chore(koi): authentik -> kanidm

alina 🌸 2024-10-26 22:44:01 +03:00
parent c69d1b8675
commit 11aea04fe5
Signed by: teidesu
SSH key fingerprint: SHA256:uNeCpw6aTSU4aIObXLvHfLkDa82HWH9EiOj9AXOIRpI
11 changed files with 147 additions and 99 deletions


@ -30,8 +30,7 @@
./containers/navidrome
./containers/conduwuit
./containers/zond
./containers/authentik
./containers/outline-wiki
./containers/kanidm
./containers/siyuan
./containers/teisu.nix
./containers/bots/pcre-sub-bot.nix


@ -1,77 +0,0 @@
{ abs, pkgs, config, ... }@inputs:
let
secrets = import (abs "lib/secrets.nix");
UID = 1110;
sharedConfig = {
image = "ghcr.io/goauthentik/server:2024.8.2";
dependsOn = [ "authentik-redis" ];
environment = {
AUTHENTIK_POSTGRESQL__HOST = "172.17.0.1";
AUTHENTIK_POSTGRESQL__USER = "authentik";
AUTHENTIK_POSTGRESQL__PASSWORD = "authentik";
AUTHENTIK_POSTGRESQL__NAME = "authentik";
AUTHENTIK_REDIS__HOST = "authentik-redis.docker";
};
volumes = [
"/mnt/puffer/authentik/media:/media"
"/mnt/puffer/authentik/templates:/templates"
];
user = builtins.toString UID;
environmentFiles = [
(secrets.file config "authentik-env")
];
};
in {
imports = [
# email related + AUTHENTIK_SECRET_KEY
(secrets.declare [{
name = "authentik-env";
owner = "authentik";
}])
];
users.users.authentik = {
isNormalUser = true;
uid = UID;
};
services.postgresql.ensureUsers = [
{ name = "authentik"; ensureDBOwnership = true; }
];
services.postgresql.ensureDatabases = [ "authentik" ];
desu.postgresql.ensurePasswords.authentik = "authentik";
virtualisation.oci-containers.containers.authentik-redis = {
image = "docker.io/redis:7.0-alpine";
volumes = [
"/mnt/puffer/authentik/redis:/data"
];
user = builtins.toString UID;
};
virtualisation.oci-containers.containers.authentik-server = sharedConfig // {
cmd = [ "server" ];
};
systemd.services.docker-authentik-server.after = [ "postgresql.service" ];
virtualisation.oci-containers.containers.authentik-worker = sharedConfig // {
cmd = [ "worker" ];
};
systemd.services.docker-authentik-worker.after = [ "postgresql.service" ];
systemd.tmpfiles.rules = [
"d /mnt/puffer/authentik 0777 root root -"
];
services.nginx.virtualHosts."id.stupid.fish" = {
forceSSL = true;
useACMEHost = "stupid.fish";
locations."/" = {
proxyPass = "http://authentik-server.docker:9000$request_uri";
proxyWebsockets = true;
};
};
}


@ -0,0 +1,51 @@
{ abs, pkgs, config, ... }@inputs:
let
secrets = import (abs "lib/secrets.nix");
UID = 1111;
in {
imports = [
(secrets.declare [
{
name = "kanidm-tls-key";
owner = "kanidm";
}
{
name = "kanidm-tls-cert";
owner = "kanidm";
}
])
./proxy.nix
];
users.users.kanidm = {
isNormalUser = true;
uid = UID;
};
virtualisation.oci-containers.containers.kanidm = {
image = "kanidm/server:1.3.3";
volumes = [
"/srv/kanidm/data:/data/db"
"${./server.toml}:/data/server.toml"
"${(secrets.file config "kanidm-tls-key")}:/data/key.pem"
"${(secrets.file config "kanidm-tls-cert")}:/data/chain.pem"
];
user = "${builtins.toString UID}:60";
};
systemd.tmpfiles.rules = [
"d /srv/kanidm/data 0700 ${builtins.toString UID} ${builtins.toString UID} -"
];
services.nginx.virtualHosts."id.stupid.fish" = {
forceSSL = true;
useACMEHost = "stupid.fish";
locations."/" = {
proxyPass = "https://kanidm.docker:8443$request_uri";
proxyWebsockets = true;
};
};
}
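Review bot: The nginx `proxyPass = "https://kanidm.docker:8443$request_uri";` speaks TLS to the container, but nginx does not verify upstream certificates unless `proxy_ssl_verify on;` is set, so the chain mounted as `/data/chain.pem` only encrypts traffic on the container network and is never checked; either add `proxy_ssl_verify on;` with `proxy_ssl_trusted_certificate` pointing at that same chain (plus `proxy_ssl_server_name on;` if kanidm expects SNI — I have not confirmed that), or leave a comment saying verification is deliberately off. A consequence of the current setup is that the cert and key are static age secrets rather than ACME-issued, so their expiry is handled nowhere here and, since nginx does not verify them, an expired chain will go unnoticed. The `:60` in `user = "${builtins.toString UID}:60";` is an unexplained group id; a comment such as `# group 60 lets the container read the mounted key/cert — confirm` (or the real reason) would help, especially since the tmpfiles rule creates the data directory with `UID` as both owner and group.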


@ -0,0 +1,69 @@
{ pkgs, config, lib, ... }:
let
cfg = config.desu.openid-proxy;
in {
options.desu.openid-proxy = with lib; {
services = mkOption {
type = types.attrsOf (types.submodule ({ ... }: {
options = {
clientId = mkOption {
type = types.str;
description = "oauth2 client id";
};
domain = mkOption {
type = types.str;
description = "domain that the service will be hosted on";
};
upstream = mkOption {
type = types.str;
description = "upstream address";
};
envSecret = mkOption {
type = types.str;
description = "name of the secret that contains the env vars (OAUTH2_PROXY_COOKIE_SECRET, OAUTH2_PROXY_CLIENT_SECRET)";
};
extra = mkOption {
type = types.listOf types.str;
description = "extra arguments that will be passed to the service";
default = [];
};
uid = mkOption {
type = types.int;
description = "uid of the user that will run the service";
};
};
}));
default = {};
};
};
config = lib.mkIf (cfg.services != {}) {
virtualisation.oci-containers.containers = builtins.listToAttrs (
map (name: let
service = cfg.services.${name};
in {
name = "${name}-oidc";
value = {
image = "quay.io/oauth2-proxy/oauth2-proxy:v7.7.1-amd64";
user = "${builtins.toString service.uid}";
environmentFiles = [
config.age.secrets.${service.envSecret}.path
];
cmd = [
"--reverse-proxy=true"
"--http-address=0.0.0.0:80"
"--skip-provider-button=true"
"--provider=oidc"
"--email-domain=*"
"--client-id=${service.clientId}"
"--upstream=${service.upstream}"
"--redirect-url=https://${service.domain}/oauth2/callback"
"--oidc-issuer-url=https://id.stupid.fish/oauth2/openid/${service.clientId}"
] ++ service.extra;
};
}) (builtins.attrNames cfg.services)
);
};
}
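Review bot: `"--email-domain=*"` in the oauth2-proxy `cmd` admits every account for which kanidm issues an id token, so per-service authorization rests entirely on the kanidm side and nothing in this module narrows who reaches `upstream`; since `extra` already exists, a note on the `services` option (which has no `description`) along the lines of `# access control is delegated to kanidm's client configuration; add e.g. --allowed-group=... via extra to restrict further` would make that contract explicit. `"--reverse-proxy=true"` together with `"--http-address=0.0.0.0:80"` means the proxy accepts X-Forwarded-* headers from any peer on the container network, which is only sound while nginx is the single route to it — worth a comment too. Minor style: `user = "${builtins.toString service.uid}";` can simply be `user = builtins.toString service.uid;`, and the secret is read via `config.age.secrets.${service.envSecret}.path` while the rest of the tree goes through the `secrets.file config` helper, which makes the module harder to move.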


@ -0,0 +1,9 @@
bindaddress = "0.0.0.0:8443"
adminbindpath = "/tmp/kanidm.sock"
trust_x_forward_for = true
db_path = "/data/db/kanidm.db"
tls_chain = "/data/chain.pem"
tls_key = "/data/key.pem"
domain = "id.stupid.fish"
origin = "https://id.stupid.fish"
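Review bot: `trust_x_forward_for = true` combined with `bindaddress = "0.0.0.0:8443"` makes kanidm take the client address from whatever peer sends the header, so the audited IP is only as trustworthy as the set of hosts that can reach port 8443 on the container network; keep that to the nginx container, and make sure nginx actually sends the header (NixOS's `recommendedProxySettings` does, the vhost added in this commit does not set it explicitly). `adminbindpath = "/tmp/kanidm.sock"` is inside the container's /tmp, so `kanidmd` admin commands have to be run through the container — a one-line comment saying so would save someone looking for the socket on the host. The kanidm documentation describes the `domain` value as costly to change after the first start (it affects issued credentials), so a note next to `domain = "id.stupid.fish"` would be useful; I am inferring that from the docs rather than this file, please confirm.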


@ -9,7 +9,7 @@ let
in {
imports = [
(secrets.declare [{
name = "siyuan-teidesu-authentik-env";
name = "siyuan-teidesu-proxy-env";
owner = "siyuan-teidesu";
}])
];
@ -30,33 +30,30 @@ in {
];
cmd = [ "--workspace=/data" ];
environment = {
# we manage auth via authentik
# we manage auth via openid-proxy
SIYUAN_ACCESS_AUTH_CODE_BYPASS = "true";
};
user = builtins.toString UID;
};
virtualisation.oci-containers.containers.siyuan-teidesu-authentik = {
image = "ghcr.io/goauthentik/proxy";
environment = {
AUTHENTIK_HOST = "https://id.stupid.fish";
};
user = builtins.toString UID;
environmentFiles = [
(secrets.file config "siyuan-teidesu-authentik-env")
];
};
systemd.tmpfiles.rules = [
"d /srv/siyuan-teidesu 0700 ${builtins.toString UID} ${builtins.toString UID} -"
];
desu.openid-proxy.services.siyuan-teidesu = {
clientId = "teidesu-siyuan";
domain = "siyuan.tei.su";
upstream = "http://siyuan-teidesu.docker:6806";
envSecret = "siyuan-teidesu-proxy-env";
uid = UID;
};
services.nginx.virtualHosts."siyuan.tei.su" = {
forceSSL = true;
useACMEHost = "tei.su";
locations."/" = {
proxyPass = "http://siyuan-teidesu-authentik.docker:9000$request_uri";
proxyPass = "http://siyuan-teidesu-oidc.docker$request_uri";
proxyWebsockets = true;
};
};
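Review bot: `clientId = "teidesu-siyuan";` is both the OAuth2 client id and, through the proxy module, the last path segment of the issuer URL `https://id.stupid.fish/oauth2/openid/teidesu-siyuan`, so it has to match the OAuth2 client name configured in kanidm exactly; a comment stating that would help, particularly because its word order differs from every other `siyuan-teidesu` identifier in this file. The attribute set these lines belong to starts before the hunk. The earlier hunk keeps `SIYUAN_ACCESS_AUTH_CODE_BYPASS = "true";`, so siyuan itself still has no authentication and depends on `siyuan-teidesu.docker:6806` being reachable only through the oidc container — unchanged by this commit, but worth spelling out next to the existing `# we manage auth via openid-proxy` comment.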

BIN
secrets/kanidm-tls-cert.age Normal file

Binary file not shown.

BIN
secrets/kanidm-tls-key.age Normal file

Binary file not shown.


@ -0,0 +1,6 @@
age-encryption.org/v1
-> ssh-ed25519 sj88Xw em5uDRlc3WU8cHrelbBNgb1TY4DQna/GC4MvhRVCJ3U
eqyrs56AvN4+wVjH58meq8milx1wnXRhF6bd122tlmQ
--- U9jh49an0uX5qumssc7TXc9n+yO7b2dtZ3Y7NmjsaIE
f<EFBFBD>ÜŽ¹êcÒôeu7¨àÜ<…Pƒ_{­´b†TbþƒÔ“Næ<ŒõÀgFcò±öeMÐH<C390>h.4¥ZÅ€TIò— ¼¿<>Íß<>ù:»!ºIÚ«Ü?ä€<C3A4>Íä Òî
ÙqÃÇTèMâÙéMñ¢•ÀXô53£{™Ó ¢¿ÑJ=æÒ&7S%„/P)¶­‡É­NJ—s±4Hûkžˆš‘|¨Ý#æ


@ -1,6 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 sj88Xw K4t0UbmCo9hVvB3k0ut17zjnN/SrqjiCRokNy4CSvi4
b067KvwE3J3NrXY5ZANkoUdS0UTTbkWWrCpsWtS0eP8
--- 7cx4kHSwSvsAlAMvfM/lGr3B2QhmD6vhNdFSzLAnUuo
fÁÏr¹rx/E×!~ õZM×Tj¸€ì@'EcnV¤sÍqØy±q<k¬¼±k˜t™w̤~(? _bÝÐ8q ï¿•„bˆÞgÄ4W.†óOâ,¹Çšùy‰º$Û9°(^


Binary file not shown.