From dfb2138a2dddfa7bd0d17eba894c4ff1ee75a98f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Charlotte=20=F0=9F=A6=9D=20Delenk?=
Date: Fri, 13 Jan 2023 20:20:47 +0100
Subject: [PATCH] Add auth.chir.rs

---
 config/instance-20221213-1915.nix | 1 +
 config/nixos-8gb-fsn1-1.nix | 1 +
 config/services/chir.rs/auth.nix | 67 +++++++++++++++
 config/services/chir.rs/default.nix | 5 ++
 flake.lock | 123 +++++++++++++++++++++++++++-
 flake.nix | 17 ++++
 secrets/instance-20221213-1915.yaml | 7 +-
 secrets/nixos-8gb-fsn1-1.yaml | 7 +-
 zones/chir.rs.nix | 23 +++++-
 9 files changed, 245 insertions(+), 6 deletions(-)
 create mode 100644 config/services/chir.rs/auth.nix
 create mode 100644 config/services/chir.rs/default.nix

diff --git a/config/instance-20221213-1915.nix b/config/instance-20221213-1915.nix
index 91e5bed5..828aa5a3 100644
--- a/config/instance-20221213-1915.nix
+++ b/config/instance-20221213-1915.nix
@@ -15,6 +15,7 @@
 ./wireguard/public-server.nix
 ./services/named-submissive.nix
 ./services/shitalloverme.nix
+ ./services/chir.rs
 ];
 
 boot.initrd.availableKernelModules = ["xhci_pci" "virtio_pci" "usbhid"];
diff --git a/config/nixos-8gb-fsn1-1.nix b/config/nixos-8gb-fsn1-1.nix
index 07c0bbc0..9ff1e2ed 100644
--- a/config/nixos-8gb-fsn1-1.nix
+++ b/config/nixos-8gb-fsn1-1.nix
@@ -31,6 +31,7 @@
 ./services/rspamd.nix
 ./wireguard/public-server.nix
 ./services/shitalloverme.nix
+ ./services/chir.rs
 ];
 
 boot.initrd.availableKernelModules = ["ata_piix" "virtio_pci" "virtio_scsi" "xhci_pci" "sd_mod" "sr_mod"];
diff --git a/config/services/chir.rs/auth.nix b/config/services/chir.rs/auth.nix
new file mode 100644
index 00000000..9a6b8617
--- /dev/null
+++ b/config/services/chir.rs/auth.nix
@@ -0,0 +1,67 @@
+{
+ pkgs,
+ system,
+ chir-rs,
+ config,
+ ...
+}: let
+ d = "$";
+ dhallConfig = ''
+ let password = ${config.sops.secrets."services/chir-rs/auth/password".path} as Text
+ let BaseConfig =
+ { Type =
+ { database_url : Text
+ , listen_addr : Text
+ , redis_url : Text
+ }
+ , default.listen_addr = "[::1]:5621"
+ }
+
+ in BaseConfig::{
+ , database_url = "postgres://auth_chir_rs:${d}{password}@nixos-8gb-fsn1-1.int.chir.rs",
+ , listen_addr = "[::1]:7954"
+ , redis_url = "redis://localhost:53538/0"
+ }
+ '';
+in {
+ systemd.services.auth-chir-rs = {
+ description = "auth.chir.rs";
+ after = ["network.target"];
+ wantedBy = ["multi-user.target"];
+ script = ''
+ export CONFIG_FILE=${pkgs.writeText "config.dhall" dhallConfig}
+ exec ${chir-rs.packages.${system}.chir-rs-auth}/bin/chir-rs-auth
+ '';
+ serviceConfig = {
+ Type = "simple";
+ User = "auth-chir-rs";
+ Group = "auth-chir-rs";
+ Restart = "always";
+ };
+ };
+ sops.secrets."services/chir-rs/auth/password".owner = "auth-chir-rs";
+ users.users.auth-chir-rs = {
+ description = "auth.chir.rs";
+ home = "/var/empty";
+ useDefaultShell = true;
+ group = "auth-chir-rs";
+ isSystemUser = true;
+ };
+ users.groups.auth-chir-rs = {};
+ services.postgresql.ensureDatabases = [
+ "auth_chir_rs"
+ ];
+ services.postgresql.ensureUsers = [
+ {
+ name = "auth_chir_rs";
+ ensurePermissions = {
+ "DATABASE auth_chir_rs" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+ services.redis.servers."auth_chir_rs" = {
+ enable = true;
+ port = 53538;
+ save = [];
+ };
+}
diff --git a/config/services/chir.rs/default.nix b/config/services/chir.rs/default.nix
new file mode 100644
index 00000000..12f5c325
--- /dev/null
+++ b/config/services/chir.rs/default.nix
@@ -0,0 +1,5 @@
+{
+ imports = [
+ ./auth.nix
+ ];
+}
diff --git a/flake.lock b/flake.lock
index 86ccaf24..da2a7174 100644
--- a/flake.lock
+++ b/flake.lock
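Review bot: `serviceConfig` for `systemd.services.auth-chir-rs` sets only `Type`, `User`, `Group` and `Restart`, so the daemon that the zone change publishes as `auth.chir.rs` (presumably reached through a reverse proxy, since it listens on `[::1]:7954`) runs with the full capability bounding set, a writable view of the whole filesystem and unrestricted syscalls and address families; a hardened block is sketched below. The Dhall config splices the raw secret into `database_url` via `${d}{password}` with no percent-encoding, so a `@`, `/`, `:`, `#` or `%` in the password, or a trailing newline in the file sops writes, breaks the URL, and no `sslmode` is set, so unless `nixos-8gb-fsn1-1.int.chir.rs` is only reachable over the WireGuard tunnel the credential crosses the network in clear. `ensureUsers` creates the `auth_chir_rs` role but never assigns it a password, so the secret has to be applied to the role out of band, and because this module is imported on both hosts while the URL hardcodes one of them, the other host gets an `ensureDatabases`/`ensureUsers`/redis instance that nothing in this change uses. `after = ["network.target"]` does not order the unit behind `postgresql.service` or `redis-auth_chir_rs.service` on the host that runs them, and `Restart = "always"` turns that into a crash loop at boot; `after = ["network-online.target" "postgresql.service" "redis-auth_chir_rs.service"]; wants = ["network-online.target"];` is the usual shape. The `,` after the `database_url` string directly followed by `, listen_addr` looks like a doubled separator and is worth confirming against the Dhall parser before deploying.
```nix
    serviceConfig = {
      # … unchanged: Type, User, Group, Restart …
      # Least privilege for a network daemon that only needs its store config,
      # the sops secret and outbound TCP to postgres/redis.
      NoNewPrivileges = true;
      CapabilityBoundingSet = "";
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectSystem = "strict";
      ProtectHome = true;
      ProtectKernelTunables = true;
      ProtectKernelModules = true;
      ProtectControlGroups = true;
      RestrictAddressFamilies = ["AF_INET" "AF_INET6" "AF_UNIX"];
      RestrictNamespaces = true;
      LockPersonality = true;
      SystemCallArchitectures = "native";
      SystemCallFilter = ["@system-service" "~@privileged @resources"];
    };
```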
@@ -1,5 +1,32 @@
 {
 "nodes": {
+ "cargo2nix": {
+ "inputs": {
+ "flake-compat": "flake-compat",
+ "flake-utils": [
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "rust-overlay": [
+ "rust-overlay"
+ ]
+ },
+ "locked": {
+ "lastModified": 1655189312,
+ "narHash": "sha256-gpJ57OgIebUpO+7F00VltxSEy6dz2x6HeJ5BcRM8rDA=",
+ "owner": "cargo2nix",
+ "repo": "cargo2nix",
+ "rev": "c149357cc3d17f2849c73eb7a09d07a307cdcfe8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cargo2nix",
+ "repo": "cargo2nix",
+ "type": "github"
+ }
+ },
 "check-flake": {
 "locked": {
 "lastModified": 1662502605,
@@ -15,6 +42,33 @@
 "type": "github"
 }
 },
+ "chir-rs": {
+ "inputs": {
+ "cargo2nix": [
+ "cargo2nix"
+ ],
+ "flake-utils": [
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ],
+ "rust-overlay": "rust-overlay"
+ },
+ "locked": {
+ "lastModified": 1673620617,
+ "narHash": "sha256-O52S5V1/T2DYeVS3+oWohpX45p1Cosd2azXkigZ9jP8=",
+ "owner": "DarkKirb",
+ "repo": "chir.rs",
+ "rev": "f921629e7dc7299788a3f99943e069ffa545e529",
+ "type": "github"
+ },
+ "original": {
+ "owner": "DarkKirb",
+ "repo": "chir.rs",
+ "type": "github"
+ }
+ },
 "dns": {
 "inputs": {
 "flake-utils": [
@@ -93,6 +147,22 @@
 }
 },
 "flake-compat": {
+ "flake": false,
+ "locked": {
+ "lastModified": 1650374568,
+ "narHash": "sha256-Z+s0J8/r907g149rllvwhb4pKi8Wam5ij0st8PwAh+E=",
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "rev": "b4a34015c698c7793d592d66adbab377907a2be8",
+ "type": "github"
+ },
+ "original": {
+ "owner": "edolstra",
+ "repo": "flake-compat",
+ "type": "github"
+ }
+ },
+ "flake-compat_2": {
 "flake": false,
 "locked": {
 "lastModified": 1668681692,
@@ -503,7 +573,7 @@
 },
 "prismmc": {
 "inputs": {
- "flake-compat": "flake-compat",
+ "flake-compat": "flake-compat_2",
 "libnbtplusplus": "libnbtplusplus",
 "nixpkgs": [
 "nixpkgs"
@@ -525,6 +595,8 @@
 },
 "root": {
 "inputs": {
+ "cargo2nix": "cargo2nix",
+ "chir-rs": "chir-rs",
 "dns": "dns",
 "ema": "ema",
 "emanote": "emanote",
@@ -540,10 +612,59 @@
 "nixpkgs-noto-variable": "nixpkgs-noto-variable",
 "nur": "nur",
 "prismmc": "prismmc",
+ "rust-overlay": "rust-overlay_2",
 "sops-nix": "sops-nix",
 "tomlplusplus": "tomlplusplus"
 }
 },
+ "rust-overlay": {
+ "inputs": {
+ "flake-utils": [
+ "chir-rs",
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "chir-rs",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1673404037,
+ "narHash": "sha256-9yhRzFiqzVQaJN5jsAIwApDolkORRQ3EJi7D4yu58ig=",
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "rev": "a979c85ed4691bf996af88504522b32e9611ccfe",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "type": "github"
+ }
+ },
+ "rust-overlay_2": {
+ "inputs": {
+ "flake-utils": [
+ "flake-utils"
+ ],
+ "nixpkgs": [
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1673576998,
+ "narHash": "sha256-I6vYVejEWTao+Ze/F6VFSTFxu6/X2OPT3Eu4AM/zzec=",
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "rev": "ca474ccdd5f81ed742328e15dae38bb57a1006e3",
+ "type": "github"
+ },
+ "original": {
+ "owner": "oxalica",
+ "repo": "rust-overlay",
+ "type": "github"
+ }
+ },
 "sops-nix": {
 "inputs": {
 "nixpkgs": [
diff --git a/flake.nix b/flake.nix
index c53f6742..c1059d19 100644
--- a/flake.nix
+++ b/flake.nix
@@ -4,6 +4,18 @@ rec {
 # Use NixOS unstable
 inputs = {
 # Sorted by name
+ cargo2nix = {
+ url = "github:cargo2nix/cargo2nix";
+ inputs.flake-utils.follows = "flake-utils";
+ inputs.nixpkgs.follows = "nixpkgs";
+ inputs.rust-overlay.follows = "rust-overlay";
+ };
+ chir-rs = {
+ url = "github:DarkKirb/chir.rs";
+ inputs.cargo2nix.follows = "cargo2nix";
+ inputs.flake-utils.follows = "flake-utils";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 dns = {
 url = "github:DarkKirb/dns.nix";
 inputs.flake-utils.follows = "flake-utils";
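Review bot: The new `chir-rs` input pins `cargo2nix`, `flake-utils` and `nixpkgs` to the root inputs but not `rust-overlay`, so the lock ends up with two copies (`rust-overlay` under `chir-rs` at one rev, `rust-overlay_2` at the root at another) and `cargo2nix` and `chir-rs` can resolve different toolchains; add `inputs.rust-overlay.follows = "rust-overlay";` to the `chir-rs` block to deduplicate. `url = "github:DarkKirb/chir.rs"` carries no ref, so although `flake.lock` fixes the rev and narHash today, a routine `nix flake update` will silently move the auth service to whatever the default branch then holds; a tagged ref, or reviewing that input's bumps separately, keeps the supply chain for an authentication component deliberate. The `inputs` attrset continues outside the hunk.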
@@ -49,6 +61,11 @@ rec {
 url = "github:PrismLauncher/PrismLauncher";
 inputs.nixpkgs.follows = "nixpkgs";
 };
+ rust-overlay = {
+ url = "github:oxalica/rust-overlay";
+ inputs.flake-utils.follows = "flake-utils";
+ inputs.nixpkgs.follows = "nixpkgs";
+ };
 sops-nix = {
 url = "github:Mic92/sops-nix";
 inputs.nixpkgs.follows = "nixpkgs";
diff --git a/secrets/instance-20221213-1915.yaml b/secrets/instance-20221213-1915.yaml
index 0b0499b6..79e88cf8 100644
--- a/secrets/instance-20221213-1915.yaml
+++ b/secrets/instance-20221213-1915.yaml
@@ -12,6 +12,9 @@ services:
 cache-key: ENC[AES256_GCM,data:e9dQNADhH+8l1hTj+CdVu0gow/LmqrQf0HWiTTlFdY81t/8zWkdHdi0Rat5AKUS6x/oBCfTskIKcoRo0Jc0MYJhmOHtDLXlT+I91bSuxVzb9d+TwmhZ/Zce1yP1OXic+/A==,iv:DZ4yCi4YjsAulDyXl3CDCTXB21p2jZIYuDhHORpTE94=,tag:zXcgyBYgFv229seRDLGzsg==,type:str]
 ssh:
 host-key: ENC[AES256_GCM,data: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,iv:mnW23zPiSDoluMjQJEUFHDkVO6IT/4+RgAlaKuie3Qw=,tag:F+KOH/MkjrF1wYCR9OzFkQ==,type:str]
+ chir-rs:
+ auth:
+ password: ENC[AES256_GCM,data:9tJQIoCgquUkX+FeAT0+1tfyIF9YdNT26AOyd7hiS8BgLSa8WdG+v3H0zMt48ETc8duCMTDKII0sJTtgYxtaKQ==,iv:ZukeYF4yTf7fkrkTpbUsuNkpMOgjMDGbYtUcbvfu50g=,tag:HutgW+KyEVoePVZIO+uExg==,type:str]
 email:
 lotte@chir.rs: ENC[AES256_GCM,data:YrJ/+VG6/ZSu8g+PQxYUqwd1RQ==,iv:IeFhCrMQ1+4KvenylyizbwmCvsCPGvTiZAw5VyZb3Zs=,tag:xoK+aBykGV2bLqHles1LMQ==,type:str]
 mdelenk@hs-mittweida.de: ENC[AES256_GCM,data:l57AwqL90zV2BIn04ZhhEB3TE0WAFNJ7Bci1ljHgYvki0mZ5TrLP4PYZ681uKdzN7xlFsDjhCQN0C+iuz3Aj0g==,iv:qXNQq+03KFTazggckGRqHbnuOHo2enmQKCSzAw6mqsY=,tag:HE+tenPWwB8FIilV2r1wRQ==,type:str]
@@ -36,8 +39,8 @@ sops:
 bVJUcDZLWTk3MiszOWp4enRRQmNsajQKF8QJs/Wb0SqnvsQEkRKlS1Ms9xLIdyvZ
 QCFAPclaOfaTLTiRJWXjDneBkMBduYKkRPiXCR+Bn7i4z8ixLXFmWw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-12-14T15:34:13Z"
- mac: ENC[AES256_GCM,data:9DHLfOjTVKWbsWiUDr7pu5pyh6dzoExcgjRsAd2HMtdu+R/Y04Zy5dbCJpFu4mvyRD9GJ5aI4hufYRLvFsTuO9k8aWNUbqb1IYnX+D6zzLlecCHxEJ6zhm0PhjkcuN0XxFhBQb/aCUaisP891PqHM8ZbXblIaCdl4FFX/me3Cls=,iv:MnMInA14AxnCPjLYvksSdZVfpvcIjpbLSQRMbzSYr2M=,tag:eQsCwg6S60FpZ4bxaBMiJg==,type:str]
+ lastmodified: "2023-01-13T19:15:53Z"
+ mac: ENC[AES256_GCM,data:oZpSCWI29zEQAKe/PkeTVi8zZZwCDMoWQNXqTWP5Azyqze9/NHT/OmRhq6GtBl7X0y3P78x1Zu/3SziB935STCX0HhDN8JqJvo9vlkJ71gwBhn7pzhJwiByISlAN9WQCCJaNTrvr4QmNOAPHuJUqMhPwc5C5LUBaOvwdwwTXei0=,iv:Lo5NBanWkv0A3UC1C+iaNBMl/XsbPW8MIRc9RqPBWUQ=,tag:yA45fMs2x5MCuXspaL4MwA==,type:str]
 pgp:
 - created_at: "2022-12-14T15:34:13Z"
 enc: |
diff --git a/secrets/nixos-8gb-fsn1-1.yaml b/secrets/nixos-8gb-fsn1-1.yaml
index aab4fef7..c272e2f1 100644
--- a/secrets/nixos-8gb-fsn1-1.yaml
+++ b/secrets/nixos-8gb-fsn1-1.yaml
@@ -25,6 +25,9 @@ services:
 secret-access-key: ENC[AES256_GCM,data:RhyAyU81pmOlD4hlGkOyutLPpUI/QsleJYmubCZJfA==,iv:8BCVnPkW+sa15Cp1eG+thvDb1U5EE+GsIzgNlsSsxMw=,tag:PXDPCEzG31r4u0eF7B258g==,type:str]
 matrix-token: ENC[AES256_GCM,data:QVe1KC1QE74scI64JBdTbza+naVZmwyJ0TyipVvZfnAe6csR4Ri+,iv:aZvmairwtFti+DgEoTgFxRTKtrQPb4Ji5Kml9mLQU9o=,tag:INtQW3jXNdpf8Kgqs0vPPg==,type:str]
 chir.rs: ENC[AES256_GCM,data:f8Jrf6ksi6nxTExzeos+U5KXQKreViD0iGoKAEbfA1872WfhgH3VSpx2WQVCW5lTKio4pQ9Mej17W451N6bIc1U2lbQszFn+4wjXrOS9VJnB8+JV+05UGzGXmHJD8u19GG3vyMllKJLwKSsceWux7AAm9duBXoRSgEElA7sTWhGBjXXW+/yCRDKQcNdNvPpH6zHzXcApFmI7ECQKMF/Cq8Txl6yQkWIX/n3v/U8JNSzNzwllVSgx2JU7FDorqS7lrkYaz6lXuPZeiiISIIRShwYoW20uqvQvUQ1bQmDbJPsV4FXu1SynUNbHA7WbsR/Qh2bBAZozgxCy3NvfYfPkb2XANOBemFU+uRbrYMmoaucZnYBJijlc9FGfFsq10vT3BynPjCRLcZWtLTx52k83SP4NiLxkNkPPYERxwcT74IuhkyMOQdZe+EASASRWY0VVCKkGLX/v2dO/jf6gumxQ0xn5ehqGhlqq5wR8cA==,iv:S+mUPpwg1C7FW6or+7Y3fG4UjtWePYdH9N9apJ9TvHw=,tag:EH9Dix+g5tguZFDe/bfmYg==,type:str]
+ chir-rs:
+ auth:
+ password: ENC[AES256_GCM,data:7T4iu5rqkp8r6lxmSW1vj82uqwsASAu12CHuRqX/ee1xbrZfeUmHPJc4jRo8EKRR11RhSSEw2gcqksrGdwRltQ==,iv:kzBujm7LgzoXGiDPbDqz62ura+t2OjcrYf2vIvq2Q5M=,tag:uuh9N8O5UGMpu/ZO5C2esw==,type:str]
 hydra:
 gitea_token: ENC[AES256_GCM,data:8OOn7dlMaBTLNpRB9K2M+Cg4ZB9V2qFXdm7c0/2F/5CdOGfKF63a8Q==,iv:htbnKmNuaHlUw0E2PYRy3en00fni5hmwbkhDcQJRfE4=,tag:MpVnRX6HBxORghcsbEShNw==,type:str]
 gitea: ENC[AES256_GCM,data:i+reN0mYGY2iMQ06atN/i6YzAg==,iv:HT1H9/UIBweErA5+YFq7aprPjPB2d0gNbt/3MKayuHI=,tag:vDGL31LBw+9sU7UHE9GYKw==,type:str]
@@ -90,8 +93,8 @@ sops:
 N1lNTTRhSDFsczd4VjNudUU2NEt4MUEKdVJIJmaoGcwUHa0BGB45jqYnm9aPVZxP
 dl1vkMx8EAiKhWKbBwQm5fFZcNh371rspGE7KOXmwNbNWef5bVfHpQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2022-12-24T13:05:17Z"
- mac: ENC[AES256_GCM,data:zyDRuZOCgWQ/gAAhCpMxsSv85pUpcJryCSwtqhRWiGadvd4ZJv95t9nnChe08P0t3E9wZ+i9YeShTvycR2lye+J/mhJKl37iJhSHIBWqWMW16bj4elDsy7LJm/dzIb2s7yJgnV3Sm6aqT3hCStUtoFH23NQWxfXnVWQnGIbr7SM=,iv:TYrjVDWisStsllhH47FwWoDttV31JNgR3gOtIMolJaI=,tag:9s/5ncDtIXNVd2qyUAcm3Q==,type:str]
+ lastmodified: "2023-01-13T19:16:14Z"
+ mac: ENC[AES256_GCM,data:syVA2n+ph+gtMcs/LS9zSfrUdXF6ccBz/cN4ERBt1TpIgrU762Z9Uuidh+vwY422OBNikz6UHV5T7R5pOZkh8VBhMj0WXR1pnrOGtOldamOQAfduuMUtwt75XY1rasT2Ye+Aju5WVCv+HuRg+wBY9O0+V6KyzIlL9/j9vTnPSYo=,iv:jgo2XOk2f/MHgeFkMNZ2TvT29Q0AA+aDNGZv2wHUxZM=,tag:1EkuDg6VbI47aSt6QCrymQ==,type:str]
 pgp:
 - created_at: "2022-02-02T17:50:42Z"
 enc: |
diff --git a/zones/chir.rs.nix b/zones/chir.rs.nix
index c3007b54..d1ee0c75 100644
--- a/zones/chir.rs.nix
+++ b/zones/chir.rs.nix
@@ -120,11 +120,31 @@ with dns.lib.combinators; let
 ];
 };
 createZone = merge zoneBase;
+ createFullZone = merge (createZone {
+ A = [
+ (ttl zoneTTL (a "130.162.60.127"))
+ (ttl zoneTTL (a "138.201.155.128"))
+ ];
+ AAAA = [
+ (ttl zoneTTL (aaaa "2603:c020:8009:f100:f09a:894d:ef57:a278"))
+ (ttl zoneTTL (aaaa "2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49"))
+ ];
+ HTTPS = [
+ {
+ svcPriority = 1;
+ targetName = ".";
+ alpn = ["http/1.1" "h2" "h3"];
+ ipv4hint = ["138.201.155.128" "130.162.60.127"];
+ ipv6hint = ["2a01:4f8:1c17:d953:b4e1:8ff:e658:6f49" "2603:c020:8009:f100:f09a:894d:ef57:a278"];
+ ttl = zoneTTL;
+ }
+ ];
+ });
 zone = createZone {
 SOA = {
 nameServer = "ns1.chir.rs.";
 adminEmail = "lotte@chir.rs";
- serial = 24;
+ serial = 25;
 };
 NS = [
 "ns1.chir.rs."
@@ -222,6 +242,7 @@ with dns.lib.combinators; let
 ];
 peertube = createZone {};
 mediaproxy.CNAME = ["mediaproxy-chir-rs.b-cdn.net."];
+ auth = createFullZone {};
 int = delegateTo [
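Review bot: `createFullZone` advertises `alpn = ["http/1.1" "h2" "h3"]` in the HTTPS record for both hosts, which tells clients to try QUIC on UDP 443 at 130.162.60.127 / 138.201.155.128 and the two v6 addresses before falling back; nothing in this change shows an HTTP/3 listener on either host, so confirm the reverse proxies actually terminate h3 or drop `"h3"` until they do, since a wrong hint costs every first connection a failed attempt. The `ipv4hint`/`ipv6hint` lists are in the opposite order to the `A`/`AAAA` lists, which is harmless but worth aligning so the record stays self-consistent when an address changes. The `let` block this helper lives in continues outside the hunk.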