Diffstat (limited to 'config')
-rw-r--r--config/keycloak.nix54
-rw-r--r--config/router.nix29
-rw-r--r--config/web-server.nix8
3 files changed, 37 insertions, 54 deletions
diff --git a/config/keycloak.nix b/config/keycloak.nix
index 7327bfb..fb02dc2 100644
--- a/config/keycloak.nix
+++ b/config/keycloak.nix
@@ -1,46 +1,16 @@
{ config, lib, pkgs, ... }:
-with lib;
-let
- cfg = config.services.keycloak;
- defaultConfig = "${pkgs.keycloak}/standalone/configuration";
-
- keycloakConfig = pkgs.runCommand "keycloak-config" {} ''
- mkdir $out
- cp ${defaultConfig}/application-roles.properties $out/
- cp ${defaultConfig}/application-users.properties $out/
- cp ${defaultConfig}/mgmt-groups.properties $out/
- cp ${defaultConfig}/mgmt-users.properties $out/
- cp ${defaultConfig}/standalone.xml $out/
- {
- grep -v FILE ${defaultConfig}/logging.properties
- echo "logger.handlers=CONSOLE"
- echo "handler.CONSOLE.level=ALL"
- } > $out/logging.properties
- '';
-
-in {
- options = {
- services.keycloak = {
- enable = mkEnableOption "Keycloak Identity and Access Management Server";
- };
- };
-
- config = mkIf cfg.enable {
- systemd.services.keycloak = {
- description = "Keycloak Identity and Access Management Server";
- after = [ "network.target" ];
- wantedBy = [ "multi-user.target" ];
- preStart = ''
- mkdir -p /var/lib/keycloak/logs
- mkdir -p /var/lib/keycloak/config
- cp ${keycloakConfig}/*.properties /var/lib/keycloak/config
- '';
- serviceConfig = {
- ExecStart = "${pkgs.keycloak}/bin/standalone.sh -Djboss.server.base.dir=/var/lib/keycloak -Djboss.server.config.dir=/var/lib/keycloak/config --read-only-server-config=${keycloakConfig}/standalone.xml";
- };
- };
+{
+ age.secrets."dragon-keycloak.age".file = ../secrets/dragon-keycloak.age;
+ services.postgresql.enable = true;
+ services.keycloak = {
+ enable = true;
+ settings.hostname = "auth.orbekk.com";
+ settings.log-level = "INFO";
+ settings.http-port = (import ../data/aliases.nix).services.keycloak.http-port;
+ settings.hostname-strict-https = false;
+ settings.proxy = "edge";
+ database.type = "postgresql";
+ database.passwordFile = config.age.secrets."dragon-keycloak.age".path;
};
}
-
-
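Review bot: `settings.proxy = "edge"` makes Keycloak trust the X-Forwarded-* headers of whatever reaches its HTTP port, and the new block sets no `settings.http-host`, so the listener binds to the module's default address rather than loopback only; since the nginx vhost in config/web-server.nix reaches it via localhost, pin it with `settings.http-host = "127.0.0.1";` (or restrict the port in the firewall) so a host on the LAN cannot hand Keycloak forged forwarded headers directly. `settings.hostname-strict-https = false` is a deliberate relaxation and deserves a why-comment, e.g. `# TLS is terminated by nginx; Keycloak only ever sees plain HTTP behind proxy = "edge".` The hand-rolled WildFly unit is gone in favour of the NixOS module, so its other defaults apply too — if this deployment still relies on the module's `initialAdminPassword` default, that should be set explicitly (from an age secret like the database password) rather than left at the placeholder.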
diff --git a/config/router.nix b/config/router.nix
index 9f3fe54..0ad0f33 100644
--- a/config/router.nix
+++ b/config/router.nix
@@ -16,6 +16,8 @@ in {
services.tftpd.enable = true;
services.openntpd.enable = true;
+ environment.systemPackages = with pkgs; [ iptables ];
+
networking.useDHCP = false;
networking.networkmanager.enable = lib.mkForce false;
@@ -167,7 +169,9 @@ in {
domain (ip ip6) table mangle {
chain PREROUTING {
interface ${lan-dev}.30 MARK set-mark ${toString mullvadMark};
- saddr $NET_HE MARK set-mark ${toString heMark}
+ # Route HE traffic via tunnel.
+ saddr $NET_HE MARK set-mark ${toString heMark};
+ saddr 2001:470:1f06:1194::2/64 MARK set-mark ${toString heMark};
}
}
'';
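Review bot: The added rule marks `2001:470:1f06:1194::2/64`, a prefix with host bits set, so it matches the whole /64 rather than that single address; if the tunnel endpoint alone is meant, write `/128`, and if the whole /64 is meant, drop the `::2` so the intent is unambiguous. The literal also duplicates an address that presumably belongs with the `let` bindings above the hunk next to `lan-dev` and `heMark`; binding it there, e.g. `heTunnelNet = "2001:470:1f06:1194::/64";`, keeps the ferm text free of magic addresses and matches how `$NET_HE` is used on the line above. The ferm config string continues outside the hunk.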
@@ -208,10 +212,10 @@ in {
noipv6rs
interface ${wan-dev}
dhcp
- ipv6rs
- iaid 0
+ # ipv6rs
+ # iaid 0
# ia_na 1
- ia_pd 0//56 ${wan-dev}/10/64 ${lan-dev}.100/100/64
+ # ia_pd 0//56 ${wan-dev}/10/64 ${lan-dev}.100/100/64
'';
};
systemd.services.dhcpcd = {
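Review bot: The three dhcpcd directives (`ipv6rs`, `iaid 0`, `ia_pd ...`) are commented out without a reason, which silently disables IPv6 router solicitation and prefix delegation on ${wan-dev} and leaves the next reader guessing whether this is temporary or the new steady state. A one-line comment above them would record the intent — for example `# ISP prefix delegation disabled on purpose; LAN IPv6 comes from the HE tunnel (see table he).` if that is the reason, otherwise whatever the actual reason is. The dhcpcd config string starts and ends outside the hunk.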
@@ -289,6 +293,7 @@ in {
# ip -6 rule add from 2001:470:8e2e::/48 lookup he prio 0 || true
# ip -6 route replace default dev he0 src 2001:470:8e2e:20::d table he
# ip -6 route flush cache
+ ip -6 rule add fwmark ${toString heMark} table he
'';
};
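Review bot: `ip -6 rule add fwmark ${toString heMark} table he` is not safe to re-run: this script runs on every service restart, and a second identical add either fails with "RTNETLINK answers: File exists" (aborting the script if it runs with errexit, as NixOS `script` bodies do) or, on older kernels, accumulates duplicate rules. The commented-out line just above already uses the `|| true` idiom; the new line should follow it, `ip -6 rule add fwmark ${toString heMark} table he || true`, or delete before adding. The script body starts outside the hunk.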
@@ -322,11 +327,17 @@ in {
prefixLength = 64;
}
];
- routes = [{
- address = "::";
- prefixLength = 0;
- options = { table = "he"; };
- }];
+ routes = [
+ {
+ address = "::";
+ prefixLength = 0;
+ }
+ {
+ address = "::";
+ prefixLength = 0;
+ options = { table = "he"; };
+ }
+ ];
};
networking.interfaces."${lan-dev}".useDHCP = false;
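Review bot: The two route entries differ only in `options`, so `address = "::"; prefixLength = 0;` is now spelled twice; a small binding makes the relation explicit: `let defaultV6 = { address = "::"; prefixLength = 0; }; in [ defaultV6 (defaultV6 // { options.table = "he"; }) ]`. A comment stating why a default route is now needed in the main table in addition to table `he` would also help, since the reason is not visible in the hunk and it interacts with the fwmark rule added elsewhere in this commit. The interface attribute set starts outside the hunk.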
diff --git a/config/web-server.nix b/config/web-server.nix
index ba6ab07..18afded 100644
--- a/config/web-server.nix
+++ b/config/web-server.nix
@@ -1,8 +1,7 @@
{ config, lib, pkgs, ... }:
let
- mpd_loc = (import ../data/aliases.nix).services.mpd;
- mpdweb_loc = (import ../data/aliases.nix).services.mpdweb;
- pjournal_loc = (import ../data/aliases.nix).services.pjournal;
+ aliases = import ../data/aliases.nix;
+ keycloak_loc = aliases.services.keycloak;
in {
security.acme.acceptTerms = true;
security.acme.defaults.email = "kj@orbekk.com";
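Review bot: `mpd_loc`, `mpdweb_loc` and `pjournal_loc` are dropped from the `let` block, but whether their uses elsewhere in the file were updated is not visible in this hunk; if any reference survives, the module no longer evaluates. Worth confirming, or rewriting those uses as `aliases.services.mpd` and friends in the same commit, since `aliases` is now bound for exactly that purpose.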
@@ -69,6 +68,9 @@ in {
'';
};
};
+ "auth.orbekk.com" = template // {
+ locations."/".proxyPass = "http://localhost:${toString keycloak_loc.http-port}";
+ };
"git.orbekk.com" = template // {
locations."/".proxyPass = "http://localhost:11103";
};
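Review bot: Keycloak is configured with `proxy = "edge"` in config/keycloak.nix in this commit, so it relies on nginx forwarding `X-Forwarded-For`, `X-Forwarded-Proto` and `Host`; a bare `proxyPass` only sends those if `template` or the global `services.nginx.recommendedProxySettings` already enables them, which is not visible here. If not, add `recommendedProxySettings = true;` to the new location (or the equivalent `proxy_set_header` lines in `extraConfig`) so Keycloak generates https redirect URLs and records real client addresses in its event log. `template` is defined outside the hunk.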