configure domain in a central file

This commit is contained in:
eyjhb 2024-08-11 14:50:32 +02:00
parent 865e1251de
commit d459fa895e
No known key found for this signature in database
GPG key ID: 609F508E3239F920
8 changed files with 52 additions and 30 deletions


@ -1,6 +1,8 @@
{ config, ... }: { config, ... }:
let let
svc_domain = "auth.${config.mine.settings.domain}";
autheliaStateDir = "/var/lib/authelia-main"; autheliaStateDir = "/var/lib/authelia-main";
in { in {
services.authelia.instances.main = { services.authelia.instances.main = {
@ -16,7 +18,7 @@ in {
settings = { settings = {
access_control.default_policy = "one_factor"; access_control.default_policy = "one_factor";
session.domain = "fricloud.dk"; session.domain = config.mine.settings.domain;
storage.local.path = "${autheliaStateDir}/authelia.sqlite3"; storage.local.path = "${autheliaStateDir}/authelia.sqlite3";
notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt"; notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt";
@ -33,19 +35,19 @@ in {
timeout = "5s"; timeout = "5s";
start_tls = false; start_tls = false;
base_dn = "dc=fricloud,dc=dk"; base_dn = config.mine.settings.ldap.dc;
additional_users_dn = "ou=people"; additional_users_dn = "ou=${config.mine.settings.ldap.ou.users}";
additional_groups_dn = "ou=${config.mine.settings.ldap.ou.groups}";
users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"; users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
additional_groups_dn = "ou=groups";
groups_filter = "(member={dn})"; groups_filter = "(member={dn})";
display_name_attribute = "displayName"; display_name_attribute = config.mine.settings.ldap.attr.firstname;
username_attribute = "uid"; username_attribute = config.mine.settings.ldap.attr.uid;
group_name_attribute = "cn"; group_name_attribute = config.mine.settings.ldap.attr.groupname;
mail_attribute = "mail"; mail_attribute = config.mine.settings.ldap.attr.email;
user = "uid=bind_user,ou=people,dc=fricloud,dc=dk"; user = config.mine.settings.ldap.bind_dn;
}; };
}; };
}; };
@ -74,7 +76,7 @@ in {
# }]; # }];
services.nginx.virtualHosts."auth.fricloud.dk" = { services.nginx.virtualHosts."${svc_domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/".proxyPass = "http://localhost:${builtins.toString config.services.authelia.instances.main.settings.server.port}"; locations."/".proxyPass = "http://localhost:${builtins.toString config.services.authelia.instances.main.settings.server.port}";
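Review bot: `display_name_attribute` on the line that previously read `"displayName"` now takes `config.mine.settings.ldap.attr.firstname`, which is a different LDAP attribute (the lldap section maps `lastname = "sn"`, `email = "mail"`, `groupname = "cn"`; the `firstname` value itself is outside the hunk), so Authelia will present users by their first-name attribute rather than `displayName` unless `attr.firstname` happens to resolve to `displayName`. If the intent is only to centralise the value, add a `displayname = "displayName";` entry to the shared `ldap.attr` set and use `display_name_attribute = config.mine.settings.ldap.attr.displayname;`. The `services.authelia.instances.main` block these settings belong to starts and ends outside the hunk.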


@ -1,6 +1,8 @@
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
let let
svc_domain = "git.${config.mine.settings.domain}";
scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" '' scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" ''
#!/usr/bin/env sh #!/usr/bin/env sh
FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}" FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
@ -54,8 +56,8 @@ in {
settings = { settings = {
server = { server = {
DOMAIN = "git.fricloud.dk"; DOMAIN = svc_domain;
ROOT_URL = "https://git.fricloud.dk"; ROOT_URL = "https://${svc_domain}";
HTTPPORT = 3000; HTTPPORT = 3000;
}; };
@ -78,7 +80,7 @@ in {
# already issued for this exact set of domains in the last 168 hours: git.fricloud.dk, retry after 2024-08-10T01:34:44Z # already issued for this exact set of domains in the last 168 hours: git.fricloud.dk, retry after 2024-08-10T01:34:44Z
security.acme.certs."git.fricloud.dk".extraDomainNames = [ "git2.fricloud.dk" ]; security.acme.certs."git.fricloud.dk".extraDomainNames = [ "git2.fricloud.dk" ];
services.nginx.virtualHosts."git.fricloud.dk" = { services.nginx.virtualHosts."${svc_domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' extraConfig = ''
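Review bot: The `security.acme.certs."git.fricloud.dk".extraDomainNames` line just above the virtualHost keeps the literal hostnames while the virtualHost is now `"${svc_domain}"`, so the extra SAN is attached to a cert entry that only coincides with the one nginx's `enableACME` creates as long as `mine.settings.domain` equals `fricloud.dk`; after a change to the central setting the nginx cert would be issued for the new name without the extra domain while the stale entry lingers. Keying both on the same variable keeps them in step: `security.acme.certs."${svc_domain}".extraDomainNames = [ "git2.${config.mine.settings.domain}" ];`. The rate-limit comment above it explains why the extra name exists and remains accurate; the `services.nginx.virtualHosts` block continues past the hunk.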


@ -1,13 +1,15 @@
{ config, pkgs, ... }: { config, pkgs, ... }:
{ let
services.nginx.virtualHosts."fricloud.dk" = { svc_domain = config.mine.settings.domain;
in {
services.nginx.virtualHosts."${svc_domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
root = pkgs.writeTextDir "index.html" '' root = pkgs.writeTextDir "index.html" ''
<html> <html>
<head> <head>
<title>Fricloud.dk</title> <title>${svc_domain}</title>
</head> </head>
<body> <body>
<marquee <marquee
@ -21,7 +23,7 @@
}; };
# setup group for fricloud.dk cert + add nginx to group. # setup group for fricloud.dk cert + add nginx to group.
# group `fricloud-domain` is used for users that need access to the domain certificate, e.g. murmur # group `main-domain` is used for users that need access to the domain certificate, e.g. murmur
security.acme.certs."fricloud.dk".group = config.users.groups.fricloud-domain.name; security.acme.certs."${svc_domain}".group = config.users.groups.main-domain.name;
users.groups.fricloud-domain.members = [ config.users.users.nginx.name ]; users.groups.main-domain.members = [ config.users.users.nginx.name ];
} }
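Review bot: The comment above `security.acme.certs."${svc_domain}".group` still says "setup group for fricloud.dk cert" although the cert is now keyed on `${svc_domain}`, leaving that comment as the last hard-coded mention of the domain in this file. Reword it to `# setup group for the ${svc_domain} cert + add nginx to group.`; the comment on the next line already names the renamed `main-domain` group. Since that group setting is what grants its members read access to the certificate files (nginx here, murmur in its own file), it is worth saying so in the comment so that future members are added deliberately.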


@ -1,7 +1,8 @@
{ config, ... }: { config, ... }:
let let
domain = "hedgedoc.fricloud.dk"; svc_domain = "hedgedoc.${config.mine.settings.domain}";
stateDir = config.mine.zfsMounts."rpool/safe/svcs/hedgedoc"; stateDir = config.mine.zfsMounts."rpool/safe/svcs/hedgedoc";
in { in {
services.hedgedoc = { services.hedgedoc = {
@ -9,7 +10,7 @@ in {
settings = { settings = {
# only change default port, because 3000 is used by other service # only change default port, because 3000 is used by other service
port = 6864; port = 6864;
domain = domain; domain = svc_domain;
protocolUseSSL = true; protocolUseSSL = true;
debug = true; debug = true;
uploadsPath = stateDir + "/uploads"; uploadsPath = stateDir + "/uploads";
@ -41,7 +42,7 @@ in {
systemd.services.hedgedoc.serviceConfig.ReadWritePaths = [ stateDir ]; systemd.services.hedgedoc.serviceConfig.ReadWritePaths = [ stateDir ];
systemd.services.hedgedoc.serviceConfig.EnvironmentFile = config.age.secrets.lldap-bind-user-pass-hedgedoc-env.path; systemd.services.hedgedoc.serviceConfig.EnvironmentFile = config.age.secrets.lldap-bind-user-pass-hedgedoc-env.path;
services.nginx.virtualHosts."${domain}" = { services.nginx.virtualHosts."${svc_domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/".proxyPass = "http://localhost:${builtins.toString config.services.hedgedoc.settings.port}"; locations."/".proxyPass = "http://localhost:${builtins.toString config.services.hedgedoc.settings.port}";


@ -1,13 +1,15 @@
{ config, ... }: { config, ... }:
{ let
svc_domain = "ldap.${config.mine.settings.domain}";
in {
services.lldap = { services.lldap = {
enable = true; enable = true;
settings = { settings = {
verbose = true; verbose = true;
ldap_user_email = "fricloudlldap.grief462@simplelogin.com"; ldap_user_email = "fricloudlldap.grief462@simplelogin.com";
ldap_base_dn = "dc=fricloud,dc=dk"; ldap_base_dn = config.mine.settings.ldap.dc;
}; };
environment = { environment = {
@ -20,7 +22,7 @@
}; };
}; };
services.nginx.virtualHosts."ldap.fricloud.dk" = { services.nginx.virtualHosts."${svc_domain}" = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
locations."/".proxyPass = "http://localhost:${builtins.toString config.services.lldap.settings.http_port}"; locations."/".proxyPass = "http://localhost:${builtins.toString config.services.lldap.settings.http_port}";
@ -51,7 +53,7 @@
port = 3890; port = 3890;
url = "ldap://${host}:${builtins.toString port}"; url = "ldap://${host}:${builtins.toString port}";
dc = "dc=fricloud,dc=dk"; dc = "dc=${config.mine.settings.domain_sld},dc=${config.mine.settings.domain_tld}";
bind_dn = "uid=${users.bind},ou=${ou.users},${dc}"; bind_dn = "uid=${users.bind},ou=${ou.users},${dc}";
search_base = "ou=${ou.users},${dc}"; search_base = "ou=${ou.users},${dc}";
user_filter = "(memberof=cn=${groups.member},ou=${ou.groups},${dc})"; user_filter = "(memberof=cn=${groups.member},ou=${ou.groups},${dc})";
@ -78,6 +80,7 @@
lastname = "sn"; lastname = "sn";
email = "mail"; email = "mail";
avatar = "jpegPhoto"; avatar = "jpegPhoto";
groupname = "cn";
}; };
age_secret = config.age.secrets.lldap-bind-user-pass.path; age_secret = config.age.secrets.lldap-bind-user-pass.path;
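Review bot: `dc` on the changed line is built from `config.mine.settings.domain_sld` and `domain_tld`, while `mine.settings.domain` is set independently to the literal `"fricloud.dk"` in the last file section (with a TODO about the commented derivation recursing), so the LDAP base DN and every `bind_dn`/`search_base`/`user_filter` derived from it can silently diverge from the web domain if one value is edited without the other. Until the derivation works, pinning the relationship with an assertion in the settings file catches that drift at evaluation time: `assertions = [ { assertion = config.mine.settings.domain == "${config.mine.settings.domain_sld}.${config.mine.settings.domain_tld}"; message = "mine.settings.domain must equal domain_sld.domain_tld"; } ];`. If reading `config.mine.settings.*` from that module is itself what recurses, the assertion can live in the module under `./modules` that declares the options; infinite recursion of this kind usually stems from `imports` or an option declaration depending on `config`, and the imports visible in that section are static paths, so the cause is probably in the declaration. The same drift reaches the authelia section, which reads `config.mine.settings.ldap.dc` for `base_dn`.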


@ -1,8 +1,10 @@
{ config, lib, ... }: { config, lib, ... }:
{ let
svc_domain = config.mine.settings.domain;
in {
services.murmur = let services.murmur = let
certLocation = config.security.acme.certs."fricloud.dk".directory; certLocation = config.security.acme.certs."${svc_domain}".directory;
in { in {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
@ -19,7 +21,7 @@
systemd.services.murmur.preStart = lib.mkAfter ''${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -readsupw < ${config.age.secrets.murmur-superpassword.path}''; systemd.services.murmur.preStart = lib.mkAfter ''${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -readsupw < ${config.age.secrets.murmur-superpassword.path}'';
# add murmur user to domain group to access cert # add murmur user to domain group to access cert
users.groups.fricloud-domain.members = [ config.users.groups.murmur.name ]; users.groups.main-domain.members = [ config.users.groups.murmur.name ];
age.secrets = { age.secrets = {
murmur-env.owner = config.users.users.murmur.name; murmur-env.owner = config.users.users.murmur.name;


@ -1,8 +1,10 @@
{ config, ... }:
{ {
services.teeworlds = { services.teeworlds = {
enable = true; enable = true;
openPorts = true; openPorts = true;
motd = "Welcome to Fricloud.dk's Teeworld server!"; motd = "Welcome to ${config.mine.settings.domain}'s Teeworld server!";
}; };
} }


@ -1,3 +1,5 @@
{ config, ... }:
let let
sources = import ./sources/sources.nix; sources = import ./sources/sources.nix;
in { in {
@ -10,4 +12,10 @@ in {
./platforms ./platforms
./modules ./modules
]; ];
# TODO(eyJhb): why is the commented line a infinite recurssion
mine.settings.domain_tld = "dk";
mine.settings.domain_sld = "fricloud";
# mine.settings.domain = "${config.mine.settings.domain_sld}.${config.mine.settings.domain_tld}";
mine.settings.domain = "fricloud.dk";
} }