user and group juggling

This commit is contained in:
Benjamin Bädorf 2023-07-02 20:36:30 +02:00
parent f5279133f8
commit 4625d62d83
No known key found for this signature in database
GPG key ID: 4406E80E13CD656C
6 changed files with 253 additions and 101 deletions

View file

@ -18,26 +18,62 @@ in {
age.secrets."hosting.de-api.key" = { age.secrets."hosting.de-api.key" = {
file = "${self}/secrets/hosting.de-api.key"; file = "${self}/secrets/hosting.de-api.key";
mode = "440"; mode = "440";
owner = "acme"; group = "acme";
}; };
security.acme = { systemd.tmpfiles.rules = [
acceptTerms = true; "d '/data/acme' 0750 root acme - -"
defaults.email = "acme@benjaminbaedorf.eu"; ];
certs."b12f.io" = hostingdeProviderConf; users.groups.acme = {};
certs."mail.b12f.io" = hostingdeProviderConf; ids.uids.acme = 997;
certs."transmission.b12f.io" = hostingdeProviderConf; ids.gids.acme = 997;
certs."${exDomain}" = hostingdeProviderConf; containers.acme = {
certs."mail.${exDomain}" = hostingdeProviderConf; autoStart = true;
privateNetwork = true;
hostAddress = "192.168.101.0";
localAddress = "192.168.106.0";
hostAddress6 = "fc00::1";
localAddress6 = "fc00::6";
certs."${pubsolarDomain}" = hostingdeProviderConf; bindMounts = {
certs."www.${pubsolarDomain}" = hostingdeProviderConf; "/var/lib/acme" = {
certs."auth.${pubsolarDomain}" = hostingdeProviderConf; hostPath = "/data/acme";
certs."git.${pubsolarDomain}" = hostingdeProviderConf; isReadOnly = false;
certs."ci.${pubsolarDomain}" = hostingdeProviderConf; };
certs."list.${pubsolarDomain}" = hostingdeProviderConf;
certs."obs-portal.${pubsolarDomain}" = hostingdeProviderConf; "${config.age.secrets."hosting.de-api.key".path}" = {
hostPath = "${config.age.secrets."hosting.de-api.key".path}";
isReadOnly = true;
};
};
config = {
networking.nameservers = ["1.1.1.1"];
users.groups.acme = config.users.groups.acme;
security.acme = {
acceptTerms = true;
defaults.email = "acme@benjaminbaedorf.eu";
defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
defaults.group = "acme";
certs."b12f.io" = hostingdeProviderConf;
certs."mail.b12f.io" = hostingdeProviderConf;
certs."transmission.b12f.io" = hostingdeProviderConf;
certs."${exDomain}" = hostingdeProviderConf;
certs."mail.${exDomain}" = hostingdeProviderConf;
certs."${pubsolarDomain}" = hostingdeProviderConf;
certs."www.${pubsolarDomain}" = hostingdeProviderConf;
certs."auth.${pubsolarDomain}" = hostingdeProviderConf;
certs."git.${pubsolarDomain}" = hostingdeProviderConf;
certs."ci.${pubsolarDomain}" = hostingdeProviderConf;
certs."list.${pubsolarDomain}" = hostingdeProviderConf;
certs."obs-portal.${pubsolarDomain}" = hostingdeProviderConf;
};
};
}; };
} }

View file

@ -6,7 +6,9 @@
... ...
}: let }: let
pubsolarDomain = import ./pubsolar-domain.nix; pubsolarDomain = import ./pubsolar-domain.nix;
# Machine user for CI pipelines
in { in {
networking.firewall.allowedTCPPorts = [80 443];
networking.networkmanager.unmanaged = ["interface-name:ve-caddy"]; networking.networkmanager.unmanaged = ["interface-name:ve-caddy"];
networking.nat = { networking.nat = {
enable = true; enable = true;
@ -17,13 +19,35 @@ in {
# Lazy IPv6 connectivity for the container # Lazy IPv6 connectivity for the container
enableIPv6 = true; enableIPv6 = true;
}; };
systemd.tmpfiles.rules = [
"d '/data/www' 0750 root www - -"
"d '/data/caddy' 0750 root caddy - -"
];
users.groups.caddy = {};
users.groups.www = {};
users.users.hakkonaut.extraGroups = ["www"];
ids.uids.www = 996;
ids.gids.www = 996;
fileSystems."/var/lib/caddy" = {
device = "/data/caddy";
options = ["bind"];
};
fileSystems."/srv/www" = {
device = "/data/www";
options = ["bind"];
};
containers.caddy = { containers.caddy = {
autoStart = true; autoStart = true;
privateNetwork = true; privateNetwork = true;
hostAddress = "192.168.101.0"; hostAddress = "192.168.101.0";
localAddress = "192.168.102.0"; localAddress = "192.168.103.0";
hostAddress6 = "fc00::1"; hostAddress6 = "fc00::1";
localAddress6 = "fc00::2"; localAddress6 = "fc00::3";
forwardPorts = [ forwardPorts = [
{ {
@ -40,20 +64,36 @@ in {
bindMounts = { bindMounts = {
"/srv/www/" = { "/srv/www/" = {
hostPath = "/data/www/"; hostPath = "/data/www";
isReadOnly = false;
};
"/var/lib/caddy/" = {
hostPath = "/data/caddy";
isReadOnly = false;
};
"/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory" = {
hostPath = "/data/acme";
isReadOnly = false; isReadOnly = false;
}; };
}; };
config = { config = {
users.groups.caddy = {};
users.groups.www = {};
users.groups.acme = {};
users.users.caddy.extraGroups = ["www" "acme"];
networking.firewall.allowedTCPPorts = [80 443];
environment.etc."resolv.conf".text = "nameserver 1.1.1.0";
services.caddy = { services.caddy = {
enable = lib.mkForce true; enable = lib.mkForce true;
group = "hakkonaut";
email = "admins@pub.solar"; email = "acme@benjaminbaedorf.eu";
globalConfig = lib.mkForce '' globalConfig = lib.mkForce "";
auto_https off
'';
acmeCA = null;
virtualHosts = { virtualHosts = {
"dashboard.nougat-2.b12f.io" = { "dashboard.nougat-2.b12f.io" = {
extraConfig = '' extraConfig = ''
@ -113,7 +153,7 @@ in {
''; '';
extraConfig = '' extraConfig = ''
redir / /realms/${pubsolarDomain}/account temporary redir / /realms/${pubsolarDomain}/account temporary
reverse_proxy 192.168.103.0:8080 reverse_proxy 192.168.104.0:8080
''; '';
}; };
"git.${pubsolarDomain}" = { "git.${pubsolarDomain}" = {
@ -122,7 +162,7 @@ in {
''; '';
extraConfig = '' extraConfig = ''
redir /user/login /user/oauth2/keycloak temporary redir /user/login /user/oauth2/keycloak temporary
reverse_proxy 192.168.101.0:3000 reverse_proxy 192.168.105.0:3000
''; '';
}; };
"ci.${pubsolarDomain}" = { "ci.${pubsolarDomain}" = {
@ -135,7 +175,6 @@ in {
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [80 443];
}; };
}; };
} }

View file

@ -33,22 +33,31 @@ in {
description = "Concourse Service"; description = "Concourse Service";
home = "/var/lib/concourse"; home = "/var/lib/concourse";
useDefaultShell = true; useDefaultShell = true;
uid = 10001;
group = "concourse"; group = "concourse";
isSystemUser = true; isSystemUser = true;
}; };
users.groups.concourse = {}; users.groups.concourse = {};
users.groups.postgres = {};
ids.uids.concourse = 995;
ids.gids.concourse = 995;
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '/var/lib/concourse' 0750 concourse concourse - -" "d '/data/concourse/db' 0770 ${builtins.toString config.ids.uids.postgres} postgres - -"
]; ];
system.activationScripts.mkConcourseNet = let
docker = config.virtualisation.oci-containers.backend;
dockerBin = "${pkgs.${docker}}/bin/${docker}";
in ''
${dockerBin} network inspect concourse-net >/dev/null 2>&1 || ${dockerBin} network create concourse-net --subnet 172.20.0.0/24
'';
virtualisation.oci-containers = { virtualisation.oci-containers = {
containers."concourse-db" = { containers."concourse-db" = {
image = "postgres:14"; image = "postgres:14";
autoStart = true; autoStart = true;
user = "994"; user = builtins.toString config.ids.uids.postgres;
volumes = [ volumes = [
"/data/concourse/db:/var/lib/postgresql/data" "/data/concourse/db:/var/lib/postgresql/data"
]; ];
@ -63,7 +72,7 @@ in {
containers."concourse" = { containers."concourse" = {
image = "concourse/concourse:7.9.1"; image = "concourse/concourse:7.9.1";
autoStart = true; autoStart = true;
user = "10001"; user = builtins.toString config.ids.uids.concourse;
ports = [ ports = [
"8080:8080" "8080:8080"
]; ];

View file

@ -76,7 +76,7 @@ in {
interface = "enp0s31f6"; interface = "enp0s31f6";
}; };
networking.nameservers = ["8.8.8.8"]; networking.nameservers = ["1.1.1.1"];
# Initial empty root password for easy login: # Initial empty root password for easy login:
users.users.root.initialHashedPassword = ""; users.users.root.initialHashedPassword = "";
@ -85,6 +85,21 @@ in {
then psCfg.user.publicKeys then psCfg.user.publicKeys
else []; else [];
users.users.hakkonaut = {
home = "/home/hakkonaut";
description = "CI and automation user";
useDefaultShell = true;
group = "hakkonaut";
isSystemUser = true;
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
];
};
users.groups.hakkonaut = {};
ids.uids.hakkonaut = 998;
ids.gids.hakkonaut = 998;
services.openssh.enable = true; services.openssh.enable = true;
services.openssh.settings.PermitRootLogin = "prohibit-password"; services.openssh.settings.PermitRootLogin = "prohibit-password";
@ -94,9 +109,6 @@ in {
virtualisation = { virtualisation = {
docker = { docker = {
enable = true; enable = true;
extraOptions = ''
--data-root /data/docker
'';
}; };
oci-containers = { oci-containers = {

View file

@ -10,7 +10,7 @@ in {
age.secrets.gitea-database-password = { age.secrets.gitea-database-password = {
file = "${self}/secrets/gitea-database-password.age"; file = "${self}/secrets/gitea-database-password.age";
mode = "600"; mode = "600";
owner = "gitea"; group = "gitea";
}; };
# age.secrets.gitea-mailer-password = { # age.secrets.gitea-mailer-password = {
@ -19,66 +19,106 @@ in {
# owner = "gitea"; # owner = "gitea";
# }; # };
services.gitea = { systemd.tmpfiles.rules = [
enable = true; "d '/data/gitea/db' 0770 root postgres - -"
package = pkgs.forgejo; "d '/data/gitea/gitea' 0770 root gitea - -"
appName = "pub.solar git server"; ];
database = {
type = "postgres";
passwordFile = config.age.secrets.gitea-database-password.path;
};
lfs.enable = true;
# mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
settings = {
server = {
DOMAIN = "git.${pubsolarDomain}";
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3000;
ROOT_URL = "https://git.${pubsolarDomain}";
};
mailer = {
ENABLED = false;
PROTOCOL = "smtps";
SMTP_ADDR = "mx2.greenbaum.cloud";
SMTP_PORT = 465;
FROM = ''"pub.solar git server" <gitea@pub.solar>'';
USER = "admins@pub.solar";
};
"repository.signing" = {
SIGNING_KEY = "default";
MERGES = "always";
};
openid = {
ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = true;
};
# uncomment after initial deployment, first user is admin user
# required to setup SSO (oauth openid-connect, keycloak auth provider)
service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
service.ENABLE_NOTIFY_MAIL = true;
session.COOKIE_SECURE = lib.mkForce true;
};
};
# See: https://docs.gitea.io/en-us/signing/#installing-and-generating-a-gpg-key-for-gitea users.groups.postgres = {};
# Required for gitea server side gpg signatures users.groups.gitea = {};
# configured/setup manually in: ids.uids.gitea = 994;
# /var/lib/gitea/data/home/.gitconfig ids.gids.gitea = 994;
# /var/lib/gitea/data/home/.gnupg/
# sudo su gitea containers.gitea = {
# export GNUPGHOME=/var/lib/gitea/data/home/.gnupg autoStart = true;
# gpg --quick-gen-key 'pub.solar gitea <gitea@pub.solar>' ed25519 privateNetwork = true;
# TODO: implement declarative GPG key generation and hostAddress = "192.168.101.0";
# gitea gitconfig localAddress = "192.168.105.0";
programs.gnupg.agent = { hostAddress6 = "fc00::1";
enable = true; localAddress6 = "fc00::5";
pinentryFlavor = "curses";
}; bindMounts = {
# Required to make gpg work without a graphical environment? "/var/lib/postgresql/14" = {
# otherwise generating a new gpg key fails with this error: hostPath = "/data/gitea/db";
# gpg: agent_genkey failed: No pinentry isReadOnly = false;
# see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675 };
environment.variables = {
GPG_TTY = "$(tty)"; "/var/lib/gitea" = {
hostPath = "/data/gitea/gitea";
isReadOnly = false;
};
"${config.age.secrets.gitea-database-password.path}" = {
hostPath = "${config.age.secrets.gitea-database-password.path}";
isReadOnly = true;
};
};
config = {
networking.nameservers = ["1.1.1.1"];
services.gitea = {
enable = true;
package = pkgs.forgejo;
appName = "pub.solar git server";
database = {
type = "postgres";
passwordFile = config.age.secrets.gitea-database-password.path;
};
lfs.enable = true;
# mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
settings = {
server = {
DOMAIN = "git.${pubsolarDomain}";
HTTP_ADDR = "127.0.0.1";
HTTP_PORT = 3000;
ROOT_URL = "https://git.${pubsolarDomain}";
};
mailer = {
ENABLED = false;
PROTOCOL = "smtps";
SMTP_ADDR = "mx2.greenbaum.cloud";
SMTP_PORT = 465;
FROM = ''"pub.solar git server" <gitea@pub.solar>'';
USER = "admins@pub.solar";
};
"repository.signing" = {
SIGNING_KEY = "default";
MERGES = "always";
};
openid = {
ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = true;
};
# uncomment after initial deployment, first user is admin user
# required to setup SSO (oauth openid-connect, keycloak auth provider)
service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
service.ENABLE_NOTIFY_MAIL = true;
session.COOKIE_SECURE = lib.mkForce true;
};
};
# See: https://docs.gitea.io/en-us/signing/#installing-and-generating-a-gpg-key-for-gitea
# Required for gitea server side gpg signatures
# configured/setup manually in:
# /var/lib/gitea/data/home/.gitconfig
# /var/lib/gitea/data/home/.gnupg/
# sudo su gitea
# export GNUPGHOME=/var/lib/gitea/data/home/.gnupg
# gpg --quick-gen-key 'pub.solar gitea <gitea@pub.solar>' ed25519
# TODO: implement declarative GPG key generation and
# gitea gitconfig
programs.gnupg.agent = {
enable = true;
pinentryFlavor = "curses";
};
# Required to make gpg work without a graphical environment?
# otherwise generating a new gpg key fails with this error:
# gpg: agent_genkey failed: No pinentry
# see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
environment.variables = {
GPG_TTY = "$(tty)";
};
};
}; };
} }

View file

@ -10,26 +10,42 @@
in { in {
age.secrets.keycloak-database-password = { age.secrets.keycloak-database-password = {
file = "${self}/secrets/keycloak-database-password.age"; file = "${self}/secrets/keycloak-database-password.age";
mode = "700"; mode = "770";
#owner = "keycloak"; group = "keycloak";
}; };
systemd.tmpfiles.rules = [
"d '/data/keycloak/db' 0770 root postgres - -"
];
users.groups.postgres = {};
users.groups.keycloak = {};
ids.uids.keycloak = 993;
ids.gids.keycloak = 993;
containers.keycloak = { containers.keycloak = {
autoStart = true; autoStart = true;
privateNetwork = true; privateNetwork = true;
hostAddress = "192.168.101.0"; hostAddress = "192.168.101.0";
localAddress = "192.168.103.0"; localAddress = "192.168.104.0";
hostAddress6 = "fc00::1"; hostAddress6 = "fc00::1";
localAddress6 = "fc00::3"; localAddress6 = "fc00::4";
bindMounts = { bindMounts = {
"/var/lib/postgresql/14" = { "/var/lib/postgresql/14" = {
hostPath = "/data/keycloak/db"; hostPath = "/data/keycloak/db";
isReadOnly = false; isReadOnly = false;
}; };
"${config.age.secrets.keycloak-database-password.path}" = {
hostPath = "${config.age.secrets.keycloak-database-password.path}";
isReadOnly = true;
};
}; };
config = { config = {
networking.nameservers = ["1.1.1.1"];
services.keycloak = { services.keycloak = {
enable = true; enable = true;
database.passwordFile = config.age.secrets.keycloak-database-password.path; database.passwordFile = config.age.secrets.keycloak-database-password.path;