diff --git a/common/services/gitea.nix b/common/services/gitea.nix
deleted file mode 100644
index b60a41a..0000000
--- a/common/services/gitea.nix
+++ /dev/null
@@ -1,63 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) mkEnableOption mkIf mkOption;
-
- cfg = config.foehammer.services.forgejo;
-in {
- options.foehammer.services.forgejo = {
- enable = mkEnableOption "Enable Gitea Server";
-
- port = mkOption {
- type = lib.types.port;
- default = 8225;
- description = ''
- What external port to serve over.
- '';
- };
-
- ssh-port = mkOption {
- type = lib.types.port;
- default = 22;
- description = ''
- Where ssh is available.
- '';
- };
-
- domain = mkOption {
- type = lib.types.str;
- };
-
- ssh-domain = mkOption {
- type = lib.types.str;
- default = cfg.domain;
- };
- };
-
- config = mkIf cfg.enable {
- services.forgejo = {
- enable = true;
- lfs.enable = true;
-
- settings = {
- service = {
- DISABLE_REGISTRATION = true;
- SHOW_REGISTRATION_BUTTON = false;
- };
- ui = {
- SHOW_USER_EMAIL = false;
- };
- server = {
- HTTP_PORT = cfg.port;
- DOMAIN = cfg.domain;
- ROOT_URL = "https://${cfg.domain}";
- SSH_DOMAIN = cfg.ssh-domain;
- SSH_PORT = cfg.ssh-port;
- };
- };
- };
- };
-}
diff --git a/flake.lock b/flake.lock
index 518fe62..1406691 100644
--- a/flake.lock
+++ b/flake.lock
@@ -1,60 +1,15 @@ { "nodes": { - "alejandra": { - "inputs": { - "fenix": "fenix", - "flakeCompat": "flakeCompat", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1660592437, - "narHash": "sha256-xFumnivtVwu5fFBOrTxrv6fv3geHKF04RGP23EsDVaI=", - "owner": "kamadorueda", - "repo": "alejandra", - "rev": "e7eac49074b70814b542fee987af2987dd0520b5", - "type": "github" - }, - "original": { - "owner": "kamadorueda", - "ref": "3.0.0", - "repo": "alejandra", - "type": "github" - } - }, - "fenix": { - "inputs": { - "nixpkgs": [ - "alejandra", - "nixpkgs" - ], - "rust-analyzer-src": "rust-analyzer-src" - }, - "locked": { - "lastModified": 1657607339, - "narHash": "sha256-HaqoAwlbVVZH2n4P3jN2FFPMpVuhxDy1poNOR7kzODc=", - "owner": "nix-community", - "repo": "fenix", - "rev": "b814c83d9e6aa5a28d0cf356ecfdafb2505ad37d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "fenix", - "type": "github" - } - }, "flake-parts": { "inputs": { "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1765495779, - "narHash": "sha256-MhA7wmo/7uogLxiewwRRmIax70g6q1U/YemqTGoFHlM=", + "lastModified": 1738453229, + "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "5635c32d666a59ec9a55cab87e898889869f7b71", + "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", "type": "github" }, "original": { 
@@ -63,76 +18,39 @@ "type": "github" } }, - "flakeCompat": { - "flake": false, - "locked": { - "lastModified": 1650374568, - "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=", - "owner": "edolstra", - "repo": "flake-compat", - "rev": "b4a34015c698c7793d592d66adbab377907a2be8", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1766736597, - "narHash": "sha256-BASnpCLodmgiVn0M1MU2Pqyoz0aHwar/0qLkp7CjvSQ=", + "lastModified": 1749024892, + "narHash": "sha256-OGcDEz60TXQC+gVz5sdtgGJdKVYr6rwdzQKuZAJQpCA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852", + "rev": "8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-25.11", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-lib": { "locked": { - "lastModified": 1761765539, - "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc", - "type": "github" + "lastModified": 1738452942, + "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" }, "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" } }, "root": { "inputs": { - "alejandra": "alejandra", "flake-parts": "flake-parts", "nixpkgs": "nixpkgs" } - }, - "rust-analyzer-src": { - "flake": false, - "locked": { - "lastModified": 1657557289, - "narHash": "sha256-PRW+nUwuqNTRAEa83SfX+7g+g8nQ+2MMbasQ9nt6+UM=", - "owner": "rust-lang", - "repo": "rust-analyzer", - "rev": "caf23f29144b371035b864a1017dbc32573ad56d", - "type": "github" - }, - 
"original": { - "owner": "rust-lang", - "ref": "nightly", - "repo": "rust-analyzer", - "type": "github" - } } }, "root": "root", diff --git a/flake.nix b/flake.nix index 70eae05..2477894 100644 --- a/flake.nix +++ b/flake.nix @@ -1,42 +1,41 @@ { inputs = { - nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; flake-parts.url = "github:hercules-ci/flake-parts"; }; outputs = inputs @ {self, ...}: - inputs.flake-parts.lib.mkFlake {inherit inputs;} (toplevel @ {withSystem, ...}: { - systems = ["aarch64-darwin" "aarch64-linux" "x86_64-linux"]; + inputs.flake-parts.lib.mkFlake {inherit inputs;} (toplevel @ {withSystem, ...}: { + systems = ["aarch64-darwin" "aarch64-linux" "x86_64-linux"]; - perSystem = { - config, - self', - inputs', - pkgs, - system, - ... - }: { - _module.args.pkgs = import inputs.nixpkgs { - localSystem = system; - config = { - allowUnfree = true; - allowAliases = true; + perSystem = { + config, + self', + inputs', + pkgs, + system, + ... + }: { + _module.args.pkgs = import inputs.nixpkgs { + localSystem = system; + config = { + allowUnfree = true; + allowAliases = true; + }; + # overlays = [self.overlays.default]; }; - # overlays = [self.overlays.default]; + + # packages = import ./lib/packages.nix pkgs; }; - # packages = import ./lib/packages.nix pkgs; - }; + flake = { + lib = import ./lib inputs.nixpkgs withSystem; + # overlays.default = final: prev: (import ./lib/packages.nix prev); - flake = { - lib = import ./lib inputs.nixpkgs withSystem; - - # overlays.default = final: prev: (import ./lib/packages.nix prev); - - nixosModules.default = {...}: { - imports = self.lib.utils.findNixFiles ./common; + nixosModules.default = {...}: { + imports = self.lib.utils.findNixFiles ./common; + }; }; - }; - }); + }); } diff --git a/machines/lebesgue/config/configuration.nix b/machines/lebesgue/config/configuration.nix index 9df77b6..0b8e21f 100644 --- a/machines/lebesgue/config/configuration.nix 
+++ b/machines/lebesgue/config/configuration.nix @@ -14,12 +14,6 @@ enable = true; }; - services.forgejo = { - enable = true; - domain = "forge.foehammer.me"; - ssh-domain = "lebesgue"; - }; - services.vaultwarden = { enable = true; domain = "https://passwords.foehammer.me"; @@ -27,6 +21,19 @@ envPath = config.sops.secrets.vaultwarden-env.path; }; + services.authelia = { + enable = true; + domain = "foehammer.me"; + url = "https://auth.foehammer.me"; + jwtSecretFile = config.sops.secrets.authelia-jwtsecret.path; + + userDbFile = config.sops.secrets.authelia-users.path; + # oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-oidc-privkey.path; + # oidcHmacSecretFile = config.sops.secrets.authelia-oidc-hmac.path; + sessionSecretFile = config.sops.secrets.authelia-session-secret.path; + storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption.path; + }; + backups.restic = { enable = true; @@ -34,7 +41,7 @@ environmentFile = config.sops.secrets.restic-env.path; passwordFile = config.sops.secrets.restic-password.path; - paths = ["/var/lib/vaultwarden" "/var/lib/authelia" "/var/lib/forgejo"]; + paths = ["/var/lib/vaultwarden" "/var/lib/authelia"]; }; tailscale = { diff --git a/machines/lebesgue/config/routing.nix b/machines/lebesgue/config/routing.nix index 6d5c70a..d33c36c 100644 --- a/machines/lebesgue/config/routing.nix +++ b/machines/lebesgue/config/routing.nix @@ -8,16 +8,16 @@ reverse_proxy :${toString config.foehammer.services.vaultwarden.port} ''; }; + "auth.foehammer.me" = { + extraConfig = '' + reverse_proxy :${toString config.foehammer.services.authelia.port} + ''; + }; "goatcounter.foehammer.me" = { extraConfig = '' reverse_proxy :${toString config.foehammer.services.goatcounter.port} ''; }; - "forge.foehammer.me" = { - extraConfig = '' - reverse_proxy :${toString config.foehammer.services.forgejo.port} - ''; - }; }; }; } 
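Review bot: Removing `/var/lib/forgejo` from the restic `paths` list in the third hunk (`@@ -34,7 +41,7`) and, in state.nix, from the `/persist` directories means that whatever Forgejo data is still on lebesgue is no longer backed up and, if `/persist` is the only durable root on that host, disappears at the next reboot. Confirm the repositories were exported or are meant to be discarded before this is deployed, and record it at the list, `paths = ["/var/lib/vaultwarden" "/var/lib/authelia"]; # forgejo decommissioned; data exported <DATE-PLACEHOLDER>`. The second hunk leaves `oidcIssuerPrivateKeyFile` and `oidcHmacSecretFile` commented out; a one-line reason there (why OIDC is deferred and what gates enabling it) would save the next reader from guessing whether it is unfinished or intentional.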
diff --git a/machines/lebesgue/config/secrets.nix b/machines/lebesgue/config/secrets.nix index 89cbc0e..f8538b9 100644 --- a/machines/lebesgue/config/secrets.nix +++ b/machines/lebesgue/config/secrets.nix @@ -3,6 +3,10 @@ defaultSopsFile = ../secrets/main.yaml; secrets = let + autheliaSecret = { + owner = "authelia-main"; + sopsFile = ../secrets/authelia/secrets.yaml; + }; in { admin-password.neededForUsers = true; @@ -13,6 +17,16 @@ restic-env = {owner = "restic";}; restic-password = {owner = "restic";}; restic-repository = {owner = "restic";}; + + authelia-jwtsecret = autheliaSecret; + authelia-oidc-privkey = autheliaSecret; + authelia-oidc-hmac = autheliaSecret; + authelia-session-secret = autheliaSecret; + authelia-storage-encryption = autheliaSecret; + authelia-users = { + owner = "authelia-main"; + sopsFile = ../secrets/authelia/users.yaml; + }; }; }; } diff --git a/machines/lebesgue/config/state.nix b/machines/lebesgue/config/state.nix index 26efd42..98db9fa 100644 --- a/machines/lebesgue/config/state.nix +++ b/machines/lebesgue/config/state.nix @@ -4,7 +4,6 @@ environment.persistence."/persist" = { directories = [ "/var/cache/restic-backups-s3" - "/var/lib/forgejo" "/var/lib/tailscale" "/var/lib/goatcounter" "/var/log" diff --git a/machines/lebesgue/deploy b/machines/lebesgue/deploy index 18858c1..5e6d86a 100755 --- a/machines/lebesgue/deploy +++ b/machines/lebesgue/deploy @@ -1,10 +1,10 @@ #!/usr/bin/env bash function deploy() { - nix develop -c nixos-rebuild $1 --flake .#default --target-host admin@lebesgue --use-remote-sudo --verbose + nixos-rebuild $1 --flake .#default --target-host admin@lebesgue --use-remote-sudo --verbose } -nix flake update common +nix flake lock --update-input common if [[ -n $1 ]]; then deploy $1 diff --git a/machines/lebesgue/flake.lock b/machines/lebesgue/flake.lock index a1eae4a..37ed9f3 100644 --- a/machines/lebesgue/flake.lock +++ b/machines/lebesgue/flake.lock 
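Review bot: `authelia-oidc-privkey` and `authelia-oidc-hmac` are declared in the second hunk, but their only consumer, the `oidcIssuerPrivateKeyFile` and `oidcHmacSecretFile` lines in configuration.nix, is commented out, so sops-nix decrypts two secrets onto the host at activation that nothing reads. Drop the two declarations until OIDC is switched on, or keep them with a comment stating that, `# consumed by authelia only once OIDC is enabled in configuration.nix`; unused decrypted key material is easy to lose track of. The shared `autheliaSecret` binding is the right shape; note that `owner = "authelia-main"` presumes the Authelia instance is named `main`, which is not visible in this diff and is worth confirming against the module under common/services.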
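Review bot: A failing `nix flake lock --update-input common` does not stop the script, so `deploy $1` goes on to rebuild and push whatever lock is on disk, because the script has no `set -e`. Add `set -eo pipefail` after the shebang and quote the argument in both places, `nixos-rebuild "$1" --flake .#default --target-host admin@lebesgue --use-remote-sudo --verbose` and `deploy "$1"`. Dropping `nix develop -c` also means `nixos-rebuild` now comes from whatever is on the operator's PATH rather than the flake's dev shell, so the tool version is no longer pinned by the repo. As far as I recall, `--update-input` is the older spelling that recent Nix releases deprecate in favour of `nix flake update common`, the very form this line replaces, so a comment on why the old form is wanted would help.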
@@ -20,11 +20,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1765495779, - "narHash": "sha256-MhA7wmo/7uogLxiewwRRmIax70g6q1U/YemqTGoFHlM=", + "lastModified": 1738453229, + "narHash": "sha256-7H9XgNiGLKN1G1CgRh0vUL4AheZSYzPm+zmZ7vxbJdo=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "5635c32d666a59ec9a55cab87e898889869f7b71", + "rev": "32ea77a06711b758da0ad9bd6a844c5740a87abd", "type": "github" }, "original": { 
@@ -50,58 +50,55 @@ }, "nixpkgs": { "locked": { - "lastModified": 1766736597, - "narHash": "sha256-BASnpCLodmgiVn0M1MU2Pqyoz0aHwar/0qLkp7CjvSQ=", + "lastModified": 1749024892, + "narHash": "sha256-OGcDEz60TXQC+gVz5sdtgGJdKVYr6rwdzQKuZAJQpCA=", "owner": "nixos", "repo": "nixpkgs", - "rev": "f560ccec6b1116b22e6ed15f4c510997d99d5852", + "rev": "8f1b52b04f2cb6e5ead50bd28d76528a2f0380ef", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-25.11", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs-lib": { "locked": { - "lastModified": 1761765539, - "narHash": "sha256-b0yj6kfvO8ApcSE+QmA6mUfu8IYG6/uU28OFn4PaC8M=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "719359f4562934ae99f5443f20aa06c2ffff91fc", - "type": "github" + "lastModified": 1738452942, + "narHash": "sha256-vJzFZGaCpnmo7I6i416HaBLpC+hvcURh/BQwROcGIp8=", + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" }, "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" + "type": "tarball", + "url": "https://github.com/NixOS/nixpkgs/archive/072a6db25e947df2f31aab9eccd0ab75d5b2da11.tar.gz" } }, "nixpkgs_2": { "locked": { - "lastModified": 1765838191, - "narHash": "sha256-m5KWt1nOm76ILk/JSCxBM4MfK3rYY7Wq9/TZIIeGnT8=", + "lastModified": 1748889542, + "narHash": "sha256-Hb4iMhIbjX45GcrgOp3b8xnyli+ysRPqAgZ/LZgyT5k=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c6f52ebd45e5925c188d1a20119978aa4ffd5ef6", + "rev": "10d7f8d34e5eb9c0f9a0485186c1ca691d2c5922", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-25.11", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_3": { "locked": { - "lastModified": 1763618868, - "narHash": "sha256-v5afmLjn/uyD9EQuPBn7nZuaZVV9r+JerayK/4wvdWA=", + "lastModified": 1731763621, + "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=", "owner": "NixOS", "repo": "nixpkgs", - "rev": 
"a8d610af3f1a5fb71e23e08434d8d61a466fc942", + "rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d", "type": "github" }, "original": { @@ -124,11 +121,11 @@ "nixpkgs": "nixpkgs_3" }, "locked": { - "lastModified": 1764021963, - "narHash": "sha256-1m84V2ROwNEbqeS9t37/mkry23GBhfMt8qb6aHHmjuc=", + "lastModified": 1738291974, + "narHash": "sha256-wkwYJc8cKmmQWUloyS9KwttBnja2ONRuJQDEsmef320=", "owner": "Mic92", "repo": "sops-nix", - "rev": "c482a1c1bbe030be6688ed7dc84f7213f304f1ec", + "rev": "4c1251904d8a08c86ac6bc0d72cc09975e89aef7", "type": "github" }, "original": { diff --git a/machines/lebesgue/flake.nix b/machines/lebesgue/flake.nix index 9c6748f..7392f46 100644 --- a/machines/lebesgue/flake.nix +++ b/machines/lebesgue/flake.nix @@ -2,7 +2,7 @@ inputs = { common.url = "path:../.."; - nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; sops-nix = { url = "github:Mic92/sops-nix";