Compare commits


13 commits

Author SHA1 Message Date
Raito Bezarius
dcddd19fb4 core01(keycloak): remove useless file 2022-06-26 23:45:11 +02:00
Raito Bezarius
28c3ad2429 public-cof: upgrade to NC24 2022-06-26 23:45:11 +02:00
Raito Bezarius
3b1338043c public-cof: disable cryptpad 2022-06-26 23:45:11 +02:00
Raito Bezarius
2e09ceabf7 core01(keycloak): bump to nixos-unstable 2022-06-26 23:45:11 +02:00
Raito Bezarius
173cdedb7c core01(keycloak): bump to nixpkgs-unstable who has the patch 2022-06-26 23:45:11 +02:00
Raito Bezarius
deda24e3ae core01(keycloak): oops 2022-06-26 23:45:11 +02:00
Raito Bezarius
aa328045a7 core01(keycloak): try a zlib upstream patch 2022-06-26 23:45:11 +02:00
Raito Bezarius
6f52987d5f core01(keycloak): remove customizations 2022-06-26 23:45:11 +02:00
Raito Bezarius
4d5ea04099 nixpkgs: try 22.11 unreleased 2022-06-26 23:45:11 +02:00
Raito Bezarius
22996eddff nixpkgs: update to 22.05 release 2022-06-26 23:45:11 +02:00
Raito Bezarius
4df131d59b core01: update to 22.05-beta 2022-06-26 23:45:11 +02:00
Raito Bezarius
cce562ac9a core01: update to latest nixpkgs, fix up keycloak 2022-06-26 23:45:11 +02:00
Raito Bezarius
7fefcc0d54 core01: add headscale support 2022-06-26 23:45:11 +02:00
12 changed files with 113 additions and 19 deletions


@ -8,7 +8,7 @@ let
nixos-config.symlink = "config/${machine}/configuration.nix";
nixpkgs.git = {
clean.exclude = [ "/.version-suffix" ];
ref = "e96c668072d7c98ddf2062f6d2b37f84909a572b"; # nixos-22.05
ref = "0d68d7c857fe301d49cdcd56130e0beea4ecd5aa"; # nixos-unstable
url = "https://github.com/NixOS/nixpkgs";
};
}];


@ -5,9 +5,9 @@ let
in
{
security.acme.acceptTerms = true;
security.acme.email = my.email;
security.acme.defaults.email = my.email;
security.acme.server =
security.acme.defaults.server =
if my.acmeStaging
then "https://acme-staging-v02.api.letsencrypt.org/directory"
else null;


@ -19,6 +19,7 @@
./keycloak.nix
./acme-dns.nix
./backups.nix
./headscale.nix
# ./dex.nix
./oauth2_proxy.nix
./secrets


@ -14,5 +14,5 @@ in
envFile = config.age.secrets.droneKeyFile.path;
};
systemd.services."drone-exec-runner-nix01".after = [ "gitea" ];
systemd.services."drone-exec-runner-nix01".after = [ "gitea.service" ];
}


@ -0,0 +1,51 @@
From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu>
Date: Wed, 30 Mar 2022 11:14:53 -0700
Subject: [PATCH] Correct incorrect inputs provided to the CRC functions.
The previous releases of zlib were not sensitive to incorrect CRC
inputs with bits set above the low 32. This commit restores that
behavior, so that applications with such bugs will continue to
operate as before.
---
crc32.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/crc32.c b/crc32.c
index a1bdce5c2..451887bc7 100644
--- a/crc32.c
+++ b/crc32.c
@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
#endif /* DYNAMIC_CRC_TABLE */
/* Pre-condition the CRC */
- crc ^= 0xffffffff;
+ crc = (~crc) & 0xffffffff;
/* Compute the CRC up to a word boundary. */
while (len && ((z_size_t)buf & 7) != 0) {
@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
#endif /* DYNAMIC_CRC_TABLE */
/* Pre-condition the CRC */
- crc ^= 0xffffffff;
+ crc = (~crc) & 0xffffffff;
#ifdef W
@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2)
#ifdef DYNAMIC_CRC_TABLE
once(&made, make_crc_table);
#endif /* DYNAMIC_CRC_TABLE */
- return multmodp(x2nmodp(len2, 3), crc1) ^ crc2;
+ return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff);
}
/* ========================================================================= */
@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op)
uLong crc2;
uLong op;
{
- return multmodp(op, crc1) ^ crc2;
+ return multmodp(op, crc1) ^ (crc2 & 0xffffffff);
}


@ -0,0 +1,8 @@
{ ... }:
{
services.headscale = {
enable = true;
serverUrl = "https://tailscale.rz.ens.wtf";
tls.letsencrypt.hostname = "tailscale.rz.ens.wtf";
};
}
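Review bot: The hostname `tailscale.rz.ens.wtf` is spelled out twice, once in `serverUrl` and once in `tls.letsencrypt.hostname`, so the two can drift apart on a later edit; a single `let domain = "tailscale.rz.ens.wtf"; in` binding reused by both attributes, as keycloak.nix does with its `domain`, would keep them in step. Because the certificate here comes from headscale's built-in Let's Encrypt client rather than `security.acme`, the `my.acmeStaging` switch that the other services honour does not apply to this host; a comment on the `tls.letsencrypt.hostname` line saying so would save the next reader from assuming staging is in effect. The listen address and port are left at the module defaults, so it is worth confirming that the listener `serverUrl` points at is actually the one headscale binds.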


@ -1,26 +1,33 @@
{ config, pkgs, ... }:
{ config, pkgs, lib, ... }:
let
my = config.my;
port = 8080;
keycloak-protocol-cas = pkgs.callPackage ./keycloak/keycloak-protocol-cas.nix {};
domain = "auth.${my.subZone}";
certs = config.security.acme.certs."${domain}".directory;
in
{
services.keycloak = {
enable = true;
package = pkgs.keycloak.override {
jre = pkgs.jre8;
};
initialAdminPassword = "changemeasap";
database.createLocally = true;
database.passwordFile = config.age.secrets.keycloakDatabasePasswordFile.path;
frontendUrl = "https://auth.${my.subZone}/auth/";
forceBackendUrlToFrontendUrl = true;
httpPort = toString port;
extraConfig = {
"subsystem=undertow"."server=default-server"."http-listener=default".proxy-address-forwarding = true;
plugins = [ pkgs.keycloak.plugins.keycloak-metrics-spi keycloak-protocol-cas ];
database = {
type = "postgresql";
username = "keycloak";
name = "keycloak";
createLocally = true;
passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}";
};
settings = {
hostname-strict-backchannel = true;
http-port = port;
proxy = "edge";
http-relative-path = "/auth";
hostname = domain;
};
};
services.nginx.virtualHosts."auth.${my.subZone}" = {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
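Review bot: `proxy = "edge"` in the new `settings` block makes Keycloak trust X-Forwarded-* headers from anything that reaches `http-port`, so the plain-HTTP listener on 8080 must only be reachable through the nginx virtual host below; the settings do not pin the bind address, so adding `http-host = "127.0.0.1";` next to `http-port = port;` (or confirming the firewall already restricts the port) would close that gap. The new `passwordFile = "${config.age.secrets.keycloakDatabasePasswordFile.path}";` wraps the agenix path in a string interpolation that does nothing — the previous form `config.age.secrets.keycloakDatabasePasswordFile.path` is equivalent and clearer. `initialAdminPassword = "changemeasap"` is unchanged context, but it ends up in the world-readable Nix store, so a comment that it is only used on first start and must be rotated at first login would help. The enclosing attribute set continues outside the hunk; the `locations."/"` block is cut off.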


@ -0,0 +1,26 @@
{ stdenv, lib, fetchurl }:
stdenv.mkDerivation rec {
pname = "keycloak-protocol-cas";
version = "18.0.0";
src = fetchurl {
url = "https://github.com/jacekkow/keycloak-protocol-cas/releases/download/${version}/keycloak-protocol-cas-${version}.jar";
sha256 = "sha256-N+IJqD7oQ4T4MI8klt96kfHwFnPJy5l8MK6bq62nBrM=";
};
dontUnpack = true;
dontBuild = true;
installPhase = ''
mkdir -p $out
install "$src" "$out"
'';
meta = with lib; {
homepage = "https://github.com/jacekkow/keycloak-protocol-cas";
description = "Keycloak Service Provider that adds CAS as an authentication protocol";
license = licenses.apsl20;
maintainers = with maintainers; [ raitobezarius ];
};
}
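Review bot: `license = licenses.apsl20` names the Apple Public Source License 2.0; the upstream project appears to be Apache-2.0, for which the nixpkgs attribute is `licenses.asl20` — check the repository's LICENSE before merging. In `installPhase`, `install "$src" "$out"` copies the jar into `$out` under its store-path basename, hash prefix included, with install's default executable mode; `install -Dm644 "$src" "$out/${pname}-${version}.jar"` gives the plugin a stable, predictable file name and makes the preceding `mkdir -p $out` unnecessary. Pinning `sha256` on the release jar fetched from GitHub is the right way to fix this third-party artifact, so that part needs no change.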


@ -65,7 +65,7 @@ in
"health_alarm_notify"
];
environment.etc."netdata/netdata.conf" = {
environment.etc."netdata/netdata.conf" = lib.mkForce {
user = "netdata";
group = "netdata";
mode = "0600";


@ -37,6 +37,7 @@ dualstack // {
monitoring = dualstack;
auth = dualstack;
push = dualstack;
tailscale = dualstack;
core01 = dualstack;
ns1 = dualstack;


@ -14,7 +14,7 @@
./nur.nix
# ./factorio.nix # TODO
./nginx.nix
./cryptpad.nix
# ./cryptpad.nix
./hedgedoc.nix
./secrets
# TODO monitoring


@ -5,7 +5,7 @@
hostName = "nuage.beta.rz.ens.wtf";
https = true;
package = pkgs.nextcloud22;
package = pkgs.nextcloud23;
config = {
overwriteProtocol = "https";