diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml new file mode 100644 index 0000000..93d16c5 --- /dev/null +++ b/.github/workflows/fmt.yaml @@ -0,0 +1,27 @@ +name: main + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + check-flake: + name: Nixpkgs Formatting + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Install Nix + uses: cachix/install-nix-action@v18 + with: + extra_nix_config: | + experimental-features = nix-command flakes + + - run: nix-channel --add https://nixos.org/channels/nixos-22.11 nixos + - run: nix-channel --update + - run: nix shell nixpkgs#nixpkgs-fmt -c nixpkgs-fmt . --check diff --git a/config/portunus_seeds.json b/config/portunus_seeds.json new file mode 100644 index 0000000..dc28aba --- /dev/null +++ b/config/portunus_seeds.json @@ -0,0 +1,39 @@ +{ + "groups": [ + { + "name": "admins", + "long-name": "Portunus Admins", + "members": ["admin"], + "permissions": { + "portunus": { "is-admin": true }, + "ldap": { "can-read": true } + } + }, + { + "name": "ifsr", + "long-name": "Mitglieder des ifsr", + "members": [], + "permissions": { + "portunus": { "is-admin": false }, + "ldap": { "can-read": false } + } + }, + { + "name": "strukturer", + "long-name": "Strukturer des ifsr", + "members": [], + "permissions": { + "portunus": { "is-admin": false }, + "ldap": { "can-read": false } + } + } + ], + "users": [ + { + "login_name": "admin", + "given_name": "admin", + "family_name": "admin", + "password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_admin"] } + } + ] +} diff --git a/flake.lock b/flake.lock index 7698a4f..714027c 100644 --- a/flake.lock +++ b/flake.lock @@ -69,34 +69,34 @@ "type": "github" } }, - "nixpkgs-22_05": { + "nixpkgs-stable": { "locked": { - "lastModified": 1668307144, - "narHash": "sha256-uY2StvGJvTfgtLaiz3uvX+EQeWZDkiLFiz2vekgJ9ZE=", + "lastModified": 1670146390, + "narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "eac99848dfd869e486573d8272b0c10729675ca2", + "rev": "86370507cb20c905800527539fc049a2bf09c667", "type": "github" }, "original": { "owner": "NixOS", - "ref": "release-22.05", + "ref": "release-22.11", "repo": "nixpkgs", "type": "github" } }, "nixpkgs_2": { "locked": { - "lastModified": 1668595291, - "narHash": "sha256-j8cyfbtT5sAYPYwbERgTDzfD48ZernL0/V668eGpXAM=", + "lastModified": 1671215800, + "narHash": "sha256-2W54K41A7MefEaWzgL/TsaWlhKRK/RhWUybyOW4i0K8=", "owner": "nixos", "repo": "nixpkgs", - "rev": "6474d93e007e4d165bcf48e7f87de2175c93d10b", + "rev": "9d692a724e74d2a49f7c985132972f991d144254", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-22.05", + "ref": "nixos-22.11", "repo": "nixpkgs", "type": "github" } @@ -113,14 +113,14 @@ "nixpkgs": [ "nixpkgs" ], - "nixpkgs-22_05": "nixpkgs-22_05" + "nixpkgs-stable": "nixpkgs-stable" }, "locked": { - "lastModified": 1668311578, - "narHash": "sha256-nF6mwSbVyvnlIICWFZlADegWdTsgrk1pZnA/0VqByNw=", + "lastModified": 1670149631, + "narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=", "owner": "Mic92", "repo": "sops-nix", - "rev": "39f0fe57f1ef78764c1abc1de145f091fee1bbbb", + "rev": "da98a111623101c64474a14983d83dad8f09f93d", "type": "github" }, "original": { diff --git a/flake.nix b/flake.nix index 973bcda..335440c 100755 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,6 @@ { inputs = { - nixpkgs.url = github:nixos/nixpkgs/nixos-22.05; + nixpkgs.url = github:nixos/nixpkgs/nixos-22.11; sops-nix.url = github:Mic92/sops-nix; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; fsr-infoscreen.url = github:fsr/infoscreen; @@ -56,9 +56,11 @@ modules = [ inputs.sops-nix.nixosModules.sops ./hosts/quitte/configuration.nix + ./modules/options.nix ./modules/base.nix ./modules/sops.nix - ./modules/keycloak.nix + ./modules/ldap.nix + # ./modules/keycloak.nix replaced by portunus ./modules/nginx.nix ./modules/hedgedoc.nix ./modules/wiki.nix @@ -66,6 +68,8 @@ ./modules/nextcloud.nix ./modules/matrix.nix { + fsr.enable_office_bloat = false; + fsr.domain = "staging.ifsr.de"; sops.defaultSopsFile = ./secrets/quitte.yaml; } ]; @@ -75,8 +79,9 @@ modules = [ inputs.sops-nix.nixosModules.sops ./hosts/quitte/configuration.nix + ./modules/options.nix ./modules/base.nix - ./modules/keycloak.nix + # ./modules/keycloak.nix replaced by portunus ./modules/nginx.nix ./modules/hedgedoc.nix ./modules/wiki.nix diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix index 501b0d9..3c8b776 100644 --- a/modules/hedgedoc.nix +++ b/modules/hedgedoc.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: let - domain = "pad.quitte.tassilo-tanneberger.de"; + domain = "pad.${config.fsr.domain}"; in { services = { diff --git a/modules/ldap.nix b/modules/ldap.nix new file mode 100644 index 0000000..7d39bea --- /dev/null +++ b/modules/ldap.nix @@ -0,0 +1,67 @@ +{ config, ... }: +let + domain = "auth.${config.fsr.domain}"; + + portunusUser = "portunus"; + portunusGroup = "portunus"; + + ldapUser = "openldap"; + ldapGroup = "openldap"; +in +{ + users.users."${portunusUser}" = { + isSystemUser = true; + group = "${portunusGroup}"; + }; + + users.groups."${portunusGroup}" = { + name = "${portunusGroup}"; + members = [ "${portunusUser}" ]; + }; + + users.users."${ldapUser}" = { + isSystemUser = true; + group = "${ldapGroup}"; + }; + + users.groups."${ldapGroup}" = { + name = "${ldapGroup}"; + members = [ "${ldapUser}" ]; + }; + + sops.secrets."portunus_admin" = { + owner = "${portunusUser}"; + group = "${portunusGroup}"; + }; + + services.portunus = { + enable = true; + user = "${portunusUser}"; + group = "${portunusGroup}"; + domain = "${domain}"; + ldap = { + user = "${ldapUser}"; + group = "${ldapGroup}"; + suffix = "dc=ifsr,dc=de"; + tls = true; + }; + + seedPath = ../config/portunus_seeds.json; + }; + + services.nginx = { + enable = true; + virtualHosts."${config.services.portunus.domain}" = { + forceSSL = true; + enableACME = true; + locations = { + "/".proxyPass = "http://localhost:${toString config.services.portunus.port}"; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ + 80 # http + 443 # https + ]; +} diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index 407f847..373466d 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: let - domain = "nc.quitte.fugi.dev"; + domain = "nc.${config.fsr.domain}"; in { sops.secrets = { diff --git a/modules/options.nix b/modules/options.nix index 26868ae..dc8f4d5 100644 --- a/modules/options.nix +++ b/modules/options.nix @@ -1,7 +1,14 @@ { config, lib, ... }: with lib; { - options.fsr.enable_office_bloat = mkOption { - type = types.bool; - default = false; - description = "install heavy office bloat like texlive, okular, ..."; + options.fsr = { + enable_office_bloat = mkOption { + type = types.bool; + default = false; + description = "install heavy office bloat like texlive, okular, ..."; + }; + domain = mkOption { + type = types.str; + default = "ifsr.de"; + description = "under which top level domain the services should run"; + }; }; } diff --git a/modules/stream.nix b/modules/stream.nix index 2d7bb7f..088840d 100644 --- a/modules/stream.nix +++ b/modules/stream.nix @@ -10,7 +10,7 @@ in services = { nginx = { virtualHosts = { - "stream.ifsr.de" = { + "stream.${config.fsr.domain}" = { enableACME = true; forceSSL = true; locations."/" = diff --git a/modules/wiki.nix b/modules/wiki.nix index 23767c8..aa4e5cc 100644 --- a/modules/wiki.nix +++ b/modules/wiki.nix @@ -116,10 +116,6 @@ $wgPluggableAuth_EnableLocalLogin = true; ''; extensions = { - #Cite = pkgs.fetchzip { - # url = "https://web.archive.org/web/20220627203658/https://extdist.wmflabs.org/dist/extensions/Cite-REL1_38-d40993e.tar.gz"; - # sha256 = "sha256-dziMo6sH4yMPjnDtt0TXiGBxE5uGRJM+scwdeuer5sM="; - #}; CiteThisPage = pkgs.fetchzip { url = "https://web.archive.org/web/20220627203556/https://extdist.wmflabs.org/dist/extensions/CiteThisPage-REL1_38-bb4881c.tar.gz"; sha256 = "sha256-sTZMCLlOkQBEmLiFz2BQJpWRxSDbpS40EZQ+f/jFjxI="; @@ -128,10 +124,6 @@ url = "https://web.archive.org/web/20220627203619/https://extdist.wmflabs.org/dist/extensions/ConfirmEdit-REL1_38-50f4dfd.tar.gz"; sha256 = "sha256-babZDzcQDE446TBuGW/olbt2xRbPjk+5o3o9DUFlCxk="; }; - #DynamicPageList = pkgs.fetchzip { - # url = "https://web.archive.org/web/20220627203129/https://extdist.wmflabs.org/dist/extensions/DynamicPageList-REL1_38-3b7a26d.tar.gz"; - # sha256 = "sha256-WjVLks0Q9hSN2poqbKzTJhvOXog7UHJqjY2WJ4Uc64o="; - #}; Lockdown = pkgs.fetchzip { url = "https://web.archive.org/web/20220627203048/https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_38-1915db4.tar.gz"; sha256 = "sha256-YCYsjh/3g2P8oT6IomP3UWjOoggH7jYjiiix7poOYnA="; @@ -188,7 +180,7 @@ nginx = { recommendedProxySettings = true; virtualHosts = { - "wiki.quitte.tassilo-tanneberger.de" = { + "wiki.${config.fsr.domain}" = { enableACME = true; forceSSL = true; locations."/" = { diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml index 5feab36..716bca9 100644 --- a/secrets/quitte.yaml +++ b/secrets/quitte.yaml @@ -4,6 +4,7 @@ postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str] hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str] wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str] +portunus_admin: ENC[AES256_GCM,data:bPuYdfpWJtYib9lUcXHVZeGerskd5vs5IOe+DE9Q7OOPkAwp,iv:6ZjjfQ3E1xxYjmEg7o849RZzUt8dyXjI84DSfPYGUWQ=,tag:JJpOLjPs8YdEBl3xGGAzbg==,type:str] mediawiki: postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str] initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str] @@ -23,8 +24,8 @@ sops: Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-18T15:28:28Z" - mac: ENC[AES256_GCM,data:+o08gLLG3tz9uheJOMeKWtdvcRjgdcpOFUjSW3sHdFWC/FM5dcwDgBAtTO3/pPB6+e//SfpZgIWq1EASpgChPmE61K0U1lnYK/5gBY1QMDZ9tLgl8VjQ1ShVSeTL/dLWopBEVeDT0cR8jhJ+MIaVTEzMLK8I2qn/LaZqEktMPSg=,iv:N5TPSuijpULToU4EoZ7P6bL0sMZ1Jfu10Jxmnpzh4Ec=,tag:UIHIM+CMNS70ivKtEzbR3w==,type:str] + lastmodified: "2022-12-17T17:42:18Z" + mac: ENC[AES256_GCM,data:qLBASH8XmcHjTFrxdEqyk7KwXHEGx9hT6Jvqw1JMtZDhP95OjKNRySh5fptG1+Jz1ZIaG5zwDWdzV2/GXGru06dDR8bZYoXCboa0YR1NSESZ9f95n9v1HYQf/oSww8KHTP3METZ/1oS7i1nQdL5FxLFTK+nx77uQ1VxX7Ztl85Y=,iv:jEWOsxeTamGGNVw8OXFQT9o5MIyE7EMPAYEdfQesLZw=,tag:vUZK+H93qUursPwfoTpEJg==,type:str] pgp: - created_at: "2022-11-18T16:37:48Z" enc: |