Compare commits
20 commits
b8a570ae0d
...
7f2aa36d27
Author | SHA1 | Date | |
---|---|---|---|
|
7f2aa36d27 | ||
|
575c310ee6 | ||
|
bd63389bad | ||
|
34efaf7292 | ||
|
51c90e13e6 | ||
|
61faa8fc73 | ||
|
fd06c34032 | ||
|
1a11dc52d1 | ||
|
4479a68f32 | ||
|
8700b76403 | ||
|
238de568d5 | ||
|
52fc7e29a9 | ||
|
a589a9fe00 | ||
|
9d81a72d51 | ||
|
b134abeb6d | ||
|
b85705ab74 | ||
|
fa87855ee5 | ||
|
b405988e60 | ||
|
b23ce56955 | ||
|
2dd3f4cff1 |
24 changed files with 666 additions and 200 deletions
105
.github/workflows/build.yaml
vendored
Normal file
105
.github/workflows/build.yaml
vendored
Normal file
|
@ -0,0 +1,105 @@
|
|||
# name: build
|
||||
# on: push
|
||||
# jobs:
|
||||
# checks:
|
||||
# uses: nixbuild/nixbuild-action/.github/workflows/ci-workflow.yml@v19
|
||||
# with:
|
||||
# nix_conf: |
|
||||
# allow-import-from-derivation = true
|
||||
# secrets:
|
||||
# nixbuild_token: ${{ secrets.nixbuild_token }}
|
||||
|
||||
|
||||
name: "build"
|
||||
on:
|
||||
pull_request:
|
||||
push:
|
||||
branches: [ "main" ]
|
||||
|
||||
jobs:
|
||||
build-matrix:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
- name: Install Nix
|
||||
uses: DeterminateSystems/nix-installer-action@main
|
||||
with:
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
extra-conf: "system-features = nixos-test benchmark big-parallel kvm"
|
||||
- name: Setup Caching
|
||||
uses: cachix/cachix-action@v14
|
||||
with:
|
||||
name: selfhostblocks
|
||||
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
|
||||
- name: Generate Matrix
|
||||
id: generate-matrix
|
||||
run: |
|
||||
nix flake show --allow-import-from-derivation --json \
|
||||
| jq -c '.["checks"]["x86_64-linux"] | keys' > .output
|
||||
|
||||
cat .output
|
||||
|
||||
echo dynamic_list="$(cat .output)" >> "$GITHUB_OUTPUT"
|
||||
outputs:
|
||||
check: ${{ steps.generate-matrix.outputs.dynamic_list }}
|
||||
|
||||
manual:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
- name: Install Nix
|
||||
uses: DeterminateSystems/nix-installer-action@main
|
||||
with:
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
extra-conf: "system-features = nixos-test benchmark big-parallel kvm"
|
||||
- name: Setup Caching
|
||||
uses: cachix/cachix-action@v14
|
||||
with:
|
||||
name: selfhostblocks
|
||||
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
|
||||
- name: Build
|
||||
run: |
|
||||
nix \
|
||||
--print-build-logs \
|
||||
--option keep-going true \
|
||||
--show-trace \
|
||||
build .#manualHtml
|
||||
|
||||
tests:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [ "build-matrix" ]
|
||||
strategy:
|
||||
matrix:
|
||||
check: ${{ fromJson(needs.build-matrix.outputs.check) }}
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
- name: Install Nix
|
||||
uses: DeterminateSystems/nix-installer-action@main
|
||||
with:
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
extra-conf: "system-features = nixos-test benchmark big-parallel kvm"
|
||||
- name: Setup Caching
|
||||
uses: cachix/cachix-action@v14
|
||||
with:
|
||||
name: selfhostblocks
|
||||
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
|
||||
- name: Build
|
||||
run: |
|
||||
nix build --print-build-logs --show-trace .#checks.x86_64-linux.${{ matrix.check }}
|
||||
|
||||
results:
|
||||
if: ${{ always() }}
|
||||
runs-on: ubuntu-latest
|
||||
name: Final Results
|
||||
needs: [ manual, tests ]
|
||||
steps:
|
||||
- run: |
|
||||
result="${{ needs.tests.result }}"
|
||||
if [[ $result == "success" || $result == "skipped" ]]; then
|
||||
exit 0
|
||||
else
|
||||
exit 1
|
||||
fi
|
37
.github/workflows/demo.yml
vendored
37
.github/workflows/demo.yml
vendored
|
@ -3,15 +3,31 @@ name: Demo
|
|||
on:
|
||||
workflow_dispatch:
|
||||
pull_request:
|
||||
paths: &paths
|
||||
- 'demo/**'
|
||||
push:
|
||||
branches:
|
||||
- main
|
||||
paths: *paths
|
||||
|
||||
jobs:
|
||||
path-filter:
|
||||
runs-on: ubuntu-latest
|
||||
outputs:
|
||||
changed: ${{ steps.filter.outputs.changed }}
|
||||
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v4
|
||||
|
||||
- uses: dorny/paths-filter@v3
|
||||
id: filter
|
||||
with:
|
||||
filters: |
|
||||
changed:
|
||||
- '.github/workflows/demo.yml'
|
||||
- 'demo/**'
|
||||
|
||||
build:
|
||||
needs: [ "path-filter" ]
|
||||
if: needs.path-filter.outputs.changed == 'true'
|
||||
strategy:
|
||||
matrix:
|
||||
demo:
|
||||
|
@ -38,7 +54,7 @@ jobs:
|
|||
|
||||
- uses: cachix/cachix-action@v14
|
||||
with:
|
||||
name: mycache
|
||||
name: selfhostblocks
|
||||
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
|
||||
|
||||
- name: Build ${{ matrix.demo.name }} .#${{ matrix.demo.flake }}
|
||||
|
@ -50,4 +66,15 @@ jobs:
|
|||
--show-trace \
|
||||
build .#nixosConfigurations.${{ matrix.demo.flake }}.config.system.build.vm
|
||||
|
||||
|
||||
result:
|
||||
runs-on: ubuntu-latest
|
||||
needs: [ "build" ]
|
||||
if: '!cancelled()'
|
||||
steps:
|
||||
- run: |
|
||||
result="${{ needs.build.result }}"
|
||||
if [[ $result == "success" || $result == "skipped" ]]; then
|
||||
exit 0
|
||||
else
|
||||
exit 1
|
||||
fi
|
||||
|
|
22
.github/workflows/garnix.yaml
vendored
22
.github/workflows/garnix.yaml
vendored
|
@ -1,22 +0,0 @@
|
|||
# Leaving commented because it does not work.
|
||||
#
|
||||
# name: "Final Results"
|
||||
#
|
||||
# on:
|
||||
# check_suite:
|
||||
# types: [completed]
|
||||
#
|
||||
# jobs:
|
||||
# results:
|
||||
# name: Final Results
|
||||
# runs-on: ubuntu-latest
|
||||
# steps:
|
||||
# - run: echo
|
||||
# - run: exit 1
|
||||
# # see https://stackoverflow.com/a/67532120/4907315
|
||||
# if: >-
|
||||
# ${{
|
||||
# contains(needs.*.result, 'failure')
|
||||
# || contains(needs.*.result, 'cancelled')
|
||||
# || contains(needs.*.result, 'skipped')
|
||||
# }}
|
11
.github/workflows/pages.yml
vendored
11
.github/workflows/pages.yml
vendored
|
@ -2,14 +2,8 @@
|
|||
name: Deploy docs
|
||||
|
||||
on:
|
||||
# Runs on pushes targeting the default branch
|
||||
push:
|
||||
branches: ["main"]
|
||||
# TODO: needed ?
|
||||
# schedule:
|
||||
# - cron: 0 0 * * 1
|
||||
|
||||
# Allows you to run this workflow manually from the Actions tab
|
||||
workflow_dispatch:
|
||||
|
||||
# Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
|
||||
|
@ -40,9 +34,10 @@ jobs:
|
|||
- name: Install nix
|
||||
uses: cachix/install-nix-action@v20
|
||||
|
||||
- uses: cachix/cachix-action@v14
|
||||
- name: Setup Caching
|
||||
uses: cachix/cachix-action@v14
|
||||
with:
|
||||
name: mycache
|
||||
name: selfhostblocks
|
||||
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
|
||||
|
||||
- name: Build docs
|
||||
|
|
17
CHANGELOG.md
17
CHANGELOG.md
|
@ -14,9 +14,26 @@
|
|||
- `shb.authelia.oidcClients.description` -> `shb.authelia.oidcClients.client_name`
|
||||
- `shb.authelia.oidcClients.secret` -> `shb.authelia.oidcClients.client_secret`
|
||||
- `shb.authelia.ldapEndpoint` -> `shb.authelia.ldapHostname` and `shb.authelia.ldapPort`
|
||||
- `shb.authelia.jwtSecretFile` -> `shb.authelia.jwtSecret.result.path`
|
||||
- `shb.authelia.ldapAdminPasswordFile` -> `shb.authelia.ldapAdminPassword.result.path`
|
||||
- `shb.authelia.sessionSecretFile` -> `shb.authelia.sessionSecret.result.path`
|
||||
- `shb.authelia.storageEncryptionKeyFile` -> `shb.authelia.storageEncryptionKey.result.path`
|
||||
- `shb.authelia.identityProvidersOIDCIssuerPrivateKeyFile` -> `shb.authelia.identityProvidersOIDCIssuerPrivateKey.result.path`
|
||||
- `shb.authelia.smtp.passwordFile` -> `shb.authelia.smtp.password.result.path`
|
||||
- Make Nextcloud automatically disable maintenance mode upon service restart.
|
||||
- `shb.ldap.ldapUserPasswordFile` -> `shb.ldap.ldapUserPassword.result.path`
|
||||
- `shb.ldap.jwtSecretFile` -> `shb.ldap.jwtSecret.result.path`
|
||||
- Jellyfin changes:
|
||||
- `shb.jellyfin.ldap.passwordFile` -> `shb.jellyfin.ldap.adminPassword.result.path`.
|
||||
- `shb.jellyfin.sso.secretFile` -> `shb.jellyfin.ldap.sharedSecret.result.path`.
|
||||
- + `shb.jellyfin.ldap.sharedSecretForAuthelia`.
|
||||
- Forgejo changes:
|
||||
- `shb.forgejo.ldap.adminPasswordFile` -> `shb.forgejo.ldap.adminPassword.result.path`.
|
||||
- `shb.forgejo.sso.secretFile` -> `shb.forgejo.ldap.sharedSecret.result.path`.
|
||||
- `shb.forgejo.sso.secretFileForAuthelia` -> `shb.forgejo.ldap.sharedSecretForAuthelia.result.path`.
|
||||
- `shb.forgejo.adminPasswordFile` -> `shb.forgejo.adminPassword.result.path`.
|
||||
- `shb.forgejo.databasePasswordFile` -> `shb.forgejo.databasePassword.result.path`.
|
||||
|
||||
|
||||
## User Facing Backwards Compatible Changes
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
*Modular server management based on NixOS modules and focused on best practices.*
|
||||
|
||||
[![Documentation](https://github.com/ibizaman/selfhostblocks/actions/workflows/pages.yml/badge.svg)](https://github.com/ibizaman/selfhostblocks/actions/workflows/pages.yml)
|
||||
[![Tests](https://img.shields.io/endpoint.svg?url=https%3A%2F%2Fgarnix.io%2Fapi%2Fbadges%2Fibizaman%2Fselfhostblocks%3Fbranch%3Dmain)](https://garnix.io) (using Garnix)
|
||||
[![Tests](https://github.com/ibizaman/selfhostblocks/actions/workflows/build.yaml/badge.svg)](https://github.com/ibizaman/selfhostblocks/actions/workflows/build.yaml)
|
||||
[![Demo](https://github.com/ibizaman/selfhostblocks/actions/workflows/demo.yml/badge.svg)](https://github.com/ibizaman/selfhostblocks/actions/workflows/demo.yml)
|
||||
|
||||
SHB (Self Host Blocks) is yet another server management tool
|
||||
|
|
|
@ -35,11 +35,11 @@
|
|||
},
|
||||
"nixpkgs": {
|
||||
"locked": {
|
||||
"lastModified": 1728492678,
|
||||
"narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
|
||||
"lastModified": 1731139594,
|
||||
"narHash": "sha256-IigrKK3vYRpUu+HEjPL/phrfh7Ox881er1UEsZvw9Q4=",
|
||||
"owner": "nixos",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
|
||||
"rev": "76612b17c0ce71689921ca12d9ffdc9c23ce40b2",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
22
flake.nix
22
flake.nix
|
@ -26,7 +26,6 @@
|
|||
src = nixpkgs;
|
||||
inherit patches;
|
||||
};
|
||||
|
||||
pkgs = import patchedNixpkgs {
|
||||
inherit system;
|
||||
};
|
||||
|
@ -34,6 +33,7 @@
|
|||
allModules = [
|
||||
modules/blocks/authelia.nix
|
||||
modules/blocks/davfs.nix
|
||||
modules/blocks/hardcodedsecret.nix
|
||||
modules/blocks/ldap.nix
|
||||
modules/blocks/monitoring.nix
|
||||
modules/blocks/nginx.nix
|
||||
|
@ -79,12 +79,14 @@
|
|||
|
||||
checks =
|
||||
let
|
||||
inherit (pkgs.lib) foldl foldlAttrs mergeAttrs optionalAttrs;
|
||||
|
||||
importFiles = files:
|
||||
map (m: pkgs.callPackage m {}) files;
|
||||
|
||||
mergeTests = pkgs.lib.lists.foldl pkgs.lib.trivial.mergeAttrs {};
|
||||
mergeTests = foldl mergeAttrs {};
|
||||
|
||||
flattenAttrs = root: attrset: pkgs.lib.attrsets.foldlAttrs (acc: name: value: acc // {
|
||||
flattenAttrs = root: attrset: foldlAttrs (acc: name: value: acc // {
|
||||
"${root}_${name}" = value;
|
||||
}) {} attrset;
|
||||
|
||||
|
@ -96,19 +98,21 @@
|
|||
);
|
||||
|
||||
shblib = pkgs.callPackage ./lib {};
|
||||
in (rec {
|
||||
in (optionalAttrs (system == "x86_64-linux") ({
|
||||
modules = shblib.check {
|
||||
inherit pkgs;
|
||||
tests =
|
||||
mergeTests (importFiles [
|
||||
./test/modules/arr.nix
|
||||
./test/modules/davfs.nix
|
||||
# TODO: Make this not use IFD
|
||||
./test/modules/lib.nix
|
||||
./test/modules/nginx.nix
|
||||
./test/modules/postgresql.nix
|
||||
]);
|
||||
};
|
||||
|
||||
# TODO: Make this not use IFD
|
||||
lib = nix-flake-tests.lib.check {
|
||||
inherit pkgs;
|
||||
tests = pkgs.callPackage ./test/modules/lib.nix {};
|
||||
|
@ -119,7 +123,7 @@
|
|||
// (vm_test "deluge" ./test/services/deluge.nix)
|
||||
// (vm_test "forgejo" ./test/services/forgejo.nix)
|
||||
// (vm_test "grocy" ./test/services/grocy.nix)
|
||||
// (vm_test "home-assistant" ./test/services/home-assistant.nix)
|
||||
// (vm_test "homeassistant" ./test/services/home-assistant.nix)
|
||||
// (vm_test "jellyfin" ./test/services/jellyfin.nix)
|
||||
// (vm_test "monitoring" ./test/services/monitoring.nix)
|
||||
// (vm_test "nextcloud" ./test/services/nextcloud.nix)
|
||||
|
@ -131,7 +135,11 @@
|
|||
// (vm_test "postgresql" ./test/blocks/postgresql.nix)
|
||||
// (vm_test "restic" ./test/blocks/restic.nix)
|
||||
// (vm_test "ssl" ./test/blocks/ssl.nix)
|
||||
);
|
||||
|
||||
// (vm_test "contracts-secret" ./test/contracts/secret.nix)
|
||||
));
|
||||
}
|
||||
);
|
||||
) // {
|
||||
herculesCI.ciSystems = [ "x86_64-linux" ];
|
||||
};
|
||||
}
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
{ pkgs, lib }:
|
||||
let
|
||||
inherit (builtins) isAttrs hasAttr;
|
||||
inherit (lib) concatStringsSep;
|
||||
inherit (lib) concatMapStringsSep concatStringsSep mapAttrsToList;
|
||||
in
|
||||
rec {
|
||||
# Replace secrets in a file.
|
||||
|
@ -31,17 +31,34 @@ rec {
|
|||
resultPath = newPath;
|
||||
};
|
||||
|
||||
genReplacement = secret:
|
||||
let
|
||||
t = { transform ? null, ... }: if isNull transform then x: x else transform;
|
||||
in
|
||||
lib.attrsets.nameValuePair (secretName secret.name) ((t secret) "$(cat ${toString secret.source})");
|
||||
|
||||
replaceSecretsScript = { file, resultPath, replacements, user ? null, permissions ? "u=r,g=r,o=" }:
|
||||
let
|
||||
templatePath = resultPath + ".template";
|
||||
sedPatterns = lib.strings.concatStringsSep " " (lib.attrsets.mapAttrsToList (from: to: "-e \"s|${from}|${to}|\"") replacements);
|
||||
sedCmd = if replacements == {}
|
||||
|
||||
# We check that the files containing the secrets have the
|
||||
# correct permissions for us to read them in this separate
|
||||
# step. Otherwise, the $(cat ...) commands inside the sed
|
||||
# replacements could fail but not fail individually but
|
||||
# not fail the whole script.
|
||||
checkPermissions = concatMapStringsSep "\n" (pattern: "cat ${pattern.source} > /dev/null") replacements;
|
||||
|
||||
sedPatterns = concatMapStringsSep " " (pattern: "-e \"s|${pattern.name}|${pattern.value}|\"") (map genReplacement replacements);
|
||||
|
||||
sedCmd = if replacements == []
|
||||
then "cat"
|
||||
else "${pkgs.gnused}/bin/sed ${sedPatterns}";
|
||||
in
|
||||
''
|
||||
set -euo pipefail
|
||||
|
||||
${checkPermissions}
|
||||
|
||||
mkdir -p $(dirname ${templatePath})
|
||||
ln -fs ${file} ${templatePath}
|
||||
rm -f ${resultPath}
|
||||
|
@ -71,8 +88,8 @@ rec {
|
|||
};
|
||||
};
|
||||
|
||||
secretName = name:
|
||||
"%SECRET${lib.strings.toUpper (lib.strings.concatMapStrings (s: "_" + s) name)}%";
|
||||
secretName = names:
|
||||
"%SECRET${lib.strings.toUpper (lib.strings.concatMapStrings (s: "_" + s) names)}%";
|
||||
|
||||
withReplacements = attrs:
|
||||
let
|
||||
|
@ -91,15 +108,8 @@ rec {
|
|||
else value // { name = name; };
|
||||
|
||||
secretsWithName = mapAttrsRecursiveCond (v: ! v ? "source") addNameField attrs;
|
||||
|
||||
allSecrets = collect (v: builtins.isAttrs v && v ? "source") secretsWithName;
|
||||
|
||||
t = { transform ? null, ... }: if isNull transform then x: x else transform;
|
||||
|
||||
genReplacement = secret:
|
||||
lib.attrsets.nameValuePair (secretName secret.name) ((t secret) "$(cat ${toString secret.source})");
|
||||
in
|
||||
lib.attrsets.listToAttrs (map genReplacement allSecrets);
|
||||
collect (v: builtins.isAttrs v && v ? "source") secretsWithName;
|
||||
|
||||
# Inspired lib.attrsets.mapAttrsRecursiveCond but also recurses on lists.
|
||||
mapAttrsRecursiveCond =
|
||||
|
@ -238,7 +248,7 @@ rec {
|
|||
results = pkgs.lib.runTests tests;
|
||||
in
|
||||
if results != [ ] then
|
||||
builtins.throw (builtins.concatStringsSep "\n" (map resultToString (lib.traceValSeqN 3 results)))
|
||||
builtins.throw (concatStringsSep "\n" (map resultToString (lib.traceValSeqN 3 results)))
|
||||
else
|
||||
pkgs.runCommand "nix-flake-tests-success" { } "echo > $out";
|
||||
|
||||
|
|
|
@ -1,7 +1,8 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
{ config, options, pkgs, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.shb.authelia;
|
||||
opt = options.shb.authelia;
|
||||
|
||||
contracts = pkgs.callPackage ../contracts {};
|
||||
shblib = pkgs.callPackage ../../lib {};
|
||||
|
@ -67,33 +68,45 @@ in
|
|||
description = "Secrets needed by Authelia";
|
||||
type = lib.types.submodule {
|
||||
options = {
|
||||
jwtSecretFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "File containing the JWT secret.";
|
||||
jwtSecret = contracts.secret.mkOption {
|
||||
description = "JWT secret.";
|
||||
mode = "0400";
|
||||
owner = cfg.autheliaUser;
|
||||
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
|
||||
};
|
||||
ldapAdminPasswordFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "File containing the LDAP admin user password.";
|
||||
ldapAdminPassword = contracts.secret.mkOption {
|
||||
description = "LDAP admin user password.";
|
||||
mode = "0400";
|
||||
owner = cfg.autheliaUser;
|
||||
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
|
||||
};
|
||||
sessionSecretFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "File containing the session secret.";
|
||||
sessionSecret = contracts.secret.mkOption {
|
||||
description = "Session secret.";
|
||||
mode = "0400";
|
||||
owner = cfg.autheliaUser;
|
||||
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
|
||||
};
|
||||
storageEncryptionKeyFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "File containing the storage encryption key.";
|
||||
storageEncryptionKey = contracts.secret.mkOption {
|
||||
description = "Storage encryption key.";
|
||||
mode = "0400";
|
||||
owner = cfg.autheliaUser;
|
||||
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
|
||||
};
|
||||
identityProvidersOIDCHMACSecretFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "File containing the identity provider OIDC HMAC secret.";
|
||||
identityProvidersOIDCHMACSecret = contracts.secret.mkOption {
|
||||
description = "Identity provider OIDC HMAC secret.";
|
||||
mode = "0400";
|
||||
owner = cfg.autheliaUser;
|
||||
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
|
||||
};
|
||||
identityProvidersOIDCIssuerPrivateKeyFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
identityProvidersOIDCIssuerPrivateKey = contracts.secret.mkOption {
|
||||
description = ''
|
||||
File containing the identity provider OIDC issuer private key.
|
||||
Identity provider OIDC issuer private key.
|
||||
|
||||
Generate one with `nix run nixpkgs#openssl -- genrsa -out keypair.pem 2048`
|
||||
'';
|
||||
mode = "0400";
|
||||
owner = cfg.autheliaUser;
|
||||
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -207,9 +220,11 @@ in
|
|||
type = lib.types.str;
|
||||
description = "Username to connect to the SMTP host.";
|
||||
};
|
||||
passwordFile = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
password = contracts.secret.mkOption {
|
||||
description = "File containing the password to connect to the SMTP host.";
|
||||
mode = "0400";
|
||||
owner = cfg.autheliaUser;
|
||||
restartUnits = [ "authelia-${fqdn}" ];
|
||||
};
|
||||
};
|
||||
}))
|
||||
|
@ -282,19 +297,20 @@ in
|
|||
user = cfg.autheliaUser;
|
||||
|
||||
secrets = {
|
||||
inherit (cfg.secrets) jwtSecretFile storageEncryptionKeyFile;
|
||||
jwtSecretFile = cfg.secrets.jwtSecret.result.path;
|
||||
storageEncryptionKeyFile = cfg.secrets.storageEncryptionKey.result.path;
|
||||
};
|
||||
# See https://www.authelia.com/configuration/methods/secrets/
|
||||
environmentVariables = {
|
||||
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = toString cfg.secrets.ldapAdminPasswordFile;
|
||||
AUTHELIA_SESSION_SECRET_FILE = toString cfg.secrets.sessionSecretFile;
|
||||
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = toString cfg.secrets.ldapAdminPassword.result.path;
|
||||
AUTHELIA_SESSION_SECRET_FILE = toString cfg.secrets.sessionSecret.result.path;
|
||||
# Not needed since we use peer auth.
|
||||
# AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/run/secrets/authelia/postgres_password";
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = toString cfg.secrets.storageEncryptionKeyFile;
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = toString cfg.secrets.identityProvidersOIDCHMACSecretFile;
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = toString cfg.secrets.identityProvidersOIDCIssuerPrivateKeyFile;
|
||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = toString cfg.secrets.storageEncryptionKey.result.path;
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = toString cfg.secrets.identityProvidersOIDCHMACSecret.result.path;
|
||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = toString cfg.secrets.identityProvidersOIDCIssuerPrivateKey.result.path;
|
||||
|
||||
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = lib.mkIf (!(builtins.isString cfg.smtp)) (toString cfg.smtp.passwordFile);
|
||||
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = lib.mkIf (!(builtins.isString cfg.smtp)) (toString cfg.smtp.password.result.path);
|
||||
};
|
||||
settings = {
|
||||
server.address = "tcp://127.0.0.1:9091";
|
||||
|
|
108
modules/blocks/hardcodedsecret.nix
Normal file
108
modules/blocks/hardcodedsecret.nix
Normal file
|
@ -0,0 +1,108 @@
|
|||
{ config, options, lib, pkgs, ... }:
|
||||
let
|
||||
cfg = config.shb.hardcodedsecret;
|
||||
opt = options.shb.hardcodedsecret;
|
||||
|
||||
inherit (lib) mapAttrs' mkOption nameValuePair;
|
||||
inherit (lib.types) attrsOf listOf path nullOr str submodule;
|
||||
inherit (pkgs) writeText;
|
||||
in
|
||||
{
|
||||
options.shb.hardcodedsecret = mkOption {
|
||||
default = {};
|
||||
description = ''
|
||||
Hardcoded secrets. These should only be used in tests.
|
||||
'';
|
||||
example = lib.literalExpression ''
|
||||
{
|
||||
mySecret = {
|
||||
user = "me";
|
||||
mode = "0400";
|
||||
restartUnits = [ "myservice.service" ];
|
||||
content = "My Secrets";
|
||||
};
|
||||
}
|
||||
'';
|
||||
type = attrsOf (submodule ({ name, ... }: {
|
||||
options = {
|
||||
mode = mkOption {
|
||||
description = ''
|
||||
Mode of the secret file.
|
||||
'';
|
||||
type = str;
|
||||
default = "0400";
|
||||
};
|
||||
|
||||
owner = mkOption {
|
||||
description = ''
|
||||
Linux user owning the secret file.
|
||||
'';
|
||||
type = str;
|
||||
default = "root";
|
||||
};
|
||||
|
||||
group = mkOption {
|
||||
description = ''
|
||||
Linux group owning the secret file.
|
||||
'';
|
||||
type = str;
|
||||
default = "root";
|
||||
};
|
||||
|
||||
restartUnits = mkOption {
|
||||
description = ''
|
||||
Systemd units to restart after the secret is updated.
|
||||
'';
|
||||
type = listOf str;
|
||||
default = [];
|
||||
};
|
||||
|
||||
path = mkOption {
|
||||
type = path;
|
||||
description = ''
|
||||
Path to the file containing the secret generated out of band.
|
||||
|
||||
This path will exist after deploying to a target host,
|
||||
it is not available through the nix store.
|
||||
'';
|
||||
default = "/run/hardcodedsecrets/hardcodedsecret_${name}";
|
||||
};
|
||||
|
||||
content = mkOption {
|
||||
type = nullOr str;
|
||||
description = ''
|
||||
Content of the secret.
|
||||
|
||||
This will be stored in the nix store and should only be used for testing or maybe in dev.
|
||||
'';
|
||||
default = null;
|
||||
};
|
||||
|
||||
source = mkOption {
|
||||
type = nullOr str;
|
||||
description = ''
|
||||
Source of the content of the secret.
|
||||
'';
|
||||
default = null;
|
||||
};
|
||||
};
|
||||
}));
|
||||
};
|
||||
|
||||
config = {
|
||||
system.activationScripts = mapAttrs' (n: cfg':
|
||||
let
|
||||
source = if cfg'.source != null
|
||||
then cfg'.source
|
||||
else writeText "hardcodedsecret_${n}_content" cfg'.content;
|
||||
in
|
||||
nameValuePair "hardcodedsecret_${n}" ''
|
||||
mkdir -p "$(dirname "${cfg'.path}")"
|
||||
touch "${cfg'.path}"
|
||||
chmod ${cfg'.mode} "${cfg'.path}"
|
||||
chown ${cfg'.owner}:${cfg'.group} "${cfg'.path}"
|
||||
cp ${source} "${cfg'.path}"
|
||||
''
|
||||
) cfg;
|
||||
};
|
||||
}
|
|
@ -112,9 +112,12 @@ in
|
|||
'';
|
||||
readOnly = true;
|
||||
default = {
|
||||
user = "lldap";
|
||||
# TODO: is there a workaround that avoid needing to use root?
|
||||
# root because otherwise we cannot access the private StateDiretory
|
||||
user = "root";
|
||||
# /private because the systemd service uses DynamicUser=true
|
||||
sourceDirectories = [
|
||||
"/var/lib/lldap"
|
||||
"/var/lib/private/lldap"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
|
|
@ -1,7 +1,10 @@
|
|||
{ lib }:
|
||||
{ pkgs, lib }:
|
||||
{
|
||||
backup = import ./backup.nix { inherit lib; };
|
||||
mount = import ./mount.nix { inherit lib; };
|
||||
secret = import ./secret.nix { inherit lib; };
|
||||
ssl = import ./ssl.nix { inherit lib; };
|
||||
test = {
|
||||
secret = import ./secret/test.nix { inherit pkgs lib; };
|
||||
};
|
||||
}
|
||||
|
|
64
modules/contracts/secret/test.nix
Normal file
64
modules/contracts/secret/test.nix
Normal file
|
@ -0,0 +1,64 @@
|
|||
{ pkgs, lib, ... }:
|
||||
let
|
||||
pkgs' = pkgs;
|
||||
|
||||
testLib = pkgs.callPackage ../../../test/common.nix {};
|
||||
|
||||
inherit (lib) getAttrFromPath setAttrByPath;
|
||||
inherit (lib) mkIf;
|
||||
in
|
||||
{ name,
|
||||
configRoot,
|
||||
createContent, # config to create a secret with value "secretA".
|
||||
modules ? [],
|
||||
owner ? "root",
|
||||
group ? "root",
|
||||
mode ? "0400",
|
||||
restartUnits ? [ "myunit.service" ],
|
||||
}: pkgs.testers.runNixOSTest {
|
||||
name = "secret_${name}_${owner}_${group}_${mode}";
|
||||
|
||||
nodes.machine = { config, ... }: {
|
||||
imports = ( testLib.baseImports pkgs' ) ++ modules;
|
||||
config = lib.mkMerge [
|
||||
(setAttrByPath configRoot {
|
||||
A = {
|
||||
inherit owner group mode restartUnits;
|
||||
} // createContent;
|
||||
})
|
||||
(mkIf (owner != "root") {
|
||||
users.users.${owner}.isNormalUser = true;
|
||||
})
|
||||
(mkIf (group != "root") {
|
||||
users.groups.${group} = {};
|
||||
})
|
||||
];
|
||||
};
|
||||
|
||||
testScript = { nodes, ... }:
|
||||
let
|
||||
cfg = (getAttrFromPath configRoot nodes.machine)."A";
|
||||
in
|
||||
''
|
||||
owner = machine.succeed("stat -c '%U' ${cfg.path}").strip()
|
||||
print(f"Got owner {owner}")
|
||||
if owner != "${owner}":
|
||||
raise Exception(f"Owner should be '${owner}' but got '{owner}'")
|
||||
|
||||
group = machine.succeed("stat -c '%G' ${cfg.path}").strip()
|
||||
print(f"Got group {group}")
|
||||
if group != "${group}":
|
||||
raise Exception(f"Group should be '${group}' but got '{group}'")
|
||||
|
||||
mode = str(int(machine.succeed("stat -c '%a' ${cfg.path}").strip()))
|
||||
print(f"Got mode {mode}")
|
||||
wantedMode = str(int("${mode}"))
|
||||
if mode != wantedMode:
|
||||
raise Exception(f"Mode should be '{wantedMode}' but got '{mode}'")
|
||||
|
||||
content = machine.succeed("cat ${cfg.path}").strip()
|
||||
print(f"Got content {content}")
|
||||
if content != "secretA":
|
||||
raise Exception(f"Content should be 'secretA' but got '{content}'")
|
||||
'';
|
||||
}
|
|
@ -82,14 +82,12 @@ in
|
|||
default = "admin";
|
||||
};
|
||||
|
||||
adminPasswordFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = ''
|
||||
File containing the admin password of the LDAP server.
|
||||
|
||||
Must be readable by the forgejo system user.
|
||||
'';
|
||||
default = "";
|
||||
adminPassword = contracts.secret.mkOption {
|
||||
description = "LDAP admin password.";
|
||||
mode = "0440";
|
||||
owner = "forgejo";
|
||||
group = "forgejo";
|
||||
restartUnits = [ "forgejo.service" ];
|
||||
};
|
||||
|
||||
userGroup = lib.mkOption {
|
||||
|
@ -140,37 +138,37 @@ in
|
|||
default = "one_factor";
|
||||
};
|
||||
|
||||
secretFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = ''
|
||||
File containing the secret for the OIDC endpoint.
|
||||
|
||||
Must be readable by the forgejo system user.
|
||||
'';
|
||||
sharedSecret = contracts.secret.mkOption {
|
||||
description = "OIDC shared secret for Forgejo.";
|
||||
mode = "0440";
|
||||
owner = "forgejo";
|
||||
group = "forgejo";
|
||||
restartUnits = [ "forgejo.service" ];
|
||||
};
|
||||
|
||||
secretFileForAuthelia = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = ''
|
||||
File containing the secret for the OIDC endpoint, must be readable by the Authelia user.
|
||||
|
||||
Must be readable by the authelia system user.
|
||||
'';
|
||||
sharedSecretForAuthelia = contracts.secret.mkOption {
|
||||
description = "OIDC shared secret for Authelia.";
|
||||
mode = "0400";
|
||||
owner = "authelia";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
adminPasswordFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
adminPassword = contracts.secret.mkOption {
|
||||
description = "File containing the Forgejo admin user password.";
|
||||
example = "/run/secrets/forgejo/adminPassword";
|
||||
mode = "0440";
|
||||
owner = "forgejo";
|
||||
group = "forgejo";
|
||||
restartUnits = [ "forgejo.service" ];
|
||||
};
|
||||
|
||||
databasePasswordFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
databasePassword = contracts.secret.mkOption {
|
||||
description = "File containing the Forgejo database password.";
|
||||
example = "/run/secrets/forgejo/databasePassword";
|
||||
mode = "0440";
|
||||
owner = "forgejo";
|
||||
group = "forgejo";
|
||||
restartUnits = [ "forgejo.service" ];
|
||||
};
|
||||
|
||||
repositoryRoot = lib.mkOption {
|
||||
|
@ -344,7 +342,7 @@ in
|
|||
services.forgejo.database = {
|
||||
type = "postgres";
|
||||
|
||||
passwordFile = cfg.databasePasswordFile;
|
||||
passwordFile = cfg.databasePassword.result.path;
|
||||
};
|
||||
})
|
||||
|
||||
|
@ -380,7 +378,7 @@ in
|
|||
--host ${cfg.ldap.host} \
|
||||
--port ${toString cfg.ldap.port} \
|
||||
--bind-dn uid=${cfg.ldap.adminName},ou=people,${cfg.ldap.dcdomain} \
|
||||
--bind-password $(tr -d '\n' < ${cfg.ldap.adminPasswordFile}) \
|
||||
--bind-password $(tr -d '\n' < ${cfg.ldap.adminPassword.result.path}) \
|
||||
--security-protocol Unencrypted \
|
||||
--user-search-base ou=people,${cfg.ldap.dcdomain} \
|
||||
--user-filter '(&(memberof=cn=${cfg.ldap.userGroup},ou=groups,${cfg.ldap.dcdomain})(|(uid=%[1]s)(mail=%[1]s)))' \
|
||||
|
@ -399,7 +397,7 @@ in
|
|||
--host ${cfg.ldap.host} \
|
||||
--port ${toString cfg.ldap.port} \
|
||||
--bind-dn uid=${cfg.ldap.adminName},ou=people,${cfg.ldap.dcdomain} \
|
||||
--bind-password $(tr -d '\n' < ${cfg.ldap.adminPasswordFile}) \
|
||||
--bind-password $(tr -d '\n' < ${cfg.ldap.adminPassword.result.path}) \
|
||||
--security-protocol Unencrypted \
|
||||
--user-search-base ou=people,${cfg.ldap.dcdomain} \
|
||||
--user-filter '(&(memberof=cn=${cfg.ldap.userGroup},ou=groups,${cfg.ldap.dcdomain})(|(uid=%[1]s)(mail=%[1]s)))' \
|
||||
|
@ -456,7 +454,7 @@ in
|
|||
--name ${provider} \
|
||||
--provider openidConnect \
|
||||
--key forgejo \
|
||||
--secret $(tr -d '\n' < ${cfg.sso.secretFile}) \
|
||||
--secret $(tr -d '\n' < ${cfg.sso.sharedSecret.result.path}) \
|
||||
--auto-discover-url ${cfg.sso.endpoint}/.well-known/openid-configuration
|
||||
else
|
||||
echo Did not find any sso configuration, creating one with name ${provider}.
|
||||
|
@ -464,7 +462,7 @@ in
|
|||
--name ${provider} \
|
||||
--provider openidConnect \
|
||||
--key forgejo \
|
||||
--secret $(tr -d '\n' < ${cfg.sso.secretFile}) \
|
||||
--secret $(tr -d '\n' < ${cfg.sso.sharedSecret.result.path}) \
|
||||
--auto-discover-url ${cfg.sso.endpoint}/.well-known/openid-configuration
|
||||
fi
|
||||
'';
|
||||
|
@ -475,7 +473,7 @@ in
|
|||
in {
|
||||
client_id = cfg.sso.clientID;
|
||||
client_name = "Forgejo";
|
||||
client_secret.source = cfg.sso.secretFileForAuthelia;
|
||||
client_secret.source = cfg.sso.sharedSecretForAuthelia.result.path;
|
||||
public = false;
|
||||
authorization_policy = cfg.sso.authorization_policy;
|
||||
redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/user/oauth2/${provider}/callback" ];
|
||||
|
@ -486,8 +484,8 @@ in
|
|||
(lib.mkIf cfg.enable {
|
||||
systemd.services.forgejo.preStart = ''
|
||||
admin="${lib.getExe config.services.forgejo.package} admin user"
|
||||
$admin create --admin --email "root@localhost" --username meadmin --password "$(tr -d '\n' < ${cfg.adminPasswordFile})" || true
|
||||
$admin change-password --username meadmin --password "$(tr -d '\n' < ${cfg.adminPasswordFile})" || true
|
||||
$admin create --admin --email "root@localhost" --username meadmin --password "$(tr -d '\n' < ${cfg.adminPassword.result.path})" || true
|
||||
$admin change-password --username meadmin --password "$(tr -d '\n' < ${cfg.adminPassword.result.path})" || true
|
||||
'';
|
||||
})
|
||||
|
||||
|
|
|
@ -67,9 +67,12 @@ in
|
|||
default = "jellyfin_admin";
|
||||
};
|
||||
|
||||
passwordFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "File containing the LDAP admin password.";
|
||||
adminPassword = contracts.secret.mkOption {
|
||||
description = "LDAP admin password.";
|
||||
mode = "0440";
|
||||
owner = "jellyfin";
|
||||
group = "jellyfin";
|
||||
restartUnits = [ "jellyfin.service" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -118,9 +121,18 @@ in
|
|||
default = "one_factor";
|
||||
};
|
||||
|
||||
secretFile = lib.mkOption {
|
||||
type = lib.types.path;
|
||||
description = "File containing the OIDC shared secret.";
|
||||
sharedSecret = contracts.secret.mkOption {
|
||||
description = "OIDC shared secret for Jellyfin.";
|
||||
mode = "0440";
|
||||
owner = "jellyfin";
|
||||
group = "jellyfin";
|
||||
restartUnits = [ "jellyfin.service" ];
|
||||
};
|
||||
|
||||
sharedSecretForAuthelia = contracts.secret.mkOption {
|
||||
description = "OIDC shared secret for Authelia.";
|
||||
mode = "0400";
|
||||
owner = config.shb.authelia.autheliaUser;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
@ -400,30 +412,35 @@ in
|
|||
lib.strings.optionalString cfg.ldap.enable (shblib.replaceSecretsScript {
|
||||
file = ldapConfig;
|
||||
resultPath = "/var/lib/jellyfin/plugins/configurations/LDAP-Auth.xml";
|
||||
replacements = {
|
||||
"%LDAP_PASSWORD%" = "$(cat ${cfg.ldap.passwordFile})";
|
||||
};
|
||||
replacements = [
|
||||
{
|
||||
name = [ "%LDAP_PASSWORD%" ];
|
||||
source = cfg.ldap.adminPassword.result.path;
|
||||
}
|
||||
];
|
||||
})
|
||||
+ lib.strings.optionalString cfg.sso.enable (shblib.replaceSecretsScript {
|
||||
file = ssoConfig;
|
||||
resultPath = "/var/lib/jellyfin/plugins/configurations/SSO-Auth.xml";
|
||||
replacements = {
|
||||
"%SSO_SECRET%" = "$(cat ${cfg.sso.secretFile})";
|
||||
};
|
||||
replacements = [
|
||||
{
|
||||
name = [ "%SSO_SECRET%" ];
|
||||
source = cfg.sso.sharedSecret.result.path;
|
||||
}
|
||||
];
|
||||
})
|
||||
+ lib.strings.optionalString cfg.sso.enable (shblib.replaceSecretsScript {
|
||||
file = brandingConfig;
|
||||
resultPath = "/var/lib/jellyfin/config/branding.xml";
|
||||
replacements = {
|
||||
"%a%" = "%a%";
|
||||
};
|
||||
replacements = [
|
||||
];
|
||||
});
|
||||
|
||||
shb.authelia.oidcClients = lib.lists.optionals (!(isNull cfg.sso)) [
|
||||
{
|
||||
client_id = cfg.sso.clientID;
|
||||
client_name = "Jellyfin";
|
||||
client_secret.source = cfg.sso.secretFile;
|
||||
client_secret.source = cfg.sso.sharedSecretForAuthelia.result.path;
|
||||
public = false;
|
||||
authorization_policy = cfg.sso.authorization_policy;
|
||||
redirect_uris = [ "https://${cfg.subdomain}.${cfg.domain}/sso/OID/r/${cfg.sso.provider}" ];
|
||||
|
|
|
@ -13,6 +13,7 @@ in
|
|||
(pkgs'.path + "/nixos/modules/profiles/headless.nix")
|
||||
(pkgs'.path + "/nixos/modules/profiles/qemu-guest.nix")
|
||||
../../modules/blocks/authelia.nix
|
||||
../../modules/blocks/hardcodedsecret.nix
|
||||
../../modules/blocks/ldap.nix
|
||||
../../modules/blocks/postgresql.nix
|
||||
];
|
||||
|
@ -44,14 +45,12 @@ in
|
|||
ldapPort = config.shb.ldap.ldapPort;
|
||||
dcdomain = config.shb.ldap.dcdomain;
|
||||
secrets = {
|
||||
jwtSecretFile = pkgs.writeText "jwtSecretFile" "jwtSecretFile";
|
||||
ldapAdminPasswordFile = pkgs.writeText "ldapAdminPasswordFile" ldapAdminPassword;
|
||||
sessionSecretFile = pkgs.writeText "sessionSecretFile" "sessionSecretFile";
|
||||
storageEncryptionKeyFile = pkgs.writeText "storageEncryptionKeyFile" "storageEncryptionKeyFile";
|
||||
identityProvidersOIDCHMACSecretFile = pkgs.writeText "identityProvidersOIDCHMACSecretFile" "identityProvidersOIDCHMACSecretFile";
|
||||
# This needs to be of the correct shape and at least 2048 bits. Generated with:
|
||||
# nix run nixpkgs#openssl -- genrsa -out keypair.pem 2048
|
||||
identityProvidersOIDCIssuerPrivateKeyFile = pkgs.writeText "identityProvidersOIDCIssuerPrivateKeyFile" (builtins.readFile ./keypair.pem);
|
||||
jwtSecret.result.path = config.shb.hardcodedsecret.autheliaJwtSecret.path;
|
||||
ldapAdminPassword.result.path = config.shb.hardcodedsecret.ldapAdminPassword.path;
|
||||
sessionSecret.result.path = config.shb.hardcodedsecret.sessionSecret.path;
|
||||
storageEncryptionKey.result.path = config.shb.hardcodedsecret.storageEncryptionKey.path;
|
||||
identityProvidersOIDCHMACSecret.result.path = config.shb.hardcodedsecret.identityProvidersOIDCHMACSecret.path;
|
||||
identityProvidersOIDCIssuerPrivateKey.result.path = config.shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey.path;
|
||||
};
|
||||
|
||||
oidcClients = [
|
||||
|
@ -73,6 +72,28 @@ in
|
|||
}
|
||||
];
|
||||
};
|
||||
|
||||
shb.hardcodedsecret.autheliaJwtSecret = config.shb.authelia.secrets.jwtSecret.request // {
|
||||
content = "jwtSecret";
|
||||
};
|
||||
shb.hardcodedsecret.ldapAdminPassword = config.shb.authelia.secrets.ldapAdminPassword.request // {
|
||||
content = ldapAdminPassword;
|
||||
};
|
||||
shb.hardcodedsecret.sessionSecret = config.shb.authelia.secrets.sessionSecret.request // {
|
||||
content = "sessionSecret";
|
||||
};
|
||||
shb.hardcodedsecret.storageEncryptionKey = config.shb.authelia.secrets.storageEncryptionKey.request // {
|
||||
content = "storageEncryptionKey";
|
||||
};
|
||||
shb.hardcodedsecret.identityProvidersOIDCHMACSecret = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request // {
|
||||
content = "identityProvidersOIDCHMACSecret";
|
||||
};
|
||||
shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request // {
|
||||
source = (pkgs.runCommand "gen-private-key" {} ''
|
||||
mkdir $out
|
||||
${pkgs.openssl}/bin/openssl genrsa -out $out/private.pem 4096
|
||||
'') + "/private.pem";
|
||||
};
|
||||
};
|
||||
|
||||
testScript = { nodes, ... }: ''
|
||||
|
|
|
@ -12,11 +12,25 @@ let
|
|||
commonTest = user: pkgs.testers.runNixOSTest {
|
||||
name = "restic_backupAndRestore_${user}";
|
||||
|
||||
nodes.machine = {
|
||||
nodes.machine = { config, ... }: {
|
||||
imports = ( testLib.baseImports pkgs' ) ++ [
|
||||
../../modules/blocks/hardcodedsecret.nix
|
||||
../../modules/blocks/restic.nix
|
||||
];
|
||||
|
||||
shb.hardcodedsecret.A = {
|
||||
owner = "root";
|
||||
group = "keys";
|
||||
mode = "0440";
|
||||
content = "secretA";
|
||||
};
|
||||
shb.hardcodedsecret.B = {
|
||||
owner = "root";
|
||||
group = "keys";
|
||||
mode = "0440";
|
||||
content = "secretB";
|
||||
};
|
||||
|
||||
shb.restic.instances."testinstance" = {
|
||||
enable = true;
|
||||
|
||||
|
@ -39,8 +53,8 @@ let
|
|||
# Those are not needed by the repository but are still included
|
||||
# so we can test them in the hooks section.
|
||||
secrets = {
|
||||
A.source = "/run/secrets/A";
|
||||
B.source = "/run/secrets/B";
|
||||
A.source = config.shb.hardcodedsecret.A.path;
|
||||
B.source = config.shb.hardcodedsecret.B.path;
|
||||
};
|
||||
}
|
||||
{
|
||||
|
@ -97,19 +111,6 @@ let
|
|||
if len(result) > 0:
|
||||
raise Exception("Unexpected files:", result)
|
||||
|
||||
with subtest("Create secrets"):
|
||||
print(machine.succeed("""
|
||||
mkdir -p /run/secrets/
|
||||
|
||||
echo secretA > /run/secrets/A
|
||||
echo secretB > /run/secrets/B
|
||||
|
||||
chown root:keys -R /run/secrets
|
||||
find /run/secrets -type d -exec chmod u=rwx,g=rx,o=x '{}' ';'
|
||||
find /run/secrets -type f -exec chmod u=r,g=r,o= '{}' ';'
|
||||
ls -l /run/secrets
|
||||
"""))
|
||||
|
||||
with subtest("Create initial content"):
|
||||
machine.succeed("""
|
||||
mkdir -p /opt/files/A
|
||||
|
|
|
@ -1,6 +1,4 @@
|
|||
{
|
||||
lib,
|
||||
}:
|
||||
{ lib }:
|
||||
let
|
||||
baseImports = pkgs: [
|
||||
(pkgs.path + "/nixos/modules/profiles/headless.nix")
|
||||
|
@ -109,6 +107,7 @@ in
|
|||
../modules/blocks/postgresql.nix
|
||||
../modules/blocks/authelia.nix
|
||||
../modules/blocks/nginx.nix
|
||||
../modules/blocks/hardcodedsecret.nix
|
||||
]
|
||||
++ additionalModules;
|
||||
|
||||
|
@ -138,7 +137,7 @@ in
|
|||
systemd.services.nginx.requires = [ config.shb.certs.certs.selfsigned.n.systemdService ];
|
||||
};
|
||||
|
||||
ldap = domain: pkgs: {
|
||||
ldap = domain: pkgs: { config, ... }: {
|
||||
imports = [
|
||||
../modules/blocks/ldap.nix
|
||||
];
|
||||
|
@ -147,6 +146,13 @@ in
|
|||
"127.0.0.1" = [ "ldap.${domain}" ];
|
||||
};
|
||||
|
||||
shb.hardcodedsecret.ldapUserPassword = config.shb.ldap.ldapUserPassword.request // {
|
||||
content = "ldapUserPassword";
|
||||
};
|
||||
shb.hardcodedsecret.jwtSecret = config.shb.ldap.ldapUserPassword.request // {
|
||||
content = "jwtSecrets";
|
||||
};
|
||||
|
||||
shb.ldap = {
|
||||
enable = true;
|
||||
inherit domain;
|
||||
|
@ -154,8 +160,8 @@ in
|
|||
ldapPort = 3890;
|
||||
webUIListenPort = 17170;
|
||||
dcdomain = "dc=example,dc=com";
|
||||
ldapUserPassword.result.path = pkgs.writeText "ldapUserPassword" "ldapUserPassword";
|
||||
jwtSecret.result.path = pkgs.writeText "jwtSecret" "jwtSecret";
|
||||
ldapUserPassword.result.path = config.shb.hardcodedsecret.ldapUserPassword.path;
|
||||
jwtSecret.result.path = config.shb.hardcodedsecret.jwtSecret.path;
|
||||
};
|
||||
};
|
||||
|
||||
|
@ -179,17 +185,36 @@ in
|
|||
dcdomain = config.shb.ldap.dcdomain;
|
||||
|
||||
secrets = {
|
||||
jwtSecretFile = pkgs.writeText "jwtSecret" "jwtSecret";
|
||||
ldapAdminPasswordFile = pkgs.writeText "ldapUserPassword" "ldapUserPassword";
|
||||
sessionSecretFile = pkgs.writeText "sessionSecret" "sessionSecret";
|
||||
storageEncryptionKeyFile = pkgs.writeText "storageEncryptionKey" "storageEncryptionKey";
|
||||
identityProvidersOIDCHMACSecretFile = pkgs.writeText "identityProvidersOIDCHMACSecret" "identityProvidersOIDCHMACSecret";
|
||||
identityProvidersOIDCIssuerPrivateKeyFile = (pkgs.runCommand "gen-private-key" {} ''
|
||||
mkdir $out
|
||||
${pkgs.openssl}/bin/openssl genrsa -out $out/private.pem 4096
|
||||
'') + "/private.pem";
|
||||
jwtSecret.result.path = config.shb.hardcodedsecret.autheliaJwtSecret.path;
|
||||
ldapAdminPassword.result.path = config.shb.hardcodedsecret.ldapAdminPassword.path;
|
||||
sessionSecret.result.path = config.shb.hardcodedsecret.sessionSecret.path;
|
||||
storageEncryptionKey.result.path = config.shb.hardcodedsecret.storageEncryptionKey.path;
|
||||
identityProvidersOIDCHMACSecret.result.path = config.shb.hardcodedsecret.identityProvidersOIDCHMACSecret.path;
|
||||
identityProvidersOIDCIssuerPrivateKey.result.path = config.shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey.path;
|
||||
};
|
||||
};
|
||||
|
||||
shb.hardcodedsecret.autheliaJwtSecret = config.shb.authelia.secrets.jwtSecret.request // {
|
||||
content = "jwtSecret";
|
||||
};
|
||||
shb.hardcodedsecret.ldapAdminPassword = config.shb.authelia.secrets.ldapAdminPassword.request // {
|
||||
content = "ldapUserPassword";
|
||||
};
|
||||
shb.hardcodedsecret.sessionSecret = config.shb.authelia.secrets.sessionSecret.request // {
|
||||
content = "sessionSecret";
|
||||
};
|
||||
shb.hardcodedsecret.storageEncryptionKey = config.shb.authelia.secrets.storageEncryptionKey.request // {
|
||||
content = "storageEncryptionKey";
|
||||
};
|
||||
shb.hardcodedsecret.identityProvidersOIDCHMACSecret = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request // {
|
||||
content = "identityProvidersOIDCHMACSecret";
|
||||
};
|
||||
shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request // {
|
||||
source = (pkgs.runCommand "gen-private-key" {} ''
|
||||
mkdir $out
|
||||
${pkgs.openssl}/bin/openssl genrsa -out $out/private.pem 4096
|
||||
'') + "/private.pem";
|
||||
};
|
||||
};
|
||||
|
||||
}
|
||||
|
|
35
test/contracts/secret.nix
Normal file
35
test/contracts/secret.nix
Normal file
|
@ -0,0 +1,35 @@
|
|||
{ pkgs, ... }:
|
||||
let
|
||||
contracts = pkgs.callPackage ../../modules/contracts {};
|
||||
in
|
||||
{
|
||||
hardcoded_root_root = contracts.test.secret {
|
||||
name = "hardcoded";
|
||||
modules = [ ../../modules/blocks/hardcodedsecret.nix ];
|
||||
configRoot = [ "shb" "hardcodedsecret" ];
|
||||
createContent = {
|
||||
content = "secretA";
|
||||
};
|
||||
};
|
||||
|
||||
hardcoded_user_group = contracts.test.secret {
|
||||
name = "hardcoded";
|
||||
modules = [ ../../modules/blocks/hardcodedsecret.nix ];
|
||||
configRoot = [ "shb" "hardcodedsecret" ];
|
||||
createContent = {
|
||||
content = "secretA";
|
||||
};
|
||||
owner = "user";
|
||||
group = "group";
|
||||
mode = "640";
|
||||
};
|
||||
|
||||
# TODO: how to do this?
|
||||
# sops = contracts.test.secret {
|
||||
# name = "sops";
|
||||
# configRoot = cfg: name: cfg.sops.secrets.${name};
|
||||
# createContent = content: {
|
||||
# sopsFile = ./secret/sops.yaml;
|
||||
# };
|
||||
# };
|
||||
}
|
0
test/contracts/secret/sops.yaml
Normal file
0
test/contracts/secret/sops.yaml
Normal file
|
@ -1,6 +1,8 @@
|
|||
{ pkgs, lib, ... }:
|
||||
let
|
||||
shblib = pkgs.callPackage ../../lib {};
|
||||
|
||||
inherit (lib) nameValuePair;
|
||||
in
|
||||
{
|
||||
# Tests that withReplacements can:
|
||||
|
@ -79,15 +81,15 @@ in
|
|||
testLibGetReplacements = {
|
||||
expected =
|
||||
let
|
||||
secrets = root: {
|
||||
"%SECRET_${root}B%" = "$(cat /path/B)";
|
||||
"%SECRET_${root}C%" = "prefix-$(cat /path/C)-suffix";
|
||||
};
|
||||
secrets = root: [
|
||||
(nameValuePair "%SECRET_${root}B%" "$(cat /path/B)")
|
||||
(nameValuePair "%SECRET_${root}C%" "prefix-$(cat /path/C)-suffix")
|
||||
];
|
||||
in
|
||||
(secrets "") //
|
||||
(secrets "NESTEDATTR_") //
|
||||
(secrets "NESTEDLIST_0_") //
|
||||
(secrets "DOUBLENESTEDLIST_0_N_");
|
||||
(secrets "") ++
|
||||
(secrets "DOUBLENESTEDLIST_0_N_") ++
|
||||
(secrets "NESTEDATTR_") ++
|
||||
(secrets "NESTEDLIST_0_");
|
||||
expr =
|
||||
let
|
||||
item = {
|
||||
|
@ -99,13 +101,13 @@ in
|
|||
c.other = "other";
|
||||
};
|
||||
in
|
||||
shblib.getReplacements (
|
||||
map shblib.genReplacement (shblib.getReplacements (
|
||||
item // {
|
||||
nestedAttr = item;
|
||||
nestedList = [ item ];
|
||||
doubleNestedList = [ { n = item; } ];
|
||||
}
|
||||
);
|
||||
));
|
||||
};
|
||||
|
||||
testParseXML = {
|
||||
|
|
|
@ -29,19 +29,27 @@ let
|
|||
../../modules/services/forgejo.nix
|
||||
];
|
||||
|
||||
basic = {
|
||||
basic = { config, ... }: {
|
||||
shb.forgejo = {
|
||||
enable = true;
|
||||
inherit domain subdomain;
|
||||
|
||||
adminPasswordFile = pkgs.writeText "adminPasswordFile" adminPassword;
|
||||
databasePasswordFile = pkgs.writeText "databasePassword" "databasePassword";
|
||||
adminPassword.result.path = config.shb.hardcodedsecret.forgejoAdminPassword.path;
|
||||
databasePassword.result.path = config.shb.hardcodedsecret.forgejoDatabasePassword.path;
|
||||
};
|
||||
|
||||
# Needed for gitea-runner-local to be able to ping forgejo.
|
||||
networking.hosts = {
|
||||
"127.0.0.1" = [ "${subdomain}.${domain}" ];
|
||||
};
|
||||
|
||||
shb.hardcodedsecret.forgejoAdminPassword = config.shb.forgejo.adminPassword.request // {
|
||||
content = adminPassword;
|
||||
};
|
||||
|
||||
shb.hardcodedsecret.forgejoDatabasePassword = config.shb.forgejo.databasePassword.request // {
|
||||
content = "databasePassword";
|
||||
};
|
||||
};
|
||||
|
||||
https = { config, ... }: {
|
||||
|
@ -57,9 +65,13 @@ let
|
|||
host = "127.0.0.1";
|
||||
port = config.shb.ldap.ldapPort;
|
||||
dcdomain = config.shb.ldap.dcdomain;
|
||||
adminPasswordFile = config.shb.ldap.ldapUserPassword.result.path;
|
||||
adminPassword.result.path = config.shb.hardcodedsecret.forgejoLdapUserPassword.path;
|
||||
};
|
||||
};
|
||||
|
||||
shb.hardcodedsecret.forgejoLdapUserPassword = config.shb.forgejo.ldap.adminPassword.request // {
|
||||
content = "ldapUserPassword";
|
||||
};
|
||||
};
|
||||
|
||||
sso = { config, ... }: {
|
||||
|
@ -67,10 +79,18 @@ let
|
|||
sso = {
|
||||
enable = true;
|
||||
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
|
||||
secretFile = pkgs.writeText "ssoSecretFile" "ssoSecretFile";
|
||||
secretFileForAuthelia = pkgs.writeText "ssoSecretFile" "ssoSecretFile";
|
||||
sharedSecret.result.path = config.shb.hardcodedsecret.forgejoSSOPassword.path;
|
||||
sharedSecretForAuthelia.result.path = config.shb.hardcodedsecret.forgejoSSOPasswordAuthelia.path;
|
||||
};
|
||||
};
|
||||
|
||||
shb.hardcodedsecret.forgejoSSOPassword = config.shb.forgejo.sso.sharedSecret.request // {
|
||||
content = "ssoPassword";
|
||||
};
|
||||
|
||||
shb.hardcodedsecret.forgejoSSOPasswordAuthelia = config.shb.forgejo.sso.sharedSecretForAuthelia.request // {
|
||||
content = "ssoPassword";
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
|
|
|
@ -43,9 +43,13 @@ let
|
|||
host = "127.0.0.1";
|
||||
port = config.shb.ldap.ldapPort;
|
||||
dcdomain = config.shb.ldap.dcdomain;
|
||||
passwordFile = config.shb.ldap.ldapUserPassword.result.path;
|
||||
adminPassword.result.path = config.shb.hardcodedsecret.jellyfinLdapUserPassword.path;
|
||||
};
|
||||
};
|
||||
|
||||
shb.hardcodedsecret.jellyfinLdapUserPassword = config.shb.jellyfin.ldap.adminPassword.request // {
|
||||
content = "ldapUserPassword";
|
||||
};
|
||||
};
|
||||
|
||||
sso = { config, ... }: {
|
||||
|
@ -53,9 +57,18 @@ let
|
|||
sso = {
|
||||
enable = true;
|
||||
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
|
||||
secretFile = pkgs.writeText "ssoSecretFile" "ssoSecretFile";
|
||||
sharedSecret.result.path = config.shb.hardcodedsecret.jellyfinSSOPassword.path;
|
||||
sharedSecretForAuthelia.result.path = config.shb.hardcodedsecret.jellyfinSSOPasswordAuthelia.path;
|
||||
};
|
||||
};
|
||||
|
||||
shb.hardcodedsecret.jellyfinSSOPassword = config.shb.jellyfin.sso.sharedSecret.request // {
|
||||
content = "ssoPassword";
|
||||
};
|
||||
|
||||
shb.hardcodedsecret.jellyfinSSOPasswordAuthelia = config.shb.jellyfin.sso.sharedSecretForAuthelia.request // {
|
||||
content = "ssoPassword";
|
||||
};
|
||||
};
|
||||
in
|
||||
{
|
||||
|
|
Loading…
Reference in a new issue