From 6e6e5857fd28128e94a0ef1757b183c679cc2b5f Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Fri, 31 Mar 2023 15:20:56 +0200
Subject: [PATCH 1/7] 001_momo_koeln: Add keycloak

---
 hosts/host_001_momo_koeln/configuration.nix | 2 ++
 hosts/host_001_momo_koeln/keycloak.nix | 25 +++++++++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 hosts/host_001_momo_koeln/keycloak.nix

diff --git a/hosts/host_001_momo_koeln/configuration.nix b/hosts/host_001_momo_koeln/configuration.nix
index 43e5558f..71f49ad8 100644
--- a/hosts/host_001_momo_koeln/configuration.nix
+++ b/hosts/host_001_momo_koeln/configuration.nix
@@ -5,6 +5,8 @@
 [
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
+
+ ./keycloak.nix
 ];
 
 pub-solar.core.lite = true;
diff --git a/hosts/host_001_momo_koeln/keycloak.nix b/hosts/host_001_momo_koeln/keycloak.nix
new file mode 100644
index 00000000..da712d09
--- /dev/null
+++ b/hosts/host_001_momo_koeln/keycloak.nix
@@ -0,0 +1,25 @@
+{
+ config,
+ lib,
+ inputs,
+ pkgs,
+ self,
+ ...
+}: {
+ age.secrets.keycloak-database-password = {
+ file = "${self}/secrets/keycloak-database-password.age";
+ mode = "700";
+ };
+
+ # keycloak
+ services.keycloak = {
+ enable = true;
+ database.passwordFile = config.age.secrets.keycloak-database-password.path;
+ settings = {
+ hostname = "auth.momo.koeln";
+ http-host = "127.0.0.1";
+ http-port = 8080;
+ proxy = "edge";
+ };
+ };
+}
-- 
2.44.1

From a0a92d27c9fa279b6e60bdd414488fede96da103 Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Fri, 31 Mar 2023 15:58:57 +0200
Subject: [PATCH 2/7] 001_momo_koeln: Add caddy

---
 hosts/host_001_momo_koeln/caddy.nix | 26 +++++++++++++++++++++
 hosts/host_001_momo_koeln/configuration.nix | 1 +
 2 files changed, 27 insertions(+)
 create mode 100644 hosts/host_001_momo_koeln/caddy.nix

diff --git a/hosts/host_001_momo_koeln/caddy.nix b/hosts/host_001_momo_koeln/caddy.nix
new file mode 100644
index 00000000..8e90b16d
--- /dev/null
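Review bot: `mode = "700";` on `age.secrets.keycloak-database-password` sets the execute bit on a file that is only ever read; `mode = "600";` gives the same owner-only access without marking a password file executable. Whether the keycloak service can read a root-owned 0600 file depends on how the NixOS module hands `database.passwordFile` to the unit, which this hunk does not show, so that is worth confirming on first deploy rather than assumed. The argument set also binds `lib`, `inputs` and `pkgs` that the body never uses; `{ config, self, ... }: {` makes the module's real inputs visible. Since `proxy = "edge"` makes Keycloak trust the forwarded headers of whatever reaches its HTTP port, the `http-host = "127.0.0.1"` binding is what keeps that safe, and a comment recording the coupling (`# loopback only: with proxy = "edge" Keycloak trusts X-Forwarded-* from this port`) would stop a later change from widening the bind address.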
+++ b/hosts/host_001_momo_koeln/caddy.nix
@@ -0,0 +1,26 @@
+{
+ config,
+ ...
+}: {
+ # Changing the Caddyfile should only trigger a reload, not a restart
+ systemd.services.caddy.reloadTriggers = [
+ config.services.caddy.configFile
+ ];
+
+ services.caddy = {
+ enable = true;
+ email = "wg-tooling@list.momo.koeln";
+ virtualHosts = {
+ "auth.momo.koeln" = {
+ logFormat = ''
+ output discard
+ '';
+ extraConfig = ''
+ reverse_proxy :8080
+ '';
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [80 443];
+}
diff --git a/hosts/host_001_momo_koeln/configuration.nix b/hosts/host_001_momo_koeln/configuration.nix
index 71f49ad8..a955f57b 100644
--- a/hosts/host_001_momo_koeln/configuration.nix
+++ b/hosts/host_001_momo_koeln/configuration.nix
@@ -6,6 +6,7 @@
 # Include the results of the hardware scan.
 ./hardware-configuration.nix
 
+ ./caddy.nix
 ./keycloak.nix
 ];
 
-- 
2.44.1

From 8b8280d07e06aeb8118d4a82f05a6818cdbce5ca Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Fri, 31 Mar 2023 16:51:04 +0200
Subject: [PATCH 3/7] secrets: Add keys for axeman and host_001_momo_koeln

---
 secrets/secrets.nix | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 641ef20d..9024f71e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -1,8 +1,8 @@
 let
 # set ssh public keys here for your system and user
- system = "";
- user = "";
- allKeys = [system user];
+ host_001_momo_koeln = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7XTCHfX6ta8EtkdOcZLnpdhMmXDfTebVMs4NC8JEPj root@nixos";
+ axeman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU @axeman";
+ allKeys = [host_001_momo_koeln axeman];
 in {
 "secret.age".publicKeys = allKeys;
 }
-- 
2.44.1

From 4c4c4cab0b00be2a8c8cbb839602d5c0645987c3 Mon Sep 17 00:00:00 2001
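Review bot: `output discard` in the `logFormat` of `"auth.momo.koeln"` throws away the access log of the identity provider's only public entry point, so failed login attempts and scanning against Keycloak leave no trace at the proxy layer. Unless Keycloak's own event log is what the operators rely on, keeping Caddy's default log (journald) costs nothing and is the only record that survives if Keycloak itself is the thing misbehaving. At minimum the choice should be explained in place, e.g. `# access log discarded on purpose: <reason>` above `logFormat`, so the next reader does not re-enable it or assume it was an oversight.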
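Review bot: The comment `# set ssh public keys here for your system and user` no longer matches the lines under it, which now hold named recipient keys rather than the `system`/`user` placeholders it describes; `# recipients: host keys (host_*) and admin user keys; every key in allKeys can decrypt every secret below` would describe the current shape and the all-or-nothing trust it implies. The host key's comment field `root@nixos` is the installer default and does not identify the machine; the binding name `host_001_momo_koeln` carries that, so it is cosmetic, but editing the comment to the host name avoids confusion when the key turns up in other listings.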
From: Akshay Mankar
Date: Fri, 31 Mar 2023 16:52:23 +0200
Subject: [PATCH 4/7] secrets: Add keycloak-database-password

---
 secrets/keycloak-database-password.age | 10 ++++++++++
 secrets/secrets.nix | 2 +-
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 secrets/keycloak-database-password.age

diff --git a/secrets/keycloak-database-password.age b/secrets/keycloak-database-password.age
new file mode 100644
index 00000000..6b73ed5e
--- /dev/null
+++ b/secrets/keycloak-database-password.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 1bbksA z0Fl2MQtElRbmJyvOTR4X1kyTR3hD4rowXOxkObyYEA
+1RsnMcGyayGS4cWkTIzDpRtD2yM6GO3TRP3/N4EWEp0
+-> ssh-ed25519 uYcDNw LxfEkPFAtMnzTiHj/qWQDOX0VHNs/1J3uvqe4sNqm34
+a/LEh6l8VkLZj0L0Hk36EPUnm2zRrQKzsNpIdbw6ebE
+-> fl_rP-grease MNtaz=`
++GSrNb4wwZiMNmGic1os5KczQXyxZTE94h62Twck
+--- MK6TtGPzC4dEVKpfjoYTfvThfMHVIJVm/hoDzG8WbMk
+p)_z΃tLvz {ȂhqBQn'7lw5!W vz]şSo\ yPGsk}dkzhiH <!
+^F\g4pkk0Sr
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 9024f71e..42a72ff8 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -4,5 +4,5 @@ let
 axeman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU @axeman";
 allKeys = [host_001_momo_koeln axeman];
 in {
- "secret.age".publicKeys = allKeys;
+ "keycloak-database-password.age".publicKeys = allKeys;
 }
-- 
2.44.1

From 41939956c5ca1c1ec3acae71b2bde2707caae0c8 Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Tue, 25 Apr 2023 10:14:46 +0200
Subject: [PATCH 5/7] secrets: add host keys for b12f + teutat3s

---
 secrets/secrets.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 42a72ff8..2fbf4364 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -2,7 +2,14 @@ let
 # set ssh public keys here for your system and user
 host_001_momo_koeln = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE7XTCHfX6ta8EtkdOcZLnpdhMmXDfTebVMs4NC8JEPj root@nixos";
 axeman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU @axeman";
- allKeys = [host_001_momo_koeln axeman];
+ b12f-bbcom = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCmXpOU6vzQiVSSYCoxHYv7wDxC63Qg3dxlAMR6AOzwIABCU5PFFNcO0NWYms/YR7MOViorl+19LCLRABar9JgHU1n+uqxKV6eGph3OPeMp5sN8LAh7C9N+TZj8iJzBxQ3ch+Z/LdmLRwYNJ7KSUI+gwGK6xRS3+z1022Y4P0G0sx7IeCBl4lealQEIIF10ZOfjUdBcLQar7XTc5AxyGKnHCerXHRtccCoadLQujk0AvPXbv3Ma4JwX9X++AnCWRWakqS5UInu2tGuZ/6Hrjd2a9AKWjTaBVDcbYqCvY4XVuMj2/A2bCceFBaoi41apybSk26FSFTU4qiEUNQ6lxeOwG4+1NCXyHe2bGI4VyoxinDYa8vLLzXIRfTRA0qoGfCweXNeWPf0jMqASkUKaSOH5Ot7O5ps34r0j9pWzavDid8QeKJPyhxKuF1a5G4iBEZ0O9vuti60dPSjJPci9oTxbune2/jb7Sa0yO06DtLFJ2ncr5f70s/BDxKk4XIwQLy+KsvzlQEGdY8yA6xv28bOGxL3sQ0HE2pDTsvIbAisVOKzdJeolStL9MM5W8Hg0r/KkGj2bg0TfoRp1xHV9hjKkvJrsQ6okaPvNFeZq0HXzPhWMOVQ+/46z80uaQ1ByRLr3FTwuWJ7F/73ndfxiq6bDE4z2Ji0vOjeWJm6HCxTdGw==";
+ teutat3s-dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
+ allKeys = [
+ axeman
+ b12f-bbcom
+ host_001_momo_koeln
+ teutat3s-dumpyourvms
+ ];
 in {
 "keycloak-database-password.age".publicKeys = allKeys;
 }
-- 
2.44.1

From a5061b894767e3c845b7688d62ceb1dda15c459b Mon Sep 17 00:00:00 2001
From: teutat3s
Date: Tue, 25 Apr 2023 10:18:54 +0200
Subject: [PATCH 6/7] secrets: add host keys for hensoko

---
 secrets/secrets.nix | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 2fbf4364..d7251820 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
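Review bot: Adding `b12f-bbcom` and `teutat3s-dumpyourvms` to `allKeys` changes the recipient set of `keycloak-database-password.age`, but the encrypted file is not rekeyed in this commit, so the new keys cannot decrypt it until the rekey that only arrives in patch 7 of this series; the hensoko keys added in patch 6 have the same gap. A recipient change and its rekey belong in one commit, so that no intermediate revision lists a key that does not actually work and no bisect lands on a state where the secret is unreadable for half the team. Because every entry of `allKeys` can decrypt the database password of the identity provider, it is also worth saying next to the list that this is deliberate, e.g. `# every key here can decrypt every secret; split per secret if that ever stops being intended`.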
@@ -4,9 +4,15 @@ let
 axeman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMNeQYLFauAbzDyIbKC86NUh9yZfiyBm/BtIdkcpZnSU @axeman";
 b12f-bbcom = "ssh-rsa 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";
 teutat3s-dumpyourvms = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHcU6KPy4b1MQXd6EJhcYwbJu7E+0IrBZF/IP6T7gbMf teutat3s@dumpyourvms";
+ hensoko_nitrokey_1 = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII/58A18EtxnLYHu63c/+AyTSkJQSso/VVdHUFGp1CTk cardno:FFFE34353135";
+ hensoko_harrison = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEbaQdxp7Flz6ttELe63rn+Nt9g43qJOLih6VCMP4gPb hensoko@harrison";
+ hensoko_norman = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAqkqMYgncrnczcW/0PY+Z+FmNXXpgw6D9JWTTwiainy hensoko@hensoko-tp-work";
 allKeys = [
 axeman
 b12f-bbcom
+ hensoko_nitrokey_1
+ hensoko_harrison
+ hensoko_norman
 host_001_momo_koeln
 teutat3s-dumpyourvms
 ];
-- 
2.44.1

From 5c894c5265f6ab78f5a379e9e08129bd0f7c7d81 Mon Sep 17 00:00:00 2001
From: Akshay Mankar
Date: Tue, 25 Apr 2023 12:10:02 +0200
Subject: [PATCH 7/7] Rekey agenix secrets

---
 secrets/keycloak-database-password.age | Bin 481 -> 1685 bytes
 1 file changed, 0 insertions(+), 0 deletions(-)

diff --git a/secrets/keycloak-database-password.age b/secrets/keycloak-database-password.age index 6b73ed5e846d381ee98d607c73e5a85c4105ef1e..faab496d732cbfbe6f86f2073b3e64581d836fb9 100644 GIT binary patch literal 1685 zcmZ9M$?Nn69fy@tc?p7o8`#SzQp8_>PPWNXsE|yS$z-x;GD)Cl_I=MJnTX=0pyE+b z5qt2UpeGL=q!f{Q=}9Rb3N1>Z;z{)4r3?7;@OpUvf`{kJ^Z9y7bRX40e{09AslVFv z$##N(`>$<=A-#`6c(;Sd&D9AQdEVSyCPL&IA}ZDZZ4xwiqA}-AB)h2fPaK_fk(tS8 zBT)gM;SlFcj^oB$Yvn40QW$eI8$Kg3@p2C9b$>FW+-^&2cueaDZ&PrL0a8Flt9ZR& z%f37g7s@XZL3TC6-7e5bjgkWyq3-iIW{4r7ZY_Kz=aT_@VCkFEO`qcw$iOz3s}p5G zet;|ZDe+ZaJS)-I%-zVHyco(gv#=6EigRkAFn_Wk|E@YL9(-vyItEZBq?QLCT+w3| zGxuBFl2?m$>yd|zSr#YH^RzKUN+u!W%3R4_S2FXcD-cMk1?vE^3$t~wr}5np(#aVs zb;}DCbsHh7+eC`j>NklHxRZ9&a=DLDe~XRbox^Nfwn3=62C{I8$9}C=c%ROgyX!>Z zc0`tLTgvTBAu=9M@lhU|<*-FL{jMHF$ZA*V2$~#j2CxQfE3YrG+K@-v6;f!tj0Taf zFqa-65?i`8Ep3-s*ZGvGO6XC!W?w?3gMFIaE$MpcfD*nQl#_*Nvvg|(#&D&zy!e+% zKWls8QnP+ZU2+~y`FbTpS_!x{UK}Wo&#Ev5$g5Y< zlPlo@U&W*#Z$88Dsv}+RD4jRkcv$F4H^TPn1D%q!W=bPOfVzl_wG(%Qaec?up!aYM zsmJIuKY`bTI!6gO=hu2M?K`}(9plQx1J?mUC_tESR$5tyt4^ks+X6D#svHqm#BT|{ z7b%Df4#!dIP{yQm&n!b_=O$bJ;O2n?15{5mP;0~9Oj$%Uo!u!$2%v|_ zSz?a0z?{mFurW=ih`bCA4t7;V46{k;imQ`nG|kLC_3#mDCJPxd3$zezh!a&rg_va9V`HQ8JcW^OUWxt z#pp8YIhOU*w9I!=fi^r8o=5KD&Z&I{pLBzKzZj^EV#jRHR7``eh2jalcSW@XVeML9 z6U(87Dmtjk?aI(u@Q~h_Vz{X;5Il{D8+0&Gg%;dG7eu4Ps6?!66+YXqyqZ*XYtOFAj zUF%^BGod1m;d{E2mISkc|IyI!n=jlaedG<%2HiL>sGC(a_yX`JBy_5C4A*d4IoA`y~(egocV--4s0x$9d}@UeNk-D&1fxV#C3(f-C_E;LqaEe^#uYeeV0j zZ(c{A`PPV=&@Y!CKlR!t-~0Q=zx(;?AHMSD^26W1_R8=6`pT!?aX<3tZ%_Y;bRPZd z^xU(5`P|E&UVi(fAMC&Qi+}#~qi?+Zy|2SRdVYNWnYTXk?61^UU;V}(WAmwxefuQ} k`^P7~U{ODL_t)PM`A7DDx(532<@c5N%kTdCgO^_XFZ9+n%m4rY delta 454 zcmV;%0XhDa4dDZjC4VtuVrz3jAbK!HY%)zzbVY1ZVr@!!c287NG*~ffc~nv}Xhbw} zZ+BQvcxz8$d09n43Ncc1ZcSrHd0}}+Q#4~&Yg9>kL~v4cL^63zHb+l0R8mkgFHST? 
zS4D6z3N1b$b8~1dWn?lnH8D9Lby;IXPIn+ocxFXwP)0#?O@D5BRB1?RFL75aIZ8J0qVJ}QYXf|v(R%=XJYA{SNNNY1TMNn04Z8CaNa#2fq zb53wcWMX$VWnx7NEj}P-Y+rIvEoX9NVRL05O-^)SdOctYD@RjuPGU57cUoypPHjhN zV=-@YHA`c9QGZx@cv@6NIW%ZCGE{eCYYHtbEg(%xHdJ&+PaAs<6SyX0r zRA^>RNLEQoR&6h6Z$x@WI9Fm#YYG!^`?4utje5?5bWC>mdJKE-$bx96%W>C2<5Bdl zZYMWvcQqkb3;OtW*T(01jt*Vk=*z{QQv%v=z1m!e3qSgcpn!Q$?nl0J+iU-Qyq08& wYr^cG$a=GAX{zB!3_JqZAqs-K6JCGZMqFoqr!<^!jK^zh7Namza_AuYi*mB8)c^nh -- 2.44.1