feat: add domain-auth group for privilege sharing

This commit is contained in:
Kat Inskip 2022-09-18 10:39:09 -07:00
parent 8df455a82c
commit 6caf15b9e4
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
3 changed files with 8 additions and 5 deletions


@ -273,12 +273,12 @@
nameValuePair "${hostname}-cert" { nameValuePair "${hostname}-cert" {
text = tf.acme.certs.${hostname}.out.refFullchainPem; text = tf.acme.certs.${hostname}.out.refFullchainPem;
owner = "nginx"; owner = "nginx";
group = "nginx"; group = "domain-auth";
}) hostnames) // listToAttrs (map (hostname: }) hostnames) // listToAttrs (map (hostname:
nameValuePair "${hostname}-key" { nameValuePair "${hostname}-key" {
text = tf.acme.certs.${hostname}.out.refPrivateKeyPem; text = tf.acme.certs.${hostname}.out.refPrivateKeyPem;
owner = "nginx"; owner = "nginx";
group = "nginx"; group = "domain-auth";
}) hostnames); }) hostnames);
services.nginx.virtualHosts = let services.nginx.virtualHosts = let
@ -291,6 +291,11 @@
sslCertificateKey = config.secrets.files."${hostname}-key".path; sslCertificateKey = config.secrets.files."${hostname}-key".path;
}) hostnames); }) hostnames);
users.groups.domain-auth = {
gid = 10600;
members = [ "nginx" "openldap" "keycloak" ];
};
networking.firewall = { networking.firewall = {
interfaces = mkMerge (mapAttrsToList (network: settings: interfaces = mkMerge (mapAttrsToList (network: settings:
genAttrs settings.interfaces (_: { allowedTCPPortRanges = settings.tcp; allowedUDPPortRanges = settings.udp; }) genAttrs settings.interfaces (_: { allowedTCPPortRanges = settings.tcp; allowedUDPPortRanges = settings.udp; })
@ -300,7 +305,6 @@
allowedUDPPorts = [ config.services.tailscale.port ]; allowedUDPPorts = [ config.services.tailscale.port ];
}; };
services.tailscale.enable = true; services.tailscale.enable = true;
systemd.services.tailscale-autoconnect = mkIf (builtins.getEnv "TF_IN_AUTOMATION" != "" || tf.state.enable) { systemd.services.tailscale-autoconnect = mkIf (builtins.getEnv "TF_IN_AUTOMATION" != "" || tf.state.enable) {
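Review bot: Setting `group = "domain-auth"` on the `${hostname}-key` entry widens read access to every hostname's private key to the openldap and keycloak service users, because the group is applied inside the `map` over all `hostnames` rather than only to the host those services need. If a single certificate is meant to be shared, narrow the change to that host, e.g. `group = if hostname == "<shared-host placeholder>" then "domain-auth" else "nginx";`. The file mode of the `-key` secret is not set anywhere in the hunk, so confirm the secrets module's default makes the key group-readable but not world-readable (`0440`); otherwise the group change is either ineffective or moot. The second hunk's header reports five additions while four are rendered, and the third hunk's header reports one deletion that is not visible, so the complete change could not be reviewed from this page. The `nameValuePair` expressions begin before the first hunk line.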


@ -24,7 +24,6 @@ in {
}; };
users.groups.domain-auth.members = [ "nginx" "openldap" "keycloak" ];
/* security.acme.certs.domain-auth = { /* security.acme.certs.domain-auth = {
group = "domain-auth"; group = "domain-auth";
postRun = '' postRun = ''

2
tf

@ -1 +1 @@
Subproject commit e4898b63141b7be8bd96c0f91fecc807d732aa58 Subproject commit 04fe3396694d5a10317c37f0376e2397f0323a30