diff --git a/krops.nix b/krops.nix
index 01ee420..770fcff 100644
--- a/krops.nix
+++ b/krops.nix
@@ -8,7 +8,7 @@ let
 nixos-config.symlink = "config/${machine}/configuration.nix";
 nixpkgs.git = {
 clean.exclude = [ "/.version-suffix" ];
- ref = "e96c668072d7c98ddf2062f6d2b37f84909a572b"; # nixos-22.05
+ ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable
 url = "https://github.com/NixOS/nixpkgs";
 };
 }];
diff --git a/machines/core-services-01/acme-ssl.nix b/machines/core-services-01/acme-ssl.nix
index 2403cd6..f111e17 100644
--- a/machines/core-services-01/acme-ssl.nix
+++ b/machines/core-services-01/acme-ssl.nix
@@ -5,9 +5,9 @@ let
 in {
 security.acme.acceptTerms = true;
- security.acme.email = my.email;
+ security.acme.defaults.email = my.email;
- security.acme.server =
+ security.acme.defaults.server =
 if my.acmeStaging then "https://acme-staging-v02.api.letsencrypt.org/directory" else null;
diff --git a/machines/core-services-01/configuration.nix b/machines/core-services-01/configuration.nix
index f5ae683..8af8554 100644
--- a/machines/core-services-01/configuration.nix
+++ b/machines/core-services-01/configuration.nix
@@ -19,6 +19,7 @@
 ./keycloak.nix
 ./acme-dns.nix
 ./backups.nix
+ ./headscale.nix
 # ./dex.nix
 ./oauth2_proxy.nix
 ./secrets
diff --git a/machines/core-services-01/drone-runners.nix b/machines/core-services-01/drone-runners.nix
index 6793e4b..36ecbdd 100644
--- a/machines/core-services-01/drone-runners.nix
+++ b/machines/core-services-01/drone-runners.nix
@@ -14,5 +14,5 @@ in
 envFile = config.age.secrets.droneKeyFile.path;
 };
- systemd.services."drone-exec-runner-nix01".after = [ "gitea" ];
+ systemd.services."drone-exec-runner-nix01".after = [ "gitea.service" ];
 }
diff --git a/machines/core-services-01/fix-crc-computation.patch b/machines/core-services-01/fix-crc-computation.patch
new file mode 100644
index 0000000..85a6a7e
--- /dev/null
+++ b/machines/core-services-01/fix-crc-computation.patch
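Review bot: `after = [ "gitea.service" ]` only orders startup; it neither pulls Gitea in nor keeps the runner from starting when `gitea.service` is disabled or fails, so the runner will come up and retry against a dead Gitea. If the dependency is real, pair it with `systemd.services."drone-exec-runner-nix01".wants = [ "gitea.service" ];` (or `requires` if the runner must never run without it); if only ordering is intended, the line as written is correct. The enclosing attribute set (the `in` and the `envFile` block above) starts outside the hunk.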
@@ -0,0 +1,51 @@
+From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001
+From: Mark Adler
+Date: Wed, 30 Mar 2022 11:14:53 -0700
+Subject: [PATCH] Correct incorrect inputs provided to the CRC functions.
+
+The previous releases of zlib were not sensitive to incorrect CRC
+inputs with bits set above the low 32. This commit restores that
+behavior, so that applications with such bugs will continue to
+operate as before.
+---
+ crc32.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/crc32.c b/crc32.c
+index a1bdce5c2..451887bc7 100644
+--- a/crc32.c
++++ b/crc32.c
+@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
+ #endif /* DYNAMIC_CRC_TABLE */
+
+ /* Pre-condition the CRC */
+- crc ^= 0xffffffff;
++ crc = (~crc) & 0xffffffff;
+
+ /* Compute the CRC up to a word boundary. */
+ while (len && ((z_size_t)buf & 7) != 0) {
+@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
+ #endif /* DYNAMIC_CRC_TABLE */
+
+ /* Pre-condition the CRC */
+- crc ^= 0xffffffff;
++ crc = (~crc) & 0xffffffff;
+
+ #ifdef W
+
+@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2)
+ #ifdef DYNAMIC_CRC_TABLE
+ once(&made, make_crc_table);
+ #endif /* DYNAMIC_CRC_TABLE */
+- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2;
++ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff);
+ }
+
+ /* ========================================================================= */
+@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op)
+ uLong crc2;
+ uLong op;
+ {
+- return multmodp(op, crc1) ^ crc2;
++ return multmodp(op, crc1) ^ (crc2 & 0xffffffff);
+ }
diff --git a/machines/core-services-01/headscale.nix b/machines/core-services-01/headscale.nix
new file mode 100644
index 0000000..e44b48a
--- /dev/null
+++ b/machines/core-services-01/headscale.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+ services.headscale = {
+ enable = true;
+ serverUrl = "https://tailscale.rz.ens.wtf";
+ tls.letsencrypt.hostname = "tailscale.rz.ens.wtf";
+ };
+}
diff --git a/machines/core-services-01/keycloak.nix b/machines/core-services-01/keycloak.nix
index 6f34b25..e7d48e5 100644
--- a/machines/core-services-01/keycloak.nix
+++ b/machines/core-services-01/keycloak.nix
@@ -1,26 +1,33 @@
-{ config, pkgs, ... }:
+{ config, pkgs, lib, ... }:
 let
 my = config.my;
 port = 8080;
+ keycloak-protocol-cas = pkgs.callPackage ./keycloak/keycloak-protocol-cas.nix {};
+ domain = "auth.${my.subZone}";
+ certs = config.security.acme.certs."${domain}".directory;
 in {
 services.keycloak = {
 enable = true;
- package = pkgs.keycloak.override {
- jre = pkgs.jre8;
- };
 initialAdminPassword = "changemeasap";
- database.createLocally = true;
- database.passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path;
- frontendUrl = "https://auth.${my.subZone}/auth/";
- forceBackendUrlToFrontendUrl = true;
- httpPort = toString port;
- extraConfig = {
- "subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true;
+ plugins = [ pkgs.keycloak.plugins.keycloak-metrics-spi keycloak-protocol-cas ];
+ database = {
+ type = "postgresql";
+ username = "keycloak";
+ name = "keycloak";
+ createLocally = true;
+ passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}";
+ };
+ settings = {
+ hostname-strict-backchannel = true;
+ http-port = port;
+ proxy = "edge";
+ http-relative-path = "/auth";
+ hostname = domain;
 };
 };
- services.nginx.virtualHosts."auth.${my.subZone}" = {
+ services.nginx.virtualHosts."${domain}" = {
 forceSSL = true;
 enableACME = true;
 locations."/" = {
diff --git a/machines/core-services-01/keycloak/keycloak-protocol-cas.nix b/machines/core-services-01/keycloak/keycloak-protocol-cas.nix
new file mode 100644
index 0000000..1783749
--- /dev/null
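Review bot: `tls.letsencrypt.hostname` turns on headscale's built-in ACME client, which has to answer the HTTP-01 challenge on port 80 (or TLS-ALPN on 443) — ports nginx already holds on this host for its `enableACME` virtual hosts (acme-ssl.nix, the auth vhost in keycloak.nix) — so issuance will either fail or the two services will fight over the sockets. Every other service here terminates TLS in nginx; doing the same for headscale keeps a single ACME path and a loopback-only headscale listener, with websockets proxied for the control channel. The name is also hard-coded as `tailscale.rz.ens.wtf` while the sibling modules derive hostnames from `my.subZone` (subZone.nix adds the `tailscale` record in this same commit), so `tailscale.${config.my.subZone}` keeps the DNS record and the service in step. The headscale module's default listener is, as far as I recall, `127.0.0.1:8080`, which collides with Keycloak's `http-port = 8080` on the same machine, so set `port` explicitly. Suggested rewrite of the module:
```nix
{ config, ... }:
let
  domain = "tailscale.${config.my.subZone}";
  hs = config.services.headscale;
in
{
  services.headscale = {
    enable = true;
    address = "127.0.0.1";
    port = 8081;  # NOTE(review): keep clear of Keycloak's 8080 — confirm nothing else uses it
    serverUrl = "https://${domain}";
  };

  # TLS is terminated by nginx, like the other vhosts on this host.
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://${hs.address}:${toString hs.port}";
      proxyWebsockets = true;
    };
  };
}
```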
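Review bot: `proxy = "edge"` tells Keycloak to trust `X-Forwarded-For`/`-Proto`/`-Host` from whatever reaches its HTTP listener, and nothing in the new `settings` pins that listener to loopback — the NixOS module's default `http-host` binds, as far as I recall, all interfaces — so any peer that can reach tcp/8080 directly, not just nginx, can forge the client address Keycloak records in its events and brute-force detection as well as the scheme and host it builds URLs from. Add `http-host = "127.0.0.1";` next to `http-port = port;` (or firewall the port) so nginx is the only client. The `certs` binding in the `let` is not used anywhere in the visible lines; the nginx vhost continues outside the hunk, so drop it if it is unused there too. `passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}"` is a needless interpolation of an already string-typed value; the old plain `config.age.secrets.keycloakDatabasePasswordFile.path` reads cleaner. The unchanged `initialAdminPassword = "changemeasap"` still ends up world-readable in the Nix store, so at minimum it deserves a `# placeholder only — rotate on first login` comment.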
+++ b/machines/core-services-01/keycloak/keycloak-protocol-cas.nix
@@ -0,0 +1,26 @@
+{ stdenv, lib, fetchurl }:
+
+stdenv.mkDerivation rec {
+ pname = "keycloak-protocol-cas";
+ version = "18.0.0";
+
+ src = fetchurl {
+ url = "https://github.com/jacekkow/keycloak-protocol-cas/releases/download/${version}/keycloak-protocol-cas-${version}.jar";
+ sha256 = "sha256-N+IJqD7oQ4T4MI8klt96kfHwFnPJy5l8MK6bq62nBrM=";
+ };
+
+ dontUnpack = true;
+ dontBuild = true;
+
+ installPhase = ''
+ mkdir -p $out
+ install "$src" "$out"
+ '';
+
+ meta = with lib; {
+ homepage = "https://github.com/jacekkow/keycloak-protocol-cas";
+ description = "Keycloak Service Provider that adds CAS as an authentication protocol";
+ license = licenses.apsl20;
+ maintainers = with maintainers; [ raitobezarius ];
+ };
+}
diff --git a/machines/core-services-01/monitoring.nix b/machines/core-services-01/monitoring.nix
index f9812f9..47b7953 100644
--- a/machines/core-services-01/monitoring.nix
+++ b/machines/core-services-01/monitoring.nix
@@ -65,7 +65,7 @@ in
 "health_alarm_notify" ];
- environment.etc."netdata/netdata.conf" = {
+ environment.etc."netdata/netdata.conf" = lib.mkForce {
 user = "netdata";
 group = "netdata";
 mode = "0600";
diff --git a/machines/core-services-01/subZone.nix b/machines/core-services-01/subZone.nix
index 08db8c1..2738afe 100644
--- a/machines/core-services-01/subZone.nix
+++ b/machines/core-services-01/subZone.nix
@@ -37,6 +37,7 @@ dualstack // { monitoring = dualstack;
 auth = dualstack;
 push = dualstack;
+ tailscale = dualstack;
 core01 = dualstack;
 ns1 = dualstack;
diff --git a/machines/public-cof/configuration.nix b/machines/public-cof/configuration.nix
index ef33c32..b47cf2c 100644
--- a/machines/public-cof/configuration.nix
+++ b/machines/public-cof/configuration.nix
@@ -14,7 +14,7 @@
 ./nur.nix
 # ./factorio.nix # TODO
 ./nginx.nix
- ./cryptpad.nix
+ # ./cryptpad.nix
 ./hedgedoc.nix
 ./secrets
 # TODO monitoring
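Review bot: `install "$src" "$out"` drops the jar into `$out` under its store-hash-prefixed source name and with install's default 0755 mode; `install -Dm0644 "$src" "$out/${pname}-${version}.jar"` gives the provider a stable, non-executable file name and makes the preceding `mkdir -p` unnecessary. `license = licenses.apsl20` is the Apple Public Source License; the upstream project is, if memory serves, Apache-2.0 (`licenses.asl20`), so please check the repository's LICENSE before this metadata propagates. The `18.0.0` pin has to track the major version of `pkgs.keycloak` coming from the nixpkgs commit in krops.nix, since Keycloak's provider SPIs break across majors; a `# must match the major version of pkgs.keycloak` comment next to `version` would spare the next bumper a surprise. The sha256 is the only integrity control on this unsigned GitHub release asset, so future bumps should re-derive the hash from a fetch you trust rather than copying it from a third party.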
diff --git a/machines/public-cof/nextcloud.nix b/machines/public-cof/nextcloud.nix
index 99e6e17..b243afb 100644
--- a/machines/public-cof/nextcloud.nix
+++ b/machines/public-cof/nextcloud.nix
@@ -5,7 +5,7 @@
 hostName = "nuage.beta.rz.ens.wtf";
 https = true;
- package = pkgs.nextcloud22;
+ package = pkgs.nextcloud23;
 config = {
 overwriteProtocol = "https";