parent
0457f263cc
commit
b43a4971a4
6 changed files with 411 additions and 350 deletions
55
.github/workflows/test.yml
|
@ -24,6 +24,61 @@ jobs:
|
||||||
nix run github:Mic92/nix-fast-build -- \
|
nix run github:Mic92/nix-fast-build -- \
|
||||||
--skip-cached --no-nom \
|
--skip-cached --no-nom \
|
||||||
--flake ".#checks.$(nix eval --raw --impure --expr builtins.currentSystem)"
|
--flake ".#checks.$(nix eval --raw --impure --expr builtins.currentSystem)"
|
||||||
|
|
||||||
|
# We're just checking if the demo start without hiccup.
|
||||||
|
demos:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
strategy:
|
||||||
|
matrix:
|
||||||
|
demo:
|
||||||
|
- homeassistant#basic
|
||||||
|
- homeassistant#ldap
|
||||||
|
- nextcloud#basic
|
||||||
|
- nextcloud#ldap
|
||||||
|
- nextcloud#sso
|
||||||
|
steps:
|
||||||
|
- name: Checkout repository
|
||||||
|
uses: actions/checkout@v3
|
||||||
|
- name: Install Nix
|
||||||
|
uses: DeterminateSystems/nix-installer-action@main
|
||||||
|
with:
|
||||||
|
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
extra-conf: "system-features = nixos-test benchmark big-parallel kvm"
|
||||||
|
- name: Setup Caching
|
||||||
|
uses: cachix/cachix-action@v12
|
||||||
|
with:
|
||||||
|
name: selfhostblocks
|
||||||
|
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
|
||||||
|
- name: Test demos
|
||||||
|
# See https://blog.stefan-koch.name/2020/12/10/qemu-guest-graceful-shutdown-from-python for
|
||||||
|
# inspiration.
|
||||||
|
run: |
|
||||||
|
set -x
|
||||||
|
|
||||||
|
rm -f nixos.qcow2
|
||||||
|
nix run nixpkgs#nixos-rebuild -- build-vm --flake ./demo/${{ matrix.demo }}
|
||||||
|
QEMU_NET_OPTS="hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm -nographic -qmp unix:/tmp/qmp-sock,server,nowait &
|
||||||
|
|
||||||
|
nix run nixpkgs#socat -- - unix-connect:/tmp/qmp-sock <<EOF
|
||||||
|
{"execute": "qmp_capabilities"}
|
||||||
|
{"execute": "system_powerdown"}
|
||||||
|
EOF
|
||||||
|
|
||||||
|
docs:
|
||||||
|
runs-on: ubuntu-latest
|
||||||
|
steps:
|
||||||
|
- name: Checkout repository
|
||||||
|
uses: actions/checkout@v3
|
||||||
|
- name: Install Nix
|
||||||
|
uses: DeterminateSystems/nix-installer-action@main
|
||||||
|
with:
|
||||||
|
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||||
|
extra-conf: "system-features = nixos-test benchmark big-parallel kvm"
|
||||||
|
- name: Setup Caching
|
||||||
|
uses: cachix/cachix-action@v12
|
||||||
|
with:
|
||||||
|
name: selfhostblocks
|
||||||
|
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
|
||||||
- name: Test building docs
|
- name: Test building docs
|
||||||
run: |
|
run: |
|
||||||
nix \
|
nix \
|
||||||
|
|
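Review bot: The new `demos` job pins `DeterminateSystems/nix-installer-action` to the mutable `main` ref, so the runner that receives `secrets.GITHUB_TOKEN` and `secrets.CACHIX_AUTH_TOKEN` executes whatever that branch contains at run time (the pre-existing `docs` job has the same `@main` line); pinning this and the `actions/checkout@v3` / `cachix/cachix-action@v12` references to a full commit SHA with a version comment, e.g. `uses: DeterminateSystems/nix-installer-action@<commit-sha> # vX.Y.Z`, makes the job reproducible and removes that run-time trust dependency. Separately, the `Test demos` step backgrounds `run-nixos-vm` with `&` and immediately writes `system_powerdown` to the QMP socket, so nothing confirms the guest actually booted — the comment says the job checks that the demo starts, but a VM that crashes after creating the socket still passes, and because the step never calls `wait` the background process's exit status is discarded; `nix run nixpkgs#socat` may also race the socket's creation. I would capture the pid (`... ./result/bin/run-nixos-vm -nographic -qmp unix:/tmp/qmp-sock,server,nowait & VM_PID=$!`), poll the forwarded port or the QMP socket with a bounded retry before sending `system_powerdown`, and finish the step with `wait "$VM_PID"` so a failed guest fails the job.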
|
@ -3,16 +3,66 @@
|
||||||
**This whole demo is highly insecure as all the private keys are available publicly. This is
|
**This whole demo is highly insecure as all the private keys are available publicly. This is
|
||||||
only done for convenience as it is just a demo. Do not expose the VM to the internet.**
|
only done for convenience as it is just a demo. Do not expose the VM to the internet.**
|
||||||
|
|
||||||
The [`flake.nix`](./flake.nix) file sets up a Home Assistant server in only about [15
|
The [`flake.nix`](./flake.nix) file sets up a Home Assistant server with Self Host Blocks. There are actually 2 demos:
|
||||||
lines](./flake.nix#L31-L37) of related code. It also defines a Home Assistant server that integrates with
|
|
||||||
a [LDAP server](./flake.nix#L58-L94).
|
|
||||||
|
|
||||||
This guide will show how to deploy this setup to a Virtual Machine, like showed
|
- The `basic` demo sets up a lone Home Assistant server accessible through http.
|
||||||
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands.
|
- The `ldap` demo builds on top of the `basic` demo integrating Home Assistant with a LDAP provider.
|
||||||
|
|
||||||
## Deploy to the VM {#demo-homeassistant-deploy-to-the-vm}
|
<!--
|
||||||
|
They were set up by following the [manual](https://shb.skarabox.com/services-homeassistant.html).
|
||||||
|
-->
|
||||||
|
|
||||||
Build the VM and start it:
|
This guide will show how to deploy these demos to a Virtual Machine, like showed
|
||||||
|
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules).
|
||||||
|
|
||||||
|
## Deploy to the VM {#demo-homeassistant-deploy}
|
||||||
|
|
||||||
|
The demos are setup to either deploy to a VM through `nixos-rebuild` or through
|
||||||
|
[Colmena](https://colmena.cli.rs).
|
||||||
|
|
||||||
|
Using `nixos-rebuild` is very fast and requires less steps because it reuses your nix store.
|
||||||
|
|
||||||
|
Using `colmena` is more authentic because you are deploying to a stock VM, like you would with a
|
||||||
|
real machine but it needs to copy over all required store derivations so it takes a few minutes the
|
||||||
|
first time.
|
||||||
|
|
||||||
|
### Deploy with nixos-rebuild {#demo-homeassistant-deploy-nixosrebuild}
|
||||||
|
|
||||||
|
Assuming your current working directory is the one where this Readme file is located, the one-liner
|
||||||
|
command which builds and starts the VM configured to run Self Host Blocks' Nextcloud is:
|
||||||
|
|
||||||
|
```nix
|
||||||
|
rm nixos.qcow2; \
|
||||||
|
nixos-rebuild build-vm --flake .#basic \
|
||||||
|
&& QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" \
|
||||||
|
./result/bin/run-nixos-vm
|
||||||
|
```
|
||||||
|
|
||||||
|
This will deploy the `basic` demo. If you want to deploy the `ldap` demo, use the `.#ldap` flake
|
||||||
|
uris.
|
||||||
|
|
||||||
|
You can even test the demos from any directory without cloning this repository by using the GitHub
|
||||||
|
uri like `github:ibizaman/selfhostblocks?path=demo/nextcloud`
|
||||||
|
|
||||||
|
It is very important to remove leftover `nixos.qcow2` files, if any.
|
||||||
|
|
||||||
|
You can ssh into the VM like this, but this is not required for the demo:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ssh -F ssh_config example
|
||||||
|
```
|
||||||
|
|
||||||
|
But before that works, you will need to change the permission of the ssh key like so:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
chmod 600 sshkey
|
||||||
|
```
|
||||||
|
|
||||||
|
This is only needed because git mangles with the permissions. You will not even see this change in
|
||||||
|
`git status`.
|
||||||
|
### Deploy with Colmena {#demo-homeassitant-deploy-colmena}
|
||||||
|
|
||||||
|
If you deploy with Colmena, you must first build the VM and start it:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
rm nixos.qcow2; \
|
rm nixos.qcow2; \
|
||||||
|
@ -20,6 +70,8 @@ rm nixos.qcow2; \
|
||||||
QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm
|
QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm
|
||||||
```
|
```
|
||||||
|
|
||||||
|
It is very important to remove leftover `nixos.qcow2` files, if any.
|
||||||
|
|
||||||
This last call is blocking, so I advice adding a `&` at the end of the command otherwise you will
|
This last call is blocking, so I advice adding a `&` at the end of the command otherwise you will
|
||||||
need to run the rest of the commands in another terminal.
|
need to run the rest of the commands in another terminal.
|
||||||
|
|
||||||
|
@ -55,24 +107,17 @@ You can ssh into the VM with, but this is not required for the demo:
|
||||||
ssh -F ssh_config example
|
ssh -F ssh_config example
|
||||||
```
|
```
|
||||||
|
|
||||||
Finally, we can deploy. To deploy a Home Assistant server, run:
|
### Home Assistant through HTTP {#demo-homeassistant-deploy-basic}
|
||||||
|
|
||||||
```bash
|
<!--
|
||||||
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic
|
:::: {.note}
|
||||||
```
|
This section corresponds to the `basic` section of the [Home Assistant
|
||||||
|
manual](services-nextcloud.html#services-homeassistant-server-usage-basic).
|
||||||
|
::::
|
||||||
|
-->
|
||||||
|
|
||||||
To deploy a Home Assistant server integrated with a LDAP service, run:
|
Assuming you already deployed the `basic` demo, now you must add the following entry to the
|
||||||
|
`/etc/hosts` file on the host machine (not the VM):
|
||||||
```bash
|
|
||||||
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap
|
|
||||||
```
|
|
||||||
|
|
||||||
The deploy will take a few minutes the first time and subsequent deploys will take around 15
|
|
||||||
seconds.
|
|
||||||
|
|
||||||
## Access Home Assistant Through Your Browser {#demo-homeassistant-access-through-your-browser}
|
|
||||||
|
|
||||||
Add the following entry to your `/etc/hosts` file:
|
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
networking.hosts = {
|
networking.hosts = {
|
||||||
|
@ -87,7 +132,22 @@ $ cat /etc/hosts
|
||||||
127.0.0.1 ha.example.com
|
127.0.0.1 ha.example.com
|
||||||
```
|
```
|
||||||
|
|
||||||
If you deployed the `ldap` target host, add instead:
|
Go to [http://ha.example.com:8080](http://ha.example.com:8080) and you will be greeted with the Home
|
||||||
|
Assistant setup wizard which will allow you to create an admin user.
|
||||||
|
|
||||||
|
And that's the end of the demo
|
||||||
|
|
||||||
|
### Home Assistant with LDAP through HTTP {#demo-homeassistant-deploy-ldap}
|
||||||
|
|
||||||
|
<!--
|
||||||
|
:::: {.note}
|
||||||
|
This section corresponds to the `ldap` section of the [Home Assistant
|
||||||
|
manual](services-nextcloud.html#services-homeassistant-server-usage-ldap).
|
||||||
|
::::
|
||||||
|
-->
|
||||||
|
|
||||||
|
Assuming you already deployed the `ldap` demo, now you must add the following entry to the
|
||||||
|
`/etc/hosts` file on the host machine (not the VM):
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
networking.hosts = {
|
networking.hosts = {
|
||||||
|
@ -95,12 +155,14 @@ networking.hosts = {
|
||||||
};
|
};
|
||||||
```
|
```
|
||||||
|
|
||||||
If you deployed the `basic` target host, go to
|
Which produces:
|
||||||
[http://ha.example.com:8080](http://ha.example.com:8080) and you will be greeted with the Home
|
|
||||||
Assistant setup wizard which will allow you to create an admin user:
|
|
||||||
|
|
||||||
And that's the end of the demo. Otherwise if you deployed the `ldap` target host, go first to
|
```bash
|
||||||
[http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
|
$ cat /etc/hosts
|
||||||
|
127.0.0.1 ha.example.com ldap.example.com
|
||||||
|
```
|
||||||
|
|
||||||
|
Go first to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
|
||||||
|
|
||||||
- username: `admin`
|
- username: `admin`
|
||||||
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `fccb94f0f64bddfe299c81410096499a`.
|
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `fccb94f0f64bddfe299c81410096499a`.
|
||||||
|
@ -155,16 +217,7 @@ space issue, you must increase the
|
||||||
|
|
||||||
### Secrets {#demo-homeassistant-secrets}
|
### Secrets {#demo-homeassistant-secrets}
|
||||||
|
|
||||||
_More info about the secrets._
|
_More info about the secrets can be found in the [Usage](https://shb.skarabox.com/usage.html) manual_
|
||||||
|
|
||||||
The private key in the `keys.txt` file is created with:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
$ nix shell nixpkgs#age --command age-keygen -o keys.txt
|
|
||||||
Public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
|
|
||||||
```
|
|
||||||
|
|
||||||
We use the printed public key in the `admin` field of the `sops.yaml` file.
|
|
||||||
|
|
||||||
To open the `secrets.yaml` file and optionnally edit it, run:
|
To open the `secrets.yaml` file and optionnally edit it, run:
|
||||||
|
|
||||||
|
@ -198,9 +251,9 @@ You can generate random secrets with:
|
||||||
$ nix run nixpkgs#openssl -- rand -hex 64
|
$ nix run nixpkgs#openssl -- rand -hex 64
|
||||||
```
|
```
|
||||||
|
|
||||||
If you choose a password too small, ldap could refuse to start.
|
If you choose a password too small, some services could refuse to start.
|
||||||
|
|
||||||
#### Why do we need the VM's public key {#demo-homeassistant-public-key-necessity}
|
#### Why do we need the VM's public key {#demo-homeassistant-tips-public-key-necessity}
|
||||||
|
|
||||||
The [`sops.yaml`](./sops.yaml) file describes what private keys can decrypt and encrypt the
|
The [`sops.yaml`](./sops.yaml) file describes what private keys can decrypt and encrypt the
|
||||||
[`secrets.yaml`](./secrets.yaml) file containing the application secrets. Usually, you will create and add
|
[`secrets.yaml`](./secrets.yaml) file containing the application secrets. Usually, you will create and add
|
||||||
|
@ -209,11 +262,11 @@ in the `/run/secrets` folder on the VM. We thus need one private key for you to
|
||||||
[`secrets.yaml`](./secrets.yaml) file and one in the VM for it to decrypt the secrets.
|
[`secrets.yaml`](./secrets.yaml) file and one in the VM for it to decrypt the secrets.
|
||||||
|
|
||||||
Your private key is already pre-generated in this repo, it's the [`sshkey`](./sshkey) file. But when
|
Your private key is already pre-generated in this repo, it's the [`sshkey`](./sshkey) file. But when
|
||||||
creating the VM in the step above, a new private key and its accompanying public key were
|
creating the VM for Colmena, a new private key and its accompanying public key were automatically
|
||||||
automatically generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the
|
generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the public key and
|
||||||
public key and add it to the `secrets.yaml` which we did in the Deploy section.
|
add it to the `secrets.yaml` which we did in the Deploy section.
|
||||||
|
|
||||||
### SSH {#demo-homeassistant-ssh}
|
### SSH {#demo-homeassistant-tips-ssh}
|
||||||
|
|
||||||
The private and public ssh keys were created with:
|
The private and public ssh keys were created with:
|
||||||
|
|
||||||
|
@ -231,7 +284,7 @@ authentication, here is what you would need to do to copy over the key:
|
||||||
nix shell nixpkgs#openssh --command ssh-copy-id -i sshkey -F ssh_config example
|
nix shell nixpkgs#openssh --command ssh-copy-id -i sshkey -F ssh_config example
|
||||||
```
|
```
|
||||||
|
|
||||||
### Deploy {#demo-homeassistant-deploy}
|
### Deploy {#demo-homeassistant-tips-deploy}
|
||||||
|
|
||||||
If you get a NAR hash mismatch error like hereunder, you need to run `nix flake lock --update-input
|
If you get a NAR hash mismatch error like hereunder, you need to run `nix flake lock --update-input
|
||||||
selfhostblocks`.
|
selfhostblocks`.
|
||||||
|
@ -240,7 +293,7 @@ selfhostblocks`.
|
||||||
error: NAR hash mismatch in input ...
|
error: NAR hash mismatch in input ...
|
||||||
```
|
```
|
||||||
|
|
||||||
### Update Demo {#demo-homeassistant-update-demo}
|
### Update Demo {#demo-homeassistant-tips-update-demo}
|
||||||
|
|
||||||
If you update the Self Host Blocks configuration in `flake.nix` file, you can just re-deploy.
|
If you update the Self Host Blocks configuration in `flake.nix` file, you can just re-deploy.
|
||||||
|
|
||||||
|
|
|
@ -5,15 +5,8 @@
|
||||||
selfhostblocks.url = "github:ibizaman/selfhostblocks";
|
selfhostblocks.url = "github:ibizaman/selfhostblocks";
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = inputs@{ self, selfhostblocks, ... }: {
|
outputs = inputs@{ self, selfhostblocks, ... }:
|
||||||
colmena = {
|
let
|
||||||
meta = {
|
|
||||||
nixpkgs = import selfhostblocks.inputs.nixpkgs {
|
|
||||||
system = "x86_64-linux";
|
|
||||||
};
|
|
||||||
specialArgs = inputs;
|
|
||||||
};
|
|
||||||
|
|
||||||
basic = { config, ... }: {
|
basic = { config, ... }: {
|
||||||
imports = [
|
imports = [
|
||||||
./configuration.nix
|
./configuration.nix
|
||||||
|
@ -21,13 +14,6 @@
|
||||||
selfhostblocks.nixosModules.x86_64-linux.default
|
selfhostblocks.nixosModules.x86_64-linux.default
|
||||||
];
|
];
|
||||||
|
|
||||||
# Used by colmena to know which target host to deploy to.
|
|
||||||
deployment = {
|
|
||||||
targetHost = "example";
|
|
||||||
targetUser = "nixos";
|
|
||||||
targetPort = 2222;
|
|
||||||
};
|
|
||||||
|
|
||||||
shb.home-assistant = {
|
shb.home-assistant = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = "example.com";
|
domain = "example.com";
|
||||||
|
@ -38,26 +24,9 @@
|
||||||
nixpkgs.config.permittedInsecurePackages = [
|
nixpkgs.config.permittedInsecurePackages = [
|
||||||
"openssl-1.1.1w"
|
"openssl-1.1.1w"
|
||||||
];
|
];
|
||||||
|
|
||||||
# Set to true for more debug info with `journalctl -f -u nginx`.
|
|
||||||
shb.nginx.accessLog = false;
|
|
||||||
shb.nginx.debugLog = false;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
ldap = { config, ... }: {
|
ldap = { config, ... }: {
|
||||||
imports = [
|
|
||||||
./configuration.nix
|
|
||||||
selfhostblocks.inputs.sops-nix.nixosModules.default
|
|
||||||
selfhostblocks.nixosModules.x86_64-linux.default
|
|
||||||
];
|
|
||||||
|
|
||||||
# Used by colmena to know which target host to deploy to.
|
|
||||||
deployment = {
|
|
||||||
targetHost = "example";
|
|
||||||
targetUser = "nixos";
|
|
||||||
targetPort = 2222;
|
|
||||||
};
|
|
||||||
|
|
||||||
shb.ldap = {
|
shb.ldap = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = "example.com";
|
domain = "example.com";
|
||||||
|
@ -83,23 +52,73 @@
|
||||||
restartUnits = [ "lldap.service" ];
|
restartUnits = [ "lldap.service" ];
|
||||||
};
|
};
|
||||||
|
|
||||||
shb.home-assistant = {
|
shb.home-assistant.ldap = {
|
||||||
enable = true;
|
|
||||||
domain = "example.com";
|
|
||||||
ldap = {
|
|
||||||
enable = true;
|
enable = true;
|
||||||
host = "127.0.0.1";
|
host = "127.0.0.1";
|
||||||
port = config.shb.ldap.webUIListenPort;
|
port = config.shb.ldap.webUIListenPort;
|
||||||
userGroup = "homeassistant_user";
|
userGroup = "homeassistant_user";
|
||||||
};
|
};
|
||||||
subdomain = "ha";
|
|
||||||
sopsFile = ./secrets.yaml;
|
|
||||||
};
|
};
|
||||||
|
|
||||||
nixpkgs.config.permittedInsecurePackages = [
|
sopsConfig = {
|
||||||
"openssl-1.1.1w"
|
sops.age.keyFile = "/etc/sops/my_key";
|
||||||
|
environment.etc."sops/my_key".source = ./keys.txt;
|
||||||
|
};
|
||||||
|
in
|
||||||
|
{
|
||||||
|
nixosConfigurations = {
|
||||||
|
basic = selfhostblocks.inputs.nixpkgs.lib.nixosSystem {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
modules = [
|
||||||
|
basic
|
||||||
|
sopsConfig
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
ldap = selfhostblocks.inputs.nixpkgs.lib.nixosSystem {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
modules = [
|
||||||
|
basic
|
||||||
|
ldap
|
||||||
|
sopsConfig
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
colmena = {
|
||||||
|
meta = {
|
||||||
|
nixpkgs = import selfhostblocks.inputs.nixpkgs {
|
||||||
|
system = "x86_64-linux";
|
||||||
|
};
|
||||||
|
specialArgs = inputs;
|
||||||
|
};
|
||||||
|
|
||||||
|
basic = { config, ... }: {
|
||||||
|
imports = [
|
||||||
|
basic
|
||||||
|
];
|
||||||
|
|
||||||
|
# Used by colmena to know which target host to deploy to.
|
||||||
|
deployment = {
|
||||||
|
targetHost = "example";
|
||||||
|
targetUser = "nixos";
|
||||||
|
targetPort = 2222;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
ldap = { config, ... }: {
|
||||||
|
imports = [
|
||||||
|
basic
|
||||||
|
ldap
|
||||||
|
];
|
||||||
|
|
||||||
|
# Used by colmena to know which target host to deploy to.
|
||||||
|
deployment = {
|
||||||
|
targetHost = "example";
|
||||||
|
targetUser = "nixos";
|
||||||
|
targetPort = 2222;
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
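Review bot: `sopsConfig` in the last hunk sets `sops.age.keyFile = "/etc/sops/my_key"` and fills it from `./keys.txt` through `environment.etc`, which copies the committed age private key into the Nix store (readable by every user on the machine by design) and exposes it under `/etc/sops/my_key` on the VM; the README states that the demo's keys are public, but the flake itself carries no such warning, so a comment directly above `sopsConfig = {` such as `# Demo only: keys.txt is committed to the repo and ends up world-readable in the Nix store; a real deployment must provision the age key out of band.` would keep the pattern from being copied. `sopsConfig` is added to the two `nixosConfigurations` but not to either `colmena` node, which I read as intentional since the README says the Colmena path decrypts with the VM's `/etc/ssh/ssh_host_ed25519_key`; a one-line comment on the colmena `basic` node saying so (`# No sopsConfig here: the VM decrypts secrets with its own SSH host key.`) would stop the next reader from adding it. The `outputs` function begins outside the first hunk.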
|
@ -3,21 +3,67 @@
|
||||||
**This whole demo is highly insecure as all the private keys are available publicly. This is
|
**This whole demo is highly insecure as all the private keys are available publicly. This is
|
||||||
only done for convenience as it is just a demo. Do not expose the VM to the internet.**
|
only done for convenience as it is just a demo. Do not expose the VM to the internet.**
|
||||||
|
|
||||||
The [`flake.nix`](./flake.nix) file sets up a Nextcloud server with Self Host Blocks. There are actually 3 demos:
|
The [`flake.nix`](./flake.nix) file sets up a Nextcloud server with Self Host Blocks. There are
|
||||||
|
actually 3 demos:
|
||||||
|
|
||||||
- The `basic` demo sets up a lone Nextcloud server accessible through http.
|
- The `basic` demo sets up a lone Nextcloud server accessible through http with the Preview
|
||||||
- The `ldap` demo sets up a Nextcloud server integrated with a LDAP provider.
|
Generator app enabled.
|
||||||
- The `sso` demo sets up a Nextcloud server integrated with a LDAP provider and an SSO provider.
|
- The `ldap` demo builds on top of the `basic` demo integrating Nextcloud with a LDAP provider.
|
||||||
|
- The `sso` demo builds on top of the `lsap` demo integrating Nextcloud with a SSO provider.
|
||||||
|
|
||||||
They were set up by following the [manual](https://shb.skarabox.com/services-nextcloud.html). This
|
They were set up by following the [manual](https://shb.skarabox.com/services-nextcloud.html). This
|
||||||
guide will show how to deploy these demos to a Virtual Machine, like showed
|
guide will show how to deploy these demos to a Virtual Machine, like showed
|
||||||
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands.
|
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules).
|
||||||
|
|
||||||
## Deploy to the VM {#demo-nextcloud-deploy}
|
## Deploy to the VM {#demo-nextcloud-deploy}
|
||||||
|
|
||||||
### Prerequisite {#demo-nextcloud-deploy-prereq}
|
The demos are setup to either deploy to a VM through `nixos-rebuild` or through
|
||||||
|
[Colmena](https://colmena.cli.rs).
|
||||||
|
|
||||||
Build the VM and start it:
|
Using `nixos-rebuild` is very fast and requires less steps because it reuses your nix store.
|
||||||
|
|
||||||
|
Using `colmena` is more authentic because you are deploying to a stock VM, like you would with a
|
||||||
|
real machine but it needs to copy over all required store derivations so it takes a few minutes the
|
||||||
|
first time.
|
||||||
|
|
||||||
|
### Deploy with nixos-rebuild {#demo-nextcloud-deploy-nixosrebuild}
|
||||||
|
|
||||||
|
Assuming your current working directory is the one where this Readme file is located, the one-liner
|
||||||
|
command which builds and starts the VM configured to run Self Host Blocks' Nextcloud is:
|
||||||
|
|
||||||
|
```nix
|
||||||
|
rm nixos.qcow2; \
|
||||||
|
nixos-rebuild build-vm --flake .#basic \
|
||||||
|
&& QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" \
|
||||||
|
./result/bin/run-nixos-vm
|
||||||
|
```
|
||||||
|
|
||||||
|
This will deploy the `basic` demo. If you want to deploy the `ldap` or `sso` demos, use respectively
|
||||||
|
the `.#ldap` or `.#sso` flake uris.
|
||||||
|
|
||||||
|
You can even test the demos from any directory without cloning this repository by using the GitHub
|
||||||
|
uri like `github:ibizaman/selfhostblocks?path=demo/nextcloud`
|
||||||
|
|
||||||
|
It is very important to remove leftover `nixos.qcow2` files, if any.
|
||||||
|
|
||||||
|
You can ssh into the VM like this, but this is not required for the demo:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
ssh -F ssh_config example
|
||||||
|
```
|
||||||
|
|
||||||
|
But before that works, you will need to change the permission of the ssh key like so:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
chmod 600 sshkey
|
||||||
|
```
|
||||||
|
|
||||||
|
This is only needed because git mangles with the permissions. You will not even see this change in
|
||||||
|
`git status`.
|
||||||
|
|
||||||
|
### Deploy with Colmena {#demo-nextcloud-deploy-colmena}
|
||||||
|
|
||||||
|
If you deploy with Colmena, you must first build the VM and start it:
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
rm nixos.qcow2; \
|
rm nixos.qcow2; \
|
||||||
|
@ -25,6 +71,8 @@ rm nixos.qcow2; \
|
||||||
QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm
|
QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm
|
||||||
```
|
```
|
||||||
|
|
||||||
|
It is very important to remove leftover `nixos.qcow2` files, if any.
|
||||||
|
|
||||||
This last call is blocking, so I advice adding a `&` at the end of the command otherwise you will
|
This last call is blocking, so I advice adding a `&` at the end of the command otherwise you will
|
||||||
need to run the rest of the commands in another terminal.
|
need to run the rest of the commands in another terminal.
|
||||||
|
|
||||||
|
@ -67,16 +115,8 @@ This section corresponds to the `basic` section of the [Nextcloud
|
||||||
manual](services-nextcloud.html#services-nextcloud-server-usage-basic).
|
manual](services-nextcloud.html#services-nextcloud-server-usage-basic).
|
||||||
::::
|
::::
|
||||||
|
|
||||||
To deploy a basic Nextcloud with only the Preview Generator app enabled, run:
|
Assuming you already deployed the `basic` demo, now you must add the following entry to the
|
||||||
|
`/etc/hosts` file on the host machine (not the VM):
|
||||||
```bash
|
|
||||||
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic
|
|
||||||
```
|
|
||||||
|
|
||||||
The deploy will take a few minutes the first time and subsequent deploys will take around 15
|
|
||||||
seconds.
|
|
||||||
|
|
||||||
Add the following entry to the `/etc/hosts` file on the host machine (not the VM):
|
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
networking.hosts = {
|
networking.hosts = {
|
||||||
|
@ -106,17 +146,8 @@ This section corresponds to the `ldap` section of the [Nextcloud
|
||||||
manual](services-nextcloud.html#services-nextcloud-server-usage-ldap).
|
manual](services-nextcloud.html#services-nextcloud-server-usage-ldap).
|
||||||
::::
|
::::
|
||||||
|
|
||||||
To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP
|
Assuming you already deployed the `ldap` demo, now you must add the following entry to the
|
||||||
service, run:
|
`/etc/hosts` file on the host machine (not the VM):
|
||||||
|
|
||||||
```bash
|
|
||||||
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap
|
|
||||||
```
|
|
||||||
|
|
||||||
The deploy will take a few minutes the first time and subsequent deploys will take around 15
|
|
||||||
seconds.
|
|
||||||
|
|
||||||
Add the following entry to the `/etc/hosts` file on the host machine (not the VM):
|
|
||||||
|
|
||||||
```nix
|
```nix
|
||||||
networking.hosts = {
|
networking.hosts = {
|
||||||
|
@ -134,7 +165,8 @@ $ cat /etc/hosts
|
||||||
Go first to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
|
Go first to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
|
||||||
|
|
||||||
- username: `admin`
|
- username: `admin`
|
||||||
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`.
|
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is
|
||||||
|
`c2e32e54ea3e0053eb30841f818a3d9a`.
|
||||||
|
|
||||||
Create the group `nextcloud_user` and a create a user and assign them to that group.
|
Create the group `nextcloud_user` and a create a user and assign them to that group.
|
||||||
|
|
||||||
|
@ -153,32 +185,23 @@ This section corresponds to the `sso` section of the [Nextcloud
|
||||||
manual](services-nextcloud.html#services-nextcloud-server-usage-oidc).
|
manual](services-nextcloud.html#services-nextcloud-server-usage-oidc).
|
||||||
::::
|
::::
|
||||||
|
|
||||||
To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP
|
At this point, it is assumed you already deployed the `sso` demo. There is no host to add to
|
||||||
service and an SSO service, run:
|
`/etc/hosts` here. Instead, there is a `dnsmasq` server running in the VM and you must create a
|
||||||
|
SOCKS proxy to connect to it like so:
|
||||||
```bash
|
|
||||||
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on sso
|
|
||||||
```
|
|
||||||
|
|
||||||
The deploy will take a few minutes the first time and subsequent deploys will take around 15
|
|
||||||
seconds.
|
|
||||||
|
|
||||||
Here, there is a `dnsmasq` server running in the VM. You must create a SOCKS proxy to the `dnsmasq`
|
|
||||||
service like so:
|
|
||||||
|
|
||||||
```bash
|
```bash
|
||||||
ssh -F ssh_config -D 1080 -N example
|
ssh -F ssh_config -D 1080 -N example
|
||||||
```
|
```
|
||||||
|
|
||||||
This is a blocking call that will create a SOCKS proxy on port 1080. It is not necessary to fork
|
This is a blocking call but it is not necessary to fork this process in the background by appending
|
||||||
this process in the background by appending `&` because we will not need to use the terminal for the
|
`&` because we will not need to use the terminal for the rest of the demo.
|
||||||
rest of the demo.
|
|
||||||
|
|
||||||
Now, configure your browser to use that proxy. When that's done go to
|
Now, configure your browser to use that SOCKS proxy. When that's done go to
|
||||||
[https://ldap.example.com](https://ldap.example.com) and login with:
|
[https://ldap.example.com](https://ldap.example.com) and login with:
|
||||||
|
|
||||||
- username: `admin`
|
- username: `admin`
|
||||||
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`.
|
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is
|
||||||
|
`c2e32e54ea3e0053eb30841f818a3d9a`.
|
||||||
|
|
||||||
Create the group `nextcloud_user` and a create a user and assign them to that group.
|
Create the group `nextcloud_user` and a create a user and assign them to that group.
|
||||||
|
|
||||||
|
@ -233,39 +256,7 @@ space issue, you must increase the
|
||||||
|
|
||||||
### Secrets {#demo-nextcloud-tips-secrets}
|
### Secrets {#demo-nextcloud-tips-secrets}
|
||||||
|
|
||||||
_More info about the secrets._
|
_More info about the secrets can be found in the [Usage](https://shb.skarabox.com/usage.html) manual_
|
||||||
|
|
||||||
The private key in the `keys.txt` file is created with:
|
|
||||||
|
|
||||||
```bash
|
|
||||||
$ nix shell nixpkgs#age --command age-keygen -o keys.txt
|
|
||||||
Public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
|
|
||||||
```
|
|
||||||
|
|
||||||
We use the printed public key in the `admin` field of the `sops.yaml` file.
|
|
||||||
|
|
||||||
The `secrets.yaml` file must follow the format:
|
|
||||||
|
|
||||||
```yaml
|
|
||||||
nextcloud:
|
|
||||||
adminpass: 43bb4b8f82fc645ce3260b5db803c5a8
|
|
||||||
onlyoffice:
|
|
||||||
jwt_secret: XXX...
|
|
||||||
sso:
|
|
||||||
secret: YYY...
|
|
||||||
lldap:
|
|
||||||
user_password: c2e32e54ea3e0053eb30841f818a3d9a
|
|
||||||
jwt_secret: ZZZ...
|
|
||||||
authelia:
|
|
||||||
jwt_secret: AAA...
|
|
||||||
storage_encryption_key: BBB...
|
|
||||||
session_secret: CCC...
|
|
||||||
hmac_secret: DDD.
|
|
||||||
private_key: |
|
|
||||||
-----BEGIN PRIVATE KEY-----
|
|
||||||
MII...
|
|
||||||
-----END PRIVATE KEY-----
|
|
||||||
```
|
|
||||||
|
|
||||||
To open the `secrets.yaml` file and optionnally edit it, run:
|
To open the `secrets.yaml` file and optionnally edit it, run:
|
||||||
|
|
||||||
|
@ -292,9 +283,9 @@ in the `/run/secrets` folder on the VM. We thus need one private key for you to
|
||||||
[`secrets.yaml`](./secrets.yaml) file and one in the VM for it to decrypt the secrets.
|
[`secrets.yaml`](./secrets.yaml) file and one in the VM for it to decrypt the secrets.
|
||||||
|
|
||||||
Your private key is already pre-generated in this repo, it's the [`sshkey`](./sshkey) file. But when
|
Your private key is already pre-generated in this repo, it's the [`sshkey`](./sshkey) file. But when
|
||||||
creating the VM in the step above, a new private key and its accompanying public key were
|
creating the VM for Colmena, a new private key and its accompanying public key were automatically
|
||||||
automatically generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the
|
generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the public key and
|
||||||
public key and add it to the `secrets.yaml` which we did in the Deploy section.
add it to the `secrets.yaml` which we did in the Deploy section.
### SSH {#demo-nextcloud-tips-ssh}
### SSH {#demo-nextcloud-tips-ssh}
@ -22,6 +22,7 @@ in
boot.loader.grub.configurationLimit = 1;
boot.loader.grub.configurationLimit = 1;
# The NixOS /nix/.rw-store mountpoint is backed by tmpfs which uses memory. We need to increase
# The NixOS /nix/.rw-store mountpoint is backed by tmpfs which uses memory. We need to increase
# the available disk space to install home-assistant.
# the available disk space to install home-assistant.
virtualisation.vmVariant.virtualisation.memorySize = 8192;
virtualisation.vmVariantWithBootLoader.virtualisation.memorySize = 8192;
virtualisation.vmVariantWithBootLoader.virtualisation.memorySize = 8192;
# Options above are needed to deploy in a VM.
# Options above are needed to deploy in a VM.
@ -5,15 +5,8 @@
selfhostblocks.url = "github:ibizaman/selfhostblocks";
selfhostblocks.url = "github:ibizaman/selfhostblocks";
};
};
outputs = inputs@{ self, selfhostblocks, ... }: {
outputs = inputs@{ self, selfhostblocks, ... }:
colmena = {
let
meta = {
nixpkgs = import selfhostblocks.inputs.nixpkgs {
system = "x86_64-linux";
};
specialArgs = inputs;
};
basic = { config, ... }: {
basic = { config, ... }: {
imports = [
imports = [
./configuration.nix
./configuration.nix
@ -21,13 +14,6 @@
selfhostblocks.nixosModules.x86_64-linux.default
selfhostblocks.nixosModules.x86_64-linux.default
];
];
# Used by colmena to know which target host to deploy to.
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
shb.nextcloud = {
shb.nextcloud = {
enable = true;
enable = true;
domain = "example.com";
domain = "example.com";
@ -60,19 +46,6 @@
};
};
ldap = { config, ... }: {
ldap = { config, ... }: {
imports = [
./configuration.nix
selfhostblocks.inputs.sops-nix.nixosModules.default
selfhostblocks.nixosModules.x86_64-linux.default
];
# Used by colmena to know which target host to deploy to.
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
shb.ldap = {
shb.ldap = {
enable = true;
enable = true;
domain = "example.com";
domain = "example.com";
@ -98,21 +71,7 @@
restartUnits = [ "lldap.service" ];
restartUnits = [ "lldap.service" ];
};
};
shb.nextcloud = {
shb.nextcloud.apps.ldap = {
enable = true;
domain = "example.com";
subdomain = "n";
dataDir = "/var/lib/nextcloud";
tracing = null;
# This option is only needed because we do not access Nextcloud at the default port in the VM.
port = 8080;
adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
apps = {
previewgenerator.enable = true;
ldap = {
enable = true;
enable = true;
host = "127.0.0.1";
host = "127.0.0.1";
port = config.shb.ldap.ldapPort;
port = config.shb.ldap.ldapPort;
@ -121,17 +80,7 @@
adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
userGroup = "nextcloud_user";
userGroup = "nextcloud_user";
};
};
};
};
# Secret needed for services.nextcloud.config.adminpassFile.
sops.secrets."nextcloud/adminpass" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
# Secret needed for LDAP app.
# Secret needed for LDAP app.
sops.secrets."nextcloud/ldap_admin_password" = {
sops.secrets."nextcloud/ldap_admin_password" = {
sopsFile = ./secrets.yaml;
sopsFile = ./secrets.yaml;
@ -141,26 +90,9 @@
group = "nextcloud";
group = "nextcloud";
restartUnits = [ "nextcloud-setup.service" ];
restartUnits = [ "nextcloud-setup.service" ];
};
};
# Set to true for more debug info with `journalctl -f -u nginx`.
shb.nginx.accessLog = true;
shb.nginx.debugLog = false;
};
};
sso = { config, ... }: {
sso = { config, ... }: {
imports = [
./configuration.nix
selfhostblocks.inputs.sops-nix.nixosModules.default
selfhostblocks.nixosModules.x86_64-linux.default
];
# Used by colmena to know which target host to deploy to.
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
shb.certs = {
shb.certs = {
cas.selfsigned.myca = {
cas.selfsigned.myca = {
name = "My CA";
name = "My CA";
@ -189,99 +121,6 @@
};
};
};
};
shb.nextcloud = {
enable = true;
domain = "example.com";
subdomain = "n";
ssl = config.shb.certs.certs.selfsigned.n;
dataDir = "/var/lib/nextcloud";
tracing = null;
adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
apps = {
previewgenerator.enable = true;
ldap = {
enable = true;
host = "127.0.0.1";
port = config.shb.ldap.ldapPort;
dcdomain = config.shb.ldap.dcdomain;
adminName = "admin";
adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
userGroup = "nextcloud_user";
};
sso = {
enable = true;
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
clientID = "nextcloud";
fallbackDefaultAuth = true;
secretFile = config.sops.secrets."nextcloud/sso/secret".path;
secretFileForAuthelia = config.sops.secrets."authelia/nextcloud_sso_secret".path;
};
};
};
# Secret needed for services.nextcloud.config.adminpassFile.
sops.secrets."nextcloud/adminpass" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
# Secret needed for LDAP app.
sops.secrets."nextcloud/ldap_admin_password" = {
sopsFile = ./secrets.yaml;
key = "lldap/user_password";
mode = "0400";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "nextcloud-setup.service" ];
};
sops.secrets."nextcloud/sso/secret" = {
sopsFile = ./secrets.yaml;
mode = "0400";
owner = "nextcloud";
restartUnits = [ "nextcloud-setup.service" ];
};
sops.secrets."authelia/nextcloud_sso_secret" = {
sopsFile = ./secrets.yaml;
key = "nextcloud/sso/secret";
mode = "0400";
owner = config.shb.authelia.autheliaUser;
};
# Set to true for more debug info with `journalctl -f -u nginx`.
shb.nginx.accessLog = true;
shb.nginx.debugLog = false;
shb.ldap = {
enable = true;
domain = "example.com";
subdomain = "ldap";
ssl = config.shb.certs.certs.selfsigned.n;
ldapPort = 3890;
webUIListenPort = 17170;
dcdomain = "dc=example,dc=com";
ldapUserPasswordFile = config.sops.secrets."lldap/user_password".path;
jwtSecretFile = config.sops.secrets."lldap/jwt_secret".path;
};
sops.secrets."lldap/user_password" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
sops.secrets."lldap/jwt_secret" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
shb.authelia = {
shb.authelia = {
enable = true;
enable = true;
domain = "example.com";
domain = "example.com";
@ -339,6 +178,109 @@
owner = config.shb.authelia.autheliaUser;
owner = config.shb.authelia.autheliaUser;
restartUnits = [ "authelia.service" ];
restartUnits = [ "authelia.service" ];
};
};
shb.nextcloud.apps.sso = {
enable = true;
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
clientID = "nextcloud";
fallbackDefaultAuth = true;
secretFile = config.sops.secrets."nextcloud/sso/secret".path;
secretFileForAuthelia = config.sops.secrets."authelia/nextcloud_sso_secret".path;
};
sops.secrets."nextcloud/sso/secret" = {
sopsFile = ./secrets.yaml;
mode = "0400";
owner = "nextcloud";
restartUnits = [ "nextcloud-setup.service" ];
};
sops.secrets."authelia/nextcloud_sso_secret" = {
sopsFile = ./secrets.yaml;
key = "nextcloud/sso/secret";
mode = "0400";
owner = config.shb.authelia.autheliaUser;
};
};
sopsConfig = {
sops.age.keyFile = "/etc/sops/my_key";
environment.etc."sops/my_key".source = ./keys.txt;
};
in
{
nixosConfigurations = {
basic = selfhostblocks.inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
sopsConfig
basic
];
};
ldap = selfhostblocks.inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
sopsConfig
basic
ldap
];
};
sso = selfhostblocks.inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
sopsConfig
basic
ldap
sso
];
};
};
colmena = {
meta = {
nixpkgs = import selfhostblocks.inputs.nixpkgs {
system = "x86_64-linux";
};
specialArgs = inputs;
};
basic = { config, ... }: {
imports = [
basic
];
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
};
ldap = { config, ... }: {
imports = [
basic
ldap
];
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
};
sso = { config, ... }: {
imports = [
basic
ldap
sso
];
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
};
};
};
};
};
};
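Review bot: The new `sopsConfig` module reads the age private key through `environment.etc."sops/my_key".source = ./keys.txt;`, which copies `keys.txt` into the Nix store, so the key that decrypts every entry of `secrets.yaml` becomes world-readable on the VM (and, if the demo closure is ever pushed to the cache the workflow configures, outside it too). That is fine for a throwaway demo whose keys live in the repo, but the block says nothing about it and is the first thing a reader will copy into a real configuration; a comment above `sopsConfig` such as `# Demo only: keys.txt ends up in the world-readable Nix store; real deployments must provision the key out of band.` would make the trade-off explicit. On a style point, the three identical `deployment` attrsets under `colmena` (targetHost/targetUser/targetPort) could be bound once in the same `let` and reused, as `sopsConfig` already is.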