chore(keycloak): cloudflared and vouch

This commit is contained in:
arcnmx 2024-03-18 19:10:43 -07:00
parent b8714cc674
commit 2eef6e5508
15 changed files with 303 additions and 229 deletions


@ -10,7 +10,7 @@
mediabox = access.nixosFor "mediabox";
tei = access.nixosFor "tei";
inherit (mediabox.services) plex;
inherit (tei.services) kanidm vouch-proxy;
inherit (keycloak.services) vouch-proxy;
inherit (config.services) nginx tailscale;
in {
imports = let
@ -32,7 +32,6 @@ in {
nixos.access.global
nixos.access.gensokyo
nixos.access.vouch
nixos.access.kanidm
nixos.access.freeipa
nixos.access.freepbx
nixos.access.unifi
@ -72,22 +71,6 @@ in {
])
];
};
${access.kanidm.domain} = {
inherit (nginx) group;
extraDomainNames = mkMerge [
[access.kanidm.localDomain]
(mkIf access.kanidm.ldapEnable [
access.kanidm.ldapDomain
access.kanidm.ldapLocalDomain
])
(mkIf tailscale.enable [
access.kanidm.tailDomain
])
(mkIf (access.kanidm.ldapEnable && tailscale.enable) [
access.kanidm.ldapTailDomain
])
];
};
${access.unifi.domain} = {
inherit (nginx) group;
extraDomainNames = mkMerge [
@ -159,9 +142,6 @@ in {
])
];
};
"sso.${config.networking.domain}" = {
inherit (nginx) group;
};
};
services.nginx = let
@ -172,14 +152,9 @@ in {
externalPort = 41324;
};
access.vouch = assert vouch-proxy.enable; {
url = "http://${tei.lib.access.hostnameForNetwork.tail}:${toString vouch-proxy.settings.vouch.port}";
url = "http://${keycloak.lib.access.hostnameForNetwork.local}:${toString vouch-proxy.settings.vouch.port}";
useACMEHost = access.vouch.localDomain;
};
access.kanidm = assert kanidm.enableServer; {
inherit (kanidm.server.frontend) domain port;
host = tei.lib.access.hostnameForNetwork.local;
ldapEnable = false;
};
access.unifi = {
host = tei.lib.access.hostnameForNetwork.local;
useACMEHost = access.unifi.domain;
@ -200,14 +175,6 @@ in {
url = "http://${mediabox.lib.access.hostnameForNetwork.local}:${toString mediabox.services.invidious.port}";
};
virtualHosts = {
"sso.${config.networking.domain}" = {
useACMEHost = "sso.${config.networking.domain}";
locations."/".proxyPass = "http://${keycloak.lib.access.hostnameForNetwork.local}:80";
forceSSL = true;
};
${access.kanidm.domain} = {
useACMEHost = access.kanidm.domain;
};
${access.freepbx.domain} = {
local.enable = true;
};

19
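--- a/systems/keycloak/lxc.json
+++ b/systems/keycloak/lxc.json
@@ -0,0 +1,19 @@
+{
+"lxc": {
+"lxc.mount.entry": [
+"/dev/net/tun dev/net/tun none bind,optional,create=file"
+],
+"lxc.idmap": [
+"u 0 100000 8000",
+"g 0 100000 8000",
+"u 8000 8000 128",
+"g 8000 8000 256",
+"u 8128 108128 57406",
+"g 8256 108256 57278",
+"u 65534 65534 1",
+"g 65534 65534 1",
+"u 65535 165535 1",
+"g 65535 165535 1"
+]
+}
+}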
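Review bot: The `lxc.idmap` entries `u 8000 8000 128`, `g 8000 8000 256`, `u 65534 65534 1` and `g 65534 65534 1` map those container ids 1:1 onto the host instead of into the shifted 100000+ range, so a container process running as any of them carries the identical identity on the host for anything reachable through a bind mount — the isolation the idmap gives every other id is waived for those ranges. JSON cannot carry a comment, so the Nix module that consumes this file should record why uids 8000–8127, gids 8000–8255 and id 65534 are pass-through (shared service accounts for bind-mounted data? the overflow `nobody` id?) and that the host should keep no unrelated accounts in those ranges. The ranges themselves are contiguous and gap-free (0–7999, the 1:1 window, then up to 65533, 65534, 65535), which is correct.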


@ -1,4 +1,4 @@
{meta, ...}: {
{meta, config, ...}: {
imports = let
inherit (meta) nixos;
in [
@ -6,8 +6,33 @@
nixos.base
nixos.reisen-ct
nixos.keycloak
nixos.cloudflared
nixos.vouch
];
services.cloudflared = let
tunnelId = "c9a4b8c9-42d9-4566-8cff-eb63ca26809d";
inherit (config.services) keycloak vouch-proxy;
in {
tunnels.${tunnelId} = {
default = "http_status:404";
credentialsFile = config.sops.secrets.cloudflared-tunnel-keycloak.path;
ingress = {
${keycloak.settings.hostname} = assert keycloak.enable; let
scheme = if keycloak.sslCertificate != null then "https" else "http";
port = keycloak.settings."${scheme}-port";
in {
service = "${scheme}://localhost:${toString port}";
originRequest.${if scheme == "https" then "noTLSVerify" else null} = true;
};
${vouch-proxy.domain}.service = assert vouch-proxy.enable; "http://localhost:${toString vouch-proxy.settings.vouch.port}";
};
};
};
sops.secrets.cloudflared-tunnel-keycloak = {
owner = config.services.cloudflared.user;
};
sops.defaultSopsFile = ./secrets.yaml;
systemd.network.networks.eth0 = {
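Review bot: `originRequest.${if scheme == "https" then "noTLSVerify" else null} = true;` disables cloudflared's verification of the origin certificate whenever Keycloak is served over TLS, so the connector accepts any certificate presented on localhost; if `keycloak.sslCertificate` is self-signed, pinning it through cloudflared's `caPool` (plus `originServerName` when the name does not match) keeps verification, and if skipping it is deliberate the line deserves a comment such as `# loopback origin with a self-signed cert: origin TLS verification intentionally skipped`. The `else null` attribute-name form is easy to misread as a bug; a short comment like `# a null attribute name drops the binding entirely on the http path` would help the next reader. Because the `${keycloak.settings.hostname}` ingress now has TLS terminated at Cloudflare's edge and forwarded to the origin, Keycloak presumably needs its proxy / proxy-headers setting to trust the forwarded scheme and host — that is not visible in this hunk, so confirm it is set elsewhere. The `systemd.network.networks.eth0` attrset at the end continues past the hunk.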


@ -1,4 +1,4 @@
hello: ENC[AES256_GCM,data:RUCrfjPq790szP+p/etEBYjsJbVq+wGaquYc5EBEEeGH6lrxo7mQwmgtDtxEOQ==,iv:aNOzr8HjPVTADpWZS1J7LlSGM5cWW2dgYUPvsrQuOvM=,tag:aQoPsIqUmVaa6pEBAdxxxw==,type:str]
cloudflared-tunnel-keycloak: ENC[AES256_GCM,data:nXqz6gys7c9UsOy1oiFGFIl/ra/Cf2hb+LLjXI4agEy9mXCAJlKKg7YzuNaHGAXkTKlrpp2lC0P7qNmI3zryTQKBa+LHTq5Lcj9ZSbSW9zhVVS6e155RcdDv/7j1lcZnVmynX+Dz5m8bz490IEuVme985+L9W/5/ksCnjNzUFiCkaxKwe/w2gGv6GdBVYqCFv1j4XBTNAA9D62uZLM5IATtbaam3yZvygWcDLZLpnI+D1Cd5UvOMpgEvdyvKxfaZEzbgkX6BP2mcw+jC9XM=,iv:1rJgyfj+0vIO9hi5U1IarWlaK/tlpAFHn/q7bhtqogg=,tag:fCCY9lxnFt/ImqDeBH0hvw==,type:str]
sops:
shamir_threshold: 1
kms: []
@ -15,8 +15,8 @@ sops:
WkhIeEh1amh5K0hIb2FKZ0ppSGpBZlEKjF9ysJCX40H5vH4UuZSXryAThk3ipdlP
RML2if3bz+uMXgw+zdEx8Ac6IcOM25K0gco6g/6r20WYbKz9og5JuA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-03-13T22:39:15Z"
mac: ENC[AES256_GCM,data:14X+ClZ3Rsvi9aETzjSvjIiKKq6cPOe7t3LrB+ln3FTB4Wf7Fsbhd8aOdYff3yKqTfcnZU2VzEAEFJGNNlkCLQe9PgbKwzfKMH2i5dc9WpgJ6wY2btAUMRp3ocLwGwiRj0Nx8XsvTBL/8qzccHZL0A7I/MmwMiqsIyVWycj679c=,iv:zL8/3+XdVbvWrC5ODKurwtVoY921kQqwocc/hPgDLWI=,tag:HSDA4nCyoKaYBdNNg0+9bA==,type:str]
lastmodified: "2024-03-19T02:38:20Z"
mac: ENC[AES256_GCM,data:OqqsVE2xKsCpIZqszpdBWl9jEToImVW/Vdb5p0HyqjUOL1NSdyRThxx7fft7RlL9Iqd340WrQ/F4kmQHr+4pIEBsKkwrWUh0sbVNz1uLXFasr1nXuhB32zCu6/gxW9fofT11aHBjnH6rLy6KTnXK56jiyaXKPc25EgzKC9aomR4=,iv:hmADJiouxO4dznlSbKXJcAJgRJKtiR5QlypWt3/I7o0=,tag:HBP0G5o30rZsj+2YpM5gkw==,type:str]
pgp:
- created_at: "2024-03-13T22:39:09Z"
enc: |-


@ -40,27 +40,6 @@
nameValuePair host {
service = "http://${accessHostFor args}:${toString port}";
};
ingressForVouch = {
host ? system.services.vouch-proxy.domain,
port ? system.services.vouch-proxy.settings.vouch.port,
hostName,
system ? nixosFor hostName,
...
} @ args:
nameValuePair host {
service = "http://${accessHostFor args}:${toString port}";
};
ingressForKanidm = {
host ? system.services.kanidm.server.frontend.domain,
port ? system.services.kanidm.server.frontend.port,
hostName,
system ? nixosFor hostName,
...
} @ args:
nameValuePair host {
service = "https://${accessHostFor args}:${toString port}";
originRequest.noTLSVerify = true;
};
in {
sops.secrets.cloudflared-tunnel-apartment.owner = cfg.user;
services.cloudflared = {
@ -78,8 +57,6 @@ in {
inherit hostName;
})
(ingressForHass {inherit hostName;})
(ingressForVouch {inherit hostName;})
(ingressForKanidm {inherit hostName;})
];
};
};


@ -6,7 +6,6 @@
"/rpool/shared/mosquitto mnt/shared/mosquitto none bind,optional,create=dir",
"/rpool/shared/hass mnt/shared/hass none bind,optional,create=dir",
"/rpool/shared/postgresql mnt/shared/postgresql none bind,optional,create=dir",
"/rpool/shared/kanidm mnt/shared/kanidm none bind,optional,create=dir",
"/rpool/shared/unifi mnt/shared/unifi none bind,optional,create=dir",
"/dev/ttyZigbee dev/ttyZigbee none bind,optional,create=file",
"/dev/net/tun dev/net/tun none bind,optional,create=file"


@ -5,7 +5,7 @@
...
}: let
inherit (lib.modules) mkIf mkMerge;
inherit (config.services) kanidm mosquitto home-assistant;
inherit (config.services) mosquitto home-assistant;
in {
imports = let
inherit (meta) nixos;
@ -19,8 +19,6 @@ in {
nixos.access.zigbee2mqtt
nixos.access.home-assistant
nixos.access.unifi
nixos.vouch
nixos.kanidm
nixos.unifi
nixos.mosquitto
nixos.home-assistant
@ -43,10 +41,6 @@ in {
networking.firewall = {
interfaces.local.allowedTCPPorts = mkMerge [
(mkIf kanidm.enableServer [
kanidm.server.frontend.port
(mkIf kanidm.server.ldap.enable kanidm.server.ldap.port)
])
(mkIf home-assistant.enable [
home-assistant.config.http.server_port
])