thinkpad: add wine

flake.lock

@@ -12,11 +12,11 @@
         "systems": "systems"
       },
       "locked": {
-        "lastModified": 1712079060,
+        "lastModified": 1714136352,
-        "narHash": "sha256-/JdiT9t+zzjChc5qQiF+jhrVhRt8figYH29rZO7pFe4=",
+        "narHash": "sha256-BtWQ2Th/jamO1SlD+2ASSW5Jaf7JhA/JLpQHk0Goqpg=",
         "owner": "ryantm",
         "repo": "agenix",
-        "rev": "1381a759b205dff7a6818733118d02253340fd5e",
+        "rev": "24a7ea390564ccd5b39b7884f597cfc8d7f6f44e",
         "type": "github"
       },
       "original": {
@@ -216,11 +216,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1714042918,
+        "lastModified": 1714203603,
-        "narHash": "sha256-4AItZA3EQIiSNAxliuYEJumw/LaVfrMv84gYyrs0r3U=",
+        "narHash": "sha256-eT7DENhYy7EPLOqHI9zkIMD9RvMCXcqh6gGqOK5BWYQ=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "0c5704eceefcb7bb238a958f532a86e3b59d76db",
+        "rev": "c1609d584a6b5e9e6a02010f51bd368cb4782f8e",
         "type": "github"
       },
       "original": {
@@ -332,11 +332,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1713895582,
+        "lastModified": 1714076141,
-        "narHash": "sha256-cfh1hi+6muQMbi9acOlju3V1gl8BEaZBXBR9jQfQi4U=",
+        "narHash": "sha256-Drmja/f5MRHZCskS6mvzFqxEaZMeciScCTFxWVLqWEY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "572af610f6151fd41c212f897c71f7056e3fb518",
+        "rev": "7bb2ccd8cdc44c91edba16c48d2c8f331fb3d856",
         "type": "github"
       },
       "original": {

hosts/nuc/modules/seafile/default.nix

@@ -3,13 +3,38 @@ let
   domain = "seafile.${config.networking.domain}";
 in
 {
+  age.secrets."seafile/oidc-secret" = {
+    file = ../../../../secrets/nuc/seafile/oidc-secret.age;
+    mode = "0440";
+    group = "seafile";
+  };
   services.seafile = {
     enable = true;
-    adminEmail = "rouven@rfive.de";
+    adminEmail = "admin@rfive.de";
     initialAdminPassword = "unused garbage";
     ccnetSettings.General.SERVICE_URL = "https://${domain}";
     ccnetSettings.General.FILE_SERVER_ROOT = "https://${domain}/seafhttp";
     seafileSettings.fileserver.port = 8083;
+    seahubExtraConf = ''
+      ENABLE_OAUTH = True
+      OAUTH_ENABLE_INSECURE_TRANSPORT = True
+
+      OAUTH_CLIENT_ID = "seafile"
+      with open('${config.age.secrets."seafile/oidc-secret".path}') as f:
+        OAUTH_CLIENT_SECRET = f.readline().rstrip()
+      OAUTH_REDIRECT_URL = 'https://seafile.rfive.de/oauth/callback/'
+ 
+      OAUTH_PROVIDER_DOMAIN   = 'seafile.rfive.de'
+      OAUTH_AUTHORIZATION_URL = 'https://auth.rfive.de/realms/master/protocol/openid-connect/auth'
+      OAUTH_TOKEN_URL         = 'https://auth.rfive.de/realms/master/protocol/openid-connect/token'
+      OAUTH_USER_INFO_URL     = 'https://auth.rfive.de/realms/master/protocol/openid-connect/userinfo'
+      OAUTH_SCOPE = [ "openid", "profile", "email"]
+      OAUTH_ATTRIBUTE_MAP = {
+          "id":    (False, "not used"),
+          "name":  (False, "full name"),
+          "email": (True, "email"),
+      }
+    '';
   };
   services.nginx.virtualHosts."${domain}" = {
     locations."/" = {
@@ -24,5 +49,8 @@ in
     locations."/media" = {
       root = pkgs.seahub;
     };
+    locations."/accounts/login" = {
+      return = "301 /oauth/login";
+    };
   };
 }

secrets.nix

@@ -22,6 +22,7 @@ in
   "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
+  "secrets/nuc/seafile/oidc-secret.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
   "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];
 

users/rouven/modules/packages.nix

@@ -43,6 +43,7 @@
     mosh
     typst
     hut
+    wine
 
     # programming languages
     cargo