diff --git a/flake.lock b/flake.lock index da13959..1a7a827 100644 --- a/flake.lock +++ b/flake.lock @@ -352,11 +352,11 @@ ] }, "locked": { - "lastModified": 1705540973, - "narHash": "sha256-kNt/qAEy7ueV7NKbVc8YMHWiQAAgrir02MROYNI8fV0=", + "lastModified": 1705890365, + "narHash": "sha256-MObB+fipA/2Ai3uMuNouxcwz0cqvELPpJ+hfnhSaUeA=", "owner": "nix-community", "repo": "disko", - "rev": "0033adc6e3f1ed076f3ed1c637ef1dfe6bef6733", + "rev": "9fcdf3375e01e2938a49df103af9fd21bd0f89d9", "type": "github" }, "original": { @@ -454,21 +454,6 @@ } }, "flake-compat_5": { - "locked": { - "lastModified": 1688025799, - "narHash": "sha256-ktpB4dRtnksm9F5WawoIkEneh1nrEvuxb5lJFt1iOyw=", - "owner": "nix-community", - "repo": "flake-compat", - "rev": "8bf105319d44f6b9f0d764efa4fdef9f1cc9ba1c", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "flake-compat", - "type": "github" - } - }, - "flake-compat_6": { "flake": false, "locked": { "lastModified": 1696426674, @@ -484,7 +469,7 @@ "type": "github" } }, - "flake-compat_7": { + "flake-compat_6": { "flake": false, "locked": { "lastModified": 1673956053, @@ -501,28 +486,6 @@ } }, "flake-parts": { - "inputs": { - "nixpkgs-lib": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1701473968, - "narHash": "sha256-YcVE5emp1qQ8ieHUnxt1wCZCC3ZfAS+SRRWZ2TMda7E=", - "owner": "hercules-ci", - "repo": "flake-parts", - "rev": "34fed993f1674c8d06d58b37ce1e0fe5eebcb9f5", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "flake-parts", - "type": "github" - } - }, - "flake-parts_2": { "inputs": { "nixpkgs-lib": [ "nixvim", @@ -543,9 +506,9 @@ "type": "github" } }, - "flake-parts_3": { + "flake-parts_2": { "inputs": { - "nixpkgs-lib": "nixpkgs-lib_2" + "nixpkgs-lib": "nixpkgs-lib" }, "locked": { "lastModified": 1704982712, 
@@ -637,24 +600,6 @@ "inputs": { "systems": "systems_8" }, - "locked": { - "lastModified": 1705309234, - "narHash": "sha256-uNRRNRKmJyCRC/8y1RqBkqWBLM034y4qN7EprSdmgyA=", - "owner": "numtide", - "repo": "flake-utils", - "rev": "1ef2e671c3b0c19053962c07dbda38332dcebf26", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "flake-utils", - "type": "github" - } - }, - "flake-utils_6": { - "inputs": { - "systems": "systems_9" - }, "locked": { "lastModified": 1681202837, "narHash": "sha256-H+Rh19JDwRtpVPAWp64F+rlEtxUWBAQW28eAi3SRSzg=", @@ -779,11 +724,11 @@ ] }, "locked": { - "lastModified": 1705535278, - "narHash": "sha256-V5+XKfNbiY0bLKLQlH+AXyhHttEL7XcZBH9iSbxxexA=", + "lastModified": 1705879479, + "narHash": "sha256-ZIohbyly1KOe+8I3gdyNKgVN/oifKdmeI0DzMfytbtg=", "owner": "nix-community", "repo": "home-manager", - "rev": "b84191db127c16a92cbdf7f7b9969d58bb456699", + "rev": "2d47379ad591bcb14ca95a90b6964b8305f6c913", "type": "github" }, "original": { @@ -800,11 +745,11 @@ ] }, "locked": { - "lastModified": 1705104164, - "narHash": "sha256-pllCu3Hcm1wP/B0SUxgUXvHeEd4w8s2aVrEQRdIL1yo=", + "lastModified": 1705879479, + "narHash": "sha256-ZIohbyly1KOe+8I3gdyNKgVN/oifKdmeI0DzMfytbtg=", "owner": "nix-community", "repo": "home-manager", - "rev": "0912d26b30332ae6a90e1b321ff88e80492127dd", + "rev": "2d47379ad591bcb14ca95a90b6964b8305f6c913", "type": "github" }, "original": { @@ -828,25 +773,6 @@ "type": "github" } }, - "lib-aggregate": { - "inputs": { - "flake-utils": "flake-utils_5", - "nixpkgs-lib": "nixpkgs-lib" - }, - "locked": { - "lastModified": 1705423846, - "narHash": "sha256-PULm77CvMZ9cQ4MaTXgvJom2ePB9c38p39JB4TFXEdw=", - "owner": "nix-community", - "repo": "lib-aggregate", - "rev": "1d0951ca1b3721ff4e6049c3a37df56c78c60c65", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "lib-aggregate", - "type": "github" - } - }, "lib-net": { "flake": false, "locked": { 
@@ -871,11 +797,11 @@ "spectrum": "spectrum" }, "locked": { - "lastModified": 1705592620, - "narHash": "sha256-97/yDm6n9C6fma0pSM/mMQeMLfmEOZPGbpKARNoKeG4=", + "lastModified": 1705802752, + "narHash": "sha256-0EY+M5vnXcm/0bQQo9Yu2k+NF69qoLdpa6Vb2ARa1Zw=", "owner": "astro", "repo": "microvm.nix", - "rev": "ccf44d60393a571b549448167fa03882693a5a3d", + "rev": "f07dd64526ee203d25329c517eec3b697860fa6b", "type": "github" }, "original": { @@ -892,11 +818,11 @@ ] }, "locked": { - "lastModified": 1704277720, - "narHash": "sha256-meAKNgmh3goankLGWqqpw73pm9IvXjEENJloF0coskE=", + "lastModified": 1705915768, + "narHash": "sha256-+Jlz8OAqkOwJlioac9wtpsCnjgGYUhvLpgJR/5tP9po=", "owner": "lnl7", "repo": "nix-darwin", - "rev": "0dd382b70c351f528561f71a0a7df82c9d2be9a4", + "rev": "1e706ef323de76236eb183d7784f3bd57255ec0b", "type": "github" }, "original": { @@ -905,49 +831,6 @@ "type": "github" } }, - "nix-eval-jobs": { - "inputs": { - "flake-parts": "flake-parts", - "nix-github-actions": "nix-github-actions", - "nixpkgs": "nixpkgs_2", - "treefmt-nix": "treefmt-nix" - }, - "locked": { - "lastModified": 1705242886, - "narHash": "sha256-TLj334vRwFtSym3m+NnKcNCnKKPNoTC/TDZL40vmOso=", - "owner": "nix-community", - "repo": "nix-eval-jobs", - "rev": "6b03a93296faf174b97546fd573c8b379f523a8d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-eval-jobs", - "type": "github" - } - }, - "nix-github-actions": { - "inputs": { - "nixpkgs": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1701208414, - "narHash": "sha256-xrQ0FyhwTZK6BwKhahIkUVZhMNk21IEI1nUcWSONtpo=", - "owner": "nix-community", - "repo": "nix-github-actions", - "rev": "93e39cc1a087d65bcf7a132e75a650c44dd2b734", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nix-github-actions", - "type": "github" - } - }, "nix-index-database": { "inputs": { "nixpkgs": [ 
@@ -955,11 +838,11 @@ ] }, "locked": { - "lastModified": 1705282324, - "narHash": "sha256-LnURMA7yCM5t7et9O2+2YfGQh0FKAfE5GyahNDDzJVM=", + "lastModified": 1705806513, + "narHash": "sha256-FcOmNjhHFfPz2udZbRpZ1sfyhVMr+C2O8kOxPj+HDDk=", "owner": "Mic92", "repo": "nix-index-database", - "rev": "49aaeecf41ae0a0944e2c627cb515bcde428a1d1", + "rev": "f8e04fbcebcc24cebc91989981bd45f69b963ed7", "type": "github" }, "original": { @@ -1068,11 +951,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1705496572, - "narHash": "sha256-rPIe9G5EBLXdBdn9ilGc0nq082lzQd0xGGe092R/5QE=", + "lastModified": 1705856552, + "narHash": "sha256-JXfnuEf5Yd6bhMs/uvM67/joxYKoysyE3M2k6T3eWbg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "842d9d80cfd4560648c785f8a4e6f3b096790e19", + "rev": "612f97239e2cc474c13c9dafa0df378058c5ad8d", "type": "github" }, "original": { @@ -1083,21 +966,6 @@ } }, "nixpkgs-lib": { - "locked": { - "lastModified": 1705193289, - "narHash": "sha256-oL5EAaZHiA3ABLdyKag/DgT+457vmELv8A+eaox2xsI=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "da839f74dc77c9826fa333b1bc2c8258fd6ffcbe", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixpkgs-lib_2": { "locked": { "dir": "lib", "lastModified": 1703961334, 
@@ -1179,46 +1047,7 @@ "type": "github" } }, - "nixpkgs-wayland": { - "inputs": { - "flake-compat": "flake-compat_5", - "lib-aggregate": "lib-aggregate", - "nix-eval-jobs": "nix-eval-jobs", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1705585910, - "narHash": "sha256-5pvcEdTiVn5F+6gpyQbTxeLhcRlV/oN8nNiwjgLqigs=", - "owner": "nix-community", - "repo": "nixpkgs-wayland", - "rev": "5b2b874c87882a5fc7f30be353410432e685ca0d", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs-wayland", - "type": "github" - } - }, "nixpkgs_2": { - "locked": { - "lastModified": 1703134684, - "narHash": "sha256-SQmng1EnBFLzS7WSRyPM9HgmZP2kLJcPAz+Ug/nug6o=", - "owner": "NixOS", - "repo": "nixpkgs", - "rev": "d6863cbcbbb80e71cecfc03356db1cda38919523", - "type": "github" - }, - "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", - "repo": "nixpkgs", - "type": "github" - } - }, - "nixpkgs_3": { "locked": { "lastModified": 1681358109, "narHash": "sha256-eKyxW4OohHQx9Urxi7TQlFBTDWII+F+x2hklDOQPB50=", @@ -1236,7 +1065,7 @@ }, "nixvim": { "inputs": { - "flake-parts": "flake-parts_2", + "flake-parts": "flake-parts", "home-manager": "home-manager_2", "nix-darwin": "nix-darwin", "nixpkgs": [ @@ -1247,11 +1076,11 @@ ] }, "locked": { - "lastModified": 1705581923, - "narHash": "sha256-ms+6X+Sbx7Je8vMzux4ricuUR6JNHGoMZJLqhjGLxn8=", + "lastModified": 1705927744, + "narHash": "sha256-ESHLUjPRApElOJuyXidapwredduuUmJlJ7EAmlFePSY=", "owner": "nix-community", "repo": "nixvim", - "rev": "df7a90127b079a39bfaba3eae1885ce6ab3a062a", + "rev": "86d6ce5029c99362c96ccead428b366f81d5b8f0", "type": "github" }, "original": { @@ -1346,7 +1175,7 @@ }, "pre-commit-hooks_4": { "inputs": { - "flake-compat": "flake-compat_6", + "flake-compat": "flake-compat_5", "flake-utils": [ "flake-utils" ], 
@@ -1357,11 +1186,11 @@ "nixpkgs-stable": "nixpkgs-stable_4" }, "locked": { - "lastModified": 1705229514, - "narHash": "sha256-itILy0zimR/iyUGq5Dgg0fiW8plRDyxF153LWGsg3Cw=", + "lastModified": 1705757126, + "narHash": "sha256-Eksr+n4Q8EYZKAN0Scef5JK4H6FcHc+TKNHb95CWm+c=", "owner": "cachix", "repo": "pre-commit-hooks.nix", - "rev": "ffa9a5b90b0acfaa03b1533b83eaf5dead819a05", + "rev": "f56597d53fd174f796b5a7d3ee0b494f9e2285cc", "type": "github" }, "original": { @@ -1387,7 +1216,6 @@ "nixos-hardware": "nixos-hardware", "nixos-nftables-firewall": "nixos-nftables-firewall", "nixpkgs": "nixpkgs", - "nixpkgs-wayland": "nixpkgs-wayland", "nixvim": "nixvim", "pre-commit-hooks": "pre-commit-hooks_4", "stylix": "stylix", @@ -1424,8 +1252,8 @@ }, "rust-overlay_2": { "inputs": { - "flake-utils": "flake-utils_6", - "nixpkgs": "nixpkgs_3" + "flake-utils": "flake-utils_5", + "nixpkgs": "nixpkgs_2" }, "locked": { "lastModified": 1705112162, @@ -1468,7 +1296,7 @@ "base16-kitty": "base16-kitty", "base16-tmux": "base16-tmux", "base16-vim": "base16-vim", - "flake-compat": "flake-compat_7", + "flake-compat": "flake-compat_6", "home-manager": [ "home-manager" ], @@ -1477,11 +1305,11 @@ ] }, "locked": { - "lastModified": 1705504375, - "narHash": "sha256-oRVxuJ6sCljsgfoWb+SsIK2MvUjsxrXQHRoVTUDVC40=", + "lastModified": 1705668784, + "narHash": "sha256-U/1Qol9H5nb8FtWSXSiHY8T4Y7TOIo7NHuqe4uuiBec=", "owner": "danth", "repo": "stylix", - "rev": "2d59480b4531ce8d062d20a42560a266cb42b9d0", + "rev": "a9e3ce064a778b386fb88fb152c02ae95aa2cbd2", "type": "github" }, "original": { 
@@ -1610,28 +1438,13 @@ "type": "github" } }, - "systems_9": { - "locked": { - "lastModified": 1681028828, - "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=", - "owner": "nix-systems", - "repo": "default", - "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e", - "type": "github" - }, - "original": { - "owner": "nix-systems", - "repo": "default", - "type": "github" - } - }, "templates": { "locked": { - "lastModified": 1704737624, - "narHash": "sha256-ypprYGtIL/DbV7D0zNA36gRdMqcv8LHgoxHjwTm7EGY=", + "lastModified": 1705684105, + "narHash": "sha256-R5PhRrDRuhHzo6zjrh3buGTBuWlY4UvM3+gJF9Hnhrs=", "owner": "NixOS", "repo": "templates", - "rev": "105b28c09033d1c137704cab544ed3cc4bc9ac40", + "rev": "35355cc7ba4822de499744bb3f3552008ea68970", "type": "github" }, "original": { @@ -1640,31 +1453,9 @@ "type": "github" } }, - "treefmt-nix": { - "inputs": { - "nixpkgs": [ - "nixpkgs-wayland", - "nix-eval-jobs", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1702979157, - "narHash": "sha256-RnFBbLbpqtn4AoJGXKevQMCGhra4h6G2MPcuTSZZQ+g=", - "owner": "numtide", - "repo": "treefmt-nix", - "rev": "2961375283668d867e64129c22af532de8e77734", - "type": "github" - }, - "original": { - "owner": "numtide", - "repo": "treefmt-nix", - "type": "github" - } - }, "wired-notify": { "inputs": { - "flake-parts": "flake-parts_3", + "flake-parts": "flake-parts_2", "nixpkgs": [ "nixpkgs" ], diff --git a/flake.nix b/flake.nix index c08381c..3623e8e 100644 --- a/flake.nix +++ b/flake.nix @@ -69,11 +69,6 @@ nixpkgs.url = "github:NixOS/nixpkgs/nixos-unstable"; - nixpkgs-wayland = { - url = "github:nix-community/nixpkgs-wayland"; - inputs.nixpkgs.follows = "nixpkgs"; - }; - nixvim = { url = "github:nix-community/nixvim"; inputs.nixpkgs.follows = "nixpkgs"; diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix index be30f4d..8237c07 100644 --- a/hosts/sire/guests/grafana.nix +++ b/hosts/sire/guests/grafana.nix 
@@ -117,7 +117,7 @@ in {
 client_id = "grafana";
 client_secret = "$__file{${config.age.secrets.grafana-oauth2-client-secret.path}}";
 scopes = "openid email profile";
- login_attribute_path = "prefered_username";
+ login_attribute_path = "preferred_username";
 auth_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/ui/oauth2";
 token_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/token";
 api_url = "https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/grafana/userinfo";
diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix
index 3064db8..f30fb7b 100644
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@@ -12,6 +12,112 @@ ipImmichPostgres = "10.89.0.12"; ipImmichRedis = "10.89.0.13"; ipImmichServer = "10.89.0.14"; + configFile = pkgs.writeText "immich.config.json" ( + builtins.toJSON { + ffmpeg = { + accel = "disabled"; + bframes = -1; + cqMode = "auto"; + crf = 23; + gopSize = 0; + maxBitrate = "0"; + npl = 0; + preset = "ultrafast"; + refs = 0; + targetAudioCodec = "aac"; + targetResolution = "720"; + targetVideoCodec = "h264"; + temporalAQ = false; + threads = 0; + tonemap = "hable"; + transcode = "required"; + twoPass = false; + }; + job = { + backgroundTask.concurrency = 5; + faceDetection.concurrency = 10; + library.concurrency = 5; + metadataExtraction.concurrency = 10; + migration.concurrency = 5; + search.concurrency = 5; + sidecar.concurrency = 5; + smartSearch.concurrency = 10; + thumbnailGeneration.concurrency = 10; + videoConversion.concurrency = 5; + }; + library.scan = { + enabled = true; + cronExpression = "0 0 * * *"; + }; + logging = { + enabled = true; + level = "log"; + }; + machineLearning = { + clip = { + enabled = true; + modelName = "ViT-B-32__openai"; + }; + enabled = true; + facialRecognition = { + enabled = true; + maxDistance = 0.6; + minFaces = 3; + minScore = 0.7; + modelName = "buffalo_l"; + }; + url = "http://${ipImmichMachineLearning}:3003"; + }; + map = { + enabled = true; + darkStyle = ""; + lightStyle = ""; + }; + newVersionCheck.enabled = true; + # XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to run: + # kanidm system oauth2 warning-insecure-client-disable-pkce immich + # kanidm system oauth2 warning-enable-legacy-crypto immich + oauth = rec { + enabled = true; + autoLaunch = false; + autoRegister = true; + buttonText = "Login with Kanidm"; + + mobileOverrideEnabled = true; + mobileRedirectUri = "https://${immichDomain}/api/oauth/mobile-redirect"; + + clientId = "immich"; + # clientSecret will be dynamically added in activation script + issuerUrl = 
"https://${sentinelCfg.networking.providedDomains.kanidm}/oauth2/openid/${clientId}"; + scope = "openid email profile"; + storageLabelClaim = "preferred_username"; + }; + passwordLogin.enabled = true; + reverseGeocoding.enabled = true; + server = { + externalDomain = "https://${immichDomain}"; + loginPageMessage = "Besser im Stuhl einschlafen als im Schlaf einstuhlen."; + }; + storageTemplate = { + enabled = true; + hashVerificationEnabled = true; + template = "{{y}}/{{MM}}/{(unknown)}"; + }; + theme.customCss = ""; + thumbnail = { + colorspace = "p3"; + jpegSize = 1440; + quality = 80; + webpSize = 250; + }; + trash = { + days = 30; + enabled = true; + }; + } + ); + + processedConfigFile = "/run/agenix/immich.config.json"; version = "v1.93.3"; environment = { @@ -24,6 +130,7 @@ IMMICH_SERVER_URL = "http://${ipImmichServer}:3001/"; IMMICH_MACHINE_LEARNING_URL = "http://${ipImmichMachineLearning}:3003"; REDIS_HOSTNAME = ipImmichRedis; + IMMICH_CONFIG_FILE = "/immich.config.json"; }; upload_folder = "/storage/immich"; 
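Review bot: The two `kanidm system oauth2 warning-*` commands in the `# XXX` comment above `oauth = rec {` are the only record that the `immich` client is run with PKCE disabled and legacy crypto enabled; neither this file nor the `systems.oauth2.immich` entry added in hosts/ward/guests/kanidm.nix declares or checks that state, so a re-provisioned Kanidm would presumably reject Immich's token requests until someone rediscovers this comment. If the provisioning module used here offers options for those two settings, declaring them next to `basicSecretFile` keeps the weakening scoped to this one client and visible in review; otherwise the comment should at least name where and when the commands are run, e.g. `# XXX: run once on ward-kanidm after provisioning; both commands weaken only the "immich" client:`. Separately, `autoRegister = true` means every Kanidm account that is allowed to use this client gets an Immich account, so membership of the Kanidm `immich` group becomes the sole access gate once the oauth2 proxy on sentinel is dropped in a later hunk; a one-line comment on `autoRegister` stating that would save a later reader the cross-file lookup. The enclosing `let` block begins and ends outside the hunk.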
@@ -41,10 +148,30 @@ in { microvm.mem = 1024 * 12; microvm.vcpu = 16; + # Mirror the original oauth2 secret + age.secrets.immich-oauth2-client-secret = { + inherit (nodes.ward-kanidm.config.age.secrets.kanidm-oauth2-immich) rekeyFile; + mode = "440"; + group = "root"; + }; + + system.activationScripts.agenixRooterDerivedSecrets = { + # Run after agenix has generated secrets + deps = ["agenix"]; + text = '' + immichClientSecret=$(< ${config.age.secrets.immich-oauth2-client-secret.path}) + ${pkgs.jq}/bin/jq --arg immichClientSecret "$immichClientSecret" '.oauth.clientSecret = $immichClientSecret' ${configFile} > ${processedConfigFile} + chmod 444 ${processedConfigFile} + ''; + }; + meta.wireguard-proxy.sentinel.allowedTCPPorts = [2283]; networking.nftables.chains.forward.into-immich-container = { after = ["conntrack"]; - rules = ["iifname proxy-sentinel ip saddr 10.43.0.29 tcp dport 3001 accept"]; + rules = [ + "iifname proxy-sentinel ip saddr 10.43.0.29 tcp dport 3001 accept" + "iifname podman1 oifname lan accept" + ]; }; nodes.sentinel = { @@ -61,8 +188,6 @@ in { virtualHosts.${immichDomain} = { forceSSL = true; useACMEWildcardHost = true; - oauth2.enable = true; - oauth2.allowedGroups = ["access_immich"]; locations."/" = { proxyPass = "http://immich"; proxyWebsockets = true; @@ -91,18 +216,19 @@ in { age.secrets.postgres_password.generator.script = "alnum"; # Runtime + virtualisation.oci-containers.backend = "podman"; virtualisation.podman = { enable = true; autoPrune.enable = true; dockerCompat = true; }; - virtualisation.oci-containers.backend = "podman"; # Containers virtualisation.oci-containers.containers."immich_machine_learning" = { image = "ghcr.io/immich-app/immich-machine-learning:${version}"; inherit environment; volumes = [ + "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro" "${model_folder}:/cache:rw" ]; log-driver = "journald"; 
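Review bot: `chmod 444 ${processedConfigFile}` makes the rendered config, which now embeds `oauth.clientSecret`, world-readable, undoing the `mode = "440"` placed on `immich-oauth2-client-secret` a few lines above, and the `jq ... >` redirect already creates the file under the default umask before the chmod runs. Passing the secret with `--arg` also puts it on jq's command line, where it is visible to every local process through `ps` for the duration of the call. Prefer `umask 077`, then `${pkgs.jq}/bin/jq --rawfile immichClientSecret ${config.age.secrets.immich-oauth2-client-secret.path} '.oauth.clientSecret = ($immichClientSecret | rtrimstr("\n"))' ${configFile} > ${processedConfigFile}`, then `chmod 440 ${processedConfigFile}` (or `chown`/`chmod 400` to whatever uid the containers run the server as, if that is why 444 was chosen). The new rule `iifname podman1 oifname lan accept` grants every container on `podman1` unrestricted egress to the LAN, much wider than the single-port inbound rule beside it; if a specific destination is needed, scope it with `ip daddr`/`tcp dport`, and otherwise a comment stating why full LAN access is required would help. The enclosing attribute set starts and ends outside the hunk.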
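Review bot: Removing `oauth2.enable = true` and `oauth2.allowedGroups = ["access_immich"]` from the sentinel vhost drops the reverse-proxy gate, so Immich's own login page and API are now reached directly from the internet, while the config added in the first hunk of this file keeps `passwordLogin.enabled = true` alongside the Kanidm OAuth login. If all users are meant to arrive through Kanidm, set `passwordLogin.enabled = false` so the exposed surface is the OIDC flow only; if the proxy was removed because the mobile app cannot pass oauth2-proxy, a comment here saying so would explain the lost layer to later readers. The `virtualHosts.${immichDomain}` block continues outside the hunk.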
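Review bot: The `immich_machine_learning` container is given the same rendered config file, which carries `oauth.clientSecret` after the activation script, although a machine-learning service has no part in the OAuth flow; mounting the secret-bearing file there widens where the secret is readable. If the ML image does not consume `IMMICH_CONFIG_FILE` (it only reaches it because the variable sits in the shared `environment`), drop the `"${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro"` line here and keep it on the two server containers in the following hunks; if it does consume it, render a second file with jq that deletes the `oauth` attribute and mount that instead. The `containers."immich_machine_learning"` definition continues outside the hunk.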
@@ -117,6 +243,7 @@ in { image = "ghcr.io/immich-app/immich-server:${version}"; inherit environment; volumes = [ + "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro" "${config.age.secrets.postgres_password.path}:${config.age.secrets.postgres_password.path}:ro" "/etc/localtime:/etc/localtime:ro" "${upload_folder}:/usr/src/app/upload:rw" @@ -174,6 +301,7 @@ in { image = "ghcr.io/immich-app/immich-server:${version}"; inherit environment; volumes = [ + "${processedConfigFile}:${environment.IMMICH_CONFIG_FILE}:ro" "${config.age.secrets.postgres_password.path}:${config.age.secrets.postgres_password.path}:ro" "/etc/localtime:/etc/localtime:ro" "${upload_folder}:/usr/src/app/upload:rw" diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix index 0ea07ce..be2e22a 100644 --- a/hosts/ward/guests/kanidm.nix +++ b/hosts/ward/guests/kanidm.nix @@ -35,6 +35,13 @@ in { group = "kanidm"; }; + age.secrets.kanidm-oauth2-immich = { + generator.script = "alnum"; + generator.tags = ["oauth2"]; + mode = "440"; + group = "kanidm"; + }; + age.secrets.kanidm-oauth2-grafana = { generator.script = "alnum"; generator.tags = ["oauth2"]; @@ -114,6 +121,15 @@ in { inherit (config.repo.secrets.global.kanidm) persons; + # Immich + groups.immich = {}; + systems.oauth2.immich = { + displayName = "Immich"; + originUrl = "https://${sentinelCfg.networking.providedDomains.immich}"; + basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path; + scopeMaps.immich = ["openid" "email" "profile"]; + }; + # Grafana groups.grafana = {}; groups."grafana.admins" = {}; @@ -148,7 +164,6 @@ in { groups.web-sentinel = {}; groups."web-sentinel.adguardhome" = {}; groups."web-sentinel.influxdb" = {}; - groups."web-sentinel.immich" = {}; systems.oauth2.web-sentinel = { displayName = "Web Sentinel"; originUrl = "https://oauth2.${personalDomain}"; 
@@ -157,7 +172,6 @@ in { supplementaryScopeMaps = { "web-sentinel.adguardhome" = ["access_adguardhome"]; "web-sentinel.influxdb" = ["access_influxdb"]; - "web-sentinel.immich" = ["access_immich"]; }; }; }; diff --git a/modules/config/nix.nix b/modules/config/nix.nix index 99b956b..a3f4e66 100644 --- a/modules/config/nix.nix +++ b/modules/config/nix.nix @@ -17,13 +17,11 @@ "https://cache.nixos.org" "https://nix-community.cachix.org" "https://nix-config.cachix.org" - "https://nixpkgs-wayland.cachix.org" ]; trusted-public-keys = [ "cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY=" "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" "nix-config.cachix.org-1:Vd6raEuldeIZpttVQfrUbLvXJHzzzkS0pezXCVVjDG4=" - "nixpkgs-wayland.cachix.org-1:3lwxaILxMRkVhehr5StQprHdEo4IrE8sRho9R9HOLYA=" ]; cores = 0; max-jobs = "auto"; diff --git a/modules/default.nix b/modules/default.nix index 46bf981..dda1c11 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -44,7 +44,6 @@ ]; nixpkgs.overlays = [ - inputs.nixpkgs-wayland.overlay inputs.nixvim.overlays.default inputs.wired-notify.overlays.default ]; diff --git a/secrets/generated/ward-kanidm/kanidm-oauth2-immich.age b/secrets/generated/ward-kanidm/kanidm-oauth2-immich.age new file mode 100644 index 0000000..231b353 --- /dev/null +++ b/secrets/generated/ward-kanidm/kanidm-oauth2-immich.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> X25519 Ty4SRY71eyfLWJGIC0cv89Rg+PEJr1LTyJQgIvj8mRg +3z6gLE56zvPRWWFpCkAx6GdFwAztMgBZnfI/OJfCtzU +-> piv-p256 xqSe8Q AyEmhugnXJ33KHAVh/9B0C9oQ1SF3/gFtoAPpThy/4Ef +eEPKdBTKx7Px39zRu7Dtdm6vyZxEzN23SekmsjZ9ILU +-> d^!fR-grease +WjaPB3mvS8+aKj9FKDdeSMrIDRu4cvxT9llTrxZxOD+Ej4o8lCN+LRmrAZ6eb1W8 +BWuUvPLUgyWi4eyDIARjperIrX8ESLgqIg +--- rKC5HveByQdXritRQdLqNgasq6y20rT/nfrQenVmoTo +_ A5N1iBl[ OIpJ;iq,#KOx}K Zs0(!ࣁdY2Mv? \ No newline at end of file 
diff --git a/secrets/global.nix.age b/secrets/global.nix.age
index ade9174..3fb5cc2 100644
Binary files a/secrets/global.nix.age and b/secrets/global.nix.age differ