diff --git a/hosts/sentinel/net.nix b/hosts/sentinel/net.nix
index 5ba010b..006beda 100644
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
@@ -1,6 +1,6 @@
 {config, ...}: {
 networking.hostId = config.repo.secrets.local.networking.hostId;
- networking.domain = config.repo.secrets.local.personalDomain;
+ networking.domain = config.repo.secrets.global.domains.me;
 # Forwarding required for forgejo 9922->22
 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
diff --git a/hosts/sentinel/oauth2.nix b/hosts/sentinel/oauth2.nix
index 3fc580e..7e80012 100644
--- a/hosts/sentinel/oauth2.nix
+++ b/hosts/sentinel/oauth2.nix
@@ -5,8 +5,8 @@
 }: {
 meta.oauth2_proxy = {
 enable = true;
- cookieDomain = config.repo.secrets.local.personalDomain;
- portalDomain = "oauth2.${config.repo.secrets.local.personalDomain}";
+ cookieDomain = config.repo.secrets.global.domains.me;
+ portalDomain = "oauth2.${config.repo.secrets.global.domains.me}";
 # TODO portal redirect to dashboard (in case someone clicks on kanidm "Web services")
 };
diff --git a/hosts/sentinel/secrets/local.nix.age b/hosts/sentinel/secrets/local.nix.age
index 5575df7..e6ade60 100644
Binary files a/hosts/sentinel/secrets/local.nix.age and b/hosts/sentinel/secrets/local.nix.age differ
diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix
index 8237c07..9a2f5ab 100644
--- a/hosts/sire/guests/grafana.nix
+++ b/hosts/sire/guests/grafana.nix
@@ -4,7 +4,7 @@
 ...
 }: let
 sentinelCfg = nodes.sentinel.config;
- grafanaDomain = "grafana.${sentinelCfg.repo.secrets.local.personalDomain}";
+ grafanaDomain = "grafana.${config.repo.secrets.global.domains.me}";
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port];
@@ -124,7 +124,7 @@ in {
 use_pkce = true;
 # Allow mapping oauth2 roles to server admin
 allow_assign_grafana_admin = true;
- role_attribute_path = "contains(scopes[*], 'server_admin') && 'GrafanaAdmin' || contains(scopes[*], 'admin') && 'Admin' || contains(scopes[*], 'editor') && 'Editor' || 'Viewer'";
+ role_attribute_path = "contains(groups[*], 'server_admin') && 'GrafanaAdmin' || contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'";
 };
 };
diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix
index d9dbe8d..5ccf41c 100644
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@@ -5,7 +5,7 @@
 ...
 }: let
 sentinelCfg = nodes.sentinel.config;
- immichDomain = "immich.${sentinelCfg.repo.secrets.local.personalDomain}";
+ immichDomain = "immich.${config.repo.secrets.global.domains.me}";
 ipImmichMachineLearning = "10.89.0.10";
 ipImmichMicroservices = "10.89.0.11";
@@ -74,9 +74,6 @@
 lightStyle = "";
 };
 newVersionCheck.enabled = true;
- # XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to run:
- # kanidm system oauth2 warning-insecure-client-disable-pkce immich
- # kanidm system oauth2 warning-enable-legacy-crypto immich
 oauth = rec {
 enabled = true;
 autoLaunch = false;
diff --git a/hosts/sire/guests/influxdb.nix b/hosts/sire/guests/influxdb.nix
index 1355d5b..f241b71 100644
--- a/hosts/sire/guests/influxdb.nix
+++ b/hosts/sire/guests/influxdb.nix
@@ -6,7 +6,7 @@
 ...
 }: let
 sentinelCfg = nodes.sentinel.config;
- influxdbDomain = "influxdb.${sentinelCfg.repo.secrets.local.personalDomain}";
+ influxdbDomain = "influxdb.${config.repo.secrets.global.domains.me}";
 influxdbPort = 8086;
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [influxdbPort];
diff --git a/hosts/sire/guests/loki.nix b/hosts/sire/guests/loki.nix
index 3935f89..542d779 100644
--- a/hosts/sire/guests/loki.nix
+++ b/hosts/sire/guests/loki.nix
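Review bot: The new `role_attribute_path` on the `+` line only yields a role above Viewer when the token carries a `groups` claim, and nothing in this file produces that claim; it comes from the kanidm client definition (`claimMaps.groups` in hosts/ward/guests/kanidm.nix, changed in this same commit), and that coupling is not recorded here. If the two hosts are not deployed together, or the claim name drifts later, every login silently lands on `Viewer`, which is the least-privileged outcome but also hides the misconfiguration. I would add above the line: `# Roles come from the kanidm "groups" claim (claimMaps.groups in hosts/ward/guests/kanidm.nix); a missing or unmatched claim degrades to Viewer`. The enclosing oauth settings block starts before the hunk.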
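Review bot: The removed XXX comment documented two imperative kanidm commands, but the kanidm client definition in hosts/ward/guests/kanidm.nix (hunk @@ -122 of this commit) declares only the PKCE exemption (`allowInsecureClientDisablePkce = true`); the second step, `warning-enable-legacy-crypto immich`, is now neither declared nor mentioned anywhere. If immich still needs it, that setting lives only in the running kanidm state and is lost on a re-provision, with no comment left to explain the resulting login failure. Either declare it next to the PKCE flag (the kanidm provisioning module has a matching option, `enableLegacyCrypto`, if I recall correctly) or, if immich no longer needs it, say so in the kanidm.nix comment, e.g. `# XXX: PKCE is currently not supported by immich (legacy crypto is no longer required)`. The `oauth` attribute set continues past the hunk.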
@@ -4,7 +4,7 @@
 ...
 }: let
 sentinelCfg = nodes.sentinel.config;
- lokiDomain = "loki.${sentinelCfg.repo.secrets.local.personalDomain}";
+ lokiDomain = "loki.${config.repo.secrets.global.domains.me}";
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix
index a221916..cc96bb9 100644
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
@@ -5,7 +5,7 @@
 ...
 }: let
 sentinelCfg = nodes.sentinel.config;
- paperlessDomain = "paperless.${sentinelCfg.repo.secrets.local.personalDomain}";
+ paperlessDomain = "paperless.${config.repo.secrets.global.domains.me}";
 paperlessBackupDir = "/var/cache/paperless-backup";
 in {
 microvm.mem = 1024 * 9;
diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix
index 6750e94..8da43d9 100644
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@@ -5,8 +5,7 @@
 pkgs,
 ...
 }: let
- sentinelCfg = nodes.sentinel.config;
- adguardhomeDomain = "adguardhome.${sentinelCfg.repo.secrets.local.personalDomain}";
+ adguardhomeDomain = "adguardhome.${config.repo.secrets.global.domains.me}";
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
@@ -81,8 +80,8 @@ in {
 # wireguard address for influxdb
 rewrites = [
 {
- domain = sentinelCfg.networking.providedDomains.influxdb;
- answer = sentinelCfg.repo.secrets.local.personalDomain;
+ domain = nodes.sentinel.config.networking.providedDomains.influxdb;
+ answer = config.repo.secrets.global.domains.me;
 }
 ];
 filters = [
diff --git a/hosts/ward/guests/forgejo.nix b/hosts/ward/guests/forgejo.nix
index 467abf2..8d89481 100644
--- a/hosts/ward/guests/forgejo.nix
+++ b/hosts/ward/guests/forgejo.nix
@@ -6,8 +6,7 @@
 ...
 }: let
 sentinelCfg = nodes.sentinel.config;
- # XXX: other domain on other proxy?
- forgejoDomain = "git.${sentinelCfg.repo.secrets.local.personalDomain}";
+ forgejoDomain = "git.${config.repo.secrets.global.domains.me}";
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [
 config.services.forgejo.settings.server.HTTP_PORT
diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix
index e9666cb..e319c30 100644
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@@ -3,9 +3,9 @@
 nodes,
 ...
 }: let
- inherit (sentinelCfg.repo.secrets.local) personalDomain;
+ inherit (config.repo.secrets.global) domains;
 sentinelCfg = nodes.sentinel.config;
- kanidmDomain = "auth.${personalDomain}";
+ kanidmDomain = "auth.${domains.me}";
 kanidmPort = 8300;
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [kanidmPort];
@@ -122,24 +122,29 @@ in {
 displayName = "Immich";
 originUrl = "https://${sentinelCfg.networking.providedDomains.immich}/";
 basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
+ preferShortUsername = true;
+ # XXX: PKCE is currently not supported by immich
+ allowInsecureClientDisablePkce = true;
 scopeMaps."immich.access" = ["openid" "email" "profile"];
 };
 # Grafana
 groups."grafana.access" = {};
- groups."grafana.admins" = {};
 groups."grafana.editors" = {};
+ groups."grafana.admins" = {};
 groups."grafana.server-admins" = {};
 systems.oauth2.grafana = {
 displayName = "Grafana";
 originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
 basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
 scopeMaps."grafana.access" = ["openid" "email" "profile"];
- # FIXME: use new group claims k thx
- supplementaryScopeMaps = {
- "grafana.admins" = ["admin"];
- "grafana.editors" = ["editor"];
- "grafana.server-admins" = ["server_admin"];
+ claimMaps.groups = {
+ joinType = "array";
+ valuesByGroup = {
+ "grafana.editors" = ["editor"];
+ "grafana.admins" = ["admin"];
+ "grafana.server-admins" = ["server_admin"];
+ };
 };
 };
@@ -167,7 +172,7 @@ in {
 groups."web-sentinel.influxdb" = {};
 systems.oauth2.web-sentinel = {
 displayName = "Web Sentinel";
- originUrl = "https://oauth2.${personalDomain}/";
+ originUrl = "https://oauth2.${domains.me}/";
 basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
 scopeMaps."web-sentinel.access" = ["openid" "email"];
 claimMaps.groups = {
diff --git a/hosts/ward/guests/radicale.nix b/hosts/ward/guests/radicale.nix
index 8e4afa9..bb66532 100644
--- a/hosts/ward/guests/radicale.nix
+++ b/hosts/ward/guests/radicale.nix
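Review bot: The `# XXX: PKCE is currently not supported by immich` comment on the added line should say why disabling PKCE is acceptable for this one client and what still protects the code exchange, because `allowInsecureClientDisablePkce = true` drops the binding between the authorization code and the client instance that requested it. Immich is registered as a confidential client (`basicSecretFile` two lines above), so redeeming a code still requires the client secret, but that mitigation only holds as long as this entry keeps a secret and is never widened to other clients. I would expand the comment to: `# XXX: PKCE is currently not supported by immich. Acceptable only because immich is a confidential client (basicSecretFile authenticates the code exchange); remove this flag once immich supports PKCE.` The `systems.oauth2.immich` definition starts before the hunk.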
@@ -1,10 +1,5 @@
-{
- config,
- nodes,
- ...
-}: let
- sentinelCfg = nodes.sentinel.config;
- radicaleDomain = "radicale.${sentinelCfg.repo.secrets.local.personalDomain}";
+{config, ...}: let
+ radicaleDomain = "radicale.${config.repo.secrets.global.domains.personal}";
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [
 8000
diff --git a/hosts/ward/guests/vaultwarden.nix b/hosts/ward/guests/vaultwarden.nix
index 15706c8..a1f40d5 100644
--- a/hosts/ward/guests/vaultwarden.nix
+++ b/hosts/ward/guests/vaultwarden.nix
@@ -1,11 +1,9 @@
 {
 config,
 lib,
- nodes,
 ...
 }: let
- sentinelCfg = nodes.sentinel.config;
- vaultwardenDomain = "pw.${sentinelCfg.repo.secrets.local.personalDomain}";
+ vaultwardenDomain = "pw.${config.repo.secrets.global.domains.personal}";
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [
 config.services.vaultwarden.config.rocketPort
diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix
index 3faeca5..f61ca0b 100644
--- a/hosts/zackbiene/home-assistant.nix
+++ b/hosts/zackbiene/home-assistant.nix
@@ -5,7 +5,7 @@
 ...
 }: let
 sentinelCfg = nodes.sentinel.config;
- homeDomain = "home.${sentinelCfg.repo.secrets.local.personalDomain}";
+ homeDomain = "home.${sentinelCfg.repo.secrets.global.domains.personal}";
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [80];
diff --git a/secrets/global.nix.age b/secrets/global.nix.age
index fad7907..ac37e45 100644
Binary files a/secrets/global.nix.age and b/secrets/global.nix.age differ
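Review bot: The home-assistant hunk still reads the shared secret through another node (`sentinelCfg.repo.secrets.global.domains.personal` on the `+` line) while every other file in this commit switched to `config.repo.secrets.global.domains...`; if the global secrets evaluate identically on every node, that keeps a cross-node evaluation dependency on sentinel that the rest of the change removed. Assuming `config` is among this module's arguments (the argument list starts before the hunk), the line should be `homeDomain = "home.${config.repo.secrets.global.domains.personal}";`, after which `sentinelCfg` may be unused here and worth checking. The surrounding `let` binding is otherwise fully inside the hunk.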