nrabulinski/settei
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

Compare commits

base: nrabulinski:main
Branches Tags
nrabulinski:main
nrabulinski:bootstrap
nrabulinski:experiments/nilla
..
compare: nrabulinski:bootstrap
Branches Tags
nrabulinski:main
nrabulinski:bootstrap
nrabulinski:experiments/nilla

3 commits
main ... bootstrap

Author SHA1 Message Date
Nikodem Rabuliński
2c779fbd38
services/kanidm: init 2025-06-22 23:38:34 +02:00
Nikodem Rabuliński
68619bbb1c
modules/system/sane-defaults: enable cgroups 2025-06-22 23:38:34 +02:00
Nikodem Rabuliński
50c9f7a715
modules/home/desktop/qutebrowser: only enable on desktop 2025-06-22 23:10:16 +02:00
8 changed files with 188 additions and 73 deletions
Download patch file Download diff file Expand all files Collapse all files

144
flake.lock generated
View file

@ -30,11 +30,11 @@
"systems": "systems"
},
"locked": {
"lastModified": 1750173260,
"narHash": "sha256-9P1FziAwl5+3edkfFcr5HeGtQUtrSdk/MksX39GieoA=",
"lastModified": 1747575206,
"narHash": "sha256-NwmAFuDUO/PFcgaGGr4j3ozG9Pe5hZ/ogitWhY+D81k=",
"owner": "ryantm",
"repo": "agenix",
"rev": "531beac616433bac6f9e2a19feb8e99a22a66baf",
"rev": "4835b1dc898959d8547a871ef484930675cb47f1",
"type": "github"
},
"original": {
@ -46,15 +46,17 @@
"attic": {
"flake": false,
"locked": {
"lastModified": 1750621880,
"narHash": "sha256-1l1FdnWa77BdBTlXHXxyEPeE+X3p/x9W5bTrirkT5SI=",
"rev": "3b1831a2719a54830a3bf3a10d5a1fee81ca35a3",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/nrabulinski/attic/archive/3b1831a2719a54830a3bf3a10d5a1fee81ca35a3.tar.gz?rev=3b1831a2719a54830a3bf3a10d5a1fee81ca35a3"
"lastModified": 1748777195,
"narHash": "sha256-j3GQS4zm4zc1yo+5hCs0kpIGNDePj7ayRkbqsy3tyYs=",
"ref": "refs/heads/main",
"rev": "ec24c04e345ab02ff35020d99e34f1eda0b82352",
"revCount": 373,
"type": "git",
"url": "https://git.lix.systems/nrabulinski/attic.git"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/nrabulinski/attic/archive/main.tar.gz"
"type": "git",
"url": "https://git.lix.systems/nrabulinski/attic.git"
}
},
"blobs": {
@ -76,11 +78,11 @@
"conduit-src": {
"flake": false,
"locked": {
"lastModified": 1750551437,
"narHash": "sha256-Im9Mht19WldZmQP59mQSbPAnQYYyD8J6aBfuI63L4uY=",
"lastModified": 1748702033,
"narHash": "sha256-W72vGS0qJow1O4jXkuE3px4eNyFJeZqjuMREs6Lb5bU=",
"owner": "famedly",
"repo": "conduit",
"rev": "3248efbe4b50ccc3a34a3e4d0e5ebc13be2b8909",
"rev": "a1886a13967b0471b55428f7aed55087ad357491",
"type": "gitlab"
},
"original": {
@ -93,11 +95,11 @@
"crane": {
"flake": false,
"locked": {
"lastModified": 1750266157,
"narHash": "sha256-tL42YoNg9y30u7zAqtoGDNdTyXTi8EALDeCB13FtbQA=",
"lastModified": 1748047550,
"narHash": "sha256-t0qLLqb4C1rdtiY8IFRH5KIapTY/n3Lqt57AmxEv9mk=",
"owner": "ipetkov",
"repo": "crane",
"rev": "e37c943371b73ed87faf33f7583860f81f1d5a48",
"rev": "b718a78696060df6280196a6f992d04c87a16aef",
"type": "github"
},
"original": {
@ -108,11 +110,11 @@
},
"crane_2": {
"locked": {
"lastModified": 1748970125,
"narHash": "sha256-UDyigbDGv8fvs9aS95yzFfOKkEjx1LO3PL3DsKopohA=",
"lastModified": 1743700120,
"narHash": "sha256-8BjG/P0xnuCyVOXlYRwdI1B8nVtyYLf3oDwPSimqREY=",
"owner": "ipetkov",
"repo": "crane",
"rev": "323b5746d89e04b22554b061522dfce9e4c49b18",
"rev": "e316f19ee058e6db50075115783be57ac549c389",
"type": "github"
},
"original": {
@ -128,11 +130,11 @@
]
},
"locked": {
"lastModified": 1750423559,
"narHash": "sha256-V9CtRGRbi+9qUgbinyfR8lwhDiwg+QtTaT88FLD8Z3Y=",
"lastModified": 1748354048,
"narHash": "sha256-BUUifoC7bipKczvpk8fq+UYrhiK95nt/zhMuPcelzWg=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "f601f02d132b3118f56e013249f4b234c371180d",
"rev": "eb1b636932ba2f19522d3687ba27c6adf3fd5978",
"type": "github"
},
"original": {
@ -149,11 +151,11 @@
]
},
"locked": {
"lastModified": 1750040002,
"narHash": "sha256-KrC9iOVYIn6ukpVlHbqSA4hYCZ6oDyJKrcLqv4c5v84=",
"lastModified": 1748225455,
"narHash": "sha256-AzlJCKaM4wbEyEpV3I/PUq5mHnib2ryEy32c+qfj6xk=",
"owner": "nix-community",
"repo": "disko",
"rev": "7f1857b31522062a6a00f88cbccf86b43acceed1",
"rev": "a894f2811e1ee8d10c50560551e50d6ab3c392ba",
"type": "github"
},
"original": {
@ -242,11 +244,11 @@
]
},
"locked": {
"lastModified": 1749636823,
"narHash": "sha256-WUaIlOlPLyPgz9be7fqWJA5iG6rHcGRtLERSCfUDne4=",
"lastModified": 1742649964,
"narHash": "sha256-DwOTp7nvfi8mRfuL1escHDXabVXFGT1VlPD1JHrtrco=",
"owner": "cachix",
"repo": "git-hooks.nix",
"rev": "623c56286de5a3193aa38891a6991b28f9bab056",
"rev": "dcf5072734cb576d2b0c59b2ac44f5050b5eac82",
"type": "github"
},
"original": {
@ -285,11 +287,11 @@
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1750531852,
"narHash": "sha256-ps4Fa8cq+q13Kb2nj9uxXjIGvsSRBUfcxW5CgquxiQI=",
"lastModified": 1748702599,
"narHash": "sha256-cXzTGHrZsT4wSxlLvw2ZlHPVjC/MA2W0sI/KF1yStbY=",
"owner": "helix-editor",
"repo": "helix",
"rev": "171dfc60e5cda8f9fb6c4f662872f35bbe864a53",
"rev": "2baff46b2578d78d817b9e128e8cc00345541f0b",
"type": "github"
},
"original": {
@ -305,11 +307,11 @@
]
},
"locked": {
"lastModified": 1750614446,
"narHash": "sha256-6WH0aRFay79r775RuTqUcnoZNm6A4uHxU1sbcNIk63s=",
"lastModified": 1748737919,
"narHash": "sha256-5kvBbLYdp+n7Ftanjcs6Nv+UO6sBhelp6MIGJ9nWmjQ=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "7c35504839f915abec86a96435b881ead7eb6a2b",
"rev": "5675a9686851d9626560052a032c4e14e533c1fa",
"type": "github"
},
"original": {
@ -321,15 +323,17 @@
"lix": {
"flake": false,
"locked": {
"lastModified": 1750506763,
"narHash": "sha256-hCbhc9P+UmIlYv81+vs6v3bDqviCUhwPH3XqClZdfSk=",
"rev": "242a228124f77b57c2e3b3aedb259ffb7913cd3c",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/lix/archive/242a228124f77b57c2e3b3aedb259ffb7913cd3c.tar.gz?rev=242a228124f77b57c2e3b3aedb259ffb7913cd3c"
"lastModified": 1748588861,
"narHash": "sha256-bP9MHHCx/6Pi1TlO7Iq8X6AUoQHzyExQJNnSHSOqUUk=",
"ref": "refs/heads/main",
"rev": "3815dd5e64fc374fa4dcc5064470cd7a7d77aaf3",
"revCount": 17966,
"type": "git",
"url": "https://git.lix.systems/lix-project/lix.git"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/lix/archive/main.tar.gz"
"type": "git",
"url": "https://git.lix.systems/lix-project/lix.git"
}
},
"lix-module": {
@ -346,13 +350,15 @@
"locked": {
"lastModified": 1747667424,
"narHash": "sha256-7EICjbmG6lApWKhFtwvZovdcdORY1CEe6/K7JwtpYfs=",
"ref": "refs/heads/main",
"rev": "3c23c6ae2aecc1f76ae7993efe1a78b5316f0700",
"type": "tarball",
"url": "https://git.lix.systems/api/v1/repos/lix-project/nixos-module/archive/3c23c6ae2aecc1f76ae7993efe1a78b5316f0700.tar.gz?rev=3c23c6ae2aecc1f76ae7993efe1a78b5316f0700"
"revCount": 144,
"type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module.git"
},
"original": {
"type": "tarball",
"url": "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz"
"type": "git",
"url": "https://git.lix.systems/lix-project/nixos-module.git"
}
},
"mailserver": {
@ -366,11 +372,11 @@
"nixpkgs-25_05": "nixpkgs-25_05"
},
"locked": {
"lastModified": 1750598722,
"narHash": "sha256-mDOWRzp0iEdnNln7Wvg60awdFGNq9hIOdPudMeueB6Q=",
"lastModified": 1748689589,
"narHash": "sha256-ltwdNAsto54HMQFdrCprWXPFhNBfEuiCkj+GS7ZHvww=",
"owner": "simple-nixos-mailserver",
"repo": "nixos-mailserver",
"rev": "cfb3136cf01a3e571b5340c7529b5b4722a08c52",
"rev": "c9f61e02aee97dc8c7d4f3739b012a992183508c",
"type": "gitlab"
},
"original": {
@ -382,11 +388,11 @@
"nh": {
"flake": false,
"locked": {
"lastModified": 1750610317,
"narHash": "sha256-tArf9ek4DoR+5lcDlshGS/CjMjX8vMNfpZ1Ys98UrZM=",
"lastModified": 1748096601,
"narHash": "sha256-ji/9z1pRbosyKVVAIGBazyz6PjWV8bc2Ux2RdQrVDWY=",
"owner": "nix-community",
"repo": "nh",
"rev": "e5dbcf9d48257f4a116bc4746e0c59c78e08e161",
"rev": "1ea27e73a3dcbc9950258e9054377ee677d12b9e",
"type": "github"
},
"original": {
@ -398,11 +404,11 @@
"nilla": {
"flake": false,
"locked": {
"lastModified": 1749389880,
"narHash": "sha256-15lwhWcMonJH6UholMMHDc+p2BoSpGA4AYGrsXQA9Do=",
"lastModified": 1748686039,
"narHash": "sha256-7iLzbTLtgdFtm9em3xxHO9BunN2YpgYquMLKXh5hEpQ=",
"owner": "nilla-nix",
"repo": "nilla",
"rev": "2e98ae315a592ad6b6de44670514c048dcc88dc7",
"rev": "4e6038f4ebc89487194013af6a1e077dfeb00359",
"type": "github"
},
"original": {
@ -413,11 +419,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1750386251,
"narHash": "sha256-1ovgdmuDYVo5OUC5NzdF+V4zx2uT8RtsgZahxidBTyw=",
"lastModified": 1748662220,
"narHash": "sha256-7gGa49iB9nCnFk4h/g9zwjlQAyjtpgcFkODjcOQS0Es=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "076e8c6678d8c54204abcb4b1b14c366835a58bb",
"rev": "59138c7667b7970d205d6a05a8bfa2d78caa3643",
"type": "github"
},
"original": {
@ -429,11 +435,11 @@
},
"nixpkgs-25_05": {
"locked": {
"lastModified": 1749727998,
"narHash": "sha256-mHv/yeUbmL91/TvV95p+mBVahm9mdQMJoqaTVTALaFw=",
"lastModified": 1747610100,
"narHash": "sha256-rpR5ZPMkWzcnCcYYo3lScqfuzEw5Uyfh+R0EKZfroAc=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "fd487183437963a59ba763c0cc4f27e3447dd6dd",
"rev": "ca49c4304acf0973078db0a9d200fd2bae75676d",
"type": "github"
},
"original": {
@ -516,11 +522,11 @@
]
},
"locked": {
"lastModified": 1749436897,
"narHash": "sha256-OkDtaCGQQVwVFz5HWfbmrMJR99sFIMXHCHEYXzUJEJY=",
"lastModified": 1743682350,
"narHash": "sha256-S/MyKOFajCiBm5H5laoE59wB6w0NJ4wJG53iAPfYW3k=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "e7876c387e35dc834838aff254d8e74cf5bd4f19",
"rev": "c4a8327b0f25d1d81edecbb6105f74d7cf9d7382",
"type": "github"
},
"original": {
@ -581,11 +587,11 @@
]
},
"locked": {
"lastModified": 1749194973,
"narHash": "sha256-eEy8cuS0mZ2j/r/FE0/LYBSBcIs/MKOIVakwHVuqTfk=",
"lastModified": 1748243702,
"narHash": "sha256-9YzfeN8CB6SzNPyPm2XjRRqSixDopTapaRsnTpXUEY8=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "a05be418a1af1198ca0f63facb13c985db4cb3c5",
"rev": "1f3f7b784643d488ba4bf315638b2b0a4c5fb007",
"type": "github"
},
"original": {
@ -651,11 +657,11 @@
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1750360050,
"narHash": "sha256-/BT5MJqy+e0jHjALBNL8YT4kQ9wlaSedxPapYvKyeyw=",
"lastModified": 1745230073,
"narHash": "sha256-OER99U7MiqQ47myvbsiljsax7OsK19NMds4NBM9XXLs=",
"owner": "dj95",
"repo": "zjstatus",
"rev": "857ada14fc8f652300571272c6db7c12620c33c0",
"rev": "a819e3bfe6bfef0438d811cdbb1bcfdc29912c62",
"type": "github"
},
"original": {

6
flake.nix
View file

@ -48,7 +48,7 @@
flake = false;
};
attic = {
url = "https://git.lix.systems/nrabulinski/attic/archive/main.tar.gz";
url = "git+https://git.lix.systems/nrabulinski/attic.git";
flake = false;
};
crane = {
@ -64,11 +64,11 @@
inputs.nixpkgs.follows = "nixpkgs";
};
lix = {
url = "https://git.lix.systems/lix-project/lix/archive/main.tar.gz";
url = "git+https://git.lix.systems/lix-project/lix.git";
flake = false;
};
lix-module = {
url = "https://git.lix.systems/lix-project/nixos-module/archive/main.tar.gz";
url = "git+https://git.lix.systems/lix-project/nixos-module.git";
inputs.nixpkgs.follows = "nixpkgs";
inputs.lix.follows = "lix";
};

2
hosts/kazuki/mail.nix
View file

@ -38,7 +38,7 @@
certificateScheme = "acme-nginx";
stateVersion = 3;
stateVersion = 2;
};
# TODO: Remove once SNM gets their shit together

7
secrets/kanidm-admin-pass.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 84j9mw W4+Z4WjOyUl4mWPqVykNWRhf2/8qfVOSM7QCFPNMZTA
0ndQjslMwjQqguN25nBQtCchpCLhoD/vrxh1yNVeTNw
-> ssh-ed25519 GKhvwg H8XcFJDZTA3IzxmK6wbB+PVM2gCZ4ysAPjL5j0LgeE0
kehTMRIVOZ5ubtO7w8WF+gU3sjYXMQtd5hH+wcv3uSE
--- 72ntrRbWq8pdkk/GrsVupTttfY9t+w3l+2KQbQyNn/I
iydìû$vVl TK$4G[€â· ©âMI[™#t—¹ °ôz:‰ñÍÙr9~½ESÃA»6Œ}×µ

8
secrets/kanidm-idm-admin-pass.age Normal file
View file

@ -0,0 +1,8 @@
age-encryption.org/v1
-> ssh-ed25519 84j9mw 8zYeVXx36dpC8TxMdoM1GdERoNNj902KwTF4h/r4inM
n3mYra0BeM4gWsZ7Roilu14o/GajX1iWw0fcy0q31yc
-> ssh-ed25519 GKhvwg cqd7YmVpbxqZxaVluHDZ8Yw0gNfJCKMmoWa4mEoXym8
Gbcj+PJaqyPRRGX4olr7mmJ5IoEGlQaogYbj7i9E/98
--- LoQPWI+m8s3NjalUh0+xdW54c8lgddBmhPoIiPbmR8I
ê¢èÒ–Æœ܉ ÈY
ž9˜ä­Å!4<>šÞ2DV³£P²·9¡N<C2A1>]G;ÎÏ?ˆÐ‰S± '

8
secrets/secrets.nix
View file

@ -93,4 +93,12 @@ in
keys.system.youko
keys.other.bootstrap
];
"kanidm-admin-pass.age".publicKeys = [
keys.system.kazuki
keys.other.bootstrap
];
"kanidm-idm-admin-pass.age".publicKeys = [
keys.system.kazuki
keys.other.bootstrap
];
}

1
services/default.nix
View file

@ -4,5 +4,6 @@
./forgejo-runner.nix
./forgejo.nix
./paperless.nix
./kanidm.nix
];
}

85
services/kanidm.nix Normal file
View file

@ -0,0 +1,85 @@
{
config.services.kanidm =
let
port = 8443;
domain = "auth.rabulinski.com";
in
{
host = "kazuki";
ports = [ port ];
module =
{ config, pkgs, ... }:
let
cert = config.security.acme.certs.${domain};
in
{
age.secrets.rabulinski-com-cf = {
file = ../secrets/rabulinski-com-cf.age;
owner = config.services.nginx.user;
};
age.secrets.kanidm-admin-pass = {
file = ../secrets/kanidm-admin-pass.age;
owner = "kanidm";
};
age.secrets.kanidm-idm-admin-pass = {
file = ../secrets/kanidm-idm-admin-pass.age;
owner = "kanidm";
};
services.kanidm = {
enableServer = true;
package = pkgs.kanidmWithSecretProvisioning;
serverSettings = {
bindaddress = "127.0.0.1:${toString port}";
inherit domain;
origin = "https://${domain}";
trust_x_forward_for = true;
tls_chain = "${cert.directory}/fullchain.pem";
tls_key = "${cert.directory}/key.pem";
};
provision = {
enable = true;
idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-pass.path;
adminPasswordFile = config.age.secrets.kanidm-admin-pass.path;
};
};
systemd.services.kanidm.serviceConfig = {
SupplementaryGroups = [ cert.group ];
};
users.users.nginx.extraGroups = [ "acme" ];
networking.firewall.allowedTCPPorts = [
80
443
];
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedTlsSettings = true;
virtualHosts."auth.rabulinski.com" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyPass = "https://localhost:${toString port}";
proxyWebsockets = true;
extraConfig = ''
proxy_ssl_verify off;
proxy_ssl_name ${domain};
'';
};
};
};
security.acme.certs.${domain} = {
dnsProvider = "cloudflare";
credentialsFile = config.age.secrets.rabulinski-com-cf.path;
reloadServices = [ "kanidm" ];
};
};
};
}