nix/README.md

# Xeovalyte Dotfiles with Nix

## New system install guide

### 1. Install Nixos with ISO

[Nixos download](https://nixos.org/download)

### 2. Copy hardware configuration to hosts directory

### 3. Generate ssh-keys

**Archserver**

1. `ssh-keygen -f ~/.ssh/archserver`
2. `ssh-copy-id -i ~/.ssh/archserver 192.168.1.20`

**Gitea**

1. `ssh-keygen -f ~/.ssh/gitea -t ed25519 -C "me+gitea@xeovalyte.dev"`
2. Upload to [Gitea](https://gitea.xeovalyt.dev)
3. Verify ssh key (follow instructions on Gitea)

### 4. Add SSH keys

1. `ssh-add ~/.ssh/gitea`
2. `ssh-add ~/.ssh/archserver`

## Homelab

List over services

| Service        | Description          | Link                                                                   |
| -------------- | -------------------- | ---------------------------------------------------------------------- |
| Caddy          | Reverse proxy        | -                                                                      |
| Kanidm         | Openid provider      | [auth.tbmrs.nl](https://auth.tbmrs.nl)                                 |
| Forgejo        | Git provider         | [git.tbmrs.nl](https://git.tbmrs.nl)                                   |
| Immich         | Photo and videos     | [photos.tbmrs.nl](https://photos.tbmrs.nl)                             |
| Homepage       | Dashboard            | [home.tbmrs.nl](https://home.tbmrs.nl)                                 |
| Uptime Kuma    | Uptime monitor       | [uptime.tbmrs.nl](https://uptime.tbmrs.nl)                             |
| Pingvin share  | Sharing of files     | [share.tbmrs.nl](https://share.tbmrs.nl)                               |
| Vaultwarden    | Password manager     | [vault.local.tbmrs.nl](https://vault.local.tbmrs.nl)                   |
| Paperless NGX  | Documents management | [paperless.local.tbmrs.nl](https://paperless.local.tbmrs.nl)           |
| Beszel         | Resource usage       | [monitor.local.tbmrs.nl](https://monitor.local.tbmrs.nl)               |
| Dufs           | File manager         | [files.tbmrs.nl](https://files.tbmrs.nl)                               |
| Syncthing      | File syncing         | [syncthing.local.tbmrs.nl](https://syncthing.local.tbmrs.nl)           |
| Home Assistant | Home automation      | [home-assistant.local.tbmrs.nl](https://home-assistant.local.tbmrs.nl) |
| Karakeep       | Bookmarking          | [karakeep.local.tbmrs.nl](https://karakeep.local.tbmrs.nl)             |
| Vikunja        | Tasks management     | [vikunja.local.tbmrs.nl](https://vikunja.local.tbmrs.nl)               |
| Stalwart       | Mailserver           | [mail.tbmrs.nl](https://mail.tbmrs.nl)                                 |

### Openid commands

#### Configure new openid client

From: [Kanidm Docs](https://kanidm.github.io/kanidm/master/integrations/oauth2/examples.html)

Replace `<service>` with the name of the service.

1. Create a new Kanidm group, and add your regular account to it:

```bash
$ kanidm group create <service>_users
$ kanidm group add-members <service>_users your_username
```

2. Create a new OAuth2 application configuration in Kanidm, configure the redirect URL, and scope access to the group:

```bash
$ kanidm system oauth2 create <service> <servicename> <service_login_url>
$ kanidm system oauth2 add-redirect-url <service> <redirect_url>
$ kanidm system oauth2 update-scope-map <service> <service>_users email openid profile groups
```

3. (Optional) Disable PKCE

```bash
$ kanidm system oauth2 warning-insecure-client-disable-pkce <service>
```

4. Get the OAuth2 client secret from Kanidm

```bash
$ kanidm system oauth2 show-basic-secret <service>
```