From 7d59f3cdb1053f2b277cbca2d699654e071405cc Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Sun, 20 Jul 2025 15:18:39 +0200 Subject: [PATCH 01/14] server zitadel: init --- secrets/default.nix | 1 + secrets/secrets.nix | 1 + secrets/zitadel.age | 15 +++++++++++++++ system/server/default.nix | 1 + system/server/zitadel.nix | 26 ++++++++++++++++++++++++++ 5 files changed, 44 insertions(+) create mode 100644 secrets/zitadel.age create mode 100644 system/server/zitadel.nix diff --git a/secrets/default.nix b/secrets/default.nix index 99356d8..3aa47f4 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -36,5 +36,6 @@ in { # else "root"; file = ./mail-admin.age; }; + zitadel.file = ./zitadel.age; }; } diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 2db3699..1ed79c2 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -20,4 +20,5 @@ in { "matrix-registration.age".publicKeys = keys; "cloudflare-acme.age".publicKeys = keys; "mail-admin.age".publicKeys = keys; + "zitadel.age".publicKeys = keys; } diff --git a/secrets/zitadel.age b/secrets/zitadel.age new file mode 100644 index 0000000..9a647df --- /dev/null +++ b/secrets/zitadel.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 GQzYWA fz19CbZPbHDcTz3uKZwJPn5ZN4cvl7GcED5eG0D+ElM +HHCdqkDUcqK4Oo+AGp04q3nVJs2KpeIM3ZwKwOsPWYo +-> ssh-ed25519 MfR7VA IXjIOdECEgdKvxs3K2lYVhqHa6IbGYhciFlPamEl9AQ +HVDNbo0Y8rAHy2nUiiP11XKcJ5AdEGhQQt30GCdve1E +-> ssh-ed25519 +cvRTg ipfUrJdALMna/5EQfLzAo28r65e1W62P5FzSxqSkYCI +qzhYJjzB6NsHa0obHsyD3nylsucBcIcWFcJ8g/P1HHo +-> ssh-ed25519 WCPLrA fAWkqW/ucxI8d+92obW2j1X3+FC/HfR32JGl/jEbUwQ +CVxiMB5COMiikBiubXJlzNAmq2KIpiqBUPgks5bD/3Y +-> ssh-ed25519 7/ziYw vdFHVmAee1B7y7dG9JsV0Q5oJAHkARCwcjZAyAzCuRY +8BMNoikJKNPdxxk61A/zgRykiFGgNu7JUCm+Hhdy9Vw +-> ssh-ed25519 VQy60Q SUSqfYDbeljqVLip253DQtxcag48UYVkUQDZ+6mA1n4 +j3zzmyOADOQprP8/db/Q8iswQucbjgylpt3s4GnHR2A +--- v9F0L3av1OwiVGZfhdGzM0NCsg9j611ihVaKlmHpdoY +ƺB2ҕ_bw2"roc \ No newline at end of file 
diff --git a/system/server/default.nix b/system/server/default.nix index 001c25f..55ee537 100644 --- a/system/server/default.nix +++ b/system/server/default.nix @@ -10,6 +10,7 @@ ./matrix.nix ./seafile.nix ./temp.nix + ./zitadel.nix ]; options.niksos.server = lib.mkEnableOption "server servcies (such as caddy)."; #TODO: per service option. } diff --git a/system/server/zitadel.nix b/system/server/zitadel.nix new file mode 100644 index 0000000..f3fd8e0 --- /dev/null +++ b/system/server/zitadel.nix @@ -0,0 +1,26 @@ +{ + config, + lib, + ... +}: let + ExternalDomain = "z.jsw.tf"; + Port = 9000; +in { + config = + lib.mkIf config.niksos.server + { + services.caddy.virtualHosts.${ExternalDomain}.extraConfig = '' + reverse_proxy localhost:${builtins.toString Port} + ''; + + services.zitadel = { + enable = true; + masterKeyFile = "/etc/default/zitadel"; + settings = { + inherit Port ExternalDomain; + ExternalPort = 443; + }; + extraSettingsPaths = [config.age.secrets.zitadel.path]; + }; + }; +} From 53fb8e06dc22442db40e2d3e00ee63cffc985f1c Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Sun, 20 Jul 2025 15:34:59 +0200 Subject: [PATCH 02/14] Added zitadel masterkey + rewritten agenix secrets module. --- .locksverify | 0 secrets/default.nix | 64 +++++++++++++++++++-------------------- secrets/secrets.nix | 2 +- secrets/zitadel-key.age | 15 +++++++++ system/server/zitadel.nix | 2 +- 5 files changed, 49 insertions(+), 34 deletions(-) create mode 100644 .locksverify create mode 100644 secrets/zitadel-key.age diff --git a/.locksverify b/.locksverify new file mode 100644 index 0000000..e69de29 diff --git a/secrets/default.nix b/secrets/default.nix index 3aa47f4..642ae61 100644 --- a/secrets/default.nix +++ b/secrets/default.nix 
@@ -1,41 +1,41 @@ -{config, ...}: let +{ + config, + lib, + ... +}: let + inherit (lib) mkIf; + inherit (config.niksos) server; + serviceUser = x: config.systemd.services.${x}.serviceConfig.User; + abstrServiceUser = x: config.services.${x}.user; in { age.secrets = { - transferSh = { - file = ./transfer-sh.age; - owner = "jsw"; - }; - dcbot = { - file = ./dcbot.age; - owner = - if config.niksos.server - then serviceUser "dcbot" # "dcbot" doesn't exist on e.g laptop. - else "root"; - }; - bread-dcbot = { - file = ./bread-dcbot.age; - owner = - if config.niksos.server - then serviceUser "bread-dcbot" # "dcbot" doesn't exist on e.g laptop. - else "root"; - }; password.file = ./password.age; - matrix-registration = { - file = ./matrix-registration.age; - owner = - if config.niksos.server - then config.services.matrix-continuwuity.user - else "root"; + + # NOTE: server things + dcbot = mkIf server { + file = ./dcbot.age; + owner = serviceUser "dcbot"; # }; - cloudflare-acme.file = ./cloudflare-acme.age; - mail-admin = { - # owner = #FIXME: revert when stopped using docker for stalwart. - # if config.niksos.server - # then serviceUser "stalwart-mail" - # else "root"; + bread-dcbot = mkIf server { + file = ./bread-dcbot.age; + owner = "bread-dcbot"; + }; + matrix-registration = mkIf server { + file = ./matrix-registration.age; + owner = abstrServiceUser "matrix-continuwuity"; + }; + mail-admin = mkIf server { + # owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart. file = ./mail-admin.age; }; - zitadel.file = ./zitadel.age; + zitadel = mkIf server { + file = ./zitadel.age; + owner = abstrServiceUser "zitadel"; + }; + zitadel-key = mkIf server { + file = ./zitadel-key.age; + owner = abstrServiceUser "zitadel"; + }; }; } diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 1ed79c2..032f1bb 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
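Review bot: `bread-dcbot` is now given the literal owner `"bread-dcbot"` while `dcbot` directly above keeps `owner = serviceUser "dcbot";`; if the bread-dcbot unit runs under a different account the decrypted file is unreadable to it, and if the literal account does not exist on the host the activation chown may fail. Writing `owner = serviceUser "bread-dcbot";` keeps the two entries consistent and ties ownership to the real unit user. The `# ` left at the end of the dcbot owner line is an empty comment and should go. `transferSh` and `cloudflare-acme` disappear from this file; if their `.age` files are no longer used they should be deleted from the repository in the same change rather than left encrypted to the current key set.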
@@ -18,7 +18,7 @@ in { "dcbot.age".publicKeys = keys; "bread-dcbot.age".publicKeys = keys; "matrix-registration.age".publicKeys = keys; - "cloudflare-acme.age".publicKeys = keys; "mail-admin.age".publicKeys = keys; "zitadel.age".publicKeys = keys; + "zitadel-key.age".publicKeys = keys; } diff --git a/secrets/zitadel-key.age b/secrets/zitadel-key.age new file mode 100644 index 0000000..2eba485 --- /dev/null +++ b/secrets/zitadel-key.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 GQzYWA 8s7XBtsT4aMey1VsjyPuiR9A23iGVgJlG2Dkw5Bvozo +0GWZoueNk/hDnytLuHHFY2k+iL+Ine1wIYwQFiq7KCs +-> ssh-ed25519 MfR7VA dzd732h24b07RcrrRc+P0X1NK976C3K3oU2qDmq9QG0 +6OeYdwuHemkFHrjbOQ/RFmMdsEt8OqIq5vgILNFTI6c +-> ssh-ed25519 +cvRTg /KyYAI4kuFrZ6kr8tRBe9RSyrWIpzk7zJWshoYm+k10 +Eouuif3FzeKtCldyWDzD/eEj4A1lUrXFw3R/oEm8VgE +-> ssh-ed25519 WCPLrA Z3Pw+BpqAB41FatChu2fTa7WEf1Px1aCyfQ3hgQpxS0 +CeooAiiIKhMT+apVorjV4bmbupESh3g4oSijGQqe1jA +-> ssh-ed25519 7/ziYw 8v7lxtYQ++YPwxsvz7AokGHc1TBoF+NLon9BbvK+w3c +SIlKY5qwo1jsKnP1jfoQjHU77XWfJ5Emy5Nni2qPx5E +-> ssh-ed25519 VQy60Q teT6TQxAYDs09h8T9BnofmInTLQQ2PWN7qeS8CYDfHE +7KE9Fpdd+OBVs4F5wp+lBRSJTLZHbrxy8rz+2pbbZ34 +--- aRYzmVbztYklpEcpALzft6JXe4ehgRMo9JfgloHP69s +F9Yay|Wު5Z9kL$;L%zklSIZdyG;ȖB o \ No newline at end of file diff --git a/system/server/zitadel.nix b/system/server/zitadel.nix index f3fd8e0..646b8d2 100644 --- a/system/server/zitadel.nix +++ b/system/server/zitadel.nix @@ -15,7 +15,7 @@ in { services.zitadel = { enable = true; - masterKeyFile = "/etc/default/zitadel"; + masterKeyFile = config.age.secrets.zitadel-key.path; settings = { inherit Port ExternalDomain; ExternalPort = 443; From e8915cfded74ef520392ce92e8dd5cbfe75bf35d Mon Sep 17 00:00:00 2001 
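Review bot: `"cloudflare-acme.age".publicKeys = keys;` is removed from the rekey manifest, but the diffstat shows no deletion of `secrets/cloudflare-acme.age`, so an encrypted secret stays in the repository without a recipient list and can no longer be rekeyed when a host key rotates; the commit message does not mention the removal either. Either `git rm` the file here or keep its entry. For the zitadel.nix hunk in this same patch, a comment next to `masterKeyFile = config.age.secrets.zitadel-key.path;` recording the key's required length (ZITADEL expects a 32-byte master key) would explain why the file is regenerated in PATCH 04.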
From: Jurn Wubben Date: Sun, 20 Jul 2025 15:49:11 +0200 Subject: [PATCH 03/14] Added zitadel database and default user. Removed zitadel encrypted config file --- secrets/default.nix | 4 --- secrets/secrets.nix | 1 - secrets/zitadel.age | 15 -------- system/server/zitadel.nix | 74 +++++++++++++++++++++++++++++++++++---- 4 files changed, 67 insertions(+), 27 deletions(-) delete mode 100644 secrets/zitadel.age diff --git a/secrets/default.nix b/secrets/default.nix index 642ae61..2e96df6 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -29,10 +29,6 @@ in { # owner = serviceUser "stalwart-mail"; #FIXME: revert when stopped using docker for stalwart. file = ./mail-admin.age; }; - zitadel = mkIf server { - file = ./zitadel.age; - owner = abstrServiceUser "zitadel"; - }; zitadel-key = mkIf server { file = ./zitadel-key.age; owner = abstrServiceUser "zitadel"; diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 032f1bb..5f4df5c 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -19,6 +19,5 @@ in { "bread-dcbot.age".publicKeys = keys; "matrix-registration.age".publicKeys = keys; "mail-admin.age".publicKeys = keys; - "zitadel.age".publicKeys = keys; "zitadel-key.age".publicKeys = keys; } diff --git a/secrets/zitadel.age b/secrets/zitadel.age deleted file mode 100644 index 9a647df..0000000 --- a/secrets/zitadel.age +++ /dev/null 
@@ -1,15 +0,0 @@ -age-encryption.org/v1 --> ssh-ed25519 GQzYWA fz19CbZPbHDcTz3uKZwJPn5ZN4cvl7GcED5eG0D+ElM -HHCdqkDUcqK4Oo+AGp04q3nVJs2KpeIM3ZwKwOsPWYo --> ssh-ed25519 MfR7VA IXjIOdECEgdKvxs3K2lYVhqHa6IbGYhciFlPamEl9AQ -HVDNbo0Y8rAHy2nUiiP11XKcJ5AdEGhQQt30GCdve1E --> ssh-ed25519 +cvRTg ipfUrJdALMna/5EQfLzAo28r65e1W62P5FzSxqSkYCI -qzhYJjzB6NsHa0obHsyD3nylsucBcIcWFcJ8g/P1HHo --> ssh-ed25519 WCPLrA fAWkqW/ucxI8d+92obW2j1X3+FC/HfR32JGl/jEbUwQ -CVxiMB5COMiikBiubXJlzNAmq2KIpiqBUPgks5bD/3Y --> ssh-ed25519 7/ziYw vdFHVmAee1B7y7dG9JsV0Q5oJAHkARCwcjZAyAzCuRY -8BMNoikJKNPdxxk61A/zgRykiFGgNu7JUCm+Hhdy9Vw --> ssh-ed25519 VQy60Q SUSqfYDbeljqVLip253DQtxcag48UYVkUQDZ+6mA1n4 -j3zzmyOADOQprP8/db/Q8iswQucbjgylpt3s4GnHR2A ---- v9F0L3av1OwiVGZfhdGzM0NCsg9j611ihVaKlmHpdoY -ƺB2ҕ_bw2"roc \ No newline at end of file diff --git a/system/server/zitadel.nix b/system/server/zitadel.nix index 646b8d2..1484a25 100644 --- a/system/server/zitadel.nix +++ b/system/server/zitadel.nix 
@@ -13,14 +13,74 @@ in { reverse_proxy localhost:${builtins.toString Port} ''; - services.zitadel = { - enable = true; - masterKeyFile = config.age.secrets.zitadel-key.path; - settings = { - inherit Port ExternalDomain; - ExternalPort = 443; + # services.zitadel = { + # enable = true; + # masterKeyFile = config.age.secrets.zitadel-key.path; + # settings = { + # inherit Port ExternalDomain; + # ExternalPort = 443; + # }; + # extraSettingsPaths = [config.age.secrets.zitadel.path]; + # }; + systemd.services.zitadel = { + requires = ["postgresql.service"]; + after = ["postgresql.service"]; + }; + + services = { + zitadel = { + enable = true; + masterKeyFile = config.age.secrets.zitadel-key.path; + settings = { + inherit Port ExternalDomain; + ExternalPort = 443; + Database.postgres = { + Host = "/var/run/postgresql/"; + Port = 5432; + Database = "zitadel"; + User = { + Username = "zitadel"; + SSL.Mode = "disable"; + }; + Admin = { + Username = "zitadel"; + SSL.Mode = "disable"; + ExistingDatabase = "zitadel"; + }; + }; + ExternalSecure = true; + }; + steps.FirstInstance = { + InstanceName = "jsw"; + Org = { + Name = "jsw"; + Human = { + UserName = "jsw@jsw.tf"; + FirstName = "Jurn"; + LastName = "Wubben"; + Email.Verified = true; + Password = "changeme"; + PasswordChangeRequired = true; + }; + }; + LoginPolicy.AllowRegister = false; + }; + openFirewall = true; + }; + + postgresql = { + enable = true; + enableJIT = true; + ensureDatabases = ["zitadel"]; + ensureUsers = [ + { + name = "zitadel"; + ensureDBOwnership = true; + ensureClauses.login = true; + ensureClauses.superuser = true; + } + ]; }; - extraSettingsPaths = [config.age.secrets.zitadel.path]; }; }; } From a0905f93b1d9f788ab3762f8aaa120ec97beecb4 Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Sun, 20 Jul 2025 15:54:50 +0200 Subject: [PATCH 04/14] Updated zitadel key --- secrets/zitadel-key.age | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) 
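Review bot: `steps.FirstInstance.Org.Human.Password = "changeme";` ends up in the generated ZITADEL config inside the world-readable Nix store, so `PasswordChangeRequired = true` is the only thing protecting the first admin between deploy and first login; the `Changeme1!` value PATCH 05 substitutes has the same problem. Prefer loading the FirstInstance step from an agenix-managed file (the module already has `extraSettingsPaths` for settings; use the equivalent steps option if it offers one, otherwise leave the human user out and create it through the console). `ensureClauses.superuser = true` makes the runtime DB role a cluster superuser, and since `User.Username` and `Admin.Username` are both `"zitadel"` the application itself runs with that role; ZITADEL only needs elevated rights for setup, so a separate admin role or dropping superuser after `ensureDBOwnership` would follow least privilege. `openFirewall = true` exposes port 9000 directly although caddy already proxies it on 443 with `ExternalSecure = true`, and can be removed. The commented-out copy of the old `services.zitadel` block should be deleted rather than kept beside the live one.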
diff --git a/secrets/zitadel-key.age b/secrets/zitadel-key.age index 2eba485..f5751e4 100644 --- a/secrets/zitadel-key.age +++ b/secrets/zitadel-key.age @@ -1,15 +1,15 @@ age-encryption.org/v1 --> ssh-ed25519 GQzYWA 8s7XBtsT4aMey1VsjyPuiR9A23iGVgJlG2Dkw5Bvozo -0GWZoueNk/hDnytLuHHFY2k+iL+Ine1wIYwQFiq7KCs --> ssh-ed25519 MfR7VA dzd732h24b07RcrrRc+P0X1NK976C3K3oU2qDmq9QG0 -6OeYdwuHemkFHrjbOQ/RFmMdsEt8OqIq5vgILNFTI6c --> ssh-ed25519 +cvRTg /KyYAI4kuFrZ6kr8tRBe9RSyrWIpzk7zJWshoYm+k10 -Eouuif3FzeKtCldyWDzD/eEj4A1lUrXFw3R/oEm8VgE --> ssh-ed25519 WCPLrA Z3Pw+BpqAB41FatChu2fTa7WEf1Px1aCyfQ3hgQpxS0 -CeooAiiIKhMT+apVorjV4bmbupESh3g4oSijGQqe1jA --> ssh-ed25519 7/ziYw 8v7lxtYQ++YPwxsvz7AokGHc1TBoF+NLon9BbvK+w3c -SIlKY5qwo1jsKnP1jfoQjHU77XWfJ5Emy5Nni2qPx5E --> ssh-ed25519 VQy60Q teT6TQxAYDs09h8T9BnofmInTLQQ2PWN7qeS8CYDfHE -7KE9Fpdd+OBVs4F5wp+lBRSJTLZHbrxy8rz+2pbbZ34 ---- aRYzmVbztYklpEcpALzft6JXe4ehgRMo9JfgloHP69s -F9Yay|Wު5Z9kL$;L%zklSIZdyG;ȖB o \ No newline at end of file +-> ssh-ed25519 GQzYWA YUoGdx518q+GhqnOVeuHxWE4//2KgVTXJCu4ULUkly8 +XIxa/FaGC5XBcrsvhZq5rOgX5vNDfFvcDCsamN7vHJ8 +-> ssh-ed25519 MfR7VA 9btD5WmqZdQ54uJYVNwU3Z5DBIlACbYfqGe1wPZwd30 +QecwT2R+BkQrGmorYcMuXHyy/TG7JjBdH2fp3W9zCBU +-> ssh-ed25519 +cvRTg UZnkgS+9oRLgEI/vdLFIAPbUG4V5iAuB4Z74D/quXzE +vxWJZI/SZKH1j8bnI4xC8+TIIANqMOkIDej+BWzDJwE +-> ssh-ed25519 WCPLrA OVnublQtCOFFo7+vcKGmCY3B3FkvLvQ6GaU7xMx8uQY +PuMamZqF3vCqgmpcTGQinIdbjOOpHtrmKfOXlL924Rk +-> ssh-ed25519 7/ziYw nYxpO5kaGDOyGUEFxryEhT0XqWf0Oc1RgprYaPjC33c +UseYaBeWvetviCf1FHncVNko86ji+GX9AdyDic2A1Og +-> ssh-ed25519 VQy60Q ok1oP3f7nWBd/6DyJFDnsv/Lb2/bwHY0cvmHI386IFM +t5rIZBUz5jav6tUo01ASMzYtHoW4+cKBZ2lzmxSI7IA +--- NZ9UXYlEIcw3VPFqDswXhSecW1zqcCeKivJoHC1zKA8 +JqU0]D_Տz =1׶S!-.t="緿e Date: Sun, 20 Jul 2025 15:58:47 +0200 Subject: [PATCH 05/14] Zitadel: default changeme password wasn't strong enough --- system/server/zitadel.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/system/server/zitadel.nix b/system/server/zitadel.nix
index 1484a25..7bd32a7 100644
--- a/system/server/zitadel.nix
+++ b/system/server/zitadel.nix
@@ -59,7 +59,7 @@ in {
 FirstName = "Jurn";
 LastName = "Wubben";
 Email.Verified = true;
- Password = "changeme";
+ Password = "Changeme1!";
 PasswordChangeRequired = true;
 };
 };
From 657211eb26de7a76aa82919e22ec419e28fb8d1c Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Sun, 20 Jul 2025 17:04:59 +0200 Subject: [PATCH 06/14] Disabled forgejo internal signin so that it uses zitade.
---
system/server/forgejo.nix | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/system/server/forgejo.nix b/system/server/forgejo.nix
index 17086b6..9d93e8a 100644
--- a/system/server/forgejo.nix
+++ b/system/server/forgejo.nix
@@ -26,7 +26,10 @@ in {
 ROOT_URL = "https://${DOMAIN}/";
 HTTP_PORT = 9004;
 };
- service.DISABLE_REGISTRATION = true;
+ service = {
+ DISABLE_REGISTRATION = true;
+ EnableInternalSignIn = false;
+ };
 actions = {
 ENABLED = true;
 DEFAULT_ACTIONS_URL = "github";
From 713ea0cf68666a56919ef0687582a6bbbfd8d50c Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Sun, 20 Jul 2025 18:27:09 +0200 Subject: [PATCH 07/14] Forgejo: disabled login screen for oauth + added mailserver + renamed some things
---
secrets/default.nix | 4 ++++ secrets/forgejo-mailpass.age | 15 +++++++++++++++ secrets/secrets.nix | 1 + system/server/forgejo.nix | 22 ++++++++++++++++++++-- 4 files changed, 40 insertions(+), 2 deletions(-) create mode 100644 secrets/forgejo-mailpass.age
diff --git a/secrets/default.nix b/secrets/default.nix
index 2e96df6..b04140e 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -33,5 +33,9 @@ in {
 file = ./zitadel-key.age;
 owner = abstrServiceUser "zitadel";
 };
+ forgejo-mailpass = mkIf server {
+ file = ./forgejo-mailpass.age;
+ owner = abstrServiceUser "forgejo";
+ };
 };
 }
diff --git a/secrets/forgejo-mailpass.age b/secrets/forgejo-mailpass.age new file mode 100644 index 0000000..eed7f49 --- /dev/null +++ b/secrets/forgejo-mailpass.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 GQzYWA j5yj1cq9FbYSW767zObF4RbJ7Jhx0818BryvWGWwnSw +LelnyL/SIat9BKl4hsz0n6rl8xPgchk+nQmfb1xkXkU +-> ssh-ed25519 MfR7VA sVGSrPd10dOdnDNROMGW1gLuczlVwMLpymgx6+cCJRE +8vf0ubRiRUWfc6Mgt0bNq99SgrY4pYJ0f4BHVRn+lYU +-> ssh-ed25519 +cvRTg VK4bHTmw+Oz7JLdP0zEbfKTjNUBtVxcbHX4zyZrQxx4 +1BjqL4TuNJO8VH9c2MT24ZlGz8ifniUZaK4AkK4VjM4 +-> ssh-ed25519 WCPLrA lD5KmpPXdvmTGMXMhye/ivnkbb0+XRCpUA4i6JBsK2w +0LKCxV8vSewkNOLJa+xEZp4w+qIRAVezv37g6hExpb0 +-> ssh-ed25519 7/ziYw Yq6qqosp/yOekCO7NBpNTJQVv8NciaSLiDFNuLaOjyA +8Joor9/H+ExdOQBavTMH13SI9MZgBKQQA2HPxKAF9uU +-> ssh-ed25519 VQy60Q /+R2djdRbYoWq1GzMFSj+gwXGf085axPJHOa0tIeFTs +dBVQQ7yucfpbmeR82Fp6MR1/IiQun3bqNVCm9qegL2g +--- fHjHEH5JtSZnKnJFC/KDQELHDwVsExA5aeuKN7DvL1M +AH? 'ahǒP>"/yRƄ!I= G4ٺ^iX}a: \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 5f4df5c..9caab40 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -20,4 +20,5 @@ in { "matrix-registration.age".publicKeys = keys; "mail-admin.age".publicKeys = keys; "zitadel-key.age".publicKeys = keys; + "forgejo-mailpass.age".publicKeys = keys; } diff --git a/system/server/forgejo.nix b/system/server/forgejo.nix index 9d93e8a..9560944 100644 --- a/system/server/forgejo.nix +++ b/system/server/forgejo.nix 
@@ -27,13 +27,31 @@ in { HTTP_PORT = 9004; }; service = { - DISABLE_REGISTRATION = true; - EnableInternalSignIn = false; + ENABLE_INTERNAL_SIGNIN = false; + # DISABLE_REGISTRATION = true; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + }; + oauth2_client = { + ENABLE_AUTO_REGISTRATION = true; + }; + "ui.meta" = { + AUTHOR = "JSW Git"; + DESCRIPTION = "Personal GIT-Forgejo instance."; }; actions = { ENABLED = true; DEFAULT_ACTIONS_URL = "github"; }; + mailer = { + ENABLED = true; + SUBJECT_PREFIX = "JSWGit"; + PROTOCOL = "smtps"; + SMTP_ADDR = "mail.jsw.tf"; + SMTP_PORT = 465; + FROM = "git@jsw.tf"; + USER = "git"; + PASSWD_URI = "file:${config.age.secrets.forgejo-mailpass.path}"; + }; }; }; }; From 488cb7fad8a03441c5ed3e2cb943871b0a993779 Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Sun, 20 Jul 2025 20:44:08 +0200 Subject: [PATCH 08/14] Immich: added openid login --- secrets/default.nix | 4 ++ secrets/immich-oidc.age | 15 +++++ secrets/secrets.nix | 1 + system/server/forgejo.nix | 2 +- system/server/immich.nix | 133 ++++++++++++++++++++++++-------------- 5 files changed, 106 insertions(+), 49 deletions(-) create mode 100644 secrets/immich-oidc.age diff --git a/secrets/default.nix b/secrets/default.nix index b04140e..141308e 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -37,5 +37,9 @@ in { file = ./forgejo-mailpass.age; owner = abstrServiceUser "forgejo"; }; + immich-oidc = mkIf server { + file = ./immich-oidc.age; + owner = abstrServiceUser "immich"; + }; }; } diff --git a/secrets/immich-oidc.age b/secrets/immich-oidc.age new file mode 100644 index 0000000..11c301f --- /dev/null +++ b/secrets/immich-oidc.age 
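Review bot: With `DISABLE_REGISTRATION` commented out, account creation now rests on `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` together with `oauth2_client.ENABLE_AUTO_REGISTRATION = true`, so every identity the IdP authenticates silently becomes a Forgejo account; that is only acceptable because zitadel.nix sets `LoginPolicy.AllowRegister = false`, and nothing here records the dependency. A comment such as `# accounts exist only via OAuth; who may sign up is gated by ZITADEL's LoginPolicy.AllowRegister = false` would make the coupling visible, and the dead `# DISABLE_REGISTRATION = true;` line should be removed rather than kept. `PASSWD_URI = "file:${config.age.secrets.forgejo-mailpass.path}"` correctly keeps the SMTP password out of the store.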
@@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 GQzYWA MbczMCSPu7pJru1rmOsFuloCYLKlh7koC5drXcKlwiw +ZghUrcs7YT3ciwqOkrPDEzlZe3qN9ypBw3xRGYWNPaY +-> ssh-ed25519 MfR7VA KB6RE2QZ//Z6xoyQC502dJeg79rYXFJJdOwV+c6tOWo +e1zIz2nsV9JbBaadTnONrPLI5Ztyv9vf4Ewzd9uSHnU +-> ssh-ed25519 +cvRTg GntHLoUwpIrxm3FcVw+Bavaq6kLaZpVdTRLoMMVfpAY +abE1ZkhS39vylBg8bZ5K3vgnXr70Vbk1bLCKsCFlUvU +-> ssh-ed25519 WCPLrA +/GlB5CbM/1FwI5JE63DJVUChADjJfD3jJY3Y2KmXEU +pPqBhV49/wg/hWffFm2XFRGC9p1nQ57tj1YK7pPkQ3U +-> ssh-ed25519 7/ziYw lxlJVNMIqfoMPj6VGTt2V4PxFi+6WRMfOYcv1hpEMkM +kd8CI7RECJA5uPJu33D61OEnqWwZuNQ6VmYLqXew6gc +-> ssh-ed25519 VQy60Q YSgYVPPN7QutKhbv6/1vmoRnh14KXs0g2k9qxKuvQ2U +FL3fImxWoBeHrCLd+jp/a1oRd/Acgi6sV/g40dCRrTA +--- TipdjwDPkRxiV/R1FUYCm/tcD6M+XEaZhQjrzwMxiuA +E%ZDTs,5 jLOzﻸT _Hn*xQ7$Cv`Wqt%N6 5 \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 9caab40..df90563 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -21,4 +21,5 @@ in { "mail-admin.age".publicKeys = keys; "zitadel-key.age".publicKeys = keys; "forgejo-mailpass.age".publicKeys = keys; + "immich-oidc.age".publicKeys = keys; } diff --git a/system/server/forgejo.nix b/system/server/forgejo.nix index 9560944..df2c29a 100644 --- a/system/server/forgejo.nix +++ b/system/server/forgejo.nix @@ -46,7 +46,7 @@ in { ENABLED = true; SUBJECT_PREFIX = "JSWGit"; PROTOCOL = "smtps"; - SMTP_ADDR = "mail.jsw.tf"; + SMTP_ADDR = "mail.jsw.tf"; #FIXME: replace with config... to stalwart setting once using stalwart nixos module. SMTP_PORT = 465; FROM = "git@jsw.tf"; USER = "git"; diff --git a/system/server/immich.nix b/system/server/immich.nix index 216b8d2..312f527 100644 --- a/system/server/immich.nix +++ b/system/server/immich.nix 
@@ -1,61 +1,98 @@ { config, lib, + pkgs, ... }: let + inherit (lib) mkIf mkForce mkDefault; + cfg = config.niksos.server; + oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*"; + config-dir = "/run/immich-conf"; in { - services.immich = { - enable = cfg; + config = + mkIf cfg + { + users.users.${config.services.immich.user}.extraGroups = ["video" "render"]; + services.caddy.virtualHosts."photos.jsw.tf".extraConfig = '' + reverse_proxy localhost:9002 + ''; - port = 9002; - machine-learning.enable = false; + services.immich = mkIf cfg { + enable = true; - settings = { - server.externalDomain = "https://photos.jsw.tf"; - ffmpeg = { - crf = 23; - threads = 0; - preset = "ultrafast"; - targetVideoCodec = "h264"; - acceptedVideoCodecs = [ - "h264" + port = 9002; + machine-learning.enable = false; + + accelerationDevices = mkDefault null; + + #NOTE: immich doesn't support variables in their config file, so we have to subsitute ourselfs.. + environment.IMMICH_CONFIG_FILE = mkForce "${config-dir}/immich.json"; + settings = { + server.externalDomain = "https://photos.jsw.tf"; + oauth = { + enabled = true; + autoLaunch = true; + autoRegister = true; + buttonText = "Login with JSWAuth"; + clientId = "329735769805619570"; + clientSecret = oidcSubstitute; + issuerUrl = "https://${config.services.zitadel.settings.ExternalDomain}/.well-known/openid-configuration"; + }; + passwordLogin.enabled = false; + ffmpeg = { + crf = 23; + threads = 0; + preset = "ultrafast"; + targetVideoCodec = "h264"; + acceptedVideoCodecs = [ + "h264" + ]; + targetAudioCodec = "aac"; + acceptedAudioCodecs = [ + "aac" + "mp3" + "libopus" + "pcm_s16le" + ]; + acceptedContainers = [ + "mov" + "ogg" + "webm" + ]; + targetResolution = "720"; + maxBitrate = "0"; + bframes = -1; + refs = 0; + gopSize = 0; + temporalAQ = false; + cqMode = "auto"; + twoPass = false; + preferredHwDevice = lib.mkDefault "auto"; + transcode = "all"; + tonemap = "hable"; + accel = lib.mkDefault "vaapi"; + accelDecode = true; + }; + }; + }; + 
+ systemd = { + services.immich-server = { + preStart = let + refConfig = (pkgs.formats.json {}).generate "immich.json" config.services.immich.settings; + newConfig = "${config-dir}/immich.json"; + replaceSecretBin = "${pkgs.replace-secret}/bin/replace-secret"; + in '' + umask 077 + cp -f '${refConfig}' '${newConfig}' + chmod u+w '${newConfig}' + ${replaceSecretBin} '${oidcSubstitute}' '${config.age.secrets.immich-oidc.path}' '${newConfig}' + ''; + }; + tmpfiles.rules = [ + "d ${config-dir} 0700 immich immich" ]; - targetAudioCodec = "aac"; - acceptedAudioCodecs = [ - "aac" - "mp3" - "libopus" - "pcm_s16le" - ]; - acceptedContainers = [ - "mov" - "ogg" - "webm" - ]; - targetResolution = "720"; - maxBitrate = "0"; - bframes = -1; - refs = 0; - gopSize = 0; - temporalAQ = false; - cqMode = "auto"; - twoPass = false; - preferredHwDevice = lib.mkDefault "auto"; - transcode = "all"; - tonemap = "hable"; - accel = lib.mkDefault "vaapi"; - accelDecode = true; }; }; - - accelerationDevices = lib.mkDefault null; - }; - users.users.immich = lib.mkIf cfg {extraGroups = ["video" "render"];}; #NOTE: was first groups = lib.mkIf.. but then users.immich gets set even when server is disabled. - - services.caddy.virtualHosts."photos.jsw.tf" = { - extraConfig = '' - reverse_proxy localhost:9002 - ''; - }; } From 87bef5a352b1c58d1a2e0191ca548391aa558b68 Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Sun, 20 Jul 2025 21:20:48 +0200 Subject: [PATCH 09/14] Server: immich mobile support login oauth --- system/server/immich.nix | 8 ++++++-- system/server/seafile.nix | 40 ++++++++++++++++++++++++++++++++------- 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/system/server/immich.nix b/system/server/immich.nix index 312f527..3554292 100644 --- a/system/server/immich.nix +++ b/system/server/immich.nix 
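Review bot: `passwordLogin.enabled = false` combined with `oauth.autoLaunch = true` leaves no local way into Immich if ZITADEL is down or the client secret rotates; keeping password login for a single local admin, or at least a comment stating that recovery means editing this file and redeploying, avoids a lock-out. `services.immich = mkIf cfg { ... }` sits inside `config = mkIf cfg { ... }`, so the inner `mkIf` is redundant and can be dropped. The tmpfiles rule `"d ${config-dir} 0700 immich immich"` hard-codes the account while the line above uses `config.services.immich.user`; use that option (and the group option) there too so the preStart copy, which presumably runs as the unit user, keeps working if the user is ever changed. The preStart itself (umask 077, copy, replace-secret into a 0700 runtime directory) is the right shape for keeping the client secret out of the store.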
@@ -9,12 +9,14 @@ cfg = config.niksos.server; oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*"; config-dir = "/run/immich-conf"; + url = "photos.jsw.tf"; + httpsUrl = "https://" + url; in { config = mkIf cfg { users.users.${config.services.immich.user}.extraGroups = ["video" "render"]; - services.caddy.virtualHosts."photos.jsw.tf".extraConfig = '' + services.caddy.virtualHosts.${url}.extraConfig = '' reverse_proxy localhost:9002 ''; @@ -29,7 +31,7 @@ in { #NOTE: immich doesn't support variables in their config file, so we have to subsitute ourselfs.. environment.IMMICH_CONFIG_FILE = mkForce "${config-dir}/immich.json"; settings = { - server.externalDomain = "https://photos.jsw.tf"; + server.externalDomain = httpsUrl; oauth = { enabled = true; autoLaunch = true; @@ -38,6 +40,8 @@ in { clientId = "329735769805619570"; clientSecret = oidcSubstitute; issuerUrl = "https://${config.services.zitadel.settings.ExternalDomain}/.well-known/openid-configuration"; + mobileRedirectUri = "${httpsUrl}/api/oauth/mobile-redirect"; + mobileOverrideEnabled = true; }; passwordLogin.enabled = false; ffmpeg = { diff --git a/system/server/seafile.nix b/system/server/seafile.nix index ac18412..914d683 100644 --- a/system/server/seafile.nix +++ b/system/server/seafile.nix 
@@ -3,25 +3,52 @@ inputs, pkgs, ... -}: { +}: let + url = "files.jsw.tf"; + httpsUrl = "https://" + url; + authUrl = config.services.zitadel.settings.ExternalDomain; + httpsAuthUrl = "https://" + authUrl; + oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*"; + config-dir = "/run/immich-conf"; +in { services.seafile = { enable = config.niksos.server; seahubPackage = inputs.nixpkgs-stable.legacyPackages.${pkgs.system}.seahub; - adminEmail = "jurnwubben@gmail.com"; + adminEmail = "jsw@jsw.tf"; initialAdminPassword = "ChangeMeTheFuckNow!"; gc.enable = true; - ccnetSettings.General.SERVICE_URL = "https://files.jsw.tf"; + ccnetSettings.General.SERVICE_URL = httpsUrl; seahubExtraConf = '' - ALLOWED_HOSTS = ['.files.jsw.tf'] + ALLOWED_HOSTS = ['.${url}'] CSRF_COOKIE_SECURE = True CSRF_COOKIE_SAMESITE = 'Strict' - CSRF_TRUSTED_ORIGINS = ['https://files.jsw.tf', 'https://www.files.jsw.tf'] + CSRF_TRUSTED_ORIGINS = ['${httpsUrl}'] SITE_NAME = "JSW Cloud" SITE_TITLE = "JSW Cloud" + + ENABLE_OAUTH = True + OAUTH_CREATE_UNKNOWN_USER = True + OAUTH_ACTIVATE_USER_AFTER_CREATION = True + OAUTH_ENABLE_INSECURE_TRANSPORT = False + OAUTH_CLIENT_ID = "329743411726844274" + OAUTH_CLIENT_SECRET = "${oidcSubstitute}" + OAUTH_REDIRECT_URL = '${httpsUrl}/oauth/callback/' + OAUTH_PROVIDER_DOMAIN = '${authUrl}' + OAUTH_PROVIDER = 'JSW Auth' + OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize' + OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token' + OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo' + OAUTH_SCOPE = ["user",] + OAUTH_ATTRIBUTE_MAP = { + "id": (True, "email"), + "name": (False, "name"), + "email": (False, "contact_email"), + "uid": (True, "uid"), + } ''; seafileSettings = { quota.default = 30; @@ -35,8 +62,7 @@ }; }; - services.caddy.virtualHosts."files.jsw.tf" = { - # serverAliases = ["www.share.jsw.tf"]; + services.caddy.virtualHosts.${url} = { extraConfig = '' handle_path /seafhttp/* { reverse_proxy * unix//run/seafile/server.sock 
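Review bot: `OAUTH_CLIENT_SECRET = "${oidcSubstitute}"` writes the literal placeholder `*@#OPENIDCLIENTSECRET#@*` into seahub_settings.py, and unlike immich.nix nothing in this hunk replaces it at start-up, so `ENABLE_OAUTH = True` goes live with a bogus secret until a later patch adds the substitution. `config-dir = "/run/immich-conf"` is copy-pasted from immich.nix (wrong service) and is unused in this hunk; if a seafile substitution step is planned it needs its own directory, e.g. `/run/seafile-conf`, otherwise both bindings should be dropped. The `OAUTH_ATTRIBUTE_MAP` entry `"id": (True, "email")` treats the provider's `id` claim as the e-mail identity; confirm ZITADEL emits such a claim for the `user` scope, since a mismatch will likely break account mapping. The enclosing `services.seafile` block continues outside the hunk.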
From fa35e153c65269ed4370693e537777ff4bdd5732 Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Mon, 21 Jul 2025 08:19:31 +0200 Subject: [PATCH 10/14] Converted seafile to openid login --- secrets/default.nix | 4 ++ secrets/seafile-oidc.age | 16 +++++ secrets/secrets.nix | 1 + system/server/seafile.nix | 143 ++++++++++++++++++++++++-------------- 4 files changed, 110 insertions(+), 54 deletions(-) create mode 100644 secrets/seafile-oidc.age diff --git a/secrets/default.nix b/secrets/default.nix index 141308e..e808f6b 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -41,5 +41,9 @@ in { file = ./immich-oidc.age; owner = abstrServiceUser "immich"; }; + seafile-oidc = mkIf server { + file = ./seafile-oidc.age; + owner = abstrServiceUser "seafile"; + }; }; } diff --git a/secrets/seafile-oidc.age b/secrets/seafile-oidc.age new file mode 100644 index 0000000..d17d8b3 --- /dev/null +++ b/secrets/seafile-oidc.age @@ -0,0 +1,16 @@ +age-encryption.org/v1 +-> ssh-ed25519 GQzYWA bJyIAsI/6hAeQQ9gFYIEY3bYkSZ/1aC+8w3rBYWVHCU +H38Px7xdB/MFhXdBZxu016/7tuzuk7+mRTv1wyQT+d4 +-> ssh-ed25519 MfR7VA +iGb3WpMd0LbGj8wLBWJOHtiDAcuhxNaKboABUJjqlk +y6Q1+lV4Zg3Bzz4VvTW+/4SxAy5A5tzOL7O/ra9V0ns +-> ssh-ed25519 +cvRTg sFXk188eoPOlJdh2LicBCwTvgRerU+Ou5JNvAawfPmU +elcMDCCJWkPWpmGMHTNgOMoZIAGqZmw3V4J2Q1opyU0 +-> ssh-ed25519 WCPLrA mQMjG0AtKkKIQlSV5FDMhKiLovREAvFmEAye3pfAbSg +GK8mibNENVSXiQjmKqVuuyAe7b3VpPQ5tqbj/70vwOk +-> ssh-ed25519 7/ziYw U61nqCBxz9bH4aljZqD2zPd7kJxBQlK8O8eH0QD+8Cc +CCrpXNbLeNkRSeMmMjlEQK4ffyWm/bTozNZ5yfnXssw +-> ssh-ed25519 VQy60Q CiiIktgZ0Q5KPSGu/jwPHwNAVaD7dA7T/FKw8H0K3ws +ZeTiGA0sSeGS1IJrQMBIh28vUnHupYUrnZBsz+9I4yM +--- qMzO4grI7h5bkEI4d/ruuyMS7RVvZtFsfJT07M8W9W0 +>q@|6b1 Date: Mon, 21 Jul 2025 08:23:52 +0200 Subject: [PATCH 11/14] Temporary revert seafile changes --- system/server/seafile.nix | 34 +++++++++++++++++----------------- 1 file changed, 17 insertions(+), 17 deletions(-) 
diff --git a/system/server/seafile.nix b/system/server/seafile.nix index ff9634a..124c581 100644 --- a/system/server/seafile.nix +++ b/system/server/seafile.nix @@ -87,24 +87,24 @@ in { sfCfg = config.services.seafile; in { seaf-server = { - preStart = '' - umask 077 - cp -f '/etc/seafile' '${config-dir}' - chmod u+w -R '${config-dir}' - ${replaceSecretBin} '${oidcSubstitute}' '${config.age.secrets.seafile-oidc.path}' '${config-dir}/seahub_settings.py' - ''; - serviceConfig.ExecStart = mkForce '' - ${lib.getExe sfCfg.seahubPackage.seafile-server} \ - --foreground \ - -F '${config-dir} \ - -c ${ccnetDir} \ - -d ${sfCfg.dataDir} \ - -l /var/log/seafile/server.log \ - -P /run/seafile/server.pid \ - -p /run/seafile - ''; + # preStart = '' + # umask 077 + # cp -f '/etc/seafile' '${config-dir}' + # chmod u+w -R '${config-dir}' + # ${replaceSecretBin} '${oidcSubstitute}' '${config.age.secrets.seafile-oidc.path}' '${config-dir}/seahub_settings.py' + # ''; + # serviceConfig.ExecStart = mkForce '' + # ${lib.getExe sfCfg.seahubPackage.seafile-server} \ + # --foreground \ + # -F '${config-dir} \ + # -c ${ccnetDir} \ + # -d ${sfCfg.dataDir} \ + # -l /var/log/seafile/server.log \ + # -P /run/seafile/server.pid \ + # -p /run/seafile + # ''; }; - seahub.environment.SEAFILE_CENTRAL_CONF_DIR = mkForce config-dir; + # seahub.environment.SEAFILE_CENTRAL_CONF_DIR = mkForce config-dir; }; }; } From 5fdfd7f0048518af374b3bcc252ce66458a209bd Mon Sep 17 00:00:00 2001 From: Jurn Wubben Date: Mon, 21 Jul 2025 13:04:04 +0200 Subject: [PATCH 12/14] Seafile: read secret using python --- secrets/default.nix | 2 ++ secrets/seafile-oidc.age | 29 ++++++++++++++--------------- system/server/seafile.nix | 25 ++++++++++++++++--------- 3 files changed, 32 insertions(+), 24 deletions(-) diff --git a/secrets/default.nix b/secrets/default.nix index e808f6b..319a835 100644 --- a/secrets/default.nix +++ b/secrets/default.nix 
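Review bot: The code kept as comments carries two defects that will resurface the moment it is uncommented: `cp -f '/etc/seafile' '${config-dir}'` copies a directory without `-r`/`-a`, and `-F '${config-dir} \` has an unbalanced single quote that swallows the rest of the ExecStart line. Either fix them now (`cp -a /etc/seafile/. '${config-dir}'` and `-F '${config-dir}' \`) or delete the block and rely on git history instead of shipping a commented-out, broken start-up path. The `sfCfg` binding visible above the hunk, and presumably `ccnetDir` and `replaceSecretBin` defined outside it, are now unused as well.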
@@ -8,6 +8,7 @@ serviceUser = x: config.systemd.services.${x}.serviceConfig.User; abstrServiceUser = x: config.services.${x}.user; + abstrServiceGroup = x: config.services.${x}.group; in { age.secrets = { password.file = ./password.age; @@ -44,6 +45,7 @@ in { seafile-oidc = mkIf server { file = ./seafile-oidc.age; owner = abstrServiceUser "seafile"; + mode = "400"; }; }; } diff --git a/secrets/seafile-oidc.age b/secrets/seafile-oidc.age index d17d8b3..70db7a2 100644 --- a/secrets/seafile-oidc.age +++ b/secrets/seafile-oidc.age 
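Review bot: `abstrServiceGroup` is introduced but nothing in this hunk uses it; if a group-readable mode for `seafile-oidc` was planned, the `group = abstrServiceGroup "seafile";` entry is missing and `mode = "400"` contradicts it, and if not, the helper is dead code. Setting `mode` on only this one secret also leaves the reader guessing whether the other secrets in this file rely on agenix's default mode; a one-line comment such as `# default agenix mode applies to the other secrets` would make the exception deliberate.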
@@ -1,16 +1,15 @@ age-encryption.org/v1 --> ssh-ed25519 GQzYWA bJyIAsI/6hAeQQ9gFYIEY3bYkSZ/1aC+8w3rBYWVHCU -H38Px7xdB/MFhXdBZxu016/7tuzuk7+mRTv1wyQT+d4 --> ssh-ed25519 MfR7VA +iGb3WpMd0LbGj8wLBWJOHtiDAcuhxNaKboABUJjqlk -y6Q1+lV4Zg3Bzz4VvTW+/4SxAy5A5tzOL7O/ra9V0ns --> ssh-ed25519 +cvRTg sFXk188eoPOlJdh2LicBCwTvgRerU+Ou5JNvAawfPmU -elcMDCCJWkPWpmGMHTNgOMoZIAGqZmw3V4J2Q1opyU0 --> ssh-ed25519 WCPLrA mQMjG0AtKkKIQlSV5FDMhKiLovREAvFmEAye3pfAbSg -GK8mibNENVSXiQjmKqVuuyAe7b3VpPQ5tqbj/70vwOk --> ssh-ed25519 7/ziYw U61nqCBxz9bH4aljZqD2zPd7kJxBQlK8O8eH0QD+8Cc -CCrpXNbLeNkRSeMmMjlEQK4ffyWm/bTozNZ5yfnXssw --> ssh-ed25519 VQy60Q CiiIktgZ0Q5KPSGu/jwPHwNAVaD7dA7T/FKw8H0K3ws -ZeTiGA0sSeGS1IJrQMBIh28vUnHupYUrnZBsz+9I4yM ---- qMzO4grI7h5bkEI4d/ruuyMS7RVvZtFsfJT07M8W9W0 ->q@|6b1 ssh-ed25519 GQzYWA N2jnATED5CQTDflLzW2wnIarM0nc8hTJAQ9G9Q5M+2U +jV9R8GqaqQe4TeXa6mqhZGLWAVPoGpTHuh42tCnTwds +-> ssh-ed25519 MfR7VA VAlild/90Vofo0zXd42NapS1sHluYLPGP5lMC+JSIFo +VdPZvpRpC0JA8ba+HI5F3lOuR8qZAlFZt8AQEytqOEs +-> ssh-ed25519 +cvRTg hW1dt51t+g4MOCPxwP2o7RuIpi16q0b7c5CA4EAxs3o +UwDgBrgetix+6FuAowZaG6Aq+J1CDZdsjIn9v38g9I8 +-> ssh-ed25519 WCPLrA QksEezxLik0zl+3YiDtM95LQqNeZKAHaqdlmKTOj0XY +Thj7Gbkw5uti1pzMd0jZ2d4EzIY4QA7MJbC/gPdvIbo +-> ssh-ed25519 7/ziYw kffVPB2i78R1mlidzoBV15sDVeEWWt40bhrIgtm/Zws +fFukgot++DcOQd8qrkzD6xh6zFhVnZNmqNF4i33vLLw +-> ssh-ed25519 VQy60Q 84xB7sxEOT3B8CUb7GZCsbJd69gy0yaBYjgrPN8xox0 +qE+5vjNdy67rZPc8QynIvLZzTqyoofMSMnFC3z7hoXQ +--- 7mWx4K+zrpZqGRcoLBWXF+Sod/EmnodV74lvYrc4+d4 +:('0v2s _[X r77wVƽjb݉H's+oCdXGWS~4HA\JMx.451 \ No newline at end of file diff --git a/system/server/seafile.nix b/system/server/seafile.nix index 124c581..50234c2 100644 --- a/system/server/seafile.nix +++ b/system/server/seafile.nix @@ -12,7 +12,6 @@ httpsUrl = "https://" + url; authUrl = config.services.zitadel.settings.ExternalDomain; httpsAuthUrl = "https://" + authUrl; - oidcSubstitute = "*@#OPENIDCLIENTSECRET#@*"; in { config = mkIf cfg { services.caddy.virtualHosts.${url}.extraConfig = '' 
@@ -48,19 +47,20 @@ in {
 OAUTH_ACTIVATE_USER_AFTER_CREATION = True
 OAUTH_ENABLE_INSECURE_TRANSPORT = False
 OAUTH_CLIENT_ID = "329743411726844274"
- OAUTH_CLIENT_SECRET = "${oidcSubstitute}"
+
+ with open("${config.age.secrets.seafile-oidc.path}") as f:
+ OAUTH_CLIENT_SECRET = f.read()
+
 OAUTH_REDIRECT_URL = '${httpsUrl}/oauth/callback/'
- OAUTH_PROVIDER_DOMAIN = '${authUrl}'
- OAUTH_PROVIDER = 'JSW Auth'
+ OAUTH_PROVIDER = '${authUrl}'
 OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize'
 OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token'
 OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo'
- OAUTH_SCOPE = ["user",]
+ OAUTH_SCOPE = ["openid", "profile", "email"]
 OAUTH_ATTRIBUTE_MAP = {
- "id": (True, "email"),
- "name": (False, "name"),
- "email": (False, "contact_email"),
- "uid": (True, "uid"),
+ "sub": (True, "uid"),
+ "name": (True, "name"),
+ "email": (True, "contact_email")
 }
 '';
 seafileSettings = {
@@ -75,6 +75,13 @@ in {
 };
 };
 
+ # environment.etc."seafile/seahub_settings.py" = {
+ # text = mkForce null; # NOTE: If breaky, check https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/seafile.nix#L22. Using hardcoded values instead of the ones in the module so if there changes, things might break.
+ # source = config.age.secrets.seafile-seahubconf.path;
+ # user = "seafile";
+ # group = "seafile";
+ # };
+
 #NOTE: Overwriting parts of services so that it uses a different root. When upgrading. Please check the following two things:
 ## * If seafile still uses seafile_settings.py to store openid settings.systemd
 ## * If the service scripts / settings have changed.systemd
From c22571ac834133a6da1aca0abc313d3321030ae7 Mon Sep 17 00:00:00 2001
From: jsw
Date: Wed, 23 Jul 2025 10:47:55 +0000
Subject: [PATCH 13/14] Getting desperate fixing seafile
---
 system/server/seafile.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/system/server/seafile.nix b/system/server/seafile.nix
index 50234c2..a8e4601 100644
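Review bot: `OAUTH_CLIENT_SECRET = f.read()` takes the decrypted file verbatim, so if the plaintext behind `seafile-oidc.age` ends with a newline (most editors add one) that newline becomes part of the client secret and the token request is likely to be rejected with an error that gives no hint about whitespace; use `OAUTH_CLIENT_SECRET = f.read().strip()`. Opening the agenix path at settings-import time also requires seahub to run as the secret's `owner`, which this same patch sets to the seafile user with mode 400, so that part lines up. The `seahubExtraConf` string this Python lives in starts outside the hunk, and the assignment under `with` must keep its relative indentation inside it.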
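Review bot: The added `environment.etc."seafile/seahub_settings.py"` block is committed entirely commented out and refers to `config.age.secrets.seafile-seahubconf.path`, a secret none of the hunks visible here declare; commented-out configuration with a dangling reference tends to be resurrected as-is later. Either drop it or collapse it to one line next to the existing NOTE, e.g. `# TODO: override seahub_settings.py via environment.etc once a seafile-seahubconf secret exists`.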
--- a/system/server/seafile.nix
+++ b/system/server/seafile.nix
@@ -53,9 +53,9 @@ in {
 
 OAUTH_REDIRECT_URL = '${httpsUrl}/oauth/callback/'
 OAUTH_PROVIDER = '${authUrl}'
- OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize'
- OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token'
- OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo'
+ OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize/'
+ OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token/'
+ OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo/'
 OAUTH_SCOPE = ["openid", "profile", "email"]
 OAUTH_ATTRIBUTE_MAP = {
 "sub": (True, "uid"),
From a6ab36252a1fbe8c7a657e25ee117b94aed90f82 Mon Sep 17 00:00:00 2001
From: Jurn Wubben
Date: Thu, 24 Jul 2025 23:34:42 +0200
Subject: [PATCH 14/14] Removal of seafile
---
 secrets/default.nix | 5 --
 secrets/seafile-oidc.age | 15 -----
 secrets/secrets.nix | 1 -
 system/server/default.nix | 1 -
 system/server/seafile.nix | 117 --------------------------------------
 5 files changed, 139 deletions(-)
delete mode 100644 secrets/seafile-oidc.age
delete mode 100644 system/server/seafile.nix
diff --git a/secrets/default.nix b/secrets/default.nix
index 319a835..b2ffdcc 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -42,10 +42,5 @@ in {
 file = ./immich-oidc.age;
 owner = abstrServiceUser "immich";
 };
- seafile-oidc = mkIf server {
- file = ./seafile-oidc.age;
- owner = abstrServiceUser "seafile";
- mode = "400";
- };
 };
 }
diff --git a/secrets/seafile-oidc.age b/secrets/seafile-oidc.age
deleted file mode 100644
index 70db7a2..0000000
--- a/secrets/seafile-oidc.age
+++ /dev/null
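Review bot: Appending `/` to the three endpoint URLs reverses the paths used one commit earlier, and nothing in the series shows which form the provider actually serves, so this reads as trial and error (the commit message says as much). The authoritative values are in the provider's discovery document at `${httpsAuthUrl}/.well-known/openid-configuration` (`authorization_endpoint`, `token_endpoint`, `userinfo_endpoint`); compare against that, pin whichever form it lists, and record the outcome above `OAUTH_AUTHORIZATION_URL`, e.g. `# endpoint paths checked against the provider's discovery document on <DATE-PLACEHOLDER>`, so the next person does not flip the slashes back. The `seahubExtraConf` string these lines sit in starts outside the hunk.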
@@ -1,15 +0,0 @@
-age-encryption.org/v1
--> ssh-ed25519 GQzYWA N2jnATED5CQTDflLzW2wnIarM0nc8hTJAQ9G9Q5M+2U
-jV9R8GqaqQe4TeXa6mqhZGLWAVPoGpTHuh42tCnTwds
--> ssh-ed25519 MfR7VA VAlild/90Vofo0zXd42NapS1sHluYLPGP5lMC+JSIFo
-VdPZvpRpC0JA8ba+HI5F3lOuR8qZAlFZt8AQEytqOEs
--> ssh-ed25519 +cvRTg hW1dt51t+g4MOCPxwP2o7RuIpi16q0b7c5CA4EAxs3o
-UwDgBrgetix+6FuAowZaG6Aq+J1CDZdsjIn9v38g9I8
--> ssh-ed25519 WCPLrA QksEezxLik0zl+3YiDtM95LQqNeZKAHaqdlmKTOj0XY
-Thj7Gbkw5uti1pzMd0jZ2d4EzIY4QA7MJbC/gPdvIbo
--> ssh-ed25519 7/ziYw kffVPB2i78R1mlidzoBV15sDVeEWWt40bhrIgtm/Zws
-fFukgot++DcOQd8qrkzD6xh6zFhVnZNmqNF4i33vLLw
--> ssh-ed25519 VQy60Q 84xB7sxEOT3B8CUb7GZCsbJd69gy0yaBYjgrPN8xox0
-qE+5vjNdy67rZPc8QynIvLZzTqyoofMSMnFC3z7hoXQ
---- 7mWx4K+zrpZqGRcoLBWXF+Sod/EmnodV74lvYrc4+d4
-:('0v2s _[X r77wVƽjb݉H's+oCdXGWS~4HA\JMx.451
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index d60c431..df90563 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -22,5 +22,4 @@ in {
 "zitadel-key.age".publicKeys = keys;
 "forgejo-mailpass.age".publicKeys = keys;
 "immich-oidc.age".publicKeys = keys;
- "seafile-oidc.age".publicKeys = keys;
 }
diff --git a/system/server/default.nix b/system/server/default.nix
index 55ee537..c6ac1c8 100644
--- a/system/server/default.nix
+++ b/system/server/default.nix
@@ -8,7 +8,6 @@
 ./index
 ./mail.nix
 ./matrix.nix
- ./seafile.nix
 ./temp.nix
 ./zitadel.nix
 ];
diff --git a/system/server/seafile.nix b/system/server/seafile.nix
deleted file mode 100644
index a8e4601..0000000
--- a/system/server/seafile.nix
+++ /dev/null
@@ -1,117 +0,0 @@
-{
- config,
- inputs,
- pkgs,
- lib,
- ...
- }: let
- inherit (lib) mkIf mkForce;
- cfg = config.niksos.server;
-
- url = "files.jsw.tf";
- httpsUrl = "https://" + url;
- authUrl = config.services.zitadel.settings.ExternalDomain;
- httpsAuthUrl = "https://" + authUrl;
-in {
- config = mkIf cfg {
- services.caddy.virtualHosts.${url}.extraConfig = ''
- handle_path /seafhttp/* {
- reverse_proxy * unix//run/seafile/server.sock
- }
- handle_path /* {
- reverse_proxy * unix//run/seahub/gunicorn.sock
- }
- '';
-
- services.seafile = {
- enable = config.niksos.server;
- seahubPackage = inputs.nixpkgs-stable.legacyPackages.${pkgs.system}.seahub;
-
- adminEmail = "jsw@jsw.tf";
- initialAdminPassword = "ChangeMeTheFuckNow!";
-
- gc.enable = true;
-
- ccnetSettings.General.SERVICE_URL = httpsUrl;
- seahubExtraConf = ''
- ALLOWED_HOSTS = ['.${url}']
- CSRF_COOKIE_SECURE = True
- CSRF_COOKIE_SAMESITE = 'Strict'
- CSRF_TRUSTED_ORIGINS = ['${httpsUrl}']
-
- SITE_NAME = "JSW Cloud"
- SITE_TITLE = "JSW Cloud"
-
- ENABLE_OAUTH = True
- OAUTH_CREATE_UNKNOWN_USER = True
- OAUTH_ACTIVATE_USER_AFTER_CREATION = True
- OAUTH_ENABLE_INSECURE_TRANSPORT = False
- OAUTH_CLIENT_ID = "329743411726844274"
-
- with open("${config.age.secrets.seafile-oidc.path}") as f:
- OAUTH_CLIENT_SECRET = f.read()
-
- OAUTH_REDIRECT_URL = '${httpsUrl}/oauth/callback/'
- OAUTH_PROVIDER = '${authUrl}'
- OAUTH_AUTHORIZATION_URL = '${httpsAuthUrl}/oauth/v2/authorize/'
- OAUTH_TOKEN_URL = '${httpsAuthUrl}/oauth/v2/token/'
- OAUTH_USER_INFO_URL = '${httpsAuthUrl}/oidc/v1/userinfo/'
- OAUTH_SCOPE = ["openid", "profile", "email"]
- OAUTH_ATTRIBUTE_MAP = {
- "sub": (True, "uid"),
- "name": (True, "name"),
- "email": (True, "contact_email")
- }
- '';
- seafileSettings = {
- quota.default = 30;
- history.keep_days = 40;
- library_trash.expire_days = 14;
- fileserver = {
- host = "unix:/run/seafile/server.sock";
- web_token_expire_time = 14400; # 4 hours
- max_download_dir_size = 100000; # 100gb max download size.
- };
- };
- };
-
- # environment.etc."seafile/seahub_settings.py" = {
- # text = mkForce null; # NOTE: If breaky, check https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/services/networking/seafile.nix#L22. Using hardcoded values instead of the ones in the module so if there changes, things might break.
- # source = config.age.secrets.seafile-seahubconf.path;
- # user = "seafile";
- # group = "seafile";
- # };
-
- #NOTE: Overwriting parts of services so that it uses a different root. When upgrading. Please check the following two things:
- ## * If seafile still uses seafile_settings.py to store openid settings.systemd
- ## * If the service scripts / settings have changed.systemd
- ## * Better even, rewrite this entire part.
- systemd.services = let
- config-dir = "/run/seafile";
- replaceSecretBin = lib.getExe pkgs.replace-secret;
- seafRoot = "/var/lib/seafile";
- ccnetDir = "${seafRoot}/ccnet";
- sfCfg = config.services.seafile;
- in {
- seaf-server = {
- # preStart = ''
- # umask 077
- # cp -f '/etc/seafile' '${config-dir}'
- # chmod u+w -R '${config-dir}'
- # ${replaceSecretBin} '${oidcSubstitute}' '${config.age.secrets.seafile-oidc.path}' '${config-dir}/seahub_settings.py'
- # '';
- # serviceConfig.ExecStart = mkForce ''
- # ${lib.getExe sfCfg.seahubPackage.seafile-server} \
- # --foreground \
- # -F '${config-dir} \
- # -c ${ccnetDir} \
- # -d ${sfCfg.dataDir} \
- # -l /var/log/seafile/server.log \
- # -P /run/seafile/server.pid \
- # -p /run/seafile
- # '';
- };
- # seahub.environment.SEAFILE_CENTRAL_CONF_DIR = mkForce config-dir;
- };
- };
-}