/state/kanidm" = { mountpoint = "/var/lib/kanidm"; };
}; };
services.sanoid.datasets."rpool_kalessin/state" = { services.sanoid.datasets."rpool_kalessin/state" = {
@ -36,5 +37,10 @@ in
process_children_only = true; process_children_only = true;
}; };
fountain.services.kanidm = {
enable = true;
domain = "auth.unspecified.systems";
};
system.stateVersion = "23.11"; system.stateVersion = "23.11";
} }


@ -5,6 +5,7 @@
./distributed-builds.nix ./distributed-builds.nix
./forgejo.nix ./forgejo.nix
./jellyfin.nix ./jellyfin.nix
./kanidm.nix
./navidrome.nix ./navidrome.nix
./remote-builder.nix ./remote-builder.nix
./web-redirect.nix ./web-redirect.nix

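--- /dev/null
+++ b/services/kanidm.nix
@@ -0,0 +1,59 @@
+{ config, lib, pkgs, ... }:
+let
+inherit (lib) mkIf mkOption mkEnableOption types;
+cfg = config.fountain.services.kanidm;
+in
+{
+options.fountain.services.kanidm = {
+enable = mkEnableOption "Kanidm";
+domain = mkOption {
+type = types.str;
+};
+};
+config = mkIf cfg.enable {
+services = {
+nginx = {
+enable = true;
+virtualHosts = {
+${cfg.domain} = {
+forceSSL = true;
+useACMEHost = cfg.domain;
+locations."/".proxyPass = "https://[::1]:8443/";
+};
+};
+};
+kanidm = {
+enableClient = true; # needed for admin configuration
+enableServer = true;
+package = pkgs.kanidm_1_5;
+serverSettings = {
+bindaddress = "[::1]:8443";
+ldapbindaddress = "[::1]:636";
+origin = "https://${cfg.domain}";
+domain = cfg.domain;
+tls_chain = "${config.security.acme.certs.${cfg.domain}.directory}/fullchain.pem";
+tls_key = "${config.security.acme.certs.${cfg.domain}.directory}/key.pem";
+online_backup.versions = 7;
+trust_x_forward_for = true;
+};
+clientSettings.uri = config.services.kanidm.serverSettings.origin; # doesn't like connecting through localhost - wants hostname to match
+};
+};
+security.acme.certs.${cfg.domain} = {
+webroot = "/var/lib/acme/acme-challenge";
+group = "acme_${cfg.domain}";
+reloadServices = [ "kanidm.service" ];
+};
+users.groups."acme_${cfg.domain}".members = [
+"kanidm"
+config.services.nginx.user
+];
+networking.firewall.allowedTCPPorts = [ 80 443 636 ];
+};
+}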
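Review bot: `trust_x_forward_for = true;` in serverSettings is enabled while the nginx virtualHost only declares `locations."/".proxyPass` and sets neither `recommendedProxySettings` nor a `proxy_set_header X-Forwarded-For`, so as far as this file shows nginx will relay whatever `X-Forwarded-For` the client supplied and kanidm will log and act on a client-chosen source address. Either add `recommendedProxySettings = true;` next to `enable = true;` in the nginx block so the proxy overwrites the header with the real peer address, or leave `trust_x_forward_for` off until it does. Separately, `networking.firewall.allowedTCPPorts = [ 80 443 636 ];` opens LDAP even though `ldapbindaddress = "[::1]:636"` only listens on loopback, so the rule does nothing today and would silently expose LDAP if the bind address is later widened; drop 636 or bind LDAP deliberately. I have not checked what headers this nixpkgs revision's nginx module emits by default for a bare `proxyPass`, so confirm before relying on the header.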