diff --git a/hosts/zora/default.nix b/hosts/zora/default.nix
index 4e19179..6816130 100644
--- a/hosts/zora/default.nix
+++ b/hosts/zora/default.nix
@@ -8,11 +8,13 @@
 ./hardware.nix
 ./networking.nix
 # ./disko-config.nix
+ ./reverse-proxy.nix
 ../../users/lyes
 ../../modules
 ../../modules/server
+ ../../modules/server/idm
 # disko.nixosModules.disko
 agenix.nixosModules.default
diff --git a/hosts/zora/hardware-configuration.nix b/hosts/zora/hardware-configuration.nix
index 20dc638..87c524f 100644
--- a/hosts/zora/hardware-configuration.nix
+++ b/hosts/zora/hardware-configuration.nix
@@ -42,6 +42,12 @@
 options = [ "subvol=root" ];
 };
+ fileSystems."/var/data" =
+ { device = "/dev/md127";
+ fsType = "btrfs";
+ options = [ ];
+ };
+
 swapDevices = [ ];
 # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
diff --git a/hosts/zora/reverse-proxy.nix b/hosts/zora/reverse-proxy.nix
new file mode 100644
index 0000000..1ad4360
--- /dev/null
+++ b/hosts/zora/reverse-proxy.nix
@@ -0,0 +1,24 @@
+{ config, ... }:
+
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults.email = "security@lyes.eu";
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts = {
+ "auth.lyes.eu" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "https://${config.services.kanidm.serverSettings.bindaddress}";
+ };
+ };
+ };
+ };
+}
diff --git a/modules/server/default.nix b/modules/server/default.nix
index 414f132..011e5ae 100644
--- a/modules/server/default.nix
+++ b/modules/server/default.nix
@@ -6,6 +6,7 @@
 boot.swraid = {
 enable = true;
 mdadmConf = ''
+ MAILADDR root@lyes.eu
 DEVICE partitions
 '';
 };
diff --git a/modules/server/link/default.nix b/modules/server/link/default.nix
new file mode 100644
index 0000000..e42d3ee
--- /dev/null
+++ b/modules/server/link/default.nix
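Review bot: The new import `../../modules/server/idm` does not match any file this commit adds; the kanidm module is created at `modules/server/link/default.nix`, so unless a `modules/server/idm` directory already exists in the repository, evaluation will fail on a missing path. Either rename the directory to `idm` or change the import to `../../modules/server/link`; given the module's contents, `idm` looks like the intended name. The imports list continues outside the hunk.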
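Review bot: `device = "/dev/md127"` ties the `/var/data` mount to a kernel-assigned md minor number, and md127 is typically the number mdadm hands out when it assembles an array that has no matching `ARRAY` entry in mdadm.conf, so a reassembly under a different number would leave the kanidm backup path `/var/data/backups/kanidm` unmounted or mount the wrong array. Prefer the filesystem UUID, `device = "/dev/disk/by-uuid/<UUID-of-the-btrfs-volume>";` (placeholder), or declare the array in `boot.swraid.mdadmConf` and reference it as `/dev/md/<name>`. `options = [ ];` can simply be dropped, since an empty list is the default.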
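Review bot: The vhost name `"auth.lyes.eu"` is hard-coded here while the kanidm module derives its hostname, origin and certificate paths from `config.networking.domain`; if the two ever diverge, nginx will obtain a certificate under one name and kanidm will look for it under another. Keying the vhost on the shared value, `${config.services.kanidm.serverSettings.domain} = { ... };`, keeps them in lockstep. Nothing in the diff reloads kanidm when the ACME certificate renews, and as far as I can tell kanidm does not re-read its TLS files on its own, so `security.acme.certs."auth.lyes.eu".reloadServices = [ "kanidm.service" ];` is needed to avoid serving an expired chain. Also verify that the kanidm service can read `/var/lib/acme/auth.lyes.eu/key.pem`, since the acme key files are not world-readable and the diff grants no group membership.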
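Review bot: `MAILADDR root@lyes.eu` only produces a notification if mdmonitor can hand the message to a local sendmail-compatible MTA, and nothing in this diff configures one, so a degraded array may still go unreported. Confirm a mail transport exists on the host (or add a `PROGRAM` line pointing at a notification script) and exercise the path once with `mdadm --monitor --test --oneshot` so the alert channel is known to work before a disk actually fails.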
@@ -0,0 +1,40 @@
+{ config, pkgs }:
+
+let
+ hostname = "auth.${config.networking.domain}";
+ port = "44300";
+in
+{
+ services.kanidm = {
+ package = pkgs.kanidmWithSecretProvisioning_1_7;
+
+ enableServer = true;
+ serverSettings = {
+ bindaddress = "127.0.0.1:${port}";
+ ldapbindaddress = "0.0.0.0:636";
+ domain = hostname;
+ origin = "https://${hostname}";
+ tls_chain = "/var/lib/acme/${hostname}/cert.pem";
+ tls_key = "/var/lib/acme/${hostname}/key.pem";
+
+ online_backup = {
+ path = "/var/data/backups/kanidm";
+ schedule = "00 06 * * *";
+ versions = 5;
+ };
+ };
+
+ enableClient = true;
+
+ clientSettings = {
+ uri = "https://127.0.0.1:${port}";
+ verify_ca = false;
+ };
+
+ provision = {
+ enable = true;
+ adminPasswordFile = config.age.secrets.kanidm-admin-password.path;
+ idmAdminPasswordFile = config.age.secrets.kanidm-idm-admin-password.path;
+ };
+ };
+}
diff --git a/secrets.nix b/secrets.nix
new file mode 100644
index 0000000..14a6b3b
--- /dev/null
+++ b/secrets.nix
@@ -0,0 +1,15 @@
+let
+ lyes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMHJ2Wjz+SYDfgX8kMpZtVLCNxwWT2XbKOqFyDwkHOg9 mail@lyes.eu";
+ users = [ lyes ];
+ zora = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDu+E8SJKMzvhezPLLvqpgJQUs/qa+GwieeW92dHlcVI root@zora";
+ hosts = [ zora ];
+ all = users ++ hosts;
+in
+{
+ # Lyes
+ # "lyes/name.age".publicKeys = [ lyes ];
+
+ # Zora
+ "secrets/zora/services/kanidm-admin-password.age".publicKeys = all;
+ "secrets/zora/services/kanidm-idm-admin-password.age".publicKeys = all;
+}
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
deleted file mode 100644
index bd7d639..0000000
--- a/secrets/secrets.nix
+++ /dev/null
@@ -1,8 +0,0 @@
-let
- lyes = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMHJ2Wjz+SYDfgX8kMpZtVLCNxwWT2XbKOqFyDwkHOg9 mail@lyes.eu";
- users = [ lyes ];
-in
-{
- # Lyes
- # "lyes/name.age".publicKeys = [ lyes ];
-}
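Review bot: The module header `{ config, pkgs }:` lacks the trailing `...`, and the NixOS module system calls modules with further arguments (`lib`, `options`, …), so as far as I can tell this fails with an unexpected-argument error before anything else is evaluated; change it to `{ config, pkgs, ... }:`. Second, `ldapbindaddress = "0.0.0.0:636"` exposes the LDAPS endpoint on every interface while the HTTPS API is kept on loopback behind nginx; if that asymmetry is intentional, say so in a comment and confirm the firewall rules (not in this diff) admit only the intended clients, otherwise bind it to loopback or a specific address as well. `verify_ca = false` in `clientSettings` is presumably there because the certificate is issued for `auth.${config.networking.domain}` while the client connects to `127.0.0.1`; a one-line comment stating that would keep a later reader from treating it as a leftover to be propagated elsewhere. Finally, `config.age.secrets.kanidm-admin-password` and `config.age.secrets.kanidm-idm-admin-password` are referenced but no `age.secrets.<name>` declaration appears in this diff, so evaluation depends on them being declared in a module outside it.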
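Review bot: `all = users ++ hosts` lets every host key in `hosts` decrypt every secret; with one host that is harmless, but the pattern will quietly grant each future host the other hosts' secrets as the list grows. Per-host secrets are better keyed explicitly, `publicKeys = users ++ [ zora ];`, so that adding a host never widens access to existing secrets. The move from `secrets/secrets.nix` to the repository root also changes the directory agenix resolves the rules from, so `agenix -e` now has to be run from the root; the `secrets/zora/...` paths in the rules already assume that.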
diff --git a/secrets/zora/services/kanidm-admin-password.age b/secrets/zora/services/kanidm-admin-password.age new file mode 100644 index 0000000..513f9f7 --- /dev/null +++ b/secrets/zora/services/kanidm-admin-password.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 whuRpQ yaCtnbl+PhcqP6SAuO73GUnCnQdFp/Auz20/R2OXMH0 +N/TqTzciVJRo/FJdAALFBDLzEveIDBc/IMg4ogv6T8M +-> ssh-ed25519 M75vQg yshoof4MQSFtFUYGmfiud0aAnQN3AHIunF+TBQ8s0jA +xuE67ay+OVsNC6PQ7/lbJkpNWrbOP0/M/5PVyqQp08M +--- CBH50TQjyCrMDho3hh/5Bp609h2EIrR326YH60111YQ +Ä_p*MGƃ´”®­÷½TãèóËÜa‡ø7GߨZ¬nYé@¹ò Öâ‰|‘’wšºæs¿‚+îªðöÇ= \ No newline at end of file diff --git a/secrets/zora/services/kanidm-idm-admin-password.age b/secrets/zora/services/kanidm-idm-admin-password.age new file mode 100644 index 0000000..10707b5 Binary files /dev/null and b/secrets/zora/services/kanidm-idm-admin-password.age differ