Compare commits
11 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
 ErrorNoInternet
|
0dd5e51f41
|
||
|
ErrorNoInternet
|
06e685d0b1
|
||
|
ErrorNoInternet
|
20219d60d4
|
||
|
ErrorNoInternet
|
ee82325b6e
|
||
 javalsai
|
b8bc3edbff | ||
|
javalsai
|
427a905799 | ||
|
javalsai
|
b597977b8a | ||
|
ErrorNoInternet
|
16bcec48f8
|
||
|
ErrorNoInternet
|
9c2bee177c
|
||
|
ErrorNoInternet
|
84199dd8eb
|
||
|
ErrorNoInternet
|
1c502afbcd
|
+4
-4
@@ -1,11 +1,11 @@
|
||||
rec {
|
||||
toList = x: if builtins.isList x then x else [ x ];
|
||||
|
||||
nameValuePair = name: value: { inherit name value; };
|
||||
attrsToList = mapAttrsToList nameValuePair;
|
||||
|
||||
mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
|
||||
|
||||
attrsToList = mapAttrsToList nameValuePair;
|
||||
nameValuePair = name: value: { inherit name value; };
|
||||
|
||||
toList = x: if builtins.isList x then x else [ x ];
|
||||
|
||||
getSSHKeys =
|
||||
username:
|
||||
|
||||
+1
-4
@@ -99,10 +99,7 @@ in
|
||||
|
||||
extraHosts =
|
||||
let
|
||||
subdomains = [
|
||||
"git"
|
||||
"auth"
|
||||
];
|
||||
subdomains = [ "git" ];
|
||||
|
||||
inherit (config.networking) fqdn;
|
||||
hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
|
||||
|
||||
+1
-4
@@ -15,10 +15,7 @@
|
||||
"xhci_pci"
|
||||
];
|
||||
|
||||
kernelModules = [
|
||||
"kvm-amd"
|
||||
"kvm-intel"
|
||||
];
|
||||
kernelModules = [ "kvm-intel" ];
|
||||
};
|
||||
|
||||
hardware = {
|
||||
|
||||
@@ -1,136 +0,0 @@
|
||||
{ config, ... }:
|
||||
let
|
||||
inherit (config.networking) fqdn;
|
||||
|
||||
acmeEnabled = config.acme.enable;
|
||||
in
|
||||
{
|
||||
services.authelia.instances.main = {
|
||||
enable = true;
|
||||
|
||||
secrets = {
|
||||
jwtSecretFile = builtins.toFile "authelia-jwtSecret" "QWERTYUIOPASDFGHJKLZXCVBNM1234567890abcdefABCDEFGH";
|
||||
storageEncryptionKeyFile = builtins.toFile "authelia-storageEncryptionKeyFile" "supersecretkeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
|
||||
sessionSecretFile = builtins.toFile "aauthelia-sessionSecretFile" "supersecretkey";
|
||||
};
|
||||
|
||||
settings = {
|
||||
theme = "dark";
|
||||
default_redirection_url = "https://${fqdn}"; # HAS to be httpS
|
||||
|
||||
server.address = "127.0.0.1:3001";
|
||||
|
||||
log = {
|
||||
level = "debug";
|
||||
format = "text";
|
||||
};
|
||||
|
||||
authentication_backend = {
|
||||
file = {
|
||||
path = "/var/lib/authelia-main/users_database.yml";
|
||||
};
|
||||
};
|
||||
|
||||
access_control = {
|
||||
default_policy = "deny";
|
||||
rules = [
|
||||
{
|
||||
domain = [ "auth.${fqdn}" ];
|
||||
policy = "bypass";
|
||||
}
|
||||
{
|
||||
domain = [ "*.${fqdn}" ];
|
||||
policy = "one_factor";
|
||||
}
|
||||
];
|
||||
};
|
||||
|
||||
session = {
|
||||
name = "authelia_session";
|
||||
expiration = "12h";
|
||||
inactivity = "45m";
|
||||
remember_me = "1M";
|
||||
domain = "${fqdn}";
|
||||
redis.host = "/run/redis-authelia-main/redis.sock";
|
||||
};
|
||||
|
||||
regulation = {
|
||||
max_retries = 3;
|
||||
find_time = "5m";
|
||||
ban_time = "15m";
|
||||
};
|
||||
|
||||
storage = {
|
||||
local = {
|
||||
path = "/var/lib/authelia-main/db.sqlite3";
|
||||
};
|
||||
};
|
||||
|
||||
notifier = {
|
||||
disable_startup_check = false;
|
||||
filesystem = {
|
||||
filename = "/var/lib/authelia-main/notification.txt";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
services.redis.servers.authelia-main = {
|
||||
enable = true;
|
||||
user = "authelia-main";
|
||||
port = 0;
|
||||
unixSocket = "/run/redis-authelia-main/redis.sock";
|
||||
unixSocketPerm = 600;
|
||||
};
|
||||
|
||||
# services.openldap = {
|
||||
# enable = true;
|
||||
|
||||
# # enable plain connections only
|
||||
# urlList = [ "ldap:///" ];
|
||||
|
||||
# settings = {
|
||||
# attrs = {
|
||||
# olcLogLevel = "conns config";
|
||||
# };
|
||||
|
||||
# children = {
|
||||
# # "cn=schema".includes = [
|
||||
# # "${pkgs.openldap}/etc/schema/core.ldif"
|
||||
# # "${pkgs.openldap}/etc/schema/cosine.ldif"
|
||||
# # "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
|
||||
# # ];
|
||||
|
||||
# "olcDatabase={1}mdb".attrs = {
|
||||
# objectClass = [
|
||||
# "olcDatabaseConfig"
|
||||
# "olcMdbConfig"
|
||||
# ];
|
||||
|
||||
# olcDatabase = "{1}mdb";
|
||||
# olcDbDirectory = "/var/lib/openldap/data";
|
||||
|
||||
# olcSuffix = "dc=example,dc=com";
|
||||
|
||||
# # your admin account, do not use writeText on a production system
|
||||
# olcRootDN = "cn=admin,dc=example,dc=com";
|
||||
# olcRootPW.path = builtins.roFile "olcRootPW" "pass";
|
||||
|
||||
# olcAccess = [
|
||||
# # custom access rules for userPassword attributes
|
||||
# ''
|
||||
# {0}to attrs=userPassword
|
||||
# by self write
|
||||
# by anonymous auth
|
||||
# by * none''
|
||||
|
||||
# # allow read on anything else
|
||||
# ''
|
||||
# {1}to *
|
||||
# by * read''
|
||||
# ];
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
}
|
||||
@@ -1,7 +1,6 @@
|
||||
{
|
||||
imports = [
|
||||
./acme.nix
|
||||
./authelia.nix
|
||||
./dns.nix
|
||||
./fail2ban.nix
|
||||
./gitea.nix
|
||||
|
||||
+13
-31
@@ -3,20 +3,13 @@ let
|
||||
inherit (config.networking) fqdn;
|
||||
|
||||
mkVhost =
|
||||
attrs: locations:
|
||||
attrs:
|
||||
let
|
||||
acmeEnabled = config.acme.enable;
|
||||
in
|
||||
{
|
||||
forceSSL = acmeEnabled;
|
||||
useACMEHost = if acmeEnabled then fqdn else null;
|
||||
|
||||
locations = {
|
||||
"= /robots.txt" = {
|
||||
alias = disallowedRobotsTxt;
|
||||
};
|
||||
}
|
||||
// locations;
|
||||
}
|
||||
// attrs;
|
||||
|
||||
@@ -28,19 +21,6 @@ let
|
||||
proxy_request_buffering off;
|
||||
'';
|
||||
};
|
||||
|
||||
mkSsi = webRoot: {
|
||||
root = webRoot;
|
||||
|
||||
extraConfig = ''
|
||||
ssi on;
|
||||
'';
|
||||
};
|
||||
|
||||
disallowedRobotsTxt = builtins.toFile "robots.txt" ''
|
||||
User-agent: *
|
||||
Disallow: /
|
||||
'';
|
||||
in
|
||||
{
|
||||
services.nginx = {
|
||||
@@ -52,18 +32,20 @@ in
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
|
||||
virtualHosts = {
|
||||
"${fqdn}" = mkVhost { default = true; } {
|
||||
"/" = mkSsi "${self.pins.website}/web-root";
|
||||
virtualHosts."${fqdn}" = mkVhost {
|
||||
default = true;
|
||||
|
||||
locations."/" = {
|
||||
root = "${self.pins.website}/web-root";
|
||||
|
||||
extraConfig = ''
|
||||
ssi on;
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
"git.${fqdn}" = mkVhost { } {
|
||||
"/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
|
||||
};
|
||||
|
||||
"auth.${fqdn}" = mkVhost { } {
|
||||
"/" = mkProxy 3001;
|
||||
};
|
||||
virtualHosts."git.${fqdn}" = mkVhost {
|
||||
locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
+1
-14
@@ -45,21 +45,8 @@ lib.recursiveUpdate
|
||||
(lib.attrsToList users)
|
||||
).options
|
||||
{
|
||||
users = {
|
||||
motd = ''
|
||||
__ __ __
|
||||
---------/\ \__ /\ \ /\ \__
|
||||
---------\ \ ,_\ __ __ __ _ ___ ___ _ __ \_\ \ ___ __\ \ ,_\
|
||||
----------\ \ \/ /\ \/\ \/\ \/'\ /'___\ / __`\/\`'__\/'_` \ /'_ `\ /'__`\ \ \/
|
||||
-----------\ \ \_\ \ \_\ \/> <//\ \__//\ \L\ \ \ \//\ \L\ \ __/\ \/\ \/\ __/\ \ \_
|
||||
------------\ \__\\ \____//\_/\_\ \____\ \____/\ \_\\ \___,_\/\_\ \_\ \_\ \____\\ \__\
|
||||
-------------\/__/ \/___/ \//\/_/\/____/\/___/ \/_/ \/__,_ /\/_/\/_/\/_/\/____/ \/__/
|
||||
A friendly Linux community - est. July 2023
|
||||
'';
|
||||
|
||||
users.root = {
|
||||
users.users.root = {
|
||||
initialPassword = "tuxcord";
|
||||
openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user