diff --git a/nixos/ipa.nix b/nixos/ipa.nix
index ff97d028..e4d143f4 100644
--- a/nixos/ipa.nix
+++ b/nixos/ipa.nix
@@ -1,6 +1,6 @@
 { inputs, pkgs, config, lib, ... }: let
   inherit (inputs.self.lib.lib) mkBaseDn;
-  inherit (lib.modules) mkIf mkBefore mkForce mkDefault;
+  inherit (lib.modules) mkIf mkBefore mkDefault;
   inherit (lib.strings) toUpper;
   inherit (config.networking) domain;
   cfg = config.security.ipa;
diff --git a/systems/keycloak/nixos.nix b/systems/keycloak/nixos.nix
index 76b01d82..089606e3 100644
--- a/systems/keycloak/nixos.nix
+++ b/systems/keycloak/nixos.nix
@@ -5,6 +5,7 @@
     nixos.sops
     nixos.base
     nixos.reisen-ct
+    nixos.ipa
     nixos.keycloak
     nixos.cloudflared
     nixos.vouch
diff --git a/systems/keycloak/secrets.yaml b/systems/keycloak/secrets.yaml
index 9a4f5a36..b80b4359 100644
--- a/systems/keycloak/secrets.yaml
+++ b/systems/keycloak/secrets.yaml
@@ -1,4 +1,5 @@
 cloudflared-tunnel-keycloak: ENC[AES256_GCM,data:nXqz6gys7c9UsOy1oiFGFIl/ra/Cf2hb+LLjXI4agEy9mXCAJlKKg7YzuNaHGAXkTKlrpp2lC0P7qNmI3zryTQKBa+LHTq5Lcj9ZSbSW9zhVVS6e155RcdDv/7j1lcZnVmynX+Dz5m8bz490IEuVme985+L9W/5/ksCnjNzUFiCkaxKwe/w2gGv6GdBVYqCFv1j4XBTNAA9D62uZLM5IATtbaam3yZvygWcDLZLpnI+D1Cd5UvOMpgEvdyvKxfaZEzbgkX6BP2mcw+jC9XM=,iv:1rJgyfj+0vIO9hi5U1IarWlaK/tlpAFHn/q7bhtqogg=,tag:fCCY9lxnFt/ImqDeBH0hvw==,type:str]
+krb5-keytab: ENC[AES256_GCM,data:HzdY8lnFT89At4O/wb8cAIwtbhF0LpuOIGoYhJLMwI2BEg8oW5VvbbQZNkedIktro9eQUfKrFzwOcWZN+GO86xAWePbs/buj3TKXu9bcTFnIUiDQNT40dU8GKlfxFIDQszFhfZq7CuRzrj5MrccS2K/vMqeFTFL99MYShJuO2sxa7sl1DjF5FzgbJh2jyuMh1LEwWRE/HRUOHe+b448o2CBvZ7jop2/dKHHYGCqImeOuxg9q0rNSitkuA8JnX44h1/btYwc2Z707jmQcIqiACUsU2InOy9x7KGnKUfeSm0rIbRRPYugjosofrW+VAPQOvzxG4jGLfkvlCmYBldBeDxqg919eTCIwFOXKKRkI9USN7ozNzG7DccdTKEwSDbOwXvsH7d7CxEvWBHj/igr0srk9xH4jzZhvFynTnxOM+2lLl0VlD18R8wjVvQFuODDqxH9qT27bvSAzkPsUIJkEZDMMVtdij2dTmI/93BlzCZGjfg==,iv:xz+nWncNHB1brJcxc2IBl1mwyBIBeTjgwGmwPvaFqAk=,tag:+5AmPUoeCwcHvnDSrjEiQA==,type:str]
 sops:
     shamir_threshold: 1
     kms: []
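Review bot: The `nixos.ipa` import added to the `imports` list here (and the matching one in systems/utsuho/nixos.nix) is paired with a new `krb5-keytab` entry in each host's secrets.yaml, but nothing in the diff declares that sops secret or connects it to the IPA module, so that wiring presumably lives in nixos/ipa.nix outside the visible hunks. A keytab is a long-lived host credential, so it is worth confirming that the declaration keeps it root-owned with a restrictive mode (sops-nix defaults to `0400`) rather than widening it for a service user. A short comment on the import, `# enrols this host in FreeIPA; expects the sops secret krb5-keytab`, would make the dependency between this line and the secrets file visible to the next reader.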
@@ -15,8 +16,8 @@ sops:
             WkhIeEh1amh5K0hIb2FKZ0ppSGpBZlEKjF9ysJCX40H5vH4UuZSXryAThk3ipdlP
             RML2if3bz+uMXgw+zdEx8Ac6IcOM25K0gco6g/6r20WYbKz9og5JuA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-19T02:38:20Z"
-    mac: ENC[AES256_GCM,data:OqqsVE2xKsCpIZqszpdBWl9jEToImVW/Vdb5p0HyqjUOL1NSdyRThxx7fft7RlL9Iqd340WrQ/F4kmQHr+4pIEBsKkwrWUh0sbVNz1uLXFasr1nXuhB32zCu6/gxW9fofT11aHBjnH6rLy6KTnXK56jiyaXKPc25EgzKC9aomR4=,iv:hmADJiouxO4dznlSbKXJcAJgRJKtiR5QlypWt3/I7o0=,tag:HBP0G5o30rZsj+2YpM5gkw==,type:str]
+    lastmodified: "2024-03-22T23:54:07Z"
+    mac: ENC[AES256_GCM,data:Uhu+T6indz3MjssA0v62+ob5nqih1QFJLnJD29k24rSnQPWerV6ZM+rT8kMr3wYDouyi+dZm4217wTPENj8sjmRdbCmLSsaR7FffSCDRI5pCDvzuQxSLAOGAbaWZl5zwFuUKQ8sD4xAfj7R3g+Kayyg8dvIovhs7pSTUHmMG+PI=,iv:xK1KqPN+J/y5PN6ZVbLj5QOlT/Q+5QfZo211RedRNCU=,tag:WWs+iVsY6DmBHlw0KcmrCA==,type:str]
     pgp:
         - created_at: "2024-03-13T22:39:09Z"
           enc: |-
diff --git a/systems/utsuho/nixos.nix b/systems/utsuho/nixos.nix
index e83823c0..34e18d7e 100644
--- a/systems/utsuho/nixos.nix
+++ b/systems/utsuho/nixos.nix
@@ -1,6 +1,5 @@
-{meta, config, access, ...}: let
-  inherit (config.services.nginx) virtualHosts;
-  tei = access.nixosFor "tei";
+{meta, config, ...}: let
+  inherit (config.services) nginx;
 in {
   imports = let
     inherit (meta) nixos;
@@ -8,6 +7,7 @@ in {
     nixos.sops
     nixos.base
     nixos.reisen-ct
+    nixos.ipa
     nixos.cloudflared
     nixos.nginx
     nixos.access.unifi
@@ -15,15 +15,17 @@ in {
   ];
   services.cloudflared = let
-    tunnelId = "28bcd3fc-3467-4997-806b-546ba9995028";
     inherit (config.services) unifi;
+    inherit (nginx) virtualHosts defaultHTTPListenPort;
+    tunnelId = "28bcd3fc-3467-4997-806b-546ba9995028";
+    localNginx = "http://localhost:${toString defaultHTTPListenPort}";
   in {
     tunnels.${tunnelId} = {
       default = "http_status:404";
       credentialsFile = config.sops.secrets.cloudflared-tunnel-utsuho.path;
       ingress = {
         ${virtualHosts.unifi.serverName} = assert unifi.enable; {
-          service = "http://localhost";
+          service = localNginx;
         };
       };
     };
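Review bot: `localNginx` derives the ingress port from `services.nginx.defaultHTTPListenPort`, which only governs virtual hosts that do not set their own `listen`/`listenAddresses`; if the `unifi` vhost ever declares an explicit listen port, the tunnel ingress in the `services.cloudflared` hunk will silently point at the wrong port. That is still an improvement over the implicit port 80 in the old `"http://localhost"`, but the assumption should be recorded next to the binding, e.g. `# assumes the unifi vhost listens on nginx's default HTTP port (no explicit listen)`. The `services.cloudflared` definition appears to continue past the hunk's last line, since the attribute set opened by `in {` is not closed within the shown lines.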
diff --git a/systems/utsuho/secrets.yaml b/systems/utsuho/secrets.yaml
index 5187abf9..7cd59d59 100644
--- a/systems/utsuho/secrets.yaml
+++ b/systems/utsuho/secrets.yaml
@@ -1,4 +1,5 @@
 cloudflared-tunnel-utsuho: ENC[AES256_GCM,data:GqhrwmOjfmj4VhecMS8765MPBq0URQlW64Hs7ljLVKFZdUKOz4trT+GusDEmTnHTSo+Tl24Bd6Z6TdyFKgacVOUFaPhO3EBkMrZ0rjFWVib4LsH3IH3/hctLiGJDbXLpu3WGnY/lYopPWr5870gzRfJCvbQecrFibsD9osksScttKOUVziTKSmYeOWHiTzI/ZrMUa3HMH3+O6rfajY2qq+v3O31/PS1cHEl+A2zfdmKVMbF/ugyVn/8cveYQGz5fsIDm11i5J9BrbWvaTH8=,iv:d9bW/dYRgk6QzWzUXu6IXUuwQo+Ghm1OPqU/lQLlss0=,tag:NNAOb/QUM41x/1Qhp2MWqw==,type:str]
+krb5-keytab: ENC[AES256_GCM,data:BkpMT7O9JHmWKVRaMunuYjYMIa9+37IKJmahQE7tOIKzCjPdRkUjqB0+zbuuxQC4GA36vF16U8j3Rdu5mB/27pS/ZoOtOtLftyS5EcU6rzMZP09lsxdyO/9xGCXbIK/119tNN6+PMBuxmZFfP8+bnM3KlQHBnLbjXtGDeuHEMzH2PuTCxCRO5sVOYU/0dSlZioGB0eHJJszGFcMOMeEMuGyu3XiBwIfQ4tCD2Nw9SA8eSIQ7E0RXcRQtl0h9IEgjH1O6TkCBIsGRpVXHvcJgj5XhPYilmLenNtfi/JmyzjtCJbKAgi8J9o/Tox73ORKEzHSRSmUmr/e+EKrH1TdfH0t6/h5/tErhxqQwy0tEVbhcjH56r+n/65gH3kMO0QflKMM7Z9yk9v0+FJk5T1geEf+UT1tBvfCVQ8E5brxI0Jz9mPmkkSE1ZuGZ+gtw3rYwSUrWcgmbaH+r9dIvAKMgsFxDqRzhxjEXM1w=,iv:4+/cOA51FCE9lRpJ8ib3TEf1gKFqgTVg+SsujMMzWx4=,tag:ZaDx2AJhc7CEoMCmgcCWCQ==,type:str]
 sops:
     shamir_threshold: 1
     kms: []
@@ -15,8 +16,8 @@ sops:
             aGMvcU4xQVNuczB5NGhZMnFlWnlkSGsKm8Z3rSM/uNN1522p0inM5vQ8+OY83FDI
             I69BH9qL2ekRG2e2Qw+bjeHOUm9Qe9QSRsQPW3Z3XDdxEVxRgE9Avw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-03-21T17:43:11Z"
-    mac: ENC[AES256_GCM,data:g/e7TsFAbKZZpbbJyKZxbyjJ0fIDoPA+hrh7NbuJKJw8sSVBnhxbDBVzMELpekRg/HuXlYB9vf/2tVgIrDdSN8oF+JP6E5O5i7pebDSibpQ2aAsUadWBQfuzaCAu/jfbKbe7lAfU631nnkVP0K9wdj2aRRjElr68sbdfeSFIeBs=,iv:5Zr5dWk63ebyxNwXBOTjjmBg9UBJqB7BOQKtrJUafYM=,tag:D3gz/tEyZY6IIHhT19x/cw==,type:str]
+    lastmodified: "2024-03-22T23:44:00Z"
+    mac: ENC[AES256_GCM,data:l8QX2jzmUlDTs+HxGGSpuwBZ5+GTTtT6wdfH1JiPzQXBPkmOgh6qbcWDfDBSB/RCSvGYr01nhrOS0o/hFRrSB4YHGIeqvxBF+jSC/69BpWKSse1iGMFRvmDUuhk91fb3cVNJRsqUWczt83eJjnPIDVW4z6wRKcvVuZmG2S+2l2c=,iv:bakM1RALwvtHUp4bOTYLAGYyOph7fW8v/z+6z3Fqh+0=,tag:du776gXc4RQfrtNgN/Sxbg==,type:str]
     pgp:
         - created_at: "2024-03-21T17:32:41Z"
           enc: |-