diff --git a/.sops.yaml b/.sops.yaml
index 9d1a86a..0df702d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -14,6 +14,7 @@ keys:
 - &server_nix-cache01 age1a0477laj9sdh79wdas5v7hzk6au8fach74njg8epfw2rdht90qjsakkwd6
 - &server_pgdb1 age1ha34qeksr4jeaecevqvv2afqem67eja2mvawlmrqsudch0e7fe7qtpsekv
 - &server_nats1 age1cxt8kwqzx35yuldazcc49q88qvgy9ajkz30xu0h37uw3ts97jagqgmn2ga
+ - &server_auth01 age1gsljenjwwre47rh92t70j2h4fd2w25s44yknx6dtm8u7aa8syurq9s38ka
 creation_rules:
 - path_regex: secrets/[^/]+\.(yaml|json|env|ini)
 key_groups:
@@ -33,6 +34,7 @@ creation_rules:
 - *server_nix-cache01
 - *server_pgdb1
 - *server_nats1
+ - *server_auth01
 - path_regex: secrets/ns3/[^/]+\.(yaml|json|env|ini)
 key_groups:
 - age:
diff --git a/flake.nix b/flake.nix
index 2cb1daa..e00bf7e 100644
--- a/flake.nix
+++ b/flake.nix
@@ -329,6 +329,22 @@
 sops-nix.nixosModules.sops
 ];
 };
+ auth01 = nixpkgs.lib.nixosSystem {
+ inherit system;
+ specialArgs = {
+ inherit inputs self sops-nix;
+ };
+ modules = [
+ (
+ { config, pkgs, ... }:
+ {
+ nixpkgs.overlays = commonOverlays;
+ }
+ )
+ ./hosts/auth01
+ sops-nix.nixosModules.sops
+ ];
+ };
 };
 devShells = forAllSystems (
 { pkgs }:
diff --git a/hosts/auth01/configuration.nix b/hosts/auth01/configuration.nix
new file mode 100644
index 0000000..35b6861
--- /dev/null
+++ b/hosts/auth01/configuration.nix
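Review bot: Adding `*server_auth01` to the key group of the generic `secrets/[^/]+\.(yaml|json|env|ini)` rule lets the auth01 host key decrypt every secret under `secrets/`, not only what lldap and Authelia will need. That matches how the other server keys are listed, so it may be the intended model, but a host fronting the identity directory is a higher-value target than most; a per-host rule, in the shape of the `secrets/ns3/` rule right below, would keep its reach to its own file. If the shared rule is a deliberate trade-off, a one-line comment next to the key group saying so would help the next reader.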
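Review bot: The inline module `{ config, pkgs, ... }: { nixpkgs.overlays = commonOverlays; }` binds `config` and `pkgs` without using them; `{ ... }:`, or just the attribute set `{ nixpkgs.overlays = commonOverlays; }`, expresses the same module. If the other host entries above this hunk use the identical shape, keeping it for consistency is reasonable, but then hoisting that overlay module into one named value used by every host would remove the repetition. The enclosing attribute set starts before the hunk.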
@@ -0,0 +1,65 @@
+{
+ pkgs,
+ ...
+}:
+
+{
+ imports = [
+ ../template/hardware-configuration.nix
+
+ ../../system
+ ../../common/vm
+ ];
+
+ nixpkgs.config.allowUnfree = true;
+ # Use the systemd-boot EFI boot loader.
+ boot.loader.grub = {
+ enable = true;
+ device = "/dev/sda";
+ configurationLimit = 3;
+ };
+
+ networking.hostName = "auth01";
+ networking.domain = "home.2rjus.net";
+ networking.useNetworkd = true;
+ networking.useDHCP = false;
+ services.resolved.enable = true;
+ networking.nameservers = [
+ "10.69.13.5"
+ "10.69.13.6"
+ ];
+
+ systemd.network.enable = true;
+ systemd.network.networks."ens18" = {
+ matchConfig.Name = "ens18";
+ address = [
+ "10.69.13.18/24"
+ ];
+ routes = [
+ { Gateway = "10.69.13.1"; }
+ ];
+ linkConfig.RequiredForOnline = "routable";
+ };
+ time.timeZone = "Europe/Oslo";
+
+ nix.settings.experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ nix.settings.tarball-ttl = 0;
+ environment.systemPackages = with pkgs; [
+ vim
+ wget
+ git
+ ];
+
+ services.qemuGuest.enable = true;
+
+ # Open ports in the firewall.
+ # networking.firewall.allowedTCPPorts = [ ... ];
+ # networking.firewall.allowedUDPPorts = [ ... ];
+ # Or disable the firewall altogether.
+ networking.firewall.enable = false;
+
+ system.stateVersion = "23.11"; # Did you read the comment?
+}
diff --git a/hosts/auth01/default.nix b/hosts/auth01/default.nix
new file mode 100644
index 0000000..48f014f
--- /dev/null
+++ b/hosts/auth01/default.nix
@@ -0,0 +1,7 @@
+{ ... }:
+{
+ imports = [
+ ./configuration.nix
+ ../../services/lldap
+ ];
+}
diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml
index f223d8a..74918e6 100644
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
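Review bot: `networking.firewall.enable = false;` near the end of the file leaves every listener on this host reachable from the network, and this host is about to run the LDAP directory plus its web UI. The ports this commit actually needs are visible elsewhere in the diff (80 for the ACME `listenHTTP`, 6360 for LDAPS, 17170 for the Caddy backend), so `networking.firewall.allowedTCPPorts = [ 80 6360 17170 ];` in place of that line would bound the exposure while keeping plain LDAP on loopback only; if `../../common/vm` already disables the firewall for all VMs, say so in the comment instead of carrying the template boilerplate. Separately, the comment `# Use the systemd-boot EFI boot loader.` is stale, since the block under it configures GRUB on `/dev/sda`; `# Boot via GRUB (BIOS) on /dev/sda.` would match the code.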
@@ -11,137 +11,146 @@ sops: - recipient: age1lznyk4ee7e7x8n92cq2n87kz9920473ks5u9jlhd3dczfzq4wamqept56u enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMTVZJWFZMVC9FQmdKTVAw - bUZidVhZQ2VqMnJ2VWI4ZGVKZTF5RCtkd1dNCkxMaGZnQUQwL0pVaDNiRWxqZXZK - aUFDYkY5Z3ZJVEVYb1J3bDgzeFdWWU0KLS0tIEtlVzVJbDFPSkZ1NmltekpXdFpx - UnViT0lDYm4yaFJWOFhWdG8rUjJ6ZFUK2dOJw3inwEXLry4lPSYTvthlvaxdZrKB - YLJyJc4LKu3x7RTdunHGz4atCpq9AQIzld2WugKooOX7BbG9D7Q7wQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKV1k4TS9UMWRrNDdHTDcr + ZUVIS2tDNzMyWG42YmpKeFQ5VEVzaFhjQnhFCmg0eURReWEyS095aWNTTStGaGJW + dFpaY29CSHJaV3B2cThBVElMS3FwdFkKLS0tIG5sV2ZIQkxoZlh3Ui9XMnIzdWhn + bUgxUzV3dkFZVm04RjlZcVRpQUdTdWMK5Oxp3SRuZ1aYeZzr1iUJZ7V1ulBNGnLH + UpQs1Z6NJC583awtb9rvFt7wiqzjtNgEUFfsllijMZEF7aa/raZi+w== -----END AGE ENCRYPTED FILE----- - recipient: age1hz2lz4k050ru3shrk5j3zk3f8azxmrp54pktw5a7nzjml4saudesx6jsl0 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TEtidnUyeHBDdFI4OWJR - MmduQ1F1WjhkSjRlekpNWmFvTW1SSmlqR2dzCmRZVlhiMWFLb0V0YmNmR3QwOENX - STlNeTlqaytCZFZ4TWw4V3BPN0pOcHcKLS0tIHVTMVlYcTdkYUx2eUJVSmhTbGhs - VFI2b3o5T1B0SnRpeUV5S1hyUC9QU2cKNQwXfmP2WrvH22GcyJmMR+pD/+OK2ur0 - 2jucauu0FRL2Vs2PgwClylcvHJr8bRY9ZYr00e+JBHEPCbSa/Wfibg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlaXcrWkJLdGxJa0lIWktY + WUtVTjVIK0tHU09LV0dpQmF5MndyNGxtREE4CktCZ3k5NHl1L3JGZ1RjS3N5M3pK + RlBOaDhWYTdCc21kQmhUbmpkNVNDSHMKLS0tIFhkSDdlRFRibTFHTExzUTh3a2cr + V0JCRWRBeU5pSG5RMGoweVlCcVYvRUkKT1bJuqO59rNMntC38+P1q2w6HXsfAcki + D+SaOqOkzMvbaj5/5lTy9LjFL7wXrXbw5wqzancF9ETjxpD6IkEnVA== -----END AGE ENCRYPTED FILE----- - recipient: age1w2q4gm2lrcgdzscq8du3ssyvk6qtzm4fcszc92z9ftclq23yyydqdga5um enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArQUlxZmNoNEFnZEtkYTl1 - MUdDTmVMNFhyczBpekQzUmpuWDVrNE9RbHlNCmFWZFZsazd0bHZNTk91eTRoL0pV - U09LNXNUNENxdlFPMFB6UFh0dE8wcXcKLS0tIGxlRG5lektodWhadmg1cjhmdnJh - 
YUhCejhlY2NYSW9CbDFVRDErREgwTzgKvbg+AB6Sy6GVKzxd8LGmdkMnVP/8o2B3 - v3DpLRNArzQlisjpTS0vcOxC/f9GpTzKWxGoqY8bA7zQZmsZ8Gkj0g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMXhXVnJxaFNjU1pOTUJq + NXFzN29yVHVqQVluRkRYRHhqeEU5QWpVNkEwCldJTmRodUJNeVloOEhwV3ZEeWE4 + MTRNOHlWcnJ6WlZ1Vi9EZmQzcnp4ZkkKLS0tIFgwb1AzRzl1cGpJdlE0eEVOVENa + bWZJdUpOcTEzM2kxbkE5WXdQVHRvRDQKof1kW44Bz0iWvzG5M/LxM1EmaK4z2sCV + IcLFfQBCZmcIw/besuzkLleXgBWoQJ1u9KsoJuUFRxuuPRXEE1RpMw== -----END AGE ENCRYPTED FILE----- - recipient: age1snmhmpavqy7xddmw4nuny0u4xusqmnqxqarjmghkm5zaluff84eq5xatrd enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiUmhoRSt0RzFrNnF6dXI3 - ek44Rnp4OEZLYnQ5WU1KWmlJQmNiZ3UwR1dJClhEMitZMGFva0lRSkZaN1VWVktO - WlViRkxjTUhPZ2wzbjZjWWdWa21WQVkKLS0tIC9QSkxNd2NnL1RIL1QybXg3MkpE - OXhEa2dORnlYeWpUakhPakVTRll3RUkKL4P3Q5vQmT2kG4WlLhniur7PEYq1RQM6 - OI/1gROVoqfPSzDHb680USthAkQDMsp+eR/KFn0aaa+TbLfp0e5ZuA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBubi9MWTBKNjZucFRBMGw3 + ZHZzeG1SNzNmQ1dPWXNVODJkTlJrcmRQYWdJCjZLWkh1cHRnRGdSSnYyM3g4RmEw + MHp2N3p1SEQ2OUR1VTRGT05tYjlSeVEKLS0tIFd4MzZJY09QeWhna3Q1RVBxZFpa + V0t3bWU1bzJRWmJTQ2VHemJHR2txSjQKQMWUtau+teT2v5VvClYfbIuCyY3HNcG6 + KfnuGINDQVZaTwlRksHhRljk9D44+z7HLNILiyqudnGYbiH6lbEyAQ== -----END AGE ENCRYPTED FILE----- - recipient: age12a3nyvjs8jrwmpkf3tgawel3nwcklwsr35ktmytnvhpawqwzrsfqpgcy0q enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDTmE2cXkyOVB4czhBblFu - NlVSVkVYM2FZcEFYbTVZMlE2bWxOTXJMQ0JZCldhQWJBUGxGdGFyVlVUNEZ2ZWw5 - aC9jdzRseDY3b2xaQVcyS1JiR01YOTAKLS0tIDZBemlYVkVXTzN3UFB2YVlPNGl6 - eU4wb2ZWSjExWXYxRUd4cmJvdStFWEEKc8lFqK2Yzi42ZUMy1xF1ycqohS5Zf9tL - uW6WJ9WLgGqkfDOAtuJziFnhFa6j3j6CRefFLTuVnedbmKCoDQwGjw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSbU1iUFgweGlaOVJZRTlF + ZWR0QTZUWHAvTFhocU5kWE4yV2tiMmNmVGk4CjFVbG1JQzVpV2NtSDhXZ1VaOHA1 + cEw1dUgvK3Z1QmN5QVJzZ2dpaUhhd28KLS0tIEZaT1JQYngwQ0FtNUlXZFVUeUtr + 
TTFYR05tSXFSVW9KVVVyb29wUTdybkEKCMXM4j1hcRwktD+Y4k2cu9okZqMpDchb + P61Ktwy0J2yMcY3OiBMTP8j1ujJ9R6iKuOX6GxzTtM0CU2fMcwormA== -----END AGE ENCRYPTED FILE----- - recipient: age1d2w5zece9647qwyq4vas9qyqegg96xwmg6c86440a6eg4uj6dd2qrq0w3l enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqbXkxVVhqRUlrNEtVOE5V - MGxyamlYS2dyYXNoOEpjQllpdm13SEEwYzBzCmVCOERHUHVMSUR4RnBjanpQZThl - cmtjeDdrNWsvM200WEcxbitNeVdMQjQKLS0tIEthdFlGcXNxYVp6ajFtVkxlWnF6 - VzFvU0NESHRGYkRGU0haeFdpVmpUelkKTF+xtOcnWz6KXzYmLuews/GuyFszuQ9n - aiw3Iv7XqwhYpYKn3Co9gxEAQjMYtCA+MCRA31msRzI+7fd5t3yNUw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQRXphVDNXeGEzWklKRVZE + TmxUbDFDelI1dDl6L0d2eDFjYThlZGRYV1NRCm1JV0RGZmYxMWRQaTFIa2hLdzhW + VXNBRTNlOE1Ba0F0WkxvYU1PYmRmK1EKLS0tIDJGK1JOcjU4ZzB6ZzNTdjJKcXZh + VXZaWSt5VDU0cVlVTGk0L0FIYVhkYlUKSGUR4HfAbUt4fF8tvdge8YWviEQijewm + NIJaHXEMSwRP8Dh0dEKtCTBYa47mjOkzI3HuBzK/GfcuCYFPRSeMwg== -----END AGE ENCRYPTED FILE----- - recipient: age1gcyfkxh4fq5zdp0dh484aj82ksz66wrly7qhnpv0r0p576sn9ekse8e9ju enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLbEVRVEpoWGhoVWFXOFN1 - YkN0RlJuNjVKWFlidHBML28wb2Q1ejYvcUdNCnRkWVBRODZxbHovQjFOb0ljamM3 - Z2N0cXRmYS8wMXlIUjhjTlk3NlZkZGcKLS0tIGZvVGEwNWMxRGN1cmJTQWltcWdS - SEp6RnkybTloblRtNm5kVGxIY1ZEVFkKSB5Ryt+3gVenl7/EF53g8u1aMMfa6/nm - 7nKoVo/gyMeUrlhRXiZItlBeIBmLm3Wplw9z8GA7s6C+PgITPRVQTg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOblcwWnBuaWNUL25XcFYy + cU5sZFFPR2VIOGdaYXBPQ216VjFDL1gzNENBCkFrbnNFM3drdVRDUEcxVHp1dDEx + Z1lQSW1NSFhacGt1RzBLMTFYbkZUTkkKLS0tIEJDNzRRTGdwbWZQOHdjVFRTckky + Ty9tdUQ0b0l5RUQ0WGZrUjJpaU9CYXMKBK1sgdMb1+okPUJMLMiu20Sx4QQd4sdL + NOxjzMTNmnV2KcZudycBA7lzI55cu59WAnDh1uldVxK6WxH9bhouCA== -----END AGE ENCRYPTED FILE----- - recipient: age1g5luz2rtel3surgzuh62rkvtey7lythrvfenyq954vmeyfpxjqkqdj3wt8 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxT05XbFM4MUI4OGRFWWln - 
RFhVaHhpOVRkMXM4OFdUOUMwZ05KaWVsQkgwClhEemtqU3FmdG41dmpFNFRpUStm - cUtkd3lSeUYwREFGc09MQklzMk1Id2cKLS0tICtuWkdUUEtqK0RqWDFibjg0UjZQ - NDU3WWZyeExQSzJDd0QwaUdpVVZMdDQKTWOuLfuiVsoc2/+6Tgl7K7h9X4efkTIt - 9nLGZvgnS3cMqLJb5ilHNhSlYj3cWCr2p9oUIQUh5YumogBblQDzsg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVENXa2xwOVo0bkpmWU5i + dzZiVC9vZ1pMMCtYN0NpemNIcVBVVExUaG5nClJOZU5qRDVFdnE4Q0xWWTJqNXRC + dkhqVncwZDQ3a25xbkVUSzMyZW9UUUEKLS0tIDloOEpvYXdpbmw4RVdHOXZ0UHl4 + NG5sS2JDZVJlNllqUDllSnBhbkVWUTAKTjGx4hmLCuGuofeOO2jLDc7P285xW03E + vKv7dZicFtyO4EaXfYevbYH2E6PpaxkvXeM2B+RdZA70Goc5oHmyAw== -----END AGE ENCRYPTED FILE----- - recipient: age1gq8434ku0xekqmvnseeunv83e779cg03c06gwrusnymdsr3rpufqx6vr3m enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlZXJsSm40MVliL0tIQVFy - VjA1Z1FiUnpEVjBqK09Jd2IzK2o3QkV6d1Q0CmlMc1g5MkkxOFhZU0JyMEFxbW1w - dUF1eEpGRm5OeW14ZGFlZDMrbkswS0EKLS0tIEtVNnp0cFBLMHY3NFVTZ0VOQlIz - SFdpSm5OQmZCeFkwelJMWUFUQ3N0UEEK96d3AQcx96IDiOzCcNh9o8VqKUBsQ86/ - jfeT45ImZADR71w35FATuPRSwjXf5ncB8VhEnkglZt28DrZ64+9fiQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlR0RUR3hPMWFuZWZxZERa + VDhtTmd6QWFMWi92Z2I0Y0tGQktZYWU0bDM0Ck5BekJqWGo2WFB4VXNaSDVYRjdC + TVlmZHNyQ1RGM2VVWGRTYit0aWRSbjgKLS0tIEcyUThOdEl5bFhGWDRBbmFsK0Ja + YmtpQWpEMFViOWVZMGUzR2NudXhzYVUKaL9rOUEw0/ixCqUNibM4VrNewxnUgCVb + DFQ5aN/7jVpmjNA6MgMuEdngnXsRu7f3rK8tqdAgt7KidZaGkIFaEQ== -----END AGE ENCRYPTED FILE----- - recipient: age1288993th0ge00reg4zqueyvmkrsvk829cs068eekjqfdprsrkeqql7mljk enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFdTc1Z1FLTk5vNy9qMnAr - bkJzOXI0Z1lZWlB1SWN3T3pTOHRzQjFEM1VFCmNUSEJLKzU0SjJlcGFoT2pNVHI0 - eDlCekhJbnlJeWZKTXM0UHp4U1QrdG8KLS0tIEpkVlB1QmdGUDJ6UUJUbER5S3VW - cEExek9VTlZpVng5VFRNSUZQR2J6OEUKN9OggPgvPxwelXby04Y1P4Q6URAc/AcL - 2QOlwIHDbEs1nmo5JfXpFwj+PH/YpwmmcEJmL/SUiXdeUwli5cfhSg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhR1dQTjVONFk1WHVqVnUy + 
QkdNZW4xSzF1MnBIWmpoR0NRNkdDUzZXcG5nCkpoeGc3dXpmczJ6aXZmQ0gxaGdS + QzZWNnB4Q3pHSTlzTkFheUlJVWtrZlkKLS0tIGppUFNMRzcxRzYvMk4rNU9jcTZm + ZldYdE5HQ0VxREZNQUxCUGNEdWFRcmMKWU+F0agvGt35OUzTLyqT/J1adsGOOHkQ + kvnLDPF/FO3H/WF4bip4euASsvMCLZgxYp2nAFcWin8LH7GHtPRMIg== -----END AGE ENCRYPTED FILE----- - recipient: age1vpns76ykll8jgdlu3h05cur4ew2t3k7u03kxdg8y6ypfhsfhq9fqyurjey enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3TkdIazdLdDF5V3MvZmQ1 - cmpTVVNSdE9DZHh0VlZlNGNRc0dOekpvaEhZCktqNGFHKzNhSytEcG50Qmo4Q1Zi - UkJjd3JFUnlNVFhwOWxsVEp6RVBnK0UKLS0tIDlRamhkcWE1RUdzdVM1YlduS0d2 - SUx3anRyT0tmU1BaRkQ0SVUzQzlkWncKaDqF4889dODh5RRw8S3WI5i3dRg//hmL - rlTqo+Z6cr2sr52peQRmvKEas2bhczqn6F1rTAkHd1ZOvqrOae58vg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLQlZNK3pjdTFGZ280dXhS + WitmRDBnbEVUeElYeUhkK0cyR0RFRlhGbjM0CmxUTHlJM0lpejVvb1JPL2FhLzls + YmV2TU00cW9UaHM1NWNsQXA5Q1FqUnMKLS0tIGc2YXhpRDU4V0tVQ1daVzZ1WW5F + SWYxWWQ4R0pzdTVYSEVGSHRHT3BZYjQKzjRi/Wlp66nbQ4GXjo+/VCXV0dmTLxx4 + tI7CBdN2W4QHR1q23iWjzcfgBZcgMU3dRr4AoWmu1gD55+c03jE2JQ== -----END AGE ENCRYPTED FILE----- - recipient: age1hchvlf3apn8g8jq2743pw53sd6v6ay6xu6lqk0qufrjeccan9vzsc7hdfq enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0YkVoOVl5UFk5V3NxMWZl - WXdsbVZjMktUd0dvcGdjWmJTYUs0SHJ0NzMwCkx2NnNQVVdpZGt1anlSQjF6QnYv - Q3c0MS9HZHhnRVRmUW53alN0Z25tS2MKLS0tIFY2OC9vWThtaHR2cUJlQVVuZG9a - bDdRRk1kU2REMFBOT3ROUm9lalFRTlkKNHWalFXi5w/XLCI+weeXx0jJpquvbLA3 - idkwWwkD+nfT0kqSlrYM64msQlXhvSt6pvxNHspxOf5298aKVTwzSQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoTXdRNzdWc3hwQ0s4NCsr + VTNqQ043ZS9FOFpSZDA1K2Q1SFBaVGx6SHo0CjZLV3hIVE9uK1pzcEg4Y2p1TThH + ZUpRZjFvK25xN3RPV05HVWhXVVlFRUEKLS0tIFg0bHFhWWRtNHlpK1Fja1RhdzZ0 + dmcrOVJHNmpmU251RFFDWHBKTHRYd1UKMz5TvaFjxoJ89W0ZVWn6+StCBiESRVPg + njs77Q84E1taXEmd9WtIZbEG0mJVrPZMDaliop758Z9kZnBVNkBfLw== -----END AGE ENCRYPTED FILE----- - recipient: age1a0477laj9sdh79wdas5v7hzk6au8fach74njg8epfw2rdht90qjsakkwd6 enc: | -----BEGIN AGE 
ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZcUJZVktpbDBLM3ZPbFNn - V0pZelRXMnpwVWJYNWxqMTQwbXU5U05yVEdjCkxGMjhvbWNjYzRtbjA4SzFRQTdS - eFJYUTl6cGJaVXFNOFZSeFZxY2RCOFkKLS0tIG5HTFZjdVc2TmxvdWxOWUJwNGxq - YmNObzVvMXlkZWFiYjBWOVJzalg4TVEKbp1w7WeiHb9318WfuUP/aGTahNmFXbS/ - n6KRpF/hqapFf08AkEUFwaIy56BwaXAyUNloV53bSsLsopnQ1fnWAw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0Um4raGdaRTFIdDNQdG45 + T0NyVWRiUGlzU0VUWW1lSWorbmRMQ3FOclNrCnVnZUl0QXdWazV3UWRsam44bndH + U0tqTkJWdFhVeFRBZlkxRzk0UW5lQ2cKLS0tIGlNSkdyUmRhMUxGd3l2UllTSXEx + S1gzTFRlUGI3VmFNN3duYlJoS2xQRHMKLCuwLnxTOSUcCZZw05mb6dr/zX+4hYj1 + Tu1SasVowVK5pu3rQXoii8HC49ValPoNrm2koqekLKFheM25v52x6Q== -----END AGE ENCRYPTED FILE----- - recipient: age1ha34qeksr4jeaecevqvv2afqem67eja2mvawlmrqsudch0e7fe7qtpsekv enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIdktCOVkyWTFZbTB5Slcv - bFYyOW5ZRVEvUFRwN0p5cEUxVDhqc1VtZW1NCjE5V01pRml4WHhTTnB4TTMrSDdk - aitHNldWYUxqa3F5YW9DN3VJTS81VmMKLS0tIGNDL0pMeXhDZjdrM0lJQ1VzVjhZ - cndiNWp0c2YvUjQ5UjVRL3FmQ05jK2cKk2BFPsVThpFjy6bEVEm3Kn+faLL6LX1a - MXE9HRtdGJIrPLaJ5DpGhYakFx/L4v28MNchBWH2TSXpa82EETOFZA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqMzVhMWFhVlpBUEozWFIr + TGZSdWU5YnhhSGswYjlYUkhhdnNzdS9tWDJ3CjliMlQyNFQvZXAvK29BMXRZUlNh + MlhLTmdxWEova3paMWR6ZlBieU14ZFUKLS0tIEljemdsNDE2Nmh5ZG1WVXpmb3JG + N2hOUnVUWFFWNHJIcGY4RHFSWFQ5ZGcKlY/7QTtz3V+j/sbU3ksyoNHix+yyktXb + onlqnz8+etzNrQ0Sd/TGESJ34P3C89cziKimybR4qVCwAblbXlEXxA== -----END AGE ENCRYPTED FILE----- - recipient: age1cxt8kwqzx35yuldazcc49q88qvgy9ajkz30xu0h37uw3ts97jagqgmn2ga enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2TkFQRzZXN1FEUkVRZ29k - Njd6ZXFpM0Yrd1ZWelF4aXFwQkp0NExyR0FRCkl5enNLOWpjVkRkSis3R1pNMXEz - V0NIaC9jZXZMbURMY1RqZi8wQ084UWMKLS0tIG9rN2JOSGY5Z0xtUE45c1hSbmEz - UWg1ZmFIMlk4STlMdzBOd1dLOW9ZY2sK8BYqBM/0YZ6fjgQAqSCYM9Cnh2IqP4QD - NQDBErJf0AQ8qU+CXjBSxTLBBJPnibdBJPCcOfnym16gFgMuHsqMdg== + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsS3NWSDg3Zk53b0QveU9R + aGt0SnJDMEZubkYxNHlLRys0a1VZL1loTjEwCnhHeC83aUZlQ2N2QUVEQ1phb1FN + RmF3ZDNHaktFM0JwekVneSsxU3c0VG8KLS0tIDFWdW80K05ueHFTZjhUV0w5dEdi + bTJuUFNZRk96Um9XNnBWdCtZaHdIR1EKc7ZwNnPFLV2zGmzBZCazZaCrNDorCe/5 + T8hXNHNL+mXt4h6yKEc5zxRLIaBNAJTya9Bqy5TIkrDYRSAa5iRwjQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age1gsljenjwwre47rh92t70j2h4fd2w25s44yknx6dtm8u7aa8syurq9s38ka + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOalRFUzIyVnVGZTQ3bi9m + OTE0b1pkTTByMDRPaHJRd1h3ZFFDT3B1VkVjClhHWU9OdWJaRzFkWnViYlRNMllV + KzVJL3hOOW10YUdXU1NRT0xkcnYxaVUKLS0tIFhkVWd2RnYveHcyd2VGUis0alVZ + RWFMcWNOS1BBZ3d1bXRXWFptb3Y5bmMKosQYnYNQWkPTeYMsVyAk6bIv9fyCkSVb + gpqDL5ZHE0fzQWuJyhdnwRz53y1ickNYJ7zNhENz8L9pOLAmR//uAA== -----END AGE ENCRYPTED FILE----- lastmodified: "2025-02-11T21:18:22Z" mac: ENC[AES256_GCM,data:5//boMp1awc/2XAkSASSCuobpkxa0E6IKf3GR8xHpMoCD30FJsCwV7PgX3fR8OuLEhOJ7UguqMNQdNqG37RMacreuDmI1J8oCFKp+3M2j4kCbXaEo8bw7WAtyjUez+SAXKzZWYmBibH0KOy6jdt+v0fdgy5hMBT4IFDofYRsyD0=,iv:6pD+SLwncpmal/FR4U8It2njvaQfUzzpALBCxa0NyME=,tag:4QN8ZFjdqck5ZgulF+FtbA==,type:str] diff --git a/services/authelia/default.nix b/services/authelia/default.nix new file mode 100644 index 0000000..41a90ef --- /dev/null +++ b/services/authelia/default.nix @@ -0,0 +1,24 @@ +{ ... }: +{ + authelia.instances."auth" = { + enable = true; + settings = { + authentication_backend = { + ldap = { + address = "ldap://127.0.0.1:389"; + implementation = "lldap"; + timeout = "5s"; + base_dn = "dc=home,dc=2rjus,dc=net"; + attributes = { + distinguished_name = "distinguishedName"; + username = "user_id"; + display_name = "displayName"; + mail = "mail"; + member_of = "memberOf"; + group_name = "cn"; + }; + }; + }; + }; + }; +} diff --git a/services/http-proxy/proxy.nix b/services/http-proxy/proxy.nix index f3614c4..e278fbd 100644 --- a/services/http-proxy/proxy.nix +++ b/services/http-proxy/proxy.nix 
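Review bot: `authelia.instances."auth"` is missing the `services.` prefix; the NixOS option is `services.authelia.instances.<name>`, so this module fails evaluation as an undefined option the moment something imports it. Nothing in this commit imports it (`hosts/auth01/default.nix` pulls in only `../../services/lldap`), which is why the error goes unnoticed even though the zone file already adds `auth IN CNAME http-proxy` for it. Before wiring it in, two things to fix: `address = "ldap://127.0.0.1:389"` does not match lldap's default LDAP port of 3890, which the lldap module in this commit does not override, and the backend has no bind `user` (and password) configured, while the NixOS module also expects the instance secrets, e.g. `secrets.jwtSecretFile` and `secrets.storageEncryptionKeyFile`, plus storage, session and notifier settings. With `implementation = "lldap"` the explicit `attributes` block mostly restates Authelia's preset for lldap; if it is kept, confirm that `username = "user_id"` is the attribute lldap exposes rather than `uid`.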
@@ -82,6 +82,14 @@
 }
 reverse_proxy http://jelly01.home.2rjus.net:8096
 }
+ lldap.home.2rjus.net {
+ log {
+ output file /var/log/caddy/auth.log {
+ mode 644
+ }
+ }
+ reverse_proxy http://auth01.home.2rjus.net:17170
+ }
 http://http-proxy.home.2rjus.net/metrics {
 log {
 output file /var/log/caddy/caddy-metrics.log {
diff --git a/services/lldap/default.nix b/services/lldap/default.nix
new file mode 100644
index 0000000..750e054
--- /dev/null
+++ b/services/lldap/default.nix
@@ -0,0 +1,28 @@
+{ ... }:
+{
+ services.lldap = {
+ enable = true;
+ settings = {
+ ldap_base_dn = "dc=home,dc=2rjus,dc=net";
+ ldap_user_email = "admin@home.2rjus.net";
+ ldap_user_dn = "admin";
+ ldaps_options = {
+ enabled = true;
+ port = 6360;
+ cert_file = "/var/lib/acme/auth01.home.2rjus.net/cert.pem";
+ key_file = "/var/lib/acme/auth01.home.2rjus.net/key.pem";
+ };
+ };
+ };
+ systemd.services.lldap = {
+ serviceConfig = {
+ SupplementaryGroups = [ "acme" ];
+ };
+ };
+ security.acme.certs."auth01.home.2rjus.net" = {
+ listenHTTP = ":80";
+ reloadServices = [ "lldap" ];
+ extraDomainNames = [ "ldap.home.2rjus.net" ];
+ enableDebugLogs = true;
+ };
+}
diff --git a/services/ns/zones-home-2rjus-net.conf b/services/ns/zones-home-2rjus-net.conf
index 401d64c..04e6f6a 100644
--- a/services/ns/zones-home-2rjus-net.conf
+++ b/services/ns/zones-home-2rjus-net.conf
@@ -1,7 +1,7 @@
 $ORIGIN home.2rjus.net.
 $TTL 1800
 @ IN SOA ns1.home.2rjus.net. admin.test.2rjus.net. (
- 2053 ; serial number
+ 2060 ; serial number
 3600 ; refresh
 900 ; retry
 1209600 ; expire
@@ -61,6 +61,7 @@ nix-cache01 IN A 10.69.13.15 nix-cache IN CNAME nix-cache01 pgdb1 IN A 10.69.13.16 nats1 IN A 10.69.13.17 +auth01 IN A 10.69.13.18 ; http-proxy cnames nzbget IN CNAME http-proxy
@@ -72,6 +73,11 @@ grafana IN CNAME http-proxy
 prometheus IN CNAME http-proxy
 alertmanager IN CNAME http-proxy
 jelly IN CNAME http-proxy
+auth IN CNAME http-proxy
+lldap IN CNAME http-proxy
+
+ldap IN CNAME auth01
+
 ; 22_WLAN
 unifi-ctrl IN A 10.69.22.5
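Review bot: `reverse_proxy http://auth01.home.2rjus.net:17170` carries lldap admin logins in cleartext between the proxy and auth01, and because `hosts/auth01/configuration.nix` in this commit disables the firewall, the same port is reachable directly, bypassing the proxy's TLS altogether; either a comment recording that this is accepted on the management network, or a rule on auth01 limiting 17170 to the proxy host, should accompany the new site. The log path `/var/log/caddy/auth.log` reads as the log for the `auth` name this commit also adds in DNS (`auth IN CNAME http-proxy`), for which no site block exists yet; `output file /var/log/caddy/lldap.log {` keeps the file named after the vhost it serves and leaves `auth.log` for the Authelia site when it lands. `mode 644` makes the access log world-readable, which mirrors the existing blocks, so it is fine as long as that is a conscious choice.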
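Review bot: Nothing in this module, or elsewhere in the commit, sets the lldap admin password or the JWT signing secret, so unless they arrive through a path not visible here the service starts with lldap's built-in defaults; both are publicly known, and with the web UI published through Caddy that hands the whole directory to anyone who reaches `lldap.home.2rjus.net`. The usual fix is `services.lldap.environmentFile = config.sops.secrets.<lldap-env-secret>.path;` (taking `config` from the module arguments) with `LLDAP_LDAP_USER_PASS_FILE` and `LLDAP_JWT_SECRET_FILE` in that file, which would also give the auth01 recipient added to `.sops.yaml` something to decrypt. Two smaller points: `enableDebugLogs = true;` on the ACME cert looks like a leftover from bringing it up, and `ldap_port` is not set, so lldap's default of 3890 applies, which disagrees with the `ldap://127.0.0.1:389` address in `services/authelia/default.nix`.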
diff --git a/system/acme.nix b/system/acme.nix
new file mode 100644
index 0000000..4466c9e
--- /dev/null
+++ b/system/acme.nix
@@ -0,0 +1,11 @@
+{ ... }:
+{
+ security.acme = {
+ acceptTerms = true;
+ defaults = {
+ server = "https://ca.home.2rjus.net/acme/acme/directory";
+ email = "root@home.2rjus.net";
+ dnsPropagationCheck = false;
+ };
+ };
+}
diff --git a/system/default.nix b/system/default.nix
index 5fe0f51..093202e 100644
--- a/system/default.nix
+++ b/system/default.nix
@@ -1,6 +1,7 @@
 { ... }:
 {
 imports = [
+ ./acme.nix
 ./autoupgrade.nix
 ./monitoring
 ./packages.nix
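Review bot: The ACME client has no visible trust anchor for the private CA behind `server = "https://ca.home.2rjus.net/acme/acme/directory"`; unless that CA's root is already installed through `security.pki.certificateFiles` (or similar) in a module outside this diff, certificate requests will fail TLS verification against the directory URL, and a comment on that line naming where the trust comes from would save the next person a round of debugging. `dnsPropagationCheck = false;` only affects DNS-01, whereas the one certificate in this commit uses `listenHTTP` (HTTP-01), so either drop it or add `# for DNS-01 certs against the internal CA, whose zone has no public resolvers to poll` to explain why it is set fleet-wide. Because `system/default.nix` now imports this file on every host, `acceptTerms = true;` is also accepted fleet-wide, which is fine for an internal CA but worth stating in the same comment.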