diff --git a/.gitignore b/.gitignore
index b2be92b..9885c2c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 result
+/secrets_tmp/
diff --git a/hosts/voyager/configuration.nix b/hosts/voyager/configuration.nix
index 35f9a38..7e45ab1 100644
--- a/hosts/voyager/configuration.nix
+++ b/hosts/voyager/configuration.nix
@@ -3,16 +3,18 @@
 {
 imports = [
- ../../base.nix
+ ../../base.nix
 ../../common/metrics-exporters.nix
 ./hardware-configuration.nix
 ./filesystems.nix
- ./vms.nix
+ #./vms.nix
 ./services/nginx
+ ./services/kanidm.nix
+ ./services/jellyfin.nix
 ./services/metrics
 ./services/flame.nix
- ./services/jellyfin.nix
+ #./services/hedgedoc.nix
 ./services/code-server.nix
 # TODO:
 # x Boot
@@ -26,7 +28,8 @@
 # - NFS exports
 # - FreeBSD VM
 # - Kali VM
- # - Kerberos / IPA / Kanidm
+ # x Kerberos / IPA / Kanidm
+ # - Backup system
 ];
 networking = {
diff --git a/hosts/voyager/services/hedgedoc.nix b/hosts/voyager/services/hedgedoc.nix
new file mode 100644
index 0000000..3828ede
--- /dev/null
+++ b/hosts/voyager/services/hedgedoc.nix
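Review bot: `./services/hedgedoc.nix` is created by this commit but its import is added commented out (`#./services/hedgedoc.nix`), so the new module is inert until someone uncomments it, and nothing in the hunk says why; a `# TODO:` next to that line naming the blocker (the `/secrets_tmp/` gitignore entry hints at secrets still being provisioned, but that is a guess) would save the next reader from re-deriving it. `#./vms.nix` is disabled in the same way without a note. The `../../base.nix` line is removed and re-added with identical text, which reads as a whitespace-only change and could be dropped from the commit.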
@@ -0,0 +1,51 @@
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.services.hedgedoc.settings;
+ domain = "md.feal.no";
+ port = 3000;
+ host = "0.0.0.0";
+in {
+ services.hedgedoc = {
+ enable = true;
+
+ settings = {
+ inherit domain port host;
+ protocolUseSSL = true;
+ db = {
+ dialect = "sqlite";
+ storage = "/var/lib/hedgedoc/db.hedgedoc.sqlite";
+ };
+ email = false;
+ oauth2 = let
+ authServerUrl = config.services.kanidm.serverSettings.origin;
+ in {
+ baseURL = "${authServerUrl}/oauth2";
+ tokenURL = "${authServerUrl}/oauth2/token";
+ authorizationURL = "${authServerUrl}/ui/oauth2";
+ userProfileURL = "${authServerUrl}/oauth2/openid/hedgedoc/userinfo";
+
+ clientID = "hedgedoc";
+ scope = "openid email profile";
+ userProfileUsernameAttr = "name";
+ userProfileEmailAttr = "email";
+ userProfileDisplayNameAttr = "displayname";
+
+ providerName = "KaniDM";
+ # rolesClaim = "roles";
+ # accessRole = "hedgedoc_users";
+ };
+
+ };
+ };
+ #networking.firewall.allowedTCPPorts = [ port ];
+ services.nginx.virtualHosts.${domain} = {
+ locations."/" = {
+ proxyPass = "http://${host}:${toString port}/";
+ };
+
+ locations."/socket.io/" = {
+ proxyPass = "http://${host}:${toString port}/";
+ proxyWebsockets = true;
+ };
+ };
+}
diff --git a/hosts/voyager/services/kanidm.nix b/hosts/voyager/services/kanidm.nix
new file mode 100644
index 0000000..c95c8e5
--- /dev/null
+++ b/hosts/voyager/services/kanidm.nix
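Review bot: `host = "0.0.0.0"` binds HedgeDoc's plaintext HTTP listener on port 3000 to every interface, although the only consumer visible here is the nginx proxy on the same host; `host = "127.0.0.1";` keeps the upstream reachable only through nginx instead of relying on the firewall line that is left commented out. Relatedly, `protocolUseSSL = true` makes HedgeDoc build its own URLs (including the OAuth2 callback) with https, but the `services.nginx.virtualHosts.${domain}` block sets no `forceSSL` or certificate, unlike kanidm.nix in this same commit, so the vhost and the application disagree on the scheme. No `clientSecret` appears in the `oauth2` block; if it is supplied out of band (e.g. via `services.hedgedoc.environmentFile`), a comment saying where would help, and it should stay out of the world-readable Nix store. The `cfg` binding in the `let` is never used.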
@@ -0,0 +1,47 @@
+{ config, pkgs, lib, ... }:
+let
+ cfg = config.services.kanidm;
+ certPath = "/etc/ssl-snakeoil/auth_feal_no";
+ ldapbindaddress = "0.0.0.0:636";
+in {
+ # Kanidm - Identity management / auth provider
+ services.kanidm = {
+ enableServer = true;
+ serverSettings = {
+ origin = "https://${cfg.serverSettings.domain}";
+ domain = "auth.feal.no";
+ bindaddress = "127.0.1.2:8300";
+ inherit ldapbindaddress;
+
+ tls_chain = "/run/credentials/kanidm.service/cert.crt";
+ tls_key = "/run/credentials/kanidm.service/cert.key";
+ };
+ };
+
+ systemd.services.kanidm = {
+ serviceConfig.LoadCredential = [
+ "cert.crt:${certPath}.crt"
+ "cert.key:${certPath}.key"
+ ];
+ };
+
+
+ services.nginx.virtualHosts."${cfg.serverSettings.domain}" = {
+ forceSSL = true;
+ sslCertificate = "${certPath}.crt";
+ sslCertificateKey = "${certPath}.key";
+ locations."/" = {
+ proxyPass = "https://${cfg.serverSettings.bindaddress}";
+ extraConfig = ''
+ proxy_ssl_verify off;
+ '';
+ };
+ };
+
+ environment = {
+ systemPackages = [ pkgs.kanidm ];
+ etc."kanidm/config".text = ''
+ uri="${cfg.serverSettings.origin}"
+ '';
+ };
+ }
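Review bot: `ldapbindaddress = "0.0.0.0:636"` exposes Kanidm's LDAPS listener on every interface, while the HTTPS listener is deliberately kept on loopback (`bindaddress = "127.0.1.2:8300"`) behind nginx; if nothing off-host needs LDAP, `ldapbindaddress = "127.0.0.1:636";` matches that intent, and if something does, a comment naming the consumer would justify the wider bind. The key pair under `certPath` lives in a directory named `ssl-snakeoil`, which reads as a self-signed placeholder, yet nginx presents it publicly with `forceSSL = true`, and any client that verifies `https://auth.feal.no` — presumably including HedgeDoc's back-channel calls to the `tokenURL`/`userProfileURL` defined in hedgedoc.nix — will have to trust it, so a comment stating whether this is temporary and what replaces it would help. `proxy_ssl_verify off` is defensible for the loopback hop to `127.0.1.2:8300` but deserves a one-line justification, e.g. `# backend is loopback-only and uses the self-signed chain above`. `lib` is unused in the module arguments.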