lots of things

nix/machines/default.nix

@@ -105,6 +105,7 @@ in {
           programs.home-manager
           # programs.qt
           programs.adb
+          programs.kanidm
           programs.tools
           programs.thunar
 

nix/machines/hopper/default.nix

@@ -3,6 +3,7 @@
     common-cpu-intel
 
     inputs.vpn-confinement.nixosModules.default
+    inputs.authentik-nix.nixosModules.default
 
     ./hardware.nix
     ./newlab.nix

nix/machines/hopper/newlab.nix

@@ -13,8 +13,9 @@
   slskdUiPort = 23488;
   caddyLocal = 8562;
   ncPort = 46523;
-  # kanidmPort = 8300;
+  kanidmPort = 8300;
 in {
+  ## TODO use kanidm
   ## TODO use impermanence
   ## TODO setup fail2ban mayb
 
@@ -35,9 +36,48 @@ in {
         credentialFiles.CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
         extraDomainNames = [domain];
       };
+      "kanidm.${domain}" = {
+        domain = "kanidm.${domain}";
+        group = "kanidm";
+        dnsProvider = "cloudflare";
+        reloadServices = ["caddy.service" "kanidm.service"];
+        credentialFiles.CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
+      };
     };
   };
 
+  ## make sure vpn connection is reasonably fast
+  ## god, there has to be a proper, not horrible way of doing this
+  ## TODO fix this and uhh make sure it works and stuff
+  # systemd.services."wg-speedcheck" = {
+  #   requires = ["wg.service"];
+  #   enable = false;
+  #   serviceConfig = {
+  #     Type = "oneshot";
+  #     ExecStart = pkgs.writers.writeBash "wg-speedcheck.sh" ''
+  #       echo "running test in netns"
+  #       vpn_result=$( ${pkgs.iproute2}/bin/ip netns exec wg ${pkgs.speedtest-cli}/bin/speedtest --json )
+  #       vpn_download=$( echo "$vpn_result" | ${l.getExe pkgs.jq} '.download' )
+  #       vpn_upload=$( echo "$vpn_result" | ${l.getExe pkgs.jq} '.upload' )
+  #
+  #       echo "running test outside of netns"
+  #       normal_result=$( ${pkgs.speedtest-cli}/bin/speedtest --json )
+  #       normal_download=$( echo "$normal_result" | ${l.getExe pkgs.jq} '.download' )
+  #       normal_upload=$( echo "$normal_result" | ${l.getExe pkgs.jq} '.upload' )
+  #
+  #       download_ratio_is_more_than_half=$( echo "$vpn_download / $normal_download > 0.5" | ${l.getExe pkgs.bc} -l | tr -d '\n' )
+  #       upload_ratio_is_more_than_half=$( echo "$vpn_upload / $normal_upload > 0.5" | ${l.getExe pkgs.bc} -l | tr -d '\n' )
+  #
+  #       if [[ "$upload_ratio_is_more_than_half" == "0" || "$download_ratio_is_more_than_half" == "0" ]]; then
+  #         echo "ratio is insufficient, restarting vpn"
+  #         systemctl restart wg.service
+  #         exit
+  #       fi
+  #       echo "ratio is sufficient"
+  #     '';
+  #   };
+  # };
+
   vpnNamespaces."wg" = {
     enable = true;
     wireguardConfigFile = config.sops.secrets.wireguard.path;
@@ -105,7 +145,19 @@ in {
       }
       // v) {
       jellyfin.extraConfig = "reverse_proxy localhost:8096"; # TODO setup proper auth
-      # kanidm.extraConfig = "reverse_proxy localhost:${toString kanidmPort}";
+      kanidm = {
+        useACMEHost = null;
+        # hostName = "kanidm.xunuwu.xyz:${toString caddyPort}";
+        extraConfig = ''
+          reverse_proxy https://127.0.0.1:${toString kanidmPort} {
+            header_up Host {upstream_hostport}
+            header_down Access-Control-Allow-Origin "*"
+            transport http {
+              tls_server_name ${config.services.kanidm.serverSettings.domain}
+            }
+          }
+        '';
+      };
       slskd = {
         useACMEHost = null;
         hostName = ":${toString slskdUiPort}";
@@ -130,6 +182,32 @@ in {
     };
   };
 
+  # systemd.services.authentik.vpnConfinement = {
+  #   enable = true;
+  #   vpnNamespace = "wg";
+  # };
+  # services = {
+  #   authentik = {
+  #     enable = true;
+  #     environmentFile = config.sops.secrets.authentik.path;
+  #     settings = {
+  #       disable_startup_analytics = true;
+  #       avatars = "initials";
+  #     };
+  #   };
+  #   authentik-ldap = {
+  #     enable = true;
+  #   };
+  # };
+
+  # services.keycloak = {
+  #   enable = true;
+  #   settings = {
+  #     hostname = "keycloak.${domain}";
+  #   };
+  #   database.passwordFile = config.sops.secrets."keycloak/db".path;
+  # };
+
   # needed for deploying secrets
   users.users.lldap = {
     group = "lldap";
@@ -422,6 +500,43 @@ in {
   #   group = config.services.caddy.group;
   # };
 
+  systemd.services.kanidm = {
+    vpnConfinement = {
+      enable = true;
+      vpnNamespace = "wg";
+    };
+    serviceConfig = {
+      InaccessiblePaths = lib.mkForce [];
+    };
+  };
+  boot.kernel.sysctl."fs.inotify.max_user_watches" = 524288;
+  services.kanidm = {
+    package = pkgs.kanidm_1_4.override {enableSecretProvisioning = true;};
+    enableServer = true;
+    serverSettings = {
+      domain = "kanidm.${domain}";
+      origin = "https://kanidm.${domain}";
+      bindaddress = "127.0.0.1:${toString kanidmPort}";
+      ldapbindaddress = "[::1]:3636";
+      trust_x_forward_for = true;
+      tls_chain = "${config.security.acme.certs."kanidm.${domain}".directory}/fullchain.pem";
+      tls_key = "${config.security.acme.certs."kanidm.${domain}".directory}/key.pem";
+    };
+    provision = {
+      enable = true;
+      adminPasswordFile = config.sops.secrets."kanidm/admin_pass".path;
+      idmAdminPasswordFile = config.sops.secrets."kanidm/idm_admin_pass".path;
+      persons = {
+        "xun" = {
+          displayName = "xun";
+          legalName = "xun";
+          mailAddresses = ["xunuwu@gmail.com"];
+          groups = [];
+        };
+      };
+    };
+  };
+
   # systemd.services.kanidm = {
   #   vpnConfinement = {
   #     enable = true;

nix/machines/nixdesk/default.nix

@@ -24,6 +24,7 @@
       builtins.elem (lib.getName pkg) [
         "discord"
         "steam"
+        "obsidian"
         "steam-unwrapped"
         "rider"
       ];

nix/systemProfiles/programs/fonts.nix

@@ -13,8 +13,17 @@ _: {
       source-code-pro
       iosevka
 
-      nerdfonts
-      #(nerdfonts.override {fonts = ["NerdFontsSymbolsOnly"];})
+      nerd-fonts.symbols-only
+      nerd-fonts.sauce-code-pro
+      nerd-fonts.jetbrains-mono
+      nerd-fonts.iosevka-term
+      nerd-fonts.iosevka
+      nerd-fonts.inconsolata
+      nerd-fonts.fira-code
+      nerd-fonts.dejavu-sans-mono
+      nerd-fonts.blex-mono
+      nerd-fonts._0xproto
+
       self.packages.${pkgs.system}.cartograph-cf
     ];
 

nix/systemProfiles/programs/kanidm.nix

@@ -0,0 +1,7 @@
+_: {pkgs, ...}: {
+  services.kanidm = {
+    enableClient = true;
+    package = pkgs.kanidm_1_4;
+    clientSettings.uri = "https://kanidm.xunuwu.xyz";
+  };
+}

nix/systemProfiles/programs/tools.nix

@@ -22,5 +22,6 @@
     jq
     openssl # for generating passwords
     yt-dlp
+    inotify-tools
   ];
 }

nix/systemProfiles/secrets/hopper/authentik

@@ -0,0 +1,24 @@
+{
+	"data": "ENC[AES256_GCM,data:fxTl3v/kAs4ZP8TR8UKzI+GcgUH1v+ieoKFF2FCGxSNT37l9zAr7MCnFgarxxfw9quMofg//PdFYPbboHmwRl1B2,iv:jj7hRM+OOqOoM2wvskCBtYawq5+0RojJcUe9d8bCr/8=,tag:QrI/Y/TTPzvhMi6n7UeIbQ==,type:str]",
+	"sops": {
+		"kms": null,
+		"gcp_kms": null,
+		"azure_kv": null,
+		"hc_vault": null,
+		"age": [
+			{
+				"recipient": "age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5N1pRYTdVUmUrZzF1Rmd2\nTnArVWRrYU45NWlmRlBrYitycXpXQVBSWHpjCjc5Yy80UzhmZkIxUEJkTms1TkFn\nUm9WVG5lQVp4YXk1aWVxSmhSOWtXdzgKLS0tIDQyYmxPV0x3cTBRMGJxdlc3L1pi\nd1N5b0xjRVloOStPN2VEbFpUL3RmZEUK77mnYZQ0dsVrqPFU/SPVMjj0ck5Qgd7u\na/Sw+dUQnVOokvbtYGMLt9K3wbRq/HWLBumZc9Y5sjALF5uBFw6XOA==\n-----END AGE ENCRYPTED FILE-----\n"
+			},
+			{
+				"recipient": "age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhd2FRL29rOUExa3RLVkE5\nNUxmeVVqRDlPSjNyS0d2MG9jYTlnSms1TFV3CjdIYWc1WExmaEJla1NsTGY0NW5E\nWnBxZ0pnaU9yS2lLTENieVBFeUlQbnMKLS0tIFprYVZoNjNwclYrdVQzZVgzSjFn\nMGV5bCtVSDRqYnlJL3BGOWpVaFRCSmsKh7D5NrErKlZPVseq0keoineIdaKAQeaw\nEu0DW3httU5wS1fHFwYChBaGsZie9GykW5Fvpq73o5TZRz2u8dmf6A==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2024-11-27T08:04:50Z",
+		"mac": "ENC[AES256_GCM,data:Weq2W0PFoCVMzP6CssTXoPQLA1sd1kTp51Wm5Yu0YkcFHrYfGaoiPE7n5tbsKWm3GpCqwVmU6W4lKrOlIkPe3flgO7qA3w+NtnCBkIhJstXgrDlCoHzwiP7FT0szXUDDFn8ALiA7dvd1zG3NCaymjt2zARrdFzBwA/kJBm/Vrcc=,iv:3ufxRlUlGT7O6/q0pn5ifSPCPvTZJIRNweSJKtHb+eY=,tag:jid9ltE//PrenBSjouz4Fw==,type:str]",
+		"pgp": null,
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.9.1"
+	}
+}

nix/systemProfiles/secrets/hopper/default.nix

@@ -41,6 +41,25 @@ in {
       sopsFile = ./transmission;
     };
 
+    authentik = {
+      format = "binary";
+      sopsFile = ./authentik;
+    };
+
+    "kanidm/admin_pass" = {
+      sopsFile = ./kanidm.yaml;
+      owner = "kanidm";
+    };
+    "kanidm/idm_admin_pass" = {
+      sopsFile = ./kanidm.yaml;
+      owner = "kanidm";
+    };
+
+    # "keycloak/db" = {
+    #   sopsFile = ./keycloak.yaml;
+    #   owner = "keycloak";
+    # };
+    #
     "lldap/jwt" = {
       sopsFile = ./lldap.yaml;
       owner = "lldap";

nix/systemProfiles/secrets/hopper/kanidm.yaml

@@ -0,0 +1,32 @@
+kanidm:
+    admin_pass: ENC[AES256_GCM,data:FjF48e3KmP/I0Mb4/tfdI9jNRIrqlqVQ3JvDC2c+i+hE+omIQeKYxuU2cjaIBRO9B5CfGBhoip14fhe7Ubtga4IXiJLdnRczk6fQOIKrgDMjDSJvs06i04jeqg7lx9BChK5AzE+aRzSyuu95dyTmlPKUyf4D/G5x99B1KtRf/hY=,iv:no8/rZz30EdVwfc5r6lm/SuAA02JJaIPyHEWQEjOFus=,tag:6ValsFgRNmi9O01qZyUk8Q==,type:str]
+    idm_admin_pass: ENC[AES256_GCM,data:sCtefK4kxzMw7s+3f48PAnGNYQYum4DyjgeyYLUCPhq1vOHGBzgDcFaYrGvf5ID2/0kEUlT7lYKgtSU37DGY5zCGEbG5diD2lMBZ6BW64f1qpgx+0opOQjcAkKPrVtmHYm9iCvU8pZXvha0nDzS0Z2ZJM3ejUCW7omLTSLHzKFs=,iv:X88hU0Sd22Iky3cZTh/m1AjZybGe4MAIBJ1isnYQEPk=,tag:UTw98CWvj8+xRrYuifU/Tw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFTWxhUzF0QXZmME1jcUR0
+            TUZ3WFFDT0VmdE1mUTZsTXlwZGlncHNuS1cwCjRpR1ZsMlFEQWNVd2VLMVlaMlVB
+            ZUp0Y2FEQTU3Yk1TR3ZzeE0rdmVJM1kKLS0tIDZZbjl0VHhiNzRta0MvUUtla3Y0
+            OW96QUl3dTM4Ynhab1ZlclZ5S0wvL0kKw+VSMQNTYB+7dJxhGttf7/Ol/rWhM56r
+            ga6NOMewGceUwiX9WEH89dsbRpnRq72SXmkt70w4dUVTdrwLm5oXqg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIQi9rV0Ivdk52eEh4OTVG
+            bmtmdHhtYVRvYzc5WDRmSy9qNFNLQzZpZ25FCjNzVWJ5U2pDU1hYTThzK1BQWms5
+            TUxhdDhrblN3YVYrZDVERGRqSzNBZUUKLS0tIFg2Rkc1bFBTVEhXa0FVbzZhZyts
+            eERtNXRlV0RTb2xyc1cvNm9oN2RGeWcK6f6acq1P3Ds/SS7vrye2gE1/bUvEqe2D
+            gXkYQGsNWxyT3MAXTK09m59D4TqHEfYUykO5pCmAH8tiHN3pxJXEZw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-27T09:47:11Z"
+    mac: ENC[AES256_GCM,data:EDCfpkGnl06wOXwbcg8cQBlj+OV7/KsiVhGzx0Qm8/kOB8CVvjumK/LQZC6FG+oJDs5TBDRGlM8uJIJL54wpDn7F3YgO6KR9d2hmorL2mza8rsxHH1T9BpQCXp0ENPiQKN2EZ5vLnjTOvYRJK1w/pMDKr6tdwILlcEYlWfSUuEo=,iv:OxANZ49WSfh31H9FxLkJSg22oTfZctWazEEv941orlw=,tag:xouSzvJATMzua7q0Eq07uQ==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1

nix/systemProfiles/secrets/hopper/keycloak.yaml

@@ -0,0 +1,30 @@
+db: ENC[AES256_GCM,data:aO/UVjVSJTk0XhDf2M+B9WzO1PkRv2Y0oFtj/kZBFv+hmhsCy4l7tg/FtpduZWK9SueWAX+k7a52UwV5YXDbLt7ldW9gS8bN6XZZbiDj/rBNgiJBF/ILrA==,iv:5KzLZ456gdD7L87NAMXWdZ/LyQW0SzKqdvMZ7BbaMic=,tag:0mD1tXDO4Hc2Y0LmrFWWwg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age17pdqkpfh6kc6wm7gxzdnwf6vphlwddv9yfpdu3j76e24y3amd9tq3avfc8
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQelJoTzZ6YzJsQS9UVkxG
+            QzVIVTBtdmZpWTlwcFNwMm0yYzFvOHVIRjNvCjc5bmJxVkVmR2hSUDAybVZzOEQr
+            OEZ6bU4xNnhpcnFjM1I3MXh6elloMGMKLS0tIHZXODNIc2dIeWlxYmJNbTdDZHJP
+            SG5BVXc1UFQrdWxaa0xRZUdDdVVJS3cK3XATi+vFRe+0p977oCkprA+c+GkDIWNb
+            9+sAS789Bgjf/z9s2TOKyBWFawZWHDbhwz+4MG0d5ELQIhdoma9RAg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age15mgf89h220puhz48rjpwxwu4n2h4edur60w6cd8gku2hh4e5kqpsghvnyw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQlVscjh0SEx0V3dWV1Fw
+            aUxLNndnYkNGMHJUczJ2djgxczdMNW5DZWhRCkZYdTBJbTF5MWVTRzcyb0tGL3Nu
+            UlFpSzlzVVNoTVprRTd0Rjc1ZUhraGsKLS0tIFJ5S3cvaDJoSHNmamtrdFdxYklo
+            Rlhtd21GUUl6WkRaV0NtNWlqMy9sSzgKBF3Gj10sIuLdWrSphZfoVnjdQbIiy9IO
+            3rQAuIw1osKIf6TA2qJ0P8RGX4OgfhM8Ofst0S7+SqgglOl0LkXS+w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-27T08:56:28Z"
+    mac: ENC[AES256_GCM,data:gf+TwvZXThH9B5sQGhb49dDfQwpZy3kIwlVfLn6qCbe46evwsXPucp657KBWju+i0p8ByR7IhALEK/U/GX9FBK4Qspw9y0NRMRvyk3zVRszUxUz3z32IEnYvTCapP7lIdeAVppUow6tL3XdgZGyni2H3liUilqiZ6NGw0VlvtpU=,iv:wTMAaiB0Wd5szU9g7Pd0OV04ddlnn/p50lbO1rmmAZU=,tag:huRsSwiBThgxm3SX5k0U/A==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.9.1