feat: switch to kanidm instead

This commit is contained in:
Patrick 2024-03-05 00:34:50 +01:00
parent f20a32ab6c
commit 0ebe35e701
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
12 changed files with 60 additions and 14 deletions


@ -17,7 +17,7 @@
vaultwardendomain = "pw.${config.secrets.secrets.global.domains.web}"; vaultwardendomain = "pw.${config.secrets.secrets.global.domains.web}";
spotifydomain = "spotify.${config.secrets.secrets.global.domains.web}"; spotifydomain = "spotify.${config.secrets.secrets.global.domains.web}";
apispotifydomain = "api.spotify.${config.secrets.secrets.global.domains.web}"; apispotifydomain = "api.spotify.${config.secrets.secrets.global.domains.web}";
autheliadomain = "auth.${config.secrets.secrets.global.domains.web}"; kanidmdomain = "auth.${config.secrets.secrets.global.domains.web}";
ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv4; ipOf = hostName: lib.net.cidr.host config.secrets.secrets.global.net.ips."${config.guests.${hostName}.nodeName}" config.secrets.secrets.global.net.privateSubnetv4;
in { in {
services.nginx = { services.nginx = {
@ -214,20 +214,20 @@ in {
''; '';
}; };
upstreams.authelia = { upstreams.kanidm = {
servers."${ipOf "authelia"}:${toString nodes.elisabeth-authelia.config.services.authelia.instances.main.settings.server.port}" = {}; servers."${ipOf "kanidm"}:3000" = {};
extraConfig = '' extraConfig = ''
zone authelia 64k ; zone kanidm 64k ;
keepalive 5 ; keepalive 5 ;
''; '';
}; };
virtualHosts.${autheliadomain} = { virtualHosts.${kanidmdomain} = {
forceSSL = true; forceSSL = true;
useACMEHost = "web"; useACMEHost = "web";
locations."/".proxyPass = "http://authelia"; locations."/".proxyPass = "https://kanidm";
extraConfig = '' extraConfig = ''
client_max_body_size 4G ; proxy_ssl_verify off ;
''; '';
}; };
}; };
@ -268,7 +268,7 @@ in {
../../modules/config ../../modules/config
../../modules/services/${guestName}.nix ../../modules/services/${guestName}.nix
{ {
node.secretsDir = ./secrets/${guestName}; node.secretsDir = config.node.secretsDir + "/${guestName}";
systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = { systemd.network.networks."10-${config.guests.${guestName}.networking.mainLinkName}" = {
DHCP = lib.mkForce "no"; DHCP = lib.mkForce "no";
address = [ address = [
@ -319,7 +319,7 @@ in {
// mkContainer "ollama" {} // mkContainer "ollama" {}
// mkContainer "ttrss" {} // mkContainer "ttrss" {}
// mkContainer "yourspotify" {} // mkContainer "yourspotify" {}
// mkContainer "authelia" {} // mkContainer "kanidm" {}
// mkContainer "nextcloud" { // mkContainer "nextcloud" {
enablePanzer = true; enablePanzer = true;
} }
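Review bot: `proxy_ssl_verify off ;` in the `virtualHosts.${kanidmdomain}` extraConfig, together with `locations."/".proxyPass = "https://kanidm";`, makes nginx accept any certificate the upstream presents, so the TLS hop to the identity provider authenticates nothing and a host on the private subnet that can answer for the kanidm address could impersonate the IdP to the proxy. The kanidm module added in this same commit already serves TLS from `cert.age`/`key.age`, so nginx can verify it instead: `proxy_ssl_verify on ; proxy_ssl_trusted_certificate <PATH_TO_KANIDM_CHAIN> ; proxy_ssl_name <KANIDM_DOMAIN> ;` (placeholders for the deployed chain and name). If verification must stay off, a comment stating why would help the next reader, e.g. `# upstream cert is not verified: nginx terminates public TLS, kanidm is on the private net`. The upstream port is now hard-coded in `servers."${ipOf "kanidm"}:3000"` where the removed line derived the authelia port from the guest's own configuration; reading it from the kanidm guest's `services.kanidm.serverSettings.bindaddress` or a shared constant would keep the two in sync. The `services.nginx` attrset starts in the first hunk and continues outside this one.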

Binary file not shown.


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIITsf7dXoAEyYeT2c95jRKKyUdMAT5dAovGVnbFOtyH3

Binary file not shown.


@ -30,6 +30,7 @@
freshrss = uidGid 220; freshrss = uidGid 220;
mongodb = uidGid 221; mongodb = uidGid 221;
authelia-main = uidGid 222; authelia-main = uidGid 222;
kanidm = uidGid 223;
paperless = uidGid 315; paperless = uidGid 315;
systemd-oom = uidGid 300; systemd-oom = uidGid 300;
systemd-coredump = uidGid 301; systemd-coredump = uidGid 301;


@ -1,6 +1,6 @@
{config, ...}: { {config, ...}: {
age.secrets.cloudflare_token_dns = { age.secrets.cloudflare_token_dns = {
rekeyFile = "${config.node.secretsDir}/cloudflare_api_token.age"; rekeyFile = config.node.secretsDir + "/cloudflare_api_token.age";
mode = "440"; mode = "440";
}; };
# So we only update the A record # So we only update the A record


@ -88,6 +88,7 @@ in {
ENABLE_AUTO_REGISTRATION = true; ENABLE_AUTO_REGISTRATION = true;
REGISTER_EMAIL_CONFIRM = false; REGISTER_EMAIL_CONFIRM = false;
UPDATE_AVATAR = true; UPDATE_AVATAR = true;
USERNAME = "email";
}; };
# packages.ENABLED = true; # packages.ENABLED = true;
repository = { repository = {
@ -107,7 +108,8 @@ in {
# port forwarding in elisabeth # port forwarding in elisabeth
}; };
service = { service = {
DISABLE_REGISTRATION = false; DISABLE_REGISTRATION = true;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = true; SHOW_REGISTRATION_BUTTON = true;
REGISTER_EMAIL_CONFIRM = false; REGISTER_EMAIL_CONFIRM = false;
ENABLE_NOTIFY_MAIL = true; ENABLE_NOTIFY_MAIL = true;
@ -140,7 +142,7 @@ in {
"--key" "--key"
clientId clientId
"--auto-discover-url" "--auto-discover-url"
"https://auth.${config.secrets.secrets.global.domains.web}/.well-known/openid-configuration" "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/${clientId}/.well-known/openid-configuration"
"--required-claim-name" "--required-claim-name"
"groups" "groups"
"--scopes" "--scopes"
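Review bot: `USERNAME = "email";` in the oauth2_client block derives the local username from the provider's email attribute, which as I read Gitea's option means the part before the `@`; two kanidm accounts whose addresses share a local part at different domains would then collide on auto-registration, and a changed address would look like a new user. `userid` (the OIDC `sub`) is the stable identifier; if email is kept for readability, record the assumption it rests on: `# USERNAME = "email": relies on kanidm issuing unique mail local-parts`. `DISABLE_REGISTRATION = true;` alongside the added `ALLOW_ONLY_EXTERNAL_REGISTRATION = true;` is worth confirming against `ENABLE_AUTO_REGISTRATION = true;` from the first hunk, since Gitea's documented pattern for external-only signup keeps DISABLE_REGISTRATION false and it is not obvious from these lines that OIDC auto-registration still succeeds. The discovery URL `.../oauth2/openid/${clientId}/.well-known/openid-configuration` in the third hunk also assumes the kanidm OAuth2 client is named exactly `clientId`; a one-line comment to that effect would save a debugging round. The `service` and `oauth2_client` attrsets continue outside these hunks.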


@ -0,0 +1,42 @@
{config, ...}: let
kanidmdomain = "auth.${config.secrets.secrets.global.domains.web}";
in {
networking.firewall.allowedTCPPorts = [3000];
environment.persistence."/persist".directories = [
{
directory = "/var/lib/kanidm";
user = "kanidm";
group = "kanidm";
mode = "0700";
}
];
age.secrets = {
kanidm-cert = {
rekeyFile = config.node.secretsDir + "/cert.age";
group = "kanidm";
mode = "440";
};
kanidm-key = {
rekeyFile = config.node.secretsDir + "/key.age";
group = "kanidm";
mode = "440";
};
};
services.kanidm = {
enableServer = true;
serverSettings = {
domain = kanidmdomain;
origin = "https://${kanidmdomain}";
tls_chain = config.age.secrets.kanidm-cert.path;
tls_key = config.age.secrets.kanidm-key.path;
bindaddress = "0.0.0.0:3000";
trust_x_forward_for = true;
};
enableClient = true;
clientSettings = {
uri = config.services.kanidm.serverSettings.origin;
verify_ca = true;
verify_hostnames = true;
};
};
}
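Review bot: `trust_x_forward_for = true;` combined with `bindaddress = "0.0.0.0:3000";` and `networking.firewall.allowedTCPPorts = [3000];` lets any host that can reach the guest on port 3000 supply its own X-Forwarded-For, so the client address kanidm records and acts on can be forged by anything on that network, not only set by the nginx proxy. Binding to the guest's own address (the value `ipOf "kanidm"` resolves to in the nginx upstream) or limiting the firewall rule to the proxy host's source address keeps the header trustworthy; at minimum state the assumption next to the option: `# trust_x_forward_for: only the host's nginx is expected to reach port 3000`. `domain = kanidmdomain;` deserves a comment that it must not change once credentials are enrolled, because WebAuthn credentials are bound to the domain. `verify_ca = true;` in clientSettings will only succeed if the certificate behind `tls_chain` chains to something in the system trust store; if `cert.age` holds a private CA, the client needs to be pointed at that CA (kanidm's client config has a `ca_path` setting for this, if I recall it correctly).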


@ -3,7 +3,7 @@
age.secrets.spotify = { age.secrets.spotify = {
owner = "your_spotify"; owner = "your_spotify";
mode = "440"; mode = "440";
rekeyFile = "${config.node.secretsDir}/yourspotify.age"; rekeyFile = config.node.secretsDir + "/yourspotify.age";
}; };
services.your_spotify = { services.your_spotify = {
#enable = true; #enable = true;


@ -32,7 +32,7 @@ inputs: let
nixpkgs.overlays = pkgs.overlays; nixpkgs.overlays = pkgs.overlays;
nixpkgs.config = pkgs.config; nixpkgs.config = pkgs.config;
node.name = name; node.name = name;
node.secretsDir = ../hosts/${name}/secrets; node.secretsDir = ../. + "/hosts/${name}/secrets";
} }
../hosts/${name} ../hosts/${name}
]; ];

Binary file not shown.