forked from c3d2/nix-config
71 lines
1.6 KiB
Nix
71 lines
1.6 KiB
Nix
{ config, lib, libS, ... }:
|
|
|
|
{
|
|
c3d2.deployment.server = "server10";
|
|
|
|
system.stateVersion = "22.05";
|
|
|
|
networking = {
|
|
hostName = "auth";
|
|
firewall.allowedTCPPorts = [
|
|
636 # ldaps
|
|
];
|
|
};
|
|
|
|
services = {
|
|
dex.settings.oauth2.skipApprovalScreen = true;
|
|
|
|
nginx = {
|
|
enable = true;
|
|
virtualHosts."auth.c3d2.de" = {
|
|
default = true;
|
|
forceSSL = true;
|
|
enableACME = true;
|
|
locations = {
|
|
"/".proxyPass = "http://localhost:${toString config.services.portunus.port}";
|
|
"/dex".proxyPass ="http://localhost:${toString config.services.portunus.dex.port}";
|
|
};
|
|
};
|
|
};
|
|
|
|
portunus = {
|
|
enable = true;
|
|
dex = {
|
|
enable = true;
|
|
oidcClients = [ {
|
|
callbackURL = "https://grafana.hq.c3d2.de/login/generic_oauth";
|
|
id = "grafana";
|
|
} ];
|
|
};
|
|
ldap = {
|
|
searchUserName = "search";
|
|
suffix = "dc=c3d2,dc=de";
|
|
tls = true;
|
|
};
|
|
seedPath = ./seed.json;
|
|
};
|
|
};
|
|
|
|
sops = {
|
|
defaultSopsFile = ./secrets.yaml;
|
|
secrets."dex/environment" = libS.sops.permissionForUser "dex";
|
|
secrets."portunus/users/admin-password" = libS.sops.permissionForUser "portunus";
|
|
secrets."portunus/users/search-password" = libS.sops.permissionForUser "portunus";
|
|
};
|
|
|
|
systemd.services.dex.serviceConfig = {
|
|
DynamicUser = lib.mkForce false;
|
|
EnvironmentFile = config.sops.secrets."dex/environment".path;
|
|
StateDirectory = "dex";
|
|
User = "dex";
|
|
};
|
|
|
|
users = {
|
|
groups.dex = { };
|
|
users.dex = {
|
|
group = "dex";
|
|
isSystemUser = true;
|
|
};
|
|
};
|
|
}
|