darkkirb/nixos-config
1
0
Fork 0
Code Issues 1 Pull requests 3 Projects Releases Packages Wiki Activity Actions

Merge pull request #146 from DarkKirb/auth-chir-rs

Browse source 
Add auth.chir.rs
This commit is contained in:
Charlotte 🦝 Delenk 2023-01-13 21:39:18 +01:00 committed by GitHub
commit a6191c82b6
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 245 additions and 6 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
config/instance-20221213-1915.nix
View file

@ -15,6 +15,7 @@
./wireguard/public-server.nix
./services/named-submissive.nix
./services/shitalloverme.nix
./services/chir.rs
];
boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"];

1
config/nixos-8gb-fsn1-1.nix
View file

@ -31,6 +31,7 @@
./services/rspamd.nix
./wireguard/public-server.nix
./services/shitalloverme.nix
./services/chir.rs
];
boot.initrd.availableKernelModules = ["ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod"];

67
config/services/chir.rs/auth.nix Normal file
View file

@ -0,0 +1,67 @@
{
pkgs,
system,
chir-rs,
config,
...
}: let
d = "$";
dhallConfig = ''
let password = ${config.sops.secrets."services/chir-rs/auth/password".path} as Text
let BaseConfig =
{ Type =
{ database_url : Text
, listen_addr : Text
, redis_url : Text
}
, default.listen_addr = "[::1]:5621"
}
in BaseConfig::{
, database_url = "postgres://auth_chir_rs:${d}{password}@nixos-8gb-fsn1-1.int.chir.rs",
, listen_addr = "[::1]:7954"
, redis_url = "redis://localhost:53538/0"
}
'';
in {
systemd.services.auth-chir-rs = {
description = "auth.chir.rs";
after = ["network.target"];
wantedBy = ["multi-user.target"];
script = ''
export CONFIG_FILE=${pkgs.writeText "config.dhall" dhallConfig}
exec ${chir-rs.packages.${system}.chir-rs-auth}/bin/chir-rs-auth
'';
serviceConfig = {
Type = "simple";
User = "auth-chir-rs";
Group = "auth-chir-rs";
Restart = "always";
};
};
sops.secrets."services/chir-rs/auth/password".owner = "auth-chir-rs";
users.users.auth-chir-rs = {
description = "auth.chir.rs";
home = "/var/empty";
useDefaultShell = true;
group = "auth-chir-rs";
isSystemUser = true;
};
users.groups.auth-chir-rs = {};
services.postgresql.ensureDatabases = [
"auth_chir_rs"
];
services.postgresql.ensureUsers = [
{
name = "auth_chir_rs";
ensurePermissions = {
"DATABASE auth_chir_rs" = "ALL PRIVILEGES";
};
}
];
services.redis.servers."auth_chir_rs" = {
enable = true;
port = 53538;
save = [];
};
}

5
config/services/chir.rs/default.nix Normal file
View file

@ -0,0 +1,5 @@
{
imports = [
./auth.nix
];
}

123
flake.lock
View file

@ -1,5 +1,32 @@
{
"nodes": {
"cargo2nix": {
"inputs": {
"flake-compat": "flake-compat",
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": [
"rust-overlay"
]
},
"locked": {
"lastModified": 1655189312,
"narHash": "sha256-gpJ57OgIebUpO+7F00VltxSEy6dz2x6HeJ5BcRM8rDA=",
"owner": "cargo2nix",
"repo": "cargo2nix",
"rev": "c149357cc3d17f2849c73eb7a09d07a307cdcfe8",
"type": "github"
},
"original": {
"owner": "cargo2nix",
"repo": "cargo2nix",
"type": "github"
}
},
"check-flake": {
"locked": {
"lastModified": 1662502605,
@ -15,6 +42,33 @@
"type": "github"
}
},
"chir-rs": {
"inputs": {
"cargo2nix": [
"cargo2nix"
],
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
],
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1673620617,
"narHash": "sha256-O52S5V1/T2DYeVS3+oWohpX45p1Cosd2azXkigZ9jP8=",
"owner": "DarkKirb",
"repo": "chir.rs",
"rev": "f921629e7dc7299788a3f99943e069ffa545e529",
"type": "github"
},
"original": {
"owner": "DarkKirb",
"repo": "chir.rs",
"type": "github"
}
},
"dns": {
"inputs": {
"flake-utils": [
@ -93,6 +147,22 @@
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1650374568,
"narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "b4a34015c698c7793d592d66adbab377907a2be8",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1668681692,
@ -503,7 +573,7 @@
},
"prismmc": {
"inputs": {
"flake-compat": "flake-compat",
"flake-compat": "flake-compat_2",
"libnbtplusplus": "libnbtplusplus",
"nixpkgs": [
"nixpkgs"
@ -525,6 +595,8 @@
},
"root": {
"inputs": {
"cargo2nix": "cargo2nix",
"chir-rs": "chir-rs",
"dns": "dns",
"ema": "ema",
"emanote": "emanote",
@ -540,10 +612,59 @@
"nixpkgs-noto-variable": "nixpkgs-noto-variable",
"nur": "nur",
"prismmc": "prismmc",
"rust-overlay": "rust-overlay_2",
"sops-nix": "sops-nix",
"tomlplusplus": "tomlplusplus"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"chir-rs",
"flake-utils"
],
"nixpkgs": [
"chir-rs",
"nixpkgs"
]
},
"locked": {
"lastModified": 1673404037,
"narHash": "sha256-9yhRzFiqzVQaJN5jsAIwApDolkORRQ3EJi7D4yu58ig=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "a979c85ed4691bf996af88504522b32e9611ccfe",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"rust-overlay_2": {
"inputs": {
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1673576998,
"narHash": "sha256-I6vYVejEWTao+Ze/F6VFSTFxu6/X2OPT3Eu4AM/zzec=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "ca474ccdd5f81ed742328e15dae38bb57a1006e3",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"sops-nix": {
"inputs": {
"nixpkgs": [

17
flake.nix
View file

@ -4,6 +4,18 @@ rec {
# Use NixOS unstable
inputs = {
# Sorted by name
cargo2nix = {
url = "github:cargo2nix/cargo2nix";
inputs.flake-utils.follows = "flake-utils";
inputs.nixpkgs.follows = "nixpkgs";
inputs.rust-overlay.follows = "rust-overlay";
};
chir-rs = {
url = "github:DarkKirb/chir.rs";
inputs.cargo2nix.follows = "cargo2nix";
inputs.flake-utils.follows = "flake-utils";
inputs.nixpkgs.follows = "nixpkgs";
};
dns = {
url = "github:DarkKirb/dns.nix";
inputs.flake-utils.follows = "flake-utils";
@ -49,6 +61,11 @@ rec {
url = "github:PrismLauncher/PrismLauncher";
inputs.nixpkgs.follows = "nixpkgs";
};
rust-overlay = {
url = "github:oxalica/rust-overlay";
inputs.flake-utils.follows = "flake-utils";
inputs.nixpkgs.follows = "nixpkgs";
};
sops-nix = {
url = "github:Mic92/sops-nix";
inputs.nixpkgs.follows = "nixpkgs";

7
secrets/instance-20221213-1915.yaml
View file

@ -12,6 +12,9 @@ services:
cache-key: ENC[AES256_GCM,data:e9dQNADhH+8l1hTj+CdVu0gow/LmqrQf0HWiTTlFdY81t/8zWkdHdi0Rat5AKUS6x/oBCfTskIKcoRo0Jc0MYJhmOHtDLXlT+I91bSuxVzb9d+TwmhZ/Zce1yP1OXic+/A==,iv:DZ4yCi4YjsAulDyXl3CDCTXB21p2jZIYuDhHORpTE94=,tag:zXcgyBYgFv229seRDLGzsg==,type:str]
ssh:
host-key: ENC[AES256_GCM,data:oiy1thPKRVgH0XltFQCKwGMdLZde8zp1Ag1dL/el/2jXp1be1Evtr+kkZv56nhlaJ6KpYi5VsfrfpFVnKUkcYGUMmqVf2lFDu2fPcWB+PW7nol9K+sVRhHgTPP1wz385o5bof4OnbMF9sUbV0PT/pd4yAvluKq9s2vBBb2GEZ+HDBwkurmgVrFqUb66AvCdncXTpK47qpWZQMDTMGKqv5d1hJOoCCIulX3iJ4ko2xDD7qRlFtcdLNFLw3q4R6eP+L0OqoQs8dnjpIQOLVItzHTHTTcQRVoFvD7OMYSyU5RIIxTIOoS9tWzQu/QpHpO4cgjQ/GX09uj+a6/Cy8Itavd88YeSoYEPGwBYEciYLakFpNQ8aFl0yEsEMdZbfHgOUAOlbv28Mv93+RFMs5HrdIup/lZr5PsCBSsrMVkwJNVQKTxbN34LCTGOeCkuzohAwmwEVB/Ysuh23WyFKcdkGWAwlnVvgaNT5/TsNTCCI8Hf6fJecD4imWrJAtlXG7o+mnE+f0LlixxsnMgSnlkX4,iv:mnW23zPiSDoluMjQJEUFHDkVO6IT/4+RgAlaKuie3Qw=,tag:F+KOH/MkjrF1wYCR9OzFkQ==,type:str]
chir-rs:
auth:
password: ENC[AES256_GCM,data:9tJQIoCgquUkX+FeAT0+1tfyIF9YdNT26AOyd7hiS8BgLSa8WdG+v3H0zMt48ETc8duCMTDKII0sJTtgYxtaKQ==,iv:ZukeYF4yTf7fkrkTpbUsuNkpMOgjMDGbYtUcbvfu50g=,tag:HutgW+KyEVoePVZIO+uExg==,type:str]
email:
lotte@chir.rs: ENC[AES256_GCM,data:YrJ/+VG6/ZSu8g+PQxYUqwd1RQ==,iv:IeFhCrMQ1+4KvenylyizbwmCvsCPGvTiZAw5VyZb3Zs=,tag:xoK+aBykGV2bLqHles1LMQ==,type:str]
mdelenk@hs-mittweida.de: ENC[AES256_GCM,data:l57AwqL90zV2BIn04ZhhEB3TE0WAFNJ7Bci1ljHgYvki0mZ5TrLP4PYZ681uKdzN7xlFsDjhCQN0C+iuz3Aj0g==,iv:qXNQq+03KFTazggckGRqHbnuOHo2enmQKCSzAw6mqsY=,tag:HE+tenPWwB8FIilV2r1wRQ==,type:str]
@ -36,8 +39,8 @@ sops:
bVJUcDZLWTk3MiszOWp4enRRQmNsajQKF8QJs/Wb0SqnvsQEkRKlS1Ms9xLIdyvZ
QCFAPclaOfaTLTiRJWXjDneBkMBduYKkRPiXCR+Bn7i4z8ixLXFmWw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-14T15:34:13Z"
mac: ENC[AES256_GCM,data:9DHLfOjTVKWbsWiUDr7pu5pyh6dzoExcgjRsAd2HMtdu+R/Y04Zy5dbCJpFu4mvyRD9GJ5aI4hufYRLvFsTuO9k8aWNUbqb1IYnX+D6zzLlecCHxEJ6zhm0PhjkcuN0XxFhBQb/aCUaisP891PqHM8ZbXblIaCdl4FFX/me3Cls=,iv:MnMInA14AxnCPjLYvksSdZVfpvcIjpbLSQRMbzSYr2M=,tag:eQsCwg6S60FpZ4bxaBMiJg==,type:str]
lastmodified: "2023-01-13T19:15:53Z"
mac: ENC[AES256_GCM,data:oZpSCWI29zEQAKe/PkeTVi8zZZwCDMoWQNXqTWP5Azyqze9/NHT/OmRhq6GtBl7X0y3P78x1Zu/3SziB935STCX0HhDN8JqJvo9vlkJ71gwBhn7pzhJwiByISlAN9WQCCJaNTrvr4QmNOAPHuJUqMhPwc5C5LUBaOvwdwwTXei0=,iv:Lo5NBanWkv0A3UC1C+iaNBMl/XsbPW8MIRc9RqPBWUQ=,tag:yA45fMs2x5MCuXspaL4MwA==,type:str]
pgp:
- created_at: "2022-12-14T15:34:13Z"
enc: |

7
secrets/nixos-8gb-fsn1-1.yaml
View file

@ -25,6 +25,9 @@ services:
secret-access-key: ENC[AES256_GCM,data:RhyAyU81pmOlD4hlGkOyutLPpUI/QsleJYmubCZJfA==,iv:8BCVnPkW+sa15Cp1eG+thvDb1U5EE+GsIzgNlsSsxMw=,tag:PXDPCEzG31r4u0eF7B258g==,type:str]
matrix-token: ENC[AES256_GCM,data:QVe1KC1QE74scI64JBdTbza+naVZmwyJ0TyipVvZfnAe6csR4Ri+,iv:aZvmairwtFti+DgEoTgFxRTKtrQPb4Ji5Kml9mLQU9o=,tag:INtQW3jXNdpf8Kgqs0vPPg==,type:str]
chir.rs: ENC[AES256_GCM,data:f8Jrf6ksi6nxTExzeos+U5KXQKreViD0iGoKAEbfA1872WfhgH3VSpx2WQVCW5lTKio4pQ9Mej17W451N6bIc1U2lbQszFn+4wjXrOS9VJnB8+JV+05UGzGXmHJD8u19GG3vyMllKJLwKSsceWux7AAm9duBXoRSgEElA7sTWhGBjXXW+/yCRDKQcNdNvPpH6zHzXcApFmI7ECQKMF/Cq8Txl6yQkWIX/n3v/U8JNSzNzwllVSgx2JU7FDorqS7lrkYaz6lXuPZeiiISIIRShwYoW20uqvQvUQ1bQmDbJPsV4FXu1SynUNbHA7WbsR/Qh2bBAZozgxCy3NvfYfPkb2XANOBemFU+uRbrYMmoaucZnYBJijlc9FGfFsq10vT3BynPjCRLcZWtLTx52k83SP4NiLxkNkPPYERxwcT74IuhkyMOQdZe+EASASRWY0VVCKkGLX/v2dO/jf6gumxQ0xn5ehqGhlqq5wR8cA==,iv:S+mUPpwg1C7FW6or+7Y3fG4UjtWePYdH9N9apJ9TvHw=,tag:EH9Dix+g5tguZFDe/bfmYg==,type:str]
chir-rs:
auth:
password: ENC[AES256_GCM,data:7T4iu5rqkp8r6lxmSW1vj82uqwsASAu12CHuRqX/ee1xbrZfeUmHPJc4jRo8EKRR11RhSSEw2gcqksrGdwRltQ==,iv:kzBujm7LgzoXGiDPbDqz62ura+t2OjcrYf2vIvq2Q5M=,tag:uuh9N8O5UGMpu/ZO5C2esw==,type:str]
hydra:
gitea_token: ENC[AES256_GCM,data:8OOn7dlMaBTLNpRB9K2M+Cg4ZB9V2qFXdm7c0/2F/5CdOGfKF63a8Q==,iv:htbnKmNuaHlUw0E2PYRy3en00fni5hmwbkhDcQJRfE4=,tag:MpVnRX6HBxORghcsbEShNw==,type:str]
gitea: ENC[AES256_GCM,data:i+reN0mYGY2iMQ06atN/i6YzAg==,iv:HT1H9/UIBweErA5+YFq7aprPjPB2d0gNbt/3MKayuHI=,tag:vDGL31LBw+9sU7UHE9GYKw==,type:str]
@ -90,8 +93,8 @@ sops:
N1lNTTRhSDFsczd4VjNudUU2NEt4MUEKdVJIJmaoGcwUHa0BGB45jqYnm9aPVZxP
dl1vkMx8EAiKhWKbBwQm5fFZcNh371rspGE7KOXmwNbNWef5bVfHpQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-12-24T13:05:17Z"
mac: ENC[AES256_GCM,data:zyDRuZOCgWQ/gAAhCpMxsSv85pUpcJryCSwtqhRWiGadvd4ZJv95t9nnChe08P0t3E9wZ+i9YeShTvycR2lye+J/mhJKl37iJhSHIBWqWMW16bj4elDsy7LJm/dzIb2s7yJgnV3Sm6aqT3hCStUtoFH23NQWxfXnVWQnGIbr7SM=,iv:TYrjVDWisStsllhH47FwWoDttV31JNgR3gOtIMolJaI=,tag:9s/5ncDtIXNVd2qyUAcm3Q==,type:str]
lastmodified: "2023-01-13T19:16:14Z"
mac: ENC[AES256_GCM,data:syVA2n+ph+gtMcs/LS9zSfrUdXF6ccBz/cN4ERBt1TpIgrU762Z9Uuidh+vwY422OBNikz6UHV5T7R5pOZkh8VBhMj0WXR1pnrOGtOldamOQAfduuMUtwt75XY1rasT2Ye+Aju5WVCv+HuRg+wBY9O0+V6KyzIlL9/j9vTnPSYo=,iv:jgo2XOk2f/MHgeFkMNZ2TvT29Q0AA+aDNGZv2wHUxZM=,tag:1EkuDg6VbI47aSt6QCrymQ==,type:str]
pgp:
- created_at: "2022-02-02T17:50:42Z"
enc: |

23
zones/chir.rs.nix
View file

@ -120,11 +120,31 @@ with dns.lib.combinators; let
];
};
createZone = merge zoneBase;
createFullZone = merge (createZone {
A = [
(ttl zoneTTL (a "130.162.60.127"))
(ttl zoneTTL (a "138.201.155.128"))
];
AAAA = [
(ttl zoneTTL (aaaa "2603:c020:8009:f100:f09a:894d:ef57:a278"))
(ttl zoneTTL (aaaa "2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49"))
];
HTTPS = [
{
svcPriority = 1;
targetName = ".";
alpn = ["http/1.1" "h2" "h3"];
ipv4hint = ["138.201.155.128" "130.162.60.127"];
ipv6hint = ["2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49" "2603:c020:8009:f100:f09a:894d:ef57:a278"];
ttl = zoneTTL;
}
];
});
zone = createZone {
SOA = {
nameServer = "ns1.chir.rs.";
adminEmail = "lotte@chir.rs";
serial = 24;
serial = 25;
};
NS = [
"ns1.chir.rs."
@ -222,6 +242,7 @@ with dns.lib.combinators; let
];
peertube = createZone {};
mediaproxy.CNAME = ["mediaproxy-chir-rs.b-cdn.net."];
auth = createFullZone {};
int =
delegateTo [