diff --git a/common/databases/default.nix b/common/databases/default.nix
new file mode 100644
index 0000000..99e770b
--- /dev/null
+++ b/common/databases/default.nix
@@ -0,0 +1 @@
+{ imports = [ ./postgres.nix ]; }
diff --git a/common/databases/postgres.nix b/common/databases/postgres.nix
new file mode 100644
index 0000000..d55e7b9
--- /dev/null
+++ b/common/databases/postgres.nix
@@ -0,0 +1,72 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+let
+ inherit (lib)
+ types
+ concatLines
+ optionalString
+ mkOption
+ ;
+
+ createPasswords = pkgs.writeText "psql-password-def" (
+ concatLines (
+ map (
+ s:
+ optionalString (!isNull s.passFile) ''
+ DO $$
+ DECLARE password TEXT;
+ BEGIN
+ password := trim(both from replace(pg_read_file('${s.passFile}'), E'\n', '''));
+ EXECUTE format('ALTER ROLE ${s.name} WITH PASSWORD '''%s''';', password);
+ END $$;
+ ''
+ ) config.services.postgresql.ensureUsers
+ )
+ );
+in
+{
+ config = {
+ systemd.services.postgresql.postStart = "$PSQL -tA -f ${createPasswords}";
+
+ services.postgresql = {
+ package = pkgs.postgresql_15;
+
+ authentication = pkgs.lib.mkOverride 10 ''
+ #type database DBuser auth-method
+ local all all peer map=superuser_map
+ local all all peer
+ host all all 127.0.0.1/32 md5
+ host all all ::1/128 md5
+ local replication all peer
+ host replication all 127.0.0.1/32 md5
+ host replication all ::1/128 md5
+ '';
+ identMap = ''
+ # ArbitraryMapName systemUser DBUser
+ superuser_map root postgres
+ superuser_map matrix-synapse synapse
+ superuser_map postgres-exporter postgres
+ # Let other names login as themselves
+ superuser_map /^(.*)$ \1
+ '';
+ };
+ };
+
+ options.services.postgresql.ensureUsers = mkOption {
+ type = types.listOf (
+ types.submodule {
+ options = {
+ passFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ description = "path to a password file containing the password to be set";
+ };
+ };
+ }
+ );
+ };
+}
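Review bot: The `EXECUTE format('ALTER ROLE ${s.name} WITH PASSWORD '''%s''';', password)` line in createPasswords splices the file contents into the statement with `%s`, so a password containing a single quote breaks the ALTER ROLE or changes its meaning; `%L` quotes it as a literal and `%I` handles the role name: `EXECUTE format('ALTER ROLE %I WITH PASSWORD %L;', '${s.name}', password);`. In the pg_hba block the second `local all all peer` line can never match, because pg_hba is first-match and the preceding `local all all peer map=superuser_map` already covers every local connection, so it should be dropped or the map line narrowed. `superuser_map postgres-exporter postgres` lets the metrics exporter connect as the superuser; a dedicated role that is a member of `pg_monitor` is enough for what an exporter needs. Since the server itself reads `passFile` through `pg_read_file`, the file must be readable by the postgres user, which the option's `description` should say; and if the NixOS module's own ensureUsers statements are merged into the same `postStart`, this ALTER ROLE runs before the role exists unless the value is wrapped in `lib.mkAfter` — worth confirming against the module version in use.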
diff --git a/common/default.nix b/common/default.nix
index 5e64b12..4f4c620 100644
--- a/common/default.nix
+++ b/common/default.nix
@@ -17,5 +17,6 @@ with lib;
 ./firefox.nix
 ./cloudsync.nix
 ./hardware
+ ./databases
 ];
 }
diff --git a/modules/auth.nix b/modules/auth.nix
index 30497bd..106cd65 100644
--- a/modules/auth.nix
+++ b/modules/auth.nix
@@ -1,10 +1,128 @@ -{ config, pkgs, ... }: +{ + config, + pkgs, + lib, + ... +}: let inherit (config.serverConfig) vhosts; inherit (config.networking) domain; -in { - services.openldap = { + inherit (lib) remove concatStringsSep; +in +{ + age.secrets.openldap_admin = + let + inherit (config.services.openldap) user group; + in + { + file = ../secrets/openldap_admin.age; + inherit group; + owner = user; + mode = "0444"; + }; + + age.secrets.keycloak_db_pass = { + file = ../secrets/keycloak_db_pass.age; + group = "keycloak"; + owner = "keycloak"; + mode = "0444"; + }; + + users.users.keycloak = { + isSystemUser = true; + group = "keycloak"; + }; + users.groups.keycloak = { }; + + services.postgresql = + let + inherit (config.services.keycloak.database) name username; + in + { + enable = true; + ensureDatabases = [ name ]; + ensureUsers = [ + { + name = username; + passFile = config.age.secrets.keycloak_db_pass.path; + ensureDBOwnership = true; + } + ]; + }; + + services.keycloak = { enable = true; + database = { + type = "postgresql"; + createLocally = false; + + username = "keycloak"; + passwordFile = config.age.secrets.keycloak_db_pass.path; + }; + + settings = { + hostname = vhosts.auth_host.host; + http-host = "127.0.0.1"; + http-port = vhosts.auth_host.port; + proxy = "edge"; # passthrough"; + }; }; + + services.openldap = + let + localDc = concatStringsSep "," (map (s: "dc=${s}") (remove [ ] (builtins.split "\\." 
domain))); + in + { + enable = true; + urlList = [ "ldap:///" "ldapi:///" ]; + +# declarativeContents = { +# "${localDc}" = import ./ldapConf.nix { inherit localDc; }; +# }; + + settings = { + attrs = { + olcLogLevel = "conns config"; + }; + + children = { + "cn=schema".includes = [ + "${pkgs.openldap}/etc/schema/core.ldif" + "${pkgs.openldap}/etc/schema/cosine.ldif" + "${pkgs.openldap}/etc/schema/inetorgperson.ldif" + ]; + + "olcDatabase={1}mdb".attrs = { + objectClass = [ + "olcDatabaseConfig" + "olcMdbConfig" + ]; + + olcDatabase = "{1}mdb"; + olcDbDirectory = "/var/lib/openldap/data"; + + olcSuffix = localDc; + + olcRootDN = "cn=admin,${localDc}"; +# olcRootPW.path = config.age.secrets.openldap_admin.path; + olcRootPW = "{SSHA}D1U1E6Xz07DGYLjke1YcCsVF6ddSLyLr"; + + olcAccess = [ + # custom access rules for userPassword attributes + '' + {0}to attrs=userPassword + by self write + by anonymous auth + by * none'' + + # allow read on anything else + '' + {1}to * + by * read'' + ]; + }; + }; + }; + }; } diff --git a/modules/default.nix b/modules/default.nix index 73e4a36..412ad99 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -187,11 +187,11 @@ in nix_cache_host = { host = "nixcache.${domain}"; port = 5000; - accessType = "proxy"; + accessType = "proxy"; }; auth_host = { host = "auth.${domain}"; - port = 9443; + port = 38080; accessType = "proxy"; }; }; diff --git a/modules/matrix.nix b/modules/matrix.nix index 2c79c42..6eac5e4 100644 --- a/modules/matrix.nix +++ b/modules/matrix.nix 
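Review bot: `olcRootPW = "{SSHA}D1U1E6Xz07DGYLjke1YcCsVF6ddSLyLr"` commits the directory admin password hash to the repository, while the `age.secrets.openldap_admin` entry added at the top of the same hunk is never used because the `olcRootPW.path` line is commented out; a salted SHA-1 hash in git history is crackable offline, so restore `olcRootPW.path = config.age.secrets.openldap_admin.path;`, remove the literal, and rotate the admin password since the hash has already been published. Both age secrets are installed with `mode = "0444"`, which makes the LDAP admin credential and the Keycloak DB password readable by every local user even though `owner` is already the service account; `mode = "0400"` is sufficient. The `{1}to * by * read` ACL lets anonymous binds read every attribute other than userPassword — if unauthenticated enumeration of the directory is not intended, `by users read by * none` is the usual replacement. The `# passthrough"` fragment after `proxy = "edge";` looks like an editing leftover and should be cleaned up.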
@@ -11,53 +11,16 @@ in { services.postgresql = { enable = true; - # CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse; ensureDatabases = [ "synapse" ]; - package = pkgs.postgresql_15; ensureUsers = [ { name = "synapse"; + passFile = config.age.secrets.synapse_db_pass.path; ensureDBOwnership = true; } ]; - authentication = pkgs.lib.mkOverride 10 '' - #type database DBuser auth-method - local all postgres peer - local all all peer - host all all 127.0.0.1/32 md5 - host synapse matrix-synapse ::1/128 md5 - host nextcloud nextcloud ::1/128 md5 - host all all ::1/128 md5 - local replication all peer - host replication all 127.0.0.1/32 md5 - host replication all ::1/128 md5 - ''; - identMap = '' - # ArbitraryMapName systemUser DBUser - superuser_map root postgres - superuser_map matrix-synapse synapse - superuser_map nextcloud nextcloud - superuser_map postgres postgres - # Let other names login as themselves - superuser_map /^(.*)$ \1 - ''; }; - systemd.services.postgresql.postStart = - let - password_file_path = config.age.secrets.synapse_db_pass.path; - in - '' - $PSQL -tA <<'EOF' - DO $$ - DECLARE password TEXT; - BEGIN - password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', ''')); - EXECUTE format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password); - END $$; - EOF - ''; - services.matrix-synapse-next = { enable = true; diff --git a/modules/prometheus.nix b/modules/prometheus.nix index eb97aa8..7778988 100644 --- a/modules/prometheus.nix +++ b/modules/prometheus.nix @@ -14,11 +14,7 @@ in { targets = let - inherit (lib) - filter - isAttrs - attrValues - ; + inherit (lib) filter isAttrs attrValues; in map (v: "127.0.0.1:${builtins.toString v.port}") ( filter (v: (isAttrs v) && v.enable) (attrValues config.services.prometheus.exporters) diff --git a/secrets/keycloak_db_pass.age b/secrets/keycloak_db_pass.age new file mode 100644 index 0000000..fad465a --- /dev/null 
+++ b/secrets/keycloak_db_pass.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-rsa jWbwAg +bYI5XiBLSBsLCsBlAwXZqtVlJ662v5Wb2ugK8BiMAT81lKWVUCYiunki5HKRixnq +GqpETIGLKS3H4aqY8t2CoRU9AlIVkDEgHOF1pF8WGKlsyA0A7NIr3VzlPZdER3Cv +6bP2YK90Ec0OGePaQJEcDS2EvjgqxgPMQh/QZSVG4ka4ChDkTN3CqKOzoVA1+T2Q +jWC3ODefhGm81mXSFHVgJaAxK3EKXOgj/4pPqAZPAaHhxMjth3wvo6oB9UKPP03a +yoaD6nYzLA9ow2z2PYgRHRKSt80Y8EvOy77C0sfyZxkfQy0TziZXigfTosUw8IsL +5WJaqXzyt3yZSj+cG5LQowYR63UOQms2eYiXdO96vfxATdQOyLZxlD3EzwSUgamy +czxIbL1kUnYSQR6Dq1v9gRxW/+5PwTqREYz+8lK3ljt01e6bav8hk4Zh8vpwy06U +E8eYtUpWdnsw6ZgMjECfWmd2UGVtd2aZhUoMrPfvxCwJyeQ9UuOcdvPeYc86gy0Y +xzGQpHxVVhE64NlCmnTCqsu+bojaOZ8hNHU6683yOMFGNWrwjnY6IimNUz8IJI9Z +YU8tXenk/9HOf2nIxUsmWu+/pWK+8e2pI5IyWm0bJryeh3UPmyMcjetjiWIMCxB0 +jHdrs5WRzwA9tV0ChshkO7gHgq4xeRKmKfr2tLFbFmA +--- 6TjSc9yvPIuT88DsMWAWZhU5zeO8DqxBlvaAvBxTsq4 +F7L=$ q^Mxh@jI.:ly63?/TNوdhYI盼xoG!/U0 \ No newline at end of file diff --git a/secrets/openldap_admin.age b/secrets/openldap_admin.age new file mode 100644 index 0000000..1c59df6 --- /dev/null +++ b/secrets/openldap_admin.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-rsa jWbwAg +CgH6gIYLzGuMLxrYlB/jCfzkteSN5SX4HFl905ys12Vtlr0eoD57KvMM5RzhBVyL +a8yxi09qAlhf6fekjMmOJ9veX2ueN2eb8JOMjArZd+Fas7GN6wv2YaMlbI2jsfQh +e/Q+DeyLkWJKdaApJnHkVko84Om/6C2nqhE7iaAdpFbXMXcxYiIhGkoH2eMNJI/w +mn+eF5W45+jA+Ips1+LMHewAyKxaEQpuOUOV/xj8IQKui1buLOW9Y61N9CSSTSse +8kr9rXm4t7a0foEkXk+C9lrO3y4hjfnF/JOMaU5DNUgF36d8zDthTaf71mkMgbnS +ULdCr/XoudHMWGOy/8Q6zz8n9tvIkjNNleHccE6FVW7i2uxWeABPk4EVHr4y+/91 +QNjhK8LLXQ4ZtJWaX08I+SpZk9h4xInf8MbNQNQlK7upua3bJM4qdDLh772enO78 +DHa7Se4G0Jl8ALUwY3+/H2tZrbvXvBEQbH+ErS014raJOSu/cgkFw54SlI2X3b6+ +4LaUxjb5rxItORLGbGsquCBVSB/qxsSR6LJjrSYnBKvUYvqR57X5f9SO+6dbt70n +Z5y7jZZ6JMW9uqgLJ3/pR8uIxnYjr+B+O+zlubGsywWadQaShWL4Ukf0kEmEFqEP +LXJro1ntCQcFmAhEvLc2gsVRxbwwzlFOmymvjcnN7Bk +--- TzABYKP2llgfeMeGMDK9kb1TuGzKxVbCR5xqOVwhUjU +^ɛmy|i~(}Cr4._Y;+n͏1wqvd\rWȚU] >닞6g皂 \ No newline at end of file 
diff --git a/secrets/secrets.nix b/secrets/secrets.nix index ff54e82..d25ba25 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -13,6 +13,8 @@ in # "duckdns_token.age".publicKeys = [ contabo_nix_pub ]; "synapse_db_pass.age".publicKeys = [ contabo_nix_pub ]; + "openldap_admin.age".publicKeys = [ contabo_nix_pub ]; + "keycloak_db_pass.age".publicKeys = [ contabo_nix_pub ]; "synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ]; "grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ]; diff --git a/specific/grimm-nixos-laptop/configuration.nix b/specific/grimm-nixos-laptop/configuration.nix index fb5d7d1..034b5d0 100644 --- a/specific/grimm-nixos-laptop/configuration.nix +++ b/specific/grimm-nixos-laptop/configuration.nix @@ -53,9 +53,7 @@ system.stateVersion = "23.05"; - nix.settings.extra-substituters = [ - "https://nixcache.grimmauld.de" - ]; + nix.settings.extra-substituters = [ "https://nixcache.grimmauld.de" ]; nix.settings.trusted-public-keys = [ "nixcache.grimmauld.de:LFBlakr8RYIuVb9I1S0+L9JGyB2THcfbPa0W6srghqo="