feat(external/netbox): Add OIDC configuration

This commit is contained in:
Tom Hubrecht 2023-12-17 17:16:53 +01:00
parent e91b0c81f1
commit 7007fece7a
4 changed files with 84 additions and 35 deletions

View file

@ -1,28 +1,50 @@
{ pkgs, lib, config, ... }: { config, pkgs, ... }: {
{ imports = [ ./secrets ];
imports = [
./secrets services = {
]; netbox = {
services.netbox = {
enable = true; enable = true;
secretKeyFile = config.age.secrets."netbox".path; secretKeyFile = config.age.secrets."netbox".path;
listenAddress = "127.0.0.1"; listenAddress = "127.0.0.1";
settings = { settings = {
ALLOWED_HOSTS = [ "netbox.dgnum.sinavir.fr" ]; ALLOWED_HOSTS = [ "netbox.dgnum.sinavir.fr" ];
REMOTE_AUTH_BACKEND =
"social_core.backends.open_id_connect.OpenIdConnectAuth";
}; };
extraConfig = ''
from os import environ as env
SOCIAL_AUTH_OIDC_OIDC_ENDPOINT = env["NETBOX_OIDC_URL"]
SOCIAL_AUTH_OIDC_KEY = env["NETBOX_OIDC_KEY"]
SOCIAL_AUTH_OIDC_SECRET = env["NETBOX_OIDC_SECRET"]
'';
}; };
# my server is slow sorry
systemd.services.netbox.serviceConfig.TimeoutStartSec = 600; nginx = {
services.nginx = {
enable = true; enable = true;
virtualHosts."netbox.dgnum.sinavir.fr" = { virtualHosts."netbox.dgnum.sinavir.fr" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/".proxyPass = "http://${config.services.netbox.listenAddress}:${builtins.toString config.services.netbox.port}";
locations."/static/".alias = "${config.services.netbox.dataDir}/static/"; locations."/".proxyPass =
"http://${config.services.netbox.listenAddress}:${
builtins.toString config.services.netbox.port
}";
locations."/static/".alias =
"${config.services.netbox.dataDir}/static/";
}; };
}; };
postgresql.package = pkgs.postgresql_14;
};
# my server is slow sorry
systemd.services.netbox.serviceConfig = {
TimeoutStartSec = 600;
EnvironmentFile = config.age.secrets."netbox_env".path;
};
users.users.nginx.extraGroups = [ "netbox" ]; users.users.nginx.extraGroups = [ "netbox" ];
networking.firewall.allowedTCPPorts = [ 443 80 ]; networking.firewall.allowedTCPPorts = [ 443 80 ];
services.postgresql.package = pkgs.postgresql_14;
} }

View file

@ -1,14 +1,10 @@
{ _: {
pkgs,
config,
lib,
...
}: {
age.secrets = { age.secrets = {
"netbox" = { "netbox" = {
file = ./netbox.age; file = ./netbox.age;
group = "netbox"; group = "netbox";
owner = "netbox"; owner = "netbox";
}; };
"netbox_env".file = ./netbox_env.age;
}; };
} }

31
external/netbox/secrets/netbox_env.age vendored Normal file
View file

@ -0,0 +1,31 @@
age-encryption.org/v1
-> ssh-ed25519 6J6ApA uOgCmOqPlLdETLFaMMPKIjbp6d41T0gtX0X0hGJDElA
cBHPVEsfBpEEzHN7ryG7TF7VYt4ft0tO20UOfM1+J5E
-> ssh-ed25519 JGx7Ng IEeY5TQO0glsTZSsrPS9TlMnz5f1okeWlut640ahAio
AYVWLcPETYKJAYxlUpFpQcPSsIffDIX9+9seqONrCFc
-> ssh-ed25519 Ih+Lhw UDpkkIBQKwPMKlby2KdPOauvW9fZdVzvpLy6PB55aCI
YvuwrcEHiPVdg7qIzR+y86mSQSbMezbfXvWa8krucP0
-> ssh-ed25519 jIXfPA j7tG5njdpep2XrlFieR/DxhDdzAixDG++erR3KC6fQI
h4BM2WgwJ0CZG5/XM50V086YF4UGJcmBiOmxsIyf190
-> ssh-ed25519 QlRB9Q vfE9b1Yo8zr+eUPGrWfl2T3rIlD2j0QweDXSI7wu1TU
Uupo2QK0dbjE9UEt6A/6nxQViW1LvqhDU5lX+hOYX2o
-> ssh-ed25519 r+nK/Q zj475ZsZBzPjfOzqyyylvpG0J00ZiE8NWL+rvhURRWk
ZSpCLcgfm3X2+KIllRVUVZamn3JZrlUOR/Nahk5sBUA
-> ssh-rsa krWCLQ
Uij+BTfVAjkGIKQ3qSL+E5YGJfZ6nMB/Kw3IWwZD1QGih6CO3+oooGR1DOqAJv0O
o2H9v3AbAr0qnaYjK0Gjw/2+6uSu5SDt75p1ocMvLu8gwM1Br+T/7uSuIw7wLgPz
IinUGDPTFhjR7X7x16IxgXWGMowCa6K/285ztY8v0v9s22uNrrjNEGEiJ/qn41DX
8hpOmRpxiq5xOG1fsWQYsSW+ZmobBWfJJXzM0iknQL+GniRZd/ySjWr84HcMjDns
8CcTgeo6gVstQITekvMS3jkixmszJhFJR8WMS9b/bunDIGrxj3cUEObRAzlU48Jd
dAzOQ+kjzqMwnXbNexq54w
-> ssh-ed25519 /vwQcQ kYZUqgKfoKSAaaJal1bl521wUkrZXR/12+U9Fuff4m8
4foVQpY3UGsUz1jQFQF+5Es3ui0+QsRVRFgxEmmcws4
-> ssh-ed25519 0R97PA rW9FfcNNRzvCF7p8KOLjJnKZN0dOdJ1nANzaA1vEzw0
yd1gOIEucTCXsciTtB3VPjdlJvrqv/SKuQwtNKVhGs0
-> ssh-ed25519 JGx7Ng KdsKUOQ+6VcZyxT63RoPpJyK8qg1xkVz8NuPDJUauQs
MSwBdYg/wGrvylPoIy+UVjiIyVfqbyuliIEVuk+B7cQ
-> Ko+-grease
xF0g4xMUtgeLzmHbpdZM/cKiQ1yXVpcgLXhpd4czuP4Mv0YDZPnE5//nFsh2N9M2
ugEnZvPls1cMoKMh6DoM
--- VzbmV+CoC0fLoX3FKJqQqbde/H5E77JhGDcedYKbk+g
„ï +m|L™å¬åŽ<C3A5>¬.·H£±2”®_©R~uév]¢OmR`ÿ&é˜d-Á¨äHñ8“ˆ  s,ÒpRéeÓš¿ö ®Åh¹t¤K x=Y­¼ÖêÒ×è·Ìdâ`±FADñŒLÐqJo Ÿ›”¶Ð¯>ž:9`9|3cëÆ…™<îGð$É)}©€?;-$öb•º<16>þ.÷¦†—³{¶Cï¡´0¿ )äk&¹úr<šöâf¥³

View file

@ -4,12 +4,12 @@ let
inherit ((import sources.nixpkgs { })) lib; inherit ((import sources.nixpkgs { })) lib;
nix-lib = import ../../../lib { }; nix-lib = import ../../../lib { };
groups = (import ../../../meta).members.groups; inherit ((import ../../../meta).members) groups;
publicKeys = lib.splitString "\n"
(builtins.readFile (./maurice.keys)) # maurice servers' keys
++ nix-lib.getAllKeys (groups.netbox ++ groups.root);
in { in {
"netbox.age".publicKeys = "netbox.age" = { inherit publicKeys; };
lib.splitString "\n" (builtins.readFile (./maurice.keys)) # maurice servers' keys "netbox_env.age" = { inherit publicKeys; };
++ nix-lib.getAllKeys (
groups.netbox ++
groups.root
);
} }