desec

2023-09-14 15:50:04 +02:00 · 2023-09-14 15:50:04 +02:00 · 91259d02e7
commit 91259d02e7
parent 0342390b6f
11 changed files with 154 additions and 99 deletions
--- a/nixos-modules/services/authelia.nix
+++ b/nixos-modules/services/authelia.nix
@ -1,8 +1,8 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.ragon.services.authelia;
-  stateDir = "/var/lib/authelia";
  instanceName = "main";
+  stateDir = "/var/lib/authelia-${instanceName}";
 in
 {
  options.ragon.services.authelia.enable = lib.mkEnableOption "Enables the authelia SSO Server";
@ -13,12 +13,12 @@ in
    };
  config = lib.mkIf cfg.enable {

-    ragon.agenix.secrets.autheliaStorageEncryption = { };
-    ragon.agenix.secrets.autheliaSessionSecret = { };
-    ragon.agenix.secrets.autheliaOidcIssuerPrivateKey = { };
-    ragon.agenix.secrets.autheliaOidcHmacSecret = { };
-    ragon.agenix.secrets.autheliaJwtSecret = { };
-    ragon.agenix.secrets.autheliaEmail = { user = "authelia"; };
+    ragon.agenix.secrets.autheliaStorageEncryption = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaSessionSecret = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaOidcIssuerPrivateKey = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaOidcHmacSecret = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaJwtSecret = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaEmail = { owner = "authelia-main"; };
    services.authelia.instances.${instanceName} = {
      enable = true;
      secrets = {
@ -28,38 +28,35 @@ in
        oidcHmacSecretFile = config.age.secrets.autheliaOidcHmacSecret.path;
        jwtSecretFile = config.age.secrets.autheliaJwtSecret.path;
      };
-      settingstFiles = [
+      settingsFiles = [
        config.age.secrets.autheliaEmail.path
      ];
      settings = {
        theme = "auto";
        default_2fa_method = "webauthn";
+        access_control = {
+          default_policy = "one_factor";
+        };
        authentication_backend = {
          file = {
            path = "${stateDir}/users.yml";
          };
        };
+        session = {
+          domain = cfg.domain;
+        };
        storage = {
          postgres = {
            host = "/run/postgresql";
-          };
-        };
-        notifier = {
-          smtp = {
-            address = "smtp://smtp.ionos.de:465";
-            sender = "xyno.systems SSO <machdas@xyno.space>";
-            username = "machdas@xyno.space";
-            subject = "[xyno.systems SSO] {title}";
-            startup_check_address = "autodelete@phochkamp.de";
+            port = "5432";
+            database = "authelia";
+            username = "authelia-main";
+            password = "dosentmatter";
          };
        };

      };
    };
-    systemd.tmpfiles.rules = [
-      "d ${stateDir} 0755 authelia authelia -"
-    ];
-    ragon.agenix.secrets.autheliaSecret.owner = "authelia";
    services.nginx.virtualHosts."${cfg.domain}" = {
      locations."/".proxyWebsockets = true;
      locations."/".proxyPass = "http://127.0.0.1:${toString config.services.authelia.instances.${instanceName}.settings.server.port}";
@ -71,7 +68,7 @@ in
      ensureDatabases = [ "authelia" ];
      ensureUsers = [
        {
-          name = "authelia";
+          name = "authelia-main";
          ensurePermissions."DATABASE authelia" = "ALL PRIVILEGES";
        }
      ];
--- a/nixos-modules/services/hedgedoc.nix
+++ b/nixos-modules/services/hedgedoc.nix
@ -1,7 +1,6 @@
 { config, lib, pkgs, ... }:
 let
  cfg = config.ragon.services.hedgedoc;
-  domain = config.ragon.services.nginx.domain;
 in
 {
  options.ragon.services.hedgedoc.enable = lib.mkEnableOption "Enables the hedgedoc BitWarden Server";
@ -11,14 +10,14 @@ in
      default = "md.xyno.systems";
    };
  config = lib.mkIf cfg.enable {
-    ragon.agenix.secrets.autheliaHedgedoc = { user = "authelia"; };
+    ragon.agenix.secrets.autheliaHedgedoc = { owner = "authelia-main"; };
    services.authelia.instances.main.settingsFiles = [
      config.age.secrets.autheliaHedgedoc.path
    ];
    services.hedgedoc = {
      enable = true;
      environmentFile = "${config.age.secrets.hedgedocSecret.path}";
-      configuration = {
+      settings = {
        protocolUseSSL = true;
        sessionSecret = "$SESSION_SECRET";
        allowAnonymous = false;
@ -26,12 +25,12 @@ in
        allowFreeURL = true;
        email = false;
        oauth2 = {
-          clientID = "$OAUTH2_CLIENT_ID";
-          clientSecret = "$OAUTH2_CLIENT_SECRET";
+          clientID = "$CLIENT_ID";
+          clientSecret = "$CLIENT_SECRET";
          providerName = "xyno.systems SSO";
-          authorizationURL = "https://sso.xyno.systems/oauth2/authorize";
-          tokenURL = "https://sso.xyno.systems/oauth2/token";
-          userProfileURL = "https://sso.xyno.systems/oauth2/userinfo";
+          authorizationURL = "https://sso.xyno.systems/api/oidc/authorize";
+          tokenURL = "https://sso.xyno.systems/api/oidc/token";
+          userProfileURL = "https://sso.xyno.systems/api/oidc/userinfo";
          scope = "openid profile email";
          userProfileUsernameAttr = "sub";
          userProfileEmailAttr = "email";
@ -47,9 +46,9 @@ in

    };
    ragon.agenix.secrets.hedgedocSecret.owner = "hedgedoc";
-    services.nginx.virtualHosts."${cfg.domainPrefix}.${domain}" = {
+    services.nginx.virtualHosts."${cfg.domain}" = {
      locations."/".proxyWebsockets = true;
-      locations."/".proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.configuration.port}";
+      locations."/".proxyPass = "http://[::1]:${toString config.services.hedgedoc.settings.port}";
    } // (lib.my.findOutTlsConfig cfg.domain config);
    services.postgresql = {

--- a/nixos-modules/services/tailscale-to-vpn.nix
+++ b/nixos-modules/services/tailscale-to-vpn.nix
@ -0,0 +1,68 @@
+{ config, pkgs, lib, ... }:
+with lib;
+let
+  cfg = config.ragon.tailscaleToVpn;
+  ovpnConfigPath = cfg.ovpnConfigPath;
+  stateVer = config.system.stateVersion;
+in
+{
+
+  options.ragon.tailscaleToVpn = {
+    enable = mkEnableOption "tailscale-to-vpn. you need to enable nat to ve-+ able to use this";
+    ovpnConfigPath = mkOption {
+      type = types.str;
+      default = "/etc/openvpn/client.conf";
+      description = "full path to the OpenVPN client configuration file, is expected to be in /run";
+    };
+  };
+
+  config = mkIf cfg.enable {
+    networking.bridges.br-ovpn-ts = {
+      interfaces = [ ];
+    };
+    containers.TSTVPN-openvpn = {
+      ephemeral = true;
+      enableTun = true;
+      interfaces = [ "br-ovpn-ts" ];
+      localAddress = "192.168.102.11";
+      hostAddress = "192.168.102.10";
+
+      config = { config, pkgs, ... }: {
+        system.stateVersion = stateVer;
+        networking.interfaces.br-ovpn-ts = {
+          ipv4.addresses = [ "192.168.101.1/24" ];
+        };
+        services.openvpn.servers.bridge = {
+          config = ''
+            config /host${ovpnConfigPath}
+            dev ovpn-bridge
+            dev-type tun
+          '';
+        };
+        networking.nat = {
+          externalInterface = "ovpn-bridge";
+          internalInterfaces = [ "br-ovpn-ts" ];
+        };
+      };
+      privateNetwork = true;
+      bindMounts = {
+        "/host/run" = { hostPath = "/run"; isReadOnly = true; };
+        "/run/agenix.d" = { hostPath = "/run/agenix.d"; isReadOnly = true; };
+      };
+    };
+    containers.TSTVPN-tailscale = {
+      enableTun = true;
+      hostBridge = "br-ovpn-ts";
+      localAddress = "192.168.101.2/24";
+      privateNetwork = true;
+      config = { config, pkgs, ... }: {
+        system.stateVersion = stateVer;
+        services.tailscale = {
+          enable = true;
+          useRoutingFeatures = "both";
+        };
+      };
+    };
+
+  };
+}