feat: move some services to other domain

hosts/sentinel/net.nix

@@ -1,6 +1,6 @@
 {config, ...}: {
   networking.hostId = config.repo.secrets.local.networking.hostId;
-  networking.domain = config.repo.secrets.local.personalDomain;
+  networking.domain = config.repo.secrets.global.domains.me;
 
   # Forwarding required for forgejo 9922->22
   boot.kernel.sysctl."net.ipv4.ip_forward" = 1;

hosts/sentinel/oauth2.nix

@@ -5,8 +5,8 @@
 }: {
   meta.oauth2_proxy = {
     enable = true;
-    cookieDomain = config.repo.secrets.local.personalDomain;
-    portalDomain = "oauth2.${config.repo.secrets.local.personalDomain}";
+    cookieDomain = config.repo.secrets.global.domains.me;
+    portalDomain = "oauth2.${config.repo.secrets.global.domains.me}";
     # TODO portal redirect to dashboard (in case someone clicks on kanidm "Web services")
   };
 

hosts/sire/guests/grafana.nix

@@ -4,7 +4,7 @@
   ...
 }: let
   sentinelCfg = nodes.sentinel.config;
-  grafanaDomain = "grafana.${sentinelCfg.repo.secrets.local.personalDomain}";
+  grafanaDomain = "grafana.${config.repo.secrets.global.domains.me}";
 in {
   meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
 
@@ -124,7 +124,7 @@ in {
         use_pkce = true;
         # Allow mapping oauth2 roles to server admin
         allow_assign_grafana_admin = true;
-        role_attribute_path = "contains(scopes[*], 'server_admin') && 'GrafanaAdmin' || contains(scopes[*], 'admin') && 'Admin' || contains(scopes[*], 'editor') && 'Editor' || 'Viewer'";
+        role_attribute_path = "contains(groups[*], 'server_admin') && 'GrafanaAdmin' || contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'";
       };
     };
 

hosts/sire/guests/immich.nix

@@ -5,7 +5,7 @@
   ...
 }: let
   sentinelCfg = nodes.sentinel.config;
-  immichDomain = "immich.${sentinelCfg.repo.secrets.local.personalDomain}";
+  immichDomain = "immich.${config.repo.secrets.global.domains.me}";
 
   ipImmichMachineLearning = "10.89.0.10";
   ipImmichMicroservices = "10.89.0.11";
@@ -74,9 +74,6 @@
         lightStyle = "";
       };
       newVersionCheck.enabled = true;
-      # XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to run:
-      # kanidm system oauth2 warning-insecure-client-disable-pkce immich
-      # kanidm system oauth2 warning-enable-legacy-crypto immich
       oauth = rec {
         enabled = true;
         autoLaunch = false;

hosts/sire/guests/influxdb.nix

@@ -6,7 +6,7 @@
   ...
 }: let
   sentinelCfg = nodes.sentinel.config;
-  influxdbDomain = "influxdb.${sentinelCfg.repo.secrets.local.personalDomain}";
+  influxdbDomain = "influxdb.${config.repo.secrets.global.domains.me}";
   influxdbPort = 8086;
 in {
   meta.wireguard-proxy.sentinel.allowedTCPPorts = [influxdbPort];

hosts/sire/guests/loki.nix

@@ -4,7 +4,7 @@
   ...
 }: let
   sentinelCfg = nodes.sentinel.config;
-  lokiDomain = "loki.${sentinelCfg.repo.secrets.local.personalDomain}";
+  lokiDomain = "loki.${config.repo.secrets.global.domains.me}";
 in {
   meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
 

hosts/sire/guests/paperless.nix

@@ -5,7 +5,7 @@
   ...
 }: let
   sentinelCfg = nodes.sentinel.config;
-  paperlessDomain = "paperless.${sentinelCfg.repo.secrets.local.personalDomain}";
+  paperlessDomain = "paperless.${config.repo.secrets.global.domains.me}";
   paperlessBackupDir = "/var/cache/paperless-backup";
 in {
   microvm.mem = 1024 * 9;

hosts/ward/guests/adguardhome.nix

@@ -5,8 +5,7 @@
   pkgs,
   ...
 }: let
-  sentinelCfg = nodes.sentinel.config;
-  adguardhomeDomain = "adguardhome.${sentinelCfg.repo.secrets.local.personalDomain}";
+  adguardhomeDomain = "adguardhome.${config.repo.secrets.global.domains.me}";
 in {
   meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
 
@@ -81,8 +80,8 @@ in {
         # wireguard address for influxdb
         rewrites = [
           {
-            domain = sentinelCfg.networking.providedDomains.influxdb;
-            answer = sentinelCfg.repo.secrets.local.personalDomain;
+            domain = nodes.sentinel.config.networking.providedDomains.influxdb;
+            answer = config.repo.secrets.global.domains.me;
           }
         ];
         filters = [

hosts/ward/guests/forgejo.nix

@@ -6,8 +6,7 @@
   ...
 }: let
   sentinelCfg = nodes.sentinel.config;
-  # XXX: other domain on other proxy?
-  forgejoDomain = "git.${sentinelCfg.repo.secrets.local.personalDomain}";
+  forgejoDomain = "git.${config.repo.secrets.global.domains.me}";
 in {
   meta.wireguard-proxy.sentinel.allowedTCPPorts = [
     config.services.forgejo.settings.server.HTTP_PORT

hosts/ward/guests/kanidm.nix

@@ -3,9 +3,9 @@
   nodes,
   ...
 }: let
-  inherit (sentinelCfg.repo.secrets.local) personalDomain;
+  inherit (config.repo.secrets.global) domains;
   sentinelCfg = nodes.sentinel.config;
-  kanidmDomain = "auth.${personalDomain}";
+  kanidmDomain = "auth.${domains.me}";
   kanidmPort = 8300;
 in {
   meta.wireguard-proxy.sentinel.allowedTCPPorts = [kanidmPort];
@@ -122,24 +122,29 @@ in {
         displayName = "Immich";
         originUrl = "https://${sentinelCfg.networking.providedDomains.immich}/";
         basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
+        preferShortUsername = true;
+        # XXX: PKCE is currently not supported by immich
+        allowInsecureClientDisablePkce = true;
         scopeMaps."immich.access" = ["openid" "email" "profile"];
       };
 
       # Grafana
       groups."grafana.access" = {};
-      groups."grafana.admins" = {};
       groups."grafana.editors" = {};
+      groups."grafana.admins" = {};
       groups."grafana.server-admins" = {};
       systems.oauth2.grafana = {
         displayName = "Grafana";
         originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
         basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
         scopeMaps."grafana.access" = ["openid" "email" "profile"];
-        # FIXME: use new group claims k thx
-        supplementaryScopeMaps = {
-          "grafana.admins" = ["admin"];
-          "grafana.editors" = ["editor"];
-          "grafana.server-admins" = ["server_admin"];
+        claimMaps.groups = {
+          joinType = "array";
+          valuesByGroup = {
+            "grafana.editors" = ["editor"];
+            "grafana.admins" = ["admin"];
+            "grafana.server-admins" = ["server_admin"];
+          };
         };
       };
 
@@ -167,7 +172,7 @@ in {
       groups."web-sentinel.influxdb" = {};
       systems.oauth2.web-sentinel = {
         displayName = "Web Sentinel";
-        originUrl = "https://oauth2.${personalDomain}/";
+        originUrl = "https://oauth2.${domains.me}/";
         basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
         scopeMaps."web-sentinel.access" = ["openid" "email"];
         claimMaps.groups = {

hosts/ward/guests/radicale.nix

@@ -1,10 +1,5 @@
-{
-  config,
-  nodes,
-  ...
-}: let
-  sentinelCfg = nodes.sentinel.config;
-  radicaleDomain = "radicale.${sentinelCfg.repo.secrets.local.personalDomain}";
+{config, ...}: let
+  radicaleDomain = "radicale.${config.repo.secrets.global.domains.personal}";
 in {
   meta.wireguard-proxy.sentinel.allowedTCPPorts = [
     8000

hosts/ward/guests/vaultwarden.nix

@@ -1,11 +1,9 @@
 {
   config,
   lib,
-  nodes,
   ...
 }: let
-  sentinelCfg = nodes.sentinel.config;
-  vaultwardenDomain = "pw.${sentinelCfg.repo.secrets.local.personalDomain}";
+  vaultwardenDomain = "pw.${config.repo.secrets.global.domains.personal}";
 in {
   meta.wireguard-proxy.sentinel.allowedTCPPorts = [
     config.services.vaultwarden.config.rocketPort

hosts/zackbiene/home-assistant.nix

@@ -5,7 +5,7 @@
   ...
 }: let
   sentinelCfg = nodes.sentinel.config;
-  homeDomain = "home.${sentinelCfg.repo.secrets.local.personalDomain}";
+  homeDomain = "home.${sentinelCfg.repo.secrets.global.domains.personal}";
 in {
   meta.wireguard-proxy.sentinel.allowedTCPPorts = [80];