-rw-r--r--config/keycloak.nix54
-rw-r--r--config/router.nix29
-rw-r--r--config/web-server.nix8
-rw-r--r--data/dns/db.orbekk.shared.zone2
-rw-r--r--machines/dragon.nix1
-rwxr-xr-xtools/update-dns.sh3
6 files changed, 41 insertions, 56 deletions
diff --git a/config/keycloak.nix b/config/keycloak.nix
index 7327bfb..fb02dc2 100644
--- a/config/keycloak.nix
+++ b/config/keycloak.nix
@@ -1,46 +1,16 @@
{ config, lib, pkgs, ... }:
-with lib;
-let
- cfg = config.services.keycloak;
- defaultConfig = "${pkgs.keycloak}/standalone/configuration";
-
- keycloakConfig = pkgs.runCommand "keycloak-config" {} ''
- mkdir $out
- cp ${defaultConfig}/application-roles.properties $out/
- cp ${defaultConfig}/application-users.properties $out/
- cp ${defaultConfig}/mgmt-groups.properties $out/
- cp ${defaultConfig}/mgmt-users.properties $out/
- cp ${defaultConfig}/standalone.xml $out/
- {
- grep -v FILE ${defaultConfig}/logging.properties
- echo "logger.handlers=CONSOLE"
- echo "handler.CONSOLE.level=ALL"
- } > $out/logging.properties
- '';
-
-in {
- options = {
- services.keycloak = {
- enable = mkEnableOption "Keycloak Identity and Access Management Server";
- };
- };
-
- config = mkIf cfg.enable {
- systemd.services.keycloak = {
- description = "Keycloak Identity and Access Management Server";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- preStart = ''
- mkdir -p /var/lib/keycloak/logs
- mkdir -p /var/lib/keycloak/config
- cp ${keycloakConfig}/*.properties /var/lib/keycloak/config
- '';
- serviceConfig = {
- ExecStart = "${pkgs.keycloak}/bin/standalone.sh -Djboss.server.base.dir=/var/lib/keycloak -Djboss.server.config.dir=/var/lib/keycloak/config --read-only-server-config=${keycloakConfig}/standalone.xml";
- };
- };
+{
+ age.secrets."dragon-keycloak.age".file = ../secrets/dragon-keycloak.age;
+ services.postgresql.enable = true;
+ services.keycloak = {
+ enable = true;
+ settings.hostname = "auth.orbekk.com";
+ settings.log-level = "INFO";
+ settings.http-port = (import ../data/aliases.nix).services.keycloak.http-port;
+ settings.hostname-strict-https = false;
+ settings.proxy = "edge";
+ database.type = "postgresql";
+ database.passwordFile = config.age.secrets."dragon-keycloak.age".path;
};
}
-
-
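Review bot: With `settings.proxy = "edge"` Keycloak trusts the X-Forwarded-* headers of whoever reaches its HTTP listener, and nothing in this hunk restricts that listener to the loopback that config/web-server.nix proxies to; unless a firewall rule outside this diff closes the port, add `settings.http-host = "127.0.0.1";` next to the `settings.http-port` line so only the local nginx can speak to it. `settings.hostname-strict-https = false` also looks unnecessary once TLS terminates at nginx and the proxy forwards `X-Forwarded-Proto`; if it was added to work around missing forwarded headers, fixing the proxy is the safer route than relaxing the hostname check, so a one-line comment on why it is needed would help. The removed standalone.xml-based setup carried its own logging override; `settings.log-level = "INFO"` is presumably its replacement, which is worth stating in a comment.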
diff --git a/config/router.nix b/config/router.nix
index 9f3fe54..0ad0f33 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -16,6 +16,8 @@ in {
services.tftpd.enable = true;
services.openntpd.enable = true;
+ environment.systemPackages = with pkgs; [ iptables ];
+
networking.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
@@ -167,7 +169,9 @@ in {
domain (ip ip6) table mangle {
chain PREROUTING {
interface ${lan-dev}.30 MARK set-mark ${toString mullvadMark};
- saddr $NET_HE MARK set-mark ${toString heMark}
+ # Route HE traffic via tunnel.
+ saddr $NET_HE MARK set-mark ${toString heMark};
+ saddr 2001:470:1f06:1194::2/64 MARK set-mark ${toString heMark};
}
}
'';
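Review bot: The added `saddr 2001:470:1f06:1194::2/64` rule marks the entire `2001:470:1f06:1194::/64` prefix, not the single tunnel endpoint address that the `::2` suggests; if the intent is to mark traffic from this one host, write `saddr 2001:470:1f06:1194::2/128 MARK set-mark ${toString heMark};`, otherwise drop the host bits so the prefix reads as intended. The new comment `# Route HE traffic via tunnel.` applies to both saddr lines, so say what the second address is (the tunnel endpoint, presumably) rather than leaving the reader to guess. This rule also sits under `domain (ip ip6)`; an IPv6 literal in a shared ip/ip6 domain is worth confirming against ferm's handling, since the rest of the mangle block may only have worked because its operands were variables.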
@@ -208,10 +212,10 @@ in {
noipv6rs
interface ${wan-dev}
dhcp
- ipv6rs
- iaid 0
+ # ipv6rs
+ # iaid 0
# ia_na 1
- ia_pd 0//56 ${wan-dev}/10/64 ${lan-dev}.100/100/64
+ # ia_pd 0//56 ${wan-dev}/10/64 ${lan-dev}.100/100/64
'';
};
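Review bot: Disabling `ipv6rs`, `iaid` and `ia_pd` on the WAN interface by commenting them out leaves no explanation of why the ISP's IPv6 configuration is being abandoned; replace the commented lines with a short comment stating the reason (presumably that IPv6 now comes exclusively via the HE tunnel, judging by the other hunks), e.g. `# No ISP IPv6 RA/PD: IPv6 is provided by the HE tunnel (see networking.interfaces and table he).`. The same commented-out-code pattern appears in tools/update-dns.sh, where the dynamic `ip -br -6` detection is kept as a comment below the hardcoded value. The enclosing dhcpcd `extraConfig` string starts outside this hunk.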
systemd.services.dhcpcd = {
@@ -289,6 +293,7 @@ in {
# ip -6 rule add from 2001:470:8e2e::/48 lookup he prio 0 || true
# ip -6 route replace default dev he0 src 2001:470:8e2e:20::d table he
# ip -6 route flush cache
+ ip -6 rule add fwmark ${toString heMark} table he
'';
};
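Review bot: `ip -6 rule add fwmark ${toString heMark} table he` fails with "File exists" if the rule is already present when the unit script re-runs (a restart after a partial run, or a second service that adds the same rule), and unlike the commented examples directly above it the new line has no `|| true`. Either tolerate the duplicate, `ip -6 rule add fwmark ${toString heMark} table he || true`, or make it idempotent with `ip -6 rule del fwmark ${toString heMark} table he 2>/dev/null; ip -6 rule add fwmark ${toString heMark} table he`. The rule also carries no explicit `prio`, so its position relative to other policy rules depends on the kernel's default; pinning it with `prio` would make the lookup order reviewable. The script this line belongs to begins outside the hunk.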
@@ -322,11 +327,17 @@ in {
prefixLength = 64;
}
];
- routes = [{
- address = "::";
- prefixLength = 0;
- options = { table = "he"; };
- }];
+ routes = [
+ {
+ address = "::";
+ prefixLength = 0;
+ }
+ {
+ address = "::";
+ prefixLength = 0;
+ options = { table = "he"; };
+ }
+ ];
};
networking.interfaces."${lan-dev}".useDHCP = false;
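Review bot: The two route entries differ only in the second one's `options = { table = "he"; }`, and nothing says why a main-table default route is now added alongside the table-he one; a comment such as `# Main-table default via the tunnel (the ISP no longer provides IPv6 RA/PD) plus the same default in table he for fwmark'ed traffic.` would record the intent, since the first entry is presumably what keeps general IPv6 connectivity working after dhcpcd's ipv6rs was disabled in the earlier hunk. If that inference is wrong and the main-table default was meant to come from elsewhere, the first entry will silently take over all IPv6 egress. The interface attribute set that these routes belong to opens outside this hunk.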
diff --git a/config/web-server.nix b/config/web-server.nix
index ba6ab07..18afded 100644
--- a/config/web-server.nix
+++ b/config/web-server.nix
@@ -1,8 +1,7 @@
{ config, lib, pkgs, ... }:
let
- mpd_loc = (import ../data/aliases.nix).services.mpd;
- mpdweb_loc = (import ../data/aliases.nix).services.mpdweb;
- pjournal_loc = (import ../data/aliases.nix).services.pjournal;
+ aliases = import ../data/aliases.nix;
+ keycloak_loc = aliases.services.keycloak;
in {
security.acme.acceptTerms = true;
security.acme.defaults.email = "kj@orbekk.com";
@@ -69,6 +68,9 @@ in {
'';
};
};
+ "auth.orbekk.com" = template // {
+ locations."/".proxyPass = "http://localhost:${toString keycloak_loc.http-port}";
+ };
"git.orbekk.com" = template // {
locations."/".proxyPass = "http://localhost:11103";
};
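Review bot: The new `auth.orbekk.com` vhost proxies `/` to Keycloak with a bare `proxyPass`, which does not by itself send `Host`, `X-Forwarded-For` or `X-Forwarded-Proto`; with Keycloak configured as `proxy = "edge"` in config/keycloak.nix those headers are what it uses to build its https redirect and issuer URLs, so unless `template` or `services.nginx.recommendedProxySettings = true` (not visible here) already supplies them, add `locations."/".extraConfig = "proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Host $host;";` or enable the recommended proxy settings. Proxying `/` wholesale also exposes Keycloak's admin console on the public hostname; consider a separate `locations."/admin/"` entry limited to trusted sources, or Keycloak's `hostname-admin` setting, so administration is not reachable from the internet by default. The `servers` attribute set containing this entry starts outside the hunk.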
diff --git a/data/dns/db.orbekk.shared.zone b/data/dns/db.orbekk.shared.zone
index 3cbe339..b1a53ea 100644
--- a/data/dns/db.orbekk.shared.zone
+++ b/data/dns/db.orbekk.shared.zone
@@ -1,7 +1,7 @@
$TTL 600
@ IN SOA ns1.he.net. root.orbekk.com. (
$serial; serial
- 601; refresh
+ 602; refresh
900; retry
2419200; expire
3600;
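Review bot: Changing the SOA refresh timer from 601 to 602 alters how often secondaries poll, not whether they notice a change; if this bump is meant to force the zone to re-publish, the field to bump is the serial, which here comes from the `$serial` template value. If it is a genuine timer tweak, a comment stating why 602 was chosen would keep the next reader from assuming it is a stand-in serial. Hedged, since the templating that fills `$serial` is outside this diff.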
diff --git a/machines/dragon.nix b/machines/dragon.nix
index fa14d32..5a3aa91 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -4,6 +4,7 @@ in {
imports = [
../config/router.nix
# ../config/borg-backup.nix
+ ../config/keycloak.nix
../config/dns.nix
../config/web-server.nix
../config/cgit.nix
diff --git a/tools/update-dns.sh b/tools/update-dns.sh
index fa3f4e5..a08ac26 100755
--- a/tools/update-dns.sh
+++ b/tools/update-dns.sh
@@ -22,7 +22,8 @@ ip_4="$(ip -br -4 addr list dev ${INTERFACE} | awk -F' *|/' '{print $3}')"
if [[ -n "$ip_4" ]]; then
update A $(hostname).dynamic.orbekk.com $ip_4
fi
-ip_6="$(ip -br -6 addr list scope global dev ${INTERFACE} | awk -F' *|/' '{print $3}')"
+ip_6="2001:470:8e2e:20::d"
+#ip_6="$(ip -br -6 addr list scope global dev ${INTERFACE} | awk -F' *|/' '{print $3}')"
if [[ -n "$ip_6" ]]; then
update AAAA $(hostname).dynamic.orbekk.com $ip_6
fi
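Review bot: Hardcoding `ip_6="2001:470:8e2e:20::d"` turns the AAAA branch of a dynamic-DNS script into a static record and duplicates an address that also appears in config/router.nix (`src 2001:470:8e2e:20::d` in the route command), giving two places that must be kept in sync when the tunnel address changes. If the address is intentionally fixed, source it from a single place (the ../data/aliases.nix file the Nix configs already import, or an environment variable the script already reads, such as how INTERFACE is used above) and add a comment such as `# Static HE tunnel address; the ISP no longer provides global IPv6 (see config/router.nix).`. With a constant value the `[[ -n "$ip_6" ]]` guard below is always true, which is fine but worth knowing when reading the script.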