Headscale support (upgrade to latest nixpkgs) (#9)

This adds Headscale support.

It also provides an upgrade to Keycloak 18.0.0 (Quarkus distribution).
It upgrades NextCloud from 22 to 23.

Reviewed-on: https://git.rz.ens.wtf/Klub-RZ/infrastructure/pulls/9
Co-authored-by: Ryan Lahfa <raito@noreply.git.rz.ens.wtf>
Co-committed-by: Ryan Lahfa <raito@noreply.git.rz.ens.wtf>
Ryan Lahfa 2022-06-26 23:48:43 +02:00
parent 57b5c931d1
commit 6f5fdb0317
12 changed files with 113 additions and 19 deletions


@ -8,7 +8,7 @@ let
nixos-config.symlink = "config/${machine}/configuration.nix";
nixpkgs.git = {
clean.exclude = [ "/.version-suffix" ];
ref = "e96c668072d7c98ddf2062f6d2b37f84909a572b"; # nixos-22.05
ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable
url = "https://github.com/NixOS/nixpkgs";
};
}];


@ -5,9 +5,9 @@ let
in
{
security.acme.acceptTerms = true;
security.acme.email = my.email;
security.acme.defaults.email = my.email;
security.acme.server =
security.acme.defaults.server =
if my.acmeStaging
then "https://acme-staging-v02.api.letsencrypt.org/directory"
else null;


@ -19,6 +19,7 @@
./keycloak.nix
./acme-dns.nix
./backups.nix
./headscale.nix
# ./dex.nix
./oauth2_proxy.nix
./secrets


@ -14,5 +14,5 @@ in
envFile = config.age.secrets.droneKeyFile.path;
};
systemd.services."drone-exec-runner-nix01".after = [ "gitea" ];
systemd.services."drone-exec-runner-nix01".after = [ "gitea.service" ];
}
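Review bot: `after = [ "gitea.service" ]` only orders the runner behind gitea; it does not pull the unit in, so when gitea is stopped or fails the runner still starts and its jobs fail until gitea comes back. If the runner genuinely depends on gitea being up, pair the ordering with a dependency, e.g. `systemd.services."drone-exec-runner-nix01".wants = [ "gitea.service" ];` (or `requires` if it should go down with it). The enclosing attribute set starts before the hunk.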


@ -0,0 +1,51 @@
From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu>
Date: Wed, 30 Mar 2022 11:14:53 -0700
Subject: [PATCH] Correct incorrect inputs provided to the CRC functions.
The previous releases of zlib were not sensitive to incorrect CRC
inputs with bits set above the low 32. This commit restores that
behavior, so that applications with such bugs will continue to
operate as before.
---
crc32.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/crc32.c b/crc32.c
index a1bdce5c2..451887bc7 100644
--- a/crc32.c
+++ b/crc32.c
@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
#endif /* DYNAMIC_CRC_TABLE */
/* Pre-condition the CRC */
- crc ^= 0xffffffff;
+ crc = (~crc) & 0xffffffff;
/* Compute the CRC up to a word boundary. */
while (len && ((z_size_t)buf & 7) != 0) {
@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
#endif /* DYNAMIC_CRC_TABLE */
/* Pre-condition the CRC */
- crc ^= 0xffffffff;
+ crc = (~crc) & 0xffffffff;
#ifdef W
@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2)
#ifdef DYNAMIC_CRC_TABLE
once(&made, make_crc_table);
#endif /* DYNAMIC_CRC_TABLE */
- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2;
+ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff);
}
/* ========================================================================= */
@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op)
uLong crc2;
uLong op;
{
- return multmodp(op, crc1) ^ crc2;
+ return multmodp(op, crc1) ^ (crc2 & 0xffffffff);
}


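--- /dev/null
+++ b/<DIRECTORY-UNKNOWN>/headscale.nix
@@ -0,0 +1,8 @@
+{ ... }:
+{
+services.headscale = {
+enable = true;
+serverUrl = "https://tailscale.rz.ens.wtf";
+tls.letsencrypt.hostname = "tailscale.rz.ens.wtf";
+};
+}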
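Review bot: The module sets `serverUrl` and `tls.letsencrypt.hostname` but leaves `services.headscale.address` and `services.headscale.port` at their defaults, which as far as I recall are a loopback address and a non-443 port; on those defaults headscale's built-in Let's Encrypt client cannot answer challenges and the control plane is not reachable at the advertised URL. Either set `address`/`port` explicitly, or front it with nginx like keycloak.nix does (`forceSSL`/`enableACME` on a virtualHost) and drop the `tls.letsencrypt` block, so the control plane is exposed the same way as the rest of the hosts. The hostname is written twice; a `let domain = "tailscale.rz.ens.wtf"; in` binding, as keycloak.nix does with `domain`, keeps the two from drifting. A short header comment stating how nodes get registered (CLI pre-auth keys versus OIDC) would help whoever operates this next.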


@ -1,26 +1,33 @@
{ config, pkgs, ... }:
{ config, pkgs, lib, ... }:
let
my = config.my;
port = 8080;
keycloak-protocol-cas = pkgs.callPackage ./keycloak/keycloak-protocol-cas.nix {};
domain = "auth.${my.subZone}";
certs = config.security.acme.certs."${domain}".directory;
in
{
services.keycloak = {
enable = true;
package = pkgs.keycloak.override {
jre = pkgs.jre8;
};
initialAdminPassword = "changemeasap";
database.createLocally = true;
database.passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path;
frontendUrl = "https://auth.${my.subZone}/auth/";
forceBackendUrlToFrontendUrl = true;
httpPort = toString port;
extraConfig = {
"subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true;
plugins = [ pkgs.keycloak.plugins.keycloak-metrics-spi keycloak-protocol-cas ];
database = {
type = "postgresql";
username = "keycloak";
name = "keycloak";
createLocally = true;
passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}";
};
settings = {
hostname-strict-backchannel = true;
http-port = port;
proxy = "edge";
http-relative-path = "/auth";
hostname = domain;
};
};
services.nginx.virtualHosts."auth.${my.subZone}" = {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
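Review bot: `initialAdminPassword = "changemeasap";` survives the rewrite unchanged on the new side, so the bootstrap admin credential sits in git history and in the world-readable Nix store. As far as I recall the option is only honoured when the admin user is first created, so if the password has already been rotated a comment saying so (`# bootstrap only; rotated after first start`) would make that clear, and if it has not, it should be rotated now rather than after the next incident. Minor style point: `passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}";` wraps a string in a no-op interpolation; `passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path;` is what the removed line and the drone module already use. The `certs` binding in the `let` is not referenced within the hunk; keycloak.nix continues past it, so it is presumably used below.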


@ -0,0 +1,26 @@
{ stdenv, lib, fetchurl }:
stdenv.mkDerivation rec {
pname = "keycloak-protocol-cas";
version = "18.0.0";
src = fetchurl {
url = "https://github.com/jacekkow/keycloak-protocol-cas/releases/download/${version}/keycloak-protocol-cas-${version}.jar";
sha256 = "sha256-N+IJqD7oQ4T4MI8klt96kfHwFnPJy5l8MK6bq62nBrM=";
};
dontUnpack = true;
dontBuild = true;
installPhase = ''
mkdir -p $out
install "$src" "$out"
'';
meta = with lib; {
homepage = "https://github.com/jacekkow/keycloak-protocol-cas";
description = "Keycloak Service Provider that adds CAS as an authentication protocol";
license = licenses.apsl20;
maintainers = with maintainers; [ raitobezarius ];
};
}
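Review bot: `license = licenses.apsl20;` is the Apple Public Source License 2.0 in nixpkgs; the upstream project is, to my knowledge, Apache-2.0, which is `licenses.asl20` — worth checking the repository's LICENSE file before merging. `install "$src" "$out"` places the jar under its full store basename (hash prefix included) with install's default executable mode; `install -Dm444 "$src" "$out/${pname}-${version}.jar"` gives a predictable path and read-only permissions, assuming the keycloak module collects any `*.jar` under the plugin output. Since this is a provider jar compiled against one Keycloak major, a comment next to `version` noting it must track `pkgs.keycloak.version` would save the next upgrader a broken login flow.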


@ -65,7 +65,7 @@ in
"health_alarm_notify"
];
environment.etc."netdata/netdata.conf" = {
environment.etc."netdata/netdata.conf" = lib.mkForce {
user = "netdata";
group = "netdata";
mode = "0600";
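Review bot: `lib.mkForce` on `environment.etc."netdata/netdata.conf"` silently wins over every other definition of that file, presumably the one the upstream netdata module generates from `services.netdata.config`; a one-line comment stating what is being overridden and why, e.g. `# mkForce: the netdata module also defines this file; ours must win`, keeps the override from outliving the conflict it resolves. `lib` must be in the module's argument list, which is outside the hunk.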


@ -37,6 +37,7 @@ dualstack // {
monitoring = dualstack;
auth = dualstack;
push = dualstack;
tailscale = dualstack;
core01 = dualstack;
ns1 = dualstack;


@ -14,7 +14,7 @@
./nur.nix
# ./factorio.nix # TODO
./nginx.nix
./cryptpad.nix
# ./cryptpad.nix
./hedgedoc.nix
./secrets
# TODO monitoring
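Review bot: Commenting out `./cryptpad.nix` disables a service that the commit description does not mention, and unlike the `factorio.nix` line above it carries no reason or TODO; `# ./cryptpad.nix # TODO: disabled, <reason>` would record why it went away. Disabling the module stops the unit but leaves its data and state on disk, so if removal is the intent that needs its own cleanup step.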


@ -5,7 +5,7 @@
hostName = "nuage.beta.rz.ens.wtf";
https = true;
package = pkgs.nextcloud22;
package = pkgs.nextcloud23;
config = {
overwriteProtocol = "https";