From 7007fece7a052839a45251e4718802e95addf86a Mon Sep 17 00:00:00 2001
From: Tom Hubrecht
Date: Sun, 17 Dec 2023 17:16:53 +0100
Subject: [PATCH] feat(external/netbox): Add OIDC configuration
---
external/netbox/default.nix | 66 +++++++++++++++++---------
external/netbox/secrets/default.nix | 8 +---
external/netbox/secrets/netbox_env.age | 31 ++++++++++++
external/netbox/secrets/secrets.nix | 14 +++---
4 files changed, 84 insertions(+), 35 deletions(-)
create mode 100644 external/netbox/secrets/netbox_env.age
diff --git a/external/netbox/default.nix b/external/netbox/default.nix
index 46ffb8c..67157a4 100644
--- a/external/netbox/default.nix
+++ b/external/netbox/default.nix
@@ -1,28 +1,50 @@
-{ pkgs, lib, config, ... }:
-{
- imports = [
- ./secrets
- ];
- services.netbox = {
- enable = true;
- secretKeyFile = config.age.secrets."netbox".path;
- listenAddress = "127.0.0.1";
- settings = {
- ALLOWED_HOSTS = [ "netbox.dgnum.sinavir.fr" ];
+{ config, pkgs, ... }: {
+ imports = [ ./secrets ];
+
+ services = {
+ netbox = {
+ enable = true;
+ secretKeyFile = config.age.secrets."netbox".path;
+ listenAddress = "127.0.0.1";
+ settings = {
+ ALLOWED_HOSTS = [ "netbox.dgnum.sinavir.fr" ];
+ REMOTE_AUTH_BACKEND =
+ "social_core.backends.open_id_connect.OpenIdConnectAuth";
+ };
+
+ extraConfig = ''
+ from os import environ as env
+
+ SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env["NETBOX_OIDC_URL"]
+ SOCIAL_AUTH_OIDC_KEY = env["NETBOX_OIDC_KEY"]
+ SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
+ '';
 };
+
+ nginx = {
+ enable = true;
+ virtualHosts."netbox.dgnum.sinavir.fr" = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/".proxyPass =
+ "http://${config.services.netbox.listenAddress}:${
+ builtins.toString config.services.netbox.port
+ }";
+ locations."/static/".alias =
+ "${config.services.netbox.dataDir}/static/";
+ };
+ };
+
+ postgresql.package = pkgs.postgresql_14;
 };
+
 # my server is slow sorry
- systemd.services.netbox.serviceConfig.TimeoutStartSec = 600;
- services.nginx = {
- enable = true;
- virtualHosts."netbox.dgnum.sinavir.fr" = {
- enableACME = true;
- forceSSL = true;
- locations."/".proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
- locations."/static/".alias = "${config.services.netbox.dataDir}/static/";
- };
+ systemd.services.netbox.serviceConfig = {
+ TimeoutStartSec = 600;
+ EnvironmentFile = config.age.secrets."netbox_env".path;
 };
- users.users.nginx.extraGroups = ["netbox"];
+
+ users.users.nginx.extraGroups = [ "netbox" ];
 networking.firewall.allowedTCPPorts = [ 443 80 ];
- services.postgresql.package = pkgs.postgresql_14;
 }
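Review bot: The `env["NETBOX_OIDC_*"]` lookups in `extraConfig` raise `KeyError` whenever the variables are absent, yet `EnvironmentFile` is attached only to `systemd.services.netbox`; as far as I recall the NixOS netbox module also runs `netbox-rq` and `netbox-housekeeping` from the same generated configuration, so those units would die at import time — please verify and attach the file to every unit that loads the config, keeping the lookups strict (not `env.get`) so a missing client secret still fails closed. Independently, the nginx vhost proxies to gunicorn with no forwarded headers unless `services.nginx.recommendedProxySettings` is enabled elsewhere, so NetBox never sees `X-Forwarded-Proto`/`Host` and the OIDC `redirect_uri` social-auth builds may come out as `http://…` and be rejected by the provider; `recommendedProxySettings = true;` on the vhost plus `SOCIAL_AUTH_REDIRECT_IS_HTTPS = True` in `extraConfig` addresses that. Finally, with `REMOTE_AUTH_BACKEND` set, NetBox's default social-auth pipeline creates a local user for any identity the provider returns, so access control for this deployment now rests on the IdP client's own restrictions — worth stating in a comment next to `REMOTE_AUTH_BACKEND`.
```nix
  # … unchanged: services.netbox / nginx / postgresql …

  # configuration.py reads NETBOX_OIDC_* unconditionally, so every unit that
  # imports it needs the environment file, not only the web service.
  systemd.services = {
    netbox.serviceConfig = {
      TimeoutStartSec = 600;
      EnvironmentFile = config.age.secrets."netbox_env".path;
    };
    netbox-rq.serviceConfig.EnvironmentFile = config.age.secrets."netbox_env".path;
    netbox-housekeeping.serviceConfig.EnvironmentFile = config.age.secrets."netbox_env".path;
  };
```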
diff --git a/external/netbox/secrets/default.nix b/external/netbox/secrets/default.nix
index bc72dc4..5f21e7f 100644
--- a/external/netbox/secrets/default.nix
+++ b/external/netbox/secrets/default.nix
@@ -1,14 +1,10 @@
-{
- pkgs,
- config,
- lib,
- ...
-}: {
+_: {
 age.secrets = {
 "netbox" = {
 file = ./netbox.age;
 group = "netbox";
 owner = "netbox";
 };
+ "netbox_env".file = ./netbox_env.age;
 };
 }
diff --git a/external/netbox/secrets/netbox_env.age b/external/netbox/secrets/netbox_env.age
new file mode 100644
index 0000000..2b8d3d5
--- /dev/null
+++ b/external/netbox/secrets/netbox_env.age
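Review bot: `"netbox_env"` is declared without `owner`/`group`, unlike the `"netbox"` secret right above it, and nothing explains the asymmetry; it is the correct choice here, because the file is consumed through systemd's `EnvironmentFile`, which PID 1 reads as root before the service drops to the `netbox` user, so the OIDC client secret never needs to be readable by that account — but a later "consistency" edit adding `owner = "netbox"` would silently widen exposure. I'd add `# read by systemd as root via EnvironmentFile; keep the default root-owned 0400` above the line. I am assuming agenix's default owner and mode (root, 0400) — confirm against the agenix revision this repo pins.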
@@ -0,0 +1,31 @@ +age-encryption.org/v1 +-> ssh-ed25519 6J6ApA uOgCmOqPlLdETLFaMMPKIjbp6d41T0gtX0X0hGJDElA +cBHPVEsfBpEEzHN7ryG7TF7VYt4ft0tO20UOfM1+J5E +-> ssh-ed25519 JGx7Ng IEeY5TQO0glsTZSsrPS9TlMnz5f1okeWlut640ahAio +AYVWLcPETYKJAYxlUpFpQcPSsIffDIX9+9seqONrCFc +-> ssh-ed25519 Ih+Lhw UDpkkIBQKwPMKlby2KdPOauvW9fZdVzvpLy6PB55aCI +YvuwrcEHiPVdg7qIzR+y86mSQSbMezbfXvWa8krucP0 +-> ssh-ed25519 jIXfPA j7tG5njdpep2XrlFieR/DxhDdzAixDG++erR3KC6fQI +h4BM2WgwJ0CZG5/XM50V086YF4UGJcmBiOmxsIyf190 +-> ssh-ed25519 QlRB9Q vfE9b1Yo8zr+eUPGrWfl2T3rIlD2j0QweDXSI7wu1TU +Uupo2QK0dbjE9UEt6A/6nxQViW1LvqhDU5lX+hOYX2o +-> ssh-ed25519 r+nK/Q zj475ZsZBzPjfOzqyyylvpG0J00ZiE8NWL+rvhURRWk +ZSpCLcgfm3X2+KIllRVUVZamn3JZrlUOR/Nahk5sBUA +-> ssh-rsa krWCLQ +Uij+BTfVAjkGIKQ3qSL+E5YGJfZ6nMB/Kw3IWwZD1QGih6CO3+oooGR1DOqAJv0O +o2H9v3AbAr0qnaYjK0Gjw/2+6uSu5SDt75p1ocMvLu8gwM1Br+T/7uSuIw7wLgPz +IinUGDPTFhjR7X7x16IxgXWGMowCa6K/285ztY8v0v9s22uNrrjNEGEiJ/qn41DX +8hpOmRpxiq5xOG1fsWQYsSW+ZmobBWfJJXzM0iknQL+GniRZd/ySjWr84HcMjDns +8CcTgeo6gVstQITekvMS3jkixmszJhFJR8WMS9b/bunDIGrxj3cUEObRAzlU48Jd +dAzOQ+kjzqMwnXbNexq54w +-> ssh-ed25519 /vwQcQ kYZUqgKfoKSAaaJal1bl521wUkrZXR/12+U9Fuff4m8 +4foVQpY3UGsUz1jQFQF+5Es3ui0+QsRVRFgxEmmcws4 +-> ssh-ed25519 0R97PA rW9FfcNNRzvCF7p8KOLjJnKZN0dOdJ1nANzaA1vEzw0 +yd1gOIEucTCXsciTtB3VPjdlJvrqv/SKuQwtNKVhGs0 +-> ssh-ed25519 JGx7Ng KdsKUOQ+6VcZyxT63RoPpJyK8qg1xkVz8NuPDJUauQs +MSwBdYg/wGrvylPoIy+UVjiIyVfqbyuliIEVuk+B7cQ +-> Ko+-grease +xF0g4xMUtgeLzmHbpdZM/cKiQ1yXVpcgLXhpd4czuP4Mv0YDZPnE5//nFsh2N9M2 +ugEnZvPls1cMoKMh6DoM +--- VzbmV+CoC0fLoX3FKJqQqbde/H5E77JhGDcedYKbk+g + +m|L厍.H2_R~uv]OmR`&d-H8O s,pReӚ htK x=Yd`FADLqJoЯ>:9`9|3cƅ