Pains-Perdus
/
nixos-modules
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: Pains-Perdus:7d00638c0435123ae9515c21a07e0a90dc22dbb0
Branches Tags
Pains-Perdus:master
..
compare: Pains-Perdus:d336ea124ed7da2a9ebbef91c7b26d689f8c9cbf
Branches Tags
Pains-Perdus:master

10 Commits
7d00638c04 ... d336ea124e

Author SHA1 Message Date
Histausse d336ea124e fix openid config for gitea 2023-04-26 22:12:41 +02:00
Histausse 251e32c76e test openid redirection WIP 2023-04-24 23:30:23 +02:00
Histausse fa4f5c2d75 fix proxy buffer size 2023-04-20 21:01:20 +02:00
Histausse 104780d95f add todo 2023-04-20 00:31:42 +02:00
Histausse 60e22d1288 fix config 2023-04-20 00:23:21 +02:00
Histausse ab8222b8aa fix config 2023-04-20 00:22:24 +02:00
Histausse a1265d240b convention 2023-04-20 00:12:13 +02:00
Histausse 3bd766d87a update keycloak 2023-04-20 00:03:56 +02:00
Histausse a36838a657 update gitea config 2023-04-19 23:50:49 +02:00
Histausse bdca8e626c add pp-keycloak.nix 2023-04-18 21:25:10 +02:00
4 changed files with 151 additions and 7 deletions
Show Stats Expand all files Collapse all files

3
TODO.md Normal file
View File

@ -0,0 +1,3 @@
# TODO:
- Handle dependention to the user creation for the password files

10
base.nix
View File

@ -12,7 +12,12 @@ in {
domainName = mkOption { domainName = mkOption {
type = types.str; type = types.str;
example = "example.com"; example = "example.com";
description = "Name of the machine, use for hostname"; description = "Domain of the machine, use for hostname";
};
adminEmail = mkOption {
type = types.str;
example = "example@example.com";
description = "Email of the admin, use for ACME and stuff";
}; };
}; };
config = { config = {
@ -26,6 +31,9 @@ in {
boot.kernelParams = [ "console=tty0" "console=ttyS0,115200"]; boot.kernelParams = [ "console=tty0" "console=ttyS0,115200"];
services.qemuGuest.enable = true; services.qemuGuest.enable = true;
system.autoUpgrade.enable = true;
system.autoUpgrade.allowReboot = true;
networking.hostName = "${cfg.name}"; networking.hostName = "${cfg.name}";

64
pp-gitea.nix
View File

@ -12,10 +12,15 @@ in
example = "git.example.com"; example = "git.example.com";
description = "The domain of the server"; description = "The domain of the server";
}; };
disableRegistration = mkOption { openIdEnable = mkOption {
type = types.bool; type = types.bool;
default = true; default = false;
description = "Must be set to `false` for the initial deployement"; description = "If OpenId provider is setup and should be used exclusively.";
};
openIdClientName = mkOption {
type = types.str;
default = "";
description = "The name (id) of the openId client to use exclusively.";
}; };
customPackage = mkOption { customPackage = mkOption {
type = types.package; type = types.package;
@ -25,6 +30,11 @@ in
}; };
description= "The package for custom configs like theme."; description= "The package for custom configs like theme.";
}; };
dbPasswordFile = mkOption {
type = types.str;
default = "/etc/gitea_db_pwd";
description = "The file containing the database password. Be sure to secure it.";
};
}; };
config = { config = {
@ -33,13 +43,25 @@ in
services.gitea.stateDir = "/var/lib/gitea"; # default value services.gitea.stateDir = "/var/lib/gitea"; # default value
services.gitea.enable = true; services.gitea.enable = true;
services.gitea.rootUrl = "https://${cfg.domain}/"; services.gitea.rootUrl = "https://${cfg.domain}/";
services.gitea.settings.service.DISABLE_REGISTRATION = lib.mkForce cfg.disableRegistration; # Only set after initial deploy
services.gitea.settings.session.COOKIE_SECURE = lib.mkForce true; # Why do I need to override this??? services.gitea.settings.session.COOKIE_SECURE = lib.mkForce true; # Why do I need to override this???
# If true, openid users cannot create new account
#services.gitea.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnable);
services.gitea.settings.service.DISABLE_REGISTRATION = lib.mkForce false;
services.gitea.settings.service.ALLOW_ONLY_EXTERNAL_REGISTRATION = cfg.openIdEnable;
services.gitea.lfs.enable = true; services.gitea.lfs.enable = true;
services.gitea.domain = cfg.domain; services.gitea.domain = cfg.domain;
# services.gitea.database.type = "postgres"; # Default is sqlite3, probably better for a small instance # services.gitea.database.type = "postgres"; # Default is sqlite3, probably better for a small instance
services.gitea.database.passwordFile = "/var/lib/gitea/gitea-dbpassword"; services.gitea.database.passwordFile = cfg.dbPasswordFile;
networking.firewall.allowedTCPPorts = [ 3000 ]; # Set the permittions for the db file
system.activationScripts = {
giteaDbFilePermission.text =
''
chmod 400 ${cfg.dbPasswordFile}
chown ${config.services.gitea.user} ${cfg.dbPasswordFile}
'';
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
gitea gitea
]; ];
@ -57,5 +79,35 @@ in
DESCRIPTION = "Code everywhere"; DESCRIPTION = "Code everywhere";
}; };
}; };
# NGINX
security.acme.acceptTerms = true;
security.acme.defaults.email = cfgBase.adminEmail;
services.nginx = {
enable = true;
virtualHosts = {
"${cfg.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
extraConfig = ''
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass_request_headers on;
'';
};
locations."/user/login" = lib.mkIf (cfg.openIdEnable) {
return = "301 https://$host/user/oauth2/${cfg.openIdClientName}";
};
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}; };
} }

81
pp-keycloak.nix Normal file
View File

@ -0,0 +1,81 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfgBase = config.base;
cfg = config.services.ppKeycloak;
in
{
options.services.ppKeycloak = {
domain = mkOption {
type = types.str;
default = "auth.${cfgBase.domainName}";
example = "auth.example.com";
description = "The domain of the server";
};
initialAdminPassword = mkOption {
type = types.str;
description = "Change on first login, the initial password for the keycloak admin";
};
dbPasswordFile = mkOption {
type = types.str;
default = "/etc/kc_db_pwd";
description = "The file containing the database password. Be sure to secure it.";
};
};
config = {
services.keycloak.enable = true;
services.keycloak.settings = {
hostname = cfg.domain;
http-host = "127.0.0.1";
http-port = 8080;
https-port = 8443;
proxy = "edge"; # TODO: change to reencrypt or passthrough
hostname-strict-backchannel = true;
};
services.keycloak.initialAdminPassword = cfg.initialAdminPassword;
services.keycloak.database.passwordFile = cfg.dbPasswordFile;
# Set the permittions for the db file
system.activationScripts = {
keycloakDbFilePermission.text =
''
chmod 400 ${cfg.dbPasswordFile}
chown keycloak ${cfg.dbPasswordFile}
'';
};
services.keycloak.database.createLocally = true;
# TODO: enable client cert lookup: https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup
# NGINX
security.acme.acceptTerms = true;
security.acme.defaults.email = cfgBase.adminEmail;
services.nginx = {
enable = true;
virtualHosts = {
"${cfg.domain}" = {
forceSSL = true;
enableACME = true;
# TODO: reduce attack surface https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
extraConfig = ''
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass_request_headers on;
'';
};
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}