forgejo: init

2026-01-19 15:47:16 -05:00 · 2026-01-19 15:47:16 -05:00 · d20c3cade4
commit d20c3cade4
parent 6f9465b890
4 changed files with 92 additions and 2 deletions
--- a/modules/nixos/services/homeserver/kanidm.nix
+++ b/modules/nixos/services/homeserver/kanidm.nix
@ -5,6 +5,7 @@
    "acme/secrets.env" = {};
  }
  // lib.genAttrs [
+    "kanidm/oauth2/forgejo"
    "kanidm/oauth2/grafana"
    "kanidm/oauth2/jellyfin"
    "kanidm/oauth2/nextcloud"
@ -69,28 +70,43 @@
        mailAddresses = [ "wo2w@kanidm.wo2wz.fyi" ];

        groups = [
+          "forgejo_users"
          "grafana_users"
          "jellyfin_users"
          "nextcloud_users"
          "vaultwarden_users"

+          "forgejo_admins"
          "grafana_admins"
          "jellyfin_admins"
        ];
      };

      groups = lib.genAttrs [
+        "forgejo_users"
        "grafana_users"
        "jellyfin_users"
        "nextcloud_users"
        "vaultwarden_users"
      ] (x: {})
      // {
+        forgejo_admins.members = [ "forgejo_users" ];
        grafana_admins.members = [ "grafana_users" ];
        jellyfin_admins.members = [ "jellyfin_users" ];
      };

      systems.oauth2 = {
+        forgejo = {
+          displayName = "Forgejo";
+          originUrl = "https://git.wo2wz.fyi/user/oauth2/Kanidm/callback";
+          originLanding = "https://git.wo2wz.fyi";
+
+          preferShortUsername = true;
+          basicSecretFile = config.sops.secrets."kanidm/oauth2/forgejo".path;
+          scopeMaps.grafana_users = [ "openid" "email" "profile" ];
+          claimMaps.grafana_users.valuesByGroup.forgejo_admins = [ "forgejo_admin" ];
+        };
+
        grafana = {
          displayName = "Grafana";
          originUrl = "https://grafana.taild5f7e6.ts.net/login/generic_oauth";