Commit 77156ba

HPCesia <me@hpcesia.com>
2025-07-31 16:26:32
feat(service): add gokapi on pardo
1 parent b3be679
Changed files (6)
hosts/chaser-pardofelis/homepage/default.nix
@@ -99,10 +99,10 @@ in {
       };
     };
     "工具" = mapHomepageConf {
-      Vaultwarden = {
-        href = "https://bitwarden.hpcesia.com/";
-        icon = "vaultwarden.svg";
-        siteMonitor = "https://bitwarden.hpcesia.com/";
+      Gokapi = {
+        href = "https://send.hpcesia.com/admin";
+        icon = "sh-gokapi.png";
+        siteMonitor = "https://send.hpcesia.com/";
       };
       Hoppscotch = {
         href = "https://hoppscotch.io/";
hosts/chaser-pardofelis/authelia.nix
@@ -22,6 +22,10 @@
           };
         };
         identity_validation.reset_password.jwt_algorithm = "HS512";
+        identity_providers.oidc.cors = {
+          endpoints = ["authorization" "token" "revocation" "introspection"];
+          allowed_origins = ["https://*.hpcesia.com" "https://*.trin.one"];
+        };
         identity_providers.oidc.clients = [
           {
             # Refer: https://www.authelia.com/integration/openid-connect/clients/forgejo
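Review bot: The `allowed_origins` patterns `https://*.hpcesia.com` and `https://*.trin.one` open cross-origin access to the token, revocation and introspection endpoints for every subdomain of both zones, which is wider than the registered clients need. As far as I know Authelia documents exact origins or a lone `*` for this option, so confirm that a subdomain wildcard is accepted and matched as intended. If browser-side calls are needed at all, list exact origins such as `allowed_origins = ["https://send.hpcesia.com"];`, or set `allowed_origins_from_client_redirect_uris = true;` so the list follows the registered clients. The enclosing settings block starts and ends outside this hunk.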
@@ -42,6 +46,19 @@
             userinfo_signed_response_alg = "none";
             token_endpoint_auth_method = "client_secret_basic";
           }
+          {
+            # Refer: https://www.authelia.com/integration/openid-connect/clients/forgejo
+            client_id = "gokapi";
+            client_name = "Tribios";
+            client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-gokapi".path}" }}'';
+            public = false;
+            authorization_policy = "one_factor";
+            redirect_uris = [
+              "https://send.hpcesia.com/oauth-callback"
+            ];
+            scopes = ["openid" "email" "profile" "groups"];
+            userinfo_signed_response_alg = "none";
+          }
         ];
         authentication_backend.file = {
           path = "/var/lib/authelia-main/users_database.yaml";
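Review bot: `authorization_policy = "one_factor"` on the `gokapi` client lets a password alone reach the admin UI of an internet-facing file-sharing service; `authorization_policy = "two_factor";` would be the safer setting if second factors are enrolled. The `# Refer:` comment was copied from the Forgejo client and should point at the Gokapi integration notes instead. The Forgejo entry above pins `token_endpoint_auth_method = "client_secret_basic"` while this one leaves it at the default; setting it explicitly keeps the two clients consistent, once you have confirmed which method Gokapi uses. The clients list begins outside this hunk.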
hosts/chaser-pardofelis/caddy.nix
@@ -24,6 +24,7 @@
         }";
         forgejo = "http://localhost:${builtins.toString config.services.forgejo.settings.server.HTTP_PORT}";
         goatcounter = "http://localhost:${builtins.toString config.services.goatcounter.port}";
+        gokapi = "http://localhost:${builtins.toString config.services.gokapi.environment.GOKAPI_PORT}";
         gotosocial = "http://localhost:${builtins.toString config.services.gotosocial.settings.port}";
         grafana = "http://localhost:${builtins.toString config.services.grafana.settings.server.http_port}";
         homepage = "http://localhost:${builtins.toString config.services.homepage-dashboard.listenPort}";
@@ -71,6 +72,10 @@
         encode zstd gzip
         reverse_proxy ${localAddress.forgejo}
       '';
+      "send.hpcesia.com".extraConfig = ''
+        encode zstd gzip
+        reverse_proxy ${localAddress.gokapi}
+      '';
       "trin.one".extraConfig = ''
         encode zstd gzip
         reverse_proxy ${localAddress.gotosocial}
hosts/chaser-pardofelis/gokapi.nix
@@ -0,0 +1,65 @@
+{
+  lib,
+  config,
+  ...
+}: {
+  services.gokapi = {
+    enable = true;
+    mutableSettings = true;
+    environment = {
+      GOKAPI_PORT = 53842;
+    };
+    settings = {
+      ServerUrl = "https://send.hpcesia.com/";
+      RedirectUrl = "https://github.com/Forceu/Gokapi/";
+      PublicName = "Tribios";
+      DatabaseUrl = "sqlite:///var/lib/gokapi/data/db.sqlite";
+      UseSsl = false;
+      SaveIp = false;
+      IncludeFilename = true;
+      MaxFileSizeMB = 2048;
+      MaxMemory = 50;
+      ChunkSize = 45;
+      MaxParallelUploads = 4;
+      PicturesAlwaysLocal = false;
+      Encryption = {
+        Level = 0;
+        Cipher = null;
+      };
+      Authentication = {
+        Method = 1;
+        Username = "HPCesia";
+        OauthProvider = "https://authelia.hpcesia.com";
+        OAuthClientId = "gokapi";
+        OAuthRecheckInterval = 12;
+      };
+    };
+    settingsFile = config.sops.templates.gokapi-config.path;
+  };
+
+  systemd.services.gokapi.serviceConfig = {
+    DynamicUser = lib.mkForce false;
+    User = "gokapi";
+    Group = "gokapi";
+  };
+
+  sops.templates.gokapi-config = {
+    content = builtins.toJSON {
+      Authentication = {
+        SaltAdmin = config.sops.placeholder.gokapi-salt-admin;
+        SaltFiles = config.sops.placeholder.gokapi-salt-files;
+        OAuthClientSecret = config.sops.placeholder.gokapi-oauth-secret;
+      };
+    };
+    owner = "root";
+    group = "gokapi";
+    mode = "0440";
+  };
+
+  users.users.gokapi = {
+    isSystemUser = true;
+    useDefaultShell = true;
+    group = "gokapi";
+  };
+  users.groups.gokapi = {};
+}
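Review bot: The `gokapi` account gets `useDefaultShell = true` although it only runs a daemon; dropping that line leaves the system user without a login shell. Forcing `DynamicUser` off also removes the sandboxing systemd implies with it (for example `ProtectSystem=strict` and `PrivateTmp=yes`), so unless the module already sets them they are worth adding explicitly to `systemd.services.gokapi.serviceConfig`. Separately, the `Authentication` block selects OAuth (`Method = 1`) with no visible user or group restriction, so confirm that not every account in Authelia's user database ends up with upload rights. A short comment on why `DynamicUser` is overridden (presumably so the sops template can be group-readable) would help the next reader.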
secrets/hosts/pardofelis/default.nix
@@ -121,6 +121,13 @@ in
             // autheliaMainConf
             // secretFileConf;
         }
+        {
+          name = "authelia-main-client-secrets-gokapi";
+          value =
+            {key = "services/authelia/main/clientSecrets/gokapi";}
+            // autheliaMainConf
+            // secretFileConf;
+        }
         # === Artalk === #
         {
           name = "artalk-akismet-key";
@@ -157,6 +164,19 @@ in
             // artalkConf
             // secretFileConf;
         }
+        # === Gokapi === #
+        {
+          name = "gokapi-salt-admin";
+          value = {key = "services/gokapi/saltAdmin";} // secretFileConf;
+        }
+        {
+          name = "gokapi-salt-files";
+          value = {key = "services/gokapi/saltFiles";} // secretFileConf;
+        }
+        {
+          name = "gokapi-oauth-secret";
+          value = {key = "services/gokapi/oauthSecret";} // secretFileConf;
+        }
       ]
     )
   )
secrets/hosts/pardofelis/secrets.yaml
@@ -19,10 +19,15 @@ services:
         emailPassword: ENC[AES256_GCM,data:u2oITTJX3yIGpkv8xWnoSFQGUv/SUw1G,iv:y0eh74YZ2mA2toYmxTqU6a5sycWQPGwJNgqDhlX9pIQ=,tag:2VjyYKydIrMr8/OjbgzPjw==,type:str]
         githubClientId: ENC[AES256_GCM,data:ju1RHdc5cx99s+NQXfhk/b80jLI=,iv:84ly8arMzezgoxo61Barey/NaEYWF7c9HY5DS7fl2Gg=,tag:r7pf4jKkhsW+GAiGf2CG9A==,type:str]
         githubClientSecret: ENC[AES256_GCM,data:pyt5ddWBtBA2A8MQDkT4toLgwVwa5VnlWGOwEFldMerYCtw4F9X7Ow==,iv:H2YbbmBTGskZ+1yLTZTICO0bzR9LADN+4Bl+/P1s1TE=,tag:DF9WXdE/isxZUNblpRUv5g==,type:str]
+    gokapi:
+        saltAdmin: ENC[AES256_GCM,data:oSOq+fA75Iv4GjFqUlcyA7vB1RHE9hUgVtQp0iw9,iv:h0VB/szqUN2KKmd5T7I6diinygw/d7uRfR4bIpado4w=,tag:CAVs81P23jqhiRy8fJEgcA==,type:str]
+        saltFiles: ENC[AES256_GCM,data:4OYUZFZr4Z89ufEpT7TCOi87Yk0JAIOPpuBFuGXI,iv:gldYRfNAWhdM0EivqgJ8mGtjbq0omBrgI/j5UBw/0bE=,tag:dAmms78ooZUX8OeEzV9E2Q==,type:str]
+        oauthSecret: ENC[AES256_GCM,data:K1rtzHjeJGCKgB0D3kOX3KmrsAkI7nW/EEMjpFEc4tkvY/Fw68VzqvKBPhRnSbiwETEiIvgUm081U+IHFzuI6FEA+okU2jCZ,iv:agXGqOsFvpZF95Zo8YxXcGeet2nIaKWJopxO3ZIGvBo=,tag:BKhcJm5SixS7oYZ+DDYD8w==,type:str]
     authelia:
         main:
             clientSecrets:
                 forgejo: ENC[AES256_GCM,data:UvHmLsPzcpibjh9fJL5TawicsgGfhCi7kNO5LexWwWU3je8qTZmt9uWPUSW+MkJoN7Mx4EWG7T3ZqReK1t6/rMeE8zmNHw+ea6AfIpOhNejxTMd0j1CnMrIKnCvSWnXNgTueo0mYQxT7qnsh8Q+VurrOr1TudvNpIjoXISLIQ5yxABo=,iv:WZm/Z4VwcEZ8Ipd3Bw98PkjZdcWYXFt1Uhgq/+wgUSA=,tag:s/nx+8pWAVkTmRyuP07auQ==,type:str]
+                gokapi: ENC[AES256_GCM,data:kbICBV5SUIHCCL8RU2/0dHQEugrHvl3YP7r/k1tOlKC0mRh6m3XTgcYKpttEgm+Y3PgK3X6/0wQL7k2jWAQq6pMn5kQ4gH7L6BCdjUiE2TxI1wjOFd4LR2koM9x7LTkgb0md23IoCIG+QbpF/a+tRonmqg+FJh2gH0iwpqt9k3cmP8E=,iv:mKJ2AXJ1o/dcRnWiGMVwamWywjk6SwWxhyDXmQaoopE=,tag:/RXJCkpI85aeoUCCbfejDw==,type:str]
             jwtSecret: ENC[AES256_GCM,data:czKoD+m8bu0ioTjXYmGv8ZhQphTgsv3GEAvgY4JsxbhAEDgzR1U/Pm7n3FuoIbCCPI6TQcRN2cB4NrvNNUoqZg==,iv:MZbgnw3GkgkQQNk2i4wNFkqcrsyIqdB1GbfeN+NTlwQ=,tag:MN7dV2BDjXxI3AxOYNie1Q==,type:str]
             oidcHmacSecret: ENC[AES256_GCM,data:BOB1jTSl/yi/rPll1Frd2eFJQdZ+vI2c291Aot50eKZcaLzqA9OwUKY3MlXhyk68RF0p/krFNwRq1c4vhOTrDg==,iv:l5AS24F/Zv2iLf4TYpqR9AOFAzloYEoOVq/SHl2+OuQ=,tag:8nMMAI8TghiMSfDJ+qOYLQ==,type:str]
             sessionSecret: ENC[AES256_GCM,data:kztWuKe/1zcnOypdbKh2SQ5LzS96XdjOngkJGDmtc8JdyJNbDbbAztLvN5FdUtJgo+Ltq6xFMsK5vQfIhmzttg==,iv://+sTH+dyZ18OUP9yJ67xEUhlR7gTLaL6Pich5VT4Qw=,tag:2JEAqUfmIwzSmKEaxBhkAQ==,type:str]
@@ -48,8 +53,8 @@ sops:
             MmVobitCNUxvUGJmRUtWWEhZekdHaEEKcx1nN+bR2wsexYV/B5PC+Pu9Yi9w+KE8
             Kcy2S1Cyu7MEkE8it447yqixIA5l5mbFGRjfTvI8KZXZUGgLecAktQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-31T12:56:51Z"
-    mac: ENC[AES256_GCM,data:8nvliPtSMgYYos0PTHHa8O+THld8IJnCWIPtD8/9YZfMfK7YBXm/yMEgDe7mcOa0y796MjDtwt7TFTZFF3L7bX1tQJ1HWGURPGhROskVlurN9j50qyU83LFOTbI0gGCJjiYWDOfCT0IZxDwJcdOxBD+MZRZwqMH8akefgAODte0=,iv:SyL7R9H0t/WZhUwFqKhc+9x1nKCJX9x44X3XD2+Zjro=,tag:gv+Y4I11ulQKAr9Q2QarBA==,type:str]
+    lastmodified: "2025-07-31T16:20:35Z"
+    mac: ENC[AES256_GCM,data:sUp5iU2DRyCg+X6iCh73hKkCXwE65B8dm73sHu8e9nB032ctaRt4Ymc8zySIDhCj/ehCj2xeZy49TymGJYrsq9APSgquDuEWdC0hDG3D6dEPlgOGh4rolY9s/EtK2ciyA3oA1UfEHKYagblm2WnkECU2oIe4PmXTWlvyQIKOYo4=,iv:vOqJi2At4QGoOLAdsKWqds76viPZJrj9giiY7gMTFi4=,tag:KuOaDP8jui5FpBriayj3lA==,type:str]
     pgp:
         - created_at: "2025-07-15T13:47:27Z"
           enc: |-