tsuki: setup oauth2 for pgadmin
This commit also changes the pgadmin package from `22.11` to `unstable`
This commit is contained in:
parent
5e2a5a939b
commit
df3aa7c10e
@ -99,8 +99,11 @@
|
||||
android_sdk.accept_license = true;
|
||||
};
|
||||
|
||||
overlays = [
|
||||
(self: super: { kanidm = unstable-pkgs.callPackage ./package-overrides/kanidm.nix {}; })
|
||||
overlays = let
|
||||
nonrecursive-unstable-pkgs = nixpkgs-unstable.legacyPackages.${system};
|
||||
in [
|
||||
(self: super: { kanidm = super.callPackage ./package-overrides/kanidm.nix {}; })
|
||||
(self: super: { pgadmin4 = nonrecursive-unstable-pkgs.pgadmin4; })
|
||||
osuchan.overlays.default
|
||||
];
|
||||
};
|
||||
|
@ -14,17 +14,56 @@
|
||||
# settings = {};
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
"pgadmin/oauth2_secret" = rec {
|
||||
restartUnits = [ "pgadmin.service" ];
|
||||
owner = config.systemd.services.pgadmin.serviceConfig.User;
|
||||
group = config.users.users.${owner}.group;
|
||||
};
|
||||
"pgadmin/initialPassword" = rec {
|
||||
restartUnits = [ "pgadmin.service" ];
|
||||
owner = config.systemd.services.pgadmin.serviceConfig.User;
|
||||
group = config.users.users.${owner}.group;
|
||||
};
|
||||
};
|
||||
|
||||
services.pgadmin = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
initialEmail = "h7x4@nani.wtf";
|
||||
initialPasswordFile = "${config.machineVars.dataDrives.default}/keys/pgadmin_pass";
|
||||
initialPasswordFile = config.sops.secrets."pgadmin/initialPassword".path;
|
||||
port = secrets.ports.pgadmin;
|
||||
settings = {
|
||||
DATA_DIR = "${config.machineVars.dataDrives.default}/var/pgadmin";
|
||||
settings = let
|
||||
authServerUrl = config.services.kanidm.serverSettings.origin;
|
||||
in {
|
||||
# FIXME: pgadmin does not work with NFS by default, because it uses
|
||||
# some kind of metafiles in its data directory.
|
||||
# DATA_DIR = "${config.machineVars.dataDrives.default}/var/pgadmin";
|
||||
DATA_DIR = "/var/lib/pgadmin";
|
||||
AUTHENTICATION_SOURCES = [ "oauth2" ];
|
||||
OAUTH2_AUTO_CREATE_USER = true;
|
||||
OAUTH2_CONFIG = [ rec {
|
||||
OAUTH2_NAME = "KaniDM";
|
||||
OAUTH2_DISPLAY_NAME = "KaniDM";
|
||||
OAUTH2_CLIENT_ID = "pgadmin";
|
||||
OAUTH2_API_BASE_URL = "${authServerUrl}/oauth2";
|
||||
OAUTH2_TOKEN_URL = "${authServerUrl}/oauth2/token";
|
||||
OAUTH2_AUTHORIZATION_URL = "${authServerUrl}/ui/oauth2";
|
||||
OAUTH2_USERINFO_ENDPOINT = "${authServerUrl}/oauth2/openid/${OAUTH2_CLIENT_ID}/userinfo";
|
||||
OAUTH2_SERVER_METADATA_URL = "${authServerUrl}/oauth2/openid/${OAUTH2_CLIENT_ID}/.well-known/openid-configuration";
|
||||
OAUTH2_SCOPE = "openid email profile";
|
||||
OAUTH2_ICON = "fa-lock";
|
||||
OAUTH2_BUTTON_COLOR = "#ff6600";
|
||||
}];
|
||||
};
|
||||
};
|
||||
|
||||
environment.etc."pgadmin/config_system.py".text = let
|
||||
in ''
|
||||
with open("${config.sops.secrets."pgadmin/oauth2_secret".path}") as f:
|
||||
OAUTH2_CONFIG[0]['OAUTH2_CLIENT_SECRET'] = f.read()
|
||||
'';
|
||||
|
||||
services.postgresqlBackup = {
|
||||
enable = true;
|
||||
location = "${config.machineVars.dataDrives.drives.backup}/postgres";
|
||||
|
@ -1,5 +1,5 @@
|
||||
headscale:
|
||||
oauth_secret: ""
|
||||
oauth2_secret: ENC[AES256_GCM,data:Ois+s0O9wgL3zWpgk6E35o5HczIW/4wnSq2KU+F59u4FBFPAtbl/WD0N4AKgWMrm,iv:UX8vhNvHvA5BmNmx5eW8ugce+yZCE1lt2ux8sJajZ8Q=,tag:xOpdLLryt8MptiVsKibNew==,type:str]
|
||||
hedgedoc:
|
||||
env: ENC[AES256_GCM,data:4i2I7S5hKp3mjROMwa3WQinbgmxXhKzSaWspzF12TIDm9g3Bgie0jfSxbDuPjJYq1mZ8oQ2Jzdi2N+Q4blOk9fZO3VREoU0qFrfqm8RqBw3a7hpisXzu9okYnzrW2JiVxNGWwZbuiCG1SzdMOMHq/ZqLEJdu7Pxm9cY9xBSZthap1DCFyr7dmjHt3AnEQemsDpxSaWKD2Dfs1gyA23rLAFBd,iv:lfB6uaXULUNme7cGyN+bKuXPsbgpjMrxrRy2L96HltY=,tag:uu37bZ4g/PA2mgzs3ioLCQ==,type:str]
|
||||
cloudflare:
|
||||
@ -9,6 +9,9 @@ drives:
|
||||
credentials: ENC[AES256_GCM,data:ypMZhs7dQw/IlcLwHwFcIZw0N+kCzvFGLe3gEqZVe1hj0lzK8MCfxAR8GpA=,iv:by5ljMzOuuY4b6BDUQNLhp8/gcXDNe+rHkqhFzjNA6c=,tag:3C5iYsxEWwAKs9Blgr5o6g==,type:str]
|
||||
postgres:
|
||||
gitea: ENC[AES256_GCM,data:HyYgEgOzeOnaEvPDEXoL+fRhrnqCeGbb/wOYf2kHulxrU9PKIAcRzmNljsc=,iv:1N/N2RUQ++rAWw4VNQzhee2aV9LzOJym6cyM6CAnZUU=,tag:o7dblJrIAPd4/S8X2LKdcQ==,type:str]
|
||||
pgadmin:
|
||||
oauth2_secret: ENC[AES256_GCM,data:A1Upe1Ja76++ZdOx5YhuKjpaont4m5ChRzn/YVpJbnFzWy1tFlBkOr6UgBj7Wopg,iv:hY+b7AVSrSgHu/10reIjUjJ8+yR4FrZe2JgGiAowfGs=,tag:thy6O1Y3FGTWaQXqlU9aYg==,type:str]
|
||||
initialPassword: ENC[AES256_GCM,data:674lqcGTDCOYBNocf0LQuQB1cbMus0iZOcvwbadpAXrF4DPQSetqrg==,iv:y8hfzLh6i7LxR11fmM9T0z2t7202JMAiZzi/1iCWPvM=,tag:lHwCBWaWsArrAJ0rZ8Xk/w==,type:str]
|
||||
sops:
|
||||
kms: []
|
||||
gcp_kms: []
|
||||
@ -24,8 +27,8 @@ sops:
|
||||
UE1YWkplaFBhV01CU0FDYTQ3NlkwVkUKMJyCfyh/vcj/VU7shtFF4YRRVaWdcMNh
|
||||
rp9lZmRZpc9mARXYAj9RlkI/uuSzxshtqb5AGXKmSV0hncazxu75kg==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2023-03-08T14:35:20Z"
|
||||
mac: ENC[AES256_GCM,data:V3LhoWRReZkj16s7/90zvS4GaAXDf7gY3qKGAoYRKPKrbBVDHS3Z6Vd+HZVTNcGZ0gfsJUeI8PXP2CnevN06/NKSIgyGP/8fDYSXCr2Qs3ccOnsWArAT6v83+xFxESIhlC9ww5plbAqCXPfUEHTg3SX7wa3vOQagOBjphKtPYD8=,iv:fYbmMGwbaMpyV7i8/rSTyOdK2TS0u4/0MUAPFZBV4E8=,tag:OIimZjzn6rvuweZVEmsnvw==,type:str]
|
||||
lastmodified: "2023-03-16T22:23:30Z"
|
||||
mac: ENC[AES256_GCM,data:WhmY8htyrpTsAHuA8Q6RquBSafTZR/ocyB/OvLRhIV4gksSbzCWeMR+5Jwvvr8XYkwzD3rpCgCiqpA6R8ibxfdhHYZwHKMJNrAlpBdXSom67q9RUvDJjiCEQyJpcsvjJmT1mM9J3E6iVymoI0h2WW+rGzN3vgONBIr86p0nknKI=,iv:JdHn/qSzPCwkaBL81Wax0ThXFtSGrb26shA1tfXy/aI=,tag:dZLtLJM5mNCO6OOWLtQwXg==,type:str]
|
||||
pgp:
|
||||
- created_at: "2023-03-07T12:32:53Z"
|
||||
enc: |
|
||||
|
Loading…
Reference in New Issue
Block a user