diff --git a/hosts/koi/configuration.nix b/hosts/koi/configuration.nix
index 951adc4..8813f49 100755
--- a/hosts/koi/configuration.nix
+++ b/hosts/koi/configuration.nix
@@ -30,8 +30,7 @@
 ./containers/navidrome
 ./containers/conduwuit
 ./containers/zond
- ./containers/authentik
- ./containers/outline-wiki
+ ./containers/kanidm
 ./containers/siyuan
 ./containers/teisu.nix
 ./containers/bots/pcre-sub-bot.nix
diff --git a/hosts/koi/containers/authentik/default.nix b/hosts/koi/containers/authentik/default.nix
deleted file mode 100644
index b0236e8..0000000
--- a/hosts/koi/containers/authentik/default.nix
+++ /dev/null
@@ -1,77 +0,0 @@
-{ abs, pkgs, config, ... }@inputs:
-
-let
- secrets = import (abs "lib/secrets.nix");
-
- UID = 1110;
- sharedConfig = {
- image = "ghcr.io/goauthentik/server:2024.8.2";
- dependsOn = [ "authentik-redis" ];
- environment = {
- AUTHENTIK_POSTGRESQL__HOST = "172.17.0.1";
- AUTHENTIK_POSTGRESQL__USER = "authentik";
- AUTHENTIK_POSTGRESQL__PASSWORD = "authentik";
- AUTHENTIK_POSTGRESQL__NAME = "authentik";
- AUTHENTIK_REDIS__HOST = "authentik-redis.docker";
- };
- volumes = [
- "/mnt/puffer/authentik/media:/media"
- "/mnt/puffer/authentik/templates:/templates"
- ];
- user = builtins.toString UID;
- environmentFiles = [
- (secrets.file config "authentik-env")
- ];
- };
-in {
- imports = [
- # email related + AUTHENTIK_SECRET_KEY
- (secrets.declare [{
- name = "authentik-env";
- owner = "authentik";
- }])
- ];
-
- users.users.authentik = {
- isNormalUser = true;
- uid = UID;
- };
-
- services.postgresql.ensureUsers = [
- { name = "authentik"; ensureDBOwnership = true; }
- ];
- services.postgresql.ensureDatabases = [ "authentik" ];
- desu.postgresql.ensurePasswords.authentik = "authentik";
-
- virtualisation.oci-containers.containers.authentik-redis = {
- image = "docker.io/redis:7.0-alpine";
- volumes = [
- "/mnt/puffer/authentik/redis:/data"
- ];
- user = builtins.toString UID;
- };
-
- virtualisation.oci-containers.containers.authentik-server = sharedConfig // {
- cmd = [ "server" ];
- };
- systemd.services.docker-authentik-server.after = [ "postgresql.service" ];
-
- virtualisation.oci-containers.containers.authentik-worker = sharedConfig // {
- cmd = [ "worker" ];
- };
- systemd.services.docker-authentik-worker.after = [ "postgresql.service" ];
-
- systemd.tmpfiles.rules = [
- "d /mnt/puffer/authentik 0777 root root -"
- ];
-
- services.nginx.virtualHosts."id.stupid.fish" = {
- forceSSL = true;
- useACMEHost = "stupid.fish";
-
- locations."/" = {
- proxyPass = "http://authentik-server.docker:9000$request_uri";
- proxyWebsockets = true;
- };
- };
-}
\ No newline at end of file
diff --git a/hosts/koi/containers/kanidm/default.nix b/hosts/koi/containers/kanidm/default.nix
new file mode 100644
index 0000000..cb899ab
--- /dev/null
+++ b/hosts/koi/containers/kanidm/default.nix
@@ -0,0 +1,51 @@
+{ abs, pkgs, config, ... }@inputs:
+
+let
+ secrets = import (abs "lib/secrets.nix");
+
+ UID = 1111;
+in {
+ imports = [
+ (secrets.declare [
+ {
+ name = "kanidm-tls-key";
+ owner = "kanidm";
+ }
+ {
+ name = "kanidm-tls-cert";
+ owner = "kanidm";
+ }
+ ])
+ ./proxy.nix
+ ];
+ users.users.kanidm = {
+ isNormalUser = true;
+ uid = UID;
+ };
+
+ virtualisation.oci-containers.containers.kanidm = {
+ image = "kanidm/server:1.3.3";
+ volumes = [
+ "/srv/kanidm/data:/data/db"
+ "${./server.toml}:/data/server.toml"
+ "${(secrets.file config "kanidm-tls-key")}:/data/key.pem"
+ "${(secrets.file config "kanidm-tls-cert")}:/data/chain.pem"
+ ];
+
+ user = "${builtins.toString UID}:60";
+ };
+
+ systemd.tmpfiles.rules = [
+ "d /srv/kanidm/data 0700 ${builtins.toString UID} ${builtins.toString UID} -"
+ ];
+
+ services.nginx.virtualHosts."id.stupid.fish" = {
+ forceSSL = true;
+ useACMEHost = "stupid.fish";
+
+ locations."/" = {
+ proxyPass = "https://kanidm.docker:8443$request_uri";
+ proxyWebsockets = true;
+ };
+ };
+}
\ No newline at end of file
diff --git a/hosts/koi/containers/kanidm/proxy.nix b/hosts/koi/containers/kanidm/proxy.nix
new file mode 100644
index 0000000..6f0104c
--- /dev/null
+++ b/hosts/koi/containers/kanidm/proxy.nix
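Review bot: The `locations."/"` block proxies to `https://kanidm.docker:8443` without turning on upstream certificate verification, which nginx leaves off by default, so the nginx-to-container hop is encrypted but the peer is not authenticated. Since the container serves the certificate from the `kanidm-tls-cert` secret, the location can verify it with `extraConfig = "proxy_ssl_verify on; proxy_ssl_name id.stupid.fish; proxy_ssl_trusted_certificate <path to the CA or self-signed cert that issued kanidm-tls-cert>;";` — assuming the certificate is issued for `id.stupid.fish` and the trust file is readable by nginx's user (the secrets are declared with `owner = "kanidm"`). The `:60` in `user = "${builtins.toString UID}:60"` is an unexplained gid; a one-line comment naming which host group that is and why the container needs it (presumably read access to the mounted key and chain — confirm) would save the next maintainer a lookup. `pkgs` and the `@inputs` binding in the argument set are unused in this file.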
@@ -0,0 +1,69 @@
+{ pkgs, config, lib, ... }:
+
+let
+ cfg = config.desu.openid-proxy;
+in {
+ options.desu.openid-proxy = with lib; {
+ services = mkOption {
+ type = types.attrsOf (types.submodule ({ ... }: {
+ options = {
+ clientId = mkOption {
+ type = types.str;
+ description = "oauth2 client id";
+ };
+ domain = mkOption {
+ type = types.str;
+ description = "domain that the service will be hosted on";
+ };
+ upstream = mkOption {
+ type = types.str;
+ description = "upstream address";
+ };
+ envSecret = mkOption {
+ type = types.str;
+ description = "name of the secret that contains the env vars (OAUTH2_PROXY_COOKIE_SECRET, OAUTH2_PROXY_CLIENT_SECRET)";
+ };
+ extra = mkOption {
+ type = types.listOf types.str;
+ description = "extra arguments that will be passed to the service";
+ default = [];
+ };
+ uid = mkOption {
+ type = types.int;
+ description = "uid of the user that will run the service";
+ };
+ };
+ }));
+ default = {};
+ };
+ };
+
+ config = lib.mkIf (cfg.services != {}) {
+ virtualisation.oci-containers.containers = builtins.listToAttrs (
+ map (name: let
+ service = cfg.services.${name};
+ in {
+ name = "${name}-oidc";
+ value = {
+ image = "quay.io/oauth2-proxy/oauth2-proxy:v7.7.1-amd64";
+ user = "${builtins.toString service.uid}";
+ environmentFiles = [
+ config.age.secrets.${service.envSecret}.path
+ ];
+
+ cmd = [
+ "--reverse-proxy=true"
+ "--http-address=0.0.0.0:80"
+ "--skip-provider-button=true"
+ "--provider=oidc"
+ "--email-domain=*"
+ "--client-id=${service.clientId}"
+ "--upstream=${service.upstream}"
+ "--redirect-url=https://${service.domain}/oauth2/callback"
+ "--oidc-issuer-url=https://id.stupid.fish/oauth2/openid/${service.clientId}"
+ ] ++ service.extra;
+ };
+ }) (builtins.attrNames cfg.services)
+ );
+ };
+}
\ No newline at end of file
diff --git a/hosts/koi/containers/kanidm/server.toml b/hosts/koi/containers/kanidm/server.toml
new file mode 100644
index 0000000..6c857e6
--- /dev/null
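Review bot: `"--email-domain=*"` in the `cmd` list admits every identity the issuer will mint a token for, so the only thing restricting who reaches an upstream is the per-client configuration on the kanidm side, which this module neither documents nor enforces. A comment on that line, `# any kanidm account the OAuth2 client accepts gets through; restrict access per client in kanidm (or pass --allowed-group via extra)`, makes the trust boundary explicit for whoever adds the next service. Style-wise, the `builtins.listToAttrs (map (name: let service = cfg.services.${name}; in { name = "${name}-oidc"; value = { ... }; }) (builtins.attrNames cfg.services))` construction is the long form of `lib.mapAttrs' (name: service: lib.nameValuePair "${name}-oidc" { ... }) cfg.services`, which drops the `let` and the `attrNames` round trip. Reading `config.age.secrets.${service.envSecret}.path` directly also bypasses the `secrets.file config` helper the sibling modules use; worth confirming both resolve to the same path so a later change to the helper does not silently diverge here.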
+++ b/hosts/koi/containers/kanidm/server.toml
@@ -0,0 +1,9 @@
+bindaddress = "0.0.0.0:8443"
+adminbindpath = "/tmp/kanidm.sock"
+trust_x_forward_for = true
+db_path = "/data/db/kanidm.db"
+tls_chain = "/data/chain.pem"
+tls_key = "/data/key.pem"
+
+domain = "id.stupid.fish"
+origin = "https://id.stupid.fish"
\ No newline at end of file
diff --git a/hosts/koi/containers/siyuan/default.nix b/hosts/koi/containers/siyuan/default.nix
index d3d3b92..9235f74 100644
--- a/hosts/koi/containers/siyuan/default.nix
+++ b/hosts/koi/containers/siyuan/default.nix
@@ -9,7 +9,7 @@ let
 in {
 imports = [
 (secrets.declare [{
- name = "siyuan-teidesu-authentik-env";
+ name = "siyuan-teidesu-proxy-env";
 owner = "siyuan-teidesu";
 }])
 ];
@@ -30,33 +30,30 @@ in {
 ];
 cmd = [ "--workspace=/data" ];
 environment = {
- # we manage auth via authentik
+ # we manage auth via openid-proxy
 SIYUAN_ACCESS_AUTH_CODE_BYPASS = "true";
 };
 user = builtins.toString UID;
 };
- virtualisation.oci-containers.containers.siyuan-teidesu-authentik = {
- image = "ghcr.io/goauthentik/proxy";
- environment = {
- AUTHENTIK_HOST = "https://id.stupid.fish";
- };
- user = builtins.toString UID;
- environmentFiles = [
- (secrets.file config "siyuan-teidesu-authentik-env")
- ];
- };
-
 systemd.tmpfiles.rules = [
 "d /srv/siyuan-teidesu 0700 ${builtins.toString UID} ${builtins.toString UID} -"
 ];
+ desu.openid-proxy.services.siyuan-teidesu = {
+ clientId = "teidesu-siyuan";
+ domain = "siyuan.tei.su";
+ upstream = "http://siyuan-teidesu.docker:6806";
+ envSecret = "siyuan-teidesu-proxy-env";
+ uid = UID;
+ };
+
 services.nginx.virtualHosts."siyuan.tei.su" = {
 forceSSL = true;
 useACMEHost = "tei.su";
 locations."/" = {
- proxyPass = "http://siyuan-teidesu-authentik.docker:9000$request_uri";
+ proxyPass = "http://siyuan-teidesu-oidc.docker$request_uri";
 proxyWebsockets = true;
 };
 };
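Review bot: `trust_x_forward_for = true` makes kanidm take the client address it logs (and anything else it keys on client IP) from whatever `X-Forwarded-For` it receives, and because `bindaddress = "0.0.0.0:8443"` is not restricted to nginx, any other container that can reach the port on the shared container network (the usual default bridge allows this) can present a forged header. The exposure is bounded by what else runs on that network, but a comment such as `# only nginx should be able to reach 8443: any peer that can connect may spoof X-Forwarded-For` records the assumption next to the switch. It is also worth confirming that the nginx vhost in `hosts/koi/containers/kanidm/default.nix` actually sends the header (for example via `services.nginx.recommendedProxySettings`), since nothing in this commit sets it; otherwise every login is logged with nginx's bridge address instead of the real client.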
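Review bot: The declared secret name `siyuan-teidesu-proxy-env` in the first hunk has no matching file in this commit: the only env secret added is `secrets/openid-proxy-env.age`, whereas the two `kanidm-tls-*` declarations do line up with `secrets/kanidm-tls-key.age` and `secrets/kanidm-tls-cert.age`. If `secrets.declare` resolves a name to `secrets/<name>.age` as those pairs suggest (lib/secrets.nix is not in this diff), evaluation fails on the missing file and the new `.age` file is never referenced; either rename the file or use `openid-proxy-env` both here and in `envSecret`. Note also that with `SIYUAN_ACCESS_AUTH_CODE_BYPASS = "true"` siyuan accepts any request that reaches `siyuan-teidesu.docker:6806`, so `siyuan-teidesu-oidc` is the sole gate; a comment on the bypass line stating that this container must never be published or reached other than through `siyuan-teidesu-oidc` would make that dependency explicit.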
diff --git a/secrets/kanidm-tls-cert.age b/secrets/kanidm-tls-cert.age new file mode 100644 index 0000000..89828f5 Binary files /dev/null and b/secrets/kanidm-tls-cert.age differ diff --git a/secrets/kanidm-tls-key.age b/secrets/kanidm-tls-key.age new file mode 100644 index 0000000..9cd0dfd Binary files /dev/null and b/secrets/kanidm-tls-key.age differ diff --git a/secrets/openid-proxy-env.age b/secrets/openid-proxy-env.age new file mode 100644 index 0000000..810e4b5 --- /dev/null +++ b/secrets/openid-proxy-env.age @@ -0,0 +1,6 @@ +age-encryption.org/v1 +-> ssh-ed25519 sj88Xw em5uDRlc3WU8cHrelbBNgb1TY4DQna/GC4MvhRVCJ3U +eqyrs56AvN4+wVjH58meq8milx1wnXRhF6bd122tlmQ +--- U9jh49an0uX5qumssc7TXc9n+yO7b2dtZ3Y7NmjsaIE +f܎ceu7<P_{bTbԋN ssh-ed25519 sj88Xw K4t0UbmCo9hVvB3k0ut17zjnN/SrqjiCRokNy4CSvi4 -b067KvwE3J3NrXY5ZANkoUdS0UTTbkWWrCpsWtS0eP8 ---- 7cx4kHSwSvsAlAMvfM/lGr3B2QhmD6vhNdFSzLAnUuo -frrx/E!~ZMTj@'EcnVsqyq