Grimmauld/grimm-nixos-laptop
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

preliminary auth

Browse source
This commit is contained in:
Grimmauld 2024-05-25 21:50:51 +02:00
parent 6cb15ad29e
commit 65b39ce021
11 changed files with 232 additions and 51 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
common/databases/default.nix Normal file
View file

@ -0,0 +1 @@
{ imports = [ ./postgres.nix ]; }

72
common/databases/postgres.nix Normal file
View file

@ -0,0 +1,72 @@
{
pkgs,
config,
lib,
...
}:
let
inherit (lib)
types
concatLines
optionalString
mkOption
;
createPasswords = pkgs.writeText "psql-password-def" (
concatLines (
map (
s:
optionalString (!isNull s.passFile) ''
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${s.passFile}'), E'\n', '''));
EXECUTE format('ALTER ROLE ${s.name} WITH PASSWORD '''%s''';', password);
END $$;
''
) config.services.postgresql.ensureUsers
)
);
in
{
config = {
systemd.services.postgresql.postStart = "$PSQL -tA -f ${createPasswords}";
services.postgresql = {
package = pkgs.postgresql_15;
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all all peer map=superuser_map
local all all peer
host all all 127.0.0.1/32 md5
host all all ::1/128 md5
local replication all peer
host replication all 127.0.0.1/32 md5
host replication all ::1/128 md5
'';
identMap = ''
# ArbitraryMapName systemUser DBUser
superuser_map root postgres
superuser_map matrix-synapse synapse
superuser_map postgres-exporter postgres
# Let other names login as themselves
superuser_map /^(.*)$ \1
'';
};
};
options.services.postgresql.ensureUsers = mkOption {
type = types.listOf (
types.submodule {
options = {
passFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "path to a password file containing the password to be set";
};
};
}
);
};
}

1
common/default.nix
View file

@ -17,5 +17,6 @@ with lib;
./firefox.nix ./firefox.nix
./cloudsync.nix ./cloudsync.nix
./hardware ./hardware
./databases
]; ];
} }

124
modules/auth.nix
View file

@ -1,10 +1,128 @@
{ config, pkgs, ... }: {
config,
pkgs,
lib,
...
}:
let let
inherit (config.serverConfig) vhosts; inherit (config.serverConfig) vhosts;
inherit (config.networking) domain; inherit (config.networking) domain;
in { inherit (lib) remove concatStringsSep;
services.openldap = { in
{
age.secrets.openldap_admin =
let
inherit (config.services.openldap) user group;
in
{
file = ../secrets/openldap_admin.age;
inherit group;
owner = user;
mode = "0444";
};
age.secrets.keycloak_db_pass = {
file = ../secrets/keycloak_db_pass.age;
group = "keycloak";
owner = "keycloak";
mode = "0444";
};
users.users.keycloak = {
isSystemUser = true;
group = "keycloak";
};
users.groups.keycloak = { };
services.postgresql =
let
inherit (config.services.keycloak.database) name username;
in
{
enable = true;
ensureDatabases = [ name ];
ensureUsers = [
{
name = username;
passFile = config.age.secrets.keycloak_db_pass.path;
ensureDBOwnership = true;
}
];
};
services.keycloak = {
enable = true; enable = true;
database = {
type = "postgresql";
createLocally = false;
username = "keycloak";
passwordFile = config.age.secrets.keycloak_db_pass.path;
};
settings = {
hostname = vhosts.auth_host.host;
http-host = "127.0.0.1";
http-port = vhosts.auth_host.port;
proxy = "edge"; # passthrough";
};
}; };
services.openldap =
let
localDc = concatStringsSep "," (map (s: "dc=${s}") (remove [ ] (builtins.split "\\." domain)));
in
{
enable = true;
urlList = [ "ldap:///" "ldapi:///" ];
# declarativeContents = {
# "${localDc}" = import ./ldapConf.nix { inherit localDc; };
# };
settings = {
attrs = {
olcLogLevel = "conns config";
};
children = {
"cn=schema".includes = [
"${pkgs.openldap}/etc/schema/core.ldif"
"${pkgs.openldap}/etc/schema/cosine.ldif"
"${pkgs.openldap}/etc/schema/inetorgperson.ldif"
];
"olcDatabase={1}mdb".attrs = {
objectClass = [
"olcDatabaseConfig"
"olcMdbConfig"
];
olcDatabase = "{1}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = localDc;
olcRootDN = "cn=admin,${localDc}";
# olcRootPW.path = config.age.secrets.openldap_admin.path;
olcRootPW = "{SSHA}D1U1E6Xz07DGYLjke1YcCsVF6ddSLyLr";
olcAccess = [
# custom access rules for userPassword attributes
''
{0}to attrs=userPassword
by self write
by anonymous auth
by * none''
# allow read on anything else
''
{1}to *
by * read''
];
};
};
};
};
} }

4
modules/default.nix
View file

@ -187,11 +187,11 @@ in
nix_cache_host = { nix_cache_host = {
host = "nixcache.${domain}"; host = "nixcache.${domain}";
port = 5000; port = 5000;
accessType = "proxy"; accessType = "proxy";
}; };
auth_host = { auth_host = {
host = "auth.${domain}"; host = "auth.${domain}";
port = 9443; port = 38080;
accessType = "proxy"; accessType = "proxy";
}; };
}; };

39
modules/matrix.nix
View file

@ -11,53 +11,16 @@ in
{ {
services.postgresql = { services.postgresql = {
enable = true; enable = true;
# CREATE DATABASE synapse ENCODING 'UTF8' LC_COLLATE='C' LC_CTYPE='C' template=template0 OWNER synapse;
ensureDatabases = [ "synapse" ]; ensureDatabases = [ "synapse" ];
package = pkgs.postgresql_15;
ensureUsers = [ ensureUsers = [
{ {
name = "synapse"; name = "synapse";
passFile = config.age.secrets.synapse_db_pass.path;
ensureDBOwnership = true; ensureDBOwnership = true;
} }
]; ];
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method
local all postgres peer
local all all peer
host all all 127.0.0.1/32 md5
host synapse matrix-synapse ::1/128 md5
host nextcloud nextcloud ::1/128 md5
host all all ::1/128 md5
local replication all peer
host replication all 127.0.0.1/32 md5
host replication all ::1/128 md5
'';
identMap = ''
# ArbitraryMapName systemUser DBUser
superuser_map root postgres
superuser_map matrix-synapse synapse
superuser_map nextcloud nextcloud
superuser_map postgres postgres
# Let other names login as themselves
superuser_map /^(.*)$ \1
'';
}; };
systemd.services.postgresql.postStart =
let
password_file_path = config.age.secrets.synapse_db_pass.path;
in
''
$PSQL -tA <<'EOF'
DO $$
DECLARE password TEXT;
BEGIN
password := trim(both from replace(pg_read_file('${password_file_path}'), E'\n', '''));
EXECUTE format('ALTER ROLE synapse WITH PASSWORD '''%s''';', password);
END $$;
EOF
'';
services.matrix-synapse-next = { services.matrix-synapse-next = {
enable = true; enable = true;

6
modules/prometheus.nix
View file

@ -14,11 +14,7 @@ in
{ {
targets = targets =
let let
inherit (lib) inherit (lib) filter isAttrs attrValues;
filter
isAttrs
attrValues
;
in in
map (v: "127.0.0.1:${builtins.toString v.port}") ( map (v: "127.0.0.1:${builtins.toString v.port}") (
filter (v: (isAttrs v) && v.enable) (attrValues config.services.prometheus.exporters) filter (v: (isAttrs v) && v.enable) (attrValues config.services.prometheus.exporters)

15
secrets/keycloak_db_pass.age Normal file
View file

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
bYI5XiBLSBsLCsBlAwXZqtVlJ662v5Wb2ugK8BiMAT81lKWVUCYiunki5HKRixnq
GqpETIGLKS3H4aqY8t2CoRU9AlIVkDEgHOF1pF8WGKlsyA0A7NIr3VzlPZdER3Cv
6bP2YK90Ec0OGePaQJEcDS2EvjgqxgPMQh/QZSVG4ka4ChDkTN3CqKOzoVA1+T2Q
jWC3ODefhGm81mXSFHVgJaAxK3EKXOgj/4pPqAZPAaHhxMjth3wvo6oB9UKPP03a
yoaD6nYzLA9ow2z2PYgRHRKSt80Y8EvOy77C0sfyZxkfQy0TziZXigfTosUw8IsL
5WJaqXzyt3yZSj+cG5LQowYR63UOQms2eYiXdO96vfxATdQOyLZxlD3EzwSUgamy
czxIbL1kUnYSQR6Dq1v9gRxW/+5PwTqREYz+8lK3ljt01e6bav8hk4Zh8vpwy06U
E8eYtUpWdnsw6ZgMjECfWmd2UGVtd2aZhUoMrPfvxCwJyeQ9UuOcdvPeYc86gy0Y
xzGQpHxVVhE64NlCmnTCqsu+bojaOZ8hNHU6683yOMFGNWrwjnY6IimNUz8IJI9Z
YU8tXenk/9HOf2nIxUsmWu+/pWK+8e2pI5IyWm0bJryeh3UPmyMcjetjiWIMCxB0
jHdrs5WRzwA9tV0ChshkO7gHgq4xeRKmKfr2tLFbFmA
--- 6TjSc9yvPIuT88DsMWAWZhU5zeO8DqxBlvaAvBxTsq4
šF7·LÛ=$ó q^êMxh¸ç<C2B8>@jÄIâ.Ù:¾l¸®ç§yö6ð3×?/T­NõÙˆdhYIó÷ç¼xo˜Gô’!/úU0

15
secrets/openldap_admin.age Normal file
View file

@ -0,0 +1,15 @@
age-encryption.org/v1
-> ssh-rsa jWbwAg
CgH6gIYLzGuMLxrYlB/jCfzkteSN5SX4HFl905ys12Vtlr0eoD57KvMM5RzhBVyL
a8yxi09qAlhf6fekjMmOJ9veX2ueN2eb8JOMjArZd+Fas7GN6wv2YaMlbI2jsfQh
e/Q+DeyLkWJKdaApJnHkVko84Om/6C2nqhE7iaAdpFbXMXcxYiIhGkoH2eMNJI/w
mn+eF5W45+jA+Ips1+LMHewAyKxaEQpuOUOV/xj8IQKui1buLOW9Y61N9CSSTSse
8kr9rXm4t7a0foEkXk+C9lrO3y4hjfnF/JOMaU5DNUgF36d8zDthTaf71mkMgbnS
ULdCr/XoudHMWGOy/8Q6zz8n9tvIkjNNleHccE6FVW7i2uxWeABPk4EVHr4y+/91
QNjhK8LLXQ4ZtJWaX08I+SpZk9h4xInf8MbNQNQlK7upua3bJM4qdDLh772enO78
DHa7Se4G0Jl8ALUwY3+/H2tZrbvXvBEQbH+ErS014raJOSu/cgkFw54SlI2X3b6+
4LaUxjb5rxItORLGbGsquCBVSB/qxsSR6LJjrSYnBKvUYvqR57X5f9SO+6dbt70n
Z5y7jZZ6JMW9uqgLJ3/pR8uIxnYjr+B+O+zlubGsywWadQaShWL4Ukf0kEmEFqEP
LXJro1ntCQcFmAhEvLc2gsVRxbwwzlFOmymvjcnN7Bk
--- TzABYKP2llgfeMeGMDK9kb1TuGzKxVbCR5xqOVwhUjU
úÉÜmþyÑâ|iŠÇ~(}CrÚê4Í._Y¯;+¶nÍ<6E>ŠŠ1wß÷qÎvdÃË\rWÛÈšâU] >ëžùí—6gçš

2
secrets/secrets.nix
View file

@ -13,6 +13,8 @@ in
# "duckdns_token.age".publicKeys = [ contabo_nix_pub ]; # "duckdns_token.age".publicKeys = [ contabo_nix_pub ];
"synapse_db_pass.age".publicKeys = [ contabo_nix_pub ]; "synapse_db_pass.age".publicKeys = [ contabo_nix_pub ];
"openldap_admin.age".publicKeys = [ contabo_nix_pub ];
"keycloak_db_pass.age".publicKeys = [ contabo_nix_pub ];
"synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ]; "synapse_db_pass_prepared.age".publicKeys = [ contabo_nix_pub ];
"grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ]; "grafana_admin_pass.age".publicKeys = [ contabo_nix_pub ];

4
specific/grimm-nixos-laptop/configuration.nix
View file

@ -53,9 +53,7 @@
system.stateVersion = "23.05"; system.stateVersion = "23.05";
nix.settings.extra-substituters = [ nix.settings.extra-substituters = [ "https://nixcache.grimmauld.de" ];
"https://nixcache.grimmauld.de"
];
nix.settings.trusted-public-keys = [ nix.settings.trusted-public-keys = [
"nixcache.grimmauld.de:LFBlakr8RYIuVb9I1S0+L9JGyB2THcfbPa0W6srghqo=" "nixcache.grimmauld.de:LFBlakr8RYIuVb9I1S0+L9JGyB2THcfbPa0W6srghqo="