Tom Hubrecht
88d9b8c3e3
Signed-off-by: Tom Hubrecht <tom.hubrecht@dgnum.eu> Acked-by: Ryan Lahfa <ryan.lahfa@dgnum.eu> Acked-by: Maurice Debray <maurice.debray@dgnum.eu> Acked-by: Lubin Bailly <lubin.bailly@dgnum.eu> Acked-by: Jean-Marc Gailis <jean-marc.gailis@dgnum.eu> as the legal authority, at the time of writing, in DGNum. Acked-by: Elias Coppens <elias.coppens@dgnum.eu> as a member, at the time of writing, of the DGNum executive counsel.
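# SPDX-FileCopyrightText: 2024 Tom Hubrecht <tom.hubrecht@dgnum.eu>
#
# SPDX-License-Identifier: EUPL-1.2

# Kanidm identity provider (SSO) for DGNum.
#
# - provisions one person per organization member and one group per
#   organization group (plus `grp_active` holding every member),
# - declares the OAuth2 clients of the internal services,
# - fronts the HTTPS API with nginx (ACME TLS, CORS limited to a fixed
#   allow-list of https origins),
# - exposes LDAPS on port 636, served by kanidm itself.
{
  config,
  lib,
  meta,
  ...
}:

let
  inherit (lib)
    attrValues
    catAttrs
    escapeRegex
    concatStringsSep
    mapAttrs'
    nameValuePair
    ;

  domain = "sso.dgnum.eu";
  # Loopback port of the kanidm HTTPS listener; nginx is the only public HTTPS entry point.
  port = 8443;

  cert = config.security.acme.certs.${domain};

  # Hosts allowed to make credentialed cross-origin requests to the SSO API.
  # Every entry is regex-escaped before being joined into the nginx match
  # below, so a literal "." cannot match an arbitrary character.
  allowedDomains = builtins.map escapeRegex (
    (builtins.map (s: "${s}.dgnum.eu") [
      # DGNum subdomains
      "cloud"
      "git"
      "videos"
      "social"
      "demarches"
      "netbird"
    ])
    ++ [
      # Extra domains
      "netbird-beta.hubrecht.ovh"
    ]
  );

  # Resolves a member identifier to the username provisioned in kanidm.
  usernameFor = member: meta.organization.members.${member}.username;

  # Scopes granted to every active member on each internal OAuth2 client.
  defaultScopes = [
    "openid"
    "profile"
    "email"
  ];
in
{
  services.kanidm = {
    enableServer = true;

    # package = nixpkgs.unstable.kanidm;

    serverSettings = {
      inherit domain;

      origin = "https://${domain}";

      # The HTTPS API is only reachable through the nginx reverse proxy below.
      bindaddress = "127.0.0.1:${builtins.toString port}";
      # LDAPS is bound on all interfaces; kanidm terminates TLS itself with the
      # ACME certificate configured in tls_chain / tls_key.
      ldapbindaddress = "0.0.0.0:636";

      # Only safe because bindaddress is loopback: the X-Forwarded-For header can
      # then only originate from the local nginx instance.
      trust_x_forward_for = true;

      tls_chain = "${cert.directory}/fullchain.pem";
      tls_key = "${cert.directory}/key.pem";
    };

    provision = {
      enable = true;

      # One kanidm person per organization member, keyed by username.
      persons = mapAttrs' (
        _:
        {
          email,
          name,
          username,
          ...
        }:
        nameValuePair username {
          displayName = name;
          mailAddresses = [ email ];
        }
      ) meta.organization.members;

      # grp_active holds every member; grp_<name> mirrors each organization group.
      groups =
        {
          grp_active.members = catAttrs "username" (attrValues meta.organization.members);
        }
        // (mapAttrs' (
          name: members: nameValuePair "grp_${name}" { members = builtins.map usernameFor members; }
        ) meta.organization.groups);

      # INFO: The authentication resources declared here can only be for internal services,
      # as regular members cannot be statically known.
      systems.oauth2 = {
        dgn_grafana = {
          displayName = "Grafana [Analysis]";
          originLanding = "https://grafana.dgnum.eu";
          originUrl = "https://grafana.dgnum.eu/";
          preferShortUsername = true;

          scopeMaps.grp_active = defaultScopes;
        };

        dgn_librenms = {
          # NOTE(review): PKCE is disabled and legacy crypto enabled for this client,
          # presumably because LibreNMS does not support the stricter defaults —
          # confirm against the client and revisit when it does.
          allowInsecureClientDisablePkce = true;
          displayName = "LibreNMS [Network]";
          enableLegacyCrypto = true;
          originLanding = "https://nms.dgnum.eu";
          originUrl = "https://nms.dgnum.eu/";
          preferShortUsername = true;

          scopeMaps.grp_active = defaultScopes;
        };

        dgn_netbird = {
          displayName = "Netbird [VPN]";
          # Public client (no client secret) with localhost redirects for the
          # desktop/CLI login flow; PKCE stays enabled for it.
          enableLocalhostRedirects = true;
          originLanding = "https://netbird.dgnum.eu";
          originUrl = "https://netbird.dgnum.eu/";
          preferShortUsername = true;
          public = true;

          scopeMaps.grp_active = defaultScopes;
        };

        dgn_netbox = {
          # NOTE(review): same relaxed settings as dgn_librenms — confirm the Netbox
          # client really requires them and revisit when it no longer does.
          allowInsecureClientDisablePkce = true;
          displayName = "Netbox [Inventory]";
          enableLegacyCrypto = true;
          originLanding = "https://netbox.dgnum.eu";
          originUrl = "https://netbox.dgnum.eu/";
          preferShortUsername = true;

          scopeMaps.grp_active = defaultScopes;
        };

        dgn_outline = {
          displayName = "Outline [Docs]";
          originUrl = "https://docs.dgnum.eu/";
          originLanding = "https://docs.dgnum.eu";
          preferShortUsername = true;

          scopeMaps.grp_active = defaultScopes;
        };
      };
    };
  };

  # Grant kanidm read access to the ACME certificate directory.
  users.users.kanidm.extraGroups = [ cert.group ];

  dgn-web.internalPorts.kanidm = port;

  services.nginx = {
    enable = true;

    virtualHosts.${domain} = {
      enableACME = true;
      forceSSL = true;

      locations."/" = {
        proxyPass = "https://127.0.0.1:${builtins.toString port}";

        extraConfig = ''
          if ( $request_method !~ ^(GET|POST|HEAD|OPTIONS|PUT|PATCH|DELETE)$ ) {
            return 444;
          }

          # Echo the request Origin only when it is allow-listed AND served over
          # https: the responses carry Allow-Credentials, so a plaintext origin
          # must never be reflected. Everything else falls back to the SSO origin.
          set $origin $http_origin;

          if ($origin !~ '^https://(${concatStringsSep "|" allowedDomains})$') {
            set $origin 'https://${domain}';
          }

          # The CORS policy is decided here, not by the upstream.
          proxy_hide_header Access-Control-Allow-Origin;

          if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' "$origin" always;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers' 'Content-Type, Accept, Authorization' always;
            add_header 'Access-Control-Allow-Credentials' 'true' always;

            add_header Access-Control-Max-Age 1728000;
            add_header Content-Type 'text/plain; charset=UTF-8';
            add_header Content-Length 0;
            return 204;
          }

          if ($request_method ~ '(GET|POST|PATCH|PUT|DELETE)') {
            add_header Access-Control-Allow-Origin "$origin" always;
            add_header Access-Control-Allow-Methods 'GET, POST, PATCH, PUT, DELETE, OPTIONS' always;
            add_header Access-Control-Allow-Headers 'Content-Type, Accept, Authorization' always;
            add_header Access-Control-Allow-Credentials true always;
          }
        '';
      };
    };
  };

  # LDAPS only; kanidm's LDAP interface is TCP, so no UDP port is opened.
  networking.firewall.allowedTCPPorts = [ 636 ];

  dgn-backups.jobs.kanidm.settings.paths = [ "/var/lib/kanidm" ];
}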
|