From 00291f7e9f0415bf9fb53955eb83e5567a13bf77 Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Fri, 2 Dec 2022 14:25:55 +0100 Subject: [PATCH 01/23] basic ldap/portunus config - config im moment nur auf meiner infra funktionstauglich, login auf website funktioniert - keine integrations getestet --- modules/ldap.nix | 53 ++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 53 insertions(+) create mode 100644 modules/ldap.nix diff --git a/modules/ldap.nix b/modules/ldap.nix new file mode 100644 index 0000000..fe4c3b0 --- /dev/null +++ b/modules/ldap.nix @@ -0,0 +1,53 @@ +{config, ...}: let + # temporary url, zum testen auf laptop zuhause + tld = "moe"; + hostname = "eisvogel"; + domain = "portunus.${hostname}.${tld}"; +in { + # TODO: acme/letsencrypt oder andere lösung? + # + services.nginx = { + enable = true; + virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + locations = { + "/".proxyPass = "http://localhost:${toString config.services.portunus.port}"; + "/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}"; + }; + }; + }; + + services.portunus = { + enable = true; + domain = "${domain}"; + ldap = { + suffix = "dc=${hostname},dc=${tld}"; + tls = true; + }; + + # TODO: siehe unten sops, statische config + # seedPath = ""; + + # falls wir das brauchen + # dex = { + # enable = true; + # ... + # }; + # searchUserName = "xxx"; + }; + + users.ldap = { + enable = true; + server = "ldaps://${domain}"; + base = "dc=${hostname},dc=${tld}"; + # useTLS = true; # nicht noetig weil ldaps domain festgelegt. wuerde sonst starttls auf port 389 versuchen + }; + + networking.firewall.allowedTCPPorts = [ + 80 # http + 443 # https + 636 # ldaps + ]; + # TODO: sops zeug, keine ahnung wie das (ordentlich) gemacht wird/gemacht werden soll +} From 29e69b67edbd4e635d2489b57c7c7647c3ffb560 Mon Sep 17 00:00:00 2001 
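Review bot: `users.ldap.enable = true;` together with `server = "ldaps://${domain}"` makes the OpenLDAP directory an account source for the host itself — NSS lookups and, with the module's defaults, PAM logins — so every user later seeded into Portunus becomes a candidate local account on the machine, which is a much wider exposure than the web login the commit message mentions. Patch 14 of this series drops the block again; should it be reinstated, scope it explicitly, e.g. `users.ldap.loginPam = false;` when only name resolution is wanted. Opening 636 in `networking.firewall.allowedTCPPorts` is likewise only needed if clients outside the host bind to LDAPS directly — the `users.ldap` client and the nginx proxy both run locally — and patch 22 removes it. The `# TODO: acme/letsencrypt oder andere lösung?` comment sits two lines above `enableACME = true;` and reads as stale.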
From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 13:58:06 +0100 Subject: [PATCH 02/23] expanded portunus config - daclaritve portunus and openldap users/groups - basic sops stuff still needs discussion --- modules/ldap.nix | 66 ++++++++++++++++++++++++++++++++++++------------ 1 file changed, 50 insertions(+), 16 deletions(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index fe4c3b0..bced946 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -3,31 +3,53 @@ tld = "moe"; hostname = "eisvogel"; domain = "portunus.${hostname}.${tld}"; + + portunusUser = "portunus"; + portunusGroup = "portunus"; + + ldapUser = "openldap"; + ldapGroup = "openldap"; in { - # TODO: acme/letsencrypt oder andere lösung? - # - services.nginx = { - enable = true; - virtualHosts."${domain}" = { - forceSSL = true; - enableACME = true; - locations = { - "/".proxyPass = "http://localhost:${toString config.services.portunus.port}"; - "/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}"; - }; - }; + users.users."${portunusUser}" = { + isSystemUser = true; + group = "${portunusGroup}"; + }; + + users.groups."${portunusGroup}" = { + name = "${portunusGroup}"; + members = ["${portunusUser}"]; + }; + + users.users."${ldapUser}" = { + isSystemUser = true; + group = "${ldapGroup}"; + }; + + users.groups."${ldapGroup}" = { + name = "${ldapGroup}"; + members = ["${ldapUser}"]; + }; + + # TODO: eigenes secrets.yaml für seedfile? + sops.secrets.portunus_seedfile = { + owner = "${portunusUser}"; + group = "${portunusGroup}"; }; services.portunus = { enable = true; + user = "${portunusUser}"; + group = "${portunusGroup}"; domain = "${domain}"; ldap = { + user = "${ldapUser}"; + group = "${ldapGroup}"; suffix = "dc=${hostname},dc=${tld}"; tls = true; }; - # TODO: siehe unten sops, statische config - # seedPath = ""; + # TODO: wohin seed file? + seedPath = ""; # falls wir das brauchen # dex = { 
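Review bot: `seedPath = "";` is now an active setting holding an empty string, and the `sops.secrets.portunus_seedfile` declared a few lines above it is referenced nowhere in the hunk; as far as I know the upstream option is typed as a path, so the empty string should fail evaluation, and sops-nix checks that a `portunus_seedfile` key exists in the default sops file, which this commit does not add. If the seed is meant to come from that secret, wire the two together with `seedPath = config.sops.secrets.portunus_seedfile.path;`, otherwise keep the line commented until a seed file exists. Patches 12 and 20 later replace this with a store path, so this mainly matters when bisecting the series.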
@@ -41,7 +63,20 @@ in { enable = true; server = "ldaps://${domain}"; base = "dc=${hostname},dc=${tld}"; - # useTLS = true; # nicht noetig weil ldaps domain festgelegt. wuerde sonst starttls auf port 389 versuchen + # useTLS = true; # nicht nötig weil ldaps domain festgelegt. würde sonst starttls auf port 389 versuchen + }; + + # TODO: acme/letsencrypt oder andere lösung? + services.nginx = { + enable = true; + virtualHosts."${config.services.portunus.domain}" = { + forceSSL = true; + enableACME = true; + locations = { + "/".proxyPass = "http://localhost:${toString config.services.portunus.port}"; + "/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}"; + }; + }; }; networking.firewall.allowedTCPPorts = [ @@ -49,5 +84,4 @@ in { 443 # https 636 # ldaps ]; - # TODO: sops zeug, keine ahnung wie das (ordentlich) gemacht wird/gemacht werden soll } From db63f4eb8d3f43f7ea624b267ddd4330d31e0b38 Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 17:42:10 +0100 Subject: [PATCH 03/23] format ldap.nix --- modules/ldap.nix | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index bced946..697bca1 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -1,4 +1,5 @@ -{config, ...}: let +{ config, ... }: +let # temporary url, zum testen auf laptop zuhause tld = "moe"; hostname = "eisvogel"; @@ -9,7 +10,8 @@ ldapUser = "openldap"; ldapGroup = "openldap"; -in { +in +{ users.users."${portunusUser}" = { isSystemUser = true; group = "${portunusGroup}"; @@ -17,7 +19,7 @@ in { users.groups."${portunusGroup}" = { name = "${portunusGroup}"; - members = ["${portunusUser}"]; + members = [ "${portunusUser}" ]; }; users.users."${ldapUser}" = { @@ -27,7 +29,7 @@ in { users.groups."${ldapGroup}" = { name = "${ldapGroup}"; - members = ["${ldapUser}"]; + members = [ "${ldapUser}" ]; }; # TODO: eigenes secrets.yaml für seedfile? 
From dee80f1127caef8b4e32c6431680aea8c984155e Mon Sep 17 00:00:00 2001 From: revol-xut Date: Sat, 17 Dec 2022 17:46:09 +0100 Subject: [PATCH 04/23] addning nixpkgs fmt ci --- .github/workflows/fmt.yaml | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) create mode 100644 .github/workflows/fmt.yaml diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml new file mode 100644 index 0000000..1bffffa --- /dev/null +++ b/.github/workflows/fmt.yaml @@ -0,0 +1,25 @@ +name: main + +on: + push: + branches: + - main + pull_request: + branches: + - main + +jobs: + check-flake: + name: Check Flake + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v3 + + - name: Install Nix + uses: cachix/install-nix-action@v18 + with: + extra_nix_config: | + experimental-features = nix-command flakes + + - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt .' From c8f8779e4b9029950ade9e69e9b8bec630b625a5 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Sat, 17 Dec 2022 17:46:35 +0100 Subject: [PATCH 05/23] nixpkgs-fmt forgot the --check flag --- .github/workflows/fmt.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml index 1bffffa..6f8d3f4 100644 --- a/.github/workflows/fmt.yaml +++ b/.github/workflows/fmt.yaml @@ -22,4 +22,4 @@ jobs: extra_nix_config: | experimental-features = nix-command flakes - - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt .' + - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt . --check' From e6d173f07ff30909d0db96bc383a2a9118135064 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Sat, 17 Dec 2022 17:48:47 +0100 Subject: [PATCH 06/23] github ci updating channel --- .github/workflows/fmt.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml index 6f8d3f4..dc26e7a 100644 --- a/.github/workflows/fmt.yaml +++ b/.github/workflows/fmt.yaml 
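Review bot: The workflow declares no `permissions:` block, so the job runs with the repository's default `GITHUB_TOKEN` scope, which is more than a read-only formatting check needs; add a top-level `permissions:` with `contents: read`. `actions/checkout@v3` and `cachix/install-nix-action@v18` are referenced by mutable tags, so what executes on `pull_request` can change without any commit to this repository — pin both to a full commit SHA and keep the tag in a trailing comment. The job id `check-flake` and `name: Check Flake` describe a flake check, but the only step runs `nixpkgs-fmt`; patch 10 renames the display name but leaves the id.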
@@ -22,4 +22,5 @@ jobs: extra_nix_config: | experimental-features = nix-command flakes + - run: nix-channel --update - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt . --check' From 9776469317bff5604ae602d1e4a26a1078f93183 Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 17:50:33 +0100 Subject: [PATCH 07/23] include ldap.nix in flake --- flake.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/flake.nix b/flake.nix index bd91d47..99a38a7 100755 --- a/flake.nix +++ b/flake.nix @@ -59,6 +59,7 @@ ./modules/base.nix ./modules/sops.nix ./modules/keycloak.nix + ./modules/ldap.nix ./modules/nginx.nix ./modules/hedgedoc.nix ./modules/wiki.nix From e0ef7537e10dc1c7a177148c994654c0cf20f3ed Mon Sep 17 00:00:00 2001 From: revol-xut Date: Sat, 17 Dec 2022 17:52:51 +0100 Subject: [PATCH 08/23] updating and adding channel --- .github/workflows/fmt.yaml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml index dc26e7a..dd730bd 100644 --- a/.github/workflows/fmt.yaml +++ b/.github/workflows/fmt.yaml @@ -21,6 +21,7 @@ jobs: with: extra_nix_config: | experimental-features = nix-command flakes - + - run: nix-channel --list + - run: nix-channel --add https://nixos.org/channels/nixos-22.11 nixos - run: nix-channel --update - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt . --check' From 3395b4740530925b2b94ff7c949c7881aab5e988 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Sat, 17 Dec 2022 17:57:05 +0100 Subject: [PATCH 09/23] lisiting channels --- .github/workflows/fmt.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml index dd730bd..d9e3359 100644 --- a/.github/workflows/fmt.yaml +++ b/.github/workflows/fmt.yaml 
@@ -24,4 +24,5 @@ jobs: - run: nix-channel --list - run: nix-channel --add https://nixos.org/channels/nixos-22.11 nixos - run: nix-channel --update + - run: nix-channel --list - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt . --check' From 01129ebf173945c9ce18ffa3731f2e9caa63dbf9 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Sat, 17 Dec 2022 18:01:28 +0100 Subject: [PATCH 10/23] using modern nix --- .github/workflows/fmt.yaml | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml index d9e3359..ba75025 100644 --- a/.github/workflows/fmt.yaml +++ b/.github/workflows/fmt.yaml @@ -10,7 +10,7 @@ on: jobs: check-flake: - name: Check Flake + name: Nixpkgs Formatting runs-on: ubuntu-latest steps: @@ -21,8 +21,10 @@ jobs: with: extra_nix_config: | experimental-features = nix-command flakes + - run: nix-channel --list - run: nix-channel --add https://nixos.org/channels/nixos-22.11 nixos - run: nix-channel --update - run: nix-channel --list + - run: nix shell nixpkgs#nixpkgs-fmt -c nixpkgs-fmt . --check - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt . --check' From 09d8697f7a2c03977ef04e8e3050008cf4f2c015 Mon Sep 17 00:00:00 2001 From: revol-xut Date: Sat, 17 Dec 2022 18:05:19 +0100 Subject: [PATCH 11/23] removing old command from pipeline --- .github/workflows/fmt.yaml | 3 --- 1 file changed, 3 deletions(-) diff --git a/.github/workflows/fmt.yaml b/.github/workflows/fmt.yaml index ba75025..93d16c5 100644 --- a/.github/workflows/fmt.yaml +++ b/.github/workflows/fmt.yaml @@ -22,9 +22,6 @@ jobs: extra_nix_config: | experimental-features = nix-command flakes - - run: nix-channel --list - run: nix-channel --add https://nixos.org/channels/nixos-22.11 nixos - run: nix-channel --update - - run: nix-channel --list - run: nix shell nixpkgs#nixpkgs-fmt -c nixpkgs-fmt . --check - - run: nix-shell -p nixpkgs-fmt --run 'nixpkgs-fmt . --check' 
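Review bot: `nix shell nixpkgs#nixpkgs-fmt` resolves `nixpkgs` through the flake registry, not through the channel that the preceding `nix-channel --add … nixos` and `nix-channel --update` steps install, so as far as I can tell those two steps do not influence which formatter runs and the check floats with whatever the registry entry points to at the time. Using the repository's own locked input makes the check reproducible and lets both channel steps go: `- run: nix shell --inputs-from . nixpkgs#nixpkgs-fmt -c nixpkgs-fmt . --check`. The same applies to patches 06, 08 and 10, which introduced the channel steps.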
From f3ac390cf9eff37a15964bb38960046dd0c0ebf6 Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 18:27:16 +0100 Subject: [PATCH 12/23] add portunus seeds file with basic groups, no users --- config/portunus_seeds.json | 34 ++++++++++++++++++++++++++++++++++ modules/ldap.nix | 11 +---------- 2 files changed, 35 insertions(+), 10 deletions(-) create mode 100644 config/portunus_seeds.json diff --git a/config/portunus_seeds.json b/config/portunus_seeds.json new file mode 100644 index 0000000..58900aa --- /dev/null +++ b/config/portunus_seeds.json @@ -0,0 +1,34 @@ +{ + "groups": [ + { + "name": "admins", + "long-name": "Portunus Admins", + "members": [], + "permissions": { + "portunus": { "is-admin": true }, + "ldap": { "can-read": true } + } + }, + { + "name": "ifsr", + "long-name": "Mitglieder des ifsr", + "members": [], + "permissions": { + "portunus": { "is-admin": false }, + "ldap": { "can-read": false } + } + }, + { + "name": "strukturer", + "long-name": "Strukturer des ifsr", + "members": [], + "permissions": { + "portunus": { "is-admin": false }, + "ldap": { "can-read": false } + } + } + ], + "users": [ + {} + ] +} diff --git a/modules/ldap.nix b/modules/ldap.nix index 697bca1..edbdc14 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -50,15 +50,7 @@ in tls = true; }; - # TODO: wohin seed file? - seedPath = ""; - - # falls wir das brauchen - # dex = { - # enable = true; - # ... - # }; - # searchUserName = "xxx"; + seedPath = "../config/portunus_seeds.json"; }; users.ldap = { @@ -68,7 +60,6 @@ in # useTLS = true; # nicht nötig weil ldaps domain festgelegt. würde sonst starttls auf port 389 versuchen }; - # TODO: acme/letsencrypt oder andere lösung? services.nginx = { enable = true; virtualHosts."${config.services.portunus.domain}" = { From eece008de6dd559aa5de451eaebc1d1d702052d8 Mon Sep 17 00:00:00 2001 
From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 18:48:30 +0100 Subject: [PATCH 13/23] add admin user with sops secured password --- config/portunus_seeds.json | 7 ++++++- modules/ldap.nix | 2 +- secrets/quitte.yaml | 5 +++-- 3 files changed, 10 insertions(+), 4 deletions(-) diff --git a/config/portunus_seeds.json b/config/portunus_seeds.json index 58900aa..63a399b 100644 --- a/config/portunus_seeds.json +++ b/config/portunus_seeds.json @@ -29,6 +29,11 @@ } ], "users": [ - {} + { + "login_name": "admin", + "given_name": "admin", + "family_name": "admin", + "password": { "from_command": ["/usr/bin/env", "cat", "/run/secrets/portunus_admin"] } + } ] } diff --git a/modules/ldap.nix b/modules/ldap.nix index edbdc14..80aef7d 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -33,7 +33,7 @@ in }; # TODO: eigenes secrets.yaml für seedfile? - sops.secrets.portunus_seedfile = { + sops.secrets."portunus_admin" = { owner = "${portunusUser}"; group = "${portunusGroup}"; }; diff --git a/secrets/quitte.yaml b/secrets/quitte.yaml index 5feab36..716bca9 100644 --- a/secrets/quitte.yaml +++ b/secrets/quitte.yaml 
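Review bot: The new user entry uses snake_case keys (`login_name`, `given_name`, `family_name`, `from_command`) while the groups added in patch 12 use kebab-case (`long-name`, `is-admin`, `can-read`); I believe Portunus documents its seed format in snake_case throughout, so if the loader ignores or rejects unknown keys the `admins` group would be created without the admin and LDAP-read permissions this seed intends — verify against the Portunus seed documentation and align the group keys. The password is read via `from_command` from `/run/secrets/portunus_admin`, which matches the renamed `sops.secrets."portunus_admin"` in this commit; the `owner`/`group` set there are presumably what lets the service user running the seed read the file, so they must follow `portunusUser` if it ever changes. Since JSON cannot reference `config.sops.secrets.portunus_admin.path`, a comment next to the sops declaration such as `# path is hard-coded in config/portunus_seeds.json (from_command)` would keep the two in sync.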
@@ -4,6 +4,7 @@ postgres_nextcloud: ENC[AES256_GCM,data:Lv0Ld3sf+hoUE2qrsf9qGSYf5aVLqm5GIbK2hEoR
 nextcloud_adminpass: ENC[AES256_GCM,data:EMvcFOGJz45P4nvJ5Yy4SziWa2pUWBqt4ZZdde6wegk=,iv:tG9bhB7HPprZMnfV/uC/v7fqmjQd5d4Oj5avOtK2/0A=,tag:8jBDpnahwQsXsD2Ivf6jDw==,type:str]
 hedgedoc_session_secret: ENC[AES256_GCM,data:uz7KggZqeZ2eqiCnOcnYh2I1p5BBXTQbC8PUhB2kM2U=,iv:aJDHKCPkccCT/OF6AGZMfRESNmoV9muGHbuCUfLQhH8=,tag:uEVXylpE8MSebqRr+4mQOw==,type:str]
 wg-seckey: ENC[AES256_GCM,data:NHk6E5uu3CshC/0//LoGk6iCGKWbx49wVVkjoMqF19gc7MhdHAn9aJD+0Zc=,iv:N3PuU7+QSW9aD0ZhTI7CmMI3drLIzO7XaW3mgEDp/sk=,tag:fxH4eRIboy9O15oul7JOTw==,type:str]
+portunus_admin: ENC[AES256_GCM,data:bPuYdfpWJtYib9lUcXHVZeGerskd5vs5IOe+DE9Q7OOPkAwp,iv:6ZjjfQ3E1xxYjmEg7o849RZzUt8dyXjI84DSfPYGUWQ=,tag:JJpOLjPs8YdEBl3xGGAzbg==,type:str]
 mediawiki:
 postgres: ENC[AES256_GCM,data:XRfUc2PRMJcoILAnm5MWr2Cg5u4e/IhGMUnz/oIQSzY=,iv:8U+qlD1SQzxUyD/6QK4SdwRCDyMODK/lP0IDrLlcQ4U=,tag:2spNMj9dY2wWilOusq24yQ==,type:str]
 initial_admin: ENC[AES256_GCM,data:iET5rz9rygx49NDBjKwqAlRgpeS+jq5iM5zmjnoKcyk=,iv:11iDbCrpzjCdyAB22R8NknJ6vzcpVZXCXB3iWsGWXw0=,tag:1RCyg1ysOWaXKdqqdHqRrw==,type:str]
@@ -23,8 +24,8 @@ sops: Z212K3JDWmRsZmVpdjBaUE1kL3phMm8K/x3Ssn0LEO7BfTUoOJQ6h88vlwA/AvQj KsosHSWO7vsgqKPPO+OPbHV1y8OTAKubcrk5szTUWBNOvggIw3nWDA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-11-18T15:28:28Z" - mac: ENC[AES256_GCM,data:+o08gLLG3tz9uheJOMeKWtdvcRjgdcpOFUjSW3sHdFWC/FM5dcwDgBAtTO3/pPB6+e//SfpZgIWq1EASpgChPmE61K0U1lnYK/5gBY1QMDZ9tLgl8VjQ1ShVSeTL/dLWopBEVeDT0cR8jhJ+MIaVTEzMLK8I2qn/LaZqEktMPSg=,iv:N5TPSuijpULToU4EoZ7P6bL0sMZ1Jfu10Jxmnpzh4Ec=,tag:UIHIM+CMNS70ivKtEzbR3w==,type:str] + lastmodified: "2022-12-17T17:42:18Z" + mac: ENC[AES256_GCM,data:qLBASH8XmcHjTFrxdEqyk7KwXHEGx9hT6Jvqw1JMtZDhP95OjKNRySh5fptG1+Jz1ZIaG5zwDWdzV2/GXGru06dDR8bZYoXCboa0YR1NSESZ9f95n9v1HYQf/oSww8KHTP3METZ/1oS7i1nQdL5FxLFTK+nx77uQ1VxX7Ztl85Y=,iv:jEWOsxeTamGGNVw8OXFQT9o5MIyE7EMPAYEdfQesLZw=,tag:vUZK+H93qUursPwfoTpEJg==,type:str] pgp: - created_at: "2022-11-18T16:37:48Z" enc: | From 2f8d5b89498b2523bf636bede6736ac64ac56654 Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 19:03:02 +0100 Subject: [PATCH 14/23] remove `users.ldap` config --- modules/ldap.nix | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index 80aef7d..b1ed81a 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -1,9 +1,9 @@ { config, ... }: let # temporary url, zum testen auf laptop zuhause - tld = "moe"; - hostname = "eisvogel"; - domain = "portunus.${hostname}.${tld}"; + tld = "de"; + hostname = "ifsr"; + domain = "auth.staging.${hostname}.${tld}"; portunusUser = "portunus"; portunusGroup = "portunus"; @@ -53,13 +53,6 @@ in seedPath = "../config/portunus_seeds.json"; }; - users.ldap = { - enable = true; - server = "ldaps://${domain}"; - base = "dc=${hostname},dc=${tld}"; - # useTLS = true; # nicht nötig weil ldaps domain festgelegt. würde sonst starttls auf port 389 versuchen - }; - services.nginx = { enable = true; virtualHosts."${config.services.portunus.domain}" = { 
From e1c992f50a26f3cf0ac2ce6391779134487110eb Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 19:04:45 +0100 Subject: [PATCH 15/23] clean up ldap.nix --- modules/ldap.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index b1ed81a..ce9e798 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -32,7 +32,6 @@ in members = [ "${ldapUser}" ]; }; - # TODO: eigenes secrets.yaml für seedfile? sops.secrets."portunus_admin" = { owner = "${portunusUser}"; group = "${portunusGroup}"; From 141bdb9737d3cebe5592349a56ec73f4b2a6600f Mon Sep 17 00:00:00 2001 From: revol-xut Date: Sat, 17 Dec 2022 19:12:41 +0100 Subject: [PATCH 16/23] adding option for domain --- flake.nix | 8 ++++++-- modules/hedgedoc.nix | 2 +- modules/nextcloud.nix | 2 +- modules/options.nix | 15 +++++++++++---- modules/stream.nix | 2 +- modules/wiki.nix | 10 +--------- 6 files changed, 21 insertions(+), 18 deletions(-) diff --git a/flake.nix b/flake.nix index bd91d47..2f5f766 100755 --- a/flake.nix +++ b/flake.nix @@ -56,15 +56,18 @@ modules = [ inputs.sops-nix.nixosModules.sops ./hosts/quitte/configuration.nix + ./modules/options.nix ./modules/base.nix ./modules/sops.nix - ./modules/keycloak.nix + # ./modules/keycloak.nix replaced by portunus ./modules/nginx.nix ./modules/hedgedoc.nix ./modules/wiki.nix ./modules/stream.nix ./modules/nextcloud.nix { + fsr.enable_office_bloat = false; + fsr.domain = "staging.ifsr.de"; sops.defaultSopsFile = ./secrets/quitte.yaml; } ]; @@ -74,8 +77,9 @@ modules = [ inputs.sops-nix.nixosModules.sops ./hosts/quitte/configuration.nix + ./modules/options.nix ./modules/base.nix - ./modules/keycloak.nix + # ./modules/keycloak.nix replaced by portunus ./modules/nginx.nix ./modules/hedgedoc.nix ./modules/wiki.nix diff --git a/modules/hedgedoc.nix b/modules/hedgedoc.nix index 501b0d9..3c8b776 100644 --- a/modules/hedgedoc.nix +++ b/modules/hedgedoc.nix 
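Review bot: Both flake.nix hunks apply to pre-image `bd91d47`, the same base patch 07 modified when it inserted `./modules/ldap.nix` after `./modules/keycloak.nix`, and the context shown here (`./modules/sops.nix`, the keycloak line, `./modules/nginx.nix`) does not contain that entry; on top of patch 07 these hunks need fuzz at best, so please confirm that `./modules/ldap.nix` is still listed after this commit — keycloak is disabled here as "replaced by portunus", and without ldap.nix in both configurations neither host would have an identity provider. Only the first configuration sets `fsr.domain = "staging.ifsr.de"`; the second inherits the `ifsr.de` default from options.nix, which presumably makes it the production host, and a comment next to its `./modules/options.nix` entry, e.g. `# production: fsr.domain stays at the ifsr.de default`, would make that intent explicit. Both module lists continue outside the hunks.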
@@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: let - domain = "pad.quitte.tassilo-tanneberger.de"; + domain = "pad.${config.fsr.domain}"; in { services = { diff --git a/modules/nextcloud.nix b/modules/nextcloud.nix index 407f847..373466d 100644 --- a/modules/nextcloud.nix +++ b/modules/nextcloud.nix @@ -1,6 +1,6 @@ { config, pkgs, lib, ... }: let - domain = "nc.quitte.fugi.dev"; + domain = "nc.${config.fsr.domain}"; in { sops.secrets = { diff --git a/modules/options.nix b/modules/options.nix index 26868ae..dc8f4d5 100644 --- a/modules/options.nix +++ b/modules/options.nix @@ -1,7 +1,14 @@ { config, lib, ... }: with lib; { - options.fsr.enable_office_bloat = mkOption { - type = types.bool; - default = false; - description = "install heavy office bloat like texlive, okular, ..."; + options.fsr = { + enable_office_bloat = mkOption { + type = types.bool; + default = false; + description = "install heavy office bloat like texlive, okular, ..."; + }; + domain = mkOption { + type = types.str; + default = "ifsr.de"; + description = "under which top level domain the services should run"; + }; }; } diff --git a/modules/stream.nix b/modules/stream.nix index 2d7bb7f..088840d 100644 --- a/modules/stream.nix +++ b/modules/stream.nix @@ -10,7 +10,7 @@ in services = { nginx = { virtualHosts = { - "stream.ifsr.de" = { + "stream.${config.fsr.domain}" = { enableACME = true; forceSSL = true; locations."/" = diff --git a/modules/wiki.nix b/modules/wiki.nix index 23767c8..aa4e5cc 100644 --- a/modules/wiki.nix +++ b/modules/wiki.nix 
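Review bot: In the options.nix hunk the new `domain` option is described as "under which top level domain the services should run", but its default `ifsr.de` and the uses added in the same commit (`pad.${config.fsr.domain}`, `nc.${config.fsr.domain}`, `stream.${config.fsr.domain}`) show it is the base domain that service hostnames are prefixed onto, not a TLD. Suggest `description = "base domain under which the services are served, e.g. ifsr.de";` and, since the flake overrides it for staging, `example = "staging.ifsr.de";` so the override shows up in the generated option docs.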
@@ -116,10 +116,6 @@ $wgPluggableAuth_EnableLocalLogin = true; ''; extensions = { - #Cite = pkgs.fetchzip { - # url = "https://web.archive.org/web/20220627203658/https://extdist.wmflabs.org/dist/extensions/Cite-REL1_38-d40993e.tar.gz"; - # sha256 = "sha256-dziMo6sH4yMPjnDtt0TXiGBxE5uGRJM+scwdeuer5sM="; - #}; CiteThisPage = pkgs.fetchzip { url = "https://web.archive.org/web/20220627203556/https://extdist.wmflabs.org/dist/extensions/CiteThisPage-REL1_38-bb4881c.tar.gz"; sha256 = "sha256-sTZMCLlOkQBEmLiFz2BQJpWRxSDbpS40EZQ+f/jFjxI="; @@ -128,10 +124,6 @@ url = "https://web.archive.org/web/20220627203619/https://extdist.wmflabs.org/dist/extensions/ConfirmEdit-REL1_38-50f4dfd.tar.gz"; sha256 = "sha256-babZDzcQDE446TBuGW/olbt2xRbPjk+5o3o9DUFlCxk="; }; - #DynamicPageList = pkgs.fetchzip { - # url = "https://web.archive.org/web/20220627203129/https://extdist.wmflabs.org/dist/extensions/DynamicPageList-REL1_38-3b7a26d.tar.gz"; - # sha256 = "sha256-WjVLks0Q9hSN2poqbKzTJhvOXog7UHJqjY2WJ4Uc64o="; - #}; Lockdown = pkgs.fetchzip { url = "https://web.archive.org/web/20220627203048/https://extdist.wmflabs.org/dist/extensions/Lockdown-REL1_38-1915db4.tar.gz"; sha256 = "sha256-YCYsjh/3g2P8oT6IomP3UWjOoggH7jYjiiix7poOYnA="; @@ -188,7 +180,7 @@ nginx = { recommendedProxySettings = true; virtualHosts = { - "wiki.quitte.tassilo-tanneberger.de" = { + "wiki.${config.fsr.domain}" = { enableACME = true; forceSSL = true; locations."/" = { From 86295b55018468025005ceaca6d1124a71d311d6 Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 19:21:16 +0100 Subject: [PATCH 17/23] use `config.fsr.domain` --- modules/ldap.nix | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index ce9e798..1de922e 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix 
@@ -1,9 +1,6 @@ { config, ... }: let - # temporary url, zum testen auf laptop zuhause - tld = "de"; - hostname = "ifsr"; - domain = "auth.staging.${hostname}.${tld}"; + domain = "auth.${config.fsr.domain}"; portunusUser = "portunus"; portunusGroup = "portunus"; @@ -45,7 +42,7 @@ in ldap = { user = "${ldapUser}"; group = "${ldapGroup}"; - suffix = "dc=${hostname},dc=${tld}"; + suffix = "dc=ifsr,dc=de"; tls = true; }; From f442eba0f8ba72a2f6f423e384f62bbbad72ce9a Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 19:22:05 +0100 Subject: [PATCH 18/23] update nixpkgs version --- flake.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/flake.nix b/flake.nix index 8d70ec2..fee070a 100755 --- a/flake.nix +++ b/flake.nix @@ -1,6 +1,6 @@ { inputs = { - nixpkgs.url = github:nixos/nixpkgs/nixos-22.05; + nixpkgs.url = github:nixos/nixpkgs/nixos-22.11; sops-nix.url = github:Mic92/sops-nix; sops-nix.inputs.nixpkgs.follows = "nixpkgs"; fsr-infoscreen.url = github:fsr/infoscreen; From 8cb57aa7233327ba344ef30990f01f132b507530 Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 19:31:52 +0100 Subject: [PATCH 19/23] portunus: add admin user to admin group --- config/portunus_seeds.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/portunus_seeds.json b/config/portunus_seeds.json index 63a399b..dc28aba 100644 --- a/config/portunus_seeds.json +++ b/config/portunus_seeds.json @@ -3,7 +3,7 @@ { "name": "admins", "long-name": "Portunus Admins", - "members": [], + "members": ["admin"], "permissions": { "portunus": { "is-admin": true }, "ldap": { "can-read": true } From c91bcb11f81573e5030aa4b1b0b8388cc2bc50f5 Mon Sep 17 00:00:00 2001 
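Review bot: `suffix = "dc=ifsr,dc=de";` is now a literal while `domain` follows `config.fsr.domain`, so the staging deployment (`fsr.domain = "staging.ifsr.de"` in flake.nix) and production end up with the same LDAP base DN under different hostnames. If that is intended — keeping DNs and group references identical across environments is a reasonable choice — it deserves a comment such as `# base DN deliberately does not follow fsr.domain so DNs stay identical on staging and prod`; if not, the suffix should be derived from the domain so the two cannot be confused. The enclosing `services.portunus.ldap` block continues outside the hunk.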
From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 19:44:16 +0100 Subject: [PATCH 20/23] fix: seedPath string -> path --- modules/ldap.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index 1de922e..ab46c53 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -46,7 +46,7 @@ in tls = true; }; - seedPath = "../config/portunus_seeds.json"; + seedPath = ../config/portunus_seeds.json; }; services.nginx = { From cd1647e5d6866ca32ef1f2cf90eebbcaaae159ef Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 19:45:06 +0100 Subject: [PATCH 21/23] fix: remove unneeded `/dex` reverse proxy --- modules/ldap.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index ab46c53..e35d909 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -56,7 +56,6 @@ in enableACME = true; locations = { "/".proxyPass = "http://localhost:${toString config.services.portunus.port}"; - "/dex".proxyPass = "http://localhost:${toString config.services.portunus.dex.port}"; }; }; }; From fc873af4b37ce0e949534ec7ffb33e835a8bee0a Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 19:45:53 +0100 Subject: [PATCH 22/23] fix: remove open port 636, potential security risk --- modules/ldap.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/ldap.nix b/modules/ldap.nix index e35d909..7d39bea 100644 --- a/modules/ldap.nix +++ b/modules/ldap.nix @@ -63,6 +63,5 @@ in networking.firewall.allowedTCPPorts = [ 80 # http 443 # https - 636 # ldaps ]; } From 49632576234361ff03fe67997447dbfa6fef95fb Mon Sep 17 00:00:00 2001 From: halcyon <55317573+hxlcyxn@users.noreply.github.com> Date: Sat, 17 Dec 2022 19:49:08 +0100 Subject: [PATCH 23/23] nix flake update --- flake.lock | 26 +++++++++++++------------- 1 file changed, 13 insertions(+), 13 deletions(-) 
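Review bot: `seedPath = ../config/portunus_seeds.json;` is a Nix path, so the file is copied into the Nix store, which is world-readable on the host and in any cache the system closure is pushed to; that is fine for the current content because the admin password is only referenced via `from_command` and the secret itself stays in `/run/secrets`, but it means no credential may ever be written inline into that JSON. A one-line comment next to the option would keep the invariant visible: `# seed file lands in the world-readable store: passwords only via from_command`.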
diff --git a/flake.lock b/flake.lock
index 7698a4f..714027c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -69,34 +69,34 @@
 "type": "github"
 }
 },
- "nixpkgs-22_05": {
+ "nixpkgs-stable": {
 "locked": {
- "lastModified": 1668307144,
- "narHash": "sha256-uY2StvGJvTfgtLaiz3uvX+EQeWZDkiLFiz2vekgJ9ZE=",
+ "lastModified": 1670146390,
+ "narHash": "sha256-XrEoDpuloRHHbUkbPnhF2bQ0uwHllXq3NHxtuVe/QK4=",
 "owner": "NixOS",
 "repo": "nixpkgs",
- "rev": "eac99848dfd869e486573d8272b0c10729675ca2",
+ "rev": "86370507cb20c905800527539fc049a2bf09c667",
 "type": "github"
 },
 "original": {
 "owner": "NixOS",
- "ref": "release-22.05",
+ "ref": "release-22.11",
 "repo": "nixpkgs",
 "type": "github"
 }
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1668595291,
- "narHash": "sha256-j8cyfbtT5sAYPYwbERgTDzfD48ZernL0/V668eGpXAM=",
+ "lastModified": 1671215800,
+ "narHash": "sha256-2W54K41A7MefEaWzgL/TsaWlhKRK/RhWUybyOW4i0K8=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "6474d93e007e4d165bcf48e7f87de2175c93d10b",
+ "rev": "9d692a724e74d2a49f7c985132972f991d144254",
 "type": "github"
 },
 "original": {
 "owner": "nixos",
- "ref": "nixos-22.05",
+ "ref": "nixos-22.11",
 "repo": "nixpkgs",
 "type": "github"
 }
@@ -113,14 +113,14 @@
 "nixpkgs": [
 "nixpkgs"
 ],
- "nixpkgs-22_05": "nixpkgs-22_05"
+ "nixpkgs-stable": "nixpkgs-stable"
 },
 "locked": {
- "lastModified": 1668311578,
- "narHash": "sha256-nF6mwSbVyvnlIICWFZlADegWdTsgrk1pZnA/0VqByNw=",
+ "lastModified": 1670149631,
+ "narHash": "sha256-rwmtlxx45PvOeZNP51wql/cWjY3rqzIR3Oj2Y+V7jM0=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "39f0fe57f1ef78764c1abc1de145f091fee1bbbb",
+ "rev": "da98a111623101c64474a14983d83dad8f09f93d",
 "type": "github"
 },
 "original": {