Compare commits
10 Commits
7d00638c04
...
d336ea124e
| Author | SHA1 | Date |
|---|---|---|
 Histausse
|
d336ea124e | |
|
Histausse
|
251e32c76e | |
|
Histausse
|
fa4f5c2d75 | |
|
Histausse
|
104780d95f | |
|
Histausse
|
60e22d1288 | |
|
Histausse
|
ab8222b8aa | |
|
Histausse
|
a1265d240b | |
|
Histausse
|
3bd766d87a | |
|
Histausse
|
a36838a657 | |
|
Histausse
|
bdca8e626c |
|
|
@ -0,0 +1,3 @@
|
|||
# TODO:
|
||||
|
||||
- Handle dependention to the user creation for the password files
|
||||
10
base.nix
10
base.nix
|
|
@ -12,7 +12,12 @@ in {
|
|||
domainName = mkOption {
|
||||
type = types.str;
|
||||
example = "example.com";
|
||||
description = "Name of the machine, use for hostname";
|
||||
description = "Domain of the machine, use for hostname";
|
||||
};
|
||||
adminEmail = mkOption {
|
||||
type = types.str;
|
||||
example = "example@example.com";
|
||||
description = "Email of the admin, use for ACME and stuff";
|
||||
};
|
||||
};
|
||||
config = {
|
||||
|
|
@ -26,6 +31,9 @@ in {
|
|||
|
||||
boot.kernelParams = [ "console=tty0" "console=ttyS0,115200"];
|
||||
services.qemuGuest.enable = true;
|
||||
|
||||
system.autoUpgrade.enable = true;
|
||||
system.autoUpgrade.allowReboot = true;
|
||||
|
||||
networking.hostName = "${cfg.name}";
|
||||
|
||||
|
|
|
|||
64
pp-gitea.nix
64
pp-gitea.nix
|
|
@ -12,10 +12,15 @@ in
|
|||
example = "git.example.com";
|
||||
description = "The domain of the server";
|
||||
};
|
||||
disableRegistration = mkOption {
|
||||
openIdEnable = mkOption {
|
||||
type = types.bool;
|
||||
default = true;
|
||||
description = "Must be set to `false` for the initial deployement";
|
||||
default = false;
|
||||
description = "If OpenId provider is setup and should be used exclusively.";
|
||||
};
|
||||
openIdClientName = mkOption {
|
||||
type = types.str;
|
||||
default = "";
|
||||
description = "The name (id) of the openId client to use exclusively.";
|
||||
};
|
||||
customPackage = mkOption {
|
||||
type = types.package;
|
||||
|
|
@ -25,6 +30,11 @@ in
|
|||
};
|
||||
description= "The package for custom configs like theme.";
|
||||
};
|
||||
dbPasswordFile = mkOption {
|
||||
type = types.str;
|
||||
default = "/etc/gitea_db_pwd";
|
||||
description = "The file containing the database password. Be sure to secure it.";
|
||||
};
|
||||
};
|
||||
|
||||
config = {
|
||||
|
|
@ -33,13 +43,25 @@ in
|
|||
services.gitea.stateDir = "/var/lib/gitea"; # default value
|
||||
services.gitea.enable = true;
|
||||
services.gitea.rootUrl = "https://${cfg.domain}/";
|
||||
services.gitea.settings.service.DISABLE_REGISTRATION = lib.mkForce cfg.disableRegistration; # Only set after initial deploy
|
||||
services.gitea.settings.session.COOKIE_SECURE = lib.mkForce true; # Why do I need to override this???
|
||||
|
||||
# If true, openid users cannot create new account
|
||||
#services.gitea.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnable);
|
||||
services.gitea.settings.service.DISABLE_REGISTRATION = lib.mkForce false;
|
||||
services.gitea.settings.service.ALLOW_ONLY_EXTERNAL_REGISTRATION = cfg.openIdEnable;
|
||||
|
||||
services.gitea.lfs.enable = true;
|
||||
services.gitea.domain = cfg.domain;
|
||||
# services.gitea.database.type = "postgres"; # Default is sqlite3, probably better for a small instance
|
||||
services.gitea.database.passwordFile = "/var/lib/gitea/gitea-dbpassword";
|
||||
networking.firewall.allowedTCPPorts = [ 3000 ];
|
||||
services.gitea.database.passwordFile = cfg.dbPasswordFile;
|
||||
# Set the permittions for the db file
|
||||
system.activationScripts = {
|
||||
giteaDbFilePermission.text =
|
||||
''
|
||||
chmod 400 ${cfg.dbPasswordFile}
|
||||
chown ${config.services.gitea.user} ${cfg.dbPasswordFile}
|
||||
'';
|
||||
};
|
||||
environment.systemPackages = with pkgs; [
|
||||
gitea
|
||||
];
|
||||
|
|
@ -57,5 +79,35 @@ in
|
|||
DESCRIPTION = "Code everywhere";
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
# NGINX
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = cfgBase.adminEmail;
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"${cfg.domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:3000";
|
||||
extraConfig = ''
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass_request_headers on;
|
||||
'';
|
||||
};
|
||||
locations."/user/login" = lib.mkIf (cfg.openIdEnable) {
|
||||
return = "301 https://$host/user/oauth2/${cfg.openIdClientName}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,81 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
with lib;
|
||||
let
|
||||
cfgBase = config.base;
|
||||
cfg = config.services.ppKeycloak;
|
||||
in
|
||||
{
|
||||
options.services.ppKeycloak = {
|
||||
domain = mkOption {
|
||||
type = types.str;
|
||||
default = "auth.${cfgBase.domainName}";
|
||||
example = "auth.example.com";
|
||||
description = "The domain of the server";
|
||||
};
|
||||
initialAdminPassword = mkOption {
|
||||
type = types.str;
|
||||
description = "Change on first login, the initial password for the keycloak admin";
|
||||
};
|
||||
dbPasswordFile = mkOption {
|
||||
type = types.str;
|
||||
default = "/etc/kc_db_pwd";
|
||||
description = "The file containing the database password. Be sure to secure it.";
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = {
|
||||
services.keycloak.enable = true;
|
||||
services.keycloak.settings = {
|
||||
hostname = cfg.domain;
|
||||
http-host = "127.0.0.1";
|
||||
http-port = 8080;
|
||||
https-port = 8443;
|
||||
proxy = "edge"; # TODO: change to reencrypt or passthrough
|
||||
hostname-strict-backchannel = true;
|
||||
};
|
||||
services.keycloak.initialAdminPassword = cfg.initialAdminPassword;
|
||||
services.keycloak.database.passwordFile = cfg.dbPasswordFile;
|
||||
# Set the permittions for the db file
|
||||
system.activationScripts = {
|
||||
keycloakDbFilePermission.text =
|
||||
''
|
||||
chmod 400 ${cfg.dbPasswordFile}
|
||||
chown keycloak ${cfg.dbPasswordFile}
|
||||
'';
|
||||
};
|
||||
services.keycloak.database.createLocally = true;
|
||||
# TODO: enable client cert lookup: https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup
|
||||
|
||||
# NGINX
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.defaults.email = cfgBase.adminEmail;
|
||||
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
virtualHosts = {
|
||||
"${cfg.domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
# TODO: reduce attack surface https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:8080";
|
||||
extraConfig = ''
|
||||
proxy_buffer_size 128k;
|
||||
proxy_buffers 4 256k;
|
||||
proxy_busy_buffers_size 256k;
|
||||
proxy_set_header X-Forwarded-Host $host;
|
||||
proxy_set_header X-Forwarded-Server $host;
|
||||
proxy_set_header X-Real-IP $remote_addr;
|
||||
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
||||
proxy_set_header X-Forwarded-Proto $scheme;
|
||||
proxy_set_header Host $host;
|
||||
proxy_pass_request_headers on;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
networking.firewall.allowedTCPPorts = [ 80 443 ];
|
||||
};
|
||||
}
|
||||
Loading…
Reference in New Issue