From bacb1e97be401c5dd588a4e259b4e8c020f6ff92 Mon Sep 17 00:00:00 2001 From: isabel Date: Tue, 14 Jan 2025 21:45:13 +0000 Subject: [PATCH] feat: robin can have some infra access --- modules/nixos/services/selfhosted/kanidm.nix | 20 +++++++++++++------ .../nixos/services/selfhosted/mailserver.nix | 14 +++++++++++++ secrets/mailserver/robin.age | 12 +++++++++++ secrets/secrets.nix | 4 +++- 4 files changed, 43 insertions(+), 7 deletions(-) create mode 100644 secrets/mailserver/robin.age diff --git a/modules/nixos/services/selfhosted/kanidm.nix b/modules/nixos/services/selfhosted/kanidm.nix index 157fe1dd..3263df06 100644 --- a/modules/nixos/services/selfhosted/kanidm.nix +++ b/modules/nixos/services/selfhosted/kanidm.nix @@ -19,8 +19,6 @@ let cfg = config.garden.services.kanidm; cfg' = config.garden.services; - - inherit (config.garden.system) mainUser; in { options.garden.services.kanidm = mkServiceOption "kanidm" { @@ -89,10 +87,10 @@ in idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path; persons = { - ${mainUser} = { - displayName = mainUser; - legalName = mainUser; - mailAddresses = [ "${mainUser}@${rdomain}" ]; + isabel = { + displayName = "isabel"; + legalName = "isabel"; + mailAddresses = [ "isabel@${rdomain}" ]; groups = [ "grafana.access" "grafana.admins" @@ -100,6 +98,16 @@ in "forgejo.admins" ]; }; + + robin = { + displayName = "robin"; + legalName = "robin"; + mailAddresses = [ "robin@${rdomain}" ]; + groups = [ + "grafana.access" + "forgejo.access" + ]; + }; }; groups = { diff --git a/modules/nixos/services/selfhosted/mailserver.nix b/modules/nixos/services/selfhosted/mailserver.nix index 5abe175d..e11b6c3e 100644 --- a/modules/nixos/services/selfhosted/mailserver.nix +++ b/modules/nixos/services/selfhosted/mailserver.nix 
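Review bot: The `isabel` person in the second kanidm.nix hunk is now keyed by a literal name instead of `${mainUser}`, and the first hunk drops the `mainUser` inherit, so `config.garden.system.mainUser` no longer decides which IdM account receives the grafana/forgejo admin groups. If that option still names the primary account elsewhere in the tree (not visible here), a later change to it would leave this admin person out of step with the system user. The literal matches what mailserver.nix already does with `mailserver-isabel`, so if the decoupling is deliberate a short comment above the `persons = {` line would make that explicit, e.g. `# persons are keyed by literal account name; mainUser is intentionally not used here`. The enclosing `persons`/`groups` attribute set continues past the third hunk.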
@@ -28,6 +28,7 @@ in age.secrets = { mailserver-isabel = mkSecret { file = "mailserver/isabel"; }; + mailserver-robin = mkSecret { file = "mailserver/robin"; }; mailserver-vaultwarden = mkSecret { file = "mailserver/vaultwarden"; }; mailserver-database = mkSecret { file = "mailserver/database"; }; mailserver-grafana = mkSecret { file = "mailserver/grafana"; }; @@ -103,6 +104,19 @@ in ]; }; + "robin@${rdomain}" = { + hashedPasswordFile = config.age.secrets.mailserver-robin.path; + aliases = [ + "robin" + "robinwobin" + "robinwobin@${rdomain}" + "comfy" + "comfy@${rdomain}" + "comfysage" + "comfysage@${rdomain}" + ]; + }; + "git@${rdomain}" = { aliases = [ "git" diff --git a/secrets/mailserver/robin.age b/secrets/mailserver/robin.age new file mode 100644 index 00000000..9c2ea999 --- /dev/null +++ b/secrets/mailserver/robin.age @@ -0,0 +1,12 @@ +age-encryption.org/v1 +-> ssh-ed25519 +i3g8Q 8EHEZvrUS/E/YqoozZzs3NfNKd5IHui9WL6xnY6nnF4 +rpMhNxbHKRHS/rs2aNckxUblQIf59yT0cWv5Mh+QFoI +-> ssh-ed25519 i6kcDQ IsCsZSDUK7+leOjaYEF4borZ6gMXTYrnZXQQmxPnwF4 +HtVBgkd+N6vNzSUUs5rc4caYqYB8oNxAvIXM4F0Po10 +-> ssh-ed25519 95443g 34rFAkuKdOEDy4yr+lUK1QG9yfn5E8tRzpkwkJj8mzE +ZEZ657apb2FOsrdZmcjHDKnY+bBNZOo7v4CqJi52X0Q +-> ssh-ed25519 YLWSMA y0mpHrBQ55HJqttitH5RVCIrs7JhrPKii2VemDmN40U +afXVWviwNc3oAa6i1GARd4ug4LEuKpdTN57kO0CemYo +--- fAcmE43B5I6EndW91iuY2ARH7en+jTDd3dCF60n0CVA +ll$tEmƛ5|䈬)AO-j}fa?١{{KvI[Lcs{s$GQ +ζKV:dVwlop \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index abe4ec93..17c33221 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -62,6 +62,7 @@ let defAccessIsabel = list: defAccess list [ "isabel" ]; defAccessRobin = list: defAccess list [ "robin" ]; + defAccessAll = list: defAccess list (builtins.attrNames users); in { # isabel's secrets 
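Review bot: `defAccessAll` builds its recipient list from `builtins.attrNames users`, so the file it is applied to in the following secrets.nix hunk, `mailserver/robin.age`, becomes decryptable by every key in `users`, present and future, rather than by the two people who need it. The neighbouring helpers `defAccessIsabel` and `defAccessRobin` already scope a secret to one user; an explicit `defAccess list [ "isabel" "robin" ]` would give robin his credential and (presumably) keep the repository owner able to rekey, without implicitly widening the recipient set the next time someone is added to `users`. If "everyone" really is the intent, a one-line comment on the helper would save the next reader from guessing, e.g. `# every user key plus the given hosts; reserve for shared, low-sensitivity secrets`. The `users` attrset itself is defined outside the hunk.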
@@ -92,6 +93,7 @@ in # mailserver "mailserver/isabel.age" = defAccessIsabel types.servers; + "mailserver/robin.age" = defAccessAll types.servers; "mailserver/vaultwarden.age" = defAccessIsabel types.servers; "mailserver/database.age" = defAccessIsabel types.servers; "mailserver/grafana.age" = defAccessIsabel types.servers; @@ -124,7 +126,7 @@ in "plausible/key.age" = defAccessIsabel types.servers; "plausible/admin.age" = defAccessIsabel types.servers; - #wakapi + # wakapi "wakapi.age" = defAccessIsabel types.servers; "wakapi-mailer.age" = defAccessIsabel types.servers;