diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 43ac4da..e96f896 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -24,6 +24,61 @@ jobs: nix run github:Mic92/nix-fast-build -- \ --skip-cached --no-nom \ --flake ".#checks.$(nix eval --raw --impure --expr builtins.currentSystem)" + + # We're just checking if the demo start without hiccup. + demos: + runs-on: ubuntu-latest + strategy: + matrix: + demo: + - homeassistant#basic + - homeassistant#ldap + - nextcloud#basic + - nextcloud#ldap + - nextcloud#sso + steps: + - name: Checkout repository + uses: actions/checkout@v3 + - name: Install Nix + uses: DeterminateSystems/nix-installer-action@main + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + extra-conf: "system-features = nixos-test benchmark big-parallel kvm" + - name: Setup Caching + uses: cachix/cachix-action@v12 + with: + name: selfhostblocks + authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}' + - name: Test demos + # See https://blog.stefan-koch.name/2020/12/10/qemu-guest-graceful-shutdown-from-python for + # inspiration. + run: | + set -x + + rm -f nixos.qcow2 + nix run nixpkgs#nixos-rebuild -- build-vm --flake ./demo/${{ matrix.demo }} + QEMU_NET_OPTS="hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm -nographic -qmp unix:/tmp/qmp-sock,server,nowait & + + nix run nixpkgs#socat -- - unix-connect:/tmp/qmp-sock < -Build the VM and start it: +This guide will show how to deploy these demos to a Virtual Machine, like showed +[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules). + +## Deploy to the VM {#demo-homeassistant-deploy} + +The demos are setup to either deploy to a VM through `nixos-rebuild` or through +[Colmena](https://colmena.cli.rs). + +Using `nixos-rebuild` is very fast and requires less steps because it reuses your nix store. + +Using `colmena` is more authentic because you are deploying to a stock VM, like you would with a +real machine but it needs to copy over all required store derivations so it takes a few minutes the +first time. 
+ +### Deploy with nixos-rebuild {#demo-homeassistant-deploy-nixosrebuild} + +Assuming your current working directory is the one where this Readme file is located, the one-liner +command which builds and starts the VM configured to run Self Host Blocks' Nextcloud is: + +```nix +rm nixos.qcow2; \ + nixos-rebuild build-vm --flake .#basic \ + && QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" \ + ./result/bin/run-nixos-vm +``` + +This will deploy the `basic` demo. If you want to deploy the `ldap` demo, use the `.#ldap` flake +uris. + +You can even test the demos from any directory without cloning this repository by using the GitHub +uri like `github:ibizaman/selfhostblocks?path=demo/nextcloud` + +It is very important to remove leftover `nixos.qcow2` files, if any. + +You can ssh into the VM like this, but this is not required for the demo: + +```bash +ssh -F ssh_config example +``` + +But before that works, you will need to change the permission of the ssh key like so: + +```bash +chmod 600 sshkey +``` + +This is only needed because git mangles with the permissions. You will not even see this change in +`git status`. +### Deploy with Colmena {#demo-homeassitant-deploy-colmena} + +If you deploy with Colmena, you must first build the VM and start it: ```bash rm nixos.qcow2; \ @@ -20,6 +70,8 @@ rm nixos.qcow2; \ QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm ``` +It is very important to remove leftover `nixos.qcow2` files, if any. + This last call is blocking, so I advice adding a `&` at the end of the command otherwise you will need to run the rest of the commands in another terminal. 
@@ -55,24 +107,17 @@ You can ssh into the VM with, but this is not required for the demo: ssh -F ssh_config example ``` -Finally, we can deploy. To deploy a Home Assistant server, run: +### Home Assistant through HTTP {#demo-homeassistant-deploy-basic} -```bash -SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic -``` + -To deploy a Home Assistant server integrated with a LDAP service, run: - -```bash -SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap -``` - -The deploy will take a few minutes the first time and subsequent deploys will take around 15 -seconds. - -## Access Home Assistant Through Your Browser {#demo-homeassistant-access-through-your-browser} - -Add the following entry to your `/etc/hosts` file: +Assuming you already deployed the `basic` demo, now you must add the following entry to the +`/etc/hosts` file on the host machine (not the VM): ```nix networking.hosts = { @@ -87,7 +132,22 @@ $ cat /etc/hosts 127.0.0.1 ha.example.com ``` -If you deployed the `ldap` target host, add instead: +Go to [http://ha.example.com:8080](http://ha.example.com:8080) and you will be greeted with the Home +Assistant setup wizard which will allow you to create an admin user. + +And that's the end of the demo + +### Home Assistant with LDAP through HTTP {#demo-homeassistant-deploy-ldap} + + + +Assuming you already deployed the `ldap` demo, now you must add the following entry to the +`/etc/hosts` file on the host machine (not the VM): ```nix networking.hosts = { 
@@ -95,12 +155,14 @@ networking.hosts = { }; ``` -If you deployed the `basic` target host, go to -[http://ha.example.com:8080](http://ha.example.com:8080) and you will be greeted with the Home -Assistant setup wizard which will allow you to create an admin user: +Which produces: -And that's the end of the demo. Otherwise if you deployed the `ldap` target host, go first to -[http://ldap.example.com:8080](http://ldap.example.com:8080) and login with: +```bash +$ cat /etc/hosts +127.0.0.1 ha.example.com ldap.example.com +``` + +Go first to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with: - username: `admin` - password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `fccb94f0f64bddfe299c81410096499a`. @@ -155,16 +217,7 @@ space issue, you must increase the ### Secrets {#demo-homeassistant-secrets} -_More info about the secrets._ - -The private key in the `keys.txt` file is created with: - -```bash -$ nix shell nixpkgs#age --command age-keygen -o keys.txt -Public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7 -``` - -We use the printed public key in the `admin` field of the `sops.yaml` file. +_More info about the secrets can be found in the [Usage](https://shb.skarabox.com/usage.html) manual_ To open the `secrets.yaml` file and optionnally edit it, run: @@ -198,9 +251,9 @@ You can generate random secrets with: $ nix run nixpkgs#openssl -- rand -hex 64 ``` -If you choose a password too small, ldap could refuse to start. +If you choose a password too small, some services could refuse to start. -#### Why do we need the VM's public key {#demo-homeassistant-public-key-necessity} +#### Why do we need the VM's public key {#demo-homeassistant-tips-public-key-necessity} The [`sops.yaml`](./sops.yaml) file describes what private keys can decrypt and encrypt the [`secrets.yaml`](./secrets.yaml) file containing the application secrets. Usually, you will create and add 
@@ -209,11 +262,11 @@ in the `/run/secrets` folder on the VM. We thus need one private key for you to [`secrets.yaml`](./secrets.yaml) file and one in the VM for it to decrypt the secrets. Your private key is already pre-generated in this repo, it's the [`sshkey`](./sshkey) file. But when -creating the VM in the step above, a new private key and its accompanying public key were -automatically generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the -public key and add it to the `secrets.yaml` which we did in the Deploy section. +creating the VM for Colmena, a new private key and its accompanying public key were automatically +generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the public key and +add it to the `secrets.yaml` which we did in the Deploy section. -### SSH {#demo-homeassistant-ssh} +### SSH {#demo-homeassistant-tips-ssh} The private and public ssh keys were created with: @@ -231,7 +284,7 @@ authentication, here is what you would need to do to copy over the key: nix shell nixpkgs#openssh --command ssh-copy-id -i sshkey -F ssh_config example ``` -### Deploy {#demo-homeassistant-deploy} +### Deploy {#demo-homeassistant-tips-deploy} If you get a NAR hash mismatch error like hereunder, you need to run `nix flake lock --update-input selfhostblocks`. @@ -240,7 +293,7 @@ selfhostblocks`. error: NAR hash mismatch in input ... ``` -### Update Demo {#demo-homeassistant-update-demo} +### Update Demo {#demo-homeassistant-tips-update-demo} If you update the Self Host Blocks configuration in `flake.nix` file, you can just re-deploy. diff --git a/demo/homeassistant/flake.nix b/demo/homeassistant/flake.nix index 7e48d4f..bc20515 100644 --- a/demo/homeassistant/flake.nix +++ b/demo/homeassistant/flake.nix 
@@ -5,29 +5,15 @@ selfhostblocks.url = "github:ibizaman/selfhostblocks"; }; - outputs = inputs@{ self, selfhostblocks, ... }: { - colmena = { - meta = { - nixpkgs = import selfhostblocks.inputs.nixpkgs { - system = "x86_64-linux"; - }; - specialArgs = inputs; - }; - - basic = { config, ... }: { + outputs = inputs@{ self, selfhostblocks, ... }: + let + basic = { config, ... }: { imports = [ ./configuration.nix selfhostblocks.inputs.sops-nix.nixosModules.default selfhostblocks.nixosModules.x86_64-linux.default ]; - # Used by colmena to know which target host to deploy to. - deployment = { - targetHost = "example"; - targetUser = "nixos"; - targetPort = 2222; - }; - shb.home-assistant = { enable = true; domain = "example.com"; @@ -38,26 +24,9 @@ nixpkgs.config.permittedInsecurePackages = [ "openssl-1.1.1w" ]; - - # Set to true for more debug info with `journalctl -f -u nginx`. - shb.nginx.accessLog = false; - shb.nginx.debugLog = false; }; - ldap = { config, ... }: { - imports = [ - ./configuration.nix - selfhostblocks.inputs.sops-nix.nixosModules.default - selfhostblocks.nixosModules.x86_64-linux.default - ]; - - # Used by colmena to know which target host to deploy to. - deployment = { - targetHost = "example"; - targetUser = "nixos"; - targetPort = 2222; - }; - + ldap = { config, ... }: { shb.ldap = { enable = true; domain = "example.com"; 
@@ -83,23 +52,73 @@ restartUnits = [ "lldap.service" ]; }; - shb.home-assistant = { + shb.home-assistant.ldap = { enable = true; - domain = "example.com"; - ldap = { - enable = true; - host = "127.0.0.1"; - port = config.shb.ldap.webUIListenPort; - userGroup = "homeassistant_user"; + host = "127.0.0.1"; + port = config.shb.ldap.webUIListenPort; + userGroup = "homeassistant_user"; + }; + }; + + sopsConfig = { + sops.age.keyFile = "/etc/sops/my_key"; + environment.etc."sops/my_key".source = ./keys.txt; + }; + in + { + nixosConfigurations = { + basic = selfhostblocks.inputs.nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + basic + sopsConfig + ]; + }; + + ldap = selfhostblocks.inputs.nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + basic + ldap + sopsConfig + ]; }; - subdomain = "ha"; - sopsFile = ./secrets.yaml; }; - nixpkgs.config.permittedInsecurePackages = [ - "openssl-1.1.1w" - ]; + colmena = { + meta = { + nixpkgs = import selfhostblocks.inputs.nixpkgs { + system = "x86_64-linux"; + }; + specialArgs = inputs; + }; + + basic = { config, ... }: { + imports = [ + basic + ]; + + # Used by colmena to know which target host to deploy to. + deployment = { + targetHost = "example"; + targetUser = "nixos"; + targetPort = 2222; + }; + }; + + ldap = { config, ... }: { + imports = [ + basic + ldap + ]; + + # Used by colmena to know which target host to deploy to. + deployment = { + targetHost = "example"; + targetUser = "nixos"; + targetPort = 2222; + }; + }; + }; }; - }; - }; } diff --git a/demo/nextcloud/README.md b/demo/nextcloud/README.md index 9f85145..33f50b2 100644 --- a/demo/nextcloud/README.md +++ b/demo/nextcloud/README.md 
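Review bot: The new `sopsConfig` module wires the age private key in with `environment.etc."sops/my_key".source = ./keys.txt;`; a path literal used this way is copied into the Nix store and `/etc/sops/my_key` becomes a symlink to it, so the key that decrypts every entry of `secrets.yaml` is readable by every local user on the VM, not only root. The READMEs state that the demo keys are public, but the flake itself says nothing, and this block is exactly the kind that gets copied into a real deployment. Suggest a comment above `sopsConfig`: `# Demo only: the path literal puts keys.txt into the world-readable Nix store; on a real host provision the age key out of band and point sops.age.keyFile at it.` The same block is added by the nextcloud flake.nix hunk `@@ -339,7 +178,110 @@`.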
@@ -3,21 +3,67 @@ **This whole demo is highly insecure as all the private keys are available publicly. This is only done for convenience as it is just a demo. Do not expose the VM to the internet.** -The [`flake.nix`](./flake.nix) file sets up a Nextcloud server with Self Host Blocks. There are actually 3 demos: +The [`flake.nix`](./flake.nix) file sets up a Nextcloud server with Self Host Blocks. There are +actually 3 demos: -- The `basic` demo sets up a lone Nextcloud server accessible through http. -- The `ldap` demo sets up a Nextcloud server integrated with a LDAP provider. -- The `sso` demo sets up a Nextcloud server integrated with a LDAP provider and an SSO provider. +- The `basic` demo sets up a lone Nextcloud server accessible through http with the Preview + Generator app enabled. +- The `ldap` demo builds on top of the `basic` demo integrating Nextcloud with a LDAP provider. +- The `sso` demo builds on top of the `lsap` demo integrating Nextcloud with a SSO provider. They were set up by following the [manual](https://shb.skarabox.com/services-nextcloud.html). This guide will show how to deploy these demos to a Virtual Machine, like showed -[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands. +[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules). ## Deploy to the VM {#demo-nextcloud-deploy} -### Prerequisite {#demo-nextcloud-deploy-prereq} +The demos are setup to either deploy to a VM through `nixos-rebuild` or through +[Colmena](https://colmena.cli.rs). -Build the VM and start it: +Using `nixos-rebuild` is very fast and requires less steps because it reuses your nix store. + +Using `colmena` is more authentic because you are deploying to a stock VM, like you would with a +real machine but it needs to copy over all required store derivations so it takes a few minutes the +first time. 
+ +### Deploy with nixos-rebuild {#demo-nextcloud-deploy-nixosrebuild} + +Assuming your current working directory is the one where this Readme file is located, the one-liner +command which builds and starts the VM configured to run Self Host Blocks' Nextcloud is: + +```nix +rm nixos.qcow2; \ + nixos-rebuild build-vm --flake .#basic \ + && QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" \ + ./result/bin/run-nixos-vm +``` + +This will deploy the `basic` demo. If you want to deploy the `ldap` or `sso` demos, use respectively +the `.#ldap` or `.#sso` flake uris. + +You can even test the demos from any directory without cloning this repository by using the GitHub +uri like `github:ibizaman/selfhostblocks?path=demo/nextcloud` + +It is very important to remove leftover `nixos.qcow2` files, if any. + +You can ssh into the VM like this, but this is not required for the demo: + +```bash +ssh -F ssh_config example +``` + +But before that works, you will need to change the permission of the ssh key like so: + +```bash +chmod 600 sshkey +``` + +This is only needed because git mangles with the permissions. You will not even see this change in +`git status`. + +### Deploy with Colmena {#demo-nextcloud-deploy-colmena} + +If you deploy with Colmena, you must first build the VM and start it: ```bash rm nixos.qcow2; \ @@ -25,6 +71,8 @@ rm nixos.qcow2; \ QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm ``` +It is very important to remove leftover `nixos.qcow2` files, if any. + This last call is blocking, so I advice adding a `&` at the end of the command otherwise you will need to run the rest of the commands in another terminal. 
@@ -67,16 +115,8 @@ This section corresponds to the `basic` section of the [Nextcloud manual](services-nextcloud.html#services-nextcloud-server-usage-basic). :::: -To deploy a basic Nextcloud with only the Preview Generator app enabled, run: - -```bash -SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic -``` - -The deploy will take a few minutes the first time and subsequent deploys will take around 15 -seconds. - -Add the following entry to the `/etc/hosts` file on the host machine (not the VM): +Assuming you already deployed the `basic` demo, now you must add the following entry to the +`/etc/hosts` file on the host machine (not the VM): ```nix networking.hosts = { @@ -106,17 +146,8 @@ This section corresponds to the `ldap` section of the [Nextcloud manual](services-nextcloud.html#services-nextcloud-server-usage-ldap). :::: -To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP -service, run: - -```bash -SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap -``` - -The deploy will take a few minutes the first time and subsequent deploys will take around 15 -seconds. - -Add the following entry to the `/etc/hosts` file on the host machine (not the VM): +Assuming you already deployed the `ldap` demo, now you must add the following entry to the +`/etc/hosts` file on the host machine (not the VM): ```nix networking.hosts = { @@ -134,7 +165,8 @@ $ cat /etc/hosts Go first to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with: - username: `admin` -- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`. +- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is + `c2e32e54ea3e0053eb30841f818a3d9a`. Create the group `nextcloud_user` and a create a user and assign them to that group. 
@@ -153,32 +185,23 @@ This section corresponds to the `sso` section of the [Nextcloud manual](services-nextcloud.html#services-nextcloud-server-usage-oidc). :::: -To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP -service and an SSO service, run: - -```bash -SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on sso -``` - -The deploy will take a few minutes the first time and subsequent deploys will take around 15 -seconds. - -Here, there is a `dnsmasq` server running in the VM. You must create a SOCKS proxy to the `dnsmasq` -service like so: +At this point, it is assumed you already deployed the `sso` demo. There is no host to add to +`/etc/hosts` here. Instead, there is a `dnsmasq` server running in the VM and you must create a +SOCKS proxy to connect to it like so: ```bash ssh -F ssh_config -D 1080 -N example ``` -This is a blocking call that will create a SOCKS proxy on port 1080. It is not necessary to fork -this process in the background by appending `&` because we will not need to use the terminal for the -rest of the demo. +This is a blocking call but it is not necessary to fork this process in the background by appending +`&` because we will not need to use the terminal for the rest of the demo. -Now, configure your browser to use that proxy. When that's done go to +Now, configure your browser to use that SOCKS proxy. When that's done go to [https://ldap.example.com](https://ldap.example.com) and login with: - username: `admin` -- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`. +- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is + `c2e32e54ea3e0053eb30841f818a3d9a`. Create the group `nextcloud_user` and a create a user and assign them to that group. 
@@ -233,39 +256,7 @@ space issue, you must increase the ### Secrets {#demo-nextcloud-tips-secrets} -_More info about the secrets._ - -The private key in the `keys.txt` file is created with: - -```bash -$ nix shell nixpkgs#age --command age-keygen -o keys.txt -Public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7 -``` - -We use the printed public key in the `admin` field of the `sops.yaml` file. - -The `secrets.yaml` file must follow the format: - -```yaml -nextcloud: - adminpass: 43bb4b8f82fc645ce3260b5db803c5a8 - onlyoffice: - jwt_secret: XXX... - sso: - secret: YYY... -lldap: - user_password: c2e32e54ea3e0053eb30841f818a3d9a - jwt_secret: ZZZ... -authelia: - jwt_secret: AAA... - storage_encryption_key: BBB... - session_secret: CCC... - hmac_secret: DDD. - private_key: | - -----BEGIN PRIVATE KEY----- - MII... - -----END PRIVATE KEY----- -``` +_More info about the secrets can be found in the [Usage](https://shb.skarabox.com/usage.html) manual_ To open the `secrets.yaml` file and optionnally edit it, run: @@ -292,9 +283,9 @@ in the `/run/secrets` folder on the VM. We thus need one private key for you to [`secrets.yaml`](./secrets.yaml) file and one in the VM for it to decrypt the secrets. Your private key is already pre-generated in this repo, it's the [`sshkey`](./sshkey) file. But when -creating the VM in the step above, a new private key and its accompanying public key were -automatically generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the -public key and add it to the `secrets.yaml` which we did in the Deploy section. +creating the VM for Colmena, a new private key and its accompanying public key were automatically +generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the public key and +add it to the `secrets.yaml` which we did in the Deploy section. ### SSH {#demo-nextcloud-tips-ssh} 
diff --git a/demo/nextcloud/configuration.nix b/demo/nextcloud/configuration.nix index a63c4ac..6609098 100644 --- a/demo/nextcloud/configuration.nix +++ b/demo/nextcloud/configuration.nix @@ -22,6 +22,7 @@ in boot.loader.grub.configurationLimit = 1; # The NixOS /nix/.rw-store mountpoint is backed by tmpfs which uses memory. We need to increase # the available disk space to install home-assistant. + virtualisation.vmVariant.virtualisation.memorySize = 8192; virtualisation.vmVariantWithBootLoader.virtualisation.memorySize = 8192; # Options above are needed to deploy in a VM. diff --git a/demo/nextcloud/flake.nix b/demo/nextcloud/flake.nix index 6f6fd73..d9d68c9 100644 --- a/demo/nextcloud/flake.nix +++ b/demo/nextcloud/flake.nix @@ -5,15 +5,8 @@ selfhostblocks.url = "github:ibizaman/selfhostblocks"; }; - outputs = inputs@{ self, selfhostblocks, ... }: { - colmena = { - meta = { - nixpkgs = import selfhostblocks.inputs.nixpkgs { - system = "x86_64-linux"; - }; - specialArgs = inputs; - }; - + outputs = inputs@{ self, selfhostblocks, ... }: + let basic = { config, ... }: { imports = [ ./configuration.nix @@ -21,13 +14,6 @@ selfhostblocks.nixosModules.x86_64-linux.default ]; - # Used by colmena to know which target host to deploy to. - deployment = { - targetHost = "example"; - targetUser = "nixos"; - targetPort = 2222; - }; - shb.nextcloud = { enable = true; domain = "example.com"; @@ -60,19 +46,6 @@ }; ldap = { config, ... }: { - imports = [ - ./configuration.nix - selfhostblocks.inputs.sops-nix.nixosModules.default - selfhostblocks.nixosModules.x86_64-linux.default - ]; - - # Used by colmena to know which target host to deploy to. - deployment = { - targetHost = "example"; - targetUser = "nixos"; - targetPort = 2222; - }; - shb.ldap = { enable = true; domain = "example.com"; 
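Review bot: The comment that explains the added `virtualisation.vmVariant.virtualisation.memorySize = 8192;` still reads `# the available disk space to install home-assistant.`, but this is `demo/nextcloud/configuration.nix`, so the only documentation of the new line names the wrong service. Suggest `# the available disk space to install nextcloud.`; the preceding sentence about the tmpfs-backed `/nix/.rw-store` is what makes a memory option stand in for disk space and is worth keeping as is.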
@@ -98,40 +71,16 @@ restartUnits = [ "lldap.service" ]; }; - shb.nextcloud = { + shb.nextcloud.apps.ldap = { enable = true; - domain = "example.com"; - subdomain = "n"; - dataDir = "/var/lib/nextcloud"; - tracing = null; - - # This option is only needed because we do not access Nextcloud at the default port in the VM. - port = 8080; - - adminPassFile = config.sops.secrets."nextcloud/adminpass".path; - - apps = { - previewgenerator.enable = true; - ldap = { - enable = true; - host = "127.0.0.1"; - port = config.shb.ldap.ldapPort; - dcdomain = config.shb.ldap.dcdomain; - adminName = "admin"; - adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path; - userGroup = "nextcloud_user"; - }; - }; + host = "127.0.0.1"; + port = config.shb.ldap.ldapPort; + dcdomain = config.shb.ldap.dcdomain; + adminName = "admin"; + adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path; + userGroup = "nextcloud_user"; }; - # Secret needed for services.nextcloud.config.adminpassFile. - sops.secrets."nextcloud/adminpass" = { - sopsFile = ./secrets.yaml; - mode = "0440"; - owner = "nextcloud"; - group = "nextcloud"; - restartUnits = [ "phpfpm-nextcloud.service" ]; - }; # Secret needed for LDAP app. sops.secrets."nextcloud/ldap_admin_password" = { sopsFile = ./secrets.yaml; @@ -141,26 +90,9 @@ group = "nextcloud"; restartUnits = [ "nextcloud-setup.service" ]; }; - - # Set to true for more debug info with `journalctl -f -u nginx`. - shb.nginx.accessLog = true; - shb.nginx.debugLog = false; }; sso = { config, ... }: { - imports = [ - ./configuration.nix - selfhostblocks.inputs.sops-nix.nixosModules.default - selfhostblocks.nixosModules.x86_64-linux.default - ]; - - # Used by colmena to know which target host to deploy to. - deployment = { - targetHost = "example"; - targetUser = "nixos"; - targetPort = 2222; - }; - shb.certs = { cas.selfsigned.myca = { name = "My CA"; 
@@ -189,99 +121,6 @@ }; }; - shb.nextcloud = { - enable = true; - domain = "example.com"; - subdomain = "n"; - ssl = config.shb.certs.certs.selfsigned.n; - dataDir = "/var/lib/nextcloud"; - tracing = null; - - adminPassFile = config.sops.secrets."nextcloud/adminpass".path; - - apps = { - previewgenerator.enable = true; - ldap = { - enable = true; - host = "127.0.0.1"; - port = config.shb.ldap.ldapPort; - dcdomain = config.shb.ldap.dcdomain; - adminName = "admin"; - adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path; - userGroup = "nextcloud_user"; - }; - sso = { - enable = true; - endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}"; - clientID = "nextcloud"; - fallbackDefaultAuth = true; - - secretFile = config.sops.secrets."nextcloud/sso/secret".path; - secretFileForAuthelia = config.sops.secrets."authelia/nextcloud_sso_secret".path; - }; - }; - }; - - # Secret needed for services.nextcloud.config.adminpassFile. - sops.secrets."nextcloud/adminpass" = { - sopsFile = ./secrets.yaml; - mode = "0440"; - owner = "nextcloud"; - group = "nextcloud"; - restartUnits = [ "phpfpm-nextcloud.service" ]; - }; - # Secret needed for LDAP app. - sops.secrets."nextcloud/ldap_admin_password" = { - sopsFile = ./secrets.yaml; - key = "lldap/user_password"; - mode = "0400"; - owner = "nextcloud"; - group = "nextcloud"; - restartUnits = [ "nextcloud-setup.service" ]; - }; - sops.secrets."nextcloud/sso/secret" = { - sopsFile = ./secrets.yaml; - mode = "0400"; - owner = "nextcloud"; - restartUnits = [ "nextcloud-setup.service" ]; - }; - sops.secrets."authelia/nextcloud_sso_secret" = { - sopsFile = ./secrets.yaml; - key = "nextcloud/sso/secret"; - mode = "0400"; - owner = config.shb.authelia.autheliaUser; - }; - - # Set to true for more debug info with `journalctl -f -u nginx`. 
- shb.nginx.accessLog = true; - shb.nginx.debugLog = false; - - shb.ldap = { - enable = true; - domain = "example.com"; - subdomain = "ldap"; - ssl = config.shb.certs.certs.selfsigned.n; - ldapPort = 3890; - webUIListenPort = 17170; - dcdomain = "dc=example,dc=com"; - ldapUserPasswordFile = config.sops.secrets."lldap/user_password".path; - jwtSecretFile = config.sops.secrets."lldap/jwt_secret".path; - }; - sops.secrets."lldap/user_password" = { - sopsFile = ./secrets.yaml; - mode = "0440"; - owner = "lldap"; - group = "lldap"; - restartUnits = [ "lldap.service" ]; - }; - sops.secrets."lldap/jwt_secret" = { - sopsFile = ./secrets.yaml; - mode = "0440"; - owner = "lldap"; - group = "lldap"; - restartUnits = [ "lldap.service" ]; - }; - shb.authelia = { enable = true; domain = "example.com"; 
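Review bot: The removed `sso` module lines were the only visible place where `shb.nextcloud.ssl` and `shb.ldap.ssl` were set to `config.shb.certs.certs.selfsigned.n`, and the `sso` module's new lines here and in `@@ -339,7 +178,110 @@` do not set them again; `shb.ldap` is now supplied by the shared `ldap` module, which the plain-HTTP `ldap` demo also uses and which shows no `ssl` attribute in the lines on this page. Unless the `sso` module lines between +127 and +177, which are outside this page, re-add them, the `sso` demo would serve Nextcloud and LLDAP over HTTP while `shb.nextcloud.apps.sso.endpoint` and the nextcloud README point at `https://`. If that is the case, the fix is two lines in the `sso` module: `shb.nextcloud.ssl = config.shb.certs.certs.selfsigned.n;` and `shb.ldap.ssl = config.shb.certs.certs.selfsigned.n;`. The `sso` module begins in the previous hunk and continues past the end of this one.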
@@ -339,7 +178,110 @@ owner = config.shb.authelia.autheliaUser; restartUnits = [ "authelia.service" ]; }; + + shb.nextcloud.apps.sso = { + enable = true; + endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}"; + clientID = "nextcloud"; + fallbackDefaultAuth = true; + + secretFile = config.sops.secrets."nextcloud/sso/secret".path; + secretFileForAuthelia = config.sops.secrets."authelia/nextcloud_sso_secret".path; + }; + + sops.secrets."nextcloud/sso/secret" = { + sopsFile = ./secrets.yaml; + mode = "0400"; + owner = "nextcloud"; + restartUnits = [ "nextcloud-setup.service" ]; + }; + sops.secrets."authelia/nextcloud_sso_secret" = { + sopsFile = ./secrets.yaml; + key = "nextcloud/sso/secret"; + mode = "0400"; + owner = config.shb.authelia.autheliaUser; + }; + }; + + sopsConfig = { + sops.age.keyFile = "/etc/sops/my_key"; + environment.etc."sops/my_key".source = ./keys.txt; + }; + in + { + nixosConfigurations = { + basic = selfhostblocks.inputs.nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + sopsConfig + basic + ]; + }; + ldap = selfhostblocks.inputs.nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + sopsConfig + basic + ldap + ]; + }; + sso = selfhostblocks.inputs.nixpkgs.lib.nixosSystem { + system = "x86_64-linux"; + modules = [ + sopsConfig + basic + ldap + sso + ]; + }; + }; + + colmena = { + meta = { + nixpkgs = import selfhostblocks.inputs.nixpkgs { + system = "x86_64-linux"; + }; + specialArgs = inputs; + }; + + basic = { config, ... }: { + imports = [ + basic + ]; + + deployment = { + targetHost = "example"; + targetUser = "nixos"; + targetPort = 2222; + }; + }; + + ldap = { config, ... }: { + imports = [ + basic + ldap + ]; + + deployment = { + targetHost = "example"; + targetUser = "nixos"; + targetPort = 2222; + }; + }; + + sso = { config, ... 
}: {
+ imports = [
+ basic
+ ldap
+ sso
+ ];
+
+ deployment = {
+ targetHost = "example";
+ targetUser = "nixos";
+ targetPort = 2222;
+ };
+ };
+ };
 };
- };
- };
 }
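Review bot: The three `deployment` blocks added under `colmena` carry no comment, while the matching blocks in the homeassistant flake.nix hunk `@@ -83,23 +52,73 @@` keep `# Used by colmena to know which target host to deploy to.`; the two demos should document these wrappers the same way. Suggest adding that comment above each `deployment = {` here. The `{ config, ... }:` argument of the three wrappers is also unused on the new side and could be written `{ ... }:`.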