From 70004fb081cd19e68aad7d0b686782a36ad69cd6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Sandro=20J=C3=A4ckel?= Date: Sat, 23 Jul 2022 00:06:12 +0200 Subject: [PATCH] Add auth.c3d2.de --- flake.lock | 77 +++++++++++-------- flake.nix | 9 +++ hosts/containers/auth/default.nix | 51 ++++++++++++ .../public-access-proxy/default.nix | 3 + 4 files changed, 110 insertions(+), 30 deletions(-) create mode 100644 hosts/containers/auth/default.nix diff --git a/flake.lock b/flake.lock index b4f3c12d..5c9ff9a9 100644 --- a/flake.lock +++ b/flake.lock @@ -8,11 +8,11 @@ "rust-analyzer-src": "rust-analyzer-src" }, "locked": { - "lastModified": 1658212081, - "narHash": "sha256-zy+sNlqK/yqmMpSzZUIp54OT1yet62r4AZcRR8HiITY=", + "lastModified": 1658471435, + "narHash": "sha256-NQ6pbKcXv/zZYXiGzx+BsPJglrEps9qJxCdpmB135n4=", "owner": "nix-community", "repo": "fenix", - "rev": "69069698c3aa14fc211c66c6635c1e34f4d6b441", + "rev": "353d5ac5d0e3e8c26fe7c6744afdb1929496b1df", "type": "github" }, "original": { @@ -52,7 +52,7 @@ "locked": { "lastModified": 1657923513, "narHash": "sha256-YzHPow09B9uSdybUxP5lQn2hXk90Q6oTDL6UXzD0/+k=", - "ref": "master", + "ref": "refs/heads/master", "rev": "f7cf04a7ad47e388121f0771651fec0df91407f3", "revCount": 61, "type": "git", @@ -261,11 +261,11 @@ }, "nixos-hardware": { "locked": { - "lastModified": 1657781616, - "narHash": "sha256-M/wl8+gRNELNhEmNjWTZVf61lfZIyiUn/NkyEqQAW80=", + "lastModified": 1658401027, + "narHash": "sha256-z/sDfzsFOoWNO9nZGfxDCNjHqXvSVZLDBDSgzr9qDXE=", "owner": "nixos", "repo": "nixos-hardware", - "rev": "76c9664813ed7082115ac7efb8a1619a804a631f", + "rev": "83009edccc2e24afe3d0165ed98b60ff7471a5f8", "type": "github" }, "original": { 
@@ -276,11 +276,11 @@ }, "nixos-unstable": { "locked": { - "lastModified": 1658103945, - "narHash": "sha256-1/kQlzKGt1563JZ+gIlNHU6rEbaDh2KopZLJ4CzraWI=", + "lastModified": 1658380158, + "narHash": "sha256-DBunkegKWlxPZiOcw3/SNIFg93amkdGIy2g0y/jDpHg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "2e3f6efdeda4cfff0259912495761885d8bee74a", + "rev": "a65b5b3f5504b8b89c196aba733bdf2b0bd13c16", "type": "github" }, "original": { @@ -290,6 +290,22 @@ "type": "github" } }, + "nixos-unstable-sandro": { + "locked": { + "lastModified": 1658518038, + "narHash": "sha256-UmZMks6eanvgS4C1qYzyqmnm8Cq0WfXp+UuRR6P7BDU=", + "owner": "SuperSandro2000", + "repo": "nixpkgs", + "rev": "ca0f6a20d2a14638f303d9358d9d39dddd33e47e", + "type": "github" + }, + "original": { + "owner": "SuperSandro2000", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, "nixpkgs": { "locked": { "lastModified": 1645296114, @@ -368,11 +384,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1657972522, - "narHash": "sha256-JTiKsBT1BwMbtSUsvtSl8ffkiirby8FaujJVGV766Q8=", + "lastModified": 1658422817, + "narHash": "sha256-kzZrlzqK6kbkTEnDK21wjRDamUJP0m30pm3XRPk0aZg=", "owner": "nixos", "repo": "nixpkgs", - "rev": "07a2e6a4e31ea48408861607198972d60adaf4ad", + "rev": "70e3e0ee807371e16563a88b77b8533e2cea8aa2", "type": "github" }, "original": { @@ -423,11 +439,11 @@ ] }, "locked": { - "lastModified": 1657582234, - "narHash": "sha256-0PKwtnYb+uxWR4CghP6Uh2HduGRjW31DnvIp9x3TCUE=", + "lastModified": 1658251917, + "narHash": "sha256-uQHbd2hTM+JjQOQvJxuixerjWIty395yhe3MKkF2l1I=", "owner": "astro", "repo": "nix-openwrt-imagebuilder", - "rev": "1a18b5abddaef5c9aee89f499183106beb3a95a9", + "rev": "43ef0baec4b3928a75cb3be8bc9d6a880dd95d89", "type": "github" }, "original": { 
@@ -466,6 +482,7 @@ "naersk": "naersk", "nixos-hardware": "nixos-hardware", "nixos-unstable": "nixos-unstable", + "nixos-unstable-sandro": "nixos-unstable-sandro", "nixpkgs": "nixpkgs_3", "nixpkgs-mobilizon": "nixpkgs-mobilizon", "oparl-scraper": "oparl-scraper", @@ -485,11 +502,11 @@ "rust-analyzer-src": { "flake": false, "locked": { - "lastModified": 1658182792, - "narHash": "sha256-NOpxaEiFT9n7oSe02puqerKAt2VRsO8XtZ0Ra83JOOY=", + "lastModified": 1658391799, + "narHash": "sha256-Bw/zHZXdxe4DLhtT/hk0t/oDwXKLTTtb6Xt4HTbWT74=", "owner": "rust-lang", "repo": "rust-analyzer", - "rev": "567a5e9ef7c753e03d528cbc19110db99e8d6878", + "rev": "84a6fac37ad61ff512993ee64b47deff9a52c560", "type": "github" }, "original": { @@ -504,7 +521,7 @@ "locked": { "lastModified": 1657924163, "narHash": "sha256-iLIo/V8FGW2Urfjom/qroQVmj+4plvb2yclv4ZDA8Yw=", - "ref": "master", + "ref": "refs/heads/master", "rev": "0109b2afff571835107d0861ae8459dd73dc9a66", "revCount": 58, "type": "git", @@ -527,7 +544,7 @@ "locked": { "lastModified": 1657928876, "narHash": "sha256-vK8OIjiD3XpzTH6uv358IU71Jwvu5o2+q8ISg+Vg+tU=", - "ref": "master", + "ref": "refs/heads/master", "rev": "ce0f7c9f962851cdead48cf8dd3ee088aa00efed", "revCount": 143, "type": "git", @@ -548,11 +565,11 @@ ] }, "locked": { - "lastModified": 1658030499, - "narHash": "sha256-Y2Me+uys8VpKUincd7T3ab8O4gBFv8bR5BmBZfn4i4w=", + "lastModified": 1658398472, + "narHash": "sha256-DjPJ3YQXyV1GRvF3ToBIY+RYdypwNxYchN1HIhDPLe0=", "owner": "Mic92", "repo": "sops-nix", - "rev": "7526ce07b897ad1f1016680de5121f646e28a893", + "rev": "6efa719f8d02139ce41398b9e59e06888dc1305a", "type": "github" }, "original": { @@ -593,7 +610,7 @@ "locked": { "lastModified": 1657495218, "narHash": "sha256-iPoKIGSnnMo7JG74pSs3RH1ivl6feUlqM+lS5ZnCAnY=", - "ref": "master", + "ref": "refs/heads/master", "rev": "58006d51a409ae6ceb996f66fa4d7eea0e160ecc", "revCount": 96, "type": "git", 
@@ -684,11 +701,11 @@
 ]
 },
 "locked": {
- "lastModified": 1658176981,
- "narHash": "sha256-zGf7rRHV1PolB48XV6JT2fdPQu8UK52HMNFVymSG3hE=",
- "ref": "master",
- "rev": "78586ec3f672ea5a67234da9a409121f44d6247e",
- "revCount": 1498,
+ "lastModified": 1658519473,
+ "narHash": "sha256-IjZUJBAzwv5I9AagDVYw6R/b3YndY0Vk6jvRq1kwfUM=",
+ "ref": "refs/heads/master",
+ "rev": "ec93cdfcda09a749007e5161c75517e47ecd165d",
+ "revCount": 1501,
 "type": "git",
 "url": "https://gitea.c3d2.de/zentralwerk/network.git"
 },
diff --git a/flake.nix b/flake.nix
index 501ba98f..9fc1db5b 100644
--- a/flake.nix
+++ b/flake.nix
@@ -5,6 +5,8 @@
 nixpkgs.url = "github:nixos/nixpkgs/nixos-22.05";
 nixpkgs-mobilizon.url = "github:minijackson/nixpkgs/init-mobilizon";
 nixos-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+ # contains portunus WIP branch on current nixos-unstable
+ nixos-unstable-sandro.url = "github:SuperSandro2000/nixpkgs/nixos-unstable";
 nixos-hardware.url = "github:nixos/nixos-hardware";
 fenix = {
 url = "github:nix-community/fenix";
@@ -427,6 +429,13 @@
 ] ++ modules;
 };
 in {
+ auth = nixosSystem' {
+ modules = [
+ self.nixosModules.microvm
+ ./hosts/containers/auth
+ ];
+ nixpkgs = inputs.nixos-unstable-sandro;
+ };
 broker = nixosSystem' {
 modules = [
diff --git a/hosts/containers/auth/default.nix b/hosts/containers/auth/default.nix
new file mode 100644
index 00000000..5af84004
--- /dev/null
+++ b/hosts/containers/auth/default.nix
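Review bot: The new `nixos-unstable-sandro` input makes the `auth` host — the identity provider the rest of the infrastructure will trust — build from a personal fork on a moving branch (`github:SuperSandro2000/nixpkgs/nixos-unstable`), so every `nix flake update` pulls whatever that branch holds at the time and only the fork owner controls its contents. The lock entry pins a `rev` and `narHash`, which keeps the current build reproducible, but the comment should record the exit condition, e.g. `# TODO: drop once the portunus changes land in nixos-unstable (tracking PR: …)` — I cannot see the upstream PR from here, so fill in the link. Consider pinning the input to the specific commit (`github:SuperSandro2000/nixpkgs/<rev>`) or to a branch named after the feature, so an unrelated push to the fork's `nixos-unstable` cannot silently change the auth host on the next update. The `auth = nixosSystem' { … nixpkgs = inputs.nixos-unstable-sandro; }` block in the second hunk is where this dependency is consumed; the enclosing attribute sets of both hunks start and end outside the hunks.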
@@ -0,0 +1,51 @@
+{ zentralwerk, config, lib, pkgs, ... }:
+
+{
+ c3d2 = {
+ deployment = {
+ server = "server10";
+ mounts = [ "etc" "home" "var"];
+ };
+ };
+
+ system.stateVersion = "22.05";
+
+ networking = {
+ hostName = "auth";
+ hosts = {
+ # required for ldaps connection over localhost
+ "::1" = [ "auth.c3d2.de" ];
+ "127.0.0.1" = [ "auth.c3d2.de" ];
+ };
+ firewall.allowedTCPPorts = [ 80 443 ];
+ };
+
+ services = {
+ nginx = {
+ enable = true;
+ virtualHosts."auth.c3d2.de" = {
+ default = true;
+ forceSSL = true;
+ enableACME = true;
+ locations = {
+ "/dex".proxyPass ="http://localhost:${toString config.services.portunus.dex.port}";
+ "/" = {
+ proxyPass = "http://localhost:${toString config.services.portunus.port}";
+ };
+ };
+ };
+ };
+
+ portunus = {
+ enable = true;
+ dex = {
+ # enable = true;
+ };
+ domain = "auth.c3d2.de";
+ ldap = {
+ suffix = "dc=c3d2,dc=de";
+ tls = true;
+ };
+ };
+ };
+}
diff --git a/hosts/containers/public-access-proxy/default.nix b/hosts/containers/public-access-proxy/default.nix
index a147077f..2a8c0678 100644
--- a/hosts/containers/public-access-proxy/default.nix
+++ b/hosts/containers/public-access-proxy/default.nix
@@ -19,6 +19,9 @@
 hostNames = [ "vps1.nixvita.de" "vps1.codetu.be" "nixvita.de" ];
 proxyTo.host = "172.20.73.51";
 matchArg = "-m end";
+ } {
+ hostNames = [ "auth.c3d2.de" ];
+ proxyTo.host = config.c3d2.hosts.auth.ip4;
 } {
 hostNames = [ "jabber.c3d2.de" ];
 proxyTo = {
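Review bot: `locations."/dex"` proxies to `config.services.portunus.dex.port` while `dex.enable = true` is left commented out in the `portunus` block, so as committed nginx forwards `/dex` to a port nothing listens on; either enable dex or guard the location, e.g. `"/dex" = lib.mkIf config.services.portunus.dex.enable { proxyPass = "http://localhost:${toString config.services.portunus.dex.port}"; };`. Both backends are reached over plain HTTP behind `forceSSL = true` and the vhost does not turn on `recommendedProxySettings`, so Portunus and dex will not see `Host` or `X-Forwarded-Proto`; if either derives redirect/issuer URLs or cookie `Secure` flags from those headers — I cannot confirm that from here — set `services.nginx.recommendedProxySettings = true;`. The loopback `networking.hosts` entries deserve a fuller comment, since their purpose is to make the certificate name check pass for local LDAPS clients: `# map auth.c3d2.de to loopback so local LDAPS clients connect with a hostname matching the TLS certificate`. Minor style: `proxyPass ="http…"` is missing the space after `=` that the rest of the file uses.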