tuxcord/tuxcord.nix
8
2
Fork 1
Code Issues 13 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Compare commits

base: tuxcord/tuxcord.nix:a78752607f561d007631381c42ab9bf123ef8303
Branches Tags
tuxcord/tuxcord.nix:main tuxcord/tuxcord.nix:staging tuxcord/tuxcord.nix:styling/forgejo tuxcord/tuxcord.nix:auth/authelia tuxcord/tuxcord.nix:auth/authentik
..
compare: tuxcord/tuxcord.nix:auth/authelia
Branches Tags
tuxcord/tuxcord.nix:staging tuxcord/tuxcord.nix:styling/forgejo tuxcord/tuxcord.nix:auth/authelia tuxcord/tuxcord.nix:auth/authentik tuxcord/tuxcord.nix:main

29 Commits
a78752607f .. auth/authelia

Author SHA1 Message Date
javalsai 83ba8dffb2 draft: partially getting authelia to work 
its started at auth.tuxcord.test
 2026-05-05 01:15:18 +02:00
javalsai 82c76dc390 nixos/users: port tuxcord.net motd
Check / Nix flake (push) Failing after 8s
Details
Lint / Nix expressions (push) Failing after 11s
Details
2026-05-04 20:50:25 +02:00
javalsai edf7aab2f0 nixos/services: serve a strict robots.txt everywhere
Check / Nix flake (push) Failing after 8s
Details
Lint / Nix expressions (push) Failing after 9s
Details
2026-05-04 12:36:34 -04:00
ErrorNoInternet 760c5c8284 nixos/hardware: add kvm-amd module
Check / Nix flake (push) Failing after 10s
Details
Lint / Nix expressions (push) Failing after 10s
Details 
From running the virtual machine on an AMD system.
 2026-05-04 01:36:59 -04:00
ErrorNoInternet 3a5d5d27f4 nixos/networking: fix extraHosts generation 2026-05-04 01:31:27 -04:00
ErrorNoInternet 015bbc3d66 npins: update website 2026-05-04 01:31:27 -04:00
ErrorNoInternet dc374e8c04 nixos/hosts: declare fileSystems for testing hosts 2026-05-04 01:31:27 -04:00
ErrorNoInternet a708c04a9a nixos/services/openssh: enable X11 forwarding 2026-05-04 01:31:27 -04:00
javalsai a2534a3dab nixos/hosts: enable autologin for testing hosts 2026-05-04 01:31:15 -04:00
javalsai b78c41a5f7 nixos/services: add default website on nginx 2026-05-04 01:27:11 -04:00
javalsai e1f2dc3161 nixos/services: disable nginx proxy buffering 2026-05-04 01:27:11 -04:00
ErrorNoInternet f1c5f038ec nixos/impermanence: remove ssh host key persistence 
The SSH host key files are already defined in the OpenSSH module, so
there is no need to persist them with impermanence.nix.
 2026-05-04 01:27:10 -04:00
ErrorNoInternet ae0d4f5958 shells: remove neovim 
Some users may be using self-contained Neovim executables.
 2026-05-04 01:27:10 -04:00
ErrorNoInternet ded0374c57 agenix: import initial user dns keys 2026-05-04 01:27:10 -04:00
ErrorNoInternet ab0f9a2ff2 treewide: create global user list 2026-05-04 01:27:10 -04:00
javalsai fb9526fec2 docs: add sections and fix typos/errors 2026-05-04 00:45:22 -04:00
ErrorNoInternet 0692e680b8 treewide: initialize npins 2026-05-04 00:45:22 -04:00
ErrorNoInternet 3a940586d5 treewide: refactor code 2026-05-04 00:45:21 -04:00
javalsai 7e7097f457 nixos/security: add acme through dns challenge 
few side refactors of this:
- no more `dns.domain`, it all must rely on `fqdn`, prevents
  inconsistencies.
- also added an specific host `tuxcord-acmetest` that uses the key zone
  for `nix.tuxcord.net` to test certificate pulling.
 2026-05-04 00:45:21 -04:00
javalsai 22b3a95bf8 docs: document installation, secrets, and setup steps 2026-05-04 00:45:21 -04:00
javalsai de4b8833bd nixos/services: make dns configuration easier 2026-05-04 00:45:21 -04:00
javalsai ac9b80573f nixos/service: add dns (bind named server) 2026-05-04 00:45:21 -04:00
javalsai 66a15a5d19 nixos/programs: add bind utils 2026-05-04 00:45:21 -04:00
javalsai 7e331f5e1a nixos/services: add gitea server 2026-05-04 00:45:21 -04:00
javalsai a8374e231f nixos/services: add nginx base configuration 2026-05-04 00:45:21 -04:00
javalsai 27b861d5a5 nixos/networking: add own fqdn to extraHosts 2026-05-04 00:45:21 -04:00
javalsai 6a29ac005c nixos/hosts: add tuxcord-vm host configuration 2026-05-04 00:45:21 -04:00
ErrorNoInternet 0b9f76dcb4 nixos: separate openssh firewall port 2026-05-04 00:45:21 -04:00
javalsai cc52b0e6cb lib/ssh: add more ssh keys 2026-05-04 00:41:23 -04:00
17 changed files with 265 additions and 83 deletions
Expand all files Collapse all files
agenix/secrets.nix
+1 -1
View File
@@ -21,5 +21,5 @@ in
map (user: {
name = "dns/tuxcord.net/${user.name}.tuxcord.net.key.age";
value.publicKeys = [ tuxcord-ca ] ++ getSSHKeys user.name;
}) (builtins.filter (user: user.value.options.ddns or false) (attrsToList users))
}) (builtins.filter (user: user.value.ddns or false) (attrsToList users))
)
lib/default.nix
+13 -10
View File
@@ -1,21 +1,24 @@
rec {
users = import ./users.nix;
toList = x: if builtins.isList x then x else [ x ];
adminSSHKeys = builtins.concatLists (
map (user: getSSHKeys user.name) (
builtins.filter (user: user.value.options.admin or false) (attrsToList users)
)
);
nameValuePair = name: value: { inherit name value; };
mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
attrsToList = mapAttrsToList nameValuePair;
mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
nameValuePair = name: value: { inherit name value; };
toList = x: if builtins.isList x then x else [ x ];
getSSHKeys =
username:
if (builtins.hasAttr "ssh" users.${username}) then
toList users.${username}.ssh
else
builtins.warn "user ${username} declared without ssh key" [ ];
builtins.warn "user ${username} declared without ssh keys" [ ];
users = import ./users.nix;
adminSSHKeys = builtins.concatLists (
map (user: getSSHKeys user.name) (
builtins.filter (user: user.value.admin or false) (attrsToList users)
)
);
}
lib/users.nix
+1 -5
View File
@@ -1,23 +1,19 @@
{
error = {
ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDzdpxex2GlFVf5G2qsh3Ixa/XCMjnbq4JSTmAev7WYJ error.nointernet@gmail.com";
options = {
admin = true;
ddns = true;
};
};
javalsai = {
ssh = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFjavnLqxIzFLIUpUWDOwhlYeoII4Qk1/9e0yWWxD/P";
options = {
admin = true;
ddns = true;
};
};
max = {
ssh = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDxVfJhzPDZ108UjB3Vj/akzlzYn27kyAw29AuYAr7gvG5vrqhLUYYmK8t+ZVWVpc1g6cK7OF1oUn2E5Qfmy6wqyZQXftAZ4OcRS0MB71W1bAcRq3rGe6KQDm8RSEeygX+zO+2Z6zQmVWgPr/I+JFQZ8wiWdP8X8djqTRdhqUD+SR3ZgTcnY3aLmeB/I56rcZQ3lKIeg/pEsyQ8weptlV0rTWamna6Z7Nw48VwWNSI+6EqfW2/4/edm0Ue8jMNqNZ0yx+kHJbudPgZgSR1SiR2rqlEEUaiQJQQV3VdY4DhGm7143ZSKUxyKlfTuQ7qR1zSIg6f5V71A37ik9YiSbBlOZO86swR4qHESoMNf608IuqRt2NdALHwozFPUCu16qnhu5JTk8twSAzrAhOk5zWQj1LYMoQEBhcFSmwir/1gE71NSjYtqXGVAdfkVmZ4uqG5+a1D7H3VXWOqu/j839M045O1ZBY6X3lKDsEJ1Z1+LCl/NojWnvPtJUHYI6+SdQ6k=";
options.admin = true;
admin = true;
};
vectorum = {
nixos/common.nix
+7 -11
View File
@@ -100,21 +100,17 @@ in
extraHosts =
let
subdomains = [
""
".git"
"git"
"auth"
];
inherit (config.networking) fqdn;
hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
in
builtins.foldl' (
hosts-acc: domain-prefix:
let
host = "${domain-prefix}${config.networking.fqdn}";
in
hosts-acc
+ ''
lib.concatMapStrings (host: ''
127.0.0.1 ${host}
::1 ${host}
''
) "" subdomains;
'') hosts;
};
virtualisation.podman.enable = true;
nixos/hardware.nix
+4 -1
View File
@@ -15,7 +15,10 @@
"xhci_pci"
];
kernelModules = [ "kvm-intel" ];
kernelModules = [
"kvm-amd"
"kvm-intel"
];
};
hardware = {
nixos/hosts/tuxcord-acmetest/default.nix
+8 -5
View File
@@ -1,11 +1,14 @@
{
acme = {
enable = true;
rfc2136.nameserver = "tuxcord.net";
};
imports = [
./storage.nix
];
dns.enable = true;
networking.fqdn = "nix.tuxcord.net";
acme.rfc2136.nameserver = "tuxcord.net";
dns.enable = true;
services.getty.autologinUser = "root";
time.timeZone = "Europe/Madrid";
}
nixos/hosts/tuxcord-acmetest/storage.nix
+6
View File
@@ -0,0 +1,6 @@
{
fileSystems."/" = {
device = "/dev/vda";
fsType = "ext4";
};
}
nixos/hosts/tuxcord-ca/storage.nix
+1
View File
@@ -32,6 +32,7 @@
device = "/dev/xvda2";
fsType = "btrfs";
options = [ "subvol=@persist" ] ++ defaultOptions;
neededForBoot = true;
};
};
}
nixos/hosts/tuxcord-test/default.nix
+7 -1
View File
@@ -1,6 +1,12 @@
{
imports = [
./storage.nix
];
networking.fqdn = "tuxcord.test";
acme.enable = false;
dns.enable = true;
networking.fqdn = "tuxcord.test";
services.getty.autologinUser = "root";
}
nixos/hosts/tuxcord-test/storage.nix
+6
View File
@@ -0,0 +1,6 @@
{
fileSystems."/" = {
device = "/dev/vda";
fsType = "ext4";
};
}
nixos/impermanence.nix
-2
View File
@@ -55,8 +55,6 @@
};
};
fileSystems."/persist".neededForBoot = true;
environment.persistence."/persist" = {
enable = true;
hideMounts = true;
nixos/modules/authelia.nix
+136
View File
@@ -0,0 +1,136 @@
{ config, ... }:
let
inherit (config.networking) fqdn;
acmeEnabled = config.acme.enable;
in
{
services.authelia.instances.main = {
enable = true;
secrets = {
jwtSecretFile = builtins.toFile "authelia-jwtSecret" "QWERTYUIOPASDFGHJKLZXCVBNM1234567890abcdefABCDEFGH";
storageEncryptionKeyFile = builtins.toFile "authelia-storageEncryptionKeyFile" "supersecretkeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
sessionSecretFile = builtins.toFile "aauthelia-sessionSecretFile" "supersecretkey";
};
settings = {
theme = "dark";
default_redirection_url = "https://${fqdn}"; # HAS to be httpS
server.address = "127.0.0.1:3001";
log = {
level = "debug";
format = "text";
};
authentication_backend = {
file = {
path = "/var/lib/authelia-main/users_database.yml";
};
};
access_control = {
default_policy = "deny";
rules = [
{
domain = [ "auth.${fqdn}" ];
policy = "bypass";
}
{
domain = [ "*.${fqdn}" ];
policy = "one_factor";
}
];
};
session = {
name = "authelia_session";
expiration = "12h";
inactivity = "45m";
remember_me = "1M";
domain = "${fqdn}";
redis.host = "/run/redis-authelia-main/redis.sock";
};
regulation = {
max_retries = 3;
find_time = "5m";
ban_time = "15m";
};
storage = {
local = {
path = "/var/lib/authelia-main/db.sqlite3";
};
};
notifier = {
disable_startup_check = false;
filesystem = {
filename = "/var/lib/authelia-main/notification.txt";
};
};
};
};
services.redis.servers.authelia-main = {
enable = true;
user = "authelia-main";
port = 0;
unixSocket = "/run/redis-authelia-main/redis.sock";
unixSocketPerm = 600;
};
# services.openldap = {
# enable = true;
# # enable plain connections only
# urlList = [ "ldap:///" ];
# settings = {
# attrs = {
# olcLogLevel = "conns config";
# };
# children = {
# # "cn=schema".includes = [
# # "${pkgs.openldap}/etc/schema/core.ldif"
# # "${pkgs.openldap}/etc/schema/cosine.ldif"
# # "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
# # ];
# "olcDatabase={1}mdb".attrs = {
# objectClass = [
# "olcDatabaseConfig"
# "olcMdbConfig"
# ];
# olcDatabase = "{1}mdb";
# olcDbDirectory = "/var/lib/openldap/data";
# olcSuffix = "dc=example,dc=com";
# # your admin account, do not use writeText on a production system
# olcRootDN = "cn=admin,dc=example,dc=com";
# olcRootPW.path = builtins.roFile "olcRootPW" "pass";
# olcAccess = [
# # custom access rules for userPassword attributes
# ''
# {0}to attrs=userPassword
# by self write
# by anonymous auth
# by * none''
# # allow read on anything else
# ''
# {1}to *
# by * read''
# ];
# };
# };
# };
# };
}
nixos/modules/default.nix
+1
View File
@@ -1,6 +1,7 @@
{
imports = [
./acme.nix
./authelia.nix
./dns.nix
./fail2ban.nix
./gitea.nix
nixos/modules/nginx.nix
+31 -13
View File
@@ -3,13 +3,20 @@ let
inherit (config.networking) fqdn;
mkVhost =
attrs:
attrs: locations:
let
acmeEnabled = config.acme.enable;
in
{
forceSSL = acmeEnabled;
useACMEHost = if acmeEnabled then fqdn else null;
locations = {
"= /robots.txt" = {
alias = disallowedRobotsTxt;
};
}
// locations;
}
// attrs;
@@ -21,6 +28,19 @@ let
proxy_request_buffering off;
'';
};
mkSsi = webRoot: {
root = webRoot;
extraConfig = ''
ssi on;
'';
};
disallowedRobotsTxt = builtins.toFile "robots.txt" ''
User-agent: *
Disallow: /
'';
in
{
services.nginx = {
@@ -32,20 +52,18 @@ in
recommendedGzipSettings = true;
recommendedOptimisation = true;
virtualHosts."${fqdn}" = mkVhost {
default = true;
locations."/" = {
root = "${self.pins.website}/web-root";
extraConfig = ''
ssi on;
'';
};
virtualHosts = {
"${fqdn}" = mkVhost { default = true; } {
"/" = mkSsi "${self.pins.website}/web-root";
};
virtualHosts."git.${fqdn}" = mkVhost {
locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
"git.${fqdn}" = mkVhost { } {
"/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
};
"auth.${fqdn}" = mkVhost { } {
"/" = mkProxy 3001;
};
};
};
nixos/openssh.nix
+1
View File
@@ -4,6 +4,7 @@
settings = {
ClientAliveInterval = 300;
X11Forwarding = true;
KbdInteractiveAuthentication = false;
PasswordAuthentication = false;
nixos/users.nix
+16 -8
View File
@@ -11,12 +11,7 @@ let
"wheel"
];
mkUser =
name: uid: options:
let
admin = options.admin or false;
in
{
mkUser = name: uid: admin: {
users.users.${name} = {
inherit uid;
isNormalUser = true;
@@ -39,7 +34,7 @@ lib.recursiveUpdate
(builtins.foldl'
(attrs: user: {
options = lib.recursiveUpdate attrs.options (
mkUser user.name attrs.uid (user.value.options or { })
mkUser user.name attrs.uid (user.value.admin or false)
);
uid = attrs.uid + 1;
})
@@ -50,8 +45,21 @@ lib.recursiveUpdate
(lib.attrsToList users)
).options
{
users.users.root = {
users = {
motd = ''
__ __ __
---------/\ \__ /\ \ /\ \__
---------\ \ ,_\ __ __ __ _ ___ ___ _ __ \_\ \ ___ __\ \ ,_\
----------\ \ \/ /\ \/\ \/\ \/'\ /'___\ / __`\/\`'__\/'_` \ /'_ `\ /'__`\ \ \/
-----------\ \ \_\ \ \_\ \/> <//\ \__//\ \L\ \ \ \//\ \L\ \ __/\ \/\ \/\ __/\ \ \_
------------\ \__\\ \____//\_/\_\ \____\ \____/\ \_\\ \___,_\/\_\ \_\ \_\ \____\\ \__\
-------------\/__/ \/___/ \//\/_/\/____/\/___/ \/_/ \/__,_ /\/_/\/_/\/_/\/____/ \/__/
A friendly Linux community - est. July 2023
'';
users.root = {
initialPassword = "tuxcord";
openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
};
};
}
npins/sources.json
+2 -2
View File
@@ -8,9 +8,9 @@
},
"branch": "main",
"submodules": false,
"revision": "a9f523c268062c0c4a8167b719be15e3e4b3ef88",
"revision": "b18dd7b863644debb0a843a5b21bb490bfe7d048",
"url": null,
"hash": "0ql14xjz0prvy3rdx6zkbpsjxvx40ivdzrwzdgfsk07jg07aki05"
"hash": "18czfxaldy0zhjprdsqzxnzj3p9qlc4canwigr13iw2wisi4ww5y"
}
},
"version": 5