This commit is contained in:
Paul Zinselmeyer 2023-11-24 21:20:43 +01:00
commit c02ee1c083
14 changed files with 1027 additions and 0 deletions

flake.lock Normal file

@ -0,0 +1,577 @@
{
"nodes": {
"agenix": {
"inputs": {
"darwin": "darwin",
"home-manager": "home-manager",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1696775529,
"narHash": "sha256-TYlE4B0ktPtlJJF9IFxTWrEeq+XKG8Ny0gc2FGEAdj0=",
"owner": "ryantm",
"repo": "agenix",
"rev": "daf42cb35b2dc614d1551e37f96406e4c4a2d3e4",
"type": "github"
},
"original": {
"owner": "ryantm",
"repo": "agenix",
"type": "github"
}
},
"arion": {
"inputs": {
"flake-parts": "flake-parts",
"haskell-flake": "haskell-flake",
"hercules-ci-effects": "hercules-ci-effects",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1692787336,
"narHash": "sha256-WabgeYsUiMRbpb1bCT3oY6GJEciZQIf3tYD8RQAUf2c=",
"owner": "hercules-ci",
"repo": "arion",
"rev": "28902d348807c494115177595f812a3e54cc913b",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "arion",
"type": "github"
}
},
"crane": {
"inputs": {
"nixpkgs": [
"zettoitArs",
"nixpkgs"
]
},
"locked": {
"lastModified": 1699548976,
"narHash": "sha256-xnpxms0koM8mQpxIup9JnT0F7GrKdvv0QvtxvRuOYR4=",
"owner": "ipetkov",
"repo": "crane",
"rev": "6849911446e18e520970cc6b7a691e64ee90d649",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"crane_2": {
"inputs": {
"nixpkgs": [
"zettoitBin",
"nixpkgs"
]
},
"locked": {
"lastModified": 1699548976,
"narHash": "sha256-xnpxms0koM8mQpxIup9JnT0F7GrKdvv0QvtxvRuOYR4=",
"owner": "ipetkov",
"repo": "crane",
"rev": "6849911446e18e520970cc6b7a691e64ee90d649",
"type": "github"
},
"original": {
"owner": "ipetkov",
"repo": "crane",
"type": "github"
}
},
"darwin": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1673295039,
"narHash": "sha256-AsdYgE8/GPwcelGgrntlijMg4t3hLFJFCRF3tL5WVjA=",
"owner": "lnl7",
"repo": "nix-darwin",
"rev": "87b9d090ad39b25b2400029c64825fc2a8868943",
"type": "github"
},
"original": {
"owner": "lnl7",
"ref": "master",
"repo": "nix-darwin",
"type": "github"
}
},
"deploy-rs": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixpkgs"
],
"utils": "utils"
},
"locked": {
"lastModified": 1698921442,
"narHash": "sha256-7KmvhQ7FuXlT/wG4zjTssap6maVqeAMBdtel+VjClSM=",
"owner": "serokell",
"repo": "deploy-rs",
"rev": "660180bbbeae7d60dad5a92b30858306945fd427",
"type": "github"
},
"original": {
"owner": "serokell",
"repo": "deploy-rs",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1668681692,
"narHash": "sha256-Ht91NGdewz8IQLtWZ9LCeNXMSXHUss+9COoqu6JLmXU=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "009399224d5e398d03b22badca40a37ac85412a1",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": [
"arion",
"nixpkgs"
]
},
"locked": {
"lastModified": 1675933616,
"narHash": "sha256-/rczJkJHtx16IFxMmAWu5nNYcSXNg1YYXTHoGjLrLUA=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "47478a4a003e745402acf63be7f9a092d51b83d7",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-parts_2": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1688466019,
"narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec",
"type": "github"
},
"original": {
"id": "flake-parts",
"type": "indirect"
}
},
"flake-parts_3": {
"inputs": {
"nixpkgs-lib": [
"arion",
"hercules-ci-effects",
"hercules-ci-agent",
"nixpkgs"
]
},
"locked": {
"lastModified": 1688466019,
"narHash": "sha256-VeM2akYrBYMsb4W/MmBo1zmaMfgbL4cH3Pu8PGyIwJ0=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8e8d955c22df93dbe24f19ea04f47a74adbdc5ec",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"haskell-flake": {
"locked": {
"lastModified": 1675296942,
"narHash": "sha256-u1X1sblozi5qYEcLp1hxcyo8FfDHnRUVX3dJ/tW19jY=",
"owner": "srid",
"repo": "haskell-flake",
"rev": "c2cafce9d57bfca41794dc3b99c593155006c71e",
"type": "github"
},
"original": {
"owner": "srid",
"ref": "0.1.0",
"repo": "haskell-flake",
"type": "github"
}
},
"haskell-flake_2": {
"locked": {
"lastModified": 1684780604,
"narHash": "sha256-2uMZsewmRn7rRtAnnQNw1lj0uZBMh4m6Cs/7dV5YF08=",
"owner": "srid",
"repo": "haskell-flake",
"rev": "74210fa80a49f1b6f67223debdbf1494596ff9f2",
"type": "github"
},
"original": {
"owner": "srid",
"ref": "0.3.0",
"repo": "haskell-flake",
"type": "github"
}
},
"hercules-ci-agent": {
"inputs": {
"flake-parts": "flake-parts_3",
"haskell-flake": "haskell-flake_2",
"nixpkgs": "nixpkgs_2"
},
"locked": {
"lastModified": 1688568579,
"narHash": "sha256-ON0M56wtY/TIIGPkXDlJboAmuYwc73Hi8X9iJGtxOhM=",
"owner": "hercules-ci",
"repo": "hercules-ci-agent",
"rev": "367dd8cd649b57009a6502e878005a1e54ad78c5",
"type": "github"
},
"original": {
"id": "hercules-ci-agent",
"type": "indirect"
}
},
"hercules-ci-effects": {
"inputs": {
"flake-parts": "flake-parts_2",
"hercules-ci-agent": "hercules-ci-agent",
"nixpkgs": [
"arion",
"nixpkgs"
]
},
"locked": {
"lastModified": 1689397210,
"narHash": "sha256-fVxZnqxMbsDkB4GzGAs/B41K0wt/e+B/fLxmTFF/S20=",
"owner": "hercules-ci",
"repo": "hercules-ci-effects",
"rev": "0a63bfa3f00a3775ea3a6722b247880f1ffe91ce",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "hercules-ci-effects",
"type": "github"
}
},
"home-manager": {
"inputs": {
"nixpkgs": [
"agenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1682203081,
"narHash": "sha256-kRL4ejWDhi0zph/FpebFYhzqlOBrk0Pl3dzGEKSAlEw=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "32d3e39c491e2f91152c84f8ad8b003420eab0a1",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "home-manager",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1677676435,
"narHash": "sha256-6FxdcmQr5JeZqsQvfinIMr0XcTyTuR7EXX0H3ANShpQ=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a08d6979dd7c82c4cef0dcc6ac45ab16051c1169",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"dir": "lib",
"lastModified": 1688049487,
"narHash": "sha256-100g4iaKC9MalDjUW9iN6Jl/OocTDtXdeAj7pEGIRh4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "4bc72cae107788bf3f24f30db2e2f685c9298dc9",
"type": "github"
},
"original": {
"dir": "lib",
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1700390070,
"narHash": "sha256-de9KYi8rSJpqvBfNwscWdalIJXPo8NjdIZcEJum1mH0=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "e4ad989506ec7d71f7302cc3067abd82730a4beb",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1688322751,
"narHash": "sha256-eW62dC5f33oKZL7VWlomttbUnOTHrAbte9yNUNW8rbk=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "0fbe93c5a7cac99f90b60bdf5f149383daaa615f",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1700678569,
"narHash": "sha256-2Ki+2UvOidxEb3xB4ADqlbPQ2BZOF4uZMR094O8or2I=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "8f1180704ac35baded1a74164365ac7cdfba6f38",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"agenix": "agenix",
"arion": "arion",
"deploy-rs": "deploy-rs",
"nixpkgs": "nixpkgs_3",
"nixpkgs-unstable": "nixpkgs-unstable",
"zettoitArs": "zettoitArs",
"zettoitBin": "zettoitBin"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"zettoitArs",
"flake-utils"
],
"nixpkgs": [
"zettoitArs",
"nixpkgs"
]
},
"locked": {
"lastModified": 1699582387,
"narHash": "sha256-sPmUXPDl+cEi+zFtM5lnAs7dWOdRn0ptZ4a/qHwvNDk=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "41f7b0618052430d3a050e8f937030d00a2fcced",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"flake-utils": [
"zettoitBin",
"flake-utils"
],
"nixpkgs": [
"zettoitBin",
"nixpkgs"
]
},
"locked": {
"lastModified": 1699582387,
"narHash": "sha256-sPmUXPDl+cEi+zFtM5lnAs7dWOdRn0ptZ4a/qHwvNDk=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "41f7b0618052430d3a050e8f937030d00a2fcced",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"utils": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "5aed5285a952e0b949eb3ba02c12fa4fcfef535f",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"zettoitArs": {
"inputs": {
"crane": "crane",
"flake-utils": "flake-utils",
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1700765650,
"narHash": "sha256-eTc/9des4m8IywqKnuW24NvC0+HaBVhKkwBboxRZFTE=",
"ref": "refs/heads/master",
"rev": "defa769dd297e8f4e2afc526fa2dfc1c9ccc8f8c",
"revCount": 20,
"type": "git",
"url": "https://git2.zettoit.eu/zettoit/ars"
},
"original": {
"type": "git",
"url": "https://git2.zettoit.eu/zettoit/ars"
}
},
"zettoitBin": {
"inputs": {
"crane": "crane_2",
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay_2"
},
"locked": {
"lastModified": 1699628835,
"narHash": "sha256-ox6YLqjCaaWvXC6R7UTtfVzrl0ssQYxzflT/nlmQpPg=",
"ref": "refs/heads/master",
"rev": "04a6d296b586f62e7bc44e7e59b04973e0b1ab03",
"revCount": 50,
"type": "git",
"url": "https://git2.zettoit.eu/zettoit/bin"
},
"original": {
"type": "git",
"url": "https://git2.zettoit.eu/zettoit/bin"
}
}
},
"root": "root",
"version": 7
}

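--- a/flake.nix
+++ b/flake.nix
@@ -0,0 +1,69 @@
+{
+description = "obscuresecure.dev NixOS Infrastructure";
+inputs = {
+nixpkgs.url = "github:NixOS/nixpkgs/nixos-23.05";
+nixpkgs-unstable.url ="github:NixOS/nixpkgs/nixos-unstable";
+agenix.url = "github:ryantm/agenix";
+zettoitBin = {
+url = "git+https://git2.zettoit.eu/zettoit/bin";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+zettoitArs = {
+url = "git+https://git2.zettoit.eu/zettoit/ars";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+arion = {
+url = "github:hercules-ci/arion";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+deploy-rs = {
+url = "github:serokell/deploy-rs";
+inputs.nixpkgs.follows = "nixpkgs";
+};
+};
+outputs = { self, nixpkgs, nixpkgs-unstable, agenix, zettoitBin, zettoitArs, arion, deploy-rs }@inputs:
+let
+defaultSystem = module: nixpkgs.lib.nixosSystem {
+system = "x86_64-linux";
+specialArgs = inputs;
+modules = [
+({ config, pkgs, ... }: { nixpkgs.overlays = [ overlay ]; })
+agenix.nixosModules.default
+arion.nixosModules.arion
+module
+];
+};
+overlay = final: prev: {
+unstable = nixpkgs-unstable.legacyPackages.${prev.system};
+zettoitBin = zettoitBin.packages.${prev.system};
+zettoitArs = zettoitArs.packages.${prev.system};
+};
+defaultDeploySystem = name: {
+"${name}" = {
+hostname = self.nixosConfigurations."${name}".config.networking.fqdn;
+profiles.system = {
+user = "root";
+path = deploy-rs.lib.x86_64-linux.activate.nixos self.nixosConfigurations."${name}";
+};
+};
+};
+in
+{
+nixosConfigurations = {
+"gitea" = defaultSystem(./hosts/de-dus01/gitea);
+"kanidm" = defaultSystem(./hosts/de-dus01/kanidm);
+};
+deploy = {
+sshOpts = [ "-J" "fw.de-dus01.zettoit.eu" ];
+nodes = defaultDeploySystem "gitea" //
+defaultDeploySystem "kanidm";
+};
+checks = builtins.mapAttrs (system: deployLib: deployLib.deployChecks self.deploy) deploy-rs.lib;
+};
+}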
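Review bot: The agenix input at `agenix.url = "github:ryantm/agenix";` is the only one without `inputs.nixpkgs.follows = "nixpkgs"`, so the lock's `agenix` node drags in a second nixpkgs plus nix-darwin and home-manager that nothing else in this flake uses; `agenix = { url = "github:ryantm/agenix"; inputs.nixpkgs.follows = "nixpkgs"; };` keeps a single nixpkgs like the other inputs, and `inputs.darwin.follows = "";` can drop the darwin pin if these Linux hosts do not need it. Every extra pinned input is one more upstream whose revision has to be tracked for updates, so trimming them shrinks the review surface of later lock bumps. `nixpkgs-unstable.url ="github:NixOS/nixpkgs/nixos-unstable";` is missing the space after `=`; cosmetic only.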


@ -0,0 +1,95 @@
{ config, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../../modules/common_vm.nix
];
age.secrets = {
smtpPassword = {
file = ../../../secrets/de-dus01/gitea/smtp_password.age;
owner = "git";
group = "git";
};
};
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
boot.loader.grub.useOSProber = true;
networking.hostName = "gitea";
networking.firewall.allowedTCPPorts = [ 3000 ];
services.mysql = {
enable = true;
package = pkgs.mariadb;
ensureDatabases = [ "gitea" ];
ensureUsers = [{
name = "git";
ensurePermissions = {
"gitea.*" = "ALL PRIVILEGES";
};
}];
};
services.gitea = {
enable = true;
user = "git";
group = "git";
package = pkgs.unstable.gitea;
appName = "obscuresecure.dev git";
lfs.enable = true;
database = {
type = "mysql";
socket = "/var/run/mysqld/mysqld.sock";
name = "gitea";
user = "git";
};
settings = {
server = {
DOMAIN = "git.obscuresecure.dev";
HTTP_ADDR = "::";
ROOT_URL = "https://git.obscuresecure.dev/";
DISABLE_SSH = false;
SSH_PORT = 22;
SSH_USER = "git";
SSH_DOMAIN = "ssh.git.obscuresecure.dev";
SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE = "{{.AppPath}} --config={{.CustomConf}} --work-path /tmp/gitea serv key-{{.Key.ID}}";
};
actions = {
ENABLED = true;
};
#mailer = {
# ENABLED = "true";
# PROTOCOL = "smtps";
# SMTP_ADDR = "mx1.zettoit.eu";
# USER = "git@zettoit.eu";
# FROM = "git@zettoit.eu";
#};
metrics = {
ENABLED = "true";
};
};
mailerPasswordFile = config.age.secrets.smtpPassword.path;
};
users.users.git = {
description = "Gitea Service";
home = config.services.gitea.stateDir;
useDefaultShell = true;
group = "git";
isSystemUser = true;
uid = 992;
};
users.groups.git = {
gid = 991;
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}
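Review bot: `HTTP_ADDR = "::"` together with `networking.firewall.allowedTCPPorts = [ 3000 ]` exposes Gitea's plain-HTTP listener on every interface, while `ROOT_URL` is https, so TLS is presumably terminated by a proxy that this commit does not configure (the file appears to be hosts/de-dus01/gitea/default.nix, going by flake.nix). If that proxy is a known host, binding `HTTP_ADDR` to the interface it reaches or limiting port 3000 to its source address (for example through `networking.firewall.extraCommands`) keeps the unencrypted port off the public side. `metrics.ENABLED = "true"` publishes `/metrics` without a `TOKEN`, so anyone who can reach port 3000 can scrape it; set `TOKEN` from an agenix secret or restrict the path at the proxy. `--work-path /tmp/gitea` in `SSH_AUTHORIZED_KEYS_COMMAND_TEMPLATE` places the work path in a shared temp directory that any local account can pre-create; `config.services.gitea.stateDir` is the usual location. `actions.ENABLED = true` and `metrics.ENABLED = "true"` mix a boolean and a string for the same kind of switch; use the boolean form in both.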


@ -0,0 +1,31 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/03723df1-fb71-40d2-a983-435134d18d3e";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}


@ -0,0 +1,102 @@
{ config, lib, pkgs, ... }: let
serverConfig = pkgs.writeText "server.toml" ''
bindaddress = "[::]:8443"
db_path = "/data/kanidm.db"
tls_chain = "/data/chain.pem"
tls_key = "/data/key.pem"
domain = "idm.obscuresecure.dev"
origin = "https://idm.obscuresecure.dev"
trust_x_forward_for = true
[online_backup]
path = "/data/kanidm/backups/"
schedule = "00 22 * * *"
'';
in {
imports = [
./hardware-configuration.nix
../../../modules/common_vm.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
boot.loader.grub.useOSProber = true;
networking.hostName = "kanidm";
networking.firewall.allowedTCPPorts = [ 80 443 ];
virtualisation.docker.enable = true;
security.acme = {
acceptTerms = true;
certs = {
"idm.obscuresecure.dev" = {
email = "admin@zettoit.eu";
listenHTTP = "[::1]:8080";
};
};
};
services.traefik = {
enable = true;
staticConfigOptions = {
entryPoints = {
web.address = ":80";
};
};
dynamicConfigOptions = {
http = {
routers = {
acme = {
rule = "PathPrefix(`/.well-known/acme-challenge`)";
entryPoints = [ "web" ];
service = "acme";
};
kanidm = {
rule = "PathPrefix(`/`)";
entryPoints = [ "web" ];
middlewares = [ "redirect-to-https" ];
service = "empty";
};
};
middlewares.redirect-to-https.redirectScheme = {
scheme = "https";
permanent = true;
};
services = {
empty.loadBalancer.servers = [];
acme.loadBalancer.servers = [{
url = "http://[::1]:8080";
}];
};
};
};
};
virtualisation.arion = {
backend = "docker";
projects.kanidm.settings = {
docker-compose.volumes = {
kanidm = {};
};
services = {
kanidm_server.service = {
image = "kanidm/server:latest";
volumes = [
"${serverConfig}:/data/server.toml"
"/var/lib/acme/idm.obscuresecure.dev/fullchain.pem:/data/chain.pem"
"/var/lib/acme/idm.obscuresecure.dev/key.pem:/data/key.pem"
"kanidm:/data"
];
ports = [ "443:8443" ];
};
};
};
};
# This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment?
}
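Review bot: `trust_x_forward_for = true` in serverConfig is combined with `ports = [ "443:8443" ]`, which publishes the kanidm container directly: nothing proxies :443 here (Traefik only serves :80 for the ACME challenge and the redirect), so any client can send its own X-Forwarded-For and kanidm will take that value as the client address. Unless a trusted proxy is placed in front of 8443, `trust_x_forward_for = false` is the safe setting. `image = "kanidm/server:latest"` floats; pinning a release tag or digest (`image = "kanidm/server:<pinned-version>"`, placeholder) makes the host reproducible and prevents a silent upgrade on the next pull. With Docker's default iptables handling, published ports are forwarded ahead of the NixOS INPUT rules, so `allowedTCPPorts = [ 80 443 ]` is not what admits 443 here; a comment saying so would save the next reader from relying on the firewall list. The file is presumably hosts/de-dus01/kanidm/default.nix per flake.nix.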


@ -0,0 +1,31 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, pkgs, modulesPath, ... }:
{
imports =
[ (modulesPath + "/profiles/qemu-guest.nix")
];
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "virtio_pci" "virtio_scsi" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ ];
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/c1e9f5de-ae5d-4bc7-8f58-49bb55c159a7";
fsType = "ext4";
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.ens18.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
}

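--- a/modules/access.nix
+++ b/modules/access.nix
@@ -0,0 +1,20 @@
+{ config, pkgs, ... }:
+{
+services.openssh = {
+enable = true;
+openFirewall = true;
+settings = {
+PermitRootLogin = "no";
+PasswordAuthentication = false;
+};
+};
+security.sudo.wheelNeedsPassword = false;
+users.users.paulz = {
+isNormalUser = true;
+description = "paulz";
+extraGroups = [ "wheel" ];
+packages = with pkgs; [];
+openssh.authorizedKeys.keys = [ "ssh-rsa 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" ];
+};
+}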
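Review bot: This module repeats the whole `services.openssh` block and `security.sudo.wheelNeedsPassword = false` from modules/ssh.nix, which nothing in this commit imports (modules/common_vm.nix pulls in access.nix only); keep one copy, e.g. `imports = [ ./ssh.nix ];` here with only the user definition below it, so the SSH hardening cannot drift between the two files. `PasswordAuthentication = false` alone still leaves keyboard-interactive (PAM) logins enabled under the module default, so `KbdInteractiveAuthentication = false;` belongs next to it on a key-only host. With `wheelNeedsPassword = false` here and `trusted-users = [ "@wheel" ]` in modules/nix.nix, the paulz key is effectively the root credential; a comment stating that this is intended would help the next reader.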

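--- a/modules/agenix.nix
+++ b/modules/agenix.nix
@@ -0,0 +1,4 @@
+{ ... }:
+{
+age.identityPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+}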

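--- a/modules/common_vm.nix
+++ b/modules/common_vm.nix
@@ -0,0 +1,24 @@
+{ config, pkgs, ... }:
+{
+imports = [
+./locale_german.nix
+./agenix.nix
+./nix.nix
+./access.nix
+];
+networking = {
+domain = "de-dus01.obscuresecure.dev";
+enableIPv6 = true;
+tempAddresses = "disabled";
+firewall.enable = true;
+interfaces.ens18.ipv4.addresses = [];
+};
+environment.systemPackages = with pkgs; [
+vim
+git
+];
+services.qemuGuest.enable = true;
+}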
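Review bot: `interfaces.ens18.ipv4.addresses = [];` is a no-op — an empty list adds nothing, and both hardware-configuration.nix files keep `networking.useDHCP = lib.mkDefault true`, so addressing stays DHCP regardless; drop the line or replace it with the static address it seems to anticipate, with a comment. `tempAddresses = "disabled"` is a deliberate choice for a server that must present a stable IPv6 source address and deserves a one-line comment saying so, otherwise a later reader may "fix" it back to the privacy default.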

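--- a/modules/locale_german.nix
+++ b/modules/locale_german.nix
@@ -0,0 +1,22 @@
+{ ... }:
+{
+time.timeZone = "Europe/Berlin";
+# Select internationalisation properties.
+i18n.defaultLocale = "de_DE.UTF-8";
+i18n.extraLocaleSettings = {
+LC_ADDRESS = "de_DE.UTF-8";
+LC_IDENTIFICATION = "de_DE.UTF-8";
+LC_MEASUREMENT = "de_DE.UTF-8";
+LC_MONETARY = "de_DE.UTF-8";
+LC_NAME = "de_DE.UTF-8";
+LC_NUMERIC = "de_DE.UTF-8";
+LC_PAPER = "de_DE.UTF-8";
+LC_TELEPHONE = "de_DE.UTF-8";
+LC_TIME = "de_DE.UTF-8";
+};
+# Configure console keymap
+console.keyMap = "de";
+}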

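--- a/modules/nix.nix
+++ b/modules/nix.nix
@@ -0,0 +1,17 @@
+{ config, pkgs, ... }:
+{
+nix = {
+package = pkgs.nix;
+settings = {
+trusted-users = [ "@wheel" ];
+experimental-features = [ "nix-command" "flakes" ];
+substituters = [
+"https://nix.cache.zettoit.eu"
+"https://cache.nixos.org/"
+];
+trusted-public-keys = [
+"nix.cache.zettoit.eu:Z1kmRPDMQYXCC8+jRL0eUtxPDcQQPXcdT734bS+8R8o="
+];
+};
+};
+}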
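Review bot: `trusted-public-keys` lists only the zettoit key while `substituters` still names `https://cache.nixos.org/`; defining this option replaces the module default rather than extending it, so unless another module adds the key back, paths served by cache.nixos.org are refused as unsigned and every build falls through to the private cache or to source. Adding `"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="` to the list restores it; the refusal is the safe failure mode, but it is worth confirming on a host. `trusted-users = [ "@wheel" ]` lets wheel members pass their own substituters and signing keys to the daemon, which is root-equivalent; that is consistent with the passwordless sudo in modules/access.nix, but a comment stating that the two are meant to go together would help.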

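--- a/modules/ssh.nix
+++ b/modules/ssh.nix
@@ -0,0 +1,14 @@
+{ config, pkgs, ... }:
+{
+services.openssh = {
+enable = true;
+openFirewall = true;
+settings = {
+PermitRootLogin = "no";
+PasswordAuthentication = false;
+};
+};
+security.sudo.wheelNeedsPassword = false;
+}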


@ -0,0 +1,10 @@
age-encryption.org/v1
-> ssh-ed25519 Wb9C2w PiO0unBfXeTCGbUgValc1FByGt+jxImChClgD1AhRlw
fmsC1Z6EWolZqVp7VwXA3NlS1HWti/0evztWo3hHabw
-> ssh-ed25519 61VxIQ zvOoc9E8ShR6XKFoYVDOcw/yR/UAO9Xla7/eTajYdlE
XpaL60+rb5AyaHHCTOpZBJC7VwvtLn2XFyOKlpjWdWw
-> eebzRCwy-grease
DMrz0Nt62KtC2Kw/W4aBguZ2bUfz6Kn2i4MS63rcutL5eq9K2CHfUpUpb87OBcCT
DXaUbKTxA3YJ256HkKxvQ5AdqXNrc7EsmoiG0P8Rjyep/GHcOmCUz3M7U+o
--- UxiFEZMgqouAzGOTQ+ztNMsCLsg2raVFTJnlSXtt/xg
Þ+QøD¿µkš«1êÊbM„Òš‡aI„Úí›ÑÆ*À‚˜ ⵡN{Œð>_0?“b”π™·ÐÆiè

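--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -0,0 +1,11 @@
+let
+# users
+admins = [ paulz_paul-pc ];
+paulz_paul-pc = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIERQ8jN8J4LAVsjjIXClTGiFOv9YxBLx9LwWRkMKjD0D";
+# hosts
+gitea = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGUvL3O6+G/qus05acinyfk3TX6Le+00bm9pQY1Qjby6";
+in
+{
+"de-dus01/gitea/smtp_password.age".publicKeys = admins ++ [ gitea ];
+}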