Headscale support (upgrade to latest nixpkgs) (#9)
This adds Headscale support. It also upgrades Keycloak to 18.0.0 (Quarkus distribution) and Nextcloud from 22 to 23. Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/9 Co-authored-by: Ryan Lahfa <raito@noreply.git.rz.ens.wtf> Co-committed-by: Ryan Lahfa <raito@noreply.git.rz.ens.wtf>
This commit is contained in:
parent
57b5c931d1
commit
6f5fdb0317
12 changed files with 113 additions and 19 deletions
|
@ -8,7 +8,7 @@ let
|
|||
nixos-config.symlink = "config/${machine}/configuration.nix";
|
||||
nixpkgs.git = {
|
||||
clean.exclude = [ "/.version-suffix" ];
|
||||
ref = "e96c668072d7c98ddf2062f6d2b37f84909a572b"; # nixos-22.05
|
||||
ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable
|
||||
url = "https://github.com/NixOS/nixpkgs";
|
||||
};
|
||||
}];
|
||||
|
|
|
@ -5,9 +5,9 @@ let
|
|||
in
|
||||
{
|
||||
security.acme.acceptTerms = true;
|
||||
security.acme.email = my.email;
|
||||
security.acme.defaults.email = my.email;
|
||||
|
||||
security.acme.server =
|
||||
security.acme.defaults.server =
|
||||
if my.acmeStaging
|
||||
then "https://acme-staging-v02.api.letsencrypt.org/directory"
|
||||
else null;
|
||||
|
|
|
@ -19,6 +19,7 @@
|
|||
./keycloak.nix
|
||||
./acme-dns.nix
|
||||
./backups.nix
|
||||
./headscale.nix
|
||||
# ./dex.nix
|
||||
./oauth2_proxy.nix
|
||||
./secrets
|
||||
|
|
|
@ -14,5 +14,5 @@ in
|
|||
envFile = config.age.secrets.droneKeyFile.path;
|
||||
};
|
||||
|
||||
systemd.services."drone-exec-runner-nix01".after = [ "gitea" ];
|
||||
systemd.services."drone-exec-runner-nix01".after = [ "gitea.service" ];
|
||||
}
|
||||
|
|
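Review bot: `after = [ "gitea.service" ]` only orders the two units when both happen to be in the same transaction; it neither starts gitea nor brings the runner back after gitea restarts, so if the runner genuinely depends on gitea being up, pair it with `systemd.services."drone-exec-runner-nix01".wants = [ "gitea.service" ];`. If pure ordering is the intent, a short comment saying so next to the line would save the next reader the question.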
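--- /dev/null
+++ b/machines/core-services-01/fix-crc-computation.patch
@@ -0,0 +1,51 @@
+From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Wed, 30 Mar 2022 11:14:53 -0700
+Subject: [PATCH] Correct incorrect inputs provided to the CRC functions.
+
+The previous releases of zlib were not sensitive to incorrect CRC
+inputs with bits set above the low 32. This commit restores that
+behavior, so that applications with such bugs will continue to
+operate as before.
+---
+crc32.c | 8 ++++----
+1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/crc32.c b/crc32.c
+index a1bdce5c2..451887bc7 100644
+--- a/crc32.c
++++ b/crc32.c
+@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
+#endif /* DYNAMIC_CRC_TABLE */
+
+/* Pre-condition the CRC */
+- crc ^= 0xffffffff;
++ crc = (~crc) & 0xffffffff;
+
+/* Compute the CRC up to a word boundary. */
+while (len && ((z_size_t)buf & 7) != 0) {
+@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
+#endif /* DYNAMIC_CRC_TABLE */
+
+/* Pre-condition the CRC */
+- crc ^= 0xffffffff;
++ crc = (~crc) & 0xffffffff;
+
+#ifdef W
+
+@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2)
+#ifdef DYNAMIC_CRC_TABLE
+once(&made, make_crc_table);
+#endif /* DYNAMIC_CRC_TABLE */
+- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2;
++ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff);
+}
+
+/* ========================================================================= */
+@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op)
+uLong crc2;
+uLong op;
+{
+- return multmodp(op, crc1) ^ crc2;
++ return multmodp(op, crc1) ^ (crc2 & 0xffffffff);
+}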
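Review bot: The zlib patch is added as a file, but none of the other eleven file sections visible in this commit references it — no overlay or `patches =` entry consumes `./fix-crc-computation.patch`, so as far as this diff shows it is dead weight in the repository. If it is meant to fix the zlib in the newly pinned nixos-unstable, the overlay applying it belongs in the same change (or at least a comment at the top of the file naming where it is applied); if the pinned nixpkgs already carries upstream commit ec3df00224d4b396e2ac6586ab5d25f673caa4c2, the file can be dropped. Note also that the rendered view has lost the leading space on the patch's context lines, so the checked-in file should be verified with `git apply --check` rather than read off this page.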
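--- /dev/null
+++ b/machines/core-services-01/headscale.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+services.headscale = {
+enable = true;
+serverUrl = "https://tailscale.rz.ens.wtf";
+tls.letsencrypt.hostname = "tailscale.rz.ens.wtf";
+};
+}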
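Review bot: `tls.letsencrypt.hostname` makes headscale run its own ACME client and terminate TLS itself, while every other public service on this host (keycloak.nix in this same commit) terminates TLS in nginx via `enableACME`; two ACME clients on one machine contend for ports 80/443, and the module's listen `address`/`port` are left at their defaults here, which I believe bind loopback and would never see the challenge — confirm against the headscale module of the pinned nixpkgs. The consistent fix is to put headscale behind nginx like keycloak (`services.nginx.virtualHosts."tailscale.rz.ens.wtf" = { forceSSL = true; enableACME = true; locations."/" = { proxyPass = "http://127.0.0.1:<headscale port>"; proxyWebsockets = true; }; };`, port to be taken from the module) and drop the built-in letsencrypt block; otherwise set `address`/`port` explicitly and add a comment saying why this service is the exception. The `{ ... }:` argument set also means the file cannot reference `config.my`, so the hostname is duplicated twice as a literal rather than derived like `domain` in keycloak.nix.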
@ -1,26 +1,33 @@
|
|||
{ config, pkgs, ... }:
|
||||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
my = config.my;
|
||||
port = 8080;
|
||||
keycloak-protocol-cas = pkgs.callPackage ./keycloak/keycloak-protocol-cas.nix {};
|
||||
domain = "auth.${my.subZone}";
|
||||
certs = config.security.acme.certs."${domain}".directory;
|
||||
in
|
||||
{
|
||||
services.keycloak = {
|
||||
enable = true;
|
||||
package = pkgs.keycloak.override {
|
||||
jre = pkgs.jre8;
|
||||
};
|
||||
initialAdminPassword = "changemeasap";
|
||||
database.createLocally = true;
|
||||
database.passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path;
|
||||
frontendUrl = "https://auth.${my.subZone}/auth/";
|
||||
forceBackendUrlToFrontendUrl = true;
|
||||
httpPort = toString port;
|
||||
extraConfig = {
|
||||
"subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true;
|
||||
plugins = [ pkgs.keycloak.plugins.keycloak-metrics-spi keycloak-protocol-cas ];
|
||||
database = {
|
||||
type = "postgresql";
|
||||
username = "keycloak";
|
||||
name = "keycloak";
|
||||
createLocally = true;
|
||||
passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}";
|
||||
};
|
||||
settings = {
|
||||
hostname-strict-backchannel = true;
|
||||
http-port = port;
|
||||
proxy = "edge";
|
||||
http-relative-path = "/auth";
|
||||
hostname = domain;
|
||||
};
|
||||
};
|
||||
|
||||
services.nginx.virtualHosts."auth.${my.subZone}" = {
|
||||
services.nginx.virtualHosts."${domain}" = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
|
|
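Review bot: With `proxy = "edge"` Keycloak now trusts X-Forwarded-For/Proto from whatever reaches port 8080, and the new `settings` block does not pin the listen address, so unless the host firewall closes 8080 a client can bypass nginx and present forged forwarding headers; add `http-host = "127.0.0.1";` next to `http-port = port;` (if I recall, the module's default is a wildcard bind — confirm for the pinned nixpkgs). The nginx side that emits those headers lives in the `locations."/"` block, which continues past the end of the hunk, so I can't see whether `recommendedProxySettings`/`proxyPass` are set. Still on the new side, though apparently unchanged: `initialAdminPassword = "changemeasap"` ends up world-readable in the Nix store; it only seeds the first start, so rotating it after bootstrap is the thing to verify, and a comment such as `# bootstrap-only; rotated after first login` would record that this is intentional.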
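--- /dev/null
+++ b/machines/core-services-01/keycloak/keycloak-protocol-cas.nix
@@ -0,0 +1,26 @@
+{ stdenv, lib, fetchurl }:
+
+stdenv.mkDerivation rec {
+pname = "keycloak-protocol-cas";
+version = "18.0.0";
+
+src = fetchurl {
+url = "https://github.com/jacekkow/keycloak-protocol-cas/releases/download/${version}/keycloak-protocol-cas-${version}.jar";
+sha256 = "sha256-N+IJqD7oQ4T4MI8klt96kfHwFnPJy5l8MK6bq62nBrM=";
+};
+
+dontUnpack = true;
+dontBuild = true;
+
+installPhase = ''
+mkdir -p $out
+install "$src" "$out"
+'';
+
+meta = with lib; {
+homepage = "https://github.com/jacekkow/keycloak-protocol-cas";
+description = "Keycloak Service Provider that adds CAS as an authentication protocol";
+license = licenses.apsl20;
+maintainers = with maintainers; [ raitobezarius ];
+};
+}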
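Review bot: `license = licenses.apsl20` names the Apple Public Source License 2.0 in nixpkgs; the upstream project appears to be Apache-2.0, which is `licenses.asl20` — check the repository's LICENSE file before merging. The `installPhase` also leaves the jar carrying its store-hash prefix in the filename and, because `install` defaults to mode 0755, marked executable; `install -Dm644 "$src" "$out/${pname}-${version}.jar"` gives a stable, non-executable file and makes the `mkdir -p` unnecessary. Whether the keycloak module's plugin loader cares about the filename I can't tell from this page, so that part is worth a quick check against the module.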
@ -65,7 +65,7 @@ in
|
|||
"health_alarm_notify"
|
||||
];
|
||||
|
||||
environment.etc."netdata/netdata.conf" = {
|
||||
environment.etc."netdata/netdata.conf" = lib.mkForce {
|
||||
user = "netdata";
|
||||
group = "netdata";
|
||||
mode = "0600";
|
||||
|
|
|
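Review bot: `lib.mkForce` on `environment.etc."netdata/netdata.conf"` silently discards every other definition of that file, so a reader can no longer tell which definition is being overridden or why; a one-line comment above it, e.g. `# mkForce: replace (not merge with) the netdata.conf defined elsewhere — presumably the netdata module's own`, would record the intent. Whether `lib` is in this file's argument set is outside the hunk, so please confirm it evaluates.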
@ -37,6 +37,7 @@ dualstack // {
|
|||
monitoring = dualstack;
|
||||
auth = dualstack;
|
||||
push = dualstack;
|
||||
tailscale = dualstack;
|
||||
core01 = dualstack;
|
||||
ns1 = dualstack;
|
||||
|
||||
|
|
|
@ -14,7 +14,7 @@
|
|||
./nur.nix
|
||||
# ./factorio.nix # TODO
|
||||
./nginx.nix
|
||||
./cryptpad.nix
|
||||
# ./cryptpad.nix
|
||||
./hedgedoc.nix
|
||||
./secrets
|
||||
# TODO monitoring
|
||||
|
|
|
@ -5,7 +5,7 @@
|
|||
hostName = "nuage.beta.rz.ens.wtf";
|
||||
https = true;
|
||||
|
||||
package = pkgs.nextcloud22;
|
||||
package = pkgs.nextcloud23;
|
||||
|
||||
config = {
|
||||
overwriteProtocol = "https";
|
||||
|
|