README stuff, glauth

This commit is contained in:
kat witch 2021-09-05 03:44:19 +01:00
parent acfa259b2a
commit 689e012a14
No known key found for this signature in database
GPG key ID: 1B477797DCA5EC72
4 changed files with 39 additions and 79 deletions


@ -10,7 +10,6 @@ These are the NixOS configurations for my systems. I run nothing other than NixO
## Contents
- [To-do][]
- [Nodes][2]
- [Profiles][]
- [User Profiles][]
@ -20,53 +19,6 @@ These are the NixOS configurations for my systems. I run nothing other than NixO
- [Dependencies][]
- [Commands][]
## To-do
- [ ] Write my own Dynamic DNS updater to replace the removed Glauca one using [knsupdate][].
- [ ] Consider reworking [kittywitch/nixexprs][] and [kittywitch/nixfiles-base][].
- [x] In-housed [kittywitch/nixexprs][] as [exprs][].
- [x] Merged my local changes with [exprs][].
- [ ] Prioritise modules reusability.
- [ ] Expand [kittywitch/anicca][] to be a module that helps with impermanence, too.
- [x] Host impermanence enablement check.
- [ ] Break anicca-migrator into interface modules.
- [ ] Bind mount status list.
- [ ] Bind mount start/enabler script.
- [ ] Migrate any nodes that can be impermanent to impermanence.
- [ ] yule
- [ ] beltane
- [ ] athames successor
- [ ] Move to using [arcnmx/screenstub][] without any patches.
- [ ] Check new config options, port current patch to new config options.
- [ ] Move waybar modules to using signals.
- [ ] Make waybar module for gammastep toggle.
- [ ] Investigate how to fix Yules PCI-E issues.
- [ ] Migrate boline to NixOS.
- [x] Look into ARM cross-compilation w/ nixpkgs.
- [x] Look into existing binary caches.
- [ ] Write packages & services for DHT22 exporter + the socat.
- [ ] Migrate [athame][] to OCI.
- [x] Look into ARM cross-compilation w/ nixpkgs.
- [x] Look into existing binary caches.
- [ ] Do backups, figure out per-service backup system for state.
- [x] Create a replacement box before any migration on OCI.
- [ ] Look into alternatives to Yggdrasil and move to them.
- [ ] Set up IPv6 network handling for my hosts.
- [x] Fix network module tf-nix integrations.
- [x] Rinnosuke IPv6.
- [ ] Local node IPv6 configuration.
- [ ] Add CI building and caching for required architectures.
- [x] aarch64 specific implementation
- [x] ARMv6 specific implementation
- [ ] Generalised emulated compiles.
- [ ] Imports structure refactor.
- [x] Work on the readTree-like modList replacement.
- [ ] Eventually refactor recursiveMod to be sane.
- [ ] Extend recursiveMod to allow for merging of structures.
- [ ] Create a “lite” base profile for devices like shinmyoumaru.
- [x] Add a shared profile that adds user imports.
- [x] Migrate some of shinmyoumarus configuration into profiles.hardware.raspi
## Nodes
| Node | Purpose |
@ -210,7 +162,6 @@ Please use `nix-shell` or [direnv/direnv][]. The shell is not compatible with [n
[1]: https://github.com/kittywitch/nixfiles/actions/workflows/nodes.yml
[This repository on my self hosted git.]: https://git.kittywit.ch/kat/nixfiles
[This repository on GitHub.]: https://github.com/kittywitch/nixfiles
[To-do]: #to-do
[2]: #nodes
[Profiles]: #profiles
[User Profiles]: #user-profiles
@ -219,12 +170,6 @@ Please use `nix-shell` or [direnv/direnv][]. The shell is not compatible with [n
[CI]: #ci
[Dependencies]: #dependencies
[Commands]: #commands
[knsupdate]: https://www.knot-dns.cz/docs/2.4/html/man_knsupdate.html
[kittywitch/nixexprs]: https://github.com/kittywitch/nixexprs
[kittywitch/nixfiles-base]: https://github.com/kittywitch/nixfiles-base
[exprs]: overlays/exprs
[kittywitch/anicca]: https://github.com/kittywitch/anicca
[arcnmx/screenstub]: https://github.com/arcnmx/screenstub
[athame]: config/hosts/athame
[daiyousei]: config/hosts/daiyousei
[rinnosuke]: config/hosts/rinnosuke
@ -240,6 +185,7 @@ Please use `nix-shell` or [direnv/direnv][]. The shell is not compatible with [n
[shared]: config/profiles/shared.nix
[vfio]: config/profiles/vfio
[arcnmx/nixexprs]: https://github.com/arcnmx/nixexprs
[arcnmx/screenstub]: https://github.com/arcnmx/screenstub
[hardware]: config/profiles/hardware
[cross]: config/profiles/cross
[3]: config/users/kat/base
@ -283,8 +229,11 @@ Please use `nix-shell` or [direnv/direnv][]. The shell is not compatible with [n
[xmpp]: config/services/xmpp/default.nix
[zfs]: config/services/zfs/default.nix
[znc]: config/services/znc/default.nix
[kittywitch/nixexprs]: https://github.com/kittywitch/nixexprs
[exprs]: overlays/exprs
[arcnmx/tf-nix]: https://github.com/arcnmx/tf-nix
[nix-community/impermanence]: https://github.com/nix-community/impermanence
[kittywitch/anicca]: https://github.com/kittywitch/anicca
[arcnmx/ci]: https://github.com/arcnmx/ci
[6]: ci/nodes.nix
[niv-cron]: ci/niv-cron.nix


@ -50,7 +50,17 @@ in
};
settings = mkOption {
type = json.types.attrs;
default = mkIf cfg.database.enable {
default = {};
};
};
config =
let
localCheck = dbcfg.local && dbcfg.enable && dbcfg.host == "localhost";
postgresCheck = localCheck && dbcfg.type == "postgres";
mysqlCheck = localCheck && dbcfg.type == "mysql";
in
mkIf cfg.enable {
services.glauth.settings = mkIf cfg.database.enable {
backend =
let
pluginHandlers = {
@ -61,27 +71,20 @@ in
in
{
datastore = "plugin";
plugin = "bin/${cfg.database.type}.so";
plugin = "${cfg.package}/bin/plugin_${dbcfg.type}";
pluginhandler = pluginHandlers.${dbcfg.type};
database = if (dbcfg.type != "sqlite") then (builtins.replaceStrings (singleton "\n") (singleton " ") ''
host=${dbcfg.host}
port=${dbcfg.port}
port=${toString dbcfg.port}
dbname=glauth
username=${dbcfg.username}
password=@db-password@
sslmode=${if dbcfg.ssl then "enable" else "disable"}
'') else "database = \"gl.db\"";
};
};
};
};
config =
let
localCheck = dbcfg.local && dbcfg.enable && dbcfg.host == "localhost";
postgresCheck = localCheck && dbcfg.type == "postgres";
mysqlCheck = localCheck && dbcfg.type == "mysql";
in
mkIf cfg.enable {
};
systemd.services.glauthPostgreSQLInit = lib.mkIf postgresCheck {
after = [ "postgresql.service" ];
before = [ "glauth.service" ];
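Review bot: The `database` connection string on the new side still emits `sslmode=enable` when `dbcfg.ssl` is set, and `enable` is not a value libpq-style parsing (which pgx follows) recognises — the accepted keywords are disable, allow, prefer, require, verify-ca and verify-full — so as far as I can tell a TLS-enabled PostgreSQL backend would be rejected at connect time rather than encrypted; `sslmode=${if dbcfg.ssl then "require" else "disable"}` (or `verify-full` once a CA is configured) is the value I would expect here. Only `port=${toString dbcfg.port}` changes in this hunk; the rest of the string is carried over unchanged. The same keyword=value string is also handed to the mysql plugin when `dbcfg.type == "mysql"`, and that driver's DSN form differs from libpq's, so it is worth confirming that branch has ever been exercised. The `config` block begins in the previous hunk and continues past the end of this one.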


@ -1,5 +1,5 @@
{ config, tf, lib, ... }: with lib; {
network.firewall.public.tcp.ports = singleton 3984;
network.firewall.public.tcp.ports = [ 3983 3984 ];
network.extraCerts.domain-auth = "auth.${config.network.dns.domain}";
users.groups.domain-auth.members = [ "nginx" "glauth" ];
@ -17,7 +17,7 @@
settings = {
syslog = true;
ldap = {
enable = false;
enabled = true;
listen = "0.0.0.0:3893";
};
ldaps = {
@ -27,14 +27,22 @@
key = "/var/lib/acme/domain-auth/key.pem";
};
backend = {
baseDN = "dc=kittywitch,dc=com";
baseDN = "dc=kittywitc,dc=ch";
};
users = [{
name = "kat";
passsha256 = tf.variables.glauth-password-hash.ref;
uidnumber = 1000;
primarygroup = 1500;
}];
users = [
{
name = "kat";
passsha256 = tf.variables.glauth-password-hash.ref;
uidnumber = 1000;
primarygroup = 1500;
}
{
name = "kc";
passsha256 = tf.variables.glauth-kc-password-hash.ref;
uidnumber = 1001;
primarygroup = 1500;
}
];
groups = [{
name = "admins";
gidnumber = 1500;
@ -46,7 +54,7 @@
nameValuePair "glauth-${field}" {
path = "services/glauth";
inherit field;
}) ["password-hash" "postgres"];
}) ["password-hash" "kc-password-hash" "postgres"];
secrets.files = {
glauth-postgres-file = {
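Review bot: The `ldap` block now turns on the plaintext LDAP listener bound to `0.0.0.0:3893` (the old key `enable` does not match glauth's `enabled`, so this hunk appears to be what actually activates it), while the firewall line in the first hunk opens only 3983 and 3984, which leaves 3893 reachable unfiltered on any non-public interface the host has; if only local clients need it, `listen = "127.0.0.1:3893";` keeps simple binds off the wire in clear and the `ldaps` listener below remains the external entry point. Separately, `baseDN = "dc=kittywitc,dc=ch";` splits the domain one letter late if it is meant to mirror `kittywit.ch` (the README's `git.kittywit.ch` link suggests so) — `dc=kittywit,dc=ch` — and anything already bound against the previous `dc=kittywitch,dc=com` base will need the same change. The new `kc` entry, like `kat`, stores an unsalted `passsha256`; glauth also accepts `passbcrypt`, which is the better choice for an internet-facing directory since an offline leak of the config is then far harder to brute-force. The `settings` attrset continues past the end of the hunk.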


@ -61,7 +61,7 @@ in
(user:
nameValuePair "mail-${user}-hash" {
text = ''
${tf.variables.mail-kat-hash.ref}
${tf.variables."mail-${user}-hash".ref}
'';
})
users);