raphael/nixos
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Compare commits

base: raphael:b9ed7f1eb8f10ce2677d3c937d38e73d19f30b03
Branches Tags
raphael:master
..
compare: raphael:3115fbb41c06dc4748df65269a85d57dad1a6f53
Branches Tags
raphael:master

No commits in common. "b9ed7f1eb8f10ce2677d3c937d38e73d19f30b03" and "3115fbb41c06dc4748df65269a85d57dad1a6f53" have entirely different histories.
b9ed7f1eb8 ... 3115fbb41c

8 changed files with 97 additions and 295 deletions
Download patch file Download diff file Expand all files Collapse all files

6
hosts/server/configuration.nix
View file

@ -6,9 +6,6 @@
... ...
}: }:
let
sshKeyMac = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKbHk7YasSMK5FBCArKLeqIoaGXsN+WlgVquObyC5Zec raphael@MacBook-Pro-de-raphael.local";
in
{ {
imports = [ imports = [
../global.nix ../global.nix
@ -125,9 +122,6 @@ in
efi.canTouchEfiVariables = true; efi.canTouchEfiVariables = true;
}; };
users.users.raphael.openssh.authorizedKeys.keys = [
sshKeyMac
];
services = { services = {
seatd.enable = true; seatd.enable = true;
xserver = { xserver = {

7
hosts/server/secrets.nix
View file

@ -39,13 +39,6 @@
mode = "0440"; mode = "0440";
}; };
age.secrets."forgejo-oidc-secret" = {
file = ../../secrets/forgejo-oidc-secret.age;
owner = "kanidm";
group = "forgejo";
mode = "0440";
};
age.secrets."nextcloud-database" = { age.secrets."nextcloud-database" = {
file = ../../secrets/nextcloud-database.age; file = ../../secrets/nextcloud-database.age;
owner = "nextcloud"; owner = "nextcloud";

BIN
secrets/forgejo-oidc-secret.age
View file

Binary file not shown.

1
secrets/secrets.nix
View file

@ -16,7 +16,6 @@ in
"nextcloud-database.age".publicKeys = users ++ systems; "nextcloud-database.age".publicKeys = users ++ systems;
"nextcloud-oidc-secret.age".publicKeys = users ++ systems; "nextcloud-oidc-secret.age".publicKeys = users ++ systems;
"grafana-oidc-secret.age".publicKeys = users ++ systems; "grafana-oidc-secret.age".publicKeys = users ++ systems;
"forgejo-oidc-secret.age".publicKeys = users ++ systems;
"kandim-admin.age".publicKeys = users ++ systems; "kandim-admin.age".publicKeys = users ++ systems;
"kandim-idmAdmin.age".publicKeys = users ++ systems; "kandim-idmAdmin.age".publicKeys = users ++ systems;
} }

46
services/self_host/git.nix
View file

@ -1,20 +1,20 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
gitDomain = "git.enium.eu"; giteaDomain = "git.enium.eu";
in in
{ {
services = { services.gitea = {
forgejo = {
enable = true; enable = true;
database.type = "postgres"; appName = "Enium Git";
user = "gitea";
group = "gitea";
database.type = "sqlite3";
settings = { settings = {
server = { server = {
"DEFAULT.APP_NAME" = "Enium Git"; DOMAIN = giteaDomain;
"DEFAULT.APP_SLOGAN" = "Born2Code"; ROOT_URL = "https://${giteaDomain}/";
DOMAIN = gitDomain;
ROOT_URL = "https://${gitDomain}/";
SSH_PORT = 42131; SSH_PORT = 42131;
HTTP_ADDR = "127.0.0.1"; HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3042; HTTP_PORT = 3042;
@ -24,34 +24,26 @@ in
DISABLE_REGULAR_LOGIN = true; DISABLE_REGULAR_LOGIN = true;
}; };
oauth2 = { service = {
ENABLED = true; DISABLE_REGISTRATION = true;
NAME = "Enium"; ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
CLIENT_ID = "forgejo"; };
CLIENT_SECRET = "${config.age.secrets.forgejo-oidc-secret.path}";
SCOPES = "openid email profile groups"; web = {
LOGIN_ATTRIBUTE_PATH = "preferred_username"; DISABLE_LOCAL_LOGIN = true;
AUTH_URL = "https://git.enium.eu/ui/oauth2"; };
TOKEN_URL = "https://git.enium.eu/oauth2/token";
API_URL = "https://git.enium.eu/oauth2/openid/forgejo/userinfo"; oauth2_client = {
CODE_CHALLENGE_METHOD = "S256";
ENABLE_AUTO_REGISTRATION = true; ENABLE_AUTO_REGISTRATION = true;
UPDATE_AVATAR = true;
};
security = {
LOGIN_REMEMBER_DAYS = 14;
}; };
}; };
}; };
nginx.virtualHosts."${gitDomain}" = { services.nginx.virtualHosts."${giteaDomain}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:3042"; proxyPass = "http://127.0.0.1:3042";
proxyWebsockets = true;
};
}; };
}; };
} }

18
services/self_host/mail.nix
View file

@ -77,6 +77,11 @@ in
smtpd_tls_cert_file = "/var/lib/acme/mail.enium.eu/fullchain.pem"; smtpd_tls_cert_file = "/var/lib/acme/mail.enium.eu/fullchain.pem";
smtpd_tls_key_file = "/var/lib/acme/mail.enium.eu/key.pem"; smtpd_tls_key_file = "/var/lib/acme/mail.enium.eu/key.pem";
smtpd_milters = "unix:/run/rspamd/rspamd.sock";
non_smtpd_milters = "unix:/run/rspamd/rspamd.sock";
milter_protocol = "6";
milter_default_action = "accept";
milter_mail_macros = "i {mail_addr} {client_addr} {client_name} {auth_authen}";
}; };
master."submission" = { master."submission" = {
type = "inet"; type = "inet";
@ -102,7 +107,7 @@ in
systemd.services.postfix.preStart = lib.mkMerge [ systemd.services.postfix.preStart = lib.mkMerge [
(lib.mkAfter '' (lib.mkAfter ''
umask 077 umask 077
echo "[in-v3.mailjet.com]:587 $(cat ${mailjet-user}):$(cat ${mailjet-pass})" > /var/lib/postfix/sasl_passwd echo "[in-v3.mailjet.com]:587 $(cat ${mailjet-pass}):$(cat ${mailjet-pass})" > /var/lib/postfix/sasl_passwd
chown postfix:postfix /var/lib/postfix/sasl_passwd chown postfix:postfix /var/lib/postfix/sasl_passwd
chmod 600 /var/lib/postfix/sasl_passwd chmod 600 /var/lib/postfix/sasl_passwd
${pkgs.postfix}/bin/postmap /var/lib/postfix/sasl_passwd ${pkgs.postfix}/bin/postmap /var/lib/postfix/sasl_passwd
@ -138,7 +143,7 @@ in
extraConfig = '' extraConfig = ''
protocols = imap lmtp protocols = imap lmtp
auth_mechanisms = plain login auth_mechanisms = plain login
disable_plaintext_auth = no disable_plaintext_auth = yes
base_dir = /run/dovecot base_dir = /run/dovecot
userdb { userdb {
@ -235,7 +240,6 @@ in
services.rspamd = { services.rspamd = {
enable = true; enable = true;
postfix.enable = true;
extraConfig = '' extraConfig = ''
worker "controller" { worker "controller" {
bind_socket = "127.0.0.1:11334"; bind_socket = "127.0.0.1:11334";
@ -261,6 +265,13 @@ in
greylist = 4; greylist = 4;
}; };
milter {
unix_socket = "/run/rspamd/milter.sock";
unix_permissions = 0660;
user = "rspamd";
group = "postfix";
};
classifier "bayes" { classifier "bayes" {
backend = "redis"; backend = "redis";
servers = "127.0.0.1:6381"; servers = "127.0.0.1:6381";
@ -307,7 +318,6 @@ EOD;
}; };
security.acme.certs."mail.enium.eu" = { security.acme.certs."mail.enium.eu" = {
listenHTTP = ":80"; listenHTTP = ":80";
group = "dovecot2";
}; };
}; };
} }

61
services/self_host/monitor.nix
View file

@ -7,7 +7,6 @@
let let
cfg = config.service.selfhost.monitor; cfg = config.service.selfhost.monitor;
dashboardsDir = ../../assets/grafana_dashboards;
monitored = [ monitored = [
"nginx" "nginx"
"grafana" "grafana"
@ -19,36 +18,7 @@ in
enable = true; enable = true;
package = pkgs.grafana; package = pkgs.grafana;
dataDir = "/var/lib/grafana"; dataDir = "/var/lib/grafana";
provision = {
dashboards.settings.providers = [
{
name = "nixos-dashboards";
type = "file";
updateIntervalSeconds = 30;
editable = false;
options = {
path = "/etc/grafana/dashboards";
foldersFromFilesStructure = false;
};
}
];
datasources.settings.datasources = [
{
name = "Prometheus";
type = "prometheus";
uid = "prometheus";
access = "proxy";
url = "http://127.0.0.1:9090";
isDefault = true;
editable = false;
jsonData = {
httpMethod = "POST";
timeInterval = "15s";
};
}
];
};
settings = { settings = {
server = { server = {
root_url = "https://monitor.enium.eu"; root_url = "https://monitor.enium.eu";
@ -56,36 +26,17 @@ in
serve_from_sub_path = false; serve_from_sub_path = false;
}; };
"auth.generic_oauth" = { users = {
enabled = true; auto_assign_org = true;
name = "Enium"; auto_assign_org_role = "Viewer";
allow_sign_up = true;
client_id = "grafana";
client_secret = "$__file{${config.age.secrets.grafana-oidc-secret.path}}";
scopes = "openid profile email groups";
auth_url = "https://auth.enium.eu/ui/oauth2";
token_url = "https://auth.enium.eu/oauth2/token";
api_url = "https://auth.enium.eu/oauth2/openid/grafana/userinfo";
redirect_uri = "https://monitor.enium.eu/login/generic_oauth";
use_pkce = true;
use_refresh_token = true;
login_attribute_path = "preferred_username";
name_attribute_path = "name";
email_attribute_path = "email";
groups_attribute_path = "groups";
role_attribute_path = "contains(groups, 'grafana_superadmins@enium.eu') && 'GrafanaAdmin' || contains(groups, 'grafana_admins@enium.eu') && 'Admin' || contains(groups, 'grafana_editors@enium.eu') && 'Editor' || 'Viewer'";
allow_assign_grafana_admin = true;
role_attribute_strict = false;
skip_org_role_sync = false;
}; };
log.level = "debug";
auth = { auth = {
disable_login_form = true; disable_login_form = true;
disable_signout_menu = false; disable_signout_menu = false;
}; };
security = { security = {
cookie_secure = true;
cookie_samesite = "none";
allow_embedding = true; allow_embedding = true;
}; };
}; };
@ -206,8 +157,6 @@ in
ruleFiles = lib.mkForce [ "/etc/prometheus/services.rules" ]; ruleFiles = lib.mkForce [ "/etc/prometheus/services.rules" ];
}; };
environment.etc."grafana/dashboards".source = dashboardsDir;
environment.etc."prometheus/services.rules".text = '' environment.etc."prometheus/services.rules".text = ''
groups: groups:
- name: services - name: services

137
services/self_host/sso.nix
View file

@ -9,22 +9,6 @@ let
cfg = config.service.selfhost.sso; cfg = config.service.selfhost.sso;
kanidm-admin = config.age.secrets."kanidm-admin".path; kanidm-admin = config.age.secrets."kanidm-admin".path;
kanidm-idmAdmin = config.age.secrets."kanidm-idmAdmin".path; kanidm-idmAdmin = config.age.secrets."kanidm-idmAdmin".path;
imagesDir = "/user/share/kanidm/assets";
kanidmLogo = pkgs.fetchurl {
url = "https://raw.githubusercontent.com/doc-sheet/forgejo/refs/heads/forgejo/assets/logo.svg";
name = "kanidm.svg";
sha256 = "sha256-rP7aZURtHBfF2OYuGLcKZhbvIN+B596T/3kaOxHUvig=";
};
grafanaLogo = pkgs.fetchurl {
url = "https://upload.wikimedia.org/wikipedia/commons/a/a1/Grafana_logo.svg";
name = "grafana.svg";
sha256 = "sha256-UjE6ArLCa52o3XGUmpqPoakbEOeFi+zfsnATi1FtWmQ=";
};
nextcloudLogo = pkgs.fetchurl {
url = "https://upload.wikimedia.org/wikipedia/commons/6/60/Nextcloud_Logo.svg";
name = "nextcloud.svg";
sha256 = "sha256-hL51zJkFxUys1CoM8yUxiH8BDw111wh3Qv7eTLm+XYo=";
};
in in
{ {
config = lib.mkIf cfg { config = lib.mkIf cfg {
@ -42,6 +26,7 @@ in
package = pkgs.kanidmWithSecretProvisioning_1_8; package = pkgs.kanidmWithSecretProvisioning_1_8;
enableServer = true; enableServer = true;
serverSettings = { serverSettings = {
role = "WriteReplica";
domain = "enium.eu"; domain = "enium.eu";
origin = "https://auth.enium.eu"; origin = "https://auth.enium.eu";
bindaddress = "127.0.0.1:9000"; bindaddress = "127.0.0.1:9000";
@ -62,137 +47,17 @@ in
mailAddresses = [ mailAddresses = [
"raphael@enium.eu" "raphael@enium.eu"
]; ];
groups = [
"grafana_superadmins"
"forgejo_admins"
"nextcloud_user"
];
}; };
}; };
groups = { groups = {
grafana_superadmins = {
present = true;
};
grafana_admins = {
present = true;
};
grafana_editors = {
present = true;
};
grafana_users = {
present = true;
};
forgejo_admins = {
present = true;
};
forgejo_users = {
present = true;
};
nextcloud_user = { nextcloud_user = {
present = true; present = true;
}; };
}; };
systems.oauth2 = { systems.oauth2 = {
forgejo = {
present = true;
displayName = "Forjego";
originUrl = "https://git.enium.eu";
imageFile = kanidmLogo;
originLanding = "https://git.enium.eu/user/oauth2/Enium/callback";
basicSecretFile = config.age.secrets.forgejo-oidc-secret.path;
public = false;
enableLocalhostRedirects = false;
allowInsecureClientDisablePkce = true;
preferShortUsername = true;
scopeMaps = {
forgejo_admins = [
"email"
"openid"
"profile"
"groups"
];
forgejo_users = [
"email"
"openid"
"profile"
"groups"
];
};
claimMaps = {
groups = {
joinType = "array";
valuesByGroup = {
forgejo_admins = [
"forgejo_admins"
];
forgejo_users = [
"forgejo_users"
];
};
};
};
};
grafana = {
present = true;
displayName = "Grafana";
imageFile = grafanaLogo;
originUrl = "https://monitor.enium.eu";
originLanding = "https://monitor.enium.eu/login/generic_oauth";
basicSecretFile = config.age.secrets.grafana-oidc-secret.path;
public = false;
enableLocalhostRedirects = false;
allowInsecureClientDisablePkce = false;
preferShortUsername = true;
scopeMaps = {
grafana_superadmins = [
"email"
"openid"
"profile"
"groups"
];
grafana_admins = [
"email"
"openid"
"profile"
"groups"
];
grafana_editors = [
"email"
"openid"
"profile"
"groups"
];
grafana_users = [
"email"
"openid"
"profile"
"groups"
];
};
claimMaps = {
groups = {
joinType = "array";
valuesByGroup = {
grafana_superadmins = [
"grafana_superadmins"
];
grafana_admins = [
"grafana_admins"
];
grafana_editors = [
"grafana_editors"
];
grafana_users = [
"grafana_users"
];
};
};
};
};
nextcloud = { nextcloud = {
present = true; present = true;
displayName = "Nextcloud"; displayName = "Nextcloud";
imageFile = nextcloudLogo;
originUrl = "https://nextcloud.enium.eu"; originUrl = "https://nextcloud.enium.eu";
originLanding = "https://nextcloud.enium.eu/login"; originLanding = "https://nextcloud.enium.eu/login";
basicSecretFile = config.age.secrets.nextcloud-oidc-secret.path; basicSecretFile = config.age.secrets.nextcloud-oidc-secret.path;