authentik yay

2025-09-07 00:11:16 +02:00 · 2025-09-07 00:11:16 +02:00 · f2fcbfb679
commit f2fcbfb679
parent d3a93fd115
34 changed files with 612 additions and 363 deletions
--- a/modules/presets/cli.nix
+++ b/modules/presets/cli.nix
@ -38,11 +38,11 @@ in

    nix.settings = {
      substituters = [
-        "https://cache.lix.systems"
+        # "https://cache.lix.systems"
        "https://helix.cachix.org"
      ];
      trusted-public-keys = [
-        "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
+        # "cache.lix.systems:aBnZUw8zA7H35Cz2RyKFVs3H4PlGTLawyY5KRbvJR8o="
        "helix.cachix.org-1:ejp9KQpR1FBI2onstMQ34yogDm4OgU2ru6lIwPvuCVs="
      ];
      trusted-users = lib.mkDefault [
--- a/modules/presets/common.nix
+++ b/modules/presets/common.nix
@ -28,10 +28,6 @@ in
      # ];
    });
    security.polkit.extraConfig = ''
-      polkit.addRule(function(action, subject) {
-    polkit.log("action=" + action);
-    polkit.log("subject=" + subject);
-});
      polkit.addRule(function(action, subject) { // make run0 keep pw for some time (tm)
        if (
          subject.isInGroup("wheel")
--- a/modules/presets/server.nix
+++ b/modules/presets/server.nix
@ -6,22 +6,56 @@
 }:
 let
  cfg = config.xyno.presets.server;
+  msmtpConfigItems = [
+    "host"
+    "port"
+    "from"
+    "user"
+    "password"
+
+  ];
 in
 {
  options.xyno.presets.server.enable =
    lib.mkEnableOption "enables xynos base server config (ssh/smart/email/zed/...)";
  config = lib.mkIf cfg.enable {
    services.openssh.enable = true;
-    users.users.root.openssh.authorizedKeys.keys = ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/oMAi5jyQsNohfhcSH2ItisTpBGB0WtYTVxJYKKqhj"]; # theseus
+    users.users.root.openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID/oMAi5jyQsNohfhcSH2ItisTpBGB0WtYTVxJYKKqhj"
+    ]; # theseus

    environment.etc."msmtprc".enable = false;
-    sops.secrets."msmtp/rc" = {
+    sops.defaultSopsFile = ../../secrets/common.yaml;
+    sops.secrets = lib.mkMerge (
+      [
+        {
+          "msmtp/aliases" = {
+            path = "/etc/aliases";
+          };
+        }
+      ]
+      ++ (map (x: { "msmtp/${x}" = { }; }) msmtpConfigItems)
+    );
+    sops.templates."msmtprc" = {
      path = "/etc/msmtprc";
+      content = ''
+        defaults
+        allow_from_override off
+        set_from_header on
+        auth on
+        tls on
+        tls_starttls off
+
+        account default
+        ${lib.concatStringsSep "\n" (
+          map (x: "${x} ${config.sops.placeholder."msmtp/${x}"}") msmtpConfigItems
+        )}
+        auth on
+
+        aliases /etc/aliases
+      '';
    };
-    sops.secrets."msmtp/aliases" = {
-      path = "/etc/aliases";
-    };
-    
+
    programs.msmtp = {
      enable = true;
    };