parent
0457f263cc
commit
b43a4971a4
6 changed files with 411 additions and 350 deletions
55
.github/workflows/test.yml
@ -24,6 +24,61 @@ jobs:
nix run github:Mic92/nix-fast-build -- \
|
||||
--skip-cached --no-nom \
|
||||
--flake ".#checks.$(nix eval --raw --impure --expr builtins.currentSystem)"
|
||||
|
||||
# We're just checking if the demo start without hiccup.
|
||||
demos:
|
||||
runs-on: ubuntu-latest
|
||||
strategy:
|
||||
matrix:
|
||||
demo:
|
||||
- homeassistant#basic
|
||||
- homeassistant#ldap
|
||||
- nextcloud#basic
|
||||
- nextcloud#ldap
|
||||
- nextcloud#sso
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
- name: Install Nix
|
||||
uses: DeterminateSystems/nix-installer-action@main
|
||||
with:
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
extra-conf: "system-features = nixos-test benchmark big-parallel kvm"
|
||||
- name: Setup Caching
|
||||
uses: cachix/cachix-action@v12
|
||||
with:
|
||||
name: selfhostblocks
|
||||
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
|
||||
- name: Test demos
|
||||
# See https://blog.stefan-koch.name/2020/12/10/qemu-guest-graceful-shutdown-from-python for
|
||||
# inspiration.
|
||||
run: |
|
||||
set -x
|
||||
|
||||
rm -f nixos.qcow2
|
||||
nix run nixpkgs#nixos-rebuild -- build-vm --flake ./demo/${{ matrix.demo }}
|
||||
QEMU_NET_OPTS="hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm -nographic -qmp unix:/tmp/qmp-sock,server,nowait &
|
||||
|
||||
nix run nixpkgs#socat -- - unix-connect:/tmp/qmp-sock <<EOF
|
||||
{"execute": "qmp_capabilities"}
|
||||
{"execute": "system_powerdown"}
|
||||
EOF
|
||||
|
||||
docs:
|
||||
runs-on: ubuntu-latest
|
||||
steps:
|
||||
- name: Checkout repository
|
||||
uses: actions/checkout@v3
|
||||
- name: Install Nix
|
||||
uses: DeterminateSystems/nix-installer-action@main
|
||||
with:
|
||||
github-token: ${{ secrets.GITHUB_TOKEN }}
|
||||
extra-conf: "system-features = nixos-test benchmark big-parallel kvm"
|
||||
- name: Setup Caching
|
||||
uses: cachix/cachix-action@v12
|
||||
with:
|
||||
name: selfhostblocks
|
||||
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
|
||||
- name: Test building docs
|
||||
run: |
|
||||
nix \
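Review bot: `uses: DeterminateSystems/nix-installer-action@main` in both the new `demos` job and the `docs` job pins the installer to a moving branch while handing it `secrets.GITHUB_TOKEN`, whereas the neighbouring `actions/checkout@v3` and `cachix/cachix-action@v12` are pinned to releases; pin it to a release tag or a full commit SHA so a change on `main` cannot silently alter what runs with that token. In the `Test demos` step the VM is started with `&` but its exit status is never collected, so a guest that dies during boot does not fail the job; capture `VM_PID=$!` right after the `run-nixos-vm` line and add `wait "$VM_PID"` after the `EOF` line, bounding it with `timeout-minutes` on the job in case the guest ignores an early `system_powerdown`. The socat call also runs as soon as the VM is backgrounded, so it can race QEMU creating `/tmp/qmp-sock`; a short poll for the socket before connecting would make the check less flaky (how quickly the socket appears is not visible here). The `docs` job's `run:` script continues outside the hunk.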
@ -3,16 +3,66 @@
**This whole demo is highly insecure as all the private keys are available publicly. This is
|
||||
only done for convenience as it is just a demo. Do not expose the VM to the internet.**
|
||||
|
||||
The [`flake.nix`](./flake.nix) file sets up a Home Assistant server in only about [15
|
||||
lines](./flake.nix#L31-L37) of related code. It also defines a Home Assistant server that integrates with
|
||||
a [LDAP server](./flake.nix#L58-L94).
|
||||
The [`flake.nix`](./flake.nix) file sets up a Home Assistant server with Self Host Blocks. There are actually 2 demos:
|
||||
|
||||
This guide will show how to deploy this setup to a Virtual Machine, like showed
|
||||
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands.
|
||||
- The `basic` demo sets up a lone Home Assistant server accessible through http.
|
||||
- The `ldap` demo builds on top of the `basic` demo integrating Home Assistant with a LDAP provider.
|
||||
|
||||
## Deploy to the VM {#demo-homeassistant-deploy-to-the-vm}
|
||||
<!--
|
||||
They were set up by following the [manual](https://shb.skarabox.com/services-homeassistant.html).
|
||||
-->
|
||||
|
||||
Build the VM and start it:
|
||||
This guide will show how to deploy these demos to a Virtual Machine, like showed
|
||||
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules).
|
||||
|
||||
## Deploy to the VM {#demo-homeassistant-deploy}
|
||||
|
||||
The demos are setup to either deploy to a VM through `nixos-rebuild` or through
|
||||
[Colmena](https://colmena.cli.rs).
|
||||
|
||||
Using `nixos-rebuild` is very fast and requires less steps because it reuses your nix store.
|
||||
|
||||
Using `colmena` is more authentic because you are deploying to a stock VM, like you would with a
|
||||
real machine but it needs to copy over all required store derivations so it takes a few minutes the
|
||||
first time.
|
||||
|
||||
### Deploy with nixos-rebuild {#demo-homeassistant-deploy-nixosrebuild}
|
||||
|
||||
Assuming your current working directory is the one where this Readme file is located, the one-liner
|
||||
command which builds and starts the VM configured to run Self Host Blocks' Nextcloud is:
|
||||
|
||||
```nix
|
||||
rm nixos.qcow2; \
|
||||
nixos-rebuild build-vm --flake .#basic \
|
||||
&& QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" \
|
||||
./result/bin/run-nixos-vm
|
||||
```
|
||||
|
||||
This will deploy the `basic` demo. If you want to deploy the `ldap` demo, use the `.#ldap` flake
|
||||
uris.
|
||||
|
||||
You can even test the demos from any directory without cloning this repository by using the GitHub
|
||||
uri like `github:ibizaman/selfhostblocks?path=demo/nextcloud`
|
||||
|
||||
It is very important to remove leftover `nixos.qcow2` files, if any.
|
||||
|
||||
You can ssh into the VM like this, but this is not required for the demo:
|
||||
|
||||
```bash
|
||||
ssh -F ssh_config example
|
||||
```
|
||||
|
||||
But before that works, you will need to change the permission of the ssh key like so:
|
||||
|
||||
```bash
|
||||
chmod 600 sshkey
|
||||
```
|
||||
|
||||
This is only needed because git mangles with the permissions. You will not even see this change in
|
||||
`git status`.
|
||||
### Deploy with Colmena {#demo-homeassitant-deploy-colmena}
|
||||
|
||||
If you deploy with Colmena, you must first build the VM and start it:
|
||||
|
||||
```bash
|
||||
rm nixos.qcow2; \
@ -20,6 +70,8 @@ rm nixos.qcow2; \
QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm
|
||||
```
|
||||
|
||||
It is very important to remove leftover `nixos.qcow2` files, if any.
|
||||
|
||||
This last call is blocking, so I advice adding a `&` at the end of the command otherwise you will
|
||||
need to run the rest of the commands in another terminal.
|
||||
@ -55,24 +107,17 @@ You can ssh into the VM with, but this is not required for the demo:
ssh -F ssh_config example
|
||||
```
|
||||
|
||||
Finally, we can deploy. To deploy a Home Assistant server, run:
|
||||
### Home Assistant through HTTP {#demo-homeassistant-deploy-basic}
|
||||
|
||||
```bash
|
||||
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic
|
||||
```
|
||||
<!--
|
||||
:::: {.note}
|
||||
This section corresponds to the `basic` section of the [Home Assistant
|
||||
manual](services-nextcloud.html#services-homeassistant-server-usage-basic).
|
||||
::::
|
||||
-->
|
||||
|
||||
To deploy a Home Assistant server integrated with a LDAP service, run:
|
||||
|
||||
```bash
|
||||
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap
|
||||
```
|
||||
|
||||
The deploy will take a few minutes the first time and subsequent deploys will take around 15
|
||||
seconds.
|
||||
|
||||
## Access Home Assistant Through Your Browser {#demo-homeassistant-access-through-your-browser}
|
||||
|
||||
Add the following entry to your `/etc/hosts` file:
|
||||
Assuming you already deployed the `basic` demo, now you must add the following entry to the
|
||||
`/etc/hosts` file on the host machine (not the VM):
|
||||
|
||||
```nix
|
||||
networking.hosts = {
@ -87,7 +132,22 @@ $ cat /etc/hosts
127.0.0.1 ha.example.com
|
||||
```
|
||||
|
||||
If you deployed the `ldap` target host, add instead:
|
||||
Go to [http://ha.example.com:8080](http://ha.example.com:8080) and you will be greeted with the Home
|
||||
Assistant setup wizard which will allow you to create an admin user.
|
||||
|
||||
And that's the end of the demo
|
||||
|
||||
### Home Assistant with LDAP through HTTP {#demo-homeassistant-deploy-ldap}
|
||||
|
||||
<!--
|
||||
:::: {.note}
|
||||
This section corresponds to the `ldap` section of the [Home Assistant
|
||||
manual](services-nextcloud.html#services-homeassistant-server-usage-ldap).
|
||||
::::
|
||||
-->
|
||||
|
||||
Assuming you already deployed the `ldap` demo, now you must add the following entry to the
|
||||
`/etc/hosts` file on the host machine (not the VM):
|
||||
|
||||
```nix
|
||||
networking.hosts = {
@ -95,12 +155,14 @@ networking.hosts = {
};
|
||||
```
|
||||
|
||||
If you deployed the `basic` target host, go to
|
||||
[http://ha.example.com:8080](http://ha.example.com:8080) and you will be greeted with the Home
|
||||
Assistant setup wizard which will allow you to create an admin user:
|
||||
Which produces:
|
||||
|
||||
And that's the end of the demo. Otherwise if you deployed the `ldap` target host, go first to
|
||||
[http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
|
||||
```bash
|
||||
$ cat /etc/hosts
|
||||
127.0.0.1 ha.example.com ldap.example.com
|
||||
```
|
||||
|
||||
Go first to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
|
||||
|
||||
- username: `admin`
|
||||
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `fccb94f0f64bddfe299c81410096499a`.
@ -155,16 +217,7 @@ space issue, you must increase the
|
||||
### Secrets {#demo-homeassistant-secrets}
|
||||
|
||||
_More info about the secrets._
|
||||
|
||||
The private key in the `keys.txt` file is created with:
|
||||
|
||||
```bash
|
||||
$ nix shell nixpkgs#age --command age-keygen -o keys.txt
|
||||
Public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
|
||||
```
|
||||
|
||||
We use the printed public key in the `admin` field of the `sops.yaml` file.
|
||||
_More info about the secrets can be found in the [Usage](https://shb.skarabox.com/usage.html) manual_
|
||||
|
||||
To open the `secrets.yaml` file and optionnally edit it, run:
|
||||
@ -198,9 +251,9 @@ You can generate random secrets with:
$ nix run nixpkgs#openssl -- rand -hex 64
|
||||
```
|
||||
|
||||
If you choose a password too small, ldap could refuse to start.
|
||||
If you choose a password too small, some services could refuse to start.
|
||||
|
||||
#### Why do we need the VM's public key {#demo-homeassistant-public-key-necessity}
|
||||
#### Why do we need the VM's public key {#demo-homeassistant-tips-public-key-necessity}
|
||||
|
||||
The [`sops.yaml`](./sops.yaml) file describes what private keys can decrypt and encrypt the
|
||||
[`secrets.yaml`](./secrets.yaml) file containing the application secrets. Usually, you will create and add
@ -209,11 +262,11 @@ in the `/run/secrets` folder on the VM. We thus need one private key for you to
[`secrets.yaml`](./secrets.yaml) file and one in the VM for it to decrypt the secrets.
|
||||
|
||||
Your private key is already pre-generated in this repo, it's the [`sshkey`](./sshkey) file. But when
|
||||
creating the VM in the step above, a new private key and its accompanying public key were
|
||||
automatically generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the
|
||||
public key and add it to the `secrets.yaml` which we did in the Deploy section.
|
||||
creating the VM for Colmena, a new private key and its accompanying public key were automatically
|
||||
generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the public key and
|
||||
add it to the `secrets.yaml` which we did in the Deploy section.
|
||||
|
||||
### SSH {#demo-homeassistant-ssh}
|
||||
### SSH {#demo-homeassistant-tips-ssh}
|
||||
|
||||
The private and public ssh keys were created with:
|
||||
@ -231,7 +284,7 @@ authentication, here is what you would need to do to copy over the key:
nix shell nixpkgs#openssh --command ssh-copy-id -i sshkey -F ssh_config example
|
||||
```
|
||||
|
||||
### Deploy {#demo-homeassistant-deploy}
|
||||
### Deploy {#demo-homeassistant-tips-deploy}
|
||||
|
||||
If you get a NAR hash mismatch error like hereunder, you need to run `nix flake lock --update-input
|
||||
selfhostblocks`.
@ -240,7 +293,7 @@ selfhostblocks`.
error: NAR hash mismatch in input ...
|
||||
```
|
||||
|
||||
### Update Demo {#demo-homeassistant-update-demo}
|
||||
### Update Demo {#demo-homeassistant-tips-update-demo}
|
||||
|
||||
If you update the Self Host Blocks configuration in `flake.nix` file, you can just re-deploy.
|
||||
@ -5,15 +5,8 @@
selfhostblocks.url = "github:ibizaman/selfhostblocks";
|
||||
};
|
||||
|
||||
outputs = inputs@{ self, selfhostblocks, ... }: {
|
||||
colmena = {
|
||||
meta = {
|
||||
nixpkgs = import selfhostblocks.inputs.nixpkgs {
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
specialArgs = inputs;
|
||||
};
|
||||
|
||||
outputs = inputs@{ self, selfhostblocks, ... }:
|
||||
let
|
||||
basic = { config, ... }: {
|
||||
imports = [
|
||||
./configuration.nix
@ -21,13 +14,6 @@
selfhostblocks.nixosModules.x86_64-linux.default
|
||||
];
|
||||
|
||||
# Used by colmena to know which target host to deploy to.
|
||||
deployment = {
|
||||
targetHost = "example";
|
||||
targetUser = "nixos";
|
||||
targetPort = 2222;
|
||||
};
|
||||
|
||||
shb.home-assistant = {
|
||||
enable = true;
|
||||
domain = "example.com";
@ -38,26 +24,9 @@
nixpkgs.config.permittedInsecurePackages = [
|
||||
"openssl-1.1.1w"
|
||||
];
|
||||
|
||||
# Set to true for more debug info with `journalctl -f -u nginx`.
|
||||
shb.nginx.accessLog = false;
|
||||
shb.nginx.debugLog = false;
|
||||
};
|
||||
|
||||
ldap = { config, ... }: {
|
||||
imports = [
|
||||
./configuration.nix
|
||||
selfhostblocks.inputs.sops-nix.nixosModules.default
|
||||
selfhostblocks.nixosModules.x86_64-linux.default
|
||||
];
|
||||
|
||||
# Used by colmena to know which target host to deploy to.
|
||||
deployment = {
|
||||
targetHost = "example";
|
||||
targetUser = "nixos";
|
||||
targetPort = 2222;
|
||||
};
|
||||
|
||||
shb.ldap = {
|
||||
enable = true;
|
||||
domain = "example.com";
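Review bot: The `ldap` module no longer carries its own `imports` or `deployment` block, so it only evaluates correctly when composed together with `basic` (which still imports `./configuration.nix` and the Self Host Blocks module), but nothing at its definition says so. A one-line comment above `ldap = { config, ... }: {` such as `# Only meaningful when layered on top of the basic module; not a standalone configuration.` would stop the next reader from trying to use it alone. The same applies to the equivalent `ldap` module in the nextcloud flake's hunk further down this page (`@ -60,19 +46,6 @@`). The `ldap` module body continues outside this hunk.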
@ -83,23 +52,73 @@
restartUnits = [ "lldap.service" ];
|
||||
};
|
||||
|
||||
shb.home-assistant = {
|
||||
enable = true;
|
||||
domain = "example.com";
|
||||
ldap = {
|
||||
shb.home-assistant.ldap = {
|
||||
enable = true;
|
||||
host = "127.0.0.1";
|
||||
port = config.shb.ldap.webUIListenPort;
|
||||
userGroup = "homeassistant_user";
|
||||
};
|
||||
subdomain = "ha";
|
||||
sopsFile = ./secrets.yaml;
|
||||
};
|
||||
|
||||
nixpkgs.config.permittedInsecurePackages = [
|
||||
"openssl-1.1.1w"
|
||||
sopsConfig = {
|
||||
sops.age.keyFile = "/etc/sops/my_key";
|
||||
environment.etc."sops/my_key".source = ./keys.txt;
|
||||
};
|
||||
in
|
||||
{
|
||||
nixosConfigurations = {
|
||||
basic = selfhostblocks.inputs.nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
basic
|
||||
sopsConfig
|
||||
];
|
||||
};
|
||||
|
||||
ldap = selfhostblocks.inputs.nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
basic
|
||||
ldap
|
||||
sopsConfig
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
colmena = {
|
||||
meta = {
|
||||
nixpkgs = import selfhostblocks.inputs.nixpkgs {
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
specialArgs = inputs;
|
||||
};
|
||||
|
||||
basic = { config, ... }: {
|
||||
imports = [
|
||||
basic
|
||||
];
|
||||
|
||||
# Used by colmena to know which target host to deploy to.
|
||||
deployment = {
|
||||
targetHost = "example";
|
||||
targetUser = "nixos";
|
||||
targetPort = 2222;
|
||||
};
|
||||
};
|
||||
|
||||
ldap = { config, ... }: {
|
||||
imports = [
|
||||
basic
|
||||
ldap
|
||||
];
|
||||
|
||||
# Used by colmena to know which target host to deploy to.
|
||||
deployment = {
|
||||
targetHost = "example";
|
||||
targetUser = "nixos";
|
||||
targetPort = 2222;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
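Review bot: `sopsConfig` ships the age private key into the VM via `environment.etc."sops/my_key".source = ./keys.txt;`, which copies `keys.txt` into the Nix store and therefore makes it world-readable on any machine that builds or receives the closure; that is acceptable for this throwaway demo, but the module has no comment saying so and it is the block here most likely to be copied into a real configuration. Add above `sopsConfig = {`: `# Demo only: routing the age key through the Nix store makes it world-readable; real deployments must provision the key out of band.` A similar one-liner above `nixosConfigurations` noting that `ldap` is composed on top of `basic` rather than replacing it would make the module layering explicit, since the `ldap` module itself (earlier hunk) no longer imports anything.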
@ -3,21 +3,67 @@
**This whole demo is highly insecure as all the private keys are available publicly. This is
|
||||
only done for convenience as it is just a demo. Do not expose the VM to the internet.**
|
||||
|
||||
The [`flake.nix`](./flake.nix) file sets up a Nextcloud server with Self Host Blocks. There are actually 3 demos:
|
||||
The [`flake.nix`](./flake.nix) file sets up a Nextcloud server with Self Host Blocks. There are
|
||||
actually 3 demos:
|
||||
|
||||
- The `basic` demo sets up a lone Nextcloud server accessible through http.
|
||||
- The `ldap` demo sets up a Nextcloud server integrated with a LDAP provider.
|
||||
- The `sso` demo sets up a Nextcloud server integrated with a LDAP provider and an SSO provider.
|
||||
- The `basic` demo sets up a lone Nextcloud server accessible through http with the Preview
|
||||
Generator app enabled.
|
||||
- The `ldap` demo builds on top of the `basic` demo integrating Nextcloud with a LDAP provider.
|
||||
- The `sso` demo builds on top of the `lsap` demo integrating Nextcloud with a SSO provider.
|
||||
|
||||
They were set up by following the [manual](https://shb.skarabox.com/services-nextcloud.html). This
|
||||
guide will show how to deploy these demos to a Virtual Machine, like showed
|
||||
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands.
|
||||
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules).
|
||||
|
||||
## Deploy to the VM {#demo-nextcloud-deploy}
|
||||
|
||||
### Prerequisite {#demo-nextcloud-deploy-prereq}
|
||||
The demos are setup to either deploy to a VM through `nixos-rebuild` or through
|
||||
[Colmena](https://colmena.cli.rs).
|
||||
|
||||
Build the VM and start it:
|
||||
Using `nixos-rebuild` is very fast and requires less steps because it reuses your nix store.
|
||||
|
||||
Using `colmena` is more authentic because you are deploying to a stock VM, like you would with a
|
||||
real machine but it needs to copy over all required store derivations so it takes a few minutes the
|
||||
first time.
|
||||
|
||||
### Deploy with nixos-rebuild {#demo-nextcloud-deploy-nixosrebuild}
|
||||
|
||||
Assuming your current working directory is the one where this Readme file is located, the one-liner
|
||||
command which builds and starts the VM configured to run Self Host Blocks' Nextcloud is:
|
||||
|
||||
```nix
|
||||
rm nixos.qcow2; \
|
||||
nixos-rebuild build-vm --flake .#basic \
|
||||
&& QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" \
|
||||
./result/bin/run-nixos-vm
|
||||
```
|
||||
|
||||
This will deploy the `basic` demo. If you want to deploy the `ldap` or `sso` demos, use respectively
|
||||
the `.#ldap` or `.#sso` flake uris.
|
||||
|
||||
You can even test the demos from any directory without cloning this repository by using the GitHub
|
||||
uri like `github:ibizaman/selfhostblocks?path=demo/nextcloud`
|
||||
|
||||
It is very important to remove leftover `nixos.qcow2` files, if any.
|
||||
|
||||
You can ssh into the VM like this, but this is not required for the demo:
|
||||
|
||||
```bash
|
||||
ssh -F ssh_config example
|
||||
```
|
||||
|
||||
But before that works, you will need to change the permission of the ssh key like so:
|
||||
|
||||
```bash
|
||||
chmod 600 sshkey
|
||||
```
|
||||
|
||||
This is only needed because git mangles with the permissions. You will not even see this change in
|
||||
`git status`.
|
||||
|
||||
### Deploy with Colmena {#demo-nextcloud-deploy-colmena}
|
||||
|
||||
If you deploy with Colmena, you must first build the VM and start it:
|
||||
|
||||
```bash
|
||||
rm nixos.qcow2; \
@ -25,6 +71,8 @@ rm nixos.qcow2; \
QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm
|
||||
```
|
||||
|
||||
It is very important to remove leftover `nixos.qcow2` files, if any.
|
||||
|
||||
This last call is blocking, so I advice adding a `&` at the end of the command otherwise you will
|
||||
need to run the rest of the commands in another terminal.
|
||||
@ -67,16 +115,8 @@ This section corresponds to the `basic` section of the [Nextcloud
manual](services-nextcloud.html#services-nextcloud-server-usage-basic).
|
||||
::::
|
||||
|
||||
To deploy a basic Nextcloud with only the Preview Generator app enabled, run:
|
||||
|
||||
```bash
|
||||
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic
|
||||
```
|
||||
|
||||
The deploy will take a few minutes the first time and subsequent deploys will take around 15
|
||||
seconds.
|
||||
|
||||
Add the following entry to the `/etc/hosts` file on the host machine (not the VM):
|
||||
Assuming you already deployed the `basic` demo, now you must add the following entry to the
|
||||
`/etc/hosts` file on the host machine (not the VM):
|
||||
|
||||
```nix
|
||||
networking.hosts = {
@ -106,17 +146,8 @@ This section corresponds to the `ldap` section of the [Nextcloud
manual](services-nextcloud.html#services-nextcloud-server-usage-ldap).
|
||||
::::
|
||||
|
||||
To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP
|
||||
service, run:
|
||||
|
||||
```bash
|
||||
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap
|
||||
```
|
||||
|
||||
The deploy will take a few minutes the first time and subsequent deploys will take around 15
|
||||
seconds.
|
||||
|
||||
Add the following entry to the `/etc/hosts` file on the host machine (not the VM):
|
||||
Assuming you already deployed the `ldap` demo, now you must add the following entry to the
|
||||
`/etc/hosts` file on the host machine (not the VM):
|
||||
|
||||
```nix
|
||||
networking.hosts = {
@ -134,7 +165,8 @@ $ cat /etc/hosts
Go first to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
|
||||
|
||||
- username: `admin`
|
||||
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`.
|
||||
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is
|
||||
`c2e32e54ea3e0053eb30841f818a3d9a`.
|
||||
|
||||
Create the group `nextcloud_user` and a create a user and assign them to that group.
|
||||
@ -153,32 +185,23 @@ This section corresponds to the `sso` section of the [Nextcloud
manual](services-nextcloud.html#services-nextcloud-server-usage-oidc).
|
||||
::::
|
||||
|
||||
To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP
|
||||
service and an SSO service, run:
|
||||
|
||||
```bash
|
||||
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on sso
|
||||
```
|
||||
|
||||
The deploy will take a few minutes the first time and subsequent deploys will take around 15
|
||||
seconds.
|
||||
|
||||
Here, there is a `dnsmasq` server running in the VM. You must create a SOCKS proxy to the `dnsmasq`
|
||||
service like so:
|
||||
At this point, it is assumed you already deployed the `sso` demo. There is no host to add to
|
||||
`/etc/hosts` here. Instead, there is a `dnsmasq` server running in the VM and you must create a
|
||||
SOCKS proxy to connect to it like so:
|
||||
|
||||
```bash
|
||||
ssh -F ssh_config -D 1080 -N example
|
||||
```
|
||||
|
||||
This is a blocking call that will create a SOCKS proxy on port 1080. It is not necessary to fork
|
||||
this process in the background by appending `&` because we will not need to use the terminal for the
|
||||
rest of the demo.
|
||||
This is a blocking call but it is not necessary to fork this process in the background by appending
|
||||
`&` because we will not need to use the terminal for the rest of the demo.
|
||||
|
||||
Now, configure your browser to use that proxy. When that's done go to
|
||||
Now, configure your browser to use that SOCKS proxy. When that's done go to
|
||||
[https://ldap.example.com](https://ldap.example.com) and login with:
|
||||
|
||||
- username: `admin`
|
||||
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`.
|
||||
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is
|
||||
`c2e32e54ea3e0053eb30841f818a3d9a`.
|
||||
|
||||
Create the group `nextcloud_user` and a create a user and assign them to that group.
|
||||
@ -233,39 +256,7 @@ space issue, you must increase the
|
||||
### Secrets {#demo-nextcloud-tips-secrets}
|
||||
|
||||
_More info about the secrets._
|
||||
|
||||
The private key in the `keys.txt` file is created with:
|
||||
|
||||
```bash
|
||||
$ nix shell nixpkgs#age --command age-keygen -o keys.txt
|
||||
Public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
|
||||
```
|
||||
|
||||
We use the printed public key in the `admin` field of the `sops.yaml` file.
|
||||
|
||||
The `secrets.yaml` file must follow the format:
|
||||
|
||||
```yaml
|
||||
nextcloud:
|
||||
adminpass: 43bb4b8f82fc645ce3260b5db803c5a8
|
||||
onlyoffice:
|
||||
jwt_secret: XXX...
|
||||
sso:
|
||||
secret: YYY...
|
||||
lldap:
|
||||
user_password: c2e32e54ea3e0053eb30841f818a3d9a
|
||||
jwt_secret: ZZZ...
|
||||
authelia:
|
||||
jwt_secret: AAA...
|
||||
storage_encryption_key: BBB...
|
||||
session_secret: CCC...
|
||||
hmac_secret: DDD.
|
||||
private_key: |
|
||||
-----BEGIN PRIVATE KEY-----
|
||||
MII...
|
||||
-----END PRIVATE KEY-----
|
||||
```
|
||||
_More info about the secrets can be found in the [Usage](https://shb.skarabox.com/usage.html) manual_
|
||||
|
||||
To open the `secrets.yaml` file and optionnally edit it, run:
|
||||
@ -292,9 +283,9 @@ in the `/run/secrets` folder on the VM. We thus need one private key for you to
[`secrets.yaml`](./secrets.yaml) file and one in the VM for it to decrypt the secrets.
|
||||
|
||||
Your private key is already pre-generated in this repo, it's the [`sshkey`](./sshkey) file. But when
|
||||
creating the VM in the step above, a new private key and its accompanying public key were
|
||||
automatically generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the
|
||||
public key and add it to the `secrets.yaml` which we did in the Deploy section.
|
||||
creating the VM for Colmena, a new private key and its accompanying public key were automatically
|
||||
generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the public key and
|
||||
add it to the `secrets.yaml` which we did in the Deploy section.
|
||||
|
||||
### SSH {#demo-nextcloud-tips-ssh}
|
||||
@ -22,6 +22,7 @@ in
boot.loader.grub.configurationLimit = 1;
|
||||
# The NixOS /nix/.rw-store mountpoint is backed by tmpfs which uses memory. We need to increase
|
||||
# the available disk space to install home-assistant.
|
||||
virtualisation.vmVariant.virtualisation.memorySize = 8192;
|
||||
virtualisation.vmVariantWithBootLoader.virtualisation.memorySize = 8192;
|
||||
|
||||
# Options above are needed to deploy in a VM.
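Review bot: The existing comment above `virtualisation.vmVariant.virtualisation.memorySize = 8192;` explains the tmpfs-backed `/nix/.rw-store`, but the new `virtualisation.vmVariantWithBootLoader.virtualisation.memorySize = 8192;` line is left unexplained and repeats the magic number; either bind the value once in the `let` this file appears to open with (the hunk header shows `in`) and reference it from both lines, or add `# Same for the variant built by build-vm-with-bootloader.` above the new line. Since this is the guest's RAM, the comment should also say that whatever host runs the demo, including the CI runner, must be able to back an 8 GiB guest. Which demo directory this `configuration.nix` belongs to is not shown on this page; the comment text mentions home-assistant.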
@ -5,15 +5,8 @@
selfhostblocks.url = "github:ibizaman/selfhostblocks";
|
||||
};
|
||||
|
||||
outputs = inputs@{ self, selfhostblocks, ... }: {
|
||||
colmena = {
|
||||
meta = {
|
||||
nixpkgs = import selfhostblocks.inputs.nixpkgs {
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
specialArgs = inputs;
|
||||
};
|
||||
|
||||
outputs = inputs@{ self, selfhostblocks, ... }:
|
||||
let
|
||||
basic = { config, ... }: {
|
||||
imports = [
|
||||
./configuration.nix
@ -21,13 +14,6 @@
selfhostblocks.nixosModules.x86_64-linux.default
|
||||
];
|
||||
|
||||
# Used by colmena to know which target host to deploy to.
|
||||
deployment = {
|
||||
targetHost = "example";
|
||||
targetUser = "nixos";
|
||||
targetPort = 2222;
|
||||
};
|
||||
|
||||
shb.nextcloud = {
|
||||
enable = true;
|
||||
domain = "example.com";
@ -60,19 +46,6 @@
};
|
||||
|
||||
ldap = { config, ... }: {
|
||||
imports = [
|
||||
./configuration.nix
|
||||
selfhostblocks.inputs.sops-nix.nixosModules.default
|
||||
selfhostblocks.nixosModules.x86_64-linux.default
|
||||
];
|
||||
|
||||
# Used by colmena to know which target host to deploy to.
|
||||
deployment = {
|
||||
targetHost = "example";
|
||||
targetUser = "nixos";
|
||||
targetPort = 2222;
|
||||
};
|
||||
|
||||
shb.ldap = {
|
||||
enable = true;
|
||||
domain = "example.com";
@ -98,21 +71,7 @@
restartUnits = [ "lldap.service" ];
|
||||
};
|
||||
|
||||
shb.nextcloud = {
|
||||
enable = true;
|
||||
domain = "example.com";
|
||||
subdomain = "n";
|
||||
dataDir = "/var/lib/nextcloud";
|
||||
tracing = null;
|
||||
|
||||
# This option is only needed because we do not access Nextcloud at the default port in the VM.
|
||||
port = 8080;
|
||||
|
||||
adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
|
||||
|
||||
apps = {
|
||||
previewgenerator.enable = true;
|
||||
ldap = {
|
||||
shb.nextcloud.apps.ldap = {
|
||||
enable = true;
|
||||
host = "127.0.0.1";
|
||||
port = config.shb.ldap.ldapPort;
@ -121,17 +80,7 @@
adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
|
||||
userGroup = "nextcloud_user";
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Secret needed for services.nextcloud.config.adminpassFile.
|
||||
sops.secrets."nextcloud/adminpass" = {
|
||||
sopsFile = ./secrets.yaml;
|
||||
mode = "0440";
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
restartUnits = [ "phpfpm-nextcloud.service" ];
|
||||
};
|
||||
# Secret needed for LDAP app.
|
||||
sops.secrets."nextcloud/ldap_admin_password" = {
|
||||
sopsFile = ./secrets.yaml;
@ -141,26 +90,9 @@
group = "nextcloud";
|
||||
restartUnits = [ "nextcloud-setup.service" ];
|
||||
};
|
||||
|
||||
# Set to true for more debug info with `journalctl -f -u nginx`.
|
||||
shb.nginx.accessLog = true;
|
||||
shb.nginx.debugLog = false;
|
||||
};
|
||||
|
||||
sso = { config, ... }: {
|
||||
imports = [
|
||||
./configuration.nix
|
||||
selfhostblocks.inputs.sops-nix.nixosModules.default
|
||||
selfhostblocks.nixosModules.x86_64-linux.default
|
||||
];
|
||||
|
||||
# Used by colmena to know which target host to deploy to.
|
||||
deployment = {
|
||||
targetHost = "example";
|
||||
targetUser = "nixos";
|
||||
targetPort = 2222;
|
||||
};
|
||||
|
||||
shb.certs = {
|
||||
cas.selfsigned.myca = {
|
||||
name = "My CA";
@ -189,99 +121,6 @@
|
|||
};
|
||||
};
|
||||
|
||||
shb.nextcloud = {
|
||||
enable = true;
|
||||
domain = "example.com";
|
||||
subdomain = "n";
|
||||
ssl = config.shb.certs.certs.selfsigned.n;
|
||||
dataDir = "/var/lib/nextcloud";
|
||||
tracing = null;
|
||||
|
||||
adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
|
||||
|
||||
apps = {
|
||||
previewgenerator.enable = true;
|
||||
ldap = {
|
||||
enable = true;
|
||||
host = "127.0.0.1";
|
||||
port = config.shb.ldap.ldapPort;
|
||||
dcdomain = config.shb.ldap.dcdomain;
|
||||
adminName = "admin";
|
||||
adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
|
||||
userGroup = "nextcloud_user";
|
||||
};
|
||||
sso = {
|
||||
enable = true;
|
||||
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
|
||||
clientID = "nextcloud";
|
||||
fallbackDefaultAuth = true;
|
||||
|
||||
secretFile = config.sops.secrets."nextcloud/sso/secret".path;
|
||||
secretFileForAuthelia = config.sops.secrets."authelia/nextcloud_sso_secret".path;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
# Secret needed for services.nextcloud.config.adminpassFile.
|
||||
sops.secrets."nextcloud/adminpass" = {
|
||||
sopsFile = ./secrets.yaml;
|
||||
mode = "0440";
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
restartUnits = [ "phpfpm-nextcloud.service" ];
|
||||
};
|
||||
# Secret needed for LDAP app.
|
||||
sops.secrets."nextcloud/ldap_admin_password" = {
|
||||
sopsFile = ./secrets.yaml;
|
||||
key = "lldap/user_password";
|
||||
mode = "0400";
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
restartUnits = [ "nextcloud-setup.service" ];
|
||||
};
|
||||
sops.secrets."nextcloud/sso/secret" = {
|
||||
sopsFile = ./secrets.yaml;
|
||||
mode = "0400";
|
||||
owner = "nextcloud";
|
||||
restartUnits = [ "nextcloud-setup.service" ];
|
||||
};
|
||||
sops.secrets."authelia/nextcloud_sso_secret" = {
|
||||
sopsFile = ./secrets.yaml;
|
||||
key = "nextcloud/sso/secret";
|
||||
mode = "0400";
|
||||
owner = config.shb.authelia.autheliaUser;
|
||||
};
|
||||
|
||||
# Set to true for more debug info with `journalctl -f -u nginx`.
|
||||
shb.nginx.accessLog = true;
|
||||
shb.nginx.debugLog = false;
|
||||
|
||||
shb.ldap = {
|
||||
enable = true;
|
||||
domain = "example.com";
|
||||
subdomain = "ldap";
|
||||
ssl = config.shb.certs.certs.selfsigned.n;
|
||||
ldapPort = 3890;
|
||||
webUIListenPort = 17170;
|
||||
dcdomain = "dc=example,dc=com";
|
||||
ldapUserPasswordFile = config.sops.secrets."lldap/user_password".path;
|
||||
jwtSecretFile = config.sops.secrets."lldap/jwt_secret".path;
|
||||
};
|
||||
sops.secrets."lldap/user_password" = {
|
||||
sopsFile = ./secrets.yaml;
|
||||
mode = "0440";
|
||||
owner = "lldap";
|
||||
group = "lldap";
|
||||
restartUnits = [ "lldap.service" ];
|
||||
};
|
||||
sops.secrets."lldap/jwt_secret" = {
|
||||
sopsFile = ./secrets.yaml;
|
||||
mode = "0440";
|
||||
owner = "lldap";
|
||||
group = "lldap";
|
||||
restartUnits = [ "lldap.service" ];
|
||||
};
|
||||
|
||||
shb.authelia = {
|
||||
enable = true;
|
||||
domain = "example.com";
|
||||
|
@ -339,6 +178,109 @@
|
|||
owner = config.shb.authelia.autheliaUser;
|
||||
restartUnits = [ "authelia.service" ];
|
||||
};
|
||||
|
||||
shb.nextcloud.apps.sso = {
|
||||
enable = true;
|
||||
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
|
||||
clientID = "nextcloud";
|
||||
fallbackDefaultAuth = true;
|
||||
|
||||
secretFile = config.sops.secrets."nextcloud/sso/secret".path;
|
||||
secretFileForAuthelia = config.sops.secrets."authelia/nextcloud_sso_secret".path;
|
||||
};
|
||||
|
||||
sops.secrets."nextcloud/sso/secret" = {
|
||||
sopsFile = ./secrets.yaml;
|
||||
mode = "0400";
|
||||
owner = "nextcloud";
|
||||
restartUnits = [ "nextcloud-setup.service" ];
|
||||
};
|
||||
sops.secrets."authelia/nextcloud_sso_secret" = {
|
||||
sopsFile = ./secrets.yaml;
|
||||
key = "nextcloud/sso/secret";
|
||||
mode = "0400";
|
||||
owner = config.shb.authelia.autheliaUser;
|
||||
};
|
||||
};
|
||||
|
||||
sopsConfig = {
|
||||
sops.age.keyFile = "/etc/sops/my_key";
|
||||
environment.etc."sops/my_key".source = ./keys.txt;
|
||||
};
|
||||
in
|
||||
{
|
||||
nixosConfigurations = {
|
||||
basic = selfhostblocks.inputs.nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
sopsConfig
|
||||
basic
|
||||
];
|
||||
};
|
||||
ldap = selfhostblocks.inputs.nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
sopsConfig
|
||||
basic
|
||||
ldap
|
||||
];
|
||||
};
|
||||
sso = selfhostblocks.inputs.nixpkgs.lib.nixosSystem {
|
||||
system = "x86_64-linux";
|
||||
modules = [
|
||||
sopsConfig
|
||||
basic
|
||||
ldap
|
||||
sso
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
colmena = {
|
||||
meta = {
|
||||
nixpkgs = import selfhostblocks.inputs.nixpkgs {
|
||||
system = "x86_64-linux";
|
||||
};
|
||||
specialArgs = inputs;
|
||||
};
|
||||
|
||||
basic = { config, ... }: {
|
||||
imports = [
|
||||
basic
|
||||
];
|
||||
|
||||
deployment = {
|
||||
targetHost = "example";
|
||||
targetUser = "nixos";
|
||||
targetPort = 2222;
|
||||
};
|
||||
};
|
||||
|
||||
ldap = { config, ... }: {
|
||||
imports = [
|
||||
basic
|
||||
ldap
|
||||
];
|
||||
|
||||
deployment = {
|
||||
targetHost = "example";
|
||||
targetUser = "nixos";
|
||||
targetPort = 2222;
|
||||
};
|
||||
};
|
||||
|
||||
sso = { config, ... }: {
|
||||
imports = [
|
||||
basic
|
||||
ldap
|
||||
sso
|
||||
];
|
||||
|
||||
deployment = {
|
||||
targetHost = "example";
|
||||
targetUser = "nixos";
|
||||
targetPort = 2222;
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|