diff --git a/flake.nix b/flake.nix
index 4c213c1..0521b51 100644
--- a/flake.nix
+++ b/flake.nix
@@ -99,7 +99,6 @@
 config.allowUnfree = true;
 };
 in [
- (self: super: { pgadmin4 = nonrecursive-unstable-pkgs.pgadmin4; })
 # (self: super: { pcloud = nonrecursive-unstable-pkgs.pcloud; })
 osuchan.overlays.default
 (self: super: {
diff --git a/hosts/tsuki/configuration.nix b/hosts/tsuki/configuration.nix
index c1e2c09..6430c3c 100644
--- a/hosts/tsuki/configuration.nix
+++ b/hosts/tsuki/configuration.nix
@@ -20,7 +20,6 @@
 ./services/navidrome.nix
 ./services/nginx
 ./services/osuchan.nix
- ./services/pgadmin.nix
 ./services/plex.nix
 ./services/postgres.nix
 ./services/samba.nix
diff --git a/hosts/tsuki/services/nginx/default.nix b/hosts/tsuki/services/nginx/default.nix
index 30b9200..64106ed 100644
--- a/hosts/tsuki/services/nginx/default.nix
+++ b/hosts/tsuki/services/nginx/default.nix
@@ -53,7 +53,6 @@
 "kanidm".servers."localhost:8300" = { };
 "navidrome".servers."unix:${sa.navidrome.newSocketAddress}" = { };
 "osuchan".servers."localhost:${s ports.osuchan}" = { };
- "pgadmin".servers."unix:${srv.uwsgi.instance.vassals.pgadmin.socket}" = { };
 "plex".servers."localhost:${s ports.plex}" = { };
 "vaultwarden".servers."unix:${sa.vaultwarden.newSocketAddress}" = { };
 };
@@ -122,19 +121,6 @@
 root = pkgs.writeTextDir "index.html" (lib.fileContents ./temp-website.html);
 };
 })
- (host ["pg"] { locations."/" = { extraConfig = '' include ${pkgs.nginx}/conf/uwsgi_params; uwsgi_pass pgadmin; ''; }; }) # (proxy ["pg"] "http://localhost:${s ports.pgadmin}" { # extraConfig = '' # proxy_set_header X-CSRF-Token $http_x_pga_csrftoken; # ''; # })
 # (proxy ["matrix"] "http://localhost:${s ports.matrix.listener}" {})
 (host ["matrix"] {
 enableACME = lib.mkForce false;
diff --git a/hosts/tsuki/services/pgadmin.nix b/hosts/tsuki/services/pgadmin.nix
deleted file mode 100644
index c6b04fd..0000000
--- a/hosts/tsuki/services/pgadmin.nix
+++ /dev/null
@@ -1,111 +0,0 @@
-{ config, pkgs, lib, secrets, ... }: let
- pgadmin-user = let
- username = config.systemd.services.pgadmin.serviceConfig.User;
- in config.users.users.${username};
-in {
-
- sops.secrets = {
- "pgadmin/oauth2_secret" = rec {
- restartUnits = [ "pgadmin.service" ];
- owner = pgadmin-user.name;
- group = pgadmin-user.group;
- };
- "pgadmin/initialPassword" = rec {
- restartUnits = [ "pgadmin.service" ];
- owner = pgadmin-user.name;
- group = pgadmin-user.group;
- };
- };
-
- services.pgadmin = {
- enable = true;
- openFirewall = true;
- initialEmail = "h7x4@nani.wtf";
- initialPasswordFile = config.sops.secrets."pgadmin/initialPassword".path;
- port = secrets.ports.pgadmin;
- settings = let
- authServerUrl = config.services.kanidm.serverSettings.origin;
- in {
- # FIXME: pgadmin does not work with NFS by default, because it uses
- some kind of metafiles in its data directory.
- # DATA_DIR = "${config.machineVars.dataDrives.default}/var/pgadmin";
- DATA_DIR = "/var/lib/pgadmin";
-
- WTF_CSRF_HEADERS = [
- "X-pgA-CSRFToken"
- "X-CSRFToken"
- "X-CSRF-Token"
- ];
-
- PROXY_X_FOR_COUNT = 1;
- PROXY_X_PROTO_COUNT = 1;
- PROXY_X_HOST_COUNT = 1;
- PROXY_X_PORT_COUNT = 1;
- PROXY_X_PREFIX_COUNT = 1;
-
- SESSION_COOKIE_HTTPONLY = false;
- SESSION_COOKIE_SECURE = true;
-
- AUTHENTICATION_SOURCES = [ "oauth2" ];
- OAUTH2_AUTO_CREATE_USER = true;
- OAUTH2_CONFIG = [ rec {
- OAUTH2_NAME = "KaniDM";
- OAUTH2_DISPLAY_NAME = "KaniDM";
- OAUTH2_CLIENT_ID = "pgadmin";
- OAUTH2_API_BASE_URL = "${authServerUrl}/oauth2";
- OAUTH2_TOKEN_URL = "${authServerUrl}/oauth2/token";
- OAUTH2_AUTHORIZATION_URL = "${authServerUrl}/ui/oauth2";
- OAUTH2_USERINFO_ENDPOINT = "${authServerUrl}/oauth2/openid/${OAUTH2_CLIENT_ID}/userinfo";
- OAUTH2_SERVER_METADATA_URL = "${authServerUrl}/oauth2/openid/${OAUTH2_CLIENT_ID}/.well-known/openid-configuration";
- OAUTH2_SCOPE = "openid email profile";
- OAUTH2_ICON = "fa-lock";
- OAUTH2_BUTTON_COLOR = "#ff6600";
- }];
- };
- };
-
- environment.etc."pgadmin/config_system.py".text = let
- in ''
- with open("${config.sops.secrets."pgadmin/oauth2_secret".path}") as f:
- OAUTH2_CONFIG[0]['OAUTH2_CLIENT_SECRET'] = f.read()
- '';
-
- systemd.services."pgadmin".enable = false;
-
- users = {
- users."pgadmin".uid = 985;
- groups = {
- "pgadmin" = {
- gid = 984;
- members = [
- "nginx"
- "uwsgi"
- ];
- };
- "uwsgi".members = [ pgadmin-user.name ];
- };
- };
-
- services.uwsgi = {
- enable = false;
- plugins = [ "python3" ];
- instance = {
- type = "emperor";
- pidfile = "${config.services.uwsgi.runDir}/uwsgi.pid";
- stats = "${config.services.uwsgi.runDir}/stats.sock";
- vassals."pgadmin" = rec {
- type = "normal";
- pythonPackages = _: with pkgs; ([ pgadmin4 ] ++ pgadmin4.propagatedBuildInputs);
- strict = true;
- immediate-uid = pgadmin-user.name;
- immediate-gid = pgadmin-user.group;
- lazy-apps = true;
- enable-threads = true;
- # chdir = "${pkgs.pgadmin4}/lib/python3.10/site-packages/pgadmin4";
- module = "pgAdmin4:app";
- socket = "/run/user/${toString pgadmin-user.uid}/pgadmin.sock";
- chmod-socket = 664;
- };
- };
- };
-}
diff --git a/secrets/default.yaml b/secrets/default.yaml
index 76f221e..4050728 100644
--- a/secrets/default.yaml
+++ b/secrets/default.yaml
@@ -28,9 +28,6 @@ postgres:
 headscale: ENC[AES256_GCM,data:UVPCZjcpm9j2dMwyAvrPfwOj84JJHrwoU5rs672FEeA=,iv:zq3J4mL/PB3EAl8LHxxC77Y4FMrZWT4QF+DOih+FIGk=,tag:UwfjKnjfJ3a6RwAWg/8BzQ==,type:str]
 grafana: ENC[AES256_GCM,data:bsxzS/xkNdSJvOSQfZY8RRK03ckfKAoYeiZlgrSxXVqTEQ==,iv:wb8bFITgGLToagEczdm7MwUmXl3tyYmrYqSZOblEz0I=,tag:ZboMGI4QdmOK+LVBDCl2Pg==,type:str]
 matrix_synapse: ENC[AES256_GCM,data:hLlUeo6glgw1PIo4N9aE7KLg7JV88EcG4IYZwVhs97Y=,iv:c4g33QQ/r54KrBM/zUG/gS9rNQy1OUB4KPSAggkgNvo=,tag:WOezFIPE89+oHKGMrsMSgA==,type:str]
-pgadmin:
- oauth2_secret: ENC[AES256_GCM,data:A1Upe1Ja76++ZdOx5YhuKjpaont4m5ChRzn/YVpJbnFzWy1tFlBkOr6UgBj7Wopg,iv:hY+b7AVSrSgHu/10reIjUjJ8+yR4FrZe2JgGiAowfGs=,tag:thy6O1Y3FGTWaQXqlU9aYg==,type:str]
- initialPassword: ENC[AES256_GCM,data:y2ADMtiIO+jIjIQhGKZB43yKcJIouaWagZYe/0K9OoKEGUQq+wXXWA==,iv:oeSzHdaxPj5nN3T+WfCxOq1wkcEDPJCgeh7WOOqs3B0=,tag:r81rysqIjsiCOvyzHiAV6Q==,type:str]
 paperless:
 password: ENC[AES256_GCM,data:8ut0DX8NajIy/WUwd3eBrFiGwsTMTYKWaPDy7kGytt8=,iv:q2hTmQsS4kBLZ4I7nRljstHlqELsGBYqf5yifFh3vNY=,tag:eJj+DXU898frl6+IoBsSPQ==,type:str]
 matrix_synapse:
@@ -74,8 +71,8 @@ sops:
 cElPYm5qK2lkTWZ1UGd6TU1NV2h4OTgK8Ecv58Ybnc6iYMjtSKTT1fYbNf4yyFgX
 rjQ2sU8Rqc04MqixnAkF2zSDaaJ0vqwf22MvbO3bYhpqOHwiTMbRLg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-04-29T23:29:34Z"
- mac: ENC[AES256_GCM,data:LWQjZvheJai3q8ASsN4l3LlbKjWB8/4z4si74D/aly6UIoUEJ8ALsUvWCWb64UCGHOfUfXjFPs5NaoTXcbXpATrl3tN0/hur6fdrHc4n96TpFGTtEj5Dy+SsNg2+oMJV3r5XAMIPhlDD9ZhUb2kyhhema063V3oY1ni7e5d/Kxg=,iv:hzH/JDU5WN5haGpv41jnziPZuXS/CQyGFq4N6Zcg55I=,tag:Q9ujo2azvDyyyTHNnLHQgw==,type:str]
+ lastmodified: "2024-06-09T13:31:53Z"
+ mac: ENC[AES256_GCM,data:8fdE/+Z0C7YSljHWtYaX4ceg+MJNKC1FZXnfEZhfMo5EB57OKc6CInMuVpxI1b9CP7Ka+3rr6bZQaa6djD0VAOjVOWaJPW79S8ee0iuxrm9a7ZI/tbM/7GFDF6j80ZkJW1+SUdjc6MneA4EKht6VwwO4RvAL94NwxbEfjFXo1wc=,iv:WDmESFjOr8uIiX//zDsQHDOB7cG7wmbmEhypIE/2hPM=,tag:0jGHxIr0f2iMfgrKBKStLQ==,type:str]
 pgp:
 - created_at: "2023-05-08T00:49:52Z"
 enc: |