15 Commits

javalsai 83ba8dffb2 draft: partially getting authelia to work
its started at auth.tuxcord.test
2026-05-05 01:15:18 +02:00
javalsai 82c76dc390 nixos/users: port tuxcord.net motd
2026-05-04 20:50:25 +02:00
javalsai edf7aab2f0 nixos/services: serve a strict robots.txt everywhere
2026-05-04 12:36:34 -04:00
ErrorNoInternet 760c5c8284 nixos/hardware: add kvm-amd module
Needed when running the virtual machine on an AMD host.
2026-05-04 01:36:59 -04:00
ErrorNoInternet 3a5d5d27f4 nixos/networking: fix extraHosts generation 2026-05-04 01:31:27 -04:00
ErrorNoInternet 015bbc3d66 npins: update website 2026-05-04 01:31:27 -04:00
ErrorNoInternet dc374e8c04 nixos/hosts: declare fileSystems for testing hosts 2026-05-04 01:31:27 -04:00
ErrorNoInternet a708c04a9a nixos/services/openssh: enable X11 forwarding 2026-05-04 01:31:27 -04:00
javalsai a2534a3dab nixos/hosts: enable autologin for testing hosts 2026-05-04 01:31:15 -04:00
javalsai b78c41a5f7 nixos/services: add default website on nginx 2026-05-04 01:27:11 -04:00
javalsai e1f2dc3161 nixos/services: disable nginx proxy buffering 2026-05-04 01:27:11 -04:00
ErrorNoInternet f1c5f038ec nixos/impermanence: remove ssh host key persistence
The SSH host key files are already defined in the OpenSSH module, so
there is no need to persist them with impermanence.nix.
2026-05-04 01:27:10 -04:00
ErrorNoInternet ae0d4f5958 shells: remove neovim
Some users may be using self-contained Neovim executables.
2026-05-04 01:27:10 -04:00
ErrorNoInternet ded0374c57 agenix: import initial user dns keys 2026-05-04 01:27:10 -04:00
ErrorNoInternet ab0f9a2ff2 treewide: create global user list 2026-05-04 01:27:10 -04:00
7 changed files with 212 additions and 42 deletions
+15 -12
@@ -1,4 +1,19 @@
rec { rec {
toList = x: if builtins.isList x then x else [ x ];
nameValuePair = name: value: { inherit name value; };
mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
attrsToList = mapAttrsToList nameValuePair;
getSSHKeys =
username:
if (builtins.hasAttr "ssh" users.${username}) then
toList users.${username}.ssh
else
builtins.warn "user ${username} declared without ssh keys" [ ];
users = import ./users.nix; users = import ./users.nix;
adminSSHKeys = builtins.concatLists ( adminSSHKeys = builtins.concatLists (
@@ -6,16 +21,4 @@ rec {
builtins.filter (user: user.value.admin or false) (attrsToList users) builtins.filter (user: user.value.admin or false) (attrsToList users)
) )
); );
attrsToList = mapAttrsToList nameValuePair;
mapAttrsToList = f: attrs: builtins.attrValues (builtins.mapAttrs f attrs);
nameValuePair = name: value: { inherit name value; };
toList = x: if builtins.isList x then x else [ x ];
getSSHKeys =
username:
if (builtins.hasAttr "ssh" users.${username}) then
toList users.${username}.ssh
else
builtins.warn "user ${username} declared without ssh key" [ ];
} }
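Review bot: `getSSHKeys` only handles the "declared user without keys" case; a username that is not in `users` at all fails inside `builtins.hasAttr "ssh" users.${username}` with a bare "attribute missing" evaluation error rather than a message naming the user, so a typo in an admin list is hard to trace. A guard in front of the existing check would keep the warning path and make the failure readable: `if !(users ? ${username}) then throw "getSSHKeys: unknown user ${username}" else if ...`. Note too that `builtins.warn` is a fairly recent Nix builtin, so older evaluators will reject this file — worth a comment on the helper if that is acceptable.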
+9 -13
@@ -100,21 +100,17 @@ in
extraHosts = extraHosts =
let let
subdomains = [ subdomains = [
"" "git"
".git" "auth"
]; ];
inherit (config.networking) fqdn;
hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
in in
builtins.foldl' ( lib.concatMapStrings (host: ''
hosts-acc: domain-prefix: 127.0.0.1 ${host}
let ::1 ${host}
host = "${domain-prefix}${config.networking.fqdn}"; '') hosts;
in
hosts-acc
+ ''
127.0.0.1 ${host}
::1 ${host}
''
) "" subdomains;
}; };
virtualisation.podman.enable = true; virtualisation.podman.enable = true;
+4 -1
@@ -15,7 +15,10 @@
"xhci_pci" "xhci_pci"
]; ];
kernelModules = [ "kvm-intel" ]; kernelModules = [
"kvm-amd"
"kvm-intel"
];
}; };
hardware = { hardware = {
+136
@@ -0,0 +1,136 @@
{ config, ... }:
let
inherit (config.networking) fqdn;
acmeEnabled = config.acme.enable;
in
{
services.authelia.instances.main = {
enable = true;
secrets = {
jwtSecretFile = builtins.toFile "authelia-jwtSecret" "QWERTYUIOPASDFGHJKLZXCVBNM1234567890abcdefABCDEFGH";
storageEncryptionKeyFile = builtins.toFile "authelia-storageEncryptionKeyFile" "supersecretkeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
sessionSecretFile = builtins.toFile "aauthelia-sessionSecretFile" "supersecretkey";
};
settings = {
theme = "dark";
default_redirection_url = "https://${fqdn}"; # HAS to be httpS
server.address = "127.0.0.1:3001";
log = {
level = "debug";
format = "text";
};
authentication_backend = {
file = {
path = "/var/lib/authelia-main/users_database.yml";
};
};
access_control = {
default_policy = "deny";
rules = [
{
domain = [ "auth.${fqdn}" ];
policy = "bypass";
}
{
domain = [ "*.${fqdn}" ];
policy = "one_factor";
}
];
};
session = {
name = "authelia_session";
expiration = "12h";
inactivity = "45m";
remember_me = "1M";
domain = "${fqdn}";
redis.host = "/run/redis-authelia-main/redis.sock";
};
regulation = {
max_retries = 3;
find_time = "5m";
ban_time = "15m";
};
storage = {
local = {
path = "/var/lib/authelia-main/db.sqlite3";
};
};
notifier = {
disable_startup_check = false;
filesystem = {
filename = "/var/lib/authelia-main/notification.txt";
};
};
};
};
services.redis.servers.authelia-main = {
enable = true;
user = "authelia-main";
port = 0;
unixSocket = "/run/redis-authelia-main/redis.sock";
unixSocketPerm = 600;
};
# services.openldap = {
# enable = true;
# # enable plain connections only
# urlList = [ "ldap:///" ];
# settings = {
# attrs = {
# olcLogLevel = "conns config";
# };
# children = {
# # "cn=schema".includes = [
# # "${pkgs.openldap}/etc/schema/core.ldif"
# # "${pkgs.openldap}/etc/schema/cosine.ldif"
# # "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
# # ];
# "olcDatabase={1}mdb".attrs = {
# objectClass = [
# "olcDatabaseConfig"
# "olcMdbConfig"
# ];
# olcDatabase = "{1}mdb";
# olcDbDirectory = "/var/lib/openldap/data";
# olcSuffix = "dc=example,dc=com";
# # your admin account, do not use writeText on a production system
# olcRootDN = "cn=admin,dc=example,dc=com";
# olcRootPW.path = builtins.roFile "olcRootPW" "pass";
# olcAccess = [
# # custom access rules for userPassword attributes
# ''
# {0}to attrs=userPassword
# by self write
# by anonymous auth
# by * none''
# # allow read on anything else
# ''
# {1}to *
# by * read''
# ];
# };
# };
# };
# };
}
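Review bot: The three `secrets.*File` entries at the top of the new `services.authelia.instances.main` block are literal values wrapped in `builtins.toFile`, so the JWT secret, storage encryption key and session secret are committed to this repository and land as world-readable paths in `/nix/store` on every host that evaluates the configuration; the storage key is also what Authelia uses to encrypt data it keeps in the sqlite database at `storage.local.path`, so swapping it in later is not a free change. Even for a draft, point these at out-of-store files readable by the `authelia-main` user — the commit list shows agenix in use in this tree, so something like `jwtSecretFile = config.age.secrets.authelia-jwt.path;` (secret name to match whatever is declared) would fit the existing pattern. Two smaller items in the same block: `log.level = "debug"` will record request detail you will not want on a public login portal once this leaves draft, and the `acmeEnabled` binding in the `let` is unused.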
+1
@@ -1,6 +1,7 @@
{ {
imports = [ imports = [
./acme.nix ./acme.nix
./authelia.nix
./dns.nix ./dns.nix
./fail2ban.nix ./fail2ban.nix
./gitea.nix ./gitea.nix
+31 -13
@@ -3,13 +3,20 @@ let
inherit (config.networking) fqdn; inherit (config.networking) fqdn;
mkVhost = mkVhost =
attrs: attrs: locations:
let let
acmeEnabled = config.acme.enable; acmeEnabled = config.acme.enable;
in in
{ {
forceSSL = acmeEnabled; forceSSL = acmeEnabled;
useACMEHost = if acmeEnabled then fqdn else null; useACMEHost = if acmeEnabled then fqdn else null;
locations = {
"= /robots.txt" = {
alias = disallowedRobotsTxt;
};
}
// locations;
} }
// attrs; // attrs;
@@ -21,6 +28,19 @@ let
proxy_request_buffering off; proxy_request_buffering off;
''; '';
}; };
mkSsi = webRoot: {
root = webRoot;
extraConfig = ''
ssi on;
'';
};
disallowedRobotsTxt = builtins.toFile "robots.txt" ''
User-agent: *
Disallow: /
'';
in in
{ {
services.nginx = { services.nginx = {
@@ -32,20 +52,18 @@ in
recommendedGzipSettings = true; recommendedGzipSettings = true;
recommendedOptimisation = true; recommendedOptimisation = true;
virtualHosts."${fqdn}" = mkVhost { virtualHosts = {
default = true; "${fqdn}" = mkVhost { default = true; } {
"/" = mkSsi "${self.pins.website}/web-root";
locations."/" = {
root = "${self.pins.website}/web-root";
extraConfig = ''
ssi on;
'';
}; };
};
virtualHosts."git.${fqdn}" = mkVhost { "git.${fqdn}" = mkVhost { } {
locations."/" = mkProxy config.services.gitea.settings.server.HTTP_PORT; "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
};
"auth.${fqdn}" = mkVhost { } {
"/" = mkProxy 3001;
};
}; };
}; };
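Review bot: The new `"auth.${fqdn}"` vhost proxies to a literal `3001` while the Authelia module separately sets `server.address = "127.0.0.1:3001"`; two copies of the port will drift, so define it once (a shared constant or option read by both modules) and write `"/" = mkProxy autheliaPort;` here rather than a second literal. Because `forceSSL = acmeEnabled`, hosts with ACME disabled serve the Authelia portal and its `authelia_session` cookie over plain HTTP even though the Authelia side insists on an https redirection URL; a comment on `mkVhost` stating that the non-ACME mode is for local testing only would make that intent explicit. Nothing in this hunk wires `auth_request` into `"git.${fqdn}"`, which matches the "partially working" commit message but means the `one_factor` rule on `*.${fqdn}` is not yet enforced by nginx. `mkVhost` and `mkProxy` begin before this hunk.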
+16 -3
@@ -45,8 +45,21 @@ lib.recursiveUpdate
(lib.attrsToList users) (lib.attrsToList users)
).options ).options
{ {
users.users.root = { users = {
initialPassword = "tuxcord"; motd = ''
openssh.authorizedKeys.keys = self.lib.adminSSHKeys; __ __ __
---------/\ \__ /\ \ /\ \__
---------\ \ ,_\ __ __ __ _ ___ ___ _ __ \_\ \ ___ __\ \ ,_\
----------\ \ \/ /\ \/\ \/\ \/'\ /'___\ / __`\/\`'__\/'_` \ /'_ `\ /'__`\ \ \/
-----------\ \ \_\ \ \_\ \/> <//\ \__//\ \L\ \ \ \//\ \L\ \ __/\ \/\ \/\ __/\ \ \_
------------\ \__\\ \____//\_/\_\ \____\ \____/\ \_\\ \___,_\/\_\ \_\ \_\ \____\\ \__\
-------------\/__/ \/___/ \//\/_/\/____/\/___/ \/_/ \/__,_ /\/_/\/_/\/_/\/____/ \/__/
A friendly Linux community - est. July 2023
'';
users.root = {
initialPassword = "tuxcord";
openssh.authorizedKeys.keys = self.lib.adminSSHKeys;
};
}; };
} }
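Review bot: `users.root.initialPassword = "tuxcord"` survives the restructuring unchanged and remains a fixed, published root password; if `users.mutableUsers` is false NixOS treats `initialPassword` as the permanent password, and unless sshd has password authentication disabled (not visible here) root is reachable with it over the network. If this is intended only for the autologin test hosts, gate it on the same condition that enables autologin and give real hosts `hashedPasswordFile = config.age.secrets.root-password.path;` (secret name to taste) from agenix. The `lib.recursiveUpdate` expression this hunk edits starts before the hunk.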