nix/machines
1
0
Fork 0
Code Issues Releases Packages Activity Actions

Get kas.codes minimally functioning
Some checks failed
/ systems (push) Successful in 31m26s
Details
/ dev-shell (push) Successful in 1m48s
Details
/ rust-packages (push) Successful in 4m13s
Details
/ check (push) Failing after 5m8s
Details
/ terraform-providers (push) Successful in 11m14s
Details

Browse source
This commit is contained in:
Kaare Hoff Skovgaard 2025-07-18 23:42:46 +02:00
parent dec0048a7b
commit 9bd9eb328b
Signed by: khs
GPG key ID: C7D890804F01E9F0
3 changed files with 28 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

4
nix/systems/aarch64-linux/kas.codes/forgejo/default.nix
View file

@ -87,8 +87,8 @@ in
mailer = { mailer = {
ENABLED = true; ENABLED = true;
SMTP_ADDR = "kas.codes"; SMTP_ADDR = "kas.codes";
FROM = "forgejo@khs.codes"; FROM = "forgejo@kas.codes";
USER = "forgejo@khs.codes"; USER = "forgejo@kas.codes";
}; };
"ui.meta" = { "ui.meta" = {
AUTHOR = "Kaare Hoff Skovgaard <kaare@kaareskovgaard.net>"; AUTHOR = "Kaare Hoff Skovgaard <kaare@kaareskovgaard.net>";

32
nix/systems/aarch64-linux/kas.codes/forgejo/oauth.nix
View file

@ -16,22 +16,28 @@ let
config="${config.services.forgejo.stateDir}/custom/conf/app.ini" config="${config.services.forgejo.stateDir}/custom/conf/app.ini"
secret="$(cat ${oauthSecretIdFile})" secret="$(cat ${oauthSecretIdFile})"
options=(
"--name" "Kanidm" \
"--key" "forgejo" \
"--secret" "$secret" \
"--auto-discover-url" https://login.kaareskovgaard.net/oauth2/openid/forgejo/.well-known/openid-configuration \
"--scopes" "email profile" \
"--skip-local-2fa" \
"--provider" openidConnect \
"--group-claim-name" "groups" \
"--admin-group" "admin" \
"--group-team-map-removal" \
"--group-team-map" '{"nix": {"nix": [] }, "actions": { "actons": [] }}'
)
if gitea "--config=$config" admin auth list | grep -q "Kanidm" 2> /dev/null; then if gitea "--config=$config" admin auth list | grep -q "Kanidm" 2> /dev/null; then
echo "Oauth2 app already exists, updating not yet implemented" id="$(gitea "--config=$config" admin auth list | grep "Kanidm" | cut -d$'\t' -f1)"
exit 0 gitea "--config=$config" admin auth update-oauth \
--id "$id" \
"''${options[@]}"
else else
gitea "--config=$config" admin auth add-oauth \ gitea "--config=$config" admin auth add-oauth \
--name "Kanidm" \ "''${options[@]}"
--key "forgejo" \
--secret "$secret" \
--auto-discover-url https://login.kaareskovgaard.net/oauth2/openid/forgejo/.well-known/openid-configuration \
--scopes "email profile" \
--skip-local-2fa \
--provider openidConnect \
--group-claim-name groups \
--admin-group admin \
--group-team-map-removal \
--group-team-map '{"nix": ["nix"], "actions": ["actons"]}'
fi fi
''; '';
}; };

7
nix/systems/aarch64-linux/security.kaareskovgaard.net/kanidm.nix
View file

@ -79,6 +79,10 @@ in
present = true; present = true;
members = [ "khs" ]; members = [ "khs" ];
}; };
groups.forgejo_admin = {
present = true;
members = [ "khs" ];
};
# We cannot add oauth2 apps before the secrets for them are generated. # We cannot add oauth2 apps before the secrets for them are generated.
systems.oauth2 = lib.mkIf (!bootstrapping) { systems.oauth2 = lib.mkIf (!bootstrapping) {
openbao = { openbao = {
@ -167,6 +171,9 @@ in
"forgejo_comitter" = [ "forgejo_comitter" = [
"comitter" "comitter"
]; ];
"forgejo_admin" = [
"admin"
];
}; };
}; };
}; };