| -rw-r--r-- | flake.nix | 4 | ||||
| -rw-r--r-- | lib/default.nix | 13 | ||||
| -rw-r--r-- | lib/nginx/default.nix | 66 | ||||
| -rw-r--r-- | modules/acme/default.nix | 9 | ||||
| -rw-r--r-- | modules/default.nix | 1 | ||||
| -rw-r--r-- | modules/powerdns/default.nix | 69 | ||||
| -rw-r--r-- | modules/tlmp/default.nix | 21 |
7 files changed, 177 insertions, 6 deletions
@@ -12,7 +12,7 @@ outputs = inputs@{ self, nixpkgs, flake-parts, nixinate, ... }: flake-parts.lib.mkFlake { inherit inputs; } {
- imports = [ nixinate.flakeModule ];
+ imports = [ nixinate.flakeModule ./lib ];
 flake = let system = "x86_64-linux";
@@ -30,7 +30,7 @@ # vultr-image = mkSystem [ common users image vultr ];
 ettves = mkSystem [ (import ./machines/ettves) common users wireguard crypto kubernetes zfs teamspeak postgresql quassel powerdns acme ];
- phaenn = mkSystem [ (import ./machines/phaenn) common users wireguard crypto kubernetes zfs ];
+ phaenn = mkSystem [ (import ./machines/phaenn) common users wireguard crypto kubernetes zfs acme tlmp ];
 fra01 = mkSystem [ (import ./machines/fra01) common users wireguard crypto kubernetes vultr bgp powerdns ];
 nyc01 = mkSystem [ (import ./machines/nyc01) common users wireguard crypto kubernetes vultr bgp powerdns ];
 sin01 = mkSystem [ (import ./machines/sin01) common users wireguard crypto kubernetes vultr bgp powerdns ];
diff --git a/lib/default.nix b/lib/default.nix
new file mode 100644
index 0000000..61c0760
--- /dev/null
+++ b/lib/default.nix
@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+
+{
+ flake = {
+ lib =
+ let
+ callLibs = file: import file { inherit lib; };
+ in
+ {
+ nginx = callLibs ./nginx;
+ };
+ };
+}
diff --git a/lib/nginx/default.nix b/lib/nginx/default.nix
new file mode 100644
index 0000000..3fdb697
--- /dev/null
+++ b/lib/nginx/default.nix
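Review bot: In lib/default.nix the module binds `config` and `pkgs` that the body never uses; `{ lib, ... }:` would state the real dependency and stop a reader from looking for where they are consumed. `callLibs` also fixes the contract for every file under lib/: it is called with `lib` only (presumably nixpkgs' lib via flake-parts; confirm), so a helper that later needs `pkgs` or `config` cannot be added without touching this line, and that deserves a comment such as `# helpers get nixpkgs lib only; they must not depend on pkgs or config`.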
@@ -0,0 +1,66 @@
+{ lib }:
+
+{
+ proxyDomain = cert: proxyPass: {
+ addSSL = true;
+ useACMEHost = cert;
+ locations."/" = {
+ inherit proxyPass;
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_pass_header Authorization;
+ '';
+ };
+ };
+
+ proxyDomainAuth = cert: proxyPass: {
+ addSSL = true;
+ useACMEHost = cert;
+ locations."/" = {
+ inherit proxyPass;
+ proxyWebsockets = true;
+ extraConfig = ''
+ auth_request /outpost.goauthentik.io/auth/nginx;
+ error_page 401 = @goauthentik_proxy_signin;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+
+ # translate headers from the outposts back to the actual upstream
+ auth_request_set $authentik_username $upstream_http_x_authentik_username;
+ auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
+ auth_request_set $authentik_email $upstream_http_x_authentik_email;
+ auth_request_set $authentik_name $upstream_http_x_authentik_name;
+ auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
+
+ proxy_set_header X-authentik-username $authentik_username;
+ proxy_set_header X-authentik-groups $authentik_groups;
+ proxy_set_header X-authentik-email $authentik_email;
+ proxy_set_header X-authentik-name $authentik_name;
+ proxy_set_header X-authentik-uid $authentik_uid;
+ '';
+ };
+
+ locations."/outpost.goauthentik.io" = {
+ proxyPass = "https://auth.vapor.systems/outpost.goauthentik.io";
+ proxyWebsockets = true;
+ extraConfig = ''
+ proxy_ssl_server_name on;
+
+ proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ add_header Set-Cookie $auth_cookie;
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ proxy_pass_request_body off;
+ proxy_set_header Content-Length "";
+ '';
+ };
+
+ locations."@goauthentik_proxy_signin" = {
+ extraConfig = ''
+ internal;
+ add_header Set-Cookie $auth_cookie;
+ return 302 /outpost.goauthentik.io/start?rd=$request_uri;
+ '';
+ };
+ };
+}
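Review bot: The `/outpost.goauthentik.io` location in `proxyDomainAuth` sends every auth subrequest to `https://auth.vapor.systems` with only `proxy_ssl_server_name on`; nginx's `proxy_ssl_verify` defaults to off, so the certificate of the host that returns the allow/deny decision is never checked and anyone able to interpose on that connection can answer the `auth_request` in the outpost's place. Add `proxy_ssl_verify on;` and `proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;` to that block (the NixOS CA bundle path; confirm it is present on these hosts). Both helpers also set `addSSL = true`, which in the NixOS module keeps a plain-HTTP listener beside the TLS one, so the authentik session cookie re-emitted by `add_header Set-Cookie $auth_cookie` can travel in clear; `forceSSL = true;` would redirect HTTP to HTTPS instead. Finally, `proxy_pass_header Authorization;` in `proxyDomain` is a no-op: that directive only un-hides upstream response headers, Authorization is not on nginx's hidden list, and client request headers are forwarded by default, so the line can be dropped or replaced by a comment explaining what it was meant to do.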
diff --git a/modules/acme/default.nix b/modules/acme/default.nix
index 91f6aa0..0556710 100644
--- a/modules/acme/default.nix
+++ b/modules/acme/default.nix
@@ -9,4 +9,13 @@
 credentialsFile = "/etc/secrets/pdns_api.env";
 };
 };
+
+ secrets = {
+ pdnsAPI = {
+ source = ../../secrets/pdns/pdns_api.env;
+ dest = "/etc/secrets/pdns_api.env";
+ };
+ };
+
+ users.users.nginx.extraGroups = [ "acme" ];
 }
diff --git a/modules/default.nix b/modules/default.nix
index 0bd0349..6912276 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -17,4 +17,5 @@
 postgresql = import ./postgresql;
 quassel = import ./quassel;
 powerdns = import ./powerdns;
+ tlmp = import ./tlmp;
 }
diff --git a/modules/powerdns/default.nix b/modules/powerdns/default.nix
index cca6a03..d110875 100644
--- a/modules/powerdns/default.nix
+++ b/modules/powerdns/default.nix
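Review bot: Moving `secrets.pdnsAPI` into the acme module puts the PowerDNS API credentials on every host that imports `acme`, which after the flake.nix change includes phaenn, a host that does not run powerdns; a PowerDNS API key is not zone-scoped, so each of those hosts can now rewrite any zone the authoritative servers hold, not only its own `_acme-challenge` records. If the key must live on satellite hosts for DNS-01, at least document that blast radius next to the secret, e.g. `# global pdns API key, shared by every acme host for DNS-01 -- treat as a DNS admin credential`, and consider delegating `_acme-challenge` to a separately scoped challenge provider later. `users.users.nginx.extraGroups = [ "acme" ]` likewise lets nginx read the private key of every certificate under `/var/lib/acme` on the host; `security.acme.certs.<name>.group = "nginx"` on the certificates nginx actually serves is the narrower grant. The mode the `secrets` module applies to `dest` is not visible in this diff; the file should be root-readable only.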
@@ -64,11 +64,72 @@ in
 secretFile = "/etc/secrets/pdns_api.env";
 };
- secrets = {
- pdnsAPI = {
- source = ../../secrets/pdns/pdns_api.env;
- dest = "/etc/secrets/pdns_api.env";
+ services.powerdns-admin = {
+ enable = true;
+ secretKeyFile = "/var/lib/pdns/secret.key";
+ saltFile = "/var/lib/pdns/salt";
+ extraArgs = [ "-b" "10.10.0.1:8000" ];
+ config = ''
+ SQLALCHEMY_DATABASE_URI = 'postgresql://powerdnsadmin@/pdns?host=/run/postgresql'
+ # SAML_ENABLED = True
+ # SAML_DEBUG = True
+ # SAML_METADATA_URL = 'https://auth.vapor.systems/application/saml/powerdns/metadata/'
+ # SAML_METADATA_CACHE_LIFETIME = 1
+ # SAML_LOGOUT_URL = 'https://auth.vapor.systems/application/saml/powerdns/slo/binding/redirect/'
+ # SAML_SP_ENTITY_ID = 'pdns-admin'
+ # SAML_SP_CONTACT_NAME = 'me'
+ # SAML_SP_CONTACT_MAIL = 'me'
+ # SAML_NAMEID_FORMAT = 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent'
+ # SAML_ATTRIBUTE_USERNAME = 'http://schemas.goauthentik.io/2021/02/saml/username'
+ # SAML_ATTRIBUTE_NAME = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name'
+ # SAML_ATTRIBUTE_EMAIL = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
+ # SAML_ATTRIBUTE_GROUP = 'http://schemas.xmlsoap.org/claims/Group'
+ # SAML_GROUP_ADMIN_NAME = 'admin'
+ # SAML_SIGN_REQUEST = False
+ # SAML_ASSERTION_ENCRYPTED = False
+ # SAML_WANT_MESSAGE_SIGNED = False
+ # SAML_CERT = '/var/lib/pdns/saml.crt'
+ '';
+ };
+
+ security.acme.certs = {
+ "vapor.systems" = {
+ extraDomainNames = [ "*.vapor.systems" ];
 };
 };
+
+ services.nginx = {
+ enable = true;
+ defaultListenAddresses = [ "178.63.224.13" ];
+ virtualHosts."ns.vapor.systems" = {
+ addSSL = true;
+ useACMEHost = "vapor.systems";
+ locations."/" = {
+ proxyPass = "http://10.10.0.1:8000";
+ proxyWebsockets = true;
+ extraConfig =
+ "proxy_pass_header Authorization;"
+ ;
+ };
+ };
+ };
+
+ systemd.services.powerdns-admin.serviceConfig = {
+ BindPaths = [ "/run/postgresql" ];
+ };
+
+ services.postgresql = {
+ ensureDatabases = [ "pdns" ];
+ ensureUsers = [
+ {
+ name = "pdns";
+ ensurePermissions = { "DATABASE pdns" = "ALL PRIVILEGES"; };
+ }
+ {
+ name = "powerdnsadmin";
+ ensurePermissions = { "DATABASE pdns" = "ALL PRIVILEGES"; };
+ }
+ ];
+ };
 };
 };
 }
diff --git a/modules/tlmp/default.nix b/modules/tlmp/default.nix
new file mode 100644
index 0000000..16f9ff5
--- /dev/null
+++ b/modules/tlmp/default.nix
@@ -0,0 +1,21 @@
+{ self, config, lib, pkgs, ... }:
+
+with self.lib.nginx;
+{
+ security.acme.certs = {
+ "media.cocaine.farm" = {
+ extraDomainNames = [ "*.media.cocaine.farm" ];
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ "media.cocaine.farm" = (proxyDomain "media.cocaine.farm" "http://10.101.94.10:80");
+ "sonarr.media.cocaine.farm" = proxyDomainAuth "media.cocaine.farm" "http://10.101.73.6:80";
+ "radarr.media.cocaine.farm" = proxyDomainAuth "media.cocaine.farm" "http://10.101.22.234:80";
+ "jackett.media.cocaine.farm" = proxyDomainAuth "media.cocaine.farm" "http://10.101.20.23:80";
+ # "torrent.media.cocaine.farm" = proxyDomainAuth "media.cocaine.farm" "http://10.101.73.6:80";
+ };
+ };
+}
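Review bot: `ensureUsers` grants `powerdnsadmin` `ALL PRIVILEGES` on the same `pdns` database the authoritative server's `pdns` role uses, and `SQLALCHEMY_DATABASE_URI` points PowerDNS-Admin at that database, so the web application's account can alter zone tables directly rather than only through the API it is meant to use; giving it its own database (`ensureDatabases = [ "pdns" "powerdnsadmin" ];`, `"DATABASE powerdnsadmin" = "ALL PRIVILEGES";` for that user, and `/powerdnsadmin?host=` in the URI) keeps a compromise of the web UI from becoming direct write access to zone data. The `ns.vapor.systems` vhost is bound to the public address `178.63.224.13` with `addSSL`, so PowerDNS-Admin is reachable over plain HTTP as well as TLS, and with the SAML block commented out its local login is the only gate; if the upstream PowerDNS-Admin default of `SIGNUP_ENABLED = True` still applies to the packaged version (confirm), anyone can register, so set `SIGNUP_ENABLED = False` explicitly in `config` and prefer `forceSSL = true`. `proxy_pass_header Authorization;` here only un-hides an upstream response header and does nothing for the request, so it can go. A one-line comment above the commented SAML settings stating whether they are pending work or intentionally off would help, since this same commit adds the authentik forward-auth helper but does not apply it to this vhost. The enclosing `in { ... }` attribute set starts before the hunk.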
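Review bot: `media.cocaine.farm` is the only vhost here built with the unauthenticated `proxyDomain`, while the three service subdomains go through `proxyDomainAuth`; if the upstream at `10.101.94.10` has its own login that is fine, but it should say so, e.g. `# root vhost deliberately unauthenticated: upstream handles its own login`, so the next edit does not read it as an oversight. The commented-out `torrent.media.cocaine.farm` line points at `10.101.73.6:80`, the same address as sonarr, which looks like a copy-paste placeholder rather than a real upstream; either give it the right address or drop it. The parenthesised `(proxyDomain ...)` on the first entry is inconsistent with the bare calls below it, and `with self.lib.nginx;` over the whole module hides where the two helpers come from; `let inherit (self.lib.nginx) proxyDomain proxyDomainAuth; in` names them explicitly.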
