user and group juggling

2023-07-02 20:36:30 +02:00 · 2023-07-02 20:36:30 +02:00 · 4625d62d83
parent f5279133f8
commit 4625d62d83
6 changed files with 253 additions and 101 deletions
--- a/hosts/nougat-2/acme.nix
+++ b/hosts/nougat-2/acme.nix
@ -18,12 +18,46 @@ in {
  age.secrets."hosting.de-api.key" = {
    file = "${self}/secrets/hosting.de-api.key";
    mode = "440";
-    owner = "acme";
+    group = "acme";
  };

+  systemd.tmpfiles.rules = [
+    "d '/data/acme' 0750 root acme - -"
+  ];
+
+  users.groups.acme = {};
+  ids.uids.acme = 997;
+  ids.gids.acme = 997;
+
+  containers.acme = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "192.168.101.0";
+    localAddress = "192.168.106.0";
+    hostAddress6 = "fc00::1";
+    localAddress6 = "fc00::6";
+
+    bindMounts = {
+      "/var/lib/acme" = {
+        hostPath = "/data/acme";
+        isReadOnly = false;
+      };
+
+      "${config.age.secrets."hosting.de-api.key".path}" = {
+        hostPath = "${config.age.secrets."hosting.de-api.key".path}";
+        isReadOnly = true;
+      };
+    };
+
+    config = {
+      networking.nameservers = ["1.1.1.1"];
+      users.groups.acme = config.users.groups.acme;
+
      security.acme = {
        acceptTerms = true;
        defaults.email = "acme@benjaminbaedorf.eu";
+        defaults.server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+        defaults.group = "acme";

        certs."b12f.io" = hostingdeProviderConf;
        certs."mail.b12f.io" = hostingdeProviderConf;
@ -40,4 +74,6 @@ in {
        certs."list.${pubsolarDomain}" = hostingdeProviderConf;
        certs."obs-portal.${pubsolarDomain}" = hostingdeProviderConf;
      };
+    };
+  };
 }
--- a/hosts/nougat-2/caddy.nix
+++ b/hosts/nougat-2/caddy.nix
@ -6,7 +6,9 @@
  ...
 }: let
  pubsolarDomain = import ./pubsolar-domain.nix;
+  # Machine user for CI pipelines
 in {
+  networking.firewall.allowedTCPPorts = [80 443];
  networking.networkmanager.unmanaged = ["interface-name:ve-caddy"];
  networking.nat = {
    enable = true;
@ -17,13 +19,35 @@ in {
    # Lazy IPv6 connectivity for the container
    enableIPv6 = true;
  };
+
+  systemd.tmpfiles.rules = [
+    "d '/data/www' 0750 root www - -"
+    "d '/data/caddy' 0750 root caddy - -"
+  ];
+
+  users.groups.caddy = {};
+  users.groups.www = {};
+  users.users.hakkonaut.extraGroups = ["www"];
+  ids.uids.www = 996;
+  ids.gids.www = 996;
+
+  fileSystems."/var/lib/caddy" = {
+    device = "/data/caddy";
+    options = ["bind"];
+  };
+
+  fileSystems."/srv/www" = {
+    device = "/data/www";
+    options = ["bind"];
+  };
+
  containers.caddy = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.101.0";
-    localAddress = "192.168.102.0";
+    localAddress = "192.168.103.0";
    hostAddress6 = "fc00::1";
-    localAddress6 = "fc00::2";
+    localAddress6 = "fc00::3";

    forwardPorts = [
      {
@ -40,20 +64,36 @@ in {

    bindMounts = {
      "/srv/www/" = {
-        hostPath = "/data/www/";
+        hostPath = "/data/www";
+        isReadOnly = false;
+      };
+
+      "/var/lib/caddy/" = {
+        hostPath = "/data/caddy";
+        isReadOnly = false;
+      };
+
+      "/var/lib/caddy/.local/share/caddy/certificates/acme-v02.api.letsencrypt.org-directory" = {
+        hostPath = "/data/acme";
        isReadOnly = false;
      };
    };

    config = {
+      users.groups.caddy = {};
+      users.groups.www = {};
+      users.groups.acme = {};
+      users.users.caddy.extraGroups = ["www" "acme"];
+
+      networking.firewall.allowedTCPPorts = [80 443];
+      environment.etc."resolv.conf".text = "nameserver 1.1.1.0";
+
      services.caddy = {
        enable = lib.mkForce true;
-        group = "hakkonaut";
-        email = "admins@pub.solar";
-        globalConfig = lib.mkForce ''
-          auto_https off
-        '';
-        acmeCA = null;
+
+        email = "acme@benjaminbaedorf.eu";
+        globalConfig = lib.mkForce "";
+
        virtualHosts = {
          "dashboard.nougat-2.b12f.io" = {
            extraConfig = ''
@ -113,7 +153,7 @@ in {
            '';
            extraConfig = ''
              redir / /realms/${pubsolarDomain}/account temporary
-              reverse_proxy 192.168.103.0:8080
+              reverse_proxy 192.168.104.0:8080
            '';
          };
          "git.${pubsolarDomain}" = {
@ -122,7 +162,7 @@ in {
            '';
            extraConfig = ''
              redir /user/login /user/oauth2/keycloak temporary
-              reverse_proxy 192.168.101.0:3000
+              reverse_proxy 192.168.105.0:3000
            '';
          };
          "ci.${pubsolarDomain}" = {
@ -135,7 +175,6 @@ in {
          };
        };
      };
-      networking.firewall.allowedTCPPorts = [80 443];
    };
  };
 }
--- a/hosts/nougat-2/concourse.nix
+++ b/hosts/nougat-2/concourse.nix
@ -33,22 +33,31 @@ in {
    description = "Concourse Service";
    home = "/var/lib/concourse";
    useDefaultShell = true;
-    uid = 10001;
    group = "concourse";
    isSystemUser = true;
  };

  users.groups.concourse = {};
+  users.groups.postgres = {};
+  ids.uids.concourse = 995;
+  ids.gids.concourse = 995;

  systemd.tmpfiles.rules = [
-    "d '/var/lib/concourse' 0750 concourse concourse - -"
+    "d '/data/concourse/db' 0770 ${builtins.toString config.ids.uids.postgres} postgres - -"
  ];

+  system.activationScripts.mkConcourseNet = let
+    docker = config.virtualisation.oci-containers.backend;
+    dockerBin = "${pkgs.${docker}}/bin/${docker}";
+  in ''
+    ${dockerBin} network inspect concourse-net >/dev/null 2>&1 || ${dockerBin} network create concourse-net --subnet 172.20.0.0/24
+  '';
+
  virtualisation.oci-containers = {
    containers."concourse-db" = {
      image = "postgres:14";
      autoStart = true;
-      user = "994";
+      user = builtins.toString config.ids.uids.postgres;
      volumes = [
        "/data/concourse/db:/var/lib/postgresql/data"
      ];
@ -63,7 +72,7 @@ in {
    containers."concourse" = {
      image = "concourse/concourse:7.9.1";
      autoStart = true;
-      user = "10001";
+      user = builtins.toString config.ids.uids.concourse;
      ports = [
        "8080:8080"
      ];
--- a/hosts/nougat-2/configuration.nix
+++ b/hosts/nougat-2/configuration.nix
@ -76,7 +76,7 @@ in {
    interface = "enp0s31f6";
  };

-  networking.nameservers = ["8.8.8.8"];
+  networking.nameservers = ["1.1.1.1"];

  # Initial empty root password for easy login:
  users.users.root.initialHashedPassword = "";
@ -85,6 +85,21 @@ in {
    then psCfg.user.publicKeys
    else [];

+  users.users.hakkonaut = {
+    home = "/home/hakkonaut";
+    description = "CI and automation user";
+    useDefaultShell = true;
+    group = "hakkonaut";
+    isSystemUser = true;
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGP5MvCwNRtCcP1pSDrn0XZTNlpOqYnjHDm9/OI4hECW hakkonaut@flora-6"
+    ];
+  };
+
+  users.groups.hakkonaut = {};
+  ids.uids.hakkonaut = 998;
+  ids.gids.hakkonaut = 998;
+
  services.openssh.enable = true;
  services.openssh.settings.PermitRootLogin = "prohibit-password";

@ -94,9 +109,6 @@ in {
  virtualisation = {
    docker = {
      enable = true;
-      extraOptions = ''
-        --data-root /data/docker
-      '';
    };

    oci-containers = {
--- a/hosts/nougat-2/gitea.nix
+++ b/hosts/nougat-2/gitea.nix
@ -10,7 +10,7 @@ in {
  age.secrets.gitea-database-password = {
    file = "${self}/secrets/gitea-database-password.age";
    mode = "600";
-    owner = "gitea";
+    group = "gitea";
  };

  # age.secrets.gitea-mailer-password = {
@ -19,6 +19,44 @@ in {
  #   owner = "gitea";
  # };

+  systemd.tmpfiles.rules = [
+    "d '/data/gitea/db' 0770 root postgres - -"
+    "d '/data/gitea/gitea' 0770 root gitea - -"
+  ];
+
+  users.groups.postgres = {};
+  users.groups.gitea = {};
+  ids.uids.gitea = 994;
+  ids.gids.gitea = 994;
+
+  containers.gitea = {
+    autoStart = true;
+    privateNetwork = true;
+    hostAddress = "192.168.101.0";
+    localAddress = "192.168.105.0";
+    hostAddress6 = "fc00::1";
+    localAddress6 = "fc00::5";
+
+    bindMounts = {
+      "/var/lib/postgresql/14" = {
+        hostPath = "/data/gitea/db";
+        isReadOnly = false;
+      };
+
+      "/var/lib/gitea" = {
+        hostPath = "/data/gitea/gitea";
+        isReadOnly = false;
+      };
+
+      "${config.age.secrets.gitea-database-password.path}" = {
+        hostPath = "${config.age.secrets.gitea-database-password.path}";
+        isReadOnly = true;
+      };
+    };
+
+    config = {
+      networking.nameservers = ["1.1.1.1"];
+
      services.gitea = {
        enable = true;
        package = pkgs.forgejo;
@ -81,4 +119,6 @@ in {
      environment.variables = {
        GPG_TTY = "$(tty)";
      };
+    };
+  };
 }
--- a/hosts/nougat-2/keycloak.nix
+++ b/hosts/nougat-2/keycloak.nix
@ -10,26 +10,42 @@
 in {
  age.secrets.keycloak-database-password = {
    file = "${self}/secrets/keycloak-database-password.age";
-    mode = "700";
-    #owner = "keycloak";
+    mode = "770";
+    group = "keycloak";
  };

+  systemd.tmpfiles.rules = [
+    "d '/data/keycloak/db' 0770 root postgres - -"
+  ];
+
+  users.groups.postgres = {};
+  users.groups.keycloak = {};
+  ids.uids.keycloak = 993;
+  ids.gids.keycloak = 993;
+
  containers.keycloak = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.101.0";
-    localAddress = "192.168.103.0";
+    localAddress = "192.168.104.0";
    hostAddress6 = "fc00::1";
-    localAddress6 = "fc00::3";
+    localAddress6 = "fc00::4";

    bindMounts = {
      "/var/lib/postgresql/14" = {
        hostPath = "/data/keycloak/db";
        isReadOnly = false;
      };
+
+      "${config.age.secrets.keycloak-database-password.path}" = {
+        hostPath = "${config.age.secrets.keycloak-database-password.path}";
+        isReadOnly = true;
+      };
    };

    config = {
+      networking.nameservers = ["1.1.1.1"];
+
      services.keycloak = {
        enable = true;
        database.passwordFile = config.age.secrets.keycloak-database-password.path;