Compare commits
7 commits
e62fbfea71
...
f84eb995cd
Author | SHA1 | Date | |
---|---|---|---|
f84eb995cd | |||
8938d311a5 | |||
5dd4589459 | |||
7067120b9a | |||
c53745df89 | |||
81e44bf522 | |||
af1cd6e0b6 |
11 changed files with 49 additions and 65 deletions
|
@ -15,6 +15,7 @@ in
|
|||
|
||||
services.atticd = {
|
||||
enable = true;
|
||||
package = depot.inputs.attic.packages.attic-server;
|
||||
|
||||
credentialsFile = secrets.serverToken.path;
|
||||
|
||||
|
|
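--- a/cluster/services/idm/common.nix
+++ b/cluster/services/idm/common.nix
@@ -0,0 +1,5 @@
+{ depot, ... }:
+
+{
+services.kanidm.package = depot.packages.kanidm;
+}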
|
@ -22,8 +22,12 @@
|
|||
client-soda = [ "soda" ];
|
||||
};
|
||||
nixos = {
|
||||
server = ./server.nix;
|
||||
server = [
|
||||
./common.nix
|
||||
./server.nix
|
||||
];
|
||||
client = [
|
||||
./common.nix
|
||||
./client.nix
|
||||
./modules/idm-nss-ready.nix
|
||||
./modules/idm-tmpfiles.nix
|
||||
|
|
|
@ -1,40 +0,0 @@
|
|||
{ config, lib, depot, ... }:
|
||||
let
|
||||
inherit (depot.lib.meta) domain;
|
||||
apiAddr = "api.${domain}";
|
||||
proxyTarget = config.links.api.url;
|
||||
proxy = depot.lib.nginx.vhosts.proxy proxyTarget;
|
||||
in
|
||||
{
|
||||
# n8n uses "Sustainable Use License"
|
||||
nixpkgs.config.allowUnfree = true;
|
||||
|
||||
links.api.protocol = "http";
|
||||
|
||||
services.n8n = {
|
||||
enable = true;
|
||||
webhookUrl = "https://${apiAddr}";
|
||||
settings = {
|
||||
inherit (config.links.api) port;
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.n8n.environment = {
|
||||
N8N_LISTEN_ADDRESS = "127.0.0.1";
|
||||
N8N_ENDPOINT_WEBHOOK = "api";
|
||||
N8N_ENDPOINT_WEBHOOK_TEST = "test";
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."${apiAddr}" = lib.recursiveUpdate proxy {
|
||||
locations."/api" = {
|
||||
proxyPass = proxyTarget;
|
||||
extraConfig = "auth_request off;";
|
||||
};
|
||||
locations."/test" = {
|
||||
proxyPass = proxyTarget;
|
||||
extraConfig = "auth_request off;";
|
||||
};
|
||||
};
|
||||
|
||||
services.oauth2-proxy.nginx.virtualHosts.${apiAddr} = { };
|
||||
}
|
|
@ -15,7 +15,6 @@
|
|||
depot.inputs.mms.module
|
||||
|
||||
# Services
|
||||
./services/api
|
||||
./services/backbone-routing
|
||||
./services/bitwarden
|
||||
./services/cdn-shield
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
{ config, lib, ... }:
|
||||
{ config, lib, withSystem, ... }:
|
||||
|
||||
let
|
||||
inherit (lib) mapAttrs nixosSystem;
|
||||
|
@ -6,8 +6,12 @@ let
|
|||
|
||||
mkNixOS = name: host: nixosSystem {
|
||||
specialArgs = config.lib.summon name lib.id;
|
||||
inherit (host) system;
|
||||
modules = [ host.nixos ] ++ config.cluster.config.out.injectNixosConfig name;
|
||||
modules = [
|
||||
host.nixos
|
||||
(withSystem host.system ({ config, pkgs, ... }: {
|
||||
nixpkgs.pkgs = pkgs // config.shadows;
|
||||
}))
|
||||
] ++ config.cluster.config.out.injectNixosConfig name;
|
||||
};
|
||||
in {
|
||||
flake.nixosConfigurations = mapAttrs mkNixOS (gods.fromLight // gods.fromFlesh);
|
||||
|
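Review bot: The inner lambda's `config` parameter shadows the flake-level `config` that is still used two lines below in `config.cluster.config.out.injectNixosConfig name`, so two unrelated `config` values appear in one expression with nothing marking which is which. Binding the perSystem argument set under a distinct name makes it explicit: `(withSystem host.system (perSys: {` / `  nixpkgs.pkgs = perSys.pkgs // perSys.config.shadows;` / `}))`. A short comment is also warranted that `//` only replaces top-level attributes of the package set, so a package that reaches the shadowed one through its own dependencies still gets the nixpkgs build — that is the trade-off the shadows mechanism accepts, and the next reader of this line will not know it.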
|
|
@ -1,18 +0,0 @@
|
|||
{
|
||||
nixpkgs.overlays = [
|
||||
(self: super:
|
||||
(let
|
||||
patched = import ../../packages/patched-derivations.nix super;
|
||||
in {
|
||||
|
||||
inherit (patched)
|
||||
kanidm
|
||||
prometheus-jitsi-exporter
|
||||
;
|
||||
|
||||
jre_headless = patched.jre17_standard;
|
||||
|
||||
})
|
||||
)
|
||||
];
|
||||
}
|
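--- a/modules/nixpkgs-config/default.nix
+++ b/modules/nixpkgs-config/default.nix
@@ -0,0 +1,9 @@
+{ depot, lib, ... }:
+
+{
+imports = [
+depot.inputs.nixpkgs.nixosModules.readOnlyPkgs
+];
+
+nixpkgs.overlays = lib.mkForce [];
+}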
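Review bot: `nixpkgs.overlays = lib.mkForce [];` silently discards any overlay another module still defines instead of surfacing the conflict, and nothing explains why the definition is needed next to `readOnlyPkgs`, which already takes the package set from `nixpkgs.pkgs`. If the intent is that overlays must never take effect, say so where the next maintainer will look: `# package set is fixed by nixpkgs.pkgs (see mkNixOS); overlays are neutralised so nothing re-evaluates nixpkgs — use config.shadows instead`. Whether this nixpkgs revision's readOnlyPkgs marks `nixpkgs.overlays` read-only should be confirmed; if it does, any definition of the option fails evaluation and this line has to go, and if it does not, a loud failure (an assertion that `config.nixpkgs.overlays == []` before forcing) would be safer than a silent override.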
|
@ -6,7 +6,6 @@ in
|
|||
|
||||
{
|
||||
flake.nixosModules = with config.flake.nixosModules; {
|
||||
autopatch = ./autopatch;
|
||||
ascensions = ./ascensions;
|
||||
consul-distributed-services = ./consul-distributed-services;
|
||||
consul-service-registry = ./consul-service-registry;
|
||||
|
@ -23,6 +22,7 @@ in
|
|||
networking = ./networking;
|
||||
nix-builder = ./nix-builder;
|
||||
nix-config-server = ./nix-config/server.nix;
|
||||
nixpkgs-config = ./nixpkgs-config;
|
||||
nix-register-flakes = ./nix-register-flakes;
|
||||
patroni = ./patroni;
|
||||
port-magic = ./port-magic;
|
||||
|
@ -34,10 +34,10 @@ in
|
|||
tested = ./tested;
|
||||
|
||||
machineBase = group [
|
||||
autopatch
|
||||
enterprise
|
||||
maintenance
|
||||
minimal
|
||||
nixpkgs-config
|
||||
port-magic
|
||||
ssh
|
||||
systemd-extras
|
||||
|
|
|
@ -9,6 +9,7 @@ in {
|
|||
./projects.nix
|
||||
./patched-inputs.nix
|
||||
./catalog
|
||||
./shadows.nix
|
||||
];
|
||||
perSystem = { pkgs, self', system, ... }: let
|
||||
patched-derivations = import ./patched-derivations.nix (pkgs // { flakePackages = self'.packages; });
|
||||
|
|
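--- a/packages/shadows.nix
+++ b/packages/shadows.nix
@@ -0,0 +1,19 @@
+{ lib, ... }:
+
+{
+perSystem = { inputs', self', ... }: {
+# much like overlays, shadows can *shadow* packages in nixpkgs
+# unlike overlays, shadows don't cause a nixpkgs re-evaluation
+# this is a hack for dealing with poorly written NixOS modules
+# that don't provide a `package` option to perform overrides
+
+options.shadows = lib.mkOption {
+type = with lib.types; lazyAttrsOf package;
+default = {
+inherit (self'.packages)
+kanidm
+;
+};
+};
+};
+}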
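Review bot: The default shadow set only carries `kanidm`, while the overlay deleted in this same compare (the `@@ -1,18 +0,0 @@` hunk above) also substituted `prometheus-jitsi-exporter` and set `jre_headless = patched.jre17_standard`; unless those were dropped deliberately or moved elsewhere in these commits, both patched packages are now silently replaced by the stock nixpkgs builds. `jre_headless` would be a poor fit for a shadow anyway, since dependents reference it inside nixpkgs and a top-level replacement does not reach them; that limitation belongs in the header comment, e.g. `# a shadow only replaces the top-level attribute; packages that depend on the original keep using it`. `inputs'` is taken from the perSystem arguments but never used in this module.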