From 405ac10b60ea5ae0570c519744fef7c41a1b1c87 Mon Sep 17 00:00:00 2001
From: Kjetil Orbekk
Date: Sat, 24 Sep 2022 13:03:53 -0400
Subject: Upgrade

---
 config/keycloak.nix | 54 ++++++++++--------------------------------
 config/router.nix | 29 ++++++++++++++++-------
 config/web-server.nix | 8 ++++---
 data/dns/db.orbekk.shared.zone | 2 +-
 machines/dragon.nix | 1 +
 tools/update-dns.sh | 3 ++-
 6 files changed, 41 insertions(+), 56 deletions(-)

diff --git a/config/keycloak.nix b/config/keycloak.nix
index 7327bfb..fb02dc2 100644
--- a/config/keycloak.nix
+++ b/config/keycloak.nix
@@ -1,46 +1,16 @@ { config, lib, pkgs, ... }: -with lib; -let - cfg = config.services.keycloak; - defaultConfig = "${pkgs.keycloak}/standalone/configuration"; - - keycloakConfig = pkgs.runCommand "keycloak-config" {} '' - mkdir $out - cp ${defaultConfig}/application-roles.properties $out/ - cp ${defaultConfig}/application-users.properties $out/ - cp ${defaultConfig}/mgmt-groups.properties $out/ - cp ${defaultConfig}/mgmt-users.properties $out/ - cp ${defaultConfig}/standalone.xml $out/ - { - grep -v FILE ${defaultConfig}/logging.properties - echo "logger.handlers=CONSOLE" - echo "handler.CONSOLE.level=ALL" - } > $out/logging.properties - ''; - -in { - options = { - services.keycloak = { - enable = mkEnableOption "Keycloak Identity and Access Management Server"; - }; - }; - - config = mkIf cfg.enable { - systemd.services.keycloak = { - description = "Keycloak Identity and Access Management Server"; - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - preStart = '' - mkdir -p /var/lib/keycloak/logs - mkdir -p /var/lib/keycloak/config - cp ${keycloakConfig}/*.properties /var/lib/keycloak/config - ''; - serviceConfig = { - ExecStart = "${pkgs.keycloak}/bin/standalone.sh -Djboss.server.base.dir=/var/lib/keycloak -Djboss.server.config.dir=/var/lib/keycloak/config --read-only-server-config=${keycloakConfig}/standalone.xml"; - }; - }; +{ + age.secrets."dragon-keycloak.age".file = ../secrets/dragon-keycloak.age; + services.postgresql.enable = true; + services.keycloak = { + enable = true; + settings.hostname = "auth.orbekk.com"; + settings.log-level = "INFO"; + settings.http-port = (import ../data/aliases.nix).services.keycloak.http-port; + settings.hostname-strict-https = false; + settings.proxy = "edge"; + database.type = "postgresql"; + database.passwordFile = config.age.secrets."dragon-keycloak.age".path; }; } - - diff --git a/config/router.nix b/config/router.nix index 9f3fe54..0ad0f33 100644 --- a/config/router.nix +++ b/config/router.nix 
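Review bot: `settings.proxy = "edge"` makes Keycloak trust the X-Forwarded-* headers of whoever reaches its HTTP port, and the hunk sets `settings.http-port` but never `settings.http-host`; if the NixOS module's default binds all interfaces (I believe it does), any host on the LAN segments this router serves can talk to Keycloak directly with forged forwarded headers, bypassing the nginx front end that proxies to localhost. Consider adding `settings.http-host = "127.0.0.1";` next to `settings.http-port`, or restricting the port in the firewall, so that only the local reverse proxy can reach it. `settings.hostname-strict-https = false` also deserves a one-line comment stating that TLS is terminated by nginx, since on its own it reads like a hardening regression.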
@@ -16,6 +16,8 @@ in { services.tftpd.enable = true; services.openntpd.enable = true; + environment.systemPackages = with pkgs; [ iptables ]; + networking.useDHCP = false; networking.networkmanager.enable = lib.mkForce false; @@ -167,7 +169,9 @@ in { domain (ip ip6) table mangle { chain PREROUTING { interface ${lan-dev}.30 MARK set-mark ${toString mullvadMark}; - saddr $NET_HE MARK set-mark ${toString heMark} + # Route HE traffic via tunnel. + saddr $NET_HE MARK set-mark ${toString heMark}; + saddr 2001:470:1f06:1194::2/64 MARK set-mark ${toString heMark}; } } ''; @@ -208,10 +212,10 @@ in { noipv6rs interface ${wan-dev} dhcp - ipv6rs - iaid 0 + # ipv6rs + # iaid 0 # ia_na 1 - ia_pd 0//56 ${wan-dev}/10/64 ${lan-dev}.100/100/64 + # ia_pd 0//56 ${wan-dev}/10/64 ${lan-dev}.100/100/64 ''; }; systemd.services.dhcpcd = { @@ -289,6 +293,7 @@ in { # ip -6 rule add from 2001:470:8e2e::/48 lookup he prio 0 || true # ip -6 route replace default dev he0 src 2001:470:8e2e:20::d table he # ip -6 route flush cache + ip -6 rule add fwmark ${toString heMark} table he ''; }; @@ -322,11 +327,17 @@ in { prefixLength = 64; } ]; - routes = [{ - address = "::"; - prefixLength = 0; - options = { table = "he"; }; - }]; + routes = [ + { + address = "::"; + prefixLength = 0; + } + { + address = "::"; + prefixLength = 0; + options = { table = "he"; }; + } + ]; }; networking.interfaces."${lan-dev}".useDHCP = false; diff --git a/config/web-server.nix b/config/web-server.nix index ba6ab07..18afded 100644 --- a/config/web-server.nix +++ b/config/web-server.nix @@ -1,8 +1,7 @@ { config, lib, pkgs, ... }: let - mpd_loc = (import ../data/aliases.nix).services.mpd; - mpdweb_loc = (import ../data/aliases.nix).services.mpdweb; - pjournal_loc = (import ../data/aliases.nix).services.pjournal; + aliases = import ../data/aliases.nix; + keycloak_loc = aliases.services.keycloak; in { security.acme.acceptTerms = true; security.acme.defaults.email = "kj@orbekk.com"; 
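Review bot: In the `@@ -167,7` hunk the new rule `saddr 2001:470:1f06:1194::2/64 MARK set-mark ${toString heMark};` gives a host address with a /64 mask, so the host bits are discarded and the match covers the whole 2001:470:1f06:1194::/64 link prefix rather than the single endpoint. If only the tunnel endpoint address is meant, write `saddr 2001:470:1f06:1194::2/128` (or drop the mask); if the link prefix is meant, write it as `2001:470:1f06:1194::/64` so the rule reads as intended. The `# Route HE traffic via tunnel.` comment could also name what the second rule adds beyond `$NET_HE`.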
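Review bot: In the `@@ -289,6` hunk the added `ip -6 rule add fwmark ${toString heMark} table he` has no `|| true`, unlike the commented-out `ip -6 rule add ... lookup he prio 0 || true` directly above it; on current iproute2/kernels `ip rule add` fails with "File exists" when an identical rule is already present, so if this script runs under `set -e` or as an ExecStart that fails on non-zero exit (the enclosing unit definition starts outside the hunk) a restart of the unit without a reboot may fail on that line. Consider `ip -6 rule del fwmark ${toString heMark} table he 2>/dev/null || true` before the add, or appending `|| true` as the neighbouring lines do.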
@@ -69,6 +68,9 @@ in {
 '';
 };
 };
+ "auth.orbekk.com" = template // {
+ locations."/".proxyPass = "http://localhost:${toString keycloak_loc.http-port}";
+ };
 "git.orbekk.com" = template // {
 locations."/".proxyPass = "http://localhost:11103";
 };
diff --git a/data/dns/db.orbekk.shared.zone b/data/dns/db.orbekk.shared.zone
index 3cbe339..b1a53ea 100644
--- a/data/dns/db.orbekk.shared.zone
+++ b/data/dns/db.orbekk.shared.zone
@@ -1,7 +1,7 @@
 $TTL 600
 @ IN SOA ns1.he.net. root.orbekk.com. (
 $serial; serial
- 601; refresh
+ 602; refresh
 900; retry
 2419200; expire
 3600;
diff --git a/machines/dragon.nix b/machines/dragon.nix
index fa14d32..5a3aa91 100644
--- a/machines/dragon.nix
+++ b/machines/dragon.nix
@@ -4,6 +4,7 @@ in {
 imports = [
 ../config/router.nix
 # ../config/borg-backup.nix
+ ../config/keycloak.nix
 ../config/dns.nix
 ../config/web-server.nix
 ../config/cgit.nix
diff --git a/tools/update-dns.sh b/tools/update-dns.sh
index fa3f4e5..a08ac26 100755
--- a/tools/update-dns.sh
+++ b/tools/update-dns.sh
@@ -22,7 +22,8 @@ ip_4="$(ip -br -4 addr list dev ${INTERFACE} | awk -F' *|/' '{print $3}')"
 if [[ -n "$ip_4" ]]; then
 update A $(hostname).dynamic.orbekk.com $ip_4
 fi
-ip_6="$(ip -br -6 addr list scope global dev ${INTERFACE} | awk -F' *|/' '{print $3}')"
+ip_6="2001:470:8e2e:20::d"
+#ip_6="$(ip -br -6 addr list scope global dev ${INTERFACE} | awk -F' *|/' '{print $3}')"
 if [[ -n "$ip_6" ]]; then
 update AAAA $(hostname).dynamic.orbekk.com $ip_6
 fi
-- 
cgit v1.2.3
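Review bot: The new `"auth.orbekk.com"` vhost fronts a Keycloak configured with `proxy = "edge"`, which relies on the reverse proxy passing the original scheme, host and client address (`X-Forwarded-Proto`, `X-Forwarded-For`, `Host`); `template` is defined outside the hunk, so if it does not already enable `recommendedProxySettings` or set those headers, Keycloak will build http:// redirects and see the proxy address as every client's address. If `template` lacks it, add `locations."/".recommendedProxySettings = true;` beside the `proxyPass` line (or the equivalent `proxy_set_header` directives), and a short comment that TLS terminates at this vhost.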
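Review bot: `ip_6="2001:470:8e2e:20::d"` hard-codes one machine's address into a script that otherwise derives both records from `${INTERFACE}` and `$(hostname)`, and the commented-out detection line leaves no explanation, so the next reader cannot tell whether autodetection was broken or the address is simply static. A one-line comment above the assignment giving the reason (for example `# HE tunnel address is static; not derived from ${INTERFACE}` if that is the case), or reading the address from an environment variable with this value as the fallback, would make the intent clear. Note that the `if [[ -n "$ip_6" ]]` guard that follows is now always true.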