configure domain in a central file

eyjhb 2024-08-11 14:50:32 +02:00
parent 865e1251de
commit d459fa895e
No known key found for this signature in database
GPG key ID: 609F508E3239F920
8 changed files with 52 additions and 30 deletions


@ -1,6 +1,8 @@
{ config, ... }:
let
svc_domain = "auth.${config.mine.settings.domain}";
autheliaStateDir = "/var/lib/authelia-main";
in {
services.authelia.instances.main = {
@ -16,7 +18,7 @@ in {
settings = {
access_control.default_policy = "one_factor";
session.domain = "fricloud.dk";
session.domain = config.mine.settings.domain;
storage.local.path = "${autheliaStateDir}/authelia.sqlite3";
notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt";
@ -33,19 +35,19 @@ in {
timeout = "5s";
start_tls = false;
base_dn = "dc=fricloud,dc=dk";
additional_users_dn = "ou=people";
base_dn = config.mine.settings.ldap.dc;
additional_users_dn = "ou=${config.mine.settings.ldap.ou.users}";
additional_groups_dn = "ou=${config.mine.settings.ldap.ou.groups}";
users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
additional_groups_dn = "ou=groups";
groups_filter = "(member={dn})";
display_name_attribute = "displayName";
username_attribute = "uid";
group_name_attribute = "cn";
mail_attribute = "mail";
display_name_attribute = config.mine.settings.ldap.attr.firstname;
username_attribute = config.mine.settings.ldap.attr.uid;
group_name_attribute = config.mine.settings.ldap.attr.groupname;
mail_attribute = config.mine.settings.ldap.attr.email;
user = "uid=bind_user,ou=people,dc=fricloud,dc=dk";
user = config.mine.settings.ldap.bind_dn;
};
};
};
@ -74,7 +76,7 @@ in {
# }];
services.nginx.virtualHosts."auth.fricloud.dk" = {
services.nginx.virtualHosts."${svc_domain}" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:${builtins.toString config.services.authelia.instances.main.settings.server.port}";
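Review bot: The new `display_name_attribute = config.mine.settings.ldap.attr.firstname;` is not a plain relocation of the old literal: the removed line used `displayName`, while the `attr` set visible elsewhere in this commit maps `lastname`/`email`/`avatar`/`groupname` to single LDAP attributes, so `firstname` is presumably `givenName` or similar and Authelia will now show users' first names instead of their display names. If that is intended it deserves a comment; if not, add a `displayname = "displayName";` entry to the shared `attr` set and reference `config.mine.settings.ldap.attr.displayname` here so the behaviour stays the same. The rest of the LDAP block (`base_dn`, `additional_users_dn`, `additional_groups_dn`, `user`) is a faithful move to the central settings. The enclosing `services.authelia.instances.main` attribute set starts and ends outside the shown hunks.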


@ -1,6 +1,8 @@
{ config, lib, pkgs, ... }:
let
svc_domain = "git.${config.mine.settings.domain}";
scriptAddLDAPAuth = pkgs.writeShellScript "forgejo-add-update-ldap-auth.sh" ''
#!/usr/bin/env sh
FORGEJO_WORK_PATH="${config.services.forgejo.stateDir}"
@ -54,8 +56,8 @@ in {
settings = {
server = {
DOMAIN = "git.fricloud.dk";
ROOT_URL = "https://git.fricloud.dk";
DOMAIN = svc_domain;
ROOT_URL = "https://${svc_domain}";
HTTPPORT = 3000;
};
@ -78,7 +80,7 @@ in {
# already issued for this exact set of domains in the last 168 hours: git.fricloud.dk, retry after 2024-08-10T01:34:44Z
security.acme.certs."git.fricloud.dk".extraDomainNames = [ "git2.fricloud.dk" ];
services.nginx.virtualHosts."git.fricloud.dk" = {
services.nginx.virtualHosts."${svc_domain}" = {
forceSSL = true;
enableACME = true;
extraConfig = ''
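Review bot: The context line `security.acme.certs."git.fricloud.dk".extraDomainNames = [ "git2.fricloud.dk" ];` still keys the certificate by the old literal, while the vhost below it is now `services.nginx.virtualHosts."${svc_domain}"` with `enableACME = true`. Those two names coincide only while `mine.settings.domain` is `fricloud.dk`; for any other value the `extraDomainNames` entry attaches to an ACME cert nobody requests and the vhost's own cert is issued without the alias. Unless `git2.fricloud.dk` is deliberately pinned to the old domain, change it to `security.acme.certs."${svc_domain}".extraDomainNames = [ "git2.${config.mine.settings.domain}" ];` so the cert name follows the vhost. The `services.forgejo` settings block and the vhost body continue outside the shown hunks.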


@ -1,13 +1,15 @@
{ config, pkgs, ... }:
{
services.nginx.virtualHosts."fricloud.dk" = {
let
svc_domain = config.mine.settings.domain;
in {
services.nginx.virtualHosts."${svc_domain}" = {
forceSSL = true;
enableACME = true;
root = pkgs.writeTextDir "index.html" ''
<html>
<head>
<title>Fricloud.dk</title>
<title>${svc_domain}</title>
</head>
<body>
<marquee
@ -21,7 +23,7 @@
};
# setup group for fricloud.dk cert + add nginx to group.
# group `fricloud-domain` is used for users that need access to the domain certificate, e.g. murmur
security.acme.certs."fricloud.dk".group = config.users.groups.fricloud-domain.name;
users.groups.fricloud-domain.members = [ config.users.users.nginx.name ];
# group `main-domain` is used for users that need access to the domain certificate, e.g. murmur
security.acme.certs."${svc_domain}".group = config.users.groups.main-domain.name;
users.groups.main-domain.members = [ config.users.users.nginx.name ];
}
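Review bot: The comment `# setup group for fricloud.dk cert + add nginx to group.` above the renamed `main-domain` group still names the literal domain this commit is removing, so it will be the first thing to go stale when `mine.settings.domain` changes; reword it to `# setup group for the main-domain cert + add nginx to the group.` Renaming `fricloud-domain` to `main-domain` is only safe if every consumer is updated in the same commit — the murmur module in this diff is, but any other reference outside the shown files would silently create a second, empty group rather than fail evaluation. The `${svc_domain}` interpolated into the `<title>` comes from your own config, not from request data, so it is not an injection concern.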


@ -1,7 +1,8 @@
{ config, ... }:
let
domain = "hedgedoc.fricloud.dk";
svc_domain = "hedgedoc.${config.mine.settings.domain}";
stateDir = config.mine.zfsMounts."rpool/safe/svcs/hedgedoc";
in {
services.hedgedoc = {
@ -9,7 +10,7 @@ in {
settings = {
# only change default port, because 3000 is used by other service
port = 6864;
domain = domain;
domain = svc_domain;
protocolUseSSL = true;
debug = true;
uploadsPath = stateDir + "/uploads";
@ -41,7 +42,7 @@ in {
systemd.services.hedgedoc.serviceConfig.ReadWritePaths = [ stateDir ];
systemd.services.hedgedoc.serviceConfig.EnvironmentFile = config.age.secrets.lldap-bind-user-pass-hedgedoc-env.path;
services.nginx.virtualHosts."${domain}" = {
services.nginx.virtualHosts."${svc_domain}" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:${builtins.toString config.services.hedgedoc.settings.port}";


@ -1,13 +1,15 @@
{ config, ... }:
{
let
svc_domain = "ldap.${config.mine.settings.domain}";
in {
services.lldap = {
enable = true;
settings = {
verbose = true;
ldap_user_email = "fricloudlldap.grief462@simplelogin.com";
ldap_base_dn = "dc=fricloud,dc=dk";
ldap_base_dn = config.mine.settings.ldap.dc;
};
environment = {
@ -20,7 +22,7 @@
};
};
services.nginx.virtualHosts."ldap.fricloud.dk" = {
services.nginx.virtualHosts."${svc_domain}" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:${builtins.toString config.services.lldap.settings.http_port}";
@ -51,7 +53,7 @@
port = 3890;
url = "ldap://${host}:${builtins.toString port}";
dc = "dc=fricloud,dc=dk";
dc = "dc=${config.mine.settings.domain_sld},dc=${config.mine.settings.domain_tld}";
bind_dn = "uid=${users.bind},ou=${ou.users},${dc}";
search_base = "ou=${ou.users},${dc}";
user_filter = "(memberof=cn=${groups.member},ou=${ou.groups},${dc})";
@ -78,6 +80,7 @@
lastname = "sn";
email = "mail";
avatar = "jpegPhoto";
groupname = "cn";
};
age_secret = config.age.secrets.lldap-bind-user-pass.path;
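Review bot: `dc = "dc=${config.mine.settings.domain_sld},dc=${config.mine.settings.domain_tld}";` hard-codes a two-label domain and is derived from two settings that are maintained independently of `mine.settings.domain`, so a domain like `git.example.co.uk`, or a future edit that updates `domain` but not `domain_sld`/`domain_tld`, makes the LDAP base DN used by both lldap (`ldap_base_dn`) and Authelia disagree with the domain the services are actually served on. Deriving it from the one domain string removes that second source of truth: add `lib` to the module arguments (`{ config, lib, ... }:`) and write `dc = lib.concatMapStringsSep "," (label: "dc=${label}") (lib.splitString "." config.mine.settings.domain);`. The attribute set this `dc` lives in (with `bind_dn`, `search_base`, `user_filter`) starts before and ends after the shown hunk, so check that nothing else in it still assumes the sld/tld split.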


@ -1,8 +1,10 @@
{ config, lib, ... }:
{
let
svc_domain = config.mine.settings.domain;
in {
services.murmur = let
certLocation = config.security.acme.certs."fricloud.dk".directory;
certLocation = config.security.acme.certs."${svc_domain}".directory;
in {
enable = true;
openFirewall = true;
@ -19,7 +21,7 @@
systemd.services.murmur.preStart = lib.mkAfter ''${config.services.murmur.package}/bin/mumble-server -ini /run/murmur/murmurd.ini -readsupw < ${config.age.secrets.murmur-superpassword.path}'';
# add murmur user to domain group to access cert
users.groups.fricloud-domain.members = [ config.users.groups.murmur.name ];
users.groups.main-domain.members = [ config.users.groups.murmur.name ];
age.secrets = {
murmur-env.owner = config.users.users.murmur.name;


@ -1,8 +1,10 @@
{ config, ... }:
{
services.teeworlds = {
enable = true;
openPorts = true;
motd = "Welcome to Fricloud.dk's Teeworld server!";
motd = "Welcome to ${config.mine.settings.domain}'s Teeworld server!";
};
}


@ -1,3 +1,5 @@
{ config, ... }:
let
sources = import ./sources/sources.nix;
in {
@ -10,4 +12,10 @@ in {
./platforms
./modules
];
# TODO(eyJhb): why is the commented line a infinite recurssion
mine.settings.domain_tld = "dk";
mine.settings.domain_sld = "fricloud";
# mine.settings.domain = "${config.mine.settings.domain_sld}.${config.mine.settings.domain_tld}";
mine.settings.domain = "fricloud.dk";
}
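Review bot: The "central file" now holds three hand-maintained literals (`domain_tld`, `domain_sld`, `domain`) that must stay mutually consistent, and the commented-out line plus the `TODO` show the attempt to tie them together was abandoned without understanding why it recursed, which leaves the LDAP base DN built from `domain_sld`/`domain_tld` free to drift from `domain`. The recursion cannot be diagnosed from this file alone; a self-reference like `config.mine.settings.domain_sld` inside a definition of `mine.settings.*` commonly recurses when `mine.settings` is declared as a single submodule or freeform option whose whole value is forced at once, in which case defining the derived value in the module that declares the options (e.g. as that option's `default`, or with `lib.mkDefault`) rather than here usually breaks the cycle — but that is a guess to be confirmed against the option declaration. Whichever direction you pick, keep one literal: either `mine.settings.domain = "fricloud.dk";` with sld/tld derived from it, or the two parts with `domain` derived, and replace the `TODO` with a comment stating which is authoritative.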