rework pocket-id to be more generic
This commit is contained in:
@@ -8,7 +8,6 @@
|
|||||||
{
|
{
|
||||||
clan = {
|
clan = {
|
||||||
modules = {
|
modules = {
|
||||||
pocket-id = ../modules/clan/pocket-id;
|
|
||||||
stirling-pdf = ../modules/clan/stirling-pdf;
|
stirling-pdf = ../modules/clan/stirling-pdf;
|
||||||
actual-budget = ../modules/clan/actual-budget;
|
actual-budget = ../modules/clan/actual-budget;
|
||||||
victoria-metrics = ../modules/clan/victoria-metrics;
|
victoria-metrics = ../modules/clan/victoria-metrics;
|
||||||
|
|||||||
35
machines/b4l/services/pocket-id.nix
Normal file
35
machines/b4l/services/pocket-id.nix
Normal file
@@ -0,0 +1,35 @@
|
|||||||
|
{ config, ... }:
|
||||||
|
let
|
||||||
|
pidDomain = "${config.clan.core.vars.generators.b4l-pocket-id.files.subdomain.value}.${config.networking.fqdn}";
|
||||||
|
in
|
||||||
|
{
|
||||||
|
clan.core.vars.generators.b4l-pocket-id = {
|
||||||
|
files.subdomain.secret = false;
|
||||||
|
|
||||||
|
prompts = {
|
||||||
|
subdomain = {
|
||||||
|
persist = true;
|
||||||
|
type = "line";
|
||||||
|
description = "Sub-domain for Pocket-ID app. Default:(auth)";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
script = ''cat $prompts/subdomain || echo -n "auth" > $out/subdomain'';
|
||||||
|
};
|
||||||
|
|
||||||
|
services.pocket-id = {
|
||||||
|
settings = {
|
||||||
|
APP_ENV = "production";
|
||||||
|
APP_URL = "https://${pidDomain}";
|
||||||
|
TRUST_PROXY = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx.virtualHosts."${pidDomain}" = {
|
||||||
|
useACMEHost = "${config.networking.fqdn}";
|
||||||
|
forceSSL = true;
|
||||||
|
locations."/" = {
|
||||||
|
proxyPass = "http://localhost:${builtins.toString config.services.pocket-id.settings.PORT}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -1,4 +1,4 @@
|
|||||||
{ lib, ... }:
|
{ ... }:
|
||||||
{
|
{
|
||||||
_class = "clan.service";
|
_class = "clan.service";
|
||||||
manifest.name = "pocket-id";
|
manifest.name = "pocket-id";
|
||||||
@@ -6,29 +6,14 @@
|
|||||||
manifest.categories = [ "System" ];
|
manifest.categories = [ "System" ];
|
||||||
|
|
||||||
roles.default = {
|
roles.default = {
|
||||||
interface.options = {
|
|
||||||
domain = lib.mkOption {
|
|
||||||
type = lib.types.str;
|
|
||||||
default = "auth";
|
|
||||||
description = "";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
perInstance =
|
perInstance.nixosModule =
|
||||||
{
|
|
||||||
settings,
|
|
||||||
...
|
|
||||||
}:
|
|
||||||
{
|
|
||||||
nixosModule =
|
|
||||||
{
|
{
|
||||||
config,
|
config,
|
||||||
pkgs,
|
pkgs,
|
||||||
|
lib,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
|
||||||
domain = "${settings.domain}.${config.networking.fqdn}";
|
|
||||||
in
|
|
||||||
{
|
{
|
||||||
clan.core.vars.generators.pocket-id = {
|
clan.core.vars.generators.pocket-id = {
|
||||||
files = {
|
files = {
|
||||||
@@ -43,27 +28,18 @@
|
|||||||
pwgen -s 32 1 > $out/encryption-key
|
pwgen -s 32 1 > $out/encryption-key
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
|
clan.core.state.pocket-id.folders = [ config.services.pocket-id.dataDir ];
|
||||||
|
|
||||||
services.pocket-id = {
|
services.pocket-id = {
|
||||||
enable = true;
|
enable = lib.mkDefault true;
|
||||||
settings = {
|
settings = {
|
||||||
ENCRYPTION_KEY_FILE = config.clan.core.vars.generators.pocket-id.files.encryption-key.path;
|
ENCRYPTION_KEY_FILE = config.clan.core.vars.generators.pocket-id.files.encryption-key.path;
|
||||||
APP_ENV = "production";
|
PORT = lib.mkDefault 1411;
|
||||||
APP_URL = "https://${domain}";
|
ANALYTICS_DISABLED = lib.mkDefault true;
|
||||||
TRUST_PROXY = true;
|
UI_CONFIG_DISABLED = lib.mkDefault true;
|
||||||
PORT = 1411;
|
|
||||||
|
|
||||||
UI_CONFIG_DISABLED = true;
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services.nginx.virtualHosts."${domain}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
enableACME = true;
|
|
||||||
locations."/" = {
|
|
||||||
proxyPass = "http://localhost:${builtins.toString config.services.pocket-id.settings.PORT}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
19
modules/clan/pocket-id/flake-module.nix
Normal file
19
modules/clan/pocket-id/flake-module.nix
Normal file
@@ -0,0 +1,19 @@
|
|||||||
|
{ lib, ... }:
|
||||||
|
let
|
||||||
|
module = lib.modules.importApply ./default.nix { };
|
||||||
|
in
|
||||||
|
{
|
||||||
|
clan.modules = {
|
||||||
|
pocket-id = module;
|
||||||
|
};
|
||||||
|
|
||||||
|
perSystem =
|
||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
clan.nixosTests.pocket-id = {
|
||||||
|
imports = [ ./tests/vm/default.nix ];
|
||||||
|
|
||||||
|
clan.modules."@clan/pocket-id" = module;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
34
modules/clan/pocket-id/tests/vm/default.nix
Normal file
34
modules/clan/pocket-id/tests/vm/default.nix
Normal file
@@ -0,0 +1,34 @@
|
|||||||
|
{ ... }:
|
||||||
|
{
|
||||||
|
name = "service-pocket-id";
|
||||||
|
|
||||||
|
clan = {
|
||||||
|
directory = ./.;
|
||||||
|
inventory = {
|
||||||
|
machines.server = { };
|
||||||
|
|
||||||
|
instances = {
|
||||||
|
pocket-id-test = {
|
||||||
|
module.name = "@clan/pocket-id";
|
||||||
|
module.input = "self";
|
||||||
|
roles.default.machines."server" = { };
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
nodes = {
|
||||||
|
server = {
|
||||||
|
services.pocket-id = { };
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
testScript = ''
|
||||||
|
start_all()
|
||||||
|
|
||||||
|
server.wait_for_unit("pocket-id")
|
||||||
|
|
||||||
|
# Check that garage is running
|
||||||
|
server.succeed("systemctl status pocket-id")
|
||||||
|
'';
|
||||||
|
}
|
||||||
6
modules/clan/pocket-id/tests/vm/sops/machines/server/key.json
Executable file
6
modules/clan/pocket-id/tests/vm/sops/machines/server/key.json
Executable file
@@ -0,0 +1,6 @@
|
|||||||
|
[
|
||||||
|
{
|
||||||
|
"publickey": "age1jvhs79a367ynhupy6gndyafg5f6wzrsa3p3r27d8y4zpvlp5vd6qwysnc2",
|
||||||
|
"type": "age"
|
||||||
|
}
|
||||||
|
]
|
||||||
@@ -0,0 +1,15 @@
|
|||||||
|
{
|
||||||
|
"data": "ENC[AES256_GCM,data:MheRz91AzSqUV0gz3PHdort06igblp8dVku2GIeXbBiTpG3Dnlqzw6QEvTeRVtZ4ol0gHS8CQQ4Lc4H9IyHGiTfJkSUM7pXY/vM=,iv:mMibIfA6gqvJlbau9sKkjRoYrDcqCpTG0b+jrZCHIkE=,tag:MN5I9AO1U7sJfq/9GxSFCg==,type:str]",
|
||||||
|
"sops": {
|
||||||
|
"age": [
|
||||||
|
{
|
||||||
|
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1dnVqRXVibTFYeUlsc09J\nQnRSRVE0NklWWFNlbHZaaWJ3dDlEaTJKVkZnCnJEZHhoSzd3T3NEVjFjY0NkRFNq\nL1owbmR0SENSWVQxOXVlNWJFb0JsSEEKLS0tIHhESEI2Y3MzMU9WRzhYNWZhUUd2\nTVpldG5qbDF6UG9jNnBRTnZRdzAweDAKl4FpFTp7NyTHXJEF7tIO0CnsgTY4maJ2\n7KfQRwQuhW73WqVdzJSZ7i/Xapwglx0ISBvSEDgBTiQhFlBLCMEzYg==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"lastmodified": "2025-07-29T09:50:44Z",
|
||||||
|
"mac": "ENC[AES256_GCM,data:lZ7SAQkkH441L3Ss9nEI1fm6SgcysIcOBg9it0m80CiNhtittsFNcP7l0ApkIBQLhMsan93bLMG3kcDKzqxld3XDRPUwlJkKElh8Dc8q7qqtOqgKNnsFDcx4Zh3HdiTPywyIBnUMYAul4tVPpEzqh1GSD1GF9fsBxLiwxBwalY4=,iv:wmhz1k5LMNNxuacQj+A5FryJwzqxpXf5AnFoeL1TF4k=,tag:cl5OcxGYvC6DGQDRuhqRRw==,type:str]",
|
||||||
|
"unencrypted_suffix": "_unencrypted",
|
||||||
|
"version": "3.10.2"
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
../../../users/admin
|
||||||
@@ -0,0 +1,4 @@
|
|||||||
|
{
|
||||||
|
"publickey": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||||
|
"type": "age"
|
||||||
|
}
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
../../../../../../sops/machines/server
|
||||||
@@ -0,0 +1,19 @@
|
|||||||
|
{
|
||||||
|
"data": "ENC[AES256_GCM,data:o1BHipQXow25uobhojeSIvSaIM4SiOtjfpNBi11E7kRX,iv:mheOssj84dp1+QAG0rpdyaf5O4WWaTWh1y/DC/I9nnA=,tag:M8zSZ4GWwy5rOcOEOBbwIA==,type:str]",
|
||||||
|
"sops": {
|
||||||
|
"age": [
|
||||||
|
{
|
||||||
|
"recipient": "age1jvhs79a367ynhupy6gndyafg5f6wzrsa3p3r27d8y4zpvlp5vd6qwysnc2",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXaXFvL0JES28rUkhNT3Bj\neDVYZlNubC8wV1VGTHN1Vzh6NEV3YWI3L3pJClh2T0FhQURXRkRJSnFVYjVsZkdq\ncWRFL1crVm1EK2NHNUtlc1RMVlZ5aWMKLS0tIFczWUcxTWFMdkhXb2ZTZlRSNDBT\nNmxWak50M1JTV2R3M0FXclRGc0JuVjgKtsxU2a3DNhe9CeJFK+HK7lFhrpV7UuES\nqasLv4crL7+4eJFhmUxVwzT0ubPAuG3CBMbbmrYmAs2CUXWtcmqGMA==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"recipient": "age1qm0p4vf9jvcnn43s6l4prk8zn6cx0ep9gzvevxecv729xz540v8qa742eg",
|
||||||
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0TGwzeUNLbkJ4bFBPVjJy\nd3pLTWRPVytrK1plQ3kzd1ZOMjBtcGJjY25nCk5mNDRxNmJjTHh4a2pBSldvQ0Y5\nUXVPbWZ1WW1QcU03MWtuL29udGFUQ1EKLS0tIHFSY1VZUGJFanhyZmN6WHJKTzEr\nbjBkVDNJUUZNZHhjSDlDZ3Z4Y0d3Q3MKHm3Ar31B2RviANl+tCeNmtYvQp5hVdui\n9Khkd3R6MshF4rZWrWhD9vea1RX9ugJJawCTU3+4zFDEWQ6XQ+tpTw==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
|
}
|
||||||
|
],
|
||||||
|
"lastmodified": "2025-07-29T09:50:44Z",
|
||||||
|
"mac": "ENC[AES256_GCM,data:B3iNE0/ve2EazWNQJ6MhSaa3EAmte5GUJrVjLB7ysIoe+pf7kQy9HE2ObEypFezvbfBYAbXd+XIq8J+jTjh4X11i6/BDNsvFQKuYbTLaK+dqZzeuOQU3ntTQuhyx5qdKyXq5FtHYyJI9XsYvSFRHe2UYy4L5i6LvMoc3ka/vUHI=,iv:mXuhXp63D1UkBJX5U7RY+NqYsU5SkolDABrSDRXegFk=,tag:LJ/BnU9xKMQyr+nAAHnGFA==,type:str]",
|
||||||
|
"unencrypted_suffix": "_unencrypted",
|
||||||
|
"version": "3.10.2"
|
||||||
|
}
|
||||||
|
}
|
||||||
@@ -0,0 +1 @@
|
|||||||
|
../../../../../../sops/users/admin
|
||||||
1
vars/per-machine/b4l/b4l-pocket-id/subdomain/value
Normal file
1
vars/per-machine/b4l/b4l-pocket-id/subdomain/value
Normal file
@@ -0,0 +1 @@
|
|||||||
|
auth
|
||||||
@@ -1,18 +1,18 @@
|
|||||||
{
|
{
|
||||||
"data": "ENC[AES256_GCM,data:yZrojwRKV30K+fdy6htnj/d8cHlphZw02vbeFIq6ETur,iv:ihIwFQ9p0kxhTnooSPg0eVYI4cy9k2Kf/VSI+36IfwU=,tag:/lEQKm0IrnReyr6AzLt4Lw==,type:str]",
|
"data": "ENC[AES256_GCM,data:Z+f/21lCA4byBi52MuwK8K0xs5KkjyZDGJo0pQL1c2pM,iv:pfqOkBOch2n8PhFQxQorC3sY4O5ri1t5lul1UOOPmxg=,tag:L1T5b8MRkNxElXf3jIcEAA==,type:str]",
|
||||||
"sops": {
|
"sops": {
|
||||||
"age": [
|
"age": [
|
||||||
{
|
{
|
||||||
"recipient": "age1hlzrpqqgndcthq5m5yj9egfgyet2fzrxwa6ynjzwx2r22uy6m3hqr3rd06",
|
"recipient": "age1hlzrpqqgndcthq5m5yj9egfgyet2fzrxwa6ynjzwx2r22uy6m3hqr3rd06",
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjSkwwU1dTekhvYUYrV2tU\nOWhTb3NlWWVOeVJvUTVkdGE2V3IyRDlqMWhBCjJqUU5XSWxsVFVteGoycHBjOHlI\nbXpuMHo1R2VxQWVPUHR5MTBlalhVK1kKLS0tIHBFeVRDN1BycUNFa3ZTUDE3S3Jw\nNExYbjBSOUtUQkpOUUFXbHVSOVBjcUUKVP7K2EuoSmUOznpP0+Jdfwd2tfYxADg9\nIbV3lCTeimo5pOBDrVWEmgHfeZFdV892sI062MmP/EqX7iqu34hi/g==\n-----END AGE ENCRYPTED FILE-----\n"
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAwc2VJTWlGUEJnWlBvVHFn\neGFqUE93TmNLQ1NJZnZ1eGYyNGpWUkw1R1RRClV5T0dMVGlQK2VrTlpCQlJBV1ps\nTDFCdmE4cTdUMjZucVVGcGNmUUErWTQKLS0tIHkwODdJMWQxVFFubUV5ZTFneDFS\ndURNay9hWk81QTI5QS9RWS9HVWhNelkK0GXmKGfL2cfsziBKu6pllmHRQno6K0FA\nzHky0yt2H1w1svDfFw2+FyKHfHAwaQs+X2qXXlvIZ7jwtPj+wQXubQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"recipient": "age1sg0rvgyetdcqw7j2x983fh69kdkvqsngpe5x36e5920qa7fze3cqhj4wgx",
|
"recipient": "age1sg0rvgyetdcqw7j2x983fh69kdkvqsngpe5x36e5920qa7fze3cqhj4wgx",
|
||||||
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmd0VmNS9MOEZxTXRtQlVT\ncVpZcUZNRmg0dzI1SGcybUtLNCsxNGViRjBVCkpLUlJXdTJvUlJ2d2o3eVNQelZR\nek9RSHVjSFlZbFBLRnhQS2lCTWlHWmMKLS0tIHk2dGlHZnVpVFJocFVsb1Vza25k\ncllSSkxXaGFzdDBVU3lwcE5LSEdvVzgKAjySzos4BQvf87Sk7m6Fn2b1kJzuaHuS\nlg9+ScPBjDGWVj8Ye1DKuJB44WD0nVCyECjUVNFbjhJh0bMLcIbOEQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoU1BqKy9HZnVrQ2ZudjBK\nWFVNQ0xPUHBOaFB2bEZvRVA0bEVQb1VYM3o0Ck95blBwckUxY3BZVkZZdHdINXlH\nYkZGdHNVQnE3ZmFja0xPaml1Y0tVWE0KLS0tIEVpNmlGanp6L1dRZGd1VVUxclZs\na3dBWmdIcFExbldFeW0zc2ZwRDVCckUKTjmYGY1RqzcijNepBd0wzDuWuywYN6oS\nQGVUhY1Tm2H+SUtIsnuNWkNsLC8LnDBIfx4DCWCYbLrC3HYmalpqPQ==\n-----END AGE ENCRYPTED FILE-----\n"
|
||||||
}
|
}
|
||||||
],
|
],
|
||||||
"lastmodified": "2025-07-14T06:46:06Z",
|
"lastmodified": "2025-07-30T02:42:06Z",
|
||||||
"mac": "ENC[AES256_GCM,data:Arm0JtsTlkiyfCva7MoAVQD/tMUqlS+UZprT/5IYiJli36HISEVlpr8Mc+i9Diia4wxyzq+wQqIrI/d5FG0e4FPcTi4r5X3ZyjyG6j4X+vqpIj/y6WBYjU9izXIDP5rHm7+knyhaXqzo6zXjbfvOuUG8NqdXcybA1O60xBkpq0I=,iv:j7+rlWlXtrhWlykkdygh+Luerr2xrtclgtmSQv8B9ug=,tag:nN/UaJrl/9LCS7IkIHJnrQ==,type:str]",
|
"mac": "ENC[AES256_GCM,data:rD5yrd5omOzzfmsA1NJgRrlP2fJEG0B7p3PrIdPJRKm3RmSHXsN7nBDfbIxMLOjU81V1z2kImnVI6kAqDeQefK6VIaqZT5h6tBMFJmUoqx55KX1PYfgICZ8wRB7nZp2LcEgtrgRnd1sjr4SbHW4s1BUxmE74WCzlDagasqqXM1s=,iv:p1KRZzDJEk3XAk+bVIYqEljqxO9p4Jx/537pQpoRnAA=,tag:WG+JVYlpCyHBXc2xycjZAQ==,type:str]",
|
||||||
"unencrypted_suffix": "_unencrypted",
|
"unencrypted_suffix": "_unencrypted",
|
||||||
"version": "3.10.2"
|
"version": "3.10.2"
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user