materus
/
nixos-config
mirror of https://github.com/materusPL/nixos-config
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

waffentrager: updates to use ldap and postgres, fix samba characters

This commit is contained in:
Mateusz Słodkowicz 2024-07-22 15:31:57 +02:00
parent f833382298
commit 3dc734957e
Signed by: materus
GPG Key ID: 28D140BCA60B4FD1
9 changed files with 127 additions and 33 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
configurations/host/flamaster/configuration.nix
View File

@ -164,29 +164,28 @@
# Or disable the firewall altogether. # Or disable the firewall altogether.
networking.firewall.enable = true; networking.firewall.enable = true;
networking.networkmanager.extraConfig = lib.mkDefault '' networking.networkmanager.settings = {
[connectivity] connectivity = { uri = lib.mkDefault "http://nmcheck.gnome.org/check_network_status.txt"; };
uri=http://nmcheck.gnome.org/check_network_status.txt };
'';
# This value determines the NixOS release from which the default # This value determines the NixOS release from which the default
# settings for stateful data, like file locations and database versions # settings for stateful data, like file locations and database versions
# on your system were taken. Its perfectly fine and recommended to leave # on your system were taken. Its perfectly fine and recommended to leave
# this value at the release version of the first install of this system. # this value at the release version of the first install of this system.
# Before changing this value read the documentation for this option # Before changing this value read the documentation for this option
# (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
system.stateVersion = "23.05"; # Did you read the comment? system.stateVersion = "23.05"; # Did you read the comment?
programs.neovim.enable = true; programs.neovim.enable = true;
programs.neovim.vimAlias = true; programs.neovim.vimAlias = true;
programs.neovim.viAlias = true; programs.neovim.viAlias = true;
services.flatpak.enable = true; services.flatpak.enable = true;
xdg.portal.enable = true; xdg.portal.enable = true;
virtualisation.podman.enable = true; virtualisation.podman.enable = true;
virtualisation.podman.dockerCompat = true; virtualisation.podman.dockerCompat = true;
virtualisation.podman.enableNvidia = true; virtualisation.podman.enableNvidia = true;
virtualisation.podman.dockerSocket.enable = true; virtualisation.podman.dockerSocket.enable = true;
} }

7
configurations/host/waffentrager/secrets/secrets.yaml
View File

@ -2,6 +2,9 @@ wireguard: ENC[AES256_GCM,data:QLngCAtEa6wfRRrZwywbARhsS1oGj9+hGTlC1QV6xnRmlZLor
nextcloud-adminpass: ENC[AES256_GCM,data:5vohRPEcJJ8gIRro38O73ufSYYEp1DXpBgjCPdPnMcg=,iv:STh3k5wUwx3AfSDTPCXhuXbPb3d+Vi1cAaQN2a9eW1w=,tag:Ef/Z2Idvl6575Jvs2GDJ8A==,type:str] nextcloud-adminpass: ENC[AES256_GCM,data:5vohRPEcJJ8gIRro38O73ufSYYEp1DXpBgjCPdPnMcg=,iv:STh3k5wUwx3AfSDTPCXhuXbPb3d+Vi1cAaQN2a9eW1w=,tag:Ef/Z2Idvl6575Jvs2GDJ8A==,type:str]
jwt: ENC[AES256_GCM,data:1Qn7DaBZr8vEa8VZiv2BpwePPOBYRTdHEiDv0asUbvhCtfHvhG4mX5/plyRPlQok6FLEjEzKZTEdnvyyOtFEgA==,iv:kqfHkEr0jkKAro9gQup6CeopQnjfMGhEqbVL81wnDgc=,tag:gP/WACy5cOzzmQOh1v8wsQ==,type:str] jwt: ENC[AES256_GCM,data:1Qn7DaBZr8vEa8VZiv2BpwePPOBYRTdHEiDv0asUbvhCtfHvhG4mX5/plyRPlQok6FLEjEzKZTEdnvyyOtFEgA==,iv:kqfHkEr0jkKAro9gQup6CeopQnjfMGhEqbVL81wnDgc=,tag:gP/WACy5cOzzmQOh1v8wsQ==,type:str]
lldap-database: ENC[AES256_GCM,data:rNLS4WwvqRd3TFWDXaf8UmDTRsHZNPPS,iv:URV4Oz4ik2vHb03+Zh7ND+AbozSmoXpxENpvad4yvRI=,tag:6TbuMCnHwtTaG5mMWVN/mQ==,type:str] lldap-database: ENC[AES256_GCM,data:rNLS4WwvqRd3TFWDXaf8UmDTRsHZNPPS,iv:URV4Oz4ik2vHb03+Zh7ND+AbozSmoXpxENpvad4yvRI=,tag:6TbuMCnHwtTaG5mMWVN/mQ==,type:str]
authelia-storagekey: ENC[AES256_GCM,data:T5b5QWf6vlGHniuUic0tEFSJNNWaFbvi3emZOWEQz0AhNqDpxJZqO57KdjZ02NVMoxHN54c0ChWlHRCoAj234A==,iv:Rch5RQ0oblTTWXz0it7zZuYQNYhYMa0MsorAx9N4GV0=,tag:+GlwGnPXLukzDnW6BUf6Hg==,type:str]
authelia-database: ENC[AES256_GCM,data:XZYk4clzLaMb3/plELOnEoy4bwu/YSQg,iv:TGDKjLdcdmwEI12XDDNGHTgYnJxB+vV6RaomKU+jwpY=,tag:c/p7X4tzPWWiLvAL7DJmYg==,type:str]
ldap-master: ENC[AES256_GCM,data:jiinK8xzuKiTwB9k44okgj+sWWEgbeay,iv:Slvci3EBylIbP/I6NFIJTd3eitxVApXrORtnXY48eGg=,tag:OwaVYBNxNbQyIHrqOcUGhg==,type:str]
elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str] elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str]
users: users:
materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str] materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str]
@ -20,8 +23,8 @@ sops:
eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F
ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA== ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-07-13T16:21:39Z" lastmodified: "2024-07-21T22:14:08Z"
mac: ENC[AES256_GCM,data:vVFnPSbCbekww0RVyGdztiUZT/A0VeH+eap3JD96tut7SNJddM2YMVDFYjZROR0qrNEnEFpBNrRZCDJXzBj6qvujDaaSRSjksehyipVKRo3JvHzwj6jqCwAgAJoFYFqKvM/b9Cz88ujKpMW6cm0RKNcf56sITOi06UWtZSGdbxg=,iv:SlFXlEEbgBVIIuhjpR/Eleae34k46Ah3SSsf9fY66NU=,tag:QDqV/vXdhDAPYTTK3x3YTA==,type:str] mac: ENC[AES256_GCM,data:DKI+SljQTH+5T7wtIfYRzNK+W5qQoxQ7E/6b9S7cptAsccdZhupWmVzHlwUlk5MFm92r0Qy3A6B/qV8Dashf6ABmjfnDuysvPoI5O45xE0Qs3TEyPKAbPV07FVi6lDHInEOznNAr6vhEN1Bhveg+ByyVeo+C5C5b+U7Qvx5KESM=,iv:B6xX7/u1ZHOPbEheFSpDeaRey3SP9bZMnDARc5xvzRM=,tag:nux6gkIfodj/4JedkBXWkQ==,type:str]
pgp: pgp:
- created_at: "2024-03-21T18:15:00Z" - created_at: "2024-03-21T18:15:00Z"
enc: |- enc: |-

80
configurations/host/waffentrager/services/auth/authelia.nix Normal file
View File

@ -0,0 +1,80 @@
{ config, pkgs, lib, materusArg, ... }:
{
options.waffentragerService.auth.authelia.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable authelia";
config =
let
cfg = config.waffentragerService.auth.authelia;
port = 9091;
in
lib.mkIf cfg.enable {
sops.secrets."authelia-storagekey" = { owner = "authelia"; };
sops.secrets."authelia-database" = { owner = "authelia"; };
sops.secrets."ldap-master" = { owner = "authelia"; };
users.users.authelia = {
group = "lldap";
isSystemUser = true;
};
services.authelia.instances.main = {
enable = true;
user = "authelia";
environmentVariables = {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.sops.secrets."ldap-master".path;
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = config.sops.secrets."authelia-database".path;
};
secrets = {
jwtSecretFile = config.sops.secrets.jwt.path;
storageEncryptionKeyFile = config.sops.secrets."authelia-storagekey".path;
};
settings = {
access_control = {
default_policy = "one_factor";
};
authentication_backend = {
ldap.url = "ldap://127.0.0.1:3890";
ldap.implementation = "custom";
ldap.base_dn = config.services.lldap.settings.ldap_base_dn;
ldap.user = "CN=master,ou=people,DC=podkos,DC=pl";
ldap.additional_users_dn = "OU=people";
ldap.users_filter = "(&({username_attribute}={input})(objectClass=person))";
ldap.additional_groups_dn = "OU=groups";
ldap.groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
};
storage = {
postgres.host = "/var/run/postgresql";
postgres.port = "5432";
postgres.database = "authelia";
postgres.username = "authelia";
};
notifier = {
disable_startup_check = false;
filesystem.filename = "/tmp/test_notification.txt";
};
session = {
name = "materus-session";
domain = "materus.pl";
};
default_redirection_url = "https://materus.pl";
server.port = port;
};
};
services.nginx.virtualHosts."gatekeeper.materus.pl" = {
forceSSL = true;
http3 = true;
sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
locations."/" = {
proxyPass = "http://127.0.0.1:${builtins.toString port}";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
};
};
}

2
configurations/host/waffentrager/services/auth/default.nix
View File

@ -3,9 +3,11 @@
imports = imports =
[ [
./lldap.nix ./lldap.nix
./authelia.nix
]; ];
config = config =
{ {
waffentragerService.auth.lldap.enable = true; waffentragerService.auth.lldap.enable = true;
waffentragerService.auth.authelia.enable = true;
}; };
} }

4
configurations/host/waffentrager/services/auth/lldap.nix
View File

@ -45,7 +45,7 @@
group = "lldap"; group = "lldap";
isSystemUser = true; isSystemUser = true;
}; };
sops.secrets.jwt = { owner = "lldap"; group = "lldap"; }; sops.secrets.jwt = { owner = "lldap"; group = "lldap"; mode = "0440"; };
sops.secrets."lldap-database" = { owner = "lldap"; group = "lldap"; }; sops.secrets."lldap-database" = { owner = "lldap"; group = "lldap"; };
services.lldap.enable = true; services.lldap.enable = true;
services.lldap.environmentFile = config.sops.templates."lldap.env".path; services.lldap.environmentFile = config.sops.templates."lldap.env".path;
@ -60,6 +60,8 @@
services.lldap.settings = { services.lldap.settings = {
ldap_base_dn = "dc=podkos,dc=pl"; ldap_base_dn = "dc=podkos,dc=pl";
ldap_host = "127.0.0.1";
http_url = "https://mamba.podkos.pl"; http_url = "https://mamba.podkos.pl";
ldap_user_dn = "master"; ldap_user_dn = "master";
ldap_user_email = "materus@podkos.pl"; ldap_user_email = "materus@podkos.pl";

4
configurations/host/waffentrager/services/nextcloud.nix
View File

@ -25,11 +25,11 @@
package = pkgs.nextcloud29; package = pkgs.nextcloud29;
hostName = "waffentrager.materus.pl"; hostName = "waffentrager.materus.pl";
home = config.waffentragerService.elements.nextcloudDir; home = config.waffentragerService.elements.nextcloudDir;
config.adminuser = "master"; config.adminuser = "nextcloud-master";
config.adminpassFile = config.sops.secrets.nextcloud-adminpass.path; config.adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
config.dbtype = "pgsql"; config.dbtype = "pgsql";
extraAppsEnable = true; extraAppsEnable = true;
maxUploadSize = "4G"; maxUploadSize = "8G";
https = true; https = true;
enableImagemagick = true; enableImagemagick = true;
configureRedis = true; configureRedis = true;

9
configurations/host/waffentrager/services/samba.nix
View File

@ -35,6 +35,9 @@
hosts deny = 0.0.0.0/0 hosts deny = 0.0.0.0/0
guest account = nobody guest account = nobody
map to guest = bad user map to guest = bad user
mangled names = no
dos charset = CP850
unix charset = UTF-8
''; '';
shares = { shares = {
materus = { materus = {
@ -42,10 +45,10 @@
browseable = "yes"; browseable = "yes";
"read only" = "no"; "read only" = "no";
"guest ok" = "no"; "guest ok" = "no";
"create mask" = "0644"; "create mask" = "0770";
"directory mask" = "0755"; "directory mask" = "0770";
"force user" = "materus"; "force user" = "materus";
"force group" = "users"; "force group" = "nextcloud";
}; };
}; };
}; };

5
configurations/host/waffentrager/services/syncthing.nix
View File

@ -7,9 +7,7 @@
cfg = config.waffentragerService.syncthing; cfg = config.waffentragerService.syncthing;
in in
lib.mkIf cfg.enable { lib.mkIf cfg.enable {
waffentragerService.elements.enable = true; waffentragerService.elements.enable = true; networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
networking.firewall.allowedUDPPorts = [ 22000 21027 ]; networking.firewall.allowedUDPPorts = [ 22000 21027 ];
systemd.services.syncthing = { systemd.services.syncthing = {
partOf = [ "elements-mount.service" ]; partOf = [ "elements-mount.service" ];
@ -20,6 +18,7 @@
syncthing = { syncthing = {
enable = true; enable = true;
user = "materus"; user = "materus";
group = "nextcloud";
dataDir = "${config.waffentragerService.elements.path}/storage/materus"; dataDir = "${config.waffentragerService.elements.path}/storage/materus";
configDir = "${config.waffentragerService.elements.path}/storage/materus/Inne/Config/Syncthing/waffentrager/"; configDir = "${config.waffentragerService.elements.path}/storage/materus/Inne/Config/Syncthing/waffentrager/";
}; };

8
extraFiles/scripts/convert_images.sh
View File

@ -7,6 +7,12 @@ if ! command -v convert &> /dev/null; then $CONVERT "$@"; else convert "$@"; fi
} }
function max16 {
while [ `jobs | wc -l` -ge 16 ]
do
sleep 2
done
}
change_to_webp() { change_to_webp() {
f="$1" f="$1"
@ -31,7 +37,7 @@ pushd $XDG_PICTURES_DIR
for f in `find "." \( -name "*.png" -type f -o -name "*.jpg" -type f -o -name "*.jpeg" -type f -o -name "*.avif" -type f \) \ for f in `find "." \( -name "*.png" -type f -o -name "*.jpg" -type f -o -name "*.jpeg" -type f -o -name "*.avif" -type f \) \
-a -not \( -path "./Inne/Special/*" -o -path "./Inne/Emojis/*" -o -path "./Inne/MCSkins/*" -o -path "./Avatar/*" -o -path "./Inne/GIF/*" \)`; -a -not \( -path "./Inne/Special/*" -o -path "./Inne/Emojis/*" -o -path "./Inne/MCSkins/*" -o -path "./Avatar/*" -o -path "./Inne/GIF/*" \)`;
do do
change_to_webp "$f" & max16; change_to_webp "$f" &
done done