Add auth.c3d2.de

2022-07-23 00:06:12 +02:00 · 2022-07-23 00:06:12 +02:00 · 70004fb081
parent 6a0583b592
commit 70004fb081
4 changed files with 110 additions and 30 deletions
--- a/flake.lock
+++ b/flake.lock
@ -8,11 +8,11 @@
        "rust-analyzer-src": "rust-analyzer-src"
      },
      "locked": {
-        "lastModified": 1658212081,
-        "narHash": "sha256-zy+sNlqK/yqmMpSzZUIp54OT1yet62r4AZcRR8HiITY=",
+        "lastModified": 1658471435,
+        "narHash": "sha256-NQ6pbKcXv/zZYXiGzx+BsPJglrEps9qJxCdpmB135n4=",
        "owner": "nix-community",
        "repo": "fenix",
-        "rev": "69069698c3aa14fc211c66c6635c1e34f4d6b441",
+        "rev": "353d5ac5d0e3e8c26fe7c6744afdb1929496b1df",
        "type": "github"
      },
      "original": {
@ -52,7 +52,7 @@
      "locked": {
        "lastModified": 1657923513,
        "narHash": "sha256-YzHPow09B9uSdybUxP5lQn2hXk90Q6oTDL6UXzD0/+k=",
-        "ref": "master",
+        "ref": "refs/heads/master",
        "rev": "f7cf04a7ad47e388121f0771651fec0df91407f3",
        "revCount": 61,
        "type": "git",
@ -261,11 +261,11 @@
    },
    "nixos-hardware": {
      "locked": {
-        "lastModified": 1657781616,
-        "narHash": "sha256-M/wl8+gRNELNhEmNjWTZVf61lfZIyiUn/NkyEqQAW80=",
+        "lastModified": 1658401027,
+        "narHash": "sha256-z/sDfzsFOoWNO9nZGfxDCNjHqXvSVZLDBDSgzr9qDXE=",
        "owner": "nixos",
        "repo": "nixos-hardware",
-        "rev": "76c9664813ed7082115ac7efb8a1619a804a631f",
+        "rev": "83009edccc2e24afe3d0165ed98b60ff7471a5f8",
        "type": "github"
      },
      "original": {
@ -276,11 +276,11 @@
    },
    "nixos-unstable": {
      "locked": {
-        "lastModified": 1658103945,
-        "narHash": "sha256-1/kQlzKGt1563JZ+gIlNHU6rEbaDh2KopZLJ4CzraWI=",
+        "lastModified": 1658380158,
+        "narHash": "sha256-DBunkegKWlxPZiOcw3/SNIFg93amkdGIy2g0y/jDpHg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "2e3f6efdeda4cfff0259912495761885d8bee74a",
+        "rev": "a65b5b3f5504b8b89c196aba733bdf2b0bd13c16",
        "type": "github"
      },
      "original": {
@ -290,6 +290,22 @@
        "type": "github"
      }
    },
+    "nixos-unstable-sandro": {
+      "locked": {
+        "lastModified": 1658518038,
+        "narHash": "sha256-UmZMks6eanvgS4C1qYzyqmnm8Cq0WfXp+UuRR6P7BDU=",
+        "owner": "SuperSandro2000",
+        "repo": "nixpkgs",
+        "rev": "ca0f6a20d2a14638f303d9358d9d39dddd33e47e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "SuperSandro2000",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "nixpkgs": {
      "locked": {
        "lastModified": 1645296114,
@ -368,11 +384,11 @@
    },
    "nixpkgs_3": {
      "locked": {
-        "lastModified": 1657972522,
-        "narHash": "sha256-JTiKsBT1BwMbtSUsvtSl8ffkiirby8FaujJVGV766Q8=",
+        "lastModified": 1658422817,
+        "narHash": "sha256-kzZrlzqK6kbkTEnDK21wjRDamUJP0m30pm3XRPk0aZg=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "07a2e6a4e31ea48408861607198972d60adaf4ad",
+        "rev": "70e3e0ee807371e16563a88b77b8533e2cea8aa2",
        "type": "github"
      },
      "original": {
@ -423,11 +439,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1657582234,
-        "narHash": "sha256-0PKwtnYb+uxWR4CghP6Uh2HduGRjW31DnvIp9x3TCUE=",
+        "lastModified": 1658251917,
+        "narHash": "sha256-uQHbd2hTM+JjQOQvJxuixerjWIty395yhe3MKkF2l1I=",
        "owner": "astro",
        "repo": "nix-openwrt-imagebuilder",
-        "rev": "1a18b5abddaef5c9aee89f499183106beb3a95a9",
+        "rev": "43ef0baec4b3928a75cb3be8bc9d6a880dd95d89",
        "type": "github"
      },
      "original": {
@ -466,6 +482,7 @@
        "naersk": "naersk",
        "nixos-hardware": "nixos-hardware",
        "nixos-unstable": "nixos-unstable",
+        "nixos-unstable-sandro": "nixos-unstable-sandro",
        "nixpkgs": "nixpkgs_3",
        "nixpkgs-mobilizon": "nixpkgs-mobilizon",
        "oparl-scraper": "oparl-scraper",
@ -485,11 +502,11 @@
    "rust-analyzer-src": {
      "flake": false,
      "locked": {
-        "lastModified": 1658182792,
-        "narHash": "sha256-NOpxaEiFT9n7oSe02puqerKAt2VRsO8XtZ0Ra83JOOY=",
+        "lastModified": 1658391799,
+        "narHash": "sha256-Bw/zHZXdxe4DLhtT/hk0t/oDwXKLTTtb6Xt4HTbWT74=",
        "owner": "rust-lang",
        "repo": "rust-analyzer",
-        "rev": "567a5e9ef7c753e03d528cbc19110db99e8d6878",
+        "rev": "84a6fac37ad61ff512993ee64b47deff9a52c560",
        "type": "github"
      },
      "original": {
@ -504,7 +521,7 @@
      "locked": {
        "lastModified": 1657924163,
        "narHash": "sha256-iLIo/V8FGW2Urfjom/qroQVmj+4plvb2yclv4ZDA8Yw=",
-        "ref": "master",
+        "ref": "refs/heads/master",
        "rev": "0109b2afff571835107d0861ae8459dd73dc9a66",
        "revCount": 58,
        "type": "git",
@ -527,7 +544,7 @@
      "locked": {
        "lastModified": 1657928876,
        "narHash": "sha256-vK8OIjiD3XpzTH6uv358IU71Jwvu5o2+q8ISg+Vg+tU=",
-        "ref": "master",
+        "ref": "refs/heads/master",
        "rev": "ce0f7c9f962851cdead48cf8dd3ee088aa00efed",
        "revCount": 143,
        "type": "git",
@ -548,11 +565,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1658030499,
-        "narHash": "sha256-Y2Me+uys8VpKUincd7T3ab8O4gBFv8bR5BmBZfn4i4w=",
+        "lastModified": 1658398472,
+        "narHash": "sha256-DjPJ3YQXyV1GRvF3ToBIY+RYdypwNxYchN1HIhDPLe0=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "7526ce07b897ad1f1016680de5121f646e28a893",
+        "rev": "6efa719f8d02139ce41398b9e59e06888dc1305a",
        "type": "github"
      },
      "original": {
@ -593,7 +610,7 @@
      "locked": {
        "lastModified": 1657495218,
        "narHash": "sha256-iPoKIGSnnMo7JG74pSs3RH1ivl6feUlqM+lS5ZnCAnY=",
-        "ref": "master",
+        "ref": "refs/heads/master",
        "rev": "58006d51a409ae6ceb996f66fa4d7eea0e160ecc",
        "revCount": 96,
        "type": "git",
@ -684,11 +701,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1658176981,
-        "narHash": "sha256-zGf7rRHV1PolB48XV6JT2fdPQu8UK52HMNFVymSG3hE=",
-        "ref": "master",
-        "rev": "78586ec3f672ea5a67234da9a409121f44d6247e",
-        "revCount": 1498,
+        "lastModified": 1658519473,
+        "narHash": "sha256-IjZUJBAzwv5I9AagDVYw6R/b3YndY0Vk6jvRq1kwfUM=",
+        "ref": "refs/heads/master",
+        "rev": "ec93cdfcda09a749007e5161c75517e47ecd165d",
+        "revCount": 1501,
        "type": "git",
        "url": "https://gitea.c3d2.de/zentralwerk/network.git"
      },
--- a/flake.nix
+++ b/flake.nix
@ -5,6 +5,8 @@
    nixpkgs.url = "github:nixos/nixpkgs/nixos-22.05";
    nixpkgs-mobilizon.url = "github:minijackson/nixpkgs/init-mobilizon";
    nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+    # contains portunus WIP branch on current nixos-unstable
+    nixos-unstable-sandro.url = "github:SuperSandro2000/nixpkgs/nixos-unstable";
    nixos-hardware.url = "github:nixos/nixos-hardware";
    fenix = {
      url = "github:nix-community/fenix";
@ -427,6 +429,13 @@
            ] ++ modules;
          };
      in {
+        auth = nixosSystem' {
+          modules = [
+            self.nixosModules.microvm
+            ./hosts/containers/auth
+          ];
+          nixpkgs = inputs.nixos-unstable-sandro;
+        };

        broker = nixosSystem' {
          modules = [
--- a/hosts/containers/auth/default.nix
+++ b/hosts/containers/auth/default.nix
@ -0,0 +1,51 @@
+{ zentralwerk, config, lib, pkgs, ... }:
+
+{
+  c3d2 = {
+    deployment = {
+      server = "server10";
+      mounts = [ "etc" "home" "var"];
+    };
+  };
+
+  system.stateVersion = "22.05";
+
+  networking = {
+    hostName = "auth";
+    hosts = {
+      # required for ldaps connection over localhost
+      "::1" = [ "auth.c3d2.de" ];
+      "127.0.0.1" = [ "auth.c3d2.de" ];
+    };
+    firewall.allowedTCPPorts = [ 80 443 ];
+  };
+
+  services = {
+    nginx = {
+      enable = true;
+      virtualHosts."auth.c3d2.de" = {
+        default = true;
+        forceSSL = true;
+        enableACME = true;
+        locations = {
+          "/dex".proxyPass ="http://localhost:${toString config.services.portunus.dex.port}";
+          "/" = {
+            proxyPass = "http://localhost:${toString config.services.portunus.port}";
+          };
+        };
+      };
+    };
+
+    portunus = {
+      enable = true;
+      dex = {
+        # enable = true;
+      };
+      domain = "auth.c3d2.de";
+      ldap = {
+        suffix = "dc=c3d2,dc=de";
+        tls = true;
+      };
+    };
+  };
+}
--- a/hosts/containers/public-access-proxy/default.nix
+++ b/hosts/containers/public-access-proxy/default.nix
@ -19,6 +19,9 @@
      hostNames = [ "vps1.nixvita.de" "vps1.codetu.be" "nixvita.de" ];
      proxyTo.host = "172.20.73.51";
      matchArg = "-m end";
+    } {
+      hostNames = [ "auth.c3d2.de" ];
+      proxyTo.host = config.c3d2.hosts.auth.ip4;
    } {
      hostNames = [ "jabber.c3d2.de" ];
      proxyTo = {