

No commits in common. "d336ea124ed7da2a9ebbef91c7b26d689f8c9cbf" and "7d00638c0435123ae9515c21a07e0a90dc22dbb0" have entirely different histories.

4 changed files with 7 additions and 151 deletions


@ -1,3 +0,0 @@
# TODO:
- Handle dependention to the user creation for the password files


@ -12,12 +12,7 @@ in {
domainName = mkOption { domainName = mkOption {
type = types.str; type = types.str;
example = "example.com"; example = "example.com";
description = "Domain of the machine, use for hostname"; description = "Name of the machine, use for hostname";
};
adminEmail = mkOption {
type = types.str;
example = "example@example.com";
description = "Email of the admin, use for ACME and stuff";
}; };
}; };
config = { config = {
@ -32,9 +27,6 @@ in {
boot.kernelParams = [ "console=tty0" "console=ttyS0,115200"]; boot.kernelParams = [ "console=tty0" "console=ttyS0,115200"];
services.qemuGuest.enable = true; services.qemuGuest.enable = true;
system.autoUpgrade.enable = true;
system.autoUpgrade.allowReboot = true;
networking.hostName = "${cfg.name}"; networking.hostName = "${cfg.name}";
time.timeZone = "Europe/Paris"; time.timeZone = "Europe/Paris";
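Review bot: The new description of `domainName` in the `-12,12 +12,7` hunk, "Name of the machine, use for hostname", no longer says the option holds a domain, although the option is called `domainName` and its example is `example.com`; `description = "Domain name of the machine, also used to derive the hostname";` would match what the option is. The same section's context line `networking.hostName = "${cfg.name}";` carries a redundant interpolation (`networking.hostName = cfg.name;`), and `cfg.name` is not among the options visible in the hunk, so presumably it is declared above line 12. The second hunk leaves the new side without `system.autoUpgrade.enable` and `allowReboot`, which changes how this host receives patches; if that is intentional, a sentence in the commit description saying how updates are applied instead would help whoever deploys it.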


@ -12,15 +12,10 @@ in
example = "git.example.com"; example = "git.example.com";
description = "The domain of the server"; description = "The domain of the server";
}; };
openIdEnable = mkOption { disableRegistration = mkOption {
type = types.bool; type = types.bool;
default = false; default = true;
description = "If OpenId provider is setup and should be used exclusively."; description = "Must be set to `false` for the initial deployement";
};
openIdClientName = mkOption {
type = types.str;
default = "";
description = "The name (id) of the openId client to use exclusively.";
}; };
customPackage = mkOption { customPackage = mkOption {
type = types.package; type = types.package;
@ -30,11 +25,6 @@ in
}; };
description= "The package for custom configs like theme."; description= "The package for custom configs like theme.";
}; };
dbPasswordFile = mkOption {
type = types.str;
default = "/etc/gitea_db_pwd";
description = "The file containing the database password. Be sure to secure it.";
};
}; };
config = { config = {
@ -43,25 +33,13 @@ in
services.gitea.stateDir = "/var/lib/gitea"; # default value services.gitea.stateDir = "/var/lib/gitea"; # default value
services.gitea.enable = true; services.gitea.enable = true;
services.gitea.rootUrl = "https://${cfg.domain}/"; services.gitea.rootUrl = "https://${cfg.domain}/";
services.gitea.settings.service.DISABLE_REGISTRATION = lib.mkForce cfg.disableRegistration; # Only set after initial deploy
services.gitea.settings.session.COOKIE_SECURE = lib.mkForce true; # Why do I need to override this??? services.gitea.settings.session.COOKIE_SECURE = lib.mkForce true; # Why do I need to override this???
# If true, openid users cannot create new account
#services.gitea.settings.service.DISABLE_REGISTRATION = lib.mkForce (!cfg.openIdEnable);
services.gitea.settings.service.DISABLE_REGISTRATION = lib.mkForce false;
services.gitea.settings.service.ALLOW_ONLY_EXTERNAL_REGISTRATION = cfg.openIdEnable;
services.gitea.lfs.enable = true; services.gitea.lfs.enable = true;
services.gitea.domain = cfg.domain; services.gitea.domain = cfg.domain;
# services.gitea.database.type = "postgres"; # Default is sqlite3, probably better for a small instance # services.gitea.database.type = "postgres"; # Default is sqlite3, probably better for a small instance
services.gitea.database.passwordFile = cfg.dbPasswordFile; services.gitea.database.passwordFile = "/var/lib/gitea/gitea-dbpassword";
# Set the permittions for the db file networking.firewall.allowedTCPPorts = [ 3000 ];
system.activationScripts = {
giteaDbFilePermission.text =
''
chmod 400 ${cfg.dbPasswordFile}
chown ${config.services.gitea.user} ${cfg.dbPasswordFile}
'';
};
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
gitea gitea
]; ];
@ -79,35 +57,5 @@ in
DESCRIPTION = "Code everywhere"; DESCRIPTION = "Code everywhere";
}; };
}; };
# NGINX
security.acme.acceptTerms = true;
security.acme.defaults.email = cfgBase.adminEmail;
services.nginx = {
enable = true;
virtualHosts = {
"${cfg.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://127.0.0.1:3000";
extraConfig = ''
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass_request_headers on;
'';
};
locations."/user/login" = lib.mkIf (cfg.openIdEnable) {
return = "301 https://$host/user/oauth2/${cfg.openIdClientName}";
};
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
}; };
} }
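Review bot: On the new side of the `-43,25 +33,13` hunk, Gitea's own listener is exposed with `networking.firewall.allowedTCPPorts = [ 3000 ];` while the nginx virtual host that terminated TLS is gone from the last hunk, yet `rootUrl = "https://${cfg.domain}/"` and `session.COOKIE_SECURE = lib.mkForce true` are kept; unless TLS is terminated by something outside this module, clients reaching port 3000 speak plain HTTP, the secure-only session cookie is never sent back, and the root URL points at an origin nothing serves. Either keep 3000 out of `allowedTCPPorts` and bind the listener to loopback with `services.gitea.settings.server.HTTP_ADDR = "127.0.0.1";`, or add a comment naming the external proxy and make rootUrl and COOKIE_SECURE consistent with it. The hard-coded `services.gitea.database.passwordFile = "/var/lib/gitea/gitea-dbpassword";` also replaces the removed `dbPasswordFile` option together with its `chmod 400`/`chown` activation step, so the module no longer states who provisions that file or keeps it readable only by the gitea user — a comment next to the line should say so, and since the comment above notes the database defaults to sqlite3, it should also say whether the file is used at all. The new `disableRegistration` description in the first hunk has a typo: `deployement` → `deployment`.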


@ -1,81 +0,0 @@
{ config, pkgs, lib, ... }:
with lib;
let
cfgBase = config.base;
cfg = config.services.ppKeycloak;
in
{
options.services.ppKeycloak = {
domain = mkOption {
type = types.str;
default = "auth.${cfgBase.domainName}";
example = "auth.example.com";
description = "The domain of the server";
};
initialAdminPassword = mkOption {
type = types.str;
description = "Change on first login, the initial password for the keycloak admin";
};
dbPasswordFile = mkOption {
type = types.str;
default = "/etc/kc_db_pwd";
description = "The file containing the database password. Be sure to secure it.";
};
};
config = {
services.keycloak.enable = true;
services.keycloak.settings = {
hostname = cfg.domain;
http-host = "127.0.0.1";
http-port = 8080;
https-port = 8443;
proxy = "edge"; # TODO: change to reencrypt or passthrough
hostname-strict-backchannel = true;
};
services.keycloak.initialAdminPassword = cfg.initialAdminPassword;
services.keycloak.database.passwordFile = cfg.dbPasswordFile;
# Set the permittions for the db file
system.activationScripts = {
keycloakDbFilePermission.text =
''
chmod 400 ${cfg.dbPasswordFile}
chown keycloak ${cfg.dbPasswordFile}
'';
};
services.keycloak.database.createLocally = true;
# TODO: enable client cert lookup: https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup
# NGINX
security.acme.acceptTerms = true;
security.acme.defaults.email = cfgBase.adminEmail;
services.nginx = {
enable = true;
virtualHosts = {
"${cfg.domain}" = {
forceSSL = true;
enableACME = true;
# TODO: reduce attack surface https://www.keycloak.org/server/reverseproxy#_enabling_client_certificate_lookup
locations."/" = {
proxyPass = "http://127.0.0.1:8080";
extraConfig = ''
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Host $host;
proxy_pass_request_headers on;
'';
};
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}