fix(network): uqdn
This commit is contained in:
parent
d1dc6a0e72
commit
58992ff283
6 changed files with 53 additions and 36 deletions
|
|
@ -46,6 +46,10 @@
|
|||
type = nullOr str;
|
||||
default = null;
|
||||
};
|
||||
uqdn = mkOption {
|
||||
type = nullOr str;
|
||||
default = (if config.domain == "@" then (removeSuffix "." config.zone) else (removeSuffix "." config.target));
|
||||
};
|
||||
zone = mkOption {
|
||||
type = nullOr str;
|
||||
default = "kittywit.ch.";
|
||||
|
|
@ -177,7 +181,7 @@
|
|||
};
|
||||
uqdn = mkOption {
|
||||
type = nullOr str;
|
||||
default = lib.removeSuffix "." config.target;
|
||||
default = (if config.domain == "@" then (removeSuffix "." config.zone) else (removeSuffix "." config.target));
|
||||
};
|
||||
target = mkOption {
|
||||
type = nullOr str;
|
||||
|
|
@ -271,7 +275,7 @@
|
|||
# Merge the result of a map upon address_families to mapAttrs'
|
||||
networks'' = map (family: mapAttrs' (network: settings:
|
||||
nameValuePair "${network}-${family}-${settings.domain}-${settings.zone}" ({
|
||||
inherit (settings) zone;
|
||||
inherit (settings) zone domain;
|
||||
} // (if family == "ipv6" then {
|
||||
aaaa.address = settings.ipv6;
|
||||
enable = mkForce settings.ipv6_defined;
|
||||
|
|
@ -279,10 +283,7 @@
|
|||
enable = mkForce settings.ipv4_defined;
|
||||
a.address = settings.ipv4;
|
||||
})
|
||||
) // optionalAttrs (settings.domain != "@" && settings.domain != "" && settings.domain != null) {
|
||||
inherit (settings) domain;
|
||||
} // optionalAttrs (settings.domain == "@" || settings.domain == "" || settings.domain == null) {
|
||||
}) networks') address_families;
|
||||
)) networks') address_families;
|
||||
in mkMerge (if tf.state.enable then (networks'' ++ domains' ++ [ extraDomains ]) else []);
|
||||
|
||||
acme = let
|
||||
|
|
@ -303,9 +304,9 @@
|
|||
};
|
||||
};
|
||||
certs = let
|
||||
nvP = network: settings: nameValuePair "${removeSuffix "." settings.target}" {
|
||||
nvP = network: settings: nameValuePair settings.uqdn {
|
||||
keyType = "4096";
|
||||
dnsNames = [ (removeSuffix "." settings.target) ] ++ (lib.optionals (settings ? extra_domains) settings.extra_domains);
|
||||
dnsNames = [ settings.uqdn ] ++ (lib.optionals (settings ? extra_domains) settings.extra_domains);
|
||||
};
|
||||
network_certs = mapAttrs' nvP (filterAttrs (network: settings: settings.create_cert) sane_networks);
|
||||
domain_certs = mapAttrs' nvP (filterAttrs (network: settings: settings.create_cert) config.domains);
|
||||
|
|
@ -338,34 +339,33 @@
|
|||
};
|
||||
|
||||
secrets.files = let
|
||||
fixedTarget = settings: removeSuffix "." settings.target;
|
||||
networks = mapAttrs' (network: settings:
|
||||
nameValuePair "${fixedTarget settings}-cert" {
|
||||
text = tf.acme.certs.${fixedTarget settings}.out.refFullchainPem;
|
||||
nameValuePair "${settings.uqdn}-cert" {
|
||||
text = tf.acme.certs.${settings.uqdn}.out.refFullchainPem;
|
||||
owner = "nginx";
|
||||
group = "domain-auth";
|
||||
mode = "0440";
|
||||
}
|
||||
) (filterAttrs (_: settings: settings.create_cert) sane_networks);
|
||||
networks' = mapAttrs' (network: settings:
|
||||
nameValuePair "${fixedTarget settings}-key" {
|
||||
text = tf.acme.certs.${fixedTarget settings}.out.refPrivateKeyPem;
|
||||
nameValuePair "${settings.uqdn}-key" {
|
||||
text = tf.acme.certs.${settings.uqdn}.out.refPrivateKeyPem;
|
||||
owner = "nginx";
|
||||
group = "domain-auth";
|
||||
mode = "0440";
|
||||
}
|
||||
) (filterAttrs (_: settings: settings.create_cert) sane_networks);
|
||||
domains = mapAttrs' (network: settings:
|
||||
nameValuePair "${fixedTarget settings}-cert" {
|
||||
text = tf.acme.certs.${fixedTarget settings}.out.refFullchainPem;
|
||||
nameValuePair "${settings.uqdn}-cert" {
|
||||
text = tf.acme.certs.${settings.uqdn}.out.refFullchainPem;
|
||||
owner = settings.owner;
|
||||
group = settings.group;
|
||||
mode = "0440";
|
||||
}
|
||||
) (filterAttrs (network: settings: settings.create_cert) config.domains);
|
||||
domains' = mapAttrs' (network: settings:
|
||||
nameValuePair "${fixedTarget settings}-key" {
|
||||
text = tf.acme.certs.${fixedTarget settings}.out.refPrivateKeyPem;
|
||||
nameValuePair "${settings.uqdn}-key" {
|
||||
text = tf.acme.certs.${settings.uqdn}.out.refPrivateKeyPem;
|
||||
owner = settings.owner;
|
||||
group = settings.group;
|
||||
mode = "0440";
|
||||
|
|
@ -374,18 +374,17 @@
|
|||
in networks // networks' // domains // domains';
|
||||
|
||||
services.nginx.virtualHosts = let
|
||||
networkVirtualHosts = concatLists (mapAttrsToList (network: settings: map(domain: nameValuePair (if domain != "@" then domain else "root") {
|
||||
networkVirtualHosts = concatLists (mapAttrsToList (network: settings: map(domain: nameValuePair (if domain != "@" then domain else settings.zone) {
|
||||
forceSSL = true;
|
||||
sslCertificate = config.secrets.files."${removeSuffix "." settings.target}-cert".path;
|
||||
sslCertificateKey = config.secrets.files."${removeSuffix "." settings.target}-key".path;
|
||||
}) ([ settings.target ] ++ settings.extra_domains)) (filterAttrs (_: settings: settings.create_cert) sane_networks));
|
||||
domainVirtualHosts = (attrValues (mapAttrs (network: settings: removeSuffix "." settings.target) (filterAttrs (network: settings: settings.create_cert) config.domains)));
|
||||
domainVirtualHosts' = (map (hostname2: let
|
||||
hostname = if hasPrefix "@" hostname2 then "root" else hostname2;
|
||||
in nameValuePair hostname {
|
||||
sslCertificate = config.secrets.files."${settings.uqdn}-cert".path;
|
||||
sslCertificateKey = config.secrets.files."${settings.uqdn}-key".path;
|
||||
}) ([ settings.uqdn ] ++ settings.extra_domains)) (filterAttrs (_: settings: settings.create_cert) sane_networks));
|
||||
domainVirtualHosts = (filterAttrs (network: settings: settings.create_cert) config.domains);
|
||||
domainVirtualHosts' = (mapAttrsToList (network: settings: let
|
||||
in nameValuePair settings.uqdn {
|
||||
forceSSL = true;
|
||||
sslCertificate = mkDefault config.secrets.files."${hostname}-cert".path;
|
||||
sslCertificateKey = mkDefault config.secrets.files."${hostname}-key".path;
|
||||
sslCertificate = mkDefault config.secrets.files."${settings.uqdn}-cert".path;
|
||||
sslCertificateKey = mkDefault config.secrets.files."${settings.uqdn}-key".path;
|
||||
}) domainVirtualHosts);
|
||||
in listToAttrs (networkVirtualHosts ++ (lib.optionals config.services.nginx.enable domainVirtualHosts'));
|
||||
|
||||
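Review bot: In hunk @ -46 the new `uqdn` default applies `removeSuffix "."` to `config.zone` or `config.target`, and both can be null here (the option declared just above `uqdn` is `nullOr str` with `default = null`, and `target` in the @ -177 block is `nullOr str`), so an unset target surfaces as a Nix type error inside the default rather than an error naming the option; the same expression is also duplicated verbatim in hunk @ -177, so it would be better as one shared helper. Since `uqdn` now becomes the ACME cert name, the `secrets.files` prefix and the nginx virtualHost name in the @ -303, @ -338 and @ -374 hunks, I would declare it `type = str;`, add `description = "Fully qualified name without trailing dot; used to name the cert, secret files and nginx vhost";`, and drop the redundant parentheses around the `if`. Hunk @ -279 now inherits `domain` unconditionally where the old code omitted it for `"@"`, `""` and `null`; whether the record consumer accepts `domain = "@"` is not visible here, so worth confirming. Hunk @ -374 leaves an empty `let` … `in` in `domainVirtualHosts'`; `(network: settings: nameValuePair settings.uqdn {` reads cleaner. The enclosing option and config attrsets start and end outside these hunks.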
|
|
|
|||
|
|
@ -11,6 +11,11 @@
|
|||
field = "z2m";
|
||||
};
|
||||
|
||||
kw.secrets.variables.systemd-pass = {
|
||||
path = "secrets/mosquitto";
|
||||
field = "systemd";
|
||||
};
|
||||
|
||||
kw.secrets.variables.hass-pass = {
|
||||
path = "secrets/mosquitto";
|
||||
field = "hass";
|
||||
|
|
@ -22,6 +27,12 @@
|
|||
group = "mosquitto";
|
||||
};
|
||||
|
||||
secrets.files.systemd-pass = {
|
||||
text = tf.variables.systemd-pass.ref;
|
||||
owner = "mosquitto";
|
||||
group = "mosquitto";
|
||||
};
|
||||
|
||||
secrets.files.hass-pass = {
|
||||
text = tf.variables.hass-pass.ref;
|
||||
owner = "mosquitto";
|
||||
|
|
@ -36,14 +47,20 @@
|
|||
"pattern readwrite #"
|
||||
];
|
||||
users = {
|
||||
hass = {
|
||||
passwordFile = config.secrets.files.hass-pass.path;
|
||||
z2m = {
|
||||
passwordFile = config.secrets.files.z2m-pass.path;
|
||||
acl = [
|
||||
"readwrite #"
|
||||
];
|
||||
};
|
||||
z2m = {
|
||||
passwordFile = config.secrets.files.z2m-pass.path;
|
||||
systemd = {
|
||||
passwordFile = config.secrets.files.systemd-pass.path;
|
||||
acl = [
|
||||
"readwrite #"
|
||||
];
|
||||
};
|
||||
hass = {
|
||||
passwordFile = config.secrets.files.hass-pass.path;
|
||||
acl = [
|
||||
"readwrite #"
|
||||
];
|
||||
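Review bot: The new `systemd` user in hunk @ -36 is granted `acl = [ "readwrite #" ]`, the whole topic tree, same as z2m and hass; if this account only publishes or subscribes to a narrow set of topics, scope the pattern to those topics instead. If the `"pattern readwrite #"` line at the top of the hunk is the listener-wide ACL it already grants every authenticated user the full tree, in which case the per-user entries are redundant and the global pattern is the one to tighten. In hunk @ -22 the new `secrets.files.systemd-pass` sets owner and group but no `mode` is visible; if the sibling entries in this file set one, add the same here (the hunk ends before `hass-pass` shows it). The enclosing `services.mosquitto` attrset continues outside the hunk.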
|
|
|
|||
|
|
@ -4,7 +4,7 @@
|
|||
owner = "kittywitch";
|
||||
repo = "inskip.me";
|
||||
rev = "3789d9ae2b0135828a6d92e2e6846aec42a29d88";
|
||||
sha256 = "sha256-EYtlGmfEjJ0n2F2OKgKD59SgvKHZC109jgRsyawqGNw=";
|
||||
sha256 = "sha256-nIAeZRxZ86QuZxGnHTIaawySiTEdw8ZQ4L8eR/2Mdy0=";
|
||||
};
|
||||
buildPhase = ''
|
||||
'';
|
||||
|
|
|
|||
|
|
@ -1,7 +1,7 @@
|
|||
{ config, pkgs, lib, tf, ... }: with lib; let
|
||||
id = tf.acme.certs."auth.kittywit.ch".out.resource.getAttr "id";
|
||||
in {
|
||||
services.keycloak = {
|
||||
services.keycloak = lib.mkIf (tf.state.enable) {
|
||||
enable = builtins.getEnv "CI_PLATFORM" == "impure";
|
||||
package = (pkgs.keycloak.override {
|
||||
jre = pkgs.openjdk11;
|
||||
|
|
@ -33,12 +33,12 @@ in {
|
|||
members = [ "keycloak" "openldap" ];
|
||||
};
|
||||
|
||||
systemd.services.keycloak.script = lib.mkBefore ''
|
||||
systemd.services.keycloak.script = lib.mkIf (tf.state.enable) (lib.mkBefore ''
|
||||
mkdir -p /run/keycloak
|
||||
if [[ ! -e /run/keycloak/${id}.jks ]]; then
|
||||
${pkgs.adoptopenjdk-jre-bin}/bin/keytool -import -alias auth.kittywit.ch -noprompt -keystore /run/keycloak/${id}.jks -keypass ${id} -storepass ${id} -file ${config.domains.kittywitch-keycloak.cert_path}
|
||||
fi
|
||||
'';
|
||||
'');
|
||||
|
||||
users.groups.keycloak = { };
|
||||
|
||||
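Review bot: The keytool invocation that hunk @ -33 now wraps in `lib.mkIf (tf.state.enable)` still interpolates `${id}` as both `-keypass` and `-storepass`, so the keystore password is rendered into the unit script in the Nix store and appears in process arguments while keytool runs; that is pre-existing, but since this block is being reworked it may be the moment to move the password into a `secrets.files` entry read at runtime rather than a Nix string. The parentheses in `lib.mkIf (tf.state.enable)` are redundant in both hunks; `lib.mkIf tf.state.enable` is enough. The `id` binding at the top of the file is evaluated unconditionally, though I believe laziness means it is only forced when the `mkIf` condition holds. The `systemd.services.keycloak.script` value starts and ends inside the hunk, but the surrounding module attrset does not.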
|
|
|
|||
|
|
@ -71,5 +71,6 @@
|
|||
network = "internet";
|
||||
type = "cname";
|
||||
domain = "vault";
|
||||
zone = "kittywit.ch.";
|
||||
};
|
||||
}
|
||||
|
|
|
|||
2
tf
2
tf
|
|
@ -1 +1 @@
|
|||
Subproject commit b437fcdf335a6ac1fd710603c4f9b9033752922e
|
||||
Subproject commit abf696684d586e054efc3de9abb7829b8171e91e
|
||||