diff --git a/nixos/mirai/services/default.nix b/nixos/mirai/services/default.nix index 30dd7731..bf1be660 100644 --- a/nixos/mirai/services/default.nix +++ b/nixos/mirai/services/default.nix @@ -1,11 +1,12 @@ -{...}: { +{ ... }: +{ imports = [ ./atuin.nix ./authelia.nix ./caddy.nix ./fail2ban.nix ./flaresolverr.nix - ./gitea.nix + # ./gitea.nix ./homepage.nix ./immich.nix ./llama.nix diff --git a/nixos/mirai/services/gitea.nix b/nixos/mirai/services/gitea.nix index ba6e80fb..4b044b94 100644 --- a/nixos/mirai/services/gitea.nix +++ b/nixos/mirai/services/gitea.nix @@ -2,15 +2,25 @@ lib, config, ... -}: { +}: +{ virtualisation.docker.enable = true; sops = { # secrets."gitea/registration".owner = config.systemd.services.gitea-actions-mirai.serviceConfig.User; - secrets."gitea/registration" = {}; + secrets."gitea/registration" = { }; + secrets."authelia/oidc/gitea/client_secret" = { + owner = config.systemd.services.authelia-darksailor.serviceConfig.User; + mode = "0440"; + restartUnits = [ + "gitea.service" + "authelia-darksailor.service" + ]; + }; templates = { "GITEA_REGISTRATION_TOKEN.env".content = '' TOKEN=${config.sops.placeholder."gitea/registration"} ''; + }; }; services = { @@ -35,6 +45,11 @@ # LFS_START_SERVER = true; LFS_ALLOW_PURE_SSH = true; }; + oauth2_client = { + ENABLE_AUTO_REGISTRATION = true; + ACCOUNT_LINKING = "auto"; + OPENID_CONNECT_SCOPES = "openid profile email"; + }; }; }; gitea-actions-runner = { @@ -52,27 +67,53 @@ }; caddy = { virtualHosts."git.darksailor.dev".extraConfig = '' - import auth + # import auth reverse_proxy localhost:3000 ''; }; authelia = { instances.darksailor = { settings = { - access_control = { - rules = [ - { - domain = "git.darksailor.dev"; - policy = "bypass"; - resources = [ - "^/api([/?].*)?$" - ]; - } - { - domain = "git.darksailor.dev"; - policy = "one_factor"; - } - ]; + # access_control = { + # rules = [ + # { + # domain = "git.darksailor.dev"; + # policy = "bypass"; + # resources = [ + # "^/api([/?].*)?$" + # ]; + # } + # { + # domain = "git.darksailor.dev"; + # policy = "one_factor"; + # } + # ]; + # }; + identity_providers = { + oidc = { + clients = [ + { + client_name = "gitea"; + client_id = "gitea"; + client_secret = ''{{ secret "${config.sops.secrets."authelia/oidc/gitea/client_secret".path}" }}''; + public = false; + authorization_policy = "one_factor"; + require_pkce = false; + redirect_uris = [ + "https://git.darksailor.dev/user/oauth2/authelia/callback" + ]; + scopes = [ + "openid" + "profile" + "email" + ]; + response_types = [ "code" ]; + grant_types = [ "authorization_code" ]; + userinfo_signed_response_alg = "none"; + token_endpoint_auth_method = "client_secret_post"; + } + ]; + }; }; }; }; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 59a8066a..01c4d590 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -31,6 +31,9 @@ authelia: client_secret: ENC[AES256_GCM,data:aQylVYsqDExbavjGsVAXPlf/rxileM3xLM0EXCKHfiNYxwzXck/f/bvwZl7ChQZ/AHDvZ8mkMkZHyTdyap25Hg==,iv:swSrM8MvhLcq7Gw/lV36j//8fnTzBcs5wU8aj+n9obE=,tag:neaHG+UCVhmZ2HLqVa/jGA==,type:str] nextcloud: client_secret: ENC[AES256_GCM,data:5SZ0A0OVK3emOobuI4KYv4E3l0Q/LwVWExCg1gPoG8AKcf4Pd04SnZE7aDoFnWTv1YhEY4sRaYQW/dn2pl4zsg==,iv:p0qmeYXTqqqX0NI2YK4fpGOK8NArFCMzoSGb/lc3L4w=,tag:Ob6/FyJP1LOkvBcOh6GOJA==,type:str] + gitea: + client_id: ENC[AES256_GCM,data:wxC4eYM=,iv:Opd7H7B5SiEiL7O8bXuy1u/mGRRMRPpxKu9aPZVK62U=,tag:SY2nwph8whqqdVnAh/vOGg==,type:str] + client_secret: ENC[AES256_GCM,data:vhFs7U5KyzWe5hM+H1TFMhw/0QcBWNGE0W6qtWVkVlcL16coAmubMJvRrDEfv8wzbrSXCj6fdyZOuHFb5bTO7A==,iv:529/LBYE6+C65jDLr3IAT4tCz8wH/EG55NQ/feh2Cp0=,tag:mhMFvPatQeiB/tkPfLyZ4A==,type:str] jwks: ENC[AES256_GCM,data:1efhdlYmiD/y4kzK0hFfLAmY6rXK0hvZez/tu1cb2hfUhIM/DzNNthKQjH8Cu2TlZwDQpUIrCO7Tr0BbkiREC+VNK4vYgi+GWswnG7VCZS40xRAZhSArNO2uQ4dpf/KAHRSSJa3i7gGOqSG/Pnrl3TRhzkhkfWSRk+7koPWKpYJOKLem+ZLN75yssCsEbYIOHjcXyizNHt6SE2ylqqCjyWnlhlnRQStYaFPWAAABcm96MkSThSyRd6hTAifC/aZiM1IMlLw7wJJk01uwjJytlxBxDiFrdr4Grg0PzOsOAocex9Siw5fzcr7dFpVBoaS7e7nD/sccGSyEysw/t+wvkMou1Ewr5U2Pnew8lPjSrEiiGxuPwmK9kHxD3L6cADxF6xs4bn+Iqa/yy9FWbtGZfBYOxJiRvXgxBPiO7CH4tJyVIbnLfi8K/zCJC9u5vO+WFXiVIzXxAPVUL7VKQQZGxV7989LMdcjzck+B1zFHVQz25siwbpu0FxMxiJsVtBxu1U+QBRfQrwLacX2NAJvqYNZxr+9l43Fh0x8dS5CBheVEy39sXge9jLyS7kIW0FfvgJaHuLL2/GhDGsvfi7zFPOc8Thg+8LP58L8wzPT+LvVoidq/j3K2Ct6udn9JsOnbZT3Gs1RiY+E77H09GbdwIrP0sGVi4ZJe++w+sKNjyzLzceEYGkfa1EiMQhYPHzqUAwqtgmJZo9tY+2jOBJb9ZU+Kj0xtqZsjFpHaGWsRj8XGkPrAFEh6Z6/Ak9/BpYaapPeAO3Wa6tzNVlTCtaX786nSTjfGC7v9O4Uz8XQr0HV3A7wj36Fw3dqERZFKea7BJbiiAiEZtnOsbWVqQXpIUVfCvPhfwuFcOU/ClyM1fGyZXaCIeB62Tkqa+ZlqRQgzzf3bSFUK0PgxE3Ny5pIPzNEINqse+6DeFuF91uY1dLQB4Vizyzv1H+X/OecO9K8kECM1wUy3Fbbyh4tYYxt4VvqFQZ1o4A7Jd04WCIf3hdAHmwvOQW+/8dfnyLa8kqTcQYeI3jfjtRvD6TaZl21K9kFY2VJAexdno9bbozDOus1Ep92ublwonVjfvzbyDURHGF6Cw2OL7xcbHQIMz/ZmkVHMra49NHgWlI6X0slgYDxKKDszHhZ9SHkEXF8pJf+uogbwSwz1glRkEdn1oprbs8GsFoc7HGVvSHRgOWKHwvhZD2tMiSE4cEFZ9/2nSPISQMNGuS7wgnVkalKPW+gF1EWVXczanzKsrpcDtpMdFufMRVusaJBV5Jw62I++cx1AMW2dRTseQyWLchRWtOba6dd9gbNzGi39+njHClHIEUxaxXzxIQLhSgCA9loXRc26ZA6DpwHQR+gtH2OybeFEiH390YoSfFeZuU+f0E2awMdpiEsBL/AniUcboDaBEaDQYpwUawNL+II7rmSn4rTJM64n5z3B88U/vAQh9BQFhf7SDKb05n/ArCibkdy3gbo8rTVH1gGbmW53DTxzuW+AEpFcuueiP3yz1vGzEwKSX+LMkCwFwk6Y/VcqHXW+PdZ88SFUr5WELGPkZxT3AvmduBCifE0KDzKWrN3yy1xwEQDGrYiqeHqeqHpEuk/KpxeAwepqWayGMq6iT4BWUBojNo6quoXkPPodSsotbBFLjyRHoDGm0NZSbgluOUyERrN6M+ELdHqQjeNTS046KB6QnG5s+uTA+uxyonvmPCPBgFAd0q0qfq4T/SISHrPe13Y7nHnATxoMBszvIfKznqFthTBsc3V9C5+g/kcOzcEQpAC6baGe+eq23m/Go3uDa7O84Euxhj9C5NBcidvgmYmRZuY6l2ehnxf1oGoGwHBJEaYEuCk7sc3Wac6u2OvqCIKPxRdi2tUiZ9FwCGLqd8qcLEPtsSaBNk2CVlK9ZkgPzSYH794qpNQDWkyv5SJ4V9zy2LL+s9MHtHNQu6QxALZ8c0GfQetTI5ArkC3cBz/3mRdDMy9k7HpO7b6USoxqGAZ+H4kzJhus9QwjaqJnnB+fJI5O2ek5TVLY9RWXo+W2pCBDjt925BVoChkvkUEg4GtvR+8/yChgYEgYWUPqRV4vMEwQiRoaJamL/E+lRaUx+c0f9ga8+k0JdfxfzoIPUA3/rBGcfO8Y12RF8Ool4hreP409KjdPP0PeeOVKg58MPYNO5O0BdT62nyL+fSvJkw7uPGcOwtOtcxjcBsNhoFv0twrCp8S3cLX45GTNaTw+JHcxsTzG9ibL3bFtVkAAiZHZGMisEjTSGElSGIDk+MoPt68hq4BRioab,iv:gGKyTUigpnqg3Fgd76INrESRT27hJRzYQ3xk8heNkWk=,tag:fVc8rg1Or63X/14neG+8Cw==,type:str] lldap: jwt: ENC[AES256_GCM,data:61dwC1ElOOGaf0CmalzXZnxImEyufKjUUWcNaEcOuv3TEODhQyHK7g==,iv:CVEJVuaCc2gDmSYWHS3fPL8FjbvblF6IladAzGoGb0o=,tag:OMm/OdKjliHjsGqJripLbg==,type:str] @@ -62,7 +65,7 @@ sops: VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-31T19:58:41Z" - mac: ENC[AES256_GCM,data:B6xCuuzH90mnnpVjRtYOMRuFACvAvEodPs/sYI0BCdrD05eHB/t3BB1y/kI65J41Tj1AY8+3zTBJU1VdhmN1dusu3G6dMqVEiG+09CfjfaSVk6k1zw9IkYCBn0CeovXAZfOjyTbOnVILHriIofsHS7l+F2F0Jo2Nx8OdY7Gy0fY=,iv:wi/1YJVU1OwvzooFHHxt/jSvBafGa9orAYLH66psmfc=,tag:umj/NOtqW/9jLmUZZX2hPA==,type:str] + lastmodified: "2025-08-13T19:39:42Z" + mac: ENC[AES256_GCM,data:tMVQqyaXz8zsdQEVWXNaPPon7ee/YqnRYSAc+kr/Ku7aDsq1aaBE32x3/GgtgQ4tgNfbd+EWiSX8OPU2BDV9JmS98m9KVz5VzjCdSmtg5VG4hO1E+oBlH9rHKAtbQQA8JnRZQ7IfHTkfzCNk1MOteundW/8Sr1xAYEph+O9GPTM=,iv:spCAzV5Q71bQ5NxM17vNUAAsA5kqtWkoYxCWnr9ehsw=,tag:OqX3XnDi0A5w3iGcPH5AyA==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2