diff --git a/hosts/host_001_momo_koeln/caddy.nix b/hosts/host_001_momo_koeln/caddy.nix
new file mode 100644
index 00000000..8e90b16d
--- /dev/null
+++ b/hosts/host_001_momo_koeln/caddy.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ ...
+}: {
+ # Changing the Caddyfile should only trigger a reload, not a restart
+ systemd.services.caddy.reloadTriggers = [
+ config.services.caddy.configFile
+ ];
+
+ services.caddy = {
+ enable = true;
+ email = "wg-tooling@list.momo.koeln";
+ virtualHosts = {
+ "auth.momo.koeln" = {
+ logFormat = ''
+ output discard
+ '';
+ extraConfig = ''
+ reverse_proxy :8080
+ '';
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [80 443];
+}
diff --git a/hosts/host_001_momo_koeln/configuration.nix b/hosts/host_001_momo_koeln/configuration.nix
index 43e5558f..a955f57b 100644
--- a/hosts/host_001_momo_koeln/configuration.nix
+++ b/hosts/host_001_momo_koeln/configuration.nix
@@ -5,6 +5,9 @@
 [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
+
+ ./caddy.nix
+ ./keycloak.nix
 ];
 
 pub-solar.core.lite = true;
diff --git a/hosts/host_001_momo_koeln/keycloak.nix b/hosts/host_001_momo_koeln/keycloak.nix
new file mode 100644
index 00000000..da712d09
--- /dev/null
+++ b/hosts/host_001_momo_koeln/keycloak.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ inputs,
+ pkgs,
+ self,
+ ...
+}: {
+ age.secrets.keycloak-database-password = {
+ file = "${self}/secrets/keycloak-database-password.age";
+ mode = "700";
+ };
+
+ # keycloak
+ services.keycloak = {
+ enable = true;
+ database.passwordFile = config.age.secrets.keycloak-database-password.path;
+ settings = {
+ hostname = "auth.momo.koeln";
+ http-host = "127.0.0.1";
+ http-port = 8080;
+ proxy = "edge";
+ };
+ };
+}
diff --git a/secrets/keycloak-database-password.age b/secrets/keycloak-database-password.age
new file mode 100644
index 00000000..faab496d
Binary files /dev/null and b/secrets/keycloak-database-password.age differ
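Review bot: `output discard` in the `logFormat` of the `auth.momo.koeln` virtual host throws away the access log of the identity provider's only public entry point, so failed logins, bursts of requests against the token endpoint and similar anomalies leave no request-level record on the proxy. A single-line change keeps the log without a file to rotate: `output stderr` (which lands in the journal under systemd); alternatively drop the `logFormat` line and rely on the module's default. The `reverse_proxy :8080` upstream relies on keycloak.nix binding to loopback, which nothing in this file states; a comment such as `# Keycloak listens on 127.0.0.1:8080 (see keycloak.nix); TLS terminates here` would record that coupling next to the directive.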
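Review bot: `mode = "700"` on `age.secrets.keycloak-database-password` sets the execute bit on a file that holds a password; a secret file needs only `mode = "600";` (or `"400"`, which is what agenix uses when `mode` is left unset). The owner is left at its default (root), so whether the keycloak service can read `database.passwordFile` depends on which user the NixOS module reads it as; worth confirming on a test deploy, and if it is read as the service user, set `owner` to that user rather than widening the mode. `lib`, `inputs` and `pkgs` are declared in the module arguments but never used, and can be dropped. `proxy = "edge"` makes Keycloak trust X-Forwarded-* headers from whatever connects to port 8080, which is only safe because `http-host = "127.0.0.1"` keeps that port off the network; a comment next to `proxy` such as `# "edge": trust forwarded headers from Caddy; relies on http-host staying loopback` would pin that dependency.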
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 641ef20d..d7251820 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,8 +1,21 @@
 let
 # set ssh public keys here for your system and user
- system = "";
- user = "";
- allKeys = [system user];
+ host_001_momo_koeln = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7XTCHfX6ta8EtkdOcZLnpdhMmXDfTebVMs4NC8JEPj root@nixos";
+ axeman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU @axeman";
+ b12f-bbcom = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmXpOU6vzQiVSSYCoxHYv7wDxC63Qg3dxlAMR6AOzwIABCU5PFFNcO0NWYms/YR7MOViorl+19LCLRABar9JgHU1n+uqxKV6eGph3OPeMp5sN8LAh7C9N+TZj8iJzBxQ3ch+Z/LdmLRwYNJ7KSUI+gwGK6xRS3+z1022Y4P0G0sx7IeCBl4lealQEIIF10ZOfjUdBcLQar7XTc5AxyGKnHCerXHRtccCoadLQujk0AvPXbv3Ma4JwX9X++AnCWRWakqS5UInu2tGuZ/6Hrjd2a9AKWjTaBVDcbYqCvY4XVuMj2/A2bCceFBaoi41apybSk26FSFTU4qiEUNQ6lxeOwG4+1NCXyHe2bGI4VyoxinDYa8vLLzXIRfTRA0qoGfCweXNeWPf0jMqASkUKaSOH5Ot7O5ps34r0j9pWzavDid8QeKJPyhxKuF1a5G4iBEZ0O9vuti60dPSjJPci9oTxbune2/jb7Sa0yO06DtLFJ2ncr5f70s/BDxKk4XIwQLy+KsvzlQEGdY8yA6xv28bOGxL3sQ0HE2pDTsvIbAisVOKzdJeolStL9MM5W8Hg0r/KkGj2bg0TfoRp1xHV9hjKkvJrsQ6okaPvNFeZq0HXzPhWMOVQ+/46z80uaQ1ByRLr3FTwuWJ7F/73ndfxiq6bDE4z2Ji0vOjeWJm6HCxTdGw==";
+ teutat3s-dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
+ hensoko_nitrokey_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135";
+ hensoko_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison";
+ hensoko_norman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
+ allKeys = [
+ axeman
+ b12f-bbcom
+ hensoko_nitrokey_1
+ hensoko_harrison
+ hensoko_norman
+ host_001_momo_koeln
+ teutat3s-dumpyourvms
+ ];
 in {
- "secret.age".publicKeys = allKeys;
+ "keycloak-database-password.age".publicKeys = allKeys;
 }
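Review bot: `"keycloak-database-password.age".publicKeys = allKeys` encrypts the database password to every operator key in the repository plus the host, so any one of seven private keys can recover it, and a shared `allKeys` list will be reused for every secret added later regardless of which host needs it. Splitting the list into admins and per-host recipients keeps the recipients of each secret explicit and limits what a single lost laptop or token key exposes, e.g. `admins = [axeman b12f-bbcom hensoko_nitrokey_1 hensoko_harrison hensoko_norman teutat3s-dumpyourvms];` and `"keycloak-database-password.age".publicKeys = [host_001_momo_koeln] ++ admins;`. The host key's comment is the generic `root@nixos`, so a Nix comment above that binding naming the machine (e.g. `# host SSH key of host_001_momo_koeln, /etc/ssh/ssh_host_ed25519_key.pub`) would let a reader verify it against the running host.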