diff --git a/hosts/flora-6/caddy.nix b/hosts/flora-6/caddy.nix
new file mode 100644
index 00000000..c69f4ebd
--- /dev/null
+++ b/hosts/flora-6/caddy.nix
@@ -0,0 +1,32 @@
+{ config
+, lib
+, pkgs
+, self
+, ...
+}:
+{
+ services.caddy = {
+ enable = lib.mkForce true;
+ email = "admins@pub.solar";
+ globalConfig = lib.mkForce "";
+ virtualHosts = {
+ "auth.pub.solar" = {
+ logFormat = lib.mkForce ''
+ output discard
+ '';
+ extraConfig = ''
+ reverse_proxy :8080
+ '';
+ };
+ "git.pub.solar" = {
+ logFormat = lib.mkForce ''
+ output discard
+ '';
+ extraConfig = ''
+ reverse_proxy :3000
+ '';
+ };
+ };
+ };
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
diff --git a/hosts/flora-6/flora-6.nix b/hosts/flora-6/flora-6.nix
index 4864bc3f..4f95d9ef 100644
--- a/hosts/flora-6/flora-6.nix
+++ b/hosts/flora-6/flora-6.nix
@@ -17,6 +17,10 @@ in
 ./hardware-configuration.nix
 ./triton-vmtools.nix
+ ./caddy.nix
+ ./keycloak.nix
+ ./gitea.nix
+
 profiles.base-user
 profiles.users.root # make sure to configure ssh keys
 profiles.users.barkeeper
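Review bot: `logFormat = lib.mkForce ''output discard''` on both virtual hosts drops Caddy's access log for auth.pub.solar and git.pub.solar entirely, so the edge keeps no record of login attempts reaching Keycloak or of requests to Gitea when an incident has to be reconstructed. If the intent is only to cut log noise, a comment stating that (and that the backends keep their own logs) would make the trade-off explicit; otherwise `output stderr` sends the access log to the journal and keeps the trail. `config`, `pkgs` and `self` are bound in the module arguments but unused in this file.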
@@ -39,121 +43,6 @@ in
 lite = true;
 };
- age.secrets.keycloak-database-password = {
- file = "${self}/secrets/keycloak-database-password.age";
- mode = "700";
- #owner = "keycloak";
- };
- age.secrets.gitea-database-password = {
- file = "${self}/secrets/gitea-database-password.age";
- mode = "700";
- owner = "gitea";
- };
- age.secrets.gitea-mailer-password = {
- file = "${self}/secrets/gitea-mailer-password.age";
- mode = "700";
- owner = "gitea";
- };
-
- # # #
- # # # Host packages and configuration
- # # #
-
- # caddy
- services.caddy = {
- enable = lib.mkForce true;
- email = "admins@pub.solar";
- globalConfig = lib.mkForce "";
- virtualHosts = {
- "auth.pub.solar" = {
- logFormat = lib.mkForce ''
- output discard
- '';
- extraConfig = ''
- reverse_proxy :8080
- '';
- };
- "git.pub.solar" = {
- logFormat = lib.mkForce ''
- output discard
- '';
- extraConfig = ''
- reverse_proxy :3000
- '';
- };
- };
- };
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-
- # keycloak
- services.keycloak = {
- enable = true;
- database.passwordFile = config.age.secrets.keycloak-database-password.path;
- settings = {
- hostname = "auth.pub.solar";
- http-host = "127.0.0.1";
- http-port = 8080;
- proxy = "edge";
- };
- themes = {
- "pub.solar" = inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
- };
- };
-
- # gitea
- services.gitea = {
- enable = true;
- appName = "pub.solar git server";
- database = {
- type = "postgres";
- passwordFile = config.age.secrets.gitea-database-password.path;
- };
- domain = "git.pub.solar";
- httpAddress = "127.0.0.1";
- httpPort = 3000;
- lfs.enable = true;
- mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
- rootUrl = "https://git.pub.solar";
- settings = {
- mailer = {
- ENABLED = true;
- MAILER_TYPE = "smtp";
- HOST = "mail.greenbaum.cloud:465";
- FROM = ''"pub.solar git server" '';
- USER = "admins@pub.solar";
- };
- "repository.signing" = {
- SIGNING_KEY = "default";
- MERGES = "always";
- };
- openid = {
- ENABLE_OPENID_SIGNIN = true;
- ENABLE_OPENID_SIGNUP = true;
- };
- # uncomment after initial deployment, first user is admin user
- # required to setup SSO (oauth openid-connect, keycloak auth provider)
- service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
- session.COOKIE_SECURE = lib.mkForce true;
- };
- };
- # Required for gitea server side gpg signatures
- # configured / setup manually in
- # /var/lib/gitea/data/home/.gitconfig and
- # /var/lib/gitea/data/home/.gnupg/
- programs.gnupg.agent = {
- enable = true;
- pinentryFlavor = "curses";
- };
- # Required to make gpg work without a graphical environment?
- # otherwise generating a new gpg key fails with this error:
- # gpg: agent_genkey failed: No pinentry
- # see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
- environment.variables = {
- GPG_TTY = "$(tty)";
- };
-
- # netbird
-
 # Allow sudo without a password for the barkeeper user
 security.sudo.extraRules = [
 {
diff --git a/hosts/flora-6/gitea.nix b/hosts/flora-6/gitea.nix
new file mode 100644
index 00000000..62b5a033
--- /dev/null
+++ b/hosts/flora-6/gitea.nix
@@ -0,0 +1,72 @@
+{ config
+, lib
+, pkgs
+, self
+, ...
+}:
+{
+ age.secrets.gitea-database-password = {
+ file = "${self}/secrets/gitea-database-password.age";
+ mode = "700";
+ owner = "gitea";
+ };
+ age.secrets.gitea-mailer-password = {
+ file = "${self}/secrets/gitea-mailer-password.age";
+ mode = "700";
+ owner = "gitea";
+ };
+
+ # gitea
+ services.gitea = {
+ enable = true;
+ appName = "pub.solar git server";
+ database = {
+ type = "postgres";
+ passwordFile = config.age.secrets.gitea-database-password.path;
+ };
+ domain = "git.pub.solar";
+ httpAddress = "127.0.0.1";
+ httpPort = 3000;
+ lfs.enable = true;
+ mailerPasswordFile = config.age.secrets.gitea-mailer-password.path;
+ rootUrl = "https://git.pub.solar";
+ settings = {
+ mailer = {
+ ENABLED = true;
+ MAILER_TYPE = "smtp";
+ HOST = "mail.greenbaum.cloud:465";
+ FROM = ''"pub.solar git server" '';
+ USER = "admins@pub.solar";
+ };
+ "repository.signing" = {
+ SIGNING_KEY = "default";
+ MERGES = "always";
+ };
+ openid = {
+ ENABLE_OPENID_SIGNIN = true;
+ ENABLE_OPENID_SIGNUP = true;
+ };
+ # uncomment after initial deployment, first user is admin user
+ # required to setup SSO (oauth openid-connect, keycloak auth provider)
+ service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ session.COOKIE_SECURE = lib.mkForce true;
+ };
+ };
+
+ # Required for gitea server side gpg signatures
+ # configured / setup manually in
+ # /var/lib/gitea/data/home/.gitconfig and
+ # /var/lib/gitea/data/home/.gnupg/
+ programs.gnupg.agent = {
+ enable = true;
+ pinentryFlavor = "curses";
+ };
+ # Required to make gpg work without a graphical environment?
+ # otherwise generating a new gpg key fails with this error:
+ # gpg: agent_genkey failed: No pinentry
+ # see: https://github.com/NixOS/nixpkgs/issues/97861#issuecomment-827951675
+ environment.variables = {
+ GPG_TTY = "$(tty)";
+ };
+
+}
diff --git a/hosts/flora-6/keycloak.nix b/hosts/flora-6/keycloak.nix
new file mode 100644
index 00000000..7f5c9984
--- /dev/null
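Review bot: The comment `# uncomment after initial deployment, first user is admin user` sits above a line that is already active, `service.ALLOW_ONLY_EXTERNAL_REGISTRATION = true;`, so a fresh deployment from this file would block the local registration the comment says is needed to create the first admin; the comment should describe the actual procedure, e.g. `# set to false for the initial deployment so the first (admin) user can be created locally, then re-enable`. Both agenix secrets are declared with `mode = "700"`; for a regular file the execute bit serves no purpose and `"600"` states the intent (readable by the gitea owner only) — the same applies to the keycloak secret in hosts/flora-6/keycloak.nix. `HOST = "mail.greenbaum.cloud:465"` leaves implicit TLS to be inferred from the port; if the deployed Gitea version supports it, `PROTOCOL = "smtps"` together with `SMTP_ADDR`/`SMTP_PORT` makes the TLS expectation explicit instead of relying on the deprecated `MAILER_TYPE`/`HOST` pair.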
+++ b/hosts/flora-6/keycloak.nix
@@ -0,0 +1,29 @@
+{ config
+, lib
+, inputs
+, pkgs
+, self
+, ...
+}:
+{
+ age.secrets.keycloak-database-password = {
+ file = "${self}/secrets/keycloak-database-password.age";
+ mode = "700";
+ #owner = "keycloak";
+ };
+
+ # keycloak
+ services.keycloak = {
+ enable = true;
+ database.passwordFile = config.age.secrets.keycloak-database-password.path;
+ settings = {
+ hostname = "auth.pub.solar";
+ http-host = "127.0.0.1";
+ http-port = 8080;
+ proxy = "edge";
+ };
+ themes = {
+ "pub.solar" = inputs.keycloak-theme-pub-solar.legacyPackages.${pkgs.system}.keycloak-theme-pub-solar;
+ };
+ };
+}
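Review bot: `#owner = "keycloak";` is commented out while `mode = "700"` stays, so the decrypted database password is a root-owned file readable by root only; whether the Keycloak service can read it depends on the user it runs under, which is not visible here, and the commented-out line suggests this was adjusted by trial. A one-line comment giving the reason the owner is left unset (for example that the NixOS module reads `database.passwordFile` as root before dropping privileges, if that is what was observed) would save the next reader from re-deriving it, e.g. `# owner intentionally root: TODO confirm the keycloak unit reads this file as root`. `lib` is bound in the module arguments but unused in this file.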