
nixos/services/hostling: init

+191 -2
+21
flake.lock
··· 205 205 "type": "github" 206 206 } 207 207 }, 208 + "hostling": { 209 + "inputs": { 210 + "nixpkgs": [ 211 + "nixpkgs" 212 + ] 213 + }, 214 + "locked": { 215 + "lastModified": 1769186374, 216 + "narHash": "sha256-oNRJ2nYYsE+AI9lLUOK4HOwDOwOLtwDmHkWuQKFs+3Y=", 217 + "owner": "BatteredBunny", 218 + "repo": "hostling", 219 + "rev": "72496221490e0e2af8d9c4796fc33db524c7bdae", 220 + "type": "github" 221 + }, 222 + "original": { 223 + "owner": "BatteredBunny", 224 + "repo": "hostling", 225 + "type": "github" 226 + } 227 + }, 208 228 "izlix": { 209 229 "inputs": { 210 230 "nixpkgs": [ ··· 334 354 "flake-parts": "flake-parts", 335 355 "home-manager": "home-manager", 336 356 "homebrew": "homebrew", 357 + "hostling": "hostling", 337 358 "izlix": "izlix", 338 359 "izvim": "izvim", 339 360 "lanzaboote": "lanzaboote",
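--- a/flake.nix
+++ b/flake.nix
@@ -115,6 +115,13 @@
       inputs.nixpkgs.follows = "nixpkgs";
     };
 
+    hostling = {
+      type = "github";
+      owner = "BatteredBunny";
+      repo = "hostling";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
     ### misc
     # declarative theme management
     catppuccin = {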
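Review bot: The new `hostling` input carries no `ref`, so it tracks the default branch of a third-party personal repository, and the module it exports is imported straight into a system configuration (`inputs.hostling.nixosModules.default` in modules/nixos/services/hostling.nix); every `nix flake update` will pull whatever that branch holds at the time. flake.lock pins the exact revision today, which is the right control, but if upstream publishes release tags it would be safer to add a `ref` pinned to one here and bump deliberately, and in any case review the upstream diff whenever this input moves. The `inputs` attrset this entry sits in starts before the hunk.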
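--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@@ -11,6 +11,7 @@
     ./cloudflared.nix
     ./forgejo.nix
     ./glance.nix
+    ./hostling.nix
     ./immich.nix
     ./jellyfin.nix
     ./kanidm.nix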
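--- a/modules/nixos/services/hostling.nix
+++ b/modules/nixos/services/hostling.nix
@@ -0,0 +1,56 @@
+{
+  lib,
+  self,
+  config,
+  inputs,
+  ...
+}:
+let
+  inherit (lib) mkIf;
+  inherit (self.lib) mkServiceOption mkSecret;
+
+  cfg = config.garden.services.hostling;
+in
+{
+  options.garden.services.hostling = mkServiceOption "hostling" {
+    port = 3025;
+    host = "127.0.0.1";
+    domain = "cdn.${config.networking.domain}";
+  };
+
+  imports = [ inputs.hostling.nixosModules.default ];
+
+  config = mkIf cfg.enable {
+    sops.secrets.hostling = mkSecret {
+      file = "hostling";
+      key = "env";
+    };
+
+    services = {
+      hostling = {
+        enable = true;
+        createDbLocally = true;
+
+        environmentFile = config.sops.secrets.hostling.path;
+
+        settings = {
+          inherit (cfg) port;
+          behind_reverse_proxy = true;
+          trusted_proxy = cfg.host;
+          public_url = "https://${cfg.domain}";
+
+          s3 = {
+            bucket = "isa-cdn";
+            region = "europe-1";
+            endpoint = "in64u.upcloudobjects.com";
+            proxyfiles = true;
+          };
+        };
+      };
+
+      nginx.virtualHosts.${cfg.domain} = {
+        locations."/".proxyPass = "http://${cfg.host}:${toString cfg.port}";
+      };
+    };
+  };
+}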
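Review bot: The nginx vhost at the end of the file only sets `locations."/".proxyPass`; nothing in this file enables TLS (`forceSSL`/`useACMEHost`) or forwards the client headers that `behind_reverse_proxy = true` and `trusted_proxy = cfg.host` rely on, so unless a repo-wide nginx default supplies `recommendedProxySettings` and SSL, the service will see every request as originating from 127.0.0.1 and `public_url = "https://…"` will not match what the browser actually hits during the OIDC callback. If those defaults live in the shared nginx module, a one-line comment such as `# TLS and proxy headers come from the shared nginx module` would spare the next reader the search. It is also worth confirming that the upstream hostling module binds to `cfg.host` rather than all interfaces: only `port` is passed through in `settings`, so if the module exposes a listen-address option it should receive `cfg.host` as well, otherwise port 3025 is reachable from the network without going through the proxy.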
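--- a/modules/nixos/services/kanidm.nix
+++ b/modules/nixos/services/kanidm.nix
@@ -73,6 +73,13 @@
       group = "kanidm";
       mode = "440";
     };
+    kanidm-oauth2-hostling = mkSecret {
+      file = "kanidm";
+      key = "oauth2-hostling";
+      owner = "kanidm";
+      group = "kanidm";
+      mode = "440";
+    };
   };
 
   services = {
@@ -113,6 +120,7 @@
         "linkwarden.access"
         "wakapi.access"
         "immich.access"
+        "hostling.access"
       ];
     };
 
@@ -125,6 +133,8 @@
       "wakapi.access" = { };
 
       "immich.access" = { };
+
+      "hostling.access" = { };
     };
 
     systems.oauth2 = {
@@ -191,6 +201,21 @@
           "profile"
         ];
       };
+
+      hostling = {
+        displayName = "hostling";
+        originUrl = "https://${cfg'.hostling.domain}/api/auth/login/openid-connect/callback";
+        originLanding = "https://${cfg'.hostling.domain}/";
+        basicSecretFile = config.sops.secrets.kanidm-oauth2-hostling.path;
+        allowInsecureClientDisablePkce = true;
+        preferShortUsername = true;
+        scopeMaps."hostling.access" = [
+          "openid"
+          "email"
+          "profile"
+        ];
+      };
+
     };
   };
 };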
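Review bot: `allowInsecureClientDisablePkce = true;` on the new `hostling` OAuth2 client switches off kanidm's PKCE requirement for a confidential client that already authenticates with `basicSecretFile`; the sibling clients in this section fall outside the hunk, so I cannot tell whether they do the same. If hostling's OpenID Connect login supports PKCE (S256), drop the line and let kanidm enforce it; if it does not, keep the flag but record the reason next to it with `# hostling's OIDC client does not send PKCE; revisit when upstream adds it` so the exception is not silently copied to the next client. The enclosing `systems.oauth2` attrset starts before this hunk.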
+77
secrets/services/hostling.yaml
··· 1 + env: ENC[AES256_GCM,data:4LMQbgriQJ1wBY1FUQ25RJYWGYGw2nnTCi/T8KXIE3a1HpMGhWUqlEfTe723FMms59szDlxnE1RsXLe2hRbruJg33c25gXDLP/40he8x3S4uXRtBK84XOjcg8ZRCXw/DaFguyb1KeKpJFmTPnZDJ8BAVCk8aoTw/6K1lFrTCxyH7Sna058TXCTLDrpxyCX+CbAs7XG4exvJ3Ur0ZAeeQpD+Tu6tbF0mAIDGm7taNagMAxgk+iTdfaw8hjtEagVOg3bRdOYMNOEju26OnOXr7HOrozBecJAyoO/zMpKUnjDP21Hv4pVnNlk3fR+Uc0F61bzhoLH4b9oLKWVl0m/jktwH+/DrxE6IHGgSEdOuWilnHxl5q9u4kI3hQGZYegjpwxSDfSxgXEfSw0pL0NZeji/vLXtjQLKtYPBWqjIT8enrWowwJSnbDOhY=,iv:5XMDR1wcrSy6bUx57xl/vz68J87zs7OmrhV18e6dTOE=,tag:8lEn2Aa93wqfuPmGrqQNGg==,type:str] 2 + sops: 3 + age: 4 + - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQDiHbMSinj8twL9cTgPOfI6OMexrTZyHX27T8gnMj2 5 + enc: | 6 + -----BEGIN AGE ENCRYPTED FILE----- 7 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDk1NDQzZyBZeGFC 8 + amtmZ08yakNxT09IVzIvNG9jVEc2TG5Kek4xZWRJOHdIV3pFN2xnCjF0K2xaNXVl 9 + UGxsNUNkbUZpeE96b0g0emJKTkVaVmFqV3grSklLSjNjVkkKLS0tIGpCYzVZOGIw 10 + V3gySU1SeEp5eEh5Wmg4a3MyUS9ORW5sc3VkZ1krQ2Y4T28KdfskDVaCNGOK9TKy 11 + IRt9vhNPcZJu5lqCti7mE6T44Q1Y/3jcK94FgHq8Tf1hz9CJj7nf4xyZaSVUvsRW 12 + j0z54Q== 13 + -----END AGE ENCRYPTED FILE----- 14 + - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAomF8O3ZqZBpLRlAkS1+FwRllSMrREHtndw07trrfcA 15 + enc: | 16 + -----BEGIN AGE ENCRYPTED FILE----- 17 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IENXL2NhQSA0SVNI 18 + YVBMVXoxNDJKL3BCb3N4NnhMTXNqdUhrUDdjMTdTcEsxbVpGL1FFCjRjb0w3cWph 19 + TG5uZ285SWthR0wvbjhCMnJmdlRERnlxWGJCaXlnbHJOL1EKLS0tIGVSRnBrb1lD 20 + N1FIUDZSQnRjMXdKdW1iL3VUZElleWg3NlI1R0JFLzlVMWsKt821rKpZNqkDzWUU 21 + CAOjfknx45+l47V4JegWlUJYgrc/oZHW6VhNAEVab/7p16kT0cxR2qQEpu8hHCkq 22 + Nn9v8Q== 23 + -----END AGE ENCRYPTED FILE----- 24 + - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKV3N2r1cX3kZMHxuJYaFsjWJRtik/2b/KZ5ru38IqAT 25 + enc: | 26 + -----BEGIN AGE ENCRYPTED FILE----- 27 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFh6aDdpUSBnVUFH 28 + Zms2ZEVneGJOa3RGZjVrQnBjT0lkTFFYMFRBUjQrNmw1cDcyRGdZCjEzT292cktv 29 + 
NmJ0TDlNM2JLMGJZSm9lNFd0Q1dRdmp0R016ejVTTUV6ZE0KLS0tIDl5U3dMVkRo 30 + WG9XUnpxUXpFTWxjdDVXdHJreUVyelV6NzhMaG5nTHU5dzAKWojiW3Hs/1rG/1+u 31 + ELxAcE7Yfykk2KIE3bny2YBEN9Q7GS/WmoPtg8EvBBATDrghm4Z2ChkmNp0HUrmF 32 + xDy5ow== 33 + -----END AGE ENCRYPTED FILE----- 34 + - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN2pZDnEwnOsrf9aPUVkBigeFwAirWPVGliSs5AgcEFr 35 + enc: | 36 + -----BEGIN AGE ENCRYPTED FILE----- 37 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IFZTUGdBUSBVT2Y3 38 + WitySGRUcnRjLytsNCtsdEo0eG1DRFRUUnl0bUg2OUxaR2E5SUdnClNmK3hRTHM1 39 + aFc3OEgxVGxjSzJsbmFUU1JISHFodFNGbUVEZFUrQUl6Wm8KLS0tIExHZW9sYVVj 40 + VEVBTERwWFozUXU5SnZ4RDNEcWE5RTl2bGhEa0lzbnJCNVkKjZTky9WeA0hPUSaR 41 + gEva9lMUWpD7WwEEwWW6qqacBH9KS/4aXDpKRWoLKBDWTz8jASIQTp1Kbh8bnY++ 42 + 9MZmeQ== 43 + -----END AGE ENCRYPTED FILE----- 44 + - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICOXg0Qq1bdnrYp+KL6tfLZsMf3KHFfpaP2GMjwmpug2 45 + enc: | 46 + -----BEGIN AGE ENCRYPTED FILE----- 47 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IGRaVG9vQSBPQWlU 48 + U2dLVFBuRnhzMm4wYWJMajA3ak01RVVBNUd0K1dtRFliZ21jVTB3CndTQnpMQUhh 49 + ekxFUmJpalF4LzI0b2g2bTZ2WkJlNTJDVVRzZE5LaU9LeXMKLS0tIHRjZUpiU0tO 50 + elphbHlhN2dDQnV4Zy9NZ1IrSXpsTDNGMFgyY0V4TUZaak0KzZZjFFiLvsQkJ5/f 51 + F+D9gggE782NUNtlLDMw+jDQoZ4hwWOLtVMs6u4HhIV8YlUXNUvbv4eH8kFvXnRj 52 + amJUYg== 53 + -----END AGE ENCRYPTED FILE----- 54 + - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFecrTXoINyGQkeOLQetR5BC6s9VlJHlCbY02WY5FAnJ 55 + enc: | 56 + -----BEGIN AGE ENCRYPTED FILE----- 57 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IDgrRFVnUSBpQ0p5 58 + R2Z3STFLT1lEU3Q4YTBGUVBmb1g5YXNLMDVLZm5IVG9Sa1RRUUJvClo2Q3Y0ZUw2 59 + by9NWXhqYTFaaHZYVWVZVXhNZUZzektwNEJQNnVCckhPcEUKLS0tIDBFMTF1aktt 60 + N2Z3dDQra3ZLeEUvdnVXWjVnSFgzb0c0ZVZGa0hIRzlCQ1EKwqtG+us9kyK2aHNq 61 + 1UgDizAWi/HjJXfMQ71dZ31KFPIht6xZbNmLsl897kdngRqaX0PirGdyvhB/zsN8 62 + LjUbqA== 63 + -----END AGE ENCRYPTED FILE----- 64 + - recipient: ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIErl+4GkgJOoaUUOU9gblWJ6FpIls/adHx0YpOUXXxJA 65 + enc: | 66 + -----BEGIN AGE ENCRYPTED FILE----- 67 + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IEptYzFtUSBmOFI2 68 + d2dIbTkwYnlpVmF4UFR5Z1FTcXJRMVNra2Qxc2JCVXNmbWx6N1JvClBSVUhFMUlB 69 + Y1gzTWlMMGNGN2IwakxHY2grMG5idUpmMjZyam9UUE9QR0EKLS0tIEU2Z1c1UVQr 70 + R0dTVGVGd0FEWXA4cGpUUmNnZUM3R0Y4NTBlS0VDQlJ3U1UKe6mLYY8N1rucWqrg 71 + kKJ4mLSM4ttM34bmK05pGh4Sz+kVf+hB9+TgWSmZE85TAtyVDljz25TuNMkT4Rr2 72 + 2hgY5w== 73 + -----END AGE ENCRYPTED FILE----- 74 + lastmodified: "2026-01-22T20:56:44Z" 75 + mac: ENC[AES256_GCM,data:n59xb1htiLiHcCasgE1c7sRjt5N1iRNl6NC4gPe4WaOsRQN5iKt90ndj1gBpek2gUG1IstbRshV1gGm5JmbL0wRPN1mWW7lelMhjo9Y2BLOZbFPCN1kA1fP0AHLwUryEGv44SEYEBMApwHYsig6ZSka9MTAFVnQnWdA7YT0M7Hg=,iv:T1saLQp2RYFrwivnfqpxfJ3PtXXkxkwFskX5tgdMMEU=,tag:SBx8FhkwIOStsvI3qDtpSw==,type:str] 76 + unencrypted_suffix: _unencrypted 77 + version: 3.11.0
+3 -2
secrets/services/kanidm.yaml
··· 5 5 oauth2-linkwarden: ENC[AES256_GCM,data:9Qva6+boTYp+2H4FoP6uO8uphGuMRq845pFRKaFaSZ9BAPyJndHgqVpSAxbXS6MT,iv:mMQdW5rBddSOa+O6Al0M2/6tP8ECHpQfqzxKx3UO22s=,tag:52F1oJjEHfG8IoKWr00nRA==,type:str] 6 6 oauth2-wakapi: ENC[AES256_GCM,data:2qJ1Cn9wnrpepf8O53PuUtaZueLd6mC8WRIEoRcTH8W0ZALBOsrVA5rgu++373XO,iv:KJ8FThCGmbSfUmIhtisCOowSWpDd6qW5vNmfrGHWe54=,tag:Xs3oNOin3mAvvJBHfdRc8w==,type:str] 7 7 oauth2-immich: ENC[AES256_GCM,data:6Or046zQXUWUytAYXG6hnvCn7E0MTq+9vsqrfGxsbzVYFENblsUoGiKwoQUfBB1V,iv:LtduTwFIZsPAbxeR6GEteND28yz2/UvGwohNhMTnYxk=,tag:mUTgZSrg2F5a/WeGoWRyGA==,type:str] 8 + oauth2-hostling: ENC[AES256_GCM,data:DAE8jDuqGvqf6xAUUEJH+E58y7JbH2Uqn2rY+dBrM2uZJ76BL43Z9y9ZK0jES9o2,iv:cOTXVNRUfO/on0EAe4zWLCHtfqY/6T+zfshvccwZVs0=,tag:YfKi+t5ynGvvYIM3bHweDg==,type:str] 8 9 sops: 9 10 age: 10 11 - recipient: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMQDiHbMSinj8twL9cTgPOfI6OMexrTZyHX27T8gnMj2 ··· 77 78 W8XAE4/Jgr2rWQWhfXQGNY1nQIib6RNJuvuoqnisRru34jhEb+uK7gPZN65ZpFFY 78 79 Ecy6rA== 79 80 -----END AGE ENCRYPTED FILE----- 80 - lastmodified: "2025-12-17T22:10:38Z" 81 - mac: ENC[AES256_GCM,data:fIXWKRMGrk3LqLpXOhd7fMb9Jkpay+DTFAZL/J2NItuXD/alI/wLtLb3NVphRhXHv4ZbjqXW9lbNgXomfHN2cFKYajKw8RoVql4QOpjrcWCK3FVTS+YRB3YiecxepVcv0hLg5thV8X6bSgrNmgeZKb3lPaNFmWV9wlfCVA2t/zc=,iv:OLGmXhTmZp3yWGD5uz5iazem/jT+Ckh58l+PsWq6NYY=,tag:SkIVU7Pme07g6STVQVhjPA==,type:str] 81 + lastmodified: "2026-01-22T20:00:33Z" 82 + mac: ENC[AES256_GCM,data:GD45/UxVFbss72OYXiWh5kK2MEVExDqNgXRQydKzQ36/nj/cNFZlQd3FVVHOkvFPuTZfwt2nv8o3JM6YYdeSTRtGF+Bg2kpHmZo2gwFMBbTCMweZoEqgKl9zaRkjqstn5Eqo3SdLuP9mkEzarYCflHyrIVbEaOfDj8PYMsrTKUI=,iv:68KK4Lr0XDBAC0hfu5v0cf+1Dkro7z/t8YKyGGrL9OM=,tag:Ja5t0T+ogShAgP4awJ552w==,type:str] 82 83 unencrypted_suffix: _unencrypted 83 84 version: 3.11.0
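--- a/systems/minerva/default.nix
+++ b/systems/minerva/default.nix
@@ -28,6 +28,7 @@
     blahaj.enable = true;
     kanidm.enable = true;
     mailserver.enable = true;
+    hostling.enable = true;
 
     # web
     nginx.enable = true;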