1
0
Fork 0

test demos

closes #128 and closes #53
This commit is contained in:
ibizaman 2024-01-24 22:50:45 -08:00 committed by Pierre Penninckx
parent 0457f263cc
commit b43a4971a4
6 changed files with 411 additions and 350 deletions

View file

@ -24,6 +24,61 @@ jobs:
nix run github:Mic92/nix-fast-build -- \
--skip-cached --no-nom \
--flake ".#checks.$(nix eval --raw --impure --expr builtins.currentSystem)"
# We're just checking if the demo start without hiccup.
demos:
runs-on: ubuntu-latest
strategy:
matrix:
demo:
- homeassistant#basic
- homeassistant#ldap
- nextcloud#basic
- nextcloud#ldap
- nextcloud#sso
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
extra-conf: "system-features = nixos-test benchmark big-parallel kvm"
- name: Setup Caching
uses: cachix/cachix-action@v12
with:
name: selfhostblocks
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Test demos
# See https://blog.stefan-koch.name/2020/12/10/qemu-guest-graceful-shutdown-from-python for
# inspiration.
run: |
set -x
rm -f nixos.qcow2
nix run nixpkgs#nixos-rebuild -- build-vm --flake ./demo/${{ matrix.demo }}
QEMU_NET_OPTS="hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm -nographic -qmp unix:/tmp/qmp-sock,server,nowait &
nix run nixpkgs#socat -- - unix-connect:/tmp/qmp-sock <<EOF
{"execute": "qmp_capabilities"}
{"execute": "system_powerdown"}
EOF
docs:
runs-on: ubuntu-latest
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: Install Nix
uses: DeterminateSystems/nix-installer-action@main
with:
github-token: ${{ secrets.GITHUB_TOKEN }}
extra-conf: "system-features = nixos-test benchmark big-parallel kvm"
- name: Setup Caching
uses: cachix/cachix-action@v12
with:
name: selfhostblocks
authToken: '${{ secrets.CACHIX_AUTH_TOKEN }}'
- name: Test building docs
run: |
nix \

View file

@ -3,16 +3,66 @@
**This whole demo is highly insecure as all the private keys are available publicly. This is
only done for convenience as it is just a demo. Do not expose the VM to the internet.**
The [`flake.nix`](./flake.nix) file sets up a Home Assistant server in only about [15
lines](./flake.nix#L31-L37) of related code. It also defines a Home Assistant server that integrates with
a [LDAP server](./flake.nix#L58-L94).
The [`flake.nix`](./flake.nix) file sets up a Home Assistant server with Self Host Blocks. There are actually 2 demos:
This guide will show how to deploy this setup to a Virtual Machine, like showed
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands.
- The `basic` demo sets up a lone Home Assistant server accessible through http.
- The `ldap` demo builds on top of the `basic` demo integrating Home Assistant with a LDAP provider.
## Deploy to the VM {#demo-homeassistant-deploy-to-the-vm}
<!--
They were set up by following the [manual](https://shb.skarabox.com/services-homeassistant.html).
-->
Build the VM and start it:
This guide will show how to deploy these demos to a Virtual Machine, like showed
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules).
## Deploy to the VM {#demo-homeassistant-deploy}
The demos are setup to either deploy to a VM through `nixos-rebuild` or through
[Colmena](https://colmena.cli.rs).
Using `nixos-rebuild` is very fast and requires less steps because it reuses your nix store.
Using `colmena` is more authentic because you are deploying to a stock VM, like you would with a
real machine but it needs to copy over all required store derivations so it takes a few minutes the
first time.
### Deploy with nixos-rebuild {#demo-homeassistant-deploy-nixosrebuild}
Assuming your current working directory is the one where this Readme file is located, the one-liner
command which builds and starts the VM configured to run Self Host Blocks' Nextcloud is:
```nix
rm nixos.qcow2; \
nixos-rebuild build-vm --flake .#basic \
&& QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" \
./result/bin/run-nixos-vm
```
This will deploy the `basic` demo. If you want to deploy the `ldap` demo, use the `.#ldap` flake
uris.
You can even test the demos from any directory without cloning this repository by using the GitHub
uri like `github:ibizaman/selfhostblocks?path=demo/nextcloud`
It is very important to remove leftover `nixos.qcow2` files, if any.
You can ssh into the VM like this, but this is not required for the demo:
```bash
ssh -F ssh_config example
```
But before that works, you will need to change the permission of the ssh key like so:
```bash
chmod 600 sshkey
```
This is only needed because git mangles with the permissions. You will not even see this change in
`git status`.
### Deploy with Colmena {#demo-homeassitant-deploy-colmena}
If you deploy with Colmena, you must first build the VM and start it:
```bash
rm nixos.qcow2; \
@ -20,6 +70,8 @@ rm nixos.qcow2; \
QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm
```
It is very important to remove leftover `nixos.qcow2` files, if any.
This last call is blocking, so I advice adding a `&` at the end of the command otherwise you will
need to run the rest of the commands in another terminal.
@ -55,24 +107,17 @@ You can ssh into the VM with, but this is not required for the demo:
ssh -F ssh_config example
```
Finally, we can deploy. To deploy a Home Assistant server, run:
### Home Assistant through HTTP {#demo-homeassistant-deploy-basic}
```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic
```
<!--
:::: {.note}
This section corresponds to the `basic` section of the [Home Assistant
manual](services-nextcloud.html#services-homeassistant-server-usage-basic).
::::
-->
To deploy a Home Assistant server integrated with a LDAP service, run:
```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap
```
The deploy will take a few minutes the first time and subsequent deploys will take around 15
seconds.
## Access Home Assistant Through Your Browser {#demo-homeassistant-access-through-your-browser}
Add the following entry to your `/etc/hosts` file:
Assuming you already deployed the `basic` demo, now you must add the following entry to the
`/etc/hosts` file on the host machine (not the VM):
```nix
networking.hosts = {
@ -87,7 +132,22 @@ $ cat /etc/hosts
127.0.0.1 ha.example.com
```
If you deployed the `ldap` target host, add instead:
Go to [http://ha.example.com:8080](http://ha.example.com:8080) and you will be greeted with the Home
Assistant setup wizard which will allow you to create an admin user.
And that's the end of the demo
### Home Assistant with LDAP through HTTP {#demo-homeassistant-deploy-ldap}
<!--
:::: {.note}
This section corresponds to the `ldap` section of the [Home Assistant
manual](services-nextcloud.html#services-homeassistant-server-usage-ldap).
::::
-->
Assuming you already deployed the `ldap` demo, now you must add the following entry to the
`/etc/hosts` file on the host machine (not the VM):
```nix
networking.hosts = {
@ -95,12 +155,14 @@ networking.hosts = {
};
```
If you deployed the `basic` target host, go to
[http://ha.example.com:8080](http://ha.example.com:8080) and you will be greeted with the Home
Assistant setup wizard which will allow you to create an admin user:
Which produces:
And that's the end of the demo. Otherwise if you deployed the `ldap` target host, go first to
[http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
```bash
$ cat /etc/hosts
127.0.0.1 ha.example.com ldap.example.com
```
Go first to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
- username: `admin`
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `fccb94f0f64bddfe299c81410096499a`.
@ -155,16 +217,7 @@ space issue, you must increase the
### Secrets {#demo-homeassistant-secrets}
_More info about the secrets._
The private key in the `keys.txt` file is created with:
```bash
$ nix shell nixpkgs#age --command age-keygen -o keys.txt
Public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
```
We use the printed public key in the `admin` field of the `sops.yaml` file.
_More info about the secrets can be found in the [Usage](https://shb.skarabox.com/usage.html) manual_
To open the `secrets.yaml` file and optionnally edit it, run:
@ -198,9 +251,9 @@ You can generate random secrets with:
$ nix run nixpkgs#openssl -- rand -hex 64
```
If you choose a password too small, ldap could refuse to start.
If you choose a password too small, some services could refuse to start.
#### Why do we need the VM's public key {#demo-homeassistant-public-key-necessity}
#### Why do we need the VM's public key {#demo-homeassistant-tips-public-key-necessity}
The [`sops.yaml`](./sops.yaml) file describes what private keys can decrypt and encrypt the
[`secrets.yaml`](./secrets.yaml) file containing the application secrets. Usually, you will create and add
@ -209,11 +262,11 @@ in the `/run/secrets` folder on the VM. We thus need one private key for you to
[`secrets.yaml`](./secrets.yaml) file and one in the VM for it to decrypt the secrets.
Your private key is already pre-generated in this repo, it's the [`sshkey`](./sshkey) file. But when
creating the VM in the step above, a new private key and its accompanying public key were
automatically generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the
public key and add it to the `secrets.yaml` which we did in the Deploy section.
creating the VM for Colmena, a new private key and its accompanying public key were automatically
generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the public key and
add it to the `secrets.yaml` which we did in the Deploy section.
### SSH {#demo-homeassistant-ssh}
### SSH {#demo-homeassistant-tips-ssh}
The private and public ssh keys were created with:
@ -231,7 +284,7 @@ authentication, here is what you would need to do to copy over the key:
nix shell nixpkgs#openssh --command ssh-copy-id -i sshkey -F ssh_config example
```
### Deploy {#demo-homeassistant-deploy}
### Deploy {#demo-homeassistant-tips-deploy}
If you get a NAR hash mismatch error like hereunder, you need to run `nix flake lock --update-input
selfhostblocks`.
@ -240,7 +293,7 @@ selfhostblocks`.
error: NAR hash mismatch in input ...
```
### Update Demo {#demo-homeassistant-update-demo}
### Update Demo {#demo-homeassistant-tips-update-demo}
If you update the Self Host Blocks configuration in `flake.nix` file, you can just re-deploy.

View file

@ -5,15 +5,8 @@
selfhostblocks.url = "github:ibizaman/selfhostblocks";
};
outputs = inputs@{ self, selfhostblocks, ... }: {
colmena = {
meta = {
nixpkgs = import selfhostblocks.inputs.nixpkgs {
system = "x86_64-linux";
};
specialArgs = inputs;
};
outputs = inputs@{ self, selfhostblocks, ... }:
let
basic = { config, ... }: {
imports = [
./configuration.nix
@ -21,13 +14,6 @@
selfhostblocks.nixosModules.x86_64-linux.default
];
# Used by colmena to know which target host to deploy to.
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
shb.home-assistant = {
enable = true;
domain = "example.com";
@ -38,26 +24,9 @@
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1w"
];
# Set to true for more debug info with `journalctl -f -u nginx`.
shb.nginx.accessLog = false;
shb.nginx.debugLog = false;
};
ldap = { config, ... }: {
imports = [
./configuration.nix
selfhostblocks.inputs.sops-nix.nixosModules.default
selfhostblocks.nixosModules.x86_64-linux.default
];
# Used by colmena to know which target host to deploy to.
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
shb.ldap = {
enable = true;
domain = "example.com";
@ -83,23 +52,73 @@
restartUnits = [ "lldap.service" ];
};
shb.home-assistant = {
enable = true;
domain = "example.com";
ldap = {
shb.home-assistant.ldap = {
enable = true;
host = "127.0.0.1";
port = config.shb.ldap.webUIListenPort;
userGroup = "homeassistant_user";
};
subdomain = "ha";
sopsFile = ./secrets.yaml;
};
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1w"
sopsConfig = {
sops.age.keyFile = "/etc/sops/my_key";
environment.etc."sops/my_key".source = ./keys.txt;
};
in
{
nixosConfigurations = {
basic = selfhostblocks.inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
basic
sopsConfig
];
};
ldap = selfhostblocks.inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
basic
ldap
sopsConfig
];
};
};
colmena = {
meta = {
nixpkgs = import selfhostblocks.inputs.nixpkgs {
system = "x86_64-linux";
};
specialArgs = inputs;
};
basic = { config, ... }: {
imports = [
basic
];
# Used by colmena to know which target host to deploy to.
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
};
ldap = { config, ... }: {
imports = [
basic
ldap
];
# Used by colmena to know which target host to deploy to.
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
};
};
};
}

View file

@ -3,21 +3,67 @@
**This whole demo is highly insecure as all the private keys are available publicly. This is
only done for convenience as it is just a demo. Do not expose the VM to the internet.**
The [`flake.nix`](./flake.nix) file sets up a Nextcloud server with Self Host Blocks. There are actually 3 demos:
The [`flake.nix`](./flake.nix) file sets up a Nextcloud server with Self Host Blocks. There are
actually 3 demos:
- The `basic` demo sets up a lone Nextcloud server accessible through http.
- The `ldap` demo sets up a Nextcloud server integrated with a LDAP provider.
- The `sso` demo sets up a Nextcloud server integrated with a LDAP provider and an SSO provider.
- The `basic` demo sets up a lone Nextcloud server accessible through http with the Preview
Generator app enabled.
- The `ldap` demo builds on top of the `basic` demo integrating Nextcloud with a LDAP provider.
- The `sso` demo builds on top of the `lsap` demo integrating Nextcloud with a SSO provider.
They were set up by following the [manual](https://shb.skarabox.com/services-nextcloud.html). This
guide will show how to deploy these demos to a Virtual Machine, like showed
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules), in 4 commands.
[here](https://nixos.wiki/wiki/NixOS_modules#Developing_modules).
## Deploy to the VM {#demo-nextcloud-deploy}
### Prerequisite {#demo-nextcloud-deploy-prereq}
The demos are setup to either deploy to a VM through `nixos-rebuild` or through
[Colmena](https://colmena.cli.rs).
Build the VM and start it:
Using `nixos-rebuild` is very fast and requires less steps because it reuses your nix store.
Using `colmena` is more authentic because you are deploying to a stock VM, like you would with a
real machine but it needs to copy over all required store derivations so it takes a few minutes the
first time.
### Deploy with nixos-rebuild {#demo-nextcloud-deploy-nixosrebuild}
Assuming your current working directory is the one where this Readme file is located, the one-liner
command which builds and starts the VM configured to run Self Host Blocks' Nextcloud is:
```nix
rm nixos.qcow2; \
nixos-rebuild build-vm --flake .#basic \
&& QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" \
./result/bin/run-nixos-vm
```
This will deploy the `basic` demo. If you want to deploy the `ldap` or `sso` demos, use respectively
the `.#ldap` or `.#sso` flake uris.
You can even test the demos from any directory without cloning this repository by using the GitHub
uri like `github:ibizaman/selfhostblocks?path=demo/nextcloud`
It is very important to remove leftover `nixos.qcow2` files, if any.
You can ssh into the VM like this, but this is not required for the demo:
```bash
ssh -F ssh_config example
```
But before that works, you will need to change the permission of the ssh key like so:
```bash
chmod 600 sshkey
```
This is only needed because git mangles with the permissions. You will not even see this change in
`git status`.
### Deploy with Colmena {#demo-nextcloud-deploy-colmena}
If you deploy with Colmena, you must first build the VM and start it:
```bash
rm nixos.qcow2; \
@ -25,6 +71,8 @@ rm nixos.qcow2; \
QEMU_NET_OPTS="hostfwd=tcp::2222-:2222,hostfwd=tcp::8080-:80" ./result/bin/run-nixos-vm
```
It is very important to remove leftover `nixos.qcow2` files, if any.
This last call is blocking, so I advice adding a `&` at the end of the command otherwise you will
need to run the rest of the commands in another terminal.
@ -67,16 +115,8 @@ This section corresponds to the `basic` section of the [Nextcloud
manual](services-nextcloud.html#services-nextcloud-server-usage-basic).
::::
To deploy a basic Nextcloud with only the Preview Generator app enabled, run:
```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on basic
```
The deploy will take a few minutes the first time and subsequent deploys will take around 15
seconds.
Add the following entry to the `/etc/hosts` file on the host machine (not the VM):
Assuming you already deployed the `basic` demo, now you must add the following entry to the
`/etc/hosts` file on the host machine (not the VM):
```nix
networking.hosts = {
@ -106,17 +146,8 @@ This section corresponds to the `ldap` section of the [Nextcloud
manual](services-nextcloud.html#services-nextcloud-server-usage-ldap).
::::
To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP
service, run:
```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on ldap
```
The deploy will take a few minutes the first time and subsequent deploys will take around 15
seconds.
Add the following entry to the `/etc/hosts` file on the host machine (not the VM):
Assuming you already deployed the `ldap` demo, now you must add the following entry to the
`/etc/hosts` file on the host machine (not the VM):
```nix
networking.hosts = {
@ -134,7 +165,8 @@ $ cat /etc/hosts
Go first to [http://ldap.example.com:8080](http://ldap.example.com:8080) and login with:
- username: `admin`
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`.
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is
`c2e32e54ea3e0053eb30841f818a3d9a`.
Create the group `nextcloud_user` and a create a user and assign them to that group.
@ -153,32 +185,23 @@ This section corresponds to the `sso` section of the [Nextcloud
manual](services-nextcloud.html#services-nextcloud-server-usage-oidc).
::::
To deploy a Nextcloud configuration with the Preview Generator app and integrated with a LDAP
service and an SSO service, run:
```bash
SSH_CONFIG_FILE=ssh_config nix run nixpkgs#colmena --impure -- apply --on sso
```
The deploy will take a few minutes the first time and subsequent deploys will take around 15
seconds.
Here, there is a `dnsmasq` server running in the VM. You must create a SOCKS proxy to the `dnsmasq`
service like so:
At this point, it is assumed you already deployed the `sso` demo. There is no host to add to
`/etc/hosts` here. Instead, there is a `dnsmasq` server running in the VM and you must create a
SOCKS proxy to connect to it like so:
```bash
ssh -F ssh_config -D 1080 -N example
```
This is a blocking call that will create a SOCKS proxy on port 1080. It is not necessary to fork
this process in the background by appending `&` because we will not need to use the terminal for the
rest of the demo.
This is a blocking call but it is not necessary to fork this process in the background by appending
`&` because we will not need to use the terminal for the rest of the demo.
Now, configure your browser to use that proxy. When that's done go to
Now, configure your browser to use that SOCKS proxy. When that's done go to
[https://ldap.example.com](https://ldap.example.com) and login with:
- username: `admin`
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is `c2e32e54ea3e0053eb30841f818a3d9a`.
- password: the value of the field `lldap.user_password` in the `secrets.yaml` file which is
`c2e32e54ea3e0053eb30841f818a3d9a`.
Create the group `nextcloud_user` and a create a user and assign them to that group.
@ -233,39 +256,7 @@ space issue, you must increase the
### Secrets {#demo-nextcloud-tips-secrets}
_More info about the secrets._
The private key in the `keys.txt` file is created with:
```bash
$ nix shell nixpkgs#age --command age-keygen -o keys.txt
Public key: age1algdv9xwjre3tm7969eyremfw2ftx4h8qehmmjzksrv7f2qve9dqg8pug7
```
We use the printed public key in the `admin` field of the `sops.yaml` file.
The `secrets.yaml` file must follow the format:
```yaml
nextcloud:
adminpass: 43bb4b8f82fc645ce3260b5db803c5a8
onlyoffice:
jwt_secret: XXX...
sso:
secret: YYY...
lldap:
user_password: c2e32e54ea3e0053eb30841f818a3d9a
jwt_secret: ZZZ...
authelia:
jwt_secret: AAA...
storage_encryption_key: BBB...
session_secret: CCC...
hmac_secret: DDD.
private_key: |
-----BEGIN PRIVATE KEY-----
MII...
-----END PRIVATE KEY-----
```
_More info about the secrets can be found in the [Usage](https://shb.skarabox.com/usage.html) manual_
To open the `secrets.yaml` file and optionnally edit it, run:
@ -292,9 +283,9 @@ in the `/run/secrets` folder on the VM. We thus need one private key for you to
[`secrets.yaml`](./secrets.yaml) file and one in the VM for it to decrypt the secrets.
Your private key is already pre-generated in this repo, it's the [`sshkey`](./sshkey) file. But when
creating the VM in the step above, a new private key and its accompanying public key were
automatically generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the
public key and add it to the `secrets.yaml` which we did in the Deploy section.
creating the VM for Colmena, a new private key and its accompanying public key were automatically
generated under `/etc/ssh/ssh_host_ed25519_key` in the VM. We just need to get the public key and
add it to the `secrets.yaml` which we did in the Deploy section.
### SSH {#demo-nextcloud-tips-ssh}

View file

@ -22,6 +22,7 @@ in
boot.loader.grub.configurationLimit = 1;
# The NixOS /nix/.rw-store mountpoint is backed by tmpfs which uses memory. We need to increase
# the available disk space to install home-assistant.
virtualisation.vmVariant.virtualisation.memorySize = 8192;
virtualisation.vmVariantWithBootLoader.virtualisation.memorySize = 8192;
# Options above are needed to deploy in a VM.

View file

@ -5,15 +5,8 @@
selfhostblocks.url = "github:ibizaman/selfhostblocks";
};
outputs = inputs@{ self, selfhostblocks, ... }: {
colmena = {
meta = {
nixpkgs = import selfhostblocks.inputs.nixpkgs {
system = "x86_64-linux";
};
specialArgs = inputs;
};
outputs = inputs@{ self, selfhostblocks, ... }:
let
basic = { config, ... }: {
imports = [
./configuration.nix
@ -21,13 +14,6 @@
selfhostblocks.nixosModules.x86_64-linux.default
];
# Used by colmena to know which target host to deploy to.
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
shb.nextcloud = {
enable = true;
domain = "example.com";
@ -60,19 +46,6 @@
};
ldap = { config, ... }: {
imports = [
./configuration.nix
selfhostblocks.inputs.sops-nix.nixosModules.default
selfhostblocks.nixosModules.x86_64-linux.default
];
# Used by colmena to know which target host to deploy to.
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
shb.ldap = {
enable = true;
domain = "example.com";
@ -98,21 +71,7 @@
restartUnits = [ "lldap.service" ];
};
shb.nextcloud = {
enable = true;
domain = "example.com";
subdomain = "n";
dataDir = "/var/lib/nextcloud";
tracing = null;
# This option is only needed because we do not access Nextcloud at the default port in the VM.
port = 8080;
adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
apps = {
previewgenerator.enable = true;
ldap = {
shb.nextcloud.apps.ldap = {
enable = true;
host = "127.0.0.1";
port = config.shb.ldap.ldapPort;
@ -121,17 +80,7 @@
adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
userGroup = "nextcloud_user";
};
};
};
# Secret needed for services.nextcloud.config.adminpassFile.
sops.secrets."nextcloud/adminpass" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
# Secret needed for LDAP app.
sops.secrets."nextcloud/ldap_admin_password" = {
sopsFile = ./secrets.yaml;
@ -141,26 +90,9 @@
group = "nextcloud";
restartUnits = [ "nextcloud-setup.service" ];
};
# Set to true for more debug info with `journalctl -f -u nginx`.
shb.nginx.accessLog = true;
shb.nginx.debugLog = false;
};
sso = { config, ... }: {
imports = [
./configuration.nix
selfhostblocks.inputs.sops-nix.nixosModules.default
selfhostblocks.nixosModules.x86_64-linux.default
];
# Used by colmena to know which target host to deploy to.
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
shb.certs = {
cas.selfsigned.myca = {
name = "My CA";
@ -189,99 +121,6 @@
};
};
shb.nextcloud = {
enable = true;
domain = "example.com";
subdomain = "n";
ssl = config.shb.certs.certs.selfsigned.n;
dataDir = "/var/lib/nextcloud";
tracing = null;
adminPassFile = config.sops.secrets."nextcloud/adminpass".path;
apps = {
previewgenerator.enable = true;
ldap = {
enable = true;
host = "127.0.0.1";
port = config.shb.ldap.ldapPort;
dcdomain = config.shb.ldap.dcdomain;
adminName = "admin";
adminPasswordFile = config.sops.secrets."nextcloud/ldap_admin_password".path;
userGroup = "nextcloud_user";
};
sso = {
enable = true;
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
clientID = "nextcloud";
fallbackDefaultAuth = true;
secretFile = config.sops.secrets."nextcloud/sso/secret".path;
secretFileForAuthelia = config.sops.secrets."authelia/nextcloud_sso_secret".path;
};
};
};
# Secret needed for services.nextcloud.config.adminpassFile.
sops.secrets."nextcloud/adminpass" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "phpfpm-nextcloud.service" ];
};
# Secret needed for LDAP app.
sops.secrets."nextcloud/ldap_admin_password" = {
sopsFile = ./secrets.yaml;
key = "lldap/user_password";
mode = "0400";
owner = "nextcloud";
group = "nextcloud";
restartUnits = [ "nextcloud-setup.service" ];
};
sops.secrets."nextcloud/sso/secret" = {
sopsFile = ./secrets.yaml;
mode = "0400";
owner = "nextcloud";
restartUnits = [ "nextcloud-setup.service" ];
};
sops.secrets."authelia/nextcloud_sso_secret" = {
sopsFile = ./secrets.yaml;
key = "nextcloud/sso/secret";
mode = "0400";
owner = config.shb.authelia.autheliaUser;
};
# Set to true for more debug info with `journalctl -f -u nginx`.
shb.nginx.accessLog = true;
shb.nginx.debugLog = false;
shb.ldap = {
enable = true;
domain = "example.com";
subdomain = "ldap";
ssl = config.shb.certs.certs.selfsigned.n;
ldapPort = 3890;
webUIListenPort = 17170;
dcdomain = "dc=example,dc=com";
ldapUserPasswordFile = config.sops.secrets."lldap/user_password".path;
jwtSecretFile = config.sops.secrets."lldap/jwt_secret".path;
};
sops.secrets."lldap/user_password" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
sops.secrets."lldap/jwt_secret" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "lldap";
group = "lldap";
restartUnits = [ "lldap.service" ];
};
shb.authelia = {
enable = true;
domain = "example.com";
@ -339,6 +178,109 @@
owner = config.shb.authelia.autheliaUser;
restartUnits = [ "authelia.service" ];
};
shb.nextcloud.apps.sso = {
enable = true;
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
clientID = "nextcloud";
fallbackDefaultAuth = true;
secretFile = config.sops.secrets."nextcloud/sso/secret".path;
secretFileForAuthelia = config.sops.secrets."authelia/nextcloud_sso_secret".path;
};
sops.secrets."nextcloud/sso/secret" = {
sopsFile = ./secrets.yaml;
mode = "0400";
owner = "nextcloud";
restartUnits = [ "nextcloud-setup.service" ];
};
sops.secrets."authelia/nextcloud_sso_secret" = {
sopsFile = ./secrets.yaml;
key = "nextcloud/sso/secret";
mode = "0400";
owner = config.shb.authelia.autheliaUser;
};
};
sopsConfig = {
sops.age.keyFile = "/etc/sops/my_key";
environment.etc."sops/my_key".source = ./keys.txt;
};
in
{
nixosConfigurations = {
basic = selfhostblocks.inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
sopsConfig
basic
];
};
ldap = selfhostblocks.inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
sopsConfig
basic
ldap
];
};
sso = selfhostblocks.inputs.nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
modules = [
sopsConfig
basic
ldap
sso
];
};
};
colmena = {
meta = {
nixpkgs = import selfhostblocks.inputs.nixpkgs {
system = "x86_64-linux";
};
specialArgs = inputs;
};
basic = { config, ... }: {
imports = [
basic
];
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
};
ldap = { config, ... }: {
imports = [
basic
ldap
];
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
};
sso = { config, ... }: {
imports = [
basic
ldap
sso
];
deployment = {
targetHost = "example";
targetUser = "nixos";
targetPort = 2222;
};
};
};
};