2023-04-04 09:07:58 +02:00
|
|
|
rec {
|
|
|
|
machine1 = { system
|
|
|
|
, pkgs
|
|
|
|
, lib
|
|
|
|
, utils
|
|
|
|
, domain
|
|
|
|
, secret
|
|
|
|
, ... }:
|
|
|
|
let
|
|
|
|
customPkgs = (pkgs.callPackage (./../../..) {}).customPkgs {
|
|
|
|
inherit system pkgs utils secret;
|
|
|
|
};
|
|
|
|
|
|
|
|
vaultwarden = customPkgs.vaultwarden {};
|
|
|
|
keycloak = customPkgs.keycloak {};
|
|
|
|
|
|
|
|
httpUser = "http";
|
|
|
|
httpGroup = "http";
|
|
|
|
httpRoot = "/usr/share/webapps";
|
|
|
|
|
|
|
|
phpfpmUser = "phpfpm";
|
|
|
|
phpfpmGroup = "phpfpm";
|
|
|
|
phpfpmRoot = "/run/php-fpm";
|
|
|
|
|
|
|
|
keycloakUser = "keycloak";
|
|
|
|
keycloakGroup = "keycloak";
|
|
|
|
|
|
|
|
caddyHttpPort = 10001;
|
|
|
|
caddyHttpsPort = 10002;
|
|
|
|
|
|
|
|
keycloaksecretsdir = "/run/keys/keycloakcliconfig";
|
|
|
|
keycloakusers = [ "me" "friend" ];
|
|
|
|
in
|
|
|
|
rec {
|
|
|
|
users.groups = {
|
|
|
|
http = {
|
|
|
|
name = httpGroup;
|
|
|
|
};
|
|
|
|
phpfpm = {
|
|
|
|
name = phpfpmGroup;
|
|
|
|
};
|
|
|
|
keycloak = {
|
|
|
|
name = keycloakGroup;
|
|
|
|
};
|
|
|
|
keycloakcli = {
|
|
|
|
name = "keycloakcli";
|
|
|
|
};
|
|
|
|
"${vaultwarden.group}" = {
|
|
|
|
name = "${vaultwarden.group}";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
users.users = {
|
|
|
|
http = {
|
|
|
|
name = httpUser;
|
|
|
|
group = httpGroup;
|
|
|
|
home = httpRoot;
|
|
|
|
isSystemUser = true;
|
|
|
|
};
|
|
|
|
phpfpm = {
|
|
|
|
name = phpfpmUser;
|
|
|
|
group = phpfpmGroup;
|
|
|
|
home = phpfpmRoot;
|
|
|
|
isSystemUser = true;
|
|
|
|
};
|
|
|
|
keycloak = {
|
|
|
|
name = keycloakUser;
|
|
|
|
group = keycloakGroup;
|
|
|
|
# home ?
|
|
|
|
isSystemUser = true;
|
|
|
|
};
|
|
|
|
keycloakcli = {
|
|
|
|
name = "keycloakcli";
|
|
|
|
group = "keycloakcli";
|
|
|
|
extraGroups = [ "keys" ];
|
|
|
|
isSystemUser = true;
|
|
|
|
};
|
|
|
|
"${vaultwarden.user}" = {
|
|
|
|
name = vaultwarden.user;
|
|
|
|
group = vaultwarden.group;
|
|
|
|
extraGroups = [ "keys" ];
|
|
|
|
isSystemUser = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
# deployment.keys = {
|
|
|
|
# keycloakdbpassword.text = ''
|
|
|
|
# KC_DB_PASSWORD="${secret "${domain}/keycloakdbpassword"}"
|
|
|
|
# '';
|
|
|
|
|
|
|
|
# keycloakinitialadmin.text = ''
|
|
|
|
# KEYCLOAK_ADMIN_PASSWORD="${secret "${domain}/${keycloak.subdomain}/admin"}"
|
|
|
|
# '';
|
|
|
|
|
|
|
|
# # This convention is for keycloak-cli-config
|
|
|
|
# "keycloak.password" = {
|
|
|
|
# destDir = keycloaksecretsdir;
|
|
|
|
# user = "keycloakcli";
|
|
|
|
# text = secret "${domain}/${keycloak.subdomain}/admin";
|
|
|
|
# };
|
|
|
|
# "keycloakusers" =
|
|
|
|
# let
|
|
|
|
# e = str: lib.strings.escape [''\''] (lib.strings.escape [''"''] str);
|
|
|
|
# in
|
|
|
|
# {
|
|
|
|
# user = "keycloakcli";
|
|
|
|
# text = lib.concatMapStringsSep "\n"
|
|
|
|
# (name: "KEYCLOAK_USERS_${lib.strings.toUpper name}_PASSWORD=${e (secret "${domain}/${keycloak.subdomain}/${name}")}")
|
|
|
|
# keycloakusers;
|
|
|
|
# };
|
|
|
|
# }
|
|
|
|
# // vaultwarden.deployKeys domain;
|
|
|
|
|
|
|
|
security.acme = {
|
|
|
|
acceptTerms = true;
|
|
|
|
certs = {
|
|
|
|
"${domain}" = {
|
|
|
|
extraDomainNames = ["*.${domain}"];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
defaults = {
|
|
|
|
group = httpGroup;
|
|
|
|
email = "ibizapeanut@gmail.com";
|
|
|
|
dnsProvider = "linode";
|
|
|
|
dnsResolver = "8.8.8.8";
|
2023-04-09 07:05:10 +02:00
|
|
|
|
|
|
|
# For example, to use Linode to prove the dns challenge,
|
|
|
|
# the content of the file should be the following, with
|
|
|
|
# XXX replaced by your Linode API token.
|
|
|
|
# LINODE_HTTP_TIMEOUT=10
|
|
|
|
# LINODE_POLLING_INTERVAL=10
|
|
|
|
# LINODE_PROPAGATION_TIMEOUT=240
|
|
|
|
# LINODE_TOKEN=XXX
|
|
|
|
credentialsFile = "/run/secrets/linode";
|
2023-04-04 09:07:58 +02:00
|
|
|
enableDebugLogs = true;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
services = {
|
|
|
|
openssh = {
|
|
|
|
enable = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
disnix = {
|
|
|
|
enable = true;
|
|
|
|
# useWebServiceInterface = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
dnsmasq = {
|
|
|
|
enable = true;
|
|
|
|
servers = [ "192.168.50.15" "192.168.50.1" ];
|
|
|
|
extraConfig =
|
|
|
|
let
|
|
|
|
subdomains = [
|
|
|
|
"machine1"
|
|
|
|
keycloak.subdomain
|
|
|
|
vaultwarden.subdomain
|
|
|
|
];
|
|
|
|
|
|
|
|
inherit domain;
|
|
|
|
in (lib.concatMapStrings
|
|
|
|
(subdomain: "address=/${subdomain}.${domain}/127.0.0.1\naddress=/${subdomain}/127.0.0.1\n")
|
|
|
|
subdomains)
|
|
|
|
;
|
|
|
|
};
|
|
|
|
|
|
|
|
# tomcat.enable = false;
|
|
|
|
|
|
|
|
postgresql = {
|
|
|
|
enable = true;
|
|
|
|
package = pkgs.postgresql_14;
|
|
|
|
|
|
|
|
port = 5432;
|
|
|
|
enableTCPIP = true;
|
|
|
|
authentication = pkgs.lib.mkOverride 10 ''
|
|
|
|
local all all trust
|
|
|
|
host all all 127.0.0.1/32 trust
|
|
|
|
host all all ::1/128 trust
|
|
|
|
'';
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
dysnomia = {
|
|
|
|
enable = true;
|
|
|
|
enableLegacyModules = false;
|
|
|
|
extraContainerProperties = {
|
|
|
|
system = {
|
|
|
|
inherit domain;
|
|
|
|
};
|
|
|
|
postgresql-database = {
|
|
|
|
service_name = "postgresql.service";
|
|
|
|
port = builtins.toString services.postgresql.port;
|
|
|
|
};
|
|
|
|
keycloaksecrets = {
|
|
|
|
rootdir = keycloaksecretsdir;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
networking.firewall.allowedTCPPorts = [ services.postgresql.port ] ++ virtualbox.guestPorts;
|
|
|
|
};
|
|
|
|
|
|
|
|
virtualbox = rec {
|
|
|
|
portMappings = [
|
|
|
|
{ name = "ssh";
|
|
|
|
host = 22;
|
|
|
|
guest = 22;
|
|
|
|
}
|
|
|
|
{ name = "dns";
|
|
|
|
host = 53;
|
|
|
|
guest = 53;
|
|
|
|
}
|
|
|
|
{ name = "https";
|
|
|
|
host = 443;
|
|
|
|
guest = 443;
|
|
|
|
}
|
|
|
|
];
|
|
|
|
|
|
|
|
hostPorts = map (x: x.host) portMappings;
|
|
|
|
guestPorts = map (x: x.guest) portMappings;
|
|
|
|
};
|
|
|
|
}
|