From 4d2f26c98f989b23ace5f33fc3407c51b93255dc Mon Sep 17 00:00:00 2001
From: Tristan
Date: Wed, 8 May 2024 22:53:41 +0100
Subject: [PATCH 1/3] alpine: authentik service

---
 flake.nix | 5 +-
 hardware/alpine.nix | 8 ----
 lib/mkconf.nix | 1 +
 nixos/modules/podman.nix | 86 ++++++++++++++++++++++++++++++++++
 nixos/services/authentik.nix | 91 ++++++++++++++++++++++++++++++++++++
 secrets/secrets.yaml | 13 +++++-
 6 files changed, 190 insertions(+), 14 deletions(-)
 create mode 100644 nixos/modules/podman.nix
 create mode 100644 nixos/services/authentik.nix

diff --git a/flake.nix b/flake.nix
index 086c84d..0a5c5ca 100644
--- a/flake.nix
+++ b/flake.nix
@@ -9,10 +9,6 @@
 inputs.nixpkgs.follows = "nixpkgs";
 };
 stylix.url = "github:danth/stylix";
- # hyprland = {
- # url = "github:hyprwm/Hyprland/v0.36.0";
- # inputs.nixpkgs.follows = "nixpkgs";
- # };
 sops-nix.url = "github:Mic92/sops-nix";
 };
 
@@ -71,6 +67,7 @@
 ./nixos/services/mautrix/signal.nix
 ./nixos/services/nextcloud.nix
 ./nixos/services/ntfy.nix
+ ./nixos/services/authentik.nix
 ] [];
 
 vm-sway =
diff --git a/hardware/alpine.nix b/hardware/alpine.nix
index 29a68ee..eff81ed 100644
--- a/hardware/alpine.nix
+++ b/hardware/alpine.nix
@@ -140,14 +140,6 @@ in {
 enableACME = true;
 root = "/srv/www/tristans.cloud";
 };
- "auth.tristans.cloud" = {
- forceSSL = true;
- enableACME = true;
- locations."~" = {
- proxyPass = "http://localhost:8084";
- proxyWebsockets = true;
- };
- };
 };
 };
 security.acme = {
diff --git a/lib/mkconf.nix b/lib/mkconf.nix
index 8f8e302..f5b3e14 100644
--- a/lib/mkconf.nix
+++ b/lib/mkconf.nix
@@ -15,6 +15,7 @@ in
 modules =
 modules
 ++ [
+ ../nixos/modules/podman.nix
 home-manager.nixosModules.home-manager
 sops-nix.nixosModules.sops
 {
diff --git a/nixos/modules/podman.nix b/nixos/modules/podman.nix
new file mode 100644
index 0000000..921d4dc
--- /dev/null
+++ b/nixos/modules/podman.nix 
@@ -0,0 +1,86 @@
+{
+ lib,
+ pkgs,
+ config,
+ ...
+}: let
+ inherit (lib) mkOption types;
+ mkRunCommand = name: {
+ image,
+ command ? "",
+ environment ? {},
+ ports ? [],
+ volumes ? [],
+ envFile ? null,
+ ...
+ }: ''
+ ${pkgs.podman}/bin/podman run \
+ ${toString (builtins.attrValues (builtins.mapAttrs (name: value: "-e ${name}='${value}'") environment))} \
+ ${toString (builtins.map (mapping: "-p ${mapping}") ports)} \
+ ${toString (builtins.map (mapping: "-v ${mapping}") volumes)} \
+ ${
+ if builtins.isNull envFile
+ then ""
+ else "--env-file ${toString envFile}"
+ } \
+ --detach --replace \
+ --name ${name} \
+ ${image} ${command}
+ '';
+ opts = {
+ config,
+ name,
+ ...
+ }: {
+ options = {
+ image = mkOption {
+ type = types.str;
+ };
+ command = mkOption {
+ type = types.str;
+ default = "";
+ };
+ environment = mkOption {
+ type = types.attrsOf types.str;
+ default = {};
+ };
+ ports = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ };
+ volumes = mkOption {
+ type = types.listOf types.str;
+ default = [];
+ };
+ envFile = mkOption {
+ type = types.nullOr types.path;
+ default = null;
+ };
+ };
+ };
+ mkService = name: config: {
+ enable = true;
+ wants = ["network-online.target"];
+ after = ["network-online.target"];
+ wantedBy = ["default.target"];
+ unitConfig = {
+ RequiresMountsFor = "/run/containers/storage";
+ };
+ serviceConfig = {
+ Environment = "PODMAN_SYSTEMD_UNIT=%n";
+ Restart = "on-failure";
+ TimeoutStopSec = 70;
+ ExecStart = mkRunCommand name config;
+ ExecStop = "${pkgs.podman}/bin/podman stop -t 10 ${name}";
+ ExecStopPost = "${pkgs.podman}/bin/podman stop -t 10 ${name}";
+ Type = "forking";
+ };
+ };
+in {
+ options.podman = mkOption {
+ type = types.attrsOf (types.submodule opts);
+ };
+ config = {
+ systemd.services = lib.mapAttrs mkService config.podman;
+ };
+}
diff --git a/nixos/services/authentik.nix b/nixos/services/authentik.nix
new file mode 100644
index 0000000..48f5b88
--- /dev/null
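Review bot: `mkRunCommand` interpolates every `environment` value straight into the `ExecStart` line as `-e NAME='value'`, so those values land in the unit file (world-readable via `systemctl cat`/`systemctl show` on a NixOS host) and a value containing a single quote breaks the quoting. Since the module already has `envFile` for exactly that purpose, the `environment` option deserves a comment saying so, e.g. `# Values are written verbatim into the unit file; put secrets in envFile instead.`, and the interpolation should go through `lib.escapeShellArg` (systemd's ExecStart quoting accepts single quotes and backslash escapes, so the output should parse — worth a quick test with a value containing `'`). The units also run as root with podman's default capability set and no `--cap-drop`/`--security-opt`/`--read-only`, so I would add an `extraOptions` list that lets each container be hardened without editing the module; the sketch below keeps the existing interface and defaults.
```nix
mkRunCommand = name: {
  image,
  command ? "",
  environment ? {},
  ports ? [],
  volumes ? [],
  envFile ? null,
  extraOptions ? [],
  ...
}: ''
  ${pkgs.podman}/bin/podman run \
    ${toString (lib.mapAttrsToList (n: v: "-e ${n}=${lib.escapeShellArg v}") environment)} \
    ${toString (builtins.map (mapping: "-p ${mapping}") ports)} \
    ${toString (builtins.map (mapping: "-v ${mapping}") volumes)} \
    ${if builtins.isNull envFile then "" else "--env-file ${toString envFile}"} \
    ${toString extraOptions} \
    --detach --replace \
    --name ${name} \
    ${image} ${command}
'';
# … unchanged: opts submodule; add next to envFile …
extraOptions = mkOption {
  type = types.listOf types.str;
  default = [];
  description = "Extra `podman run` flags for this container, e.g. --cap-drop=ALL or --security-opt=no-new-privileges.";
};
# … unchanged: mkService, options.podman, config …
```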
+++ b/nixos/services/authentik.nix 
@@ -0,0 +1,91 @@
+{config, ...}: let
+ inherit (config) sops;
+ inherit (sops) templates placeholder;
+ redis_port = "6380";
+ authentik_port = "8084";
+ postgres = {
+ user = "authentik";
+ db = "authentik";
+ port = "5437";
+ };
+ authentik-config = {
+ image = "ghcr.io/goauthentik/server:2023.10.7";
+ volumes = ["/home/tristan/pods/authentik/media:/media"];
+ environment = {
+ AUTHENTIK_POSTGRESQL__USER = postgres.user;
+ AUTHENTIK_POSTGRESQL__HOST = "192.168.1.2";
+ AUTHENTIK_POSTGRESQL__PORT = postgres.port;
+ AUTHENTIK_REDIS__HOST = "192.168.1.2";
+ AUTHENTIK_REDIS__PORT = redis_port;
+ AUTHENTIK_EMAIL__FROM = "Authentik ";
+ AUTHENTIK_DEFAULT_USER_CHANGE_USERNAME = "false";
+ };
+ envFile = templates."authentik/environment".path;
+ };
+in {
+ sops.secrets = {
+ "authentik/postgres_password" = {};
+ "authentik/secret_key" = {};
+ "mail/host" = {};
+ "mail/port" = {};
+ "mail/username" = {};
+ "mail/password" = {};
+ "mail/ssl" = {};
+ };
+ sops.templates = {
+ "authentik/environment" = {
+ content = ''
+ AUTHENTIK_POSTGRESQL__PASSWORD="${placeholder."authentik/postgres_password"}"
+ AUTHENTIK_SECRET_KEY="${placeholder."authentik/secret_key"}"
+ AUTHENTIK_EMAIL__HOST="${placeholder."mail/host"}"
+ AUTHENTIK_EMAIL__PORT="${placeholder."mail/port"}"
+ AUTHENTIK_EMAIL__USERNAME="${placeholder."mail/username"}"
+ AUTHENTIK_EMAIL__PASSWORD="${placeholder."mail/password"}"
+ AUTHENTIK_EMAIL__USE_SSL="${placeholder."mail/ssl"}"
+ '';
+ };
+ "authentik/postgres_env" = {
+ content = ''
+ POSTGRES_PASSWORD="${placeholder."authentik/postgres_password"}"
+ '';
+ };
+ };
+
+ podman.authentik-redis = {
+ image = "redis:latest";
+ ports = ["${redis_port}:6379"];
+ };
+
+ podman.authentik-server =
+ authentik-config
+ // {
+ command = "server";
+ ports = ["${authentik_port}:9000" "9084:9300"];
+ };
+
+ podman.authentik-worker =
+ authentik-config
+ // {
+ command = "worker";
+ };
+
+ podman.authentik-postgres = {
+ image = "docker.io/postgres:14-alpine";
+ ports = 
["${postgres.port}:5432"];
+ volumes = ["/home/tristan/pods/authentik/db:/var/lib/postgresql/data"];
+ environment = {
+ POSTGRES_USER = postgres.user;
+ POSTGRES_DB = postgres.db;
+ };
+ envFile = templates."authentik/postgres_env".path;
+ };
+
+ services.nginx.virtualHosts."auth.tristans.cloud" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."~" = {
+ proxyPass = "http://localhost:${authentik_port}";
+ proxyWebsockets = true;
+ };
+ };
+}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index e336487..1f59b15 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml 
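Review bot: Every `ports` entry in this file publishes on all host interfaces (`"${redis_port}:6379"` and the others carry no host address), so the password-less `authentik-redis`, postgres on 5437, authentik's own HTTP on 8084 and the 9300→9084 mapping (9300 is, as far as I recall, authentik's metrics listener) are all reachable from the 192.168.1.0/24 segment — and root podman installs its own NAT/forward rules, which in my experience are not filtered by `networking.firewall`, so this is worth confirming from another LAN host. The server container only needs to be reached by the local nginx, so `ports = ["127.0.0.1:${authentik_port}:9000"];` together with `proxyPass = "http://127.0.0.1:${authentik_port}";` closes that one; redis and postgres are addressed via `192.168.1.2` from inside the containers, so they need a shared podman network between the four containers (or at the very least `--requirepass` on redis plus `AUTHENTIK_REDIS__PASSWORD`) rather than a loopback bind. `image = "redis:latest"` is also the only unpinned, registry-less image here; pin it like the postgres and authentik images, ideally by digest (`docker.io/library/redis:7@sha256:…`) since `--replace` will silently pull whatever the tag points to on the next restart. `AUTHENTIK_EMAIL__FROM = "Authentik "` looks as if its address part went missing (an address in angle brackets may have been stripped when the patch was rendered) — worth checking the committed file.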
@@ -19,6 +19,15 @@ mautrix-signal:
 mautrix-instagram:
 as_token: ENC[AES256_GCM,data:pNO76BcGejQdCc5X4f/UvSsBIPU6QZCCQTJvwVIXRf3rnb9ewWNMEtYXlqj886yh3g5SgqQ4Uhqby/7vrMxREA==,iv:uYU7ACk4wEPzqUCpt5KBt5Y8LoVIdAlNvdWj5Jm94qM=,tag:vJHOhwJBPlgUPu1SFqI4ew==,type:str]
 hs_token: ENC[AES256_GCM,data:m1CK8Ae6QyJKgDZm904xMpZ1KgKxEUpmQ1jdKOkjexgwAWjjtYF+RVximtcXwxPg/0jkbK/LMlxA89ic+zajiA==,iv:YLed92mS+2Cpud2f8Gq+zlpSVyPo7RVNGOUPCIRDi94=,tag:rRwhYn88ZZwm5sDI1etR2g==,type:str]
+authentik:
+ postgres_password: ENC[AES256_GCM,data:mdUFP92PQEsvXpgES/iG+zmse0AKJ2c1KdMQDWDWWzWAOn3YSAYJX/N0IIljoGNC,iv:UxFDFYWNBQospGoHlrvLQJyypIszPqpkeJy1IGr6/7I=,tag:99LWrGMaYpfTl0PM4AQaKg==,type:str]
+ secret_key: ENC[AES256_GCM,data:JWcHd5FLhFt7gitVyv0l5Fc/sVrBlro026CPKrECPRGQHwjWQWsXTbKisM0vCKdB,iv:WN/LXUNrd+DbxfxwotedlYnyzE2D1c6C2e0UgCXUWX8=,tag:CAo6tX5RGdg67giMWa459g==,type:str]
+mail:
+ host: ENC[AES256_GCM,data:TpJCxb8/qtGHA7ZQNFxRfzY0jz82,iv:+hjhL2jbMP9NWYub/etBhFXxAfzoIEneepRw5uHL8bs=,tag:J5Rb6BiFKqgqxZPFSGtXhA==,type:str]
+ port: ENC[AES256_GCM,data:1DfD,iv:I3dK4v/h5nFLNk4yihQxkJiyAir9MLDAQIeGbSn3j+I=,tag:Xu8E6PN7u9YRVnFMWq85DQ==,type:str]
+ username: ENC[AES256_GCM,data:yF3a6yJbvscUM8HRL9/Df5ZU4j5a3g==,iv:LkZh8eaBZ+Z3+bjpyB3MkWTRpjtk3/bszseT9KCfDmM=,tag:sdAp283HiwYWlVLc7c4waw==,type:str]
+ password: ENC[AES256_GCM,data:queuYRYekTyynd6fxK4RNImMzQeR7xfNg9u96Fr+1tw=,iv:Rn30tJAoahkMr2ISDbyHClHDdjSF41MqtTwlSGUQELw=,tag:/sfAJXvFwvv3AMxTCONmkg==,type:str]
+ ssl: ENC[AES256_GCM,data:K2pczQ==,iv:Us4kZfQ2wIx/qJXDaPDuUNvGU2F+U8EtV21SPbTebe8=,tag:lUY9pGQ7dtxIJqOOtIMA8Q==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -34,8 +43,8 @@ sops:
 NUFIN3NPU2pTZ0NZRXdQY0xhWlI5T3cKd5XCj1aNsD+7+MfiAPGb1iAW9AgzyagG
 A7cwF9kQwWWLud9z4v6epuDkqGF+7uIy7N/CwBaEgi8+AS8o27wo4g==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-03-23T23:24:16Z"
- mac: ENC[AES256_GCM,data:bs8t7nH5BdIz4uQd33M2pt+AVhqfBEJy9l8AFl8p80GLAMg5zKlDWxtVCPrWk8viJvfMkhvwEovBizoy3m7gt8iWLf+dtznBjALtUXVAc/+dmACUS8E9JHHKcvOHxT/cYCuU3t6pDJWlbfnpBtKSSHH8Z/YblYMlkeoNeNOoAwU=,iv:9fKO44c5TNMBgHqcuV6Fu+GW8TjND+32KDEerawpZL4=,tag:Ps8kelq+8iY88mdqugRTMg==,type:str]
+ lastmodified: "2024-05-08T21:41:24Z"
+ mac: ENC[AES256_GCM,data:BMM/NP/ls0VdkL1jOqPeEmfxwoQR1Yi5DM2xb1p+Z3u9oo61Tkc2v2G7G9jWMfa2UwVlqYOGIZlwNj2ONhWhDDZBVTd3tTEbssbizNTUWGX7cQBfQm9K0/Mk+qXdug7AfjKnVXZlEbD7QLfqhz7sl/tDaPS9sstnivJENi2sIYI=,iv:nOoc+kiSbf89qJMtGYLURVToh6bCnEjg7zVQivzate4=,tag:ogEOMkRafxKLFX0N9hbOSw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1

From 457faf8c0c3dfe6f6e337921441cef29fa43b69f Mon Sep 17 00:00:00 2001
From: Tristan
Date: Fri, 10 May 2024 17:28:25 +0100
Subject: [PATCH 2/3] alpine: monerod

---
 flake.nix | 1 +
 nixos/services/monero.nix | 15 +++++++++++++++
 2 files changed, 16 insertions(+)
 create mode 100644 nixos/services/monero.nix

diff --git a/flake.nix b/flake.nix
index 0a5c5ca..94f6fef 100644
--- a/flake.nix
+++ b/flake.nix
@@ -68,6 +68,7 @@
 ./nixos/services/nextcloud.nix
 ./nixos/services/ntfy.nix
 ./nixos/services/authentik.nix
+ ./nixos/services/monero.nix
 ] [];
 
 vm-sway =
diff --git a/nixos/services/monero.nix b/nixos/services/monero.nix
new file mode 100644
index 0000000..94cde2b
--- /dev/null
+++ b/nixos/services/monero.nix
@@ -0,0 +1,15 @@
+{...}: {
+ services.monero = {
+ enable = true;
+ rpc = {
+ address = "0.0.0.0";
+ restricted = true;
+ };
+ extraConfig = ''
+ prune-blockchain=1
+ confirm-external-bind=1
+ out-peers=64 # This will enable much faster sync and tx awareness; the default 8 is suboptimal nowadays
+ in-peers=1024 # The default is unlimited; we prefer to put a cap on this
+ '';
+ };
+}
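Review bot: `rpc.address = "0.0.0.0"` together with `restricted = true` and `confirm-external-bind=1` binds monerod's restricted RPC on every interface with no `rpc-login`, and nothing in the file says whether a public node is the intent or opens the firewall for it; if `networking.firewall` is enabled on alpine the RPC (and the p2p port) stay unreachable until opened, and once opened they are reachable by anyone. Add a comment stating the intent next to `rpc = {`, e.g. `# Public node: only the restricted RPC command set is exposed; no wallet RPC, no rpc-login.`, and if it is meant for the LAN only, bind to `192.168.1.2` (or the address nginx/the firewall actually fronts) instead of `0.0.0.0`. The `in-peers`/`out-peers` comments are good; the same one-line "why" on `confirm-external-bind=1` would tell the next reader that the external bind is deliberate rather than a leftover.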
From 09c776c9123a75f7badfcfbbd47ca60695c95330 Mon Sep 17 00:00:00 2001
From: tristan
Date: Sun, 12 May 2024 13:54:31 +0100
Subject: [PATCH 3/3] zenix: fix podman module

---
 flake.nix | 1 -
 nixos/modules/podman.nix | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/flake.nix b/flake.nix
index 94f6fef..d0a4256 100644
--- a/flake.nix
+++ b/flake.nix
@@ -41,7 +41,6 @@
 
 FCS-Tristan-Nixbook =
 mkConf [
- # inputs.hyprland.nixosModules.default
 ./hardware/fcs-tristan-nixbook.nix
 (auto-login "Hyprland")
 ./nixos/modules/work.nix
diff --git a/nixos/modules/podman.nix b/nixos/modules/podman.nix
index 921d4dc..f9cd6a7 100644
--- a/nixos/modules/podman.nix
+++ b/nixos/modules/podman.nix
@@ -79,6 +79,7 @@ in {
 options.podman = mkOption {
 type = types.attrsOf (types.submodule opts);
+ default = {};
 };
 config = {
 systemd.services = lib.mapAttrs mkService config.podman;