chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

wip

Browse source
This commit is contained in:
Chris Kruining 2025-04-01 19:58:31 +02:00
parent 941801e94f
commit c6933ae16a
Signed by: chris
SSH key fingerprint: SHA256:nG82MUfuVdRVyCKKWqhY+pCrbz9nbX6uzUns4RKa1Pg
7 changed files with 150 additions and 78 deletions
Download patch file Download diff file Expand all files Collapse all files

2
hosts/ulmo/default.nix
View file

@ -11,7 +11,9 @@
networking.ssh.enable = true; networking.ssh.enable = true;
services = { services = {
auth.enable = true;
media.enable = true; media.enable = true;
nextcloud.enable = true;
games = { games = {
minecraft.enable = true; minecraft.enable = true;

17
lib/nixos.nix
View file

@ -39,7 +39,16 @@ in rec
mutableUsers = true; # Set this to false when I get sops with passwords set up properly mutableUsers = true; # Set this to false when I get sops with passwords set up properly
users = mkIf (pathExists "${path}/users") (mapModules "${path}/users" mkSysUser); users = mkIf (pathExists "${path}/users") (mapModules "${path}/users" mkSysUser);
}; };
})
(filterAttrs (n: v: !elem n ["system"]) attrs)
(import path)
(args@{ inputs, lib, pkgs, config, options, ... }: {
imports = mapModulesRec' ../modules/home (file: (import file (args // { user = "root"; })));
})
({config, ...}: {
imports = [];
config = {
home-manager = { home-manager = {
backupFileExtension = "bak"; backupFileExtension = "bak";
useGlobalPkgs = true; useGlobalPkgs = true;
@ -47,13 +56,9 @@ in rec
inputs.plasma-manager.homeManagerModules.plasma-manager inputs.plasma-manager.homeManagerModules.plasma-manager
]; ];
users = listToAttrs (map (user: (nameValuePair user { home = { inherit stateVersion; }; })) (users ++ [ "root" ])); users = listToAttrs (map (user: (nameValuePair user { home = { inherit stateVersion; }; })) (attrNames config.users.users));
};
}; };
})
(filterAttrs (n: v: !elem n ["system"]) attrs)
(import path)
(args@{ inputs, lib, pkgs, config, options, ... }: {
imports = mapModulesRec' ../modules/home (file: (import file (args // { user = "root"; })));
}) })
] ]
++ (map (user: (args@{ inputs, lib, pkgs, config, options, ... }: { ++ (map (user: (args@{ inputs, lib, pkgs, config, options, ... }: {

128
modules/system/services/auth.nix
View file

@ -1,11 +1,12 @@
{ config, options, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (lib.options) mkEnableOption;
inherit (lib.modules) mkIf; inherit (lib.modules) mkIf;
user = "authelia-testing";
in in
{ {
options.modules.services.auth = let options.modules.services.auth = {
inherit (lib.options) mkEnableOption;
in {
enable = mkEnableOption "Auth"; enable = mkEnableOption "Auth";
}; };
@ -16,66 +17,137 @@ in
services.authelia.instances.testing = { services.authelia.instances.testing = {
enable = true; enable = true;
secrets.storageEncryptionKeyFile = "/etc/authelia/storageEncryptionKeyFile";
secrets.jwtSecretFile = "/etc/authelia/jwtSecretFile"; secrets = {
storageEncryptionKeyFile = "/etc/authelia/testing/storageEncryptionKeyFile";
jwtSecretFile = "/etc/authelia/testing/jwtSecretFile";
sessionSecretFile = "/etc/authelia/testing/sessionSecrets";
};
settings = { settings = {
log.level = "info"; theme = "auto";
authentication_backend.file.path = "/etc/authelia/users_database.yml";
access_control.default_policy = "one_factor"; server = {
session.domain = "kruining.eu"; address = "tcp://127.0.0.1:9091";
storage.local.path = "/tmp/db.sqlite3"; };
notifier.filesystem.filename = "/tmp/notifications.txt";
server.endpoints.authz.forward-auth.implementation = "ForwardAuth"; log = {
identity_providers.oidc.clients = []; level = "info";
format = "json";
};
authentication_backend.file.path = "/etc/authelia/testing/users_database.yml";
access_control = {
default_policy = "deny";
rules = [
{
domain = ["auth.kruining.eu"];
policy = "bypass";
}
{
domain = ["*.kruining.eu"];
policy = "one_factor";
}
];
};
session = {
name = "authelia_testing_session";
expiration = "12h";
inactivity = "45m";
remember_me = "1m";
# redis.host = "/run/redis-authelia-testing/redis.sock";
cookies = [
{
domain = "kruining.eu";
authelia_url = "https://auth.kruining.eu";
default_redirection_url = "https://kaas.kruining.eu";
name = "authelia_session";
}
];
};
regulation = {
max_retries = 300;
find_time = "5m";
ban_time = "15m";
};
storage = {
local.path = "/var/authelia/testing/db.sqlite3";
};
notifier = {
disable_startup_check = false;
filesystem.filename = "/var/authelia/testing/notifications.txt";
};
# identity_providers.oidc.clients = [];
}; };
}; };
# systemd.services."authelia-testing" = { systemd = {
# serviceConfig.Environment = "X_AUTHELIA_CONFIG_FILTERS=template"; tmpfiles.rules = [
# }; "d /var/authelia/testing 400 ${user} ${user} -"
];
};
# These should not be set from nix but through other means to not leak the secret! # These should not be set from nix but through other means to not leak the secret!
# This is purely for testing purposes! # This is purely for testing purposes!
environment.etc."authelia/storageEncryptionKeyFile" = { environment.etc = {
"authelia/testing/storageEncryptionKeyFile" = {
mode = "0400"; mode = "0400";
user = "authelia-testing"; user = user;
text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this"; text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this";
}; };
environment.etc."authelia/jwtSecretFile" = {
"authelia/testing/jwtSecretFile" = {
mode = "0400"; mode = "0400";
user = "authelia-testing"; user = user;
text = "a_very_important_secret"; text = "a_very_important_secret";
}; };
environment.etc."authelia/users_database.yml" = {
"authelia/testing/sessionSecrets" = {
mode = "0400"; mode = "0400";
user = "authelia-testing"; user = user;
text = "some_session_secrets";
};
"authelia/testing/users_database.yml" = {
mode = "0400";
user = user;
text = '' text = ''
users: users:
bob: chris:
disabled: false disabled: false
displayname: bob displayname: chris
# password of password # password of password
password: $argon2id$v=19$m=65536,t=3,p=4$2ohUAfh9yetl+utr4tLcCQ$AsXx0VlwjvNnCsa70u4HKZvFkC8Gwajr2pHGKcND/xs password: $argon2id$v=19$m=65536,t=3,p=4$2ohUAfh9yetl+utr4tLcCQ$AsXx0VlwjvNnCsa70u4HKZvFkC8Gwajr2pHGKcND/xs
email: bob@jim.com email: chris@kruining.eu
groups: groups:
- admin - admin
- dev - dev
''; '';
}; };
};
services.caddy = { services.caddy = {
enable = true; enable = true;
virtualHosts = { virtualHosts = {
"auth.kruining.eu".extraConfig = '' "auth.kruining.eu".extraConfig = ''
reverse_proxy :9091 reverse_proxy authelia:9091
''; '';
"kaas.kruining.eu".extraConfig = '' "kaas.kruining.eu".extraConfig = ''
import auth
respond "KAAS" respond "KAAS"
''; '';
}; };
extraConfig = '' extraConfig = ''
(auth) { (auth) {
forward_auth :9091 { forward_auth authelia:9091 {
uri /api/authz/forward-auth uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
} }

9
modules/system/services/default.nix
View file

@ -1,9 +1,4 @@
{ config, options, lib, pkgs, ... }: { ... }:
let
inherit (lib.modules) mkIf;
in
{ {
options.modules.services = let options.modules.services = {};
inherit (lib.options) mkEnableOption;
in {};
} }

4
modules/system/services/media.nix
View file

@ -27,11 +27,11 @@ in
]; ];
users = { users = {
users."${user}" = { users.${user} = {
isSystemUser = true; isSystemUser = true;
group = group; group = group;
}; };
groups."${group}" = {}; groups.${group} = {};
}; };
system.activationScripts.var = mkForce '' system.activationScripts.var = mkForce ''

15
modules/system/services/nextcloud.nix
View file

@ -1,23 +1,25 @@
{ config, options, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
inherit (lib.options) mkEnableOption;
inherit (lib.modules) mkIf; inherit (lib.modules) mkIf;
user = "nextcloud"; user = "nextcloud";
in in
{ {
options.modules.services.nextcloud = let options.modules.services.nextcloud = {
inherit (lib.options) mkEnableOption;
in {
enable = mkEnableOption "Nextcloud"; enable = mkEnableOption "Nextcloud";
}; };
config = mkIf config.modules.services.nextcloud.enable { config = mkIf config.modules.services.nextcloud.enable {
users.users.${user} = { users = {
users.${user} = {
name = user; name = user;
isSystemUser = true; isSystemUser = true;
home = "/home/${user}"; home = "/home/${user}";
group = user; group = user;
}; };
groups.${user} = {};
};
home-manager.users.${user}.home.file.".netrc".text = '' home-manager.users.${user}.home.file.".netrc".text = ''
login root login root
@ -30,6 +32,7 @@ in
Description = "Automatic nextcloud sync"; Description = "Automatic nextcloud sync";
After = "network-online.target"; After = "network-online.target";
}; };
WantedBy = [ "multi-user.target" ];
Service = { Service = {
Type = "simple"; Type = "simple";
ExecStart = "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path /var/music /home/${user}/Music https://cloud.kruining.eu"; ExecStart = "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path /var/music /home/${user}/Music https://cloud.kruining.eu";
@ -37,8 +40,8 @@ in
KillMode = "process"; KillMode = "process";
KillSignal = "SIGINT"; KillSignal = "SIGINT";
}; };
Install.WantedBy = [ "multi-user.target" ];
}; };
timers.nextcloud-autosync = { timers.nextcloud-autosync = {
Unit.Description = "Automatic nextcloud sync"; Unit.Description = "Automatic nextcloud sync";
Timer.OnBootSec = "5min"; Timer.OnBootSec = "5min";

5
modules/system/services/oidc_clients.yml
View file

@ -1,5 +0,0 @@
# Hashed client secrets go here, and unhashed ones go in the client configurations
identity_providers:
oidc:
clients: