From f226c32865818c1c815ea6c113c4987a47537967 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Tue, 4 Feb 2025 23:29:50 +0100 Subject: [PATCH 1/3] services/kanidm: init --- secrets/kanidm-admin-pass.age | 7 +++ secrets/kanidm-idm-admin-pass.age | 8 +++ secrets/secrets.nix | 8 +++ services/default.nix | 1 + services/kanidm.nix | 85 +++++++++++++++++++++++++++++++ 5 files changed, 109 insertions(+) create mode 100644 secrets/kanidm-admin-pass.age create mode 100644 secrets/kanidm-idm-admin-pass.age create mode 100644 services/kanidm.nix diff --git a/secrets/kanidm-admin-pass.age b/secrets/kanidm-admin-pass.age new file mode 100644 index 0000000..2b229b2 --- /dev/null +++ b/secrets/kanidm-admin-pass.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 84j9mw W4+Z4WjOyUl4mWPqVykNWRhf2/8qfVOSM7QCFPNMZTA +0ndQjslMwjQqguN25nBQtCchpCLhoD/vrxh1yNVeTNw +-> ssh-ed25519 GKhvwg H8XcFJDZTA3IzxmK6wbB+PVM2gCZ4ysAPjL5j0LgeE0 +kehTMRIVOZ5ubtO7w8WF+gU3sjYXMQtd5hH+wcv3uSE +--- 72ntrRbWq8pdkk/GrsVupTttfY9t+w3l+2KQbQyNn/I +iyd$vVl TK$4G[MI[#tz:r9~ESA6}׵ \ No newline at end of file diff --git a/secrets/kanidm-idm-admin-pass.age b/secrets/kanidm-idm-admin-pass.age new file mode 100644 index 0000000..0eac321 --- /dev/null +++ b/secrets/kanidm-idm-admin-pass.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 84j9mw 8zYeVXx36dpC8TxMdoM1GdERoNNj902KwTF4h/r4inM +n3mYra0BeM4gWsZ7Roilu14o/GajX1iWw0fcy0q31yc +-> ssh-ed25519 GKhvwg cqd7YmVpbxqZxaVluHDZ8Yw0gNfJCKMmoWa4mEoXym8 +Gbcj+PJaqyPRRGX4olr7mmJ5IoEGlQaogYbj7i9E/98 +--- LoQPWI+m8s3NjalUh0+xdW54c8lgddBmhPoIiPbmR8I +Җ܉Y +9!42DVP9N]G;?ЉS ' \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index fc8ce14..551c4cd 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -89,4 +89,12 @@ in
 keys.system.ude
 keys.other.bootstrap
 ];
+ "kanidm-admin-pass.age".publicKeys = [
+ keys.system.kazuki
+ keys.other.bootstrap
+ ];
+ "kanidm-idm-admin-pass.age".publicKeys = [
+ keys.system.kazuki
+ keys.other.bootstrap
+ ];
 }
diff --git a/services/default.nix b/services/default.nix
index d588ede..901faff 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -1,5 +1,6 @@
 {
 imports = [
 ./attic.nix
+ ./kanidm.nix
 ];
 }
diff --git a/services/kanidm.nix b/services/kanidm.nix
new file mode 100644
index 0000000..b288e14
--- /dev/null
+++ b/services/kanidm.nix
@@ -0,0 +1,85 @@
+{
+ services.kanidm =
+ let
+ port = 8443;
+ domain = "auth.rabulinski.com";
+ in
+ {
+ host = "kazuki";
+ ports = [ port ];
+ config =
+ { config, pkgs, ... }:
+ let
+ cert = config.security.acme.certs.${domain};
+ in
+ {
+ age.secrets.rabulinski-com-cf = {
+ file = ../secrets/rabulinski-com-cf.age;
+ owner = config.services.nginx.user;
+ };
+ age.secrets.kanidm-admin-pass = {
+ file = ../secrets/kanidm-admin-pass.age;
+ owner = "kanidm";
+ };
+ age.secrets.kanidm-idm-admin-pass = {
+ file = ../secrets/kanidm-idm-admin-pass.age;
+ owner = "kanidm";
+ };
+
+ services.kanidm = {
+ enableServer = true;
+ package = pkgs.kanidmWithSecretProvisioning;
+ serverSettings = {
+ bindaddress = "127.0.0.1:${toString port}";
+ inherit domain;
+ origin = "https://${domain}";
+ trust_x_forward_for = true;
+ tls_chain = "${cert.directory}/fullchain.pem";
+ tls_key = "${cert.directory}/key.pem";
+ };
+ provision = {
+ enable = true;
+ idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-pass.path;
+ adminPasswordFile = config.age.secrets.kanidm-admin-pass.path;
+ };
+ };
+
+ systemd.services.kanidm.serviceConfig = {
+ SupplementaryGroups = [ cert.group ];
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts."auth.rabulinski.com" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "https://localhost:${toString port}";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_ssl_verify off;
+ proxy_ssl_name ${domain};
+ '';
+ };
+ };
+ };
+
+ security.acme.certs.${domain} = {
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.rabulinski-com-cf.path;
+ reloadServices = [ "kanidm" ];
+ };
+ };
+ };
+}
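Review bot: `proxyPass = "https://localhost:${toString port}"` targets `localhost` while `bindaddress` pins kanidm to `127.0.0.1:8443`; if `localhost` also resolves to `::1`, nginx will try the unbound IPv6 address and log connection failures before falling back, so `proxyPass = "https://127.0.0.1:${toString port}";` — the form forgejo.nix already uses — is the safer choice. In the same location block `proxy_ssl_verify off;` disables certificate checking on the nginx→kanidm hop; since kanidm serves the ACME-issued `${cert.directory}/fullchain.pem` and `proxy_ssl_name ${domain}` is already set, `proxy_ssl_verify on;` plus `proxy_ssl_trusted_certificate` pointing at the system CA bundle (e.g. `/etc/ssl/certs/ca-certificates.crt` on NixOS) should keep the check without further plumbing. `trust_x_forward_for = true;` is only safe because of that loopback bind; a comment such as `# only nginx on loopback can reach this port, so its X-Forwarded-For is trusted` would stop a later change to `bindaddress` from silently widening that trust. `virtualHosts."auth.rabulinski.com"` repeats the literal that `domain` already holds; `virtualHosts.${domain} = {` would match `security.acme.certs.${domain}` below.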
From 9a4289e6f31b922a36b3d3e82e2bb036ba2ce3d2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?= Date: Wed, 5 Feb 2025 16:28:31 +0100 Subject: [PATCH 2/3] services/forgejo: move from hosts/kazuki --- hosts/kazuki/default.nix | 1 - hosts/kazuki/forgejo.nix | 62 ------------------------------------ services/default.nix | 1 + services/forgejo.nix | 69 ++++++++++++++++++++++++++++++++++++++++ 4 files changed, 70 insertions(+), 63 deletions(-) delete mode 100644 hosts/kazuki/forgejo.nix create mode 100644 services/forgejo.nix diff --git a/hosts/kazuki/default.nix b/hosts/kazuki/default.nix index df92f1c..8464cb5 100644 --- a/hosts/kazuki/default.nix +++ b/hosts/kazuki/default.nix @@ -15,7 +15,6 @@ ./storage.nix ./ntfy.nix ./zitadel.nix - ./forgejo.nix ./prometheus.nix ]; diff --git a/hosts/kazuki/forgejo.nix b/hosts/kazuki/forgejo.nix deleted file mode 100644 index 9f200e2..0000000 --- a/hosts/kazuki/forgejo.nix +++ /dev/null 
@@ -1,62 +0,0 @@
-{ config, ... }:
-{
- age.secrets.rab-lol-cf = {
- file = ../../secrets/rab-lol-cf.age;
- owner = config.services.nginx.user;
- };
-
- services.forgejo = {
- enable = true;
- settings = {
- server = {
- DOMAIN = "git.rab.lol";
- ROOT_URL = "https://git.rab.lol/";
- };
- oauth2_client = {
- REGISTER_EMAIL_CONFIRM = false;
- ENABLE_AUTO_REGISTRATION = true;
- ACCOUNT_LINKING = "auto";
- UPDATE_AVATAR = true;
- };
- service = {
- DISABLE_REGISTRATION = false;
- ALLOW_ONLY_INTERNAL_REGISTRATION = false;
- ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
- };
- federation.ENABLED = true;
- };
- repositoryRoot = "/storage-box/forgejo/repos";
- lfs = {
- enable = true;
- contentDir = "/storage-box/forgejo/lfs";
- };
- };
-
- services.nginx = {
- enable = true;
- recommendedProxySettings = true;
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedTlsSettings = true;
- virtualHosts."git.rab.lol" = {
- forceSSL = true;
- enableACME = true;
- acmeRoot = null;
- locations."/" = {
- proxyPass = "http://127.0.0.1:3000";
- extraConfig = ''
- proxy_set_header Connection $http_connection;
- proxy_set_header Upgrade $http_upgrade;
- '';
- };
- };
- };
-
- users.users.nginx.extraGroups = [ "acme" ];
- security.acme.acceptTerms = true;
- security.acme.certs."git.rab.lol" = {
- dnsProvider = "cloudflare";
- credentialsFile = config.age.secrets.rab-lol-cf.path;
- email = "nikodem@rabulinski.com";
- };
-}
diff --git a/services/default.nix b/services/default.nix
index 901faff..7ff2aaf 100644
--- a/services/default.nix
+++ b/services/default.nix
@@ -2,5 +2,6 @@
 imports = [
 ./attic.nix
 ./kanidm.nix
+ ./forgejo.nix
 ];
 }
diff --git a/services/forgejo.nix b/services/forgejo.nix
new file mode 100644
index 0000000..2f69a55
--- /dev/null
+++ b/services/forgejo.nix
@@ -0,0 +1,69 @@
+{
+ services.forgejo = {
+ host = "kazuki";
+ ports = [ 3000 ];
+ config =
+ { config, ... }:
+ {
+ age.secrets.rab-lol-cf = {
+ file = ../secrets/rab-lol-cf.age;
+ owner = config.services.nginx.user;
+ };
+
+ services.forgejo = {
+ enable = true;
+ settings = {
+ server = {
+ DOMAIN = "git.rab.lol";
+ ROOT_URL = "https://git.rab.lol/";
+ };
+ oauth2_client = {
+ REGISTER_EMAIL_CONFIRM = false;
+ ENABLE_AUTO_REGISTRATION = true;
+ ACCOUNT_LINKING = "auto";
+ UPDATE_AVATAR = true;
+ };
+ service = {
+ DISABLE_REGISTRATION = false;
+ ALLOW_ONLY_INTERNAL_REGISTRATION = false;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ };
+ federation.ENABLED = true;
+ };
+ repositoryRoot = "/storage-box/forgejo/repos";
+ lfs = {
+ enable = true;
+ contentDir = "/storage-box/forgejo/lfs";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedGzipSettings = true;
+ recommendedOptimisation = true;
+ recommendedTlsSettings = true;
+ virtualHosts."git.rab.lol" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:3000";
+ extraConfig = ''
+ proxy_set_header Connection $http_connection;
+ proxy_set_header Upgrade $http_upgrade;
+ '';
+ };
+ };
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
+ security.acme.acceptTerms = true;
+ security.acme.certs."git.rab.lol" = {
+ dnsProvider = "cloudflare";
+ credentialsFile = config.age.secrets.rab-lol-cf.path;
+ email = "nikodem@rabulinski.com";
+ };
+ };
+ };
+}
From 4ae7e1340ef3fc50259ec66430379fd8357b0d43 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nikodem=20Rabuli=C5=84ski?=
Date: Tue, 4 Mar 2025 13:47:56 +0100
Subject: [PATCH 3/3] modules/system/containers: enable nat for container interfaces
---
 modules/system/containers.nix | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/modules/system/containers.nix b/modules/system/containers.nix
index a0942f9..26e7e7e 100644
--- a/modules/system/containers.nix
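Review bot: `extraConfig` under `locations."/"` hand-writes the `Connection`/`Upgrade` headers, whereas kanidm.nix from the previous patch uses `proxyWebsockets = true;` for the same purpose; using the option here keeps the two service files consistent and lets the nginx module own that header set. `ACCOUNT_LINKING = "auto"` together with `REGISTER_EMAIL_CONFIRM = false` links an OAuth login to an existing local account whose e-mail (or username) matches, so it relies on the identity provider verifying addresses; a comment like `# auto-linking by e-mail is only safe because the IdP is ours and verifies e-mail` would record that assumption next to the setting. `security.acme.acceptTerms = true;` and `email` are set only in this file; if each `config` evaluates into its own container, kanidm.nix's `enableACME = true` has no `acceptTerms` and the ACME module will refuse to evaluate unless those are provided somewhere shared — worth confirming.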
+++ b/modules/system/containers.nix @@ -85,6 +85,12 @@ let services.openssh.hostKeys = [ ]; system.stateVersion = lib.mkDefault config.system.stateVersion; + + networking.useHostResolvConf = false; + networking.nameservers = [ + "1.1.1.1" + "1.0.0.1" + ]; }; bindMounts = { @@ -95,6 +101,11 @@ let privateNetwork = lib.mkForce true; } ) config.settei.containers; + + networking.nat = lib.mkIf (config.settei.containers != { }) { + enable = true; + internalInterfaces = [ "ve-+" ]; + }; }; darwinConfig = lib.optionalAttrs (!isLinux) {
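Review bot: `networking.nameservers` is set unconditionally to Cloudflare's resolvers for every container, while the neighbouring `system.stateVersion` uses `lib.mkDefault`; `networking.useHostResolvConf = lib.mkDefault false;` and `networking.nameservers = lib.mkDefault [ "1.1.1.1" "1.0.0.1" ];` would let a single container opt back into the host resolver or a local one without `mkForce`. A why-comment would also help, e.g. `# privateNetwork containers cannot use the host's resolv.conf; use public resolvers reached through the host NAT`. The enclosing attribute set begins and ends outside the hunk.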
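Review bot: `networking.nat` is enabled with `internalInterfaces = [ "ve-+" ]` but no `externalInterface`, so the masquerade rule appears not to be tied to the host's uplink; confirm that is intended, or set `externalInterface` to the uplink so container traffic is only rewritten on that path. The `ve-+` glob also matches every veth the host creates for nixos-container, not only those from `config.settei.containers`, which is probably fine but deserves a one-line comment such as `# matches the host side of every container veth`. The surrounding `let` binding starts outside the hunk and `darwinConfig` continues past it.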