···

       
27
       
27
       
 
       
{

     

       
28
       
28
       
 
       
  options.local.fragment.epita.enable = lib.mkEnableOption ''

     

       
29
       
29
       
 
       
    EPITA related

     

       
30
       
30
       
-
       


     

       
31
       
31
       
-
       
    Depends on:

     

       
32
       
32
       
-
       
    - `ssh` program: Mount AFS script needs SSH

     

       
33
       
30
       
 
       
  '';

     

       
34
       
31
       
 
       


     

       
35
       
32
       
 
       
  config = lib.mkIf cfg.enable {

     

       
36
       
36
       
-
       
    assertions = [

     

       
37
       
37
       
-
       
      { assertion = config.programs.ssh.enable; message = "`epita` fragment depends on `ssh` program"; }

     

       
38
       
38
       
-
       
    ];

     

       
33
       
33
       
+
       
    programs.ssh = {

     

       
34
       
34
       
+
       
      package = pkgs.openssh_gssapi;

     

       
39
       
35
       
 
       


     

       
40
       
40
       
-
       
    programs.ssh.package = pkgs.openssh_gssapi;

     

       
41
       
41
       
-
       


     

       
42
       
42
       
-
       
    # Needed for sshfs

     

       
43
       
43
       
-
       
    programs.ssh.matchBlocks."ssh.cri.epita.fr" = {

     

       
44
       
44
       
-
       
      extraOptions = {

     

       
45
       
45
       
-
       
        GSSAPIAuthentication = "yes";

     

       
46
       
46
       
-
       
        GSSAPIDelegateCredentials = "yes";

     

       
36
       
36
       
+
       
      # Needed for sshfs

     

       
37
       
37
       
+
       
      enable = true;

     

       
38
       
38
       
+
       
      matchBlocks."ssh.cri.epita.fr" = {

     

       
39
       
39
       
+
       
        extraOptions = {

     

       
40
       
40
       
+
       
          GSSAPIAuthentication = "yes";

     

       
41
       
41
       
+
       
          GSSAPIDelegateCredentials = "yes";

     

       
42
       
42
       
+
       
        };

     

       
47
       
43
       
 
       
      };

     

       
48
       
44
       
 
       
    };

     

       
49
       
45
       
 
       


     

···

       
128
       
128
       
 
       


     

       
129
       
129
       
 
       
    programs.broot.enable = true;

     

       
130
       
130
       
 
       


     

       
131
       
131
       
-
       
    # TODO: move out

     

       
132
       
132
       
-
       
    programs.ssh = {

     

       
133
       
133
       
-
       
      enable = true;

     

       
134
       
134
       
-
       


     

       
135
       
135
       
-
       
      matchBlocks."weird-row-server" = {

     

       
136
       
136
       
-
       
        hostname = "weird-row.portal.wiro.world";

     

       
137
       
137
       
-
       
        # TODO: reduce automated load on ssh port by changing to a random port

     

       
138
       
138
       
-
       
        # port = ""

     

       
139
       
139
       
-
       
      };

     

       
140
       
140
       
-
       
    };

     

       
141
       
141
       
-
       


     

       
142
       
142
       
-
       
    stylix.targets.qt.enable = false;

     

       
143
       
143
       
-
       


     

       
144
       
131
       
 
       
    programs.go = {

     

       
145
       
132
       
 
       
      enable = true;

     

       
146
       
133
       
 
       
      goPath = ".local/share/go";

     

···

       
21
       
21
       
 
       
  pds-port = 3001;

     

       
22
       
22
       
 
       
  pds-hostname = "pds.wiro.world";

     

       
23
       
23
       
 
       


     

       
24
       
24
       
+
       
  grafana-port = 3002;

     

       
25
       
25
       
+
       
  grafana-hostname = "console.wiro.world";

     

       
26
       
26
       
+
       


     

       
24
       
27
       
 
       
  tangled-owner = "did:plc:xhgrjm4mcx3p5h3y6eino6ti";

     

       
25
       
25
       
-
       
  tangled-knot-port = 3002;

     

       
28
       
28
       
+
       
  tangled-knot-port = 3003;

     

       
26
       
29
       
 
       
  tangled-knot-hostname = "knot.wiro.world";

     

       
27
       
27
       
-
       
  tangled-spindle-port = 3003;

     

       
30
       
30
       
+
       
  tangled-spindle-port = 3004;

     

       
28
       
31
       
 
       
  tangled-spindle-hostname = "spindle.wiro.world";

     

       
29
       
32
       
 
       


     

       
30
       
30
       
-
       
  thelounge-port = 3004;

     

       
33
       
33
       
+
       
  thelounge-port = 3005;

     

       
31
       
34
       
 
       
  thelounge-hostname = "lounge.wiro.world";

     

       
32
       
35
       
 
       


     

       
33
       
33
       
-
       
  headscale-port = 3005;

     

       
36
       
36
       
+
       
  headscale-port = 3006;

     

       
34
       
37
       
 
       
  headscale-hostname = "headscale.wiro.world";

     

       
35
       
38
       
 
       


     

       
36
       
36
       
-
       
  lldap-port = 3006;

     

       
39
       
39
       
+
       
  lldap-port = 3007;

     

       
37
       
40
       
 
       
  lldap-hostname = "ldap.wiro.world";

     

       
38
       
41
       
 
       


     

       
39
       
39
       
-
       
  authelia-port = 3007;

     

       
42
       
42
       
+
       
  authelia-port = 3008;

     

       
40
       
43
       
 
       
  authelia-hostname = "auth.wiro.world";

     

       
41
       
44
       
 
       


     

       
42
       
42
       
-
       
  gerrit-port = 3008;

     

       
43
       
43
       
-
       
  gerrit-hostname = "gerrit.wiro.world";

     

       
44
       
44
       
-
       


     

       
45
       
45
       
-
       
  grafana-port = 9000;

     

       
46
       
46
       
-
       
  grafana-hostname = "console.wiro.world";

     

       
47
       
45
       
 
       
  prometheus-port = 9001;

     

       
48
       
46
       
 
       
  prometheus-node-exporter-port = 9002;

     

       
47
       
47
       
+
       
  headscale-metrics-port = 9003;

     

       
49
       
48
       
 
       
in

     

       
50
       
49
       
 
       
{

     

       
51
       
50
       
 
       
  imports = [

     
···

       
76
       
75
       
 
       
      defaultGateway = { interface = ext-if; address = external-gw; };

     

       
77
       
76
       
 
       
      defaultGateway6 = { interface = ext-if; address = external-gw6; };

     

       
78
       
77
       
 
       


     

       
79
       
79
       
-
       
      # TODO: rely on Hetzner firewall instead?

     

       
80
       
80
       
-
       
      # firewall.enable = false;

     

       
78
       
78
       
+
       
      # Reflect firewall configuration on Hetzner

     

       
81
       
79
       
 
       
      firewall.allowedTCPPorts = [ 22 80 443 ];

     

       
82
       
80
       
 
       
    };

     

       
83
       
81
       
 
       


     

       
82
       
82
       
+
       
    services.qemuGuest.enable = true;

     

       
83
       
83
       
+
       


     

       
84
       
84
       
 
       
    services.openssh.enable = true;

     

       
85
       
85
       
 
       


     

       
86
       
86
       
-
       
    services.qemuGuest.enable = true;

     

       
86
       
86
       
+
       
    services.tailscale.enable = true;

     

       
87
       
87
       
+
       


     

       
88
       
88
       
+
       
    security.sudo.wheelNeedsPassword = false;

     

       
89
       
89
       
+
       


     

       
90
       
90
       
+
       
    local.fragment.nix.enable = true;

     

       
91
       
91
       
+
       


     

       
92
       
92
       
+
       
    programs.fish.enable = true;

     

       
87
       
93
       
 
       


     

       
88
       
94
       
 
       
    services.fail2ban = {

     

       
89
       
95
       
 
       
      enable = true;

     
···

       
100
       
106
       
 
       
      };

     

       
101
       
107
       
 
       


     

       
102
       
108
       
 
       
      jails = { };

     

       
103
       
103
       
-
       
    };

     

       
104
       
104
       
-
       


     

       
105
       
105
       
-
       
    services.tailscale.enable = true;

     

       
106
       
106
       
-
       


     

       
107
       
107
       
-
       
    age.secrets.pds-env.file = ../../secrets/pds-env.age;

     

       
108
       
108
       
-
       
    services.pds = {

     

       
109
       
109
       
-
       
      enable = true;

     

       
110
       
110
       
-
       
      package = upkgs.bluesky-pds;

     

       
111
       
111
       
-
       


     

       
112
       
112
       
-
       
      settings = {

     

       
113
       
113
       
-
       
        PDS_HOSTNAME = "pds.wiro.world";

     

       
114
       
114
       
-
       
        PDS_PORT = pds-port;

     

       
115
       
115
       
-
       
        # is in systemd /tmp subfolder

     

       
116
       
116
       
-
       
        LOG_DESTINATION = "/tmp/pds.log";

     

       
117
       
117
       
-
       
      };

     

       
118
       
118
       
-
       


     

       
119
       
119
       
-
       
      environmentFiles = [

     

       
120
       
120
       
-
       
        config.age.secrets.pds-env.path

     

       
121
       
121
       
-
       
      ];

     

       
122
       
109
       
 
       
    };

     

       
123
       
110
       
 
       


     

       
124
       
111
       
 
       
    services.caddy = {

     

       
125
       
112
       
 
       
      enable = true;

     

       
126
       
126
       
-
       
      package = upkgs.caddy.withPlugins {

     

       
127
       
127
       
-
       
        plugins = [ "github.com/tailscale/caddy-tailscale@v0.0.0-20251016213337-01d084e119cb" ];

     

       
128
       
128
       
-
       
        hash = "sha256-gDNYWwlQQ0Hbg1/TCf421NYcY3LnYWW248RzyGR2f28=";

     

       
129
       
129
       
-
       
      };

     

       
130
       
113
       
 
       


     

       
131
       
114
       
 
       
      globalConfig = ''

     

       
132
       
115
       
 
       
        metrics { per_host }

     
···

       
143
       
126
       
 
       
      #   reverse_proxy http://localhost:${toString website-port}

     

       
144
       
127
       
 
       
      # '';

     

       
145
       
128
       
 
       


     

       
146
       
146
       
-
       
      # Grafana has its own auth

     

       
147
       
129
       
 
       
      virtualHosts.${grafana-hostname}.extraConfig = ''

     

       
148
       
130
       
 
       
        reverse_proxy http://localhost:${toString grafana-port}

     

       
149
       
131
       
 
       
      '';

     
···

       
179
       
161
       
 
       
      virtualHosts.${authelia-hostname}.extraConfig = ''

     

       
180
       
162
       
 
       
        reverse_proxy http://localhost:${toString authelia-port}

     

       
181
       
163
       
 
       
      '';

     

       
182
       
182
       
-
       


     

       
183
       
183
       
-
       
      virtualHosts.${gerrit-hostname}.extraConfig = ''

     

       
184
       
184
       
-
       
        reverse_proxy http://localhost:${toString gerrit-port}

     

       
185
       
185
       
-
       
      '';

     

       
186
       
164
       
 
       
    };

     

       
187
       
165
       
 
       


     

       
188
       
188
       
-
       
    security.sudo.wheelNeedsPassword = false;

     

       
166
       
166
       
+
       
    age.secrets.pds-env.file = ../../secrets/pds-env.age;

     

       
167
       
167
       
+
       
    services.pds = {

     

       
168
       
168
       
+
       
      enable = true;

     

       
169
       
169
       
+
       
      package = upkgs.bluesky-pds;

     

       
189
       
170
       
 
       


     

       
190
       
190
       
-
       
    local.fragment.nix.enable = true;

     

       
171
       
171
       
+
       
      settings = {

     

       
172
       
172
       
+
       
        PDS_HOSTNAME = "pds.wiro.world";

     

       
173
       
173
       
+
       
        PDS_PORT = pds-port;

     

       
174
       
174
       
+
       
        # is in systemd /tmp subfolder

     

       
175
       
175
       
+
       
        LOG_DESTINATION = "/tmp/pds.log";

     

       
176
       
176
       
+
       
      };

     

       
191
       
177
       
 
       


     

       
192
       
192
       
-
       
    programs.fish.enable = true;

     

       
178
       
178
       
+
       
      environmentFiles = [

     

       
179
       
179
       
+
       
        config.age.secrets.pds-env.path

     

       
180
       
180
       
+
       
      ];

     

       
181
       
181
       
+
       
    };

     

       
193
       
182
       
 
       


     

       
194
       
183
       
 
       
    services.tangled-knot = {

     

       
195
       
184
       
 
       
      enable = true;

     
···

       
203
       
192
       
 
       
      };

     

       
204
       
193
       
 
       
    };

     

       
205
       
194
       
 
       


     

       
206
       
206
       
-
       


     

       
207
       
195
       
 
       
    services.tangled-spindle = {

     

       
208
       
196
       
 
       
      enable = true;

     

       
209
       
197
       
 
       


     
···

       
214
       
202
       
 
       
      };

     

       
215
       
203
       
 
       
    };

     

       
216
       
204
       
 
       


     

       
205
       
205
       
+
       
    age.secrets.grafana-oidc-secret = { file = ../../secrets/grafana-oidc-secret.age; owner = "grafana"; };

     

       
217
       
206
       
 
       
    services.grafana = {

     

       
218
       
207
       
 
       
      enable = true;

     

       
219
       
208
       
 
       


     

       
220
       
220
       
-
       
      settings.server = {

     

       
221
       
221
       
-
       
        http_port = grafana-port;

     

       
222
       
222
       
-
       
        domain = grafana-hostname;

     

       
209
       
209
       
+
       
      settings = {

     

       
210
       
210
       
+
       
        server = {

     

       
211
       
211
       
+
       
          http_port = grafana-port;

     

       
212
       
212
       
+
       
          domain = grafana-hostname;

     

       
213
       
213
       
+
       
        };

     

       
214
       
214
       
+
       


     

       
215
       
215
       
+
       
        "auth.generic_auth" = {

     

       
216
       
216
       
+
       
          enable = true;

     

       
217
       
217
       
+
       
          name = "Authelia";

     

       
218
       
218
       
+
       
          icon = "signin";

     

       
219
       
219
       
+
       


     

       
220
       
220
       
+
       
          client_id = "grafana";

     

       
221
       
221
       
+
       
          client_secret_path = config.age.secrets.grafana-oidc-secret.path;

     

       
222
       
222
       
+
       


     

       
223
       
223
       
+
       
          scopes = [ "openid" "profile" "email" "groups" ];

     

       
224
       
224
       
+
       
          auth_url = "https://auth.wiro.world/api/oidc/authorization";

     

       
225
       
225
       
+
       
          token_url = "https://auth.wiro.world/api/oidc/token";

     

       
226
       
226
       
+
       
          api_url = "https://auth.wiro.world/api/oidc/userinfo";

     

       
227
       
227
       
+
       
          login_attribute_path = "preferred_username";

     

       
228
       
228
       
+
       
          groups_attribute_path = "groups";

     

       
229
       
229
       
+
       
          name_attribute_path = "name";

     

       
230
       
230
       
+
       
          use_pkce = true;

     

       
231
       
231
       
+
       
        };

     

       
223
       
232
       
 
       
      };

     

       
224
       
233
       
 
       
    };

     

       
225
       
234
       
 
       


     
···

       
248
       
257
       
 
       
      enable = true;

     

       
249
       
258
       
 
       
      port = thelounge-port;

     

       
250
       
259
       
 
       
      public = false;

     

       
260
       
260
       
+
       


     

       
251
       
261
       
 
       
      extraConfig = {

     

       
252
       
262
       
 
       
        host = "127.0.0.1";

     

       
253
       
263
       
 
       
        reverseProxy = true;

     

       
264
       
264
       
+
       


     

       
265
       
265
       
+
       
        # TODO: use ldap, find a way to hide password

     

       
254
       
266
       
 
       
      };

     

       
255
       
267
       
 
       
    };

     

       
256
       
268
       
 
       


     

       
269
       
269
       
+
       
    age.secrets.headscale-oidc-secret = { file = ../../secrets/headscale-oidc-secret.age; owner = config.services.headscale.user; };

     

       
257
       
270
       
 
       
    services.headscale = {

     

       
258
       
271
       
 
       
      enable = true;

     

       
259
       
272
       
 
       


     

       
260
       
273
       
 
       
      port = headscale-port;

     

       
261
       
274
       
 
       
      settings = {

     

       
262
       
262
       
-
       
        server_url = "https://${headscale-hostname}:443";

     

       
263
       
263
       
-
       
        # metrics_listen_addr = "127.0.0.1:${headscale-port-metrics}";

     

       
275
       
275
       
+
       
        server_url = "https://${headscale-hostname}";

     

       
276
       
276
       
+
       
        metrics_listen_addr = "127.0.0.1:${toString headscale-metrics-port}";

     

       
264
       
277
       
 
       


     

       
265
       
278
       
 
       
        # disable TLS

     

       
266
       
279
       
 
       
        tls_cert_path = null;

     
···

       
268
       
281
       
 
       


     

       
269
       
282
       
 
       
        dns = {

     

       
270
       
283
       
 
       
          magic_dns = true;

     

       
271
       
271
       
-
       
          # TODO: headnet? portal? keep short?

     

       
272
       
272
       
-
       
          base_domain = "p.wiro.world";

     

       
284
       
284
       
+
       
          base_domain = "net.wiro.world";

     

       
273
       
285
       
 
       
        };

     

       
274
       
286
       
 
       


     

       
275
       
275
       
-
       
        oidc = { };

     

       
287
       
287
       
+
       
        oidc = {

     

       
288
       
288
       
+
       
          issuer = "https://auth.wiro.world";

     

       
289
       
289
       
+
       
          client_id = "headscale";

     

       
290
       
290
       
+
       
          client_secret_path = config.age.secrets.headscale-oidc-secret.path;

     

       
291
       
291
       
+
       
          pkce.enable = true;

     

       
292
       
292
       
+
       
        };

     

       
276
       
293
       
 
       
      };

     

       
277
       
294
       
 
       
    };

     

       
278
       
295
       
 
       


     
···

       
288
       
305
       
 
       
      environmentFile = config.age.secrets.lldap-env.path;

     

       
289
       
306
       
 
       
    };

     

       
290
       
307
       
 
       


     

       
291
       
291
       
-
       
    age.secrets.authelia-jwt-secret.file = ../../secrets/authelia-jwt-secret.age;

     

       
292
       
292
       
-
       
    age.secrets.authelia-jwt-secret.owner = config.services.authelia.instances.main.user;

     

       
293
       
293
       
-
       
    age.secrets.authelia-storage-enc-key.file = ../../secrets/authelia-storage-enc-key.age;

     

       
294
       
294
       
-
       
    age.secrets.authelia-storage-enc-key.owner = config.services.authelia.instances.main.user;

     

       
295
       
295
       
-
       
    age.secrets.authelia-ldap-password.file = ../../secrets/authelia-ldap-password.age;

     

       
296
       
296
       
-
       
    age.secrets.authelia-ldap-password.owner = config.services.authelia.instances.main.user;

     

       
297
       
297
       
-
       
    age.secrets.authelia-smtp-password.file = ../../secrets/authelia-smtp-password.age;

     

       
298
       
298
       
-
       
    age.secrets.authelia-smtp-password.owner = config.services.authelia.instances.main.user;

     

       
308
       
308
       
+
       
    age.secrets.authelia-jwt-secret = { file = ../../secrets/authelia-jwt-secret.age; owner = config.services.authelia.instances.main.user; };

     

       
309
       
309
       
+
       
    age.secrets.authelia-issuer-private-key = { file = ../../secrets/authelia-issuer-private-key.age; owner = config.services.authelia.instances.main.user; };

     

       
310
       
310
       
+
       
    age.secrets.authelia-storage-key = { file = ../../secrets/authelia-storage-key.age; owner = config.services.authelia.instances.main.user; };

     

       
311
       
311
       
+
       
    age.secrets.authelia-ldap-password = { file = ../../secrets/authelia-ldap-password.age; owner = config.services.authelia.instances.main.user; };

     

       
312
       
312
       
+
       
    age.secrets.authelia-smtp-password = { file = ../../secrets/authelia-smtp-password.age; owner = config.services.authelia.instances.main.user; };

     

       
299
       
313
       
 
       
    services.authelia.instances.main = {

     

       
300
       
314
       
 
       
      enable = true;

     

       
301
       
315
       
 
       


     

       
302
       
316
       
 
       
      secrets = {

     

       
303
       
317
       
 
       
        jwtSecretFile = config.age.secrets.authelia-jwt-secret.path;

     

       
304
       
304
       
-
       
        # oidcHmacSecretFile = config.age.secrets.authelia-oidc-hmac-secret.path;

     

       
305
       
305
       
-
       
        # oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc-issuer-pkey.path;

     

       
306
       
306
       
-
       
        # sessionSecretFile = config.age.secrets.authelia-session-secret.path;

     

       
307
       
307
       
-
       
        storageEncryptionKeyFile = config.age.secrets.authelia-storage-enc-key.path;

     

       
318
       
318
       
+
       
        oidcIssuerPrivateKeyFile = config.age.secrets.authelia-issuer-private-key.path;

     

       
319
       
319
       
+
       
        storageEncryptionKeyFile = config.age.secrets.authelia-storage-key.path;

     

       
308
       
320
       
 
       
      };

     

       
309
       
321
       
 
       
      environmentVariables = {

     

       
310
       
322
       
 
       
        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.authelia-ldap-password.path;

     
···

       
312
       
324
       
 
       
      };

     

       
313
       
325
       
 
       
      settings = {

     

       
314
       
326
       
 
       
        server.address = "localhost:${toString authelia-port}";

     

       
315
       
315
       
-
       


     

       
316
       
327
       
 
       
        storage.local.path = "/var/lib/authelia-main/db.sqlite3";

     

       
317
       
328
       
 
       


     

       
318
       
329
       
 
       
        session = {

     
···

       
323
       
334
       
 
       
          }];

     

       
324
       
335
       
 
       
        };

     

       
325
       
336
       
 
       


     

       
326
       
326
       
-
       
        authentication_backend = {

     

       
327
       
327
       
-
       
          ldap = {

     

       
328
       
328
       
-
       
            address = "ldap://localhost:3890";

     

       
329
       
329
       
-
       
            timeout = "5m"; # replace with systemd dependency

     

       
337
       
337
       
+
       
        authentication_backend.ldap = {

     

       
338
       
338
       
+
       
          address = "ldap://localhost:3890";

     

       
339
       
339
       
+
       
          timeout = "5m"; # replace with systemd dependency

     

       
340
       
340
       
+
       


     

       
341
       
341
       
+
       
          user = "uid=authelia,ou=people,dc=wiro,dc=world";

     

       
342
       
342
       
+
       
          # Set in `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE`.

     

       
343
       
343
       
+
       
          # password = "";

     

       
330
       
344
       
 
       


     

       
331
       
331
       
-
       
            base_dn = "dc=wiro,dc=world";

     

       
332
       
332
       
-
       
            users_filter = "(&({username_attribute}={input})(objectClass=person))";

     

       
333
       
333
       
-
       
            groups_filter = "(&(member={dn})(objectClass=groupOfNames))";

     

       
345
       
345
       
+
       
          base_dn = "dc=wiro,dc=world";

     

       
346
       
346
       
+
       
          users_filter = "(&({username_attribute}={input})(objectClass=person))";

     

       
347
       
347
       
+
       
          groups_filter = "(&(member={dn})(objectClass=groupOfNames))";

     

       
334
       
348
       
 
       


     

       
335
       
335
       
-
       
            user = "uid=authelia,ou=people,dc=wiro,dc=world";

     

       
336
       
336
       
-
       
            # Set in `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE`.

     

       
337
       
337
       
-
       
            # password = "";

     

       
338
       
338
       
-
       
          };

     

       
349
       
349
       
+
       
          # attributes = {

     

       
350
       
350
       
+
       
          #   # username = "user_id";

     

       
351
       
351
       
+
       
          #   username = "uid";

     

       
352
       
352
       
+
       
          #   display_name = "display_name";

     

       
353
       
353
       
+
       
          #   mail = "mail";

     

       
354
       
354
       
+
       
          #   group_name = "cn";

     

       
355
       
355
       
+
       
          # };

     

       
339
       
356
       
 
       
        };

     

       
357
       
357
       
+
       


     

       
340
       
358
       
 
       
        access_control = {

     

       
341
       
359
       
 
       
          default_policy = "deny";

     

       
342
       
360
       
 
       
          rules = [

     
···

       
347
       
365
       
 
       
          ];

     

       
348
       
366
       
 
       
        };

     

       
349
       
367
       
 
       


     

       
368
       
368
       
+
       


     

       
369
       
369
       
+
       
        identity_providers.oidc = {

     

       
370
       
370
       
+
       
          # enforce_pkce = "always";

     

       
371
       
371
       
+
       
          clients = [

     

       
372
       
372
       
+
       
            {

     

       
373
       
373
       
+
       
              client_name = "Headscale";

     

       
374
       
374
       
+
       
              client_id = "headscale";

     

       
375
       
375
       
+
       
              client_secret = "$pbkdf2-sha256$310000$XY680D9gkSoWhD0UtYHNFg$ptWB3exOYCga6uq1N.oimuV3ILjK3F8lBWBpsBpibos";

     

       
376
       
376
       
+
       


     

       
377
       
377
       
+
       
              redirect_uris = [ "https://headscale.wiro.world/oidc/callback" ];

     

       
378
       
378
       
+
       
            }

     

       
379
       
379
       
+
       
            {

     

       
380
       
380
       
+
       
              client_name = "Grafana Console";

     

       
381
       
381
       
+
       
              client_id = "grafana";

     

       
382
       
382
       
+
       
              client_secret = "$pbkdf2-sha256$310000$UkwrqxTZodGMs9.Ca2cXAA$HCWFgQbFHGXZpuz.I3HHdkTZLUevRVGlhKEFaOlPmKs";

     

       
383
       
383
       
+
       


     

       
384
       
384
       
+
       
              redirect_uris = [ "https://console.wiro.world/login/generic_oauth" ];

     

       
385
       
385
       
+
       
            }

     

       
386
       
386
       
+
       
          ];

     

       
387
       
387
       
+
       
        };

     

       
388
       
388
       
+
       


     

       
389
       
389
       
+
       


     

       
350
       
390
       
 
       
        notifier.smtp = {

     

       
351
       
391
       
 
       
          address = "smtp://smtp.resend.com:2587";

     

       
352
       
392
       
 
       
          username = "resend";

     
···

       
354
       
394
       
 
       
          # password = "";

     

       
355
       
395
       
 
       
          sender = "authelia@wiro.world";

     

       
356
       
396
       
 
       
        };

     

       
357
       
357
       
-
       
      };

     

       
358
       
358
       
-
       
    };

     

       
359
       
359
       
-
       


     

       
360
       
360
       
-
       
    services.gerrit = {

     

       
361
       
361
       
-
       
      enable = true;

     

       
362
       
362
       
-
       


     

       
363
       
363
       
-
       
      listenAddress = "[::]:${toString gerrit-port}";

     

       
364
       
364
       
-
       
      serverId = "d0b2cbe5-2f32-49af-8609-8be73e4bbbab";

     

       
365
       
365
       
-
       


     

       
366
       
366
       
-
       
      settings = {

     

       
367
       
367
       
-
       
        gerrit.canonicalWebUrl = "https://gerrit.wiro.world/";

     

       
368
       
368
       
-
       
        httpd.listenUrl = "proxy-https://[::]:${toString gerrit-port}";

     

       
369
       
369
       
-
       


     

       
370
       
370
       
-
       
        auth.type = "OpenID";

     

       
371
       
397
       
 
       
      };

     

       
372
       
398
       
 
       
    };

     

       
373
       
399
       
 
       
  };

     

This is a binary file and will not be displayed.

···

       
1
       
1
       
+
       
age-encryption.org/v1

     

       
2
       
2
       
+
       
-> ssh-ed25519 sMF1bg 2+JZ3WMnTgnnNYmJqdqAtOsEIk9pAefHfwLcXZQpqlg

     

       
3
       
3
       
+
       
yE0R9b0mSzoT6mvoWUG829UmkgGkm6vg0i7WLORaTis

     

       
4
       
4
       
+
       
-> ssh-ed25519 SmMcWg c8goAmCIPQ5rsTwoOej9ndGc0uBpWILSn/wy6XJHK14

     

       
5
       
5
       
+
       
ArjlEl4hxi4N6Py1emxgxUFKvSXIwLWsy6HrWNqJUHw

     

       
6
       
6
       
+
       
-> ssh-ed25519 Q8rMFA t72V+A0n5Tnb0VqvBrzt3j75CbcfvQltodKMhF64SXY

     

       
7
       
7
       
+
       
V+Ynzd4tIUI8JPy9uyoi+frW6wJnQxDavHAqnp/lem8

     

       
8
       
8
       
+
       
--- mzRky/dA1MDArnDSSaGyZP9yAQgD2va4MfopbrdM0iU

     

       
9
       
9
       
+
       
��*�٪l����a5�QE£uަ��"�;��3�l.!`	�u
�
_+)$��d��ˤ����ff�F��mѳc�a�EV��Nߧ��,�@����
     

This is a binary file and will not be displayed.

···

       
21
       
21
       
 
       
  "pds-env.age".publicKeys = deploy;

     

       
22
       
22
       
 
       
  # Defines `LLDAP_JWT_SECRET`, `LLDAP_KEY_SEED`.

     

       
23
       
23
       
 
       
  "lldap-env.age".publicKeys = deploy;

     

       
24
       
24
       
+
       
  "headscale-oidc-secret.age".publicKeys = deploy;

     

       
25
       
25
       
+
       
  "grafana-oidc-secret.age".publicKeys = deploy;

     

       
24
       
26
       
 
       
  "authelia-jwt-secret.age".publicKeys = deploy;

     

       
25
       
25
       
-
       
  "authelia-storage-enc-key.age".publicKeys = deploy;

     

       
27
       
27
       
+
       
  "authelia-issuer-private-key.age".publicKeys = deploy;

     

       
28
       
28
       
+
       
  "authelia-storage-key.age".publicKeys = deploy;

     

       
26
       
29
       
 
       
  "authelia-ldap-password.age".publicKeys = deploy;

     

       
27
       
30
       
 
       
  "authelia-smtp-password.age".publicKeys = deploy;

     

       
28
       
31