From 7811c95ecf2d4ac28207bd2b9fdc7fa6d7010ac6 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Thu, 23 May 2024 09:25:08 +0200
Subject: [PATCH] nuc: add authentik-ldap
---
 hosts/nuc/default.nix | 1 -
 hosts/nuc/modules/authentik/default.nix | 18 ++++----
 hosts/nuc/modules/matrix/default.nix | 5 ++-
 hosts/nuc/modules/nginx/default.nix | 41 -------------------
 hosts/nuc/modules/seafile/default.nix | 2 +-
 secrets.nix | 3 +-
 .../nuc/{authentik.age => authentik/core.age} | 0
 secrets/nuc/authentik/ldap.age | 7 ++++
 8 files changed, 23 insertions(+), 54 deletions(-)
 delete mode 100644 hosts/nuc/modules/nginx/default.nix
 rename secrets/nuc/{authentik.age => authentik/core.age} (100%)
 create mode 100644 secrets/nuc/authentik/ldap.age
diff --git a/hosts/nuc/default.nix b/hosts/nuc/default.nix
index 5f950c3..d82e999 100644
--- a/hosts/nuc/default.nix
+++ b/hosts/nuc/default.nix
@@ -15,7 +15,6 @@
 ./modules/seafile
 ./modules/torrent
 ./modules/vaultwarden
- # ./modules/nginx
 ./modules/caddy
 ./modules/indexing
 ];
diff --git a/hosts/nuc/modules/authentik/default.nix b/hosts/nuc/modules/authentik/default.nix
index 6354bec..3043588 100644
--- a/hosts/nuc/modules/authentik/default.nix
+++ b/hosts/nuc/modules/authentik/default.nix
@@ -3,17 +3,19 @@
 let
 domain = "auth.${config.networking.domain}";
 in {
- age.secrets.authentik = {
- file = ../../../../secrets/nuc/authentik.age;
+ age.secrets.authentik-core = {
+ file = ../../../../secrets/nuc/authentik/core.age;
+ };
+ age.secrets.authentik-ldap = {
+ file = ../../../../secrets/nuc/authentik/ldap.age;
 };
 services.authentik = {
 enable = true;
- environmentFile = config.age.secrets.authentik.path;
- # nginx = {
- # enable = true;
- # enableACME = true;
- # host = domain;
- # };
+ environmentFile = config.age.secrets.authentik-core.path;
+ };
+ services.authentik-ldap = {
+ enable = true;
+ environmentFile = config.age.secrets.authentik-ldap.path;
 };
 services.caddy.virtualHosts."${domain}".extraConfig = ''
 reverse_proxy localhost:9000
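Review bot: The new `services.authentik-ldap` block sets only `enable` and `environmentFile`, so the module records neither what `ldap.age` has to provide nor where the LDAP outpost listens, and a reader cannot tell whether plain (unencrypted) LDAP is meant to be reachable beyond this host; the hunk opens no firewall port, which suggests local consumers only, but nothing says so. Suggest a comment above the block: `# LDAP outpost: ldap.age carries the outpost's AUTHENTIK_HOST/AUTHENTIK_TOKEN env; listener kept at the module default and not exposed through the firewall`. If the module keeps the outpost's upstream default of binding all interfaces, pinning the listen address to loopback in that environment file would make the intent explicit instead of relying on the firewall alone. The `authentik` → `authentik-core` rename of the agenix secret and its `environmentFile` reference looks consistent within the hunk.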
diff --git a/hosts/nuc/modules/matrix/default.nix b/hosts/nuc/modules/matrix/default.nix index 0b8d08e..67d2ef2 100644 --- a/hosts/nuc/modules/matrix/default.nix +++ b/hosts/nuc/modules/matrix/default.nix @@ -74,7 +74,8 @@ in # element "${domainClient}".extraConfig = '' - root '${pkgs.element-web.override { + file_server browse + root * ${pkgs.element-web.override { conf = { default_server_config = { inherit (clientConfig) "m.homeserver"; @@ -82,7 +83,7 @@ in }; disable_3pid_login = true; }; - }}' + }} ''; }; }; diff --git a/hosts/nuc/modules/nginx/default.nix b/hosts/nuc/modules/nginx/default.nix deleted file mode 100644 index 6719eb6..0000000 --- a/hosts/nuc/modules/nginx/default.nix +++ /dev/null @@ -1,41 +0,0 @@ -{ pkgs, lib, config, ... }: -{ - # set default options for virtualHosts - options = with lib; { - services.nginx.virtualHosts = mkOption { - type = types.attrsOf (types.submodule - ({ name, ... }: { - # split up nginx access logs per vhost - enableACME = true; - forceSSL = true; - # enable http3 for all hosts - quic = true; - http3 = true; - extraConfig = '' - access_log /var/log/nginx/${name}_access.log; - error_log /var/log/nginx/${name}_error.log; - add_header Alt-Svc 'h3=":443"; ma=86400'; - ''; - }) - ); - }; - }; - config = { - networking.firewall.allowedTCPPorts = [ 80 443 ]; - networking.firewall.allowedUDPPorts = [ 443 ]; - services.nginx = { - enable = true; - package = pkgs.nginxQuic; - recommendedTlsSettings = true; - recommendedProxySettings = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - }; - security.acme = { - acceptTerms = true; - defaults = { - email = "rouven@${config.networking.domain}"; - }; - }; - }; -} diff --git a/hosts/nuc/modules/seafile/default.nix b/hosts/nuc/modules/seafile/default.nix index d231495..9136cf9 100644 --- a/hosts/nuc/modules/seafile/default.nix +++ b/hosts/nuc/modules/seafile/default.nix 
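Review bot: `file_server browse` on the element vhost enables directory listings for the whole element-web store path, which serving the app does not need (its `index.html` is the entry point) and which lets any visitor enumerate the bundle's files; `file_server` alone is enough: `file_server`. Dropping the quotes around the `root` path is fine, since a Nix store path contains no spaces. The `virtualHosts` attribute this hunk edits starts before the hunk, and its closing lines sit in the second hunk of this file.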
@@ -35,7 +35,7 @@ in redir /accounts/login /oauth/login reverse_proxy unix//run/seahub/gunicorn.sock route /media/* { - root '${pkgs.seahub}' + root * ${pkgs.seahub} } route /seafhttp/* { diff --git a/secrets.nix b/secrets.nix index e255c53..86010a7 100644 --- a/secrets.nix +++ b/secrets.nix @@ -22,7 +22,8 @@ in "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ]; "secrets/nuc/mullvad.age".publicKeys = [ rouven nuc ]; "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ]; - "secrets/nuc/authentik.age".publicKeys = [ rouven nuc ]; + "secrets/nuc/authentik/core.age".publicKeys = [ rouven nuc ]; + "secrets/nuc/authentik/ldap.age".publicKeys = [ rouven nuc ]; "secrets/nuc/cache.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ]; diff --git a/secrets/nuc/authentik.age b/secrets/nuc/authentik/core.age similarity index 100% rename from secrets/nuc/authentik.age rename to secrets/nuc/authentik/core.age diff --git a/secrets/nuc/authentik/ldap.age b/secrets/nuc/authentik/ldap.age new file mode 100644 index 0000000..0a4b06e --- /dev/null +++ b/secrets/nuc/authentik/ldap.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 uWbAHQ 3GSNWb2Oly++M5tvybIiDwr2yMJ/1OGDlfXMMsjFkkI +yQpVNnYmv0SOtSy6K6KBuCPpOWJ1D//tWL4QkfbQqCI +-> ssh-ed25519 2TRdXg Eme+V3YHksjnqGsbWILJWyiLyh2EqqZ2VbylKVa9TAY +tJyYG2C6cykSUipTFzbAh5/UkUZ5KOsJjOeis/+sMks +--- tEpEe7Vh4XVOFgAQHCx42pFcx7P2XV4LqFXVJsv/Ug8 +%ֺo$"ؽ0֗2'nHٶl7j ne/-\?3zG"r*Ћ0У;me.ٍ1@9 F!*%>,̍R)yjUlFݨ1>V p%iM*wě \ No newline at end of file
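Review bot: The rewritten `route /media/* { root * ${pkgs.seahub} }` block only sets the root; unlike the matrix hunk in this same commit it is not paired with a `file_server`, so unless one is declared at the site level outside this hunk, requests under `/media/*` still have no handler that serves those files. If that is the case, the fix is a `file_server` line directly after `root * ${pkgs.seahub}`. The `extraConfig` string this hunk edits starts before the hunk.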