Configure SSO for Grafana

Restore Hedgedoc
Configure Kanidm
2026-02-18 10:10:13 +01:00 · 2026-02-18 10:07:53 +01:00 · 2026-02-18 10:05:29 +01:00 · 2026-02-18 02:00:53 +01:00 · 2026-02-18 01:55:38 +01:00 · 2026-02-18 01:52:27 +01:00
13 changed files with 225 additions and 102 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1,4 +1,3 @@
 .DS_Store
-secrets/gpg-secret
 secrets/id_ed25519-nix-builder
 .direnv
--- a/README.md
+++ b/README.md
@ -18,11 +18,7 @@
 - rsync state:
  - `/var/lib`:
    - `acme/.lego`
-    - `bin_rs`
    - `fail2ban`
-    - `grafana`
-    - `headscale`
-    - `hedgedoc`
    - `mastodon`
      - dump and import Postgres and Redis DBs
    - `matterbridge`
@ -33,6 +29,17 @@
    - `prometheus2`
    - `prosody`
  - `/home/ftp`  
+### synchronicity-ii:
+- `nh os switch --target-host root@synchronicity-ii -H synchronicity-ii` - deploy config
+- `passwd` - set user passwords
+- rsync state:
+  - `/var/lib`:
+    - `acme/.lego`
+    - `bin_rs`
+    - `grafana`
+    - `headscale`
+    - `hedgedoc`
+    - `prometheus2`

 ### penrose/sierpinski:
 - `nh darwin switch` - deploy config
--- a/common/fragments/bittorrent.nix
+++ b/common/fragments/bittorrent.nix
@ -84,21 +84,4 @@
      ];
    };
  };
-
-  # SMB Share
-  services.samba = {
-    enable = true;
-    openFirewall = true;
-    settings.global = {
-      "server string" = "Synchronicity-II";
-      "guest account" = "nobody";
-      "map to guest" = "bad user";
-    };
-    settings.Library = {
-      path = "/mnt/library";
-      browseable = "yes";
-      "read only" = "no";
-      "guest ok" = "yes";
-    };
-  };
 }
--- a/common/fragments/grafana.nix
+++ b/common/fragments/grafana.nix
@ -1,17 +1,59 @@
 { config, ... }:
 {
+  sops.secrets.grafana-key = {
+    owner = config.users.users.grafana.name;
+  };
+  sops.secrets.grafana-oauth = {
+    owner = config.users.users.grafana.name;
+  };
  services.grafana = {
    enable = true;
    settings.server = {
-      domain = "grafana.technogothic.net";
+      root_url = "https://grafana.technogothic.net";
      http_port = 2342;
      http_addr = "127.0.0.1";
    };
-    settings."auth.anonymous" = {
+    settings = {
+      "auth.anonymous" = {
        enabled = true;
        org_name = "Main Org.";
        org_role = "Viewer";
      };
+      "auth.generic_oauth" =
+        let
+          authServerUrl = config.services.kanidm.serverSettings.origin;
+        in
+        {
+          enabled = true;
+          name = "Kanidm";
+          allow_sign_up = true;
+
+          client_id = "grafana";
+          client_secret = "$__file{${config.sops.secrets.grafana-oauth.path}}";
+          scopes = "openid profile email groups";
+          use_pkce = true;
+          use_refresh_token = true;
+
+          auth_url = "${authServerUrl}/ui/oauth2";
+          token_url = "${authServerUrl}/oauth2/token";
+          api_url = "${authServerUrl}/oauth2/openid/grafana/userinfo";
+
+          groups_attribute_path = "groups";
+          role_attribute_path = builtins.concatStringsSep " || " [
+            "contains(grafana_role[*], 'GrafanaAdmin') && 'GrafanaAdmin'"
+            "contains(grafana_role[*], 'Admin') && 'Admin'"
+            "contains(grafana_role[*], 'Editor') && 'Editor'"
+            "'Viewer'"
+          ];
+          login_attribute_path = "preferred_username";
+          allow_assign_grafana_admin = true;
+        };
+      security = {
+        disable_initial_admin_creation = true;
+        secret_key = "$__file{${config.sops.secrets.grafana-key.path}}";
+        cookie_secure = true;
+      };
+    };
  };

  services.nginx.virtualHosts."grafana.technogothic.net" = {
--- a/common/fragments/hedgedoc.nix
+++ b/common/fragments/hedgedoc.nix
@ -1,11 +1,55 @@
+{ config, ... }:
 {
+  sops.secrets.hedgedoc-oauth = {
+    sopsFile = ../../secrets/hedgedoc-oauth.env;
+    format = "dotenv";
+    owner = config.users.users.hedgedoc.name;
+  };
  services.hedgedoc = {
    enable = true;
+    environmentFile = config.sops.secrets.hedgedoc-oauth.path;
    settings = {
      domain = "hedgedoc.technogothic.net";
      protocolUseSSL = true;
-      allowOrigin = [ "localhost" "hedgedoc.technogothic.net" ];
-      allowEmailRegister = false;
+      allowOrigin = [
+        "localhost"
+        "hedgedoc.technogothic.net"
+      ];
+      email = false;
+      oauth2 =
+        let
+          authServerUrl = config.services.kanidm.serverSettings.origin;
+        in
+        {
+          baseURL = "${authServerUrl}/oauth2";
+          tokenURL = "${authServerUrl}/oauth2/token";
+          authorizationURL = "${authServerUrl}/ui/oauth2";
+          userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
+
+          clientID = "hedgedoc";
+          scope = "openid email profile groups";
+          userProfileUsernameAttr = "name";
+          userProfileEmailAttr = "email";
+          userProfileDisplayNameAttr = "displayname";
+          pkce = true;
+
+          providerName = "Kanidm";
+          rolesClaim = "roles";
+          accessRole = "hedgedoc_users";
+        };
+
+    };
+  };
+
+  services.nginx.virtualHosts."hedgedoc.technogothic.net" = {
+    useACMEHost = "technogothic.net";
+    forceSSL = true;
+
+    locations."/".proxyPass = "http://localhost:3000";
+    locations."/socket.io/" = {
+      proxyPass = "http://localhost:3000";
+      proxyWebsockets = true;
+      extraConfig = "proxy_ssl_server_name on;";
    };
  };
 }
--- a/common/fragments/kanidm.nix
+++ b/common/fragments/kanidm.nix
@ -0,0 +1,41 @@
+{ pkgs, config, ... }:
+let
+  cfg = config.services.kanidm;
+in
+{
+  services.kanidm = {
+    package = pkgs.kanidm_1_8;
+    enableServer = true;
+    serverSettings = {
+      origin = "https://${cfg.serverSettings.domain}";
+      domain = "aphex.technogothic.net";
+
+      # otel_grpc_url = "http://localhost:9008";
+
+      tls_chain = "${config.security.acme.certs."technogothic.net".directory}/fullchain.pem";
+      tls_key = "${config.security.acme.certs."technogothic.net".directory}/key.pem";
+    };
+
+    enableClient = true;
+    clientSettings = {
+      uri = cfg.serverSettings.origin;
+    };
+  };
+
+  users.users.kanidm.extraGroups = [
+    "acme"
+    "nginx"
+  ];
+
+  services.nginx.virtualHosts."${cfg.serverSettings.domain}" = {
+    useACMEHost = "technogothic.net";
+    forceSSL = true;
+
+    locations."/" = {
+      proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
+      extraConfig = ''
+        proxy_ssl_verify off;
+      '';
+    };
+  };
+}
--- a/common/fragments/vsftpd.nix
+++ b/common/fragments/vsftpd.nix
@ -1,14 +1,25 @@
-{ config, ... }: {
+{ config, ... }:
+{
+  networking.firewall = {
+    allowedTCPPorts = [
+      20
+      21
+    ];
+    allowedTCPPortRanges = [
+      {
+        from = 40000;
+        to = 40200;
+      }
+    ];
+  };
+
  services.vsftpd = {
    enable = true;
    anonymousUser = true;
    anonymousUserNoPassword = true;

-    rsaCertFile = "${
-        config.security.acme.certs."technogothic.net".directory
-      }/fullchain.pem";
-    rsaKeyFile =
-      "${config.security.acme.certs."technogothic.net".directory}/key.pem";
+    rsaCertFile = "${config.security.acme.certs."technogothic.net".directory}/fullchain.pem";
+    rsaKeyFile = "${config.security.acme.certs."technogothic.net".directory}/key.pem";

    forceLocalLoginsSSL = true;
    forceLocalDataSSL = true;
@ -22,4 +33,17 @@
      ssl_ciphers=HIGH
    '';
  };
+
+  security.acme.defaults.reloadServices = [ "vsftpd" ];
+
+  services.nginx.virtualHosts."ftp.technogothic.net" = {
+    useACMEHost = "technogothic.net";
+    forceSSL = true;
+
+    root = "/home/ftp";
+
+    locations."/" = {
+      extraConfig = "autoindex on;";
+    };
+  };
 }
--- a/common/users/default.nix
+++ b/common/users/default.nix
@ -8,6 +8,7 @@
        "networkmanager"
        "wheel"
        "docker"
+        "vsftpd"
      ];
      shell = pkgs.fish;

--- a/flake.lock
+++ b/flake.lock
@ -59,11 +59,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1765605144,
-        "narHash": "sha256-RM2xs+1HdHxesjOelxoA3eSvXShC8pmBvtyTke4Ango=",
+        "lastModified": 1770260404,
+        "narHash": "sha256-3iVX1+7YUIt23hBx1WZsUllhbmP2EnXrV8tCRbLxHc8=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "90b62096f099b73043a747348c11dbfcfbdea949",
+        "rev": "0d782ee42c86b196acff08acfbf41bb7d13eed5b",
        "type": "github"
      },
      "original": {
@ -202,11 +202,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1765066094,
-        "narHash": "sha256-0YSU35gfRFJzx/lTGgOt6ubP8K6LeW0vaywzNNqxkl4=",
+        "lastModified": 1767634391,
+        "narHash": "sha256-owcSz2ICqTSvhBbhPP+1eWzi88e54rRZtfCNE5E/wwg=",
        "owner": "LnL7",
        "repo": "nix-darwin",
-        "rev": "688427b1aab9afb478ca07989dc754fa543e03d5",
+        "rev": "08585aacc3d6d6c280a02da195fdbd4b9cf083c2",
        "type": "github"
      },
      "original": {
@ -232,11 +232,11 @@
    },
    "nixpkgs-darwin": {
      "locked": {
-        "lastModified": 1765676008,
-        "narHash": "sha256-jm7jhNnicKaFxetVii3pS04wsiFIUKqqVHc1jVf8z50=",
+        "lastModified": 1770746255,
+        "narHash": "sha256-ZzMQ1deN/Ca0GapjGtvlCXPop/ZzFtolpb37KrDTgWo=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "988649b2eac5c348b229ab340ba7e40382f77483",
+        "rev": "78d26d24b115f5df93835994696a30b20bb38c83",
        "type": "github"
      },
      "original": {
@ -264,11 +264,11 @@
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1765425892,
-        "narHash": "sha256-jlQpSkg2sK6IJVzTQBDyRxQZgKADC2HKMRfGCSgNMHo=",
+        "lastModified": 1770843696,
+        "narHash": "sha256-LovWTGDwXhkfCOmbgLVA10bvsi/P8eDDpRudgk68HA8=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "5d6bdbddb4695a62f0d00a3620b37a15275a5093",
+        "rev": "2343bbb58f99267223bc2aac4fc9ea301a155a16",
        "type": "github"
      },
      "original": {
@ -296,11 +296,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1765762245,
-        "narHash": "sha256-3iXM/zTqEskWtmZs3gqNiVtRTsEjYAedIaLL0mSBsrk=",
+        "lastModified": 1770770419,
+        "narHash": "sha256-iKZMkr6Cm9JzWlRYW/VPoL0A9jVKtZYiU4zSrVeetIs=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "c8cfcd6ccd422e41cc631a0b73ed4d5a925c393d",
+        "rev": "6c5e707c6b5339359a9a9e215c5e66d6d802fd7a",
        "type": "github"
      },
      "original": {
@ -348,11 +348,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1768863606,
-        "narHash": "sha256-1IHAeS8WtBiEo5XiyJBHOXMzECD6aaIOJmpQKzRRl64=",
+        "lastModified": 1770683991,
+        "narHash": "sha256-xVfPvXDf9QN3Eh9dV+Lw6IkWG42KSuQ1u2260HKvpnc=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "c7067be8db2c09ab1884de67ef6c4f693973f4a2",
+        "rev": "8b89f44c2cc4581e402111d928869fe7ba9f7033",
        "type": "github"
      },
      "original": {
@ -430,11 +430,11 @@
        "utils": "utils_3"
      },
      "locked": {
-        "lastModified": 1734618283,
-        "narHash": "sha256-QFYFxw58d3WOU6SYDiazyaSz+mSJwgABsMEf1joM2FE=",
+        "lastModified": 1766323809,
+        "narHash": "sha256-lS9M7v8w7ruYz/ylom0ZIfK45vkFZQ3X98a/Is8BOTY=",
        "owner": "AgathaSorceress",
        "repo": "url-eater",
-        "rev": "96af6b75a3605043141db6bf80ad60866c10c827",
+        "rev": "d617007eba79f9760db084aefda6c02c80ad7971",
        "type": "github"
      },
      "original": {
--- a/hosts/bloodletting/configuration.nix
+++ b/hosts/bloodletting/configuration.nix
@ -10,7 +10,6 @@
    ../../common
    ../../common/linux-specific.nix
    ../../common/fragments/fail2ban.nix
-    ../../common/fragments/hedgedoc.nix
    ../../common/fragments/mastodon-ebooks.nix
    ../../common/fragments/mastodon.nix
    ../../common/fragments/matrix-ril100.nix
@ -22,7 +21,6 @@
    ../../common/fragments/prometheus.nix
    ../../common/fragments/prosody.nix
    ../../common/fragments/sops.nix
-    ../../common/fragments/vsftpd.nix
    ../../common/home_manager/common.nix
  ];

@ -71,19 +69,11 @@
  # Open ports in the firewall.
  networking.firewall = {
    allowedTCPPorts = [
-      20
-      21
      22
      80
      443
      990
    ];
-    allowedTCPPortRanges = [
-      {
-        from = 40000;
-        to = 40200;
-      }
-    ];
    trustedInterfaces = [ "podman0" ];
  };

@ -107,13 +97,12 @@
      "*.argent.technogothic.net"
    ];
    dnsProvider = "hurricane";
-    credentialsFile = config.sops.secrets.hurricane-tokens.path;
+    environmentFile = config.sops.secrets.hurricane-tokens.path;
    group = "nginx";
  };

  security.acme.defaults.reloadServices = [
    "nginx"
-    "vsftpd"
    "prosody"
  ];
  systemd.services.nginx.serviceConfig.ProtectHome = "read-only";
@ -181,17 +170,6 @@
      globalRedirect = "technogothic.net";
    };

-    virtualHosts."ftp.technogothic.net" = {
-      useACMEHost = "technogothic.net";
-      forceSSL = true;
-
-      root = "/home/ftp";
-
-      locations."/" = {
-        extraConfig = "autoindex on;";
-      };
-    };
-
    virtualHosts."fv.technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
@ -224,18 +202,6 @@
      extraConfig = "client_max_body_size 64M;";
    };

-    virtualHosts."hedgedoc.technogothic.net" = {
-      useACMEHost = "technogothic.net";
-      forceSSL = true;
-
-      locations."/".proxyPass = "http://localhost:3000";
-      locations."/socket.io/" = {
-        proxyPass = "http://localhost:3000";
-        proxyWebsockets = true;
-        extraConfig = "proxy_ssl_server_name on;";
-      };
-    };
-
    virtualHosts."jellyfin.technogothic.net" = {
      useACMEHost = "technogothic.net";
      forceSSL = true;
--- a/hosts/synchronicity/configuration.nix
+++ b/hosts/synchronicity/configuration.nix
@ -13,9 +13,12 @@
    ../../common/fragments/bittorrent.nix
    ../../common/fragments/grafana.nix
    ../../common/fragments/headscale.nix
+    ../../common/fragments/hedgedoc.nix
+    ../../common/fragments/kanidm.nix
    ../../common/fragments/prometheus.nix
    ../../common/fragments/sops.nix
    ../../common/fragments/storage.nix
+    ../../common/fragments/vsftpd.nix
    ../../common/home_manager/common.nix
  ];

@ -27,19 +30,11 @@
  # Open ports in the firewall.
  networking.firewall = {
    allowedTCPPorts = [
-      20
-      21
      22
      80
      443
      990
    ];
-    allowedTCPPortRanges = [
-      {
-        from = 40000;
-        to = 40200;
-      }
-    ];
    trustedInterfaces = [ "podman0" ];
  };

@ -62,7 +57,7 @@
      "technogothic.net"
    ];
    dnsProvider = "hurricane";
-    credentialsFile = config.sops.secrets.hurricane-tokens.path;
+    environmentFile = config.sops.secrets.hurricane-tokens.path;
    group = "nginx";
  };

@ -82,6 +77,14 @@
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
+
+    virtualHosts._ = {
+      default = true;
+      useACMEHost = "technogothic.net";
+      forceSSL = true;
+
+      extraConfig = "return 404;";
+    };
  };

  # This value determines the NixOS release from which the default
--- a/secrets/hedgedoc-oauth.env
+++ b/secrets/hedgedoc-oauth.env
@ -0,0 +1,11 @@
+CMD_OAUTH2_CLIENT_SECRET=ENC[AES256_GCM,data:99VzpdiJOmKmyRyPd28tVYBNYuTVZg0z5dqp0gZqIp++hqwneOslDkLwStoJ/i5m,iv:hlHOcgTh8DttrSI0sz3pv19x5LuRURZ//UBWEs5FpGg=,tag:pAPS4NYXNQ6omgVWLR4S8A==,type:str]
+sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHBpdi1wMjU2IFdhNW5ydyBBOFlwTU5E\nOFZVOTlxMWU5bDVxKzZCUVdxSzg0d2xaR21uWmM0QVJGeHY3Mwpheml0TS9lejRU\nSWtybEhQT3lBc1h3b2Vkd0w0SXZETXJrQzZENVBaOFJVCi0tLSBSMHViVHlrbFdt\nTDJWc3puWm1OWDQzbEpSNHI5TWdMQXNuVTZGVy83TEVFCprclQ3Na/0zCTuOKHSH\nd4V2IiMHxwn3mcoKrEDB8+gILanNnhJwKvqYDpMYEqDzGy48HK9MGcQ9YSY/YbYB\nvKM=\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_0__map_recipient=age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
+sops_age__list_1__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4SCt4WC9rNG5pQ1RFVHdB\nalZ0Q0ZjNEN4eFNPY240VEFsS1BDYXFFS2dRCm1BSGZKUmUrNmZhaytiUVp0RXo4\nRDlYanBEaWlYN1ZJRHl4dkY5a0QxLzAKLS0tIGNIRlI5aXl5TGczc3R0bW44TUlx\nWEI5YlpvblNpUU9FTitNTTFlb0JmR2sKzSavj1koSJCu2e51jBigqNfFmHNv/x3r\nZwZ/R8JPglqKlzdhDYYvrdwqlAdL5QU8bVzWFsZwCag5eEgLJaU1kQ==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_1__map_recipient=age1kjnrt7vnwhqzryxrgakd7tdga9sxvjrlgtj0j8xz0sah798atvxquvpqla
+sops_age__list_2__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCRHRxRTEvZjgza0VtRi9X\nTlVSc2h0andqSllzOGZ4SU9jL1R1TGRGL1VjCkZLUGFGRTR6SVgwUEZxU3BFb1ZN\nQnIvNlNteVozWDdsRzRqV0hmU3RVVUEKLS0tIGoydFc4SFYvQ09LY2kvZ1ljY3pr\nOHF2Z3VORzU2MXNHd0QyL1NrTnpQb00KaTK2sy8IztMPaYfruiQYKV+hGUcos22q\nKDt53HysD5Q/zQJyFomKGsBWPTqSfK2UnoI+PN9PkZkX/vE4Xp7y0g==\n-----END AGE ENCRYPTED FILE-----\n
+sops_age__list_2__map_recipient=age1nhs7nhvkqhw8qgdyxwmgts044ce3t7jsgesea5l5mfz4ex6jsgyq76cfsy
+sops_lastmodified=2026-02-08T00:41:43Z
+sops_mac=ENC[AES256_GCM,data:hCGTiM/g66uRkYVlm4Ejp4wFphWcumVAWXXSAqTKOnKXG6L0rT9V4oTcM5W4h76l9YB8wlSmjvp+2Zc7G8kLXT2oYLZXT8lrDOkVNhjUASG80uWxdjJTUdj/naqkfpjXmSFmVjCVLTBCT9/rIb4usuu7+gUl3GgpGmekUAsPWxk=,iv:lfGtxhxEMaVUyg7lUp7QhDBjJt38FpHF3x/4VvAeJ6I=,tag:iEC3+8VZqbFe12OeStqEEw==,type:str]
+sops_unencrypted_suffix=_unencrypted
+sops_version=3.11.0
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@ -2,6 +2,8 @@ gocryptfs-pass: ENC[AES256_GCM,data:9kNFGfTBdOGoXDfSQmnrkihnXmF2Qx0U,iv:lzPqXHbn
 restic-pass: ENC[AES256_GCM,data:URCa2YXY103XnZmyY0Wp5RrzHPj5MvCvDcRurtfDPMU=,iv:0XvodvaSV3AkbDnXqHhRbvt1IcB0goeQBClwwzdxH7Q=,tag:huH+5YPARPAueMNmzI3Aig==,type:str]
 create-ap-pass: ENC[AES256_GCM,data:iIq0ZUCWKYKZWNmvTjon0D8HkzxL9iqX5rJj6VBkkwI=,iv:KGkYVwErmb5ra+HTv6MAgOW0Fs8vWx/Kz8PWD4Xx9I8=,tag:GOtcKfSe+61SGoh1PRGNWg==,type:str]
 qbittorrent-pass: ENC[AES256_GCM,data:J5m9y2pX5oI6ziIkhlMXXgszDum+rfQFfAQoImawW48=,iv:FqOYreDUX0CATPugra/dTlx2yMS4UMN0o8NesueRu3k=,tag:neKoHJhwdUdl/2mJKWkslg==,type:str]
+grafana-key: ENC[AES256_GCM,data:m/MJnidxdqnGk2GO6JXQ9Gw36a5gIWkVumggOx6NjZE=,iv:aCArsPNlDsp1b0+CAYRqAHV5n69wwUccSgvTXpKhEwQ=,tag:10rM/WytKNS3HqHMht4sMw==,type:str]
+grafana-oauth: ENC[AES256_GCM,data:en+OyzGDfNKYisyQxvlIRVrCXPNgyOgCIngtoEsJNTnO9RHqW4ny+rfKhZz0IZfl,iv:tI1q9UYI8ddi4KkSi/NiNJ50Eo21yi+vSHs9KZUsm58=,tag:SeGw6fJVshVAvuMfYcnDqg==,type:str]
 sops:
    age:
        - recipient: age1se1q089cm462yku3md4xyk9lc4ck2x429awx9gh75lg6tpcaeyumcpnud7nht9
@ -32,7 +34,7 @@ sops:
            RGtjY1V6U2tla3ZaS09haXYrYUNrVDgK0e3UVPshSTB7kwYzm4uVUDif2PwiIGg4
            Qb4P3L13Lg6tT0a1SBEs2gedbNVcWyA0YgGTWouWvZIhBmSCOvHYVQ==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-01-30T13:08:33Z"
-    mac: ENC[AES256_GCM,data:uLkpRbQSwRY9JWXMeoTspoZHKyCaIwkCYzUE+R3Uwooft2VuvaPOQ+n9R9XpK4QWWKGQ86iRSBAhqX0Zc0xuvtMDZBIdjI1968U5JFSQoRI5Y68byQw+AayI+j/wrC4K/OPly/ain0soiHbtBh8WmHpSVGk+gVSrnHNgeLXMtxw=,iv:BVOYNlLGqTNRQB134ETNsLmkHO7eSiVimAqF2fHoC2Y=,tag:bqYoeCmGtzwL33BK6Q+U8w==,type:str]
+    lastmodified: "2026-02-08T00:40:49Z"
+    mac: ENC[AES256_GCM,data:erZf2eNF422UBzmRDgviq+X+ghs+CfP6gKSCJQsYR/AMr2QYuewzAfPEQ9UKcw8LNRmdlRCcqp7CV0qpUk+38j4m54ETDMqUBS3bwRjaKD/RocJ/5VB3Paq8rt5eiNH0KK4deFmm6ZHp5bccJwH45ne/ys2tLGbp+EiDCjGkud0=,iv:AzzlewHvkTcAO9KLM1+lS4mvb8A75gPgquTNLzXEDvw=,tag:LY0+FTisigltO+pmrTzxgQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.11.0
Author	SHA1	Message	Date
Agatha Lovelace	27dba00336	Configure SSO for Grafana	2026-02-18 10:10:13 +01:00
Agatha Lovelace	1c8a04a051	Restore Hedgedoc	2026-02-18 10:07:53 +01:00
Agatha Lovelace	3d397f7759	Configure Kanidm	2026-02-18 10:05:29 +01:00
Agatha Lovelace	02c54eaa8b	Restore FTP server	2026-02-18 02:00:53 +01:00
Agatha Lovelace	9fe16027e8	SMB shares considered harmful TODO: Maybe replace with NFS once the great storage migration happens	2026-02-18 01:55:38 +01:00
Agatha Lovelace	9eb64574a8	Replace hardcoded secret in grafana config	2026-02-18 01:52:27 +01:00
Agatha Lovelace	2f9a36bd9b	Fix nginx falling back to first available service on unused subdomains	2026-02-09 14:50:17 +01:00
Agatha Lovelace	de41595019	Update README	2026-02-06 12:39:21 +01:00