chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

wip

Browse source
This commit is contained in:
Chris Kruining 2025-04-01 19:58:31 +02:00
parent 941801e94f
commit c6933ae16a
Signed by: chris
SSH key fingerprint: SHA256:nG82MUfuVdRVyCKKWqhY+pCrbz9nbX6uzUns4RKa1Pg
7 changed files with 150 additions and 78 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hosts/ulmo/default.nix
View file

@ -11,7 +11,9 @@
networking.ssh.enable = true;
services = {
auth.enable = true;
media.enable = true;
nextcloud.enable = true;
games = {
minecraft.enable = true;

25
lib/nixos.nix
View file

@ -39,22 +39,27 @@ in rec
mutableUsers = true; # Set this to false when I get sops with passwords set up properly
users = mkIf (pathExists "${path}/users") (mapModules "${path}/users" mkSysUser);
};
home-manager = {
backupFileExtension = "bak";
useGlobalPkgs = true;
sharedModules = [
inputs.plasma-manager.homeManagerModules.plasma-manager
];
users = listToAttrs (map (user: (nameValuePair user { home = { inherit stateVersion; }; })) (users ++ [ "root" ]));
};
})
(filterAttrs (n: v: !elem n ["system"]) attrs)
(import path)
(args@{ inputs, lib, pkgs, config, options, ... }: {
imports = mapModulesRec' ../modules/home (file: (import file (args // { user = "root"; })));
})
({config, ...}: {
imports = [];
config = {
home-manager = {
backupFileExtension = "bak";
useGlobalPkgs = true;
sharedModules = [
inputs.plasma-manager.homeManagerModules.plasma-manager
];
users = listToAttrs (map (user: (nameValuePair user { home = { inherit stateVersion; }; })) (attrNames config.users.users));
};
};
})
]
++ (map (user: (args@{ inputs, lib, pkgs, config, options, ... }: {
imports = mapModulesRec' ../modules/home (file: (import file (args // { inherit user; })));

160
modules/system/services/auth.nix
View file

@ -1,11 +1,12 @@
{ config, options, lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
inherit (lib.options) mkEnableOption;
inherit (lib.modules) mkIf;
user = "authelia-testing";
in
{
options.modules.services.auth = let
inherit (lib.options) mkEnableOption;
in {
options.modules.services.auth = {
enable = mkEnableOption "Auth";
};
@ -16,66 +17,137 @@ in
services.authelia.instances.testing = {
enable = true;
secrets.storageEncryptionKeyFile = "/etc/authelia/storageEncryptionKeyFile";
secrets.jwtSecretFile = "/etc/authelia/jwtSecretFile";
secrets = {
storageEncryptionKeyFile = "/etc/authelia/testing/storageEncryptionKeyFile";
jwtSecretFile = "/etc/authelia/testing/jwtSecretFile";
sessionSecretFile = "/etc/authelia/testing/sessionSecrets";
};
settings = {
log.level = "info";
authentication_backend.file.path = "/etc/authelia/users_database.yml";
access_control.default_policy = "one_factor";
session.domain = "kruining.eu";
storage.local.path = "/tmp/db.sqlite3";
notifier.filesystem.filename = "/tmp/notifications.txt";
server.endpoints.authz.forward-auth.implementation = "ForwardAuth";
identity_providers.oidc.clients = [];
theme = "auto";
server = {
address = "tcp://127.0.0.1:9091";
};
log = {
level = "info";
format = "json";
};
authentication_backend.file.path = "/etc/authelia/testing/users_database.yml";
access_control = {
default_policy = "deny";
rules = [
{
domain = ["auth.kruining.eu"];
policy = "bypass";
}
{
domain = ["*.kruining.eu"];
policy = "one_factor";
}
];
};
session = {
name = "authelia_testing_session";
expiration = "12h";
inactivity = "45m";
remember_me = "1m";
# redis.host = "/run/redis-authelia-testing/redis.sock";
cookies = [
{
domain = "kruining.eu";
authelia_url = "https://auth.kruining.eu";
default_redirection_url = "https://kaas.kruining.eu";
name = "authelia_session";
}
];
};
regulation = {
max_retries = 300;
find_time = "5m";
ban_time = "15m";
};
storage = {
local.path = "/var/authelia/testing/db.sqlite3";
};
notifier = {
disable_startup_check = false;
filesystem.filename = "/var/authelia/testing/notifications.txt";
};
# identity_providers.oidc.clients = [];
};
};
# systemd.services."authelia-testing" = {
# serviceConfig.Environment = "X_AUTHELIA_CONFIG_FILTERS=template";
# };
systemd = {
tmpfiles.rules = [
"d /var/authelia/testing 400 ${user} ${user} -"
];
};
# These should not be set from nix but through other means to not leak the secret!
# This is purely for testing purposes!
environment.etc."authelia/storageEncryptionKeyFile" = {
mode = "0400";
user = "authelia-testing";
text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this";
};
environment.etc."authelia/jwtSecretFile" = {
mode = "0400";
user = "authelia-testing";
text = "a_very_important_secret";
};
environment.etc."authelia/users_database.yml" = {
mode = "0400";
user = "authelia-testing";
text = ''
users:
bob:
disabled: false
displayname: bob
# password of password
password: $argon2id$v=19$m=65536,t=3,p=4$2ohUAfh9yetl+utr4tLcCQ$AsXx0VlwjvNnCsa70u4HKZvFkC8Gwajr2pHGKcND/xs
email: bob@jim.com
groups:
- admin
- dev
'';
environment.etc = {
"authelia/testing/storageEncryptionKeyFile" = {
mode = "0400";
user = user;
text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this";
};
"authelia/testing/jwtSecretFile" = {
mode = "0400";
user = user;
text = "a_very_important_secret";
};
"authelia/testing/sessionSecrets" = {
mode = "0400";
user = user;
text = "some_session_secrets";
};
"authelia/testing/users_database.yml" = {
mode = "0400";
user = user;
text = ''
users:
chris:
disabled: false
displayname: chris
# password of password
password: $argon2id$v=19$m=65536,t=3,p=4$2ohUAfh9yetl+utr4tLcCQ$AsXx0VlwjvNnCsa70u4HKZvFkC8Gwajr2pHGKcND/xs
email: chris@kruining.eu
groups:
- admin
- dev
'';
};
};
services.caddy = {
enable = true;
virtualHosts = {
"auth.kruining.eu".extraConfig = ''
reverse_proxy :9091
reverse_proxy authelia:9091
'';
"kaas.kruining.eu".extraConfig = ''
import auth
respond "KAAS"
'';
};
extraConfig = ''
(auth) {
forward_auth :9091 {
forward_auth authelia:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}

9
modules/system/services/default.nix
View file

@ -1,9 +1,4 @@
{ config, options, lib, pkgs, ... }:
let
inherit (lib.modules) mkIf;
in
{ ... }:
{
options.modules.services = let
inherit (lib.options) mkEnableOption;
in {};
options.modules.services = {};
}

4
modules/system/services/media.nix
View file

@ -27,11 +27,11 @@ in
];
users = {
users."${user}" = {
users.${user} = {
isSystemUser = true;
group = group;
};
groups."${group}" = {};
groups.${group} = {};
};
system.activationScripts.var = mkForce ''

23
modules/system/services/nextcloud.nix
View file

@ -1,22 +1,24 @@
{ config, options, lib, pkgs, ... }:
{ config, lib, pkgs, ... }:
let
inherit (lib.options) mkEnableOption;
inherit (lib.modules) mkIf;
user = "nextcloud";
in
{
options.modules.services.nextcloud = let
inherit (lib.options) mkEnableOption;
in {
options.modules.services.nextcloud = {
enable = mkEnableOption "Nextcloud";
};
config = mkIf config.modules.services.nextcloud.enable {
users.users.${user} = {
name = user;
isSystemUser = true;
home = "/home/${user}";
group = user;
users = {
users.${user} = {
name = user;
isSystemUser = true;
home = "/home/${user}";
group = user;
};
groups.${user} = {};
};
home-manager.users.${user}.home.file.".netrc".text = ''
@ -30,6 +32,7 @@ in
Description = "Automatic nextcloud sync";
After = "network-online.target";
};
WantedBy = [ "multi-user.target" ];
Service = {
Type = "simple";
ExecStart = "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path /var/music /home/${user}/Music https://cloud.kruining.eu";
@ -37,8 +40,8 @@ in
KillMode = "process";
KillSignal = "SIGINT";
};
Install.WantedBy = [ "multi-user.target" ];
};
timers.nextcloud-autosync = {
Unit.Description = "Automatic nextcloud sync";
Timer.OnBootSec = "5min";

5
modules/system/services/oidc_clients.yml
View file

@ -1,5 +0,0 @@
# Hashed client secrets go here, and unhashed ones go in the client configurations
identity_providers:
oidc:
clients: