From a150103a0b696fc262e28156f6df55b06af5ecda Mon Sep 17 00:00:00 2001
From: Victor
Date: Mon, 16 Jan 2023 15:22:02 +0100
Subject: [PATCH] deploy dex
---
 flake.lock | 24 +++---
 nixos/hosts/olympus/default.nix | 6 +-
 nixos/hosts/olympus/dex/configuration.nix | 69 +++++++++++++++++++++
 nixos/hosts/olympus/nginx/configuration.nix | 1 +
 nixos/hosts/olympus/unifi/configuration.nix | 3 -
 5 files changed, 87 insertions(+), 16 deletions(-)
 create mode 100644 nixos/hosts/olympus/dex/configuration.nix
diff --git a/flake.lock b/flake.lock
index b81dcc1..410cfff 100644
--- a/flake.lock
+++ b/flake.lock
@@ -434,11 +434,11 @@
 "utils": "utils_2"
 },
 "locked": {
- "lastModified": 1673737886,
- "narHash": "sha256-hNTqD0uIgpbtTI2Nuj/Q1lEFOOdZqqXpxoc8rMno2F0=",
+ "lastModified": 1673815682,
+ "narHash": "sha256-zG7Rroki+89poCTr1D8BM/wTCl+DZJvU4IUE+5hxG7U=",
 "owner": "nix-community",
 "repo": "home-manager",
- "rev": "2827b5306462d91edec16a3d069b2d6e54c3079f",
+ "rev": "3e42035fc013ed4d8af6ee8dc0079c0c551c45a5",
 "type": "github"
 },
 "original": {
@@ -455,11 +455,11 @@
 "xdph": "xdph"
 },
 "locked": {
- "lastModified": 1673725528,
- "narHash": "sha256-mgJd3fKzUcO96IcaNpM9WJY60N+2oATp5AqgWFwm3c8=",
+ "lastModified": 1673811538,
+ "narHash": "sha256-dzaXvah1Qm8OeopF2lbS8ohhIGbGBx6kVY/W657qJdk=",
 "owner": "hyprwm",
 "repo": "Hyprland",
- "rev": "b5b436e01ddb5d5200f55be3deed8f4fade0574c",
+ "rev": "040e99fd174e46614e9dc37a77bad67b930ac5e9",
 "type": "github"
 },
 "original": {
@@ -786,11 +786,11 @@
 },
 "nixpkgs_22-11": {
 "locked": {
- "lastModified": 1673704454,
- "narHash": "sha256-5Wdj1MgdOgn3+dMFIBtg+IAYZApjF8JzwLWDPieg0C4=",
+ "lastModified": 1673800717,
+ "narHash": "sha256-SFHraUqLSu5cC6IxTprex/nTsI81ZQAtDvlBvGDWfnA=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "a83ed85c14fcf242653df6f4b0974b7e1c73c6c6",
+ "rev": "2f9fd351ec37f5d479556cd48be4ca340da59b8f",
 "type": "github"
 },
 "original": {
@@ -855,11 +855,11 @@
 },
 "nur": {
 "locked": {
- "lastModified": 1673804748,
- "narHash": "sha256-nOoQBoPgqUHLKcrDzAjErPTefelsxW7VRNCdAJ/Lr7s=",
+ "lastModified": 1673874395,
+ "narHash": "sha256-bIMqmL3iUt4EyoqsYAipDB6Xa5Pqvu9cwGIF5XgpVq4=",
 "owner": "nix-community",
 "repo": "NUR",
- "rev": "4d2c70498900a21eace533a5427191c53963b9d7",
+ "rev": "8cd0467d8f5399d83e0bfd381dafd1cd124c9545",
 "type": "github"
 },
 "original": {
diff --git a/nixos/hosts/olympus/default.nix b/nixos/hosts/olympus/default.nix
index aaeb6b5..d08fa6a 100644
--- a/nixos/hosts/olympus/default.nix
+++ b/nixos/hosts/olympus/default.nix
@@ -47,14 +47,18 @@
 ip = "10.42.42.10";
 mac = "6E:A5:25:99:FE:68";
 };
+ "dex" = {
+ ip = "10.42.42.11";
+ mac = "AE:66:7B:FA:15:72";
+ };
 "WoolooTV" = {
 ip = "10.42.42.13";
 mac = "74:40:be:48:85:a4";
 nix = false;
 };
 "outline" = {
- mac = "52:13:EB:FD:87:F0";
 ip = "10.42.42.14";
+ mac = "52:13:EB:FD:87:F0";
 };
 "dns-1" = {
 profile = "dns";
diff --git a/nixos/hosts/olympus/dex/configuration.nix b/nixos/hosts/olympus/dex/configuration.nix
new file mode 100644
index 0000000..37ff572
--- /dev/null
+++ b/nixos/hosts/olympus/dex/configuration.nix
@@ -0,0 +1,69 @@
+# Edit this configuration file to define what should be installed on
+# your system. Help is available in the configuration.nix(5) man page
+# and in the NixOS manual (accessible by running ‘nixos-help’).
+
+{ config, pkgs, ... }:
+let
+ vs = config.vault-secrets.secrets;
+ db_user = "dex";
+ db_name = "dex";
+in {
+ imports = [ ];
+
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
+
+ networking.firewall.allowedTCPPorts = [ 5556 ];
+
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_15;
+ ensureDatabases = [ db_name ];
+ ensureUsers = [{
+ name = db_user;
+ ensurePermissions = {
+ "DATABASE ${db_name}" = "ALL PRIVILEGES";
+ "schema public" = "ALL";
+ };
+ }];
+ };
+
+ vault-secrets.secrets.dex = { };
+
+ services.dex = {
+ enable = true;
+ settings = {
+ issuer = "https://dex.0x76.dev";
+ storage = {
+ type = "postgres";
+ config = {
+ host = "/var/run/postgresql";
+ user = db_user;
+ database = db_name;
+ };
+ };
+ web.http = "0.0.0.0:5556";
+
+ connectors = [
+ {
+ type = "gitea";
+ id = "gitea";
+ name = "Gitea";
+ config = {
+ clientID = "$GITEA_CLIENT_ID";
+ clientSecret = "$GITEA_CLIENT_SECRET";
+ redirectURI = "https://dex.0x76.dev/callback";
+ baseURL = "https://git.0x76.dev";
+ };
+ }
+ ];
+ };
+
+ environmentFile = "${vs.dex}/environment";
+ };
+}
diff --git a/nixos/hosts/olympus/nginx/configuration.nix b/nixos/hosts/olympus/nginx/configuration.nix
index 6d4928f..70fc203 100644
--- a/nixos/hosts/olympus/nginx/configuration.nix
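Review bot: `web.http = "0.0.0.0:5556"` combined with `networking.firewall.allowedTCPPorts = [ 5556 ];` makes Dex's plain-HTTP listener reachable from any host that can route to this machine, although the nginx hunk in this commit (`proxy "http://dex.olympus:5556"`) is its only intended client; any client that reaches 5556 directly bypasses the TLS hop that the `https://dex.0x76.dev` issuer implies, so consider scoping the port to the proxy with `networking.firewall.interfaces.<iface>.allowedTCPPorts` or an `extraCommands` rule limited to the nginx host's address. Separately, if I read the postgresql module of this era correctly, `ensurePermissions` issues its GRANT statements over psql's default connection rather than inside the `dex` database, so the `"schema public" = "ALL"` grant — needed with `pkgs.postgresql_15` because CREATE on `public` is no longer granted to every role — may not apply where Dex creates its tables; if the first start fails with a permission error, making `dex` the owner of the database is the reliable fix. Because the Gitea credentials are only substituted at runtime, a comment such as `# $GITEA_CLIENT_ID / $GITEA_CLIENT_SECRET are expanded by dex from environmentFile` above the connector would spare the next reader a search.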
+++ b/nixos/hosts/olympus/nginx/configuration.nix
@@ -55,6 +55,7 @@ in {
 virtualHosts."id.0x76.dev" = proxy "http://keycloak.olympus:80";
 virtualHosts."ntfy.0x76.dev" = proxy "http://ntfy.olympus:80";
 virtualHosts."ci.0x76.dev" = proxy "http://woodpecker.olympus:8000";
+ virtualHosts."dex.0x76.dev" = proxy "http://dex.olympus:5556";
 virtualHosts."pass.0x76.dev" = {
 enableACME = true;
 forceSSL = true;
diff --git a/nixos/hosts/olympus/unifi/configuration.nix b/nixos/hosts/olympus/unifi/configuration.nix
index d68f0f6..5a0adb1 100644
--- a/nixos/hosts/olympus/unifi/configuration.nix
+++ b/nixos/hosts/olympus/unifi/configuration.nix
@@ -15,9 +15,6 @@
 # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html). system.stateVersion = "21.11"; # Did you read the comment? - # Additional packages - environment.systemPackages = with pkgs; [ ]; - networking.firewall.allowedTCPPorts = [ 8443 ]; environment.noXlibs = lib.mkForce false;