feat(neovim): enable on tako device

feat(authelia): configure port and reverse proxy feat(lldap): force password reset and update settings fix(nixos): remove root from trusted users on ryu and tako fix(immich): disable auto launch and enable password login refactor(tako): enable authelia, immich, and lldap services chore(secrets): update lldap seed and metadata timestamps
2025-11-27 20:51:34 +05:30
parent f9970ce3af
commit a9616c8564
10 changed files with 26 additions and 21 deletions
--- a/nixos/mirai/configuration.nix
+++ b/nixos/mirai/configuration.nix
@@ -42,7 +42,7 @@
      cores = 8;
      auto-optimise-store = true;
      extra-experimental-features = "nix-command flakes auto-allocate-uids";
-      trusted-users = ["root" device.user "remotebuilder"];
+      trusted-users = [device.user "remotebuilder"];
      trusted-substituters = [
        "https://nix-community.cachix.org"
        "https://nixos-raspberrypi.cachix.org"
--- a/nixos/ryu/configuration.nix
+++ b/nixos/ryu/configuration.nix
@@ -43,7 +43,7 @@
      cores = 24;
      auto-optimise-store = true;
      extra-experimental-features = "nix-command flakes auto-allocate-uids";
-      trusted-users = ["root" device.user];
+      trusted-users = [device.user];
      trusted-substituters = [
        "https://nix-community.cachix.org"
        "https://nixos-raspberrypi.cachix.org"
--- a/nixos/tako/configuration.nix
+++ b/nixos/tako/configuration.nix
@@ -42,7 +42,7 @@
      cores = 8;
      auto-optimise-store = true;
      extra-experimental-features = "nix-command flakes auto-allocate-uids";
-      trusted-users = ["root" device.user "remotebuilder"];
+      trusted-users = [device.user "remotebuilder"];
      trusted-substituters = [
        "https://nix-community.cachix.org"
        "https://nixos-raspberrypi.cachix.org"
--- a/nixos/tako/services/authelia.nix
+++ b/nixos/tako/services/authelia.nix
@@ -1,4 +1,6 @@
-{config, ...}: {
+{config, ...}: let
+  port = 5555;
+in {
  sops = {
    secrets = let
      user = config.systemd.services.authelia-darksailor.serviceConfig.User;
@@ -71,7 +73,7 @@
          theme = "dark";
          notifier.filesystem.filename = "/var/lib/authelia-darksailor/authelia-notifier.log";
          server = {
-            address = "0.0.0.0:5555";
+            address = "0.0.0.0:${toString port}";
            endpoints.authz = {
              forward-auth = {
                implementation = "ForwardAuth";
@@ -96,7 +98,7 @@
    };
    caddy = {
      virtualHosts."auth.darksailor.dev".extraConfig = ''
-        reverse_proxy localhost:5555 {
+        reverse_proxy localhost:${toString port} {
            # header_up Host {http.request.header.X-Forwarded-Host}
            # header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host}
            # header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
--- a/nixos/tako/services/default.nix
+++ b/nixos/tako/services/default.nix
@@ -1,6 +1,5 @@
 {...}: {
  imports = [
-    # ./caddy.nix
    # ./excalidraw.nix
    # ./fail2ban.nix
    # ./flaresolverr.nix
@@ -17,9 +16,10 @@
    # ./headscale.nix
    # ./shitpost.nix
    ./atuin.nix
-    # ./immich.nix
-    # ./lldap.nix
-    # ./authelia.nix
+    ./caddy.nix
+    ./authelia.nix
+    ./immich.nix
+    ./lldap.nix
    ./openssh.nix
    ./tailscale.nix
  ];
--- a/nixos/tako/services/immich.nix
+++ b/nixos/tako/services/immich.nix
@@ -26,14 +26,14 @@
                "clientId": "${config.sops.placeholder."authelia/oidc/immich/client_id"}",
                "clientSecret": "${config.sops.placeholder."authelia/oidc/immich/client_secret"}",
                "enabled": true,
-                "autoLaunch": true,
+                "autoLaunch": false,
                "autoRegister": true,
                "buttonText": "Login with Authelia",
                "scope": "openid email profile",
                "issuerUrl": "https://auth.darksailor.dev"
              },
              "passwordLogin" : {
-                "enabled": false
+                "enabled": true
              },
              "server": {
                "externalDomain": "https://photos.darksailor.dev"
--- a/nixos/tako/services/lldap.nix
+++ b/nixos/tako/services/lldap.nix
@@ -6,6 +6,7 @@
  services.lldap = {
    enable = true;
    settings = {
+      force_ldap_user_pass_reset = "always";
      ldap_user_dn = "admin";
      ldap_base_dn = "dc=darksailor,dc=dev";
      ldap_user_email = "admin@darksailor.dev";
@@ -14,10 +15,12 @@
      ldap_port = 389;
      ldap_host = "::";
      ldap_user_pass_file = config.sops.secrets."lldap/admin".path;
-      environmentFile = ''
-        LLDAP_JWT_SECRET_FILE = ${config.sops.secrets."lldap/jwt".path};
-        LLDAP_KEY_SEED_FILE = ${config.sops.secrets."lldap/seed".path};
-      '';
+      jwt_secret_file = "${config.sops.secrets."lldap/jwt".path}";
+    };
+    environment = {
+      LLDAP_JWT_SECRET_FILE = "${config.sops.secrets."lldap/jwt".path}";
+      # LLDAP_FORCE_UPDATE_PRIVATE_KEY = "true";
+      # LLDAP_KEY_SEED_FILE = "${config.sops.secrets."lldap/seed".path}";
    };
  };
  users.users.lldap = {
--- a/nixos/tsuba/configuration.nix
+++ b/nixos/tsuba/configuration.nix
@@ -41,8 +41,8 @@
    distributedBuilds = true;
    buildMachines = [
      ../../builders/tako.nix
+      ../../builders/mirai.nix
      ../../builders/shiro.nix
-      ../../builders/tsuba.nix
    ];
  };
  users.users.${device.user} = {