nix/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
master
nixos-config/config/host-config/limina.nix
niten 8e184394f2 Many many changes
2024-05-21 23:16:02 -07:00

306 lines
9.1 KiB
Nix
Raw Permalink Blame History

{ config, lib, pkgs, ... }:
with lib;
let
primary-ip = "10.0.0.1";
host-config = config.fudo.hosts.${config.instance.hostname};
site-name = host-config.site;
site = config.fudo.sites.${site-name};
domain-name = host-config.domain;
domain = config.fudo.domains.${domain-name};
hostname = config.instance.hostname;
domSecrets =
config.fudo.secrets.files.domain-secrets."${config.instance.local-domain}";
hostSecrets = config.fudo.secrets.host-secrets."${hostname}";
authentikHost = "authentik.fudo.org";
# dns-proxy-port = 5335;
in {
config = {
networking = {
interfaces = {
enp1s0 = { useDHCP = true; };
intif0 = {
useDHCP = false;
ipv4 = {
addresses = [{
address = primary-ip;
prefixLength = 16;
}];
routes = [{
address = "192.168.86.0";
prefixLength = 24;
via = "10.0.0.3";
}];
};
};
intif1 = { useDHCP = false; };
intif2 = { useDHCP = false; };
};
enableIPv6 = false;
# nameservers = [ "10.0.0.1" ];
# FIXME: this should be automatic
# firewall.trustedInterfaces =
# [ "intif0" "intif1" "intif2" "lo" "docker0" ];
# nat = {
# enable = true;
# externalInterface = "enp1s0";
# internalInterfaces = [ "intif0" "intif1" "intif2" ];
# };
firewall = {
enable = true;
allowedTCPPorts = [ 80 443 25565 config.services.murmur.port ];
allowedUDPPorts = [ 25565 34197 ];
extraCommands = ''
iptables -A INPUT -s 141.98.7.36 -j DROP
'';
};
nat.forwardPorts = [
# Minecraft
{
destination = "10.0.0.12:25555";
proto = "tcp";
sourcePort = 25565;
}
{
destination = "10.0.0.12:25555";
proto = "udp";
sourcePort = 25565;
}
# Factorio
{
destination = "10.0.0.12:34197";
proto = "udp";
sourcePort = 34197;
}
];
};
fileSystems = {
"/var/lib/acme" = {
device = "/state/services/acme";
options = [ "bind" ];
};
};
fudo = {
secrets.host-secrets."${hostname}" = {
sea-cam-auth-proxy-env = {
source-file = let
token = removeSuffix "\n"
(readFile domSecrets."seattle-camera-auth-proxy.token");
in pkgs.writeText "sea-cam-auth-proxy.env" ''
AUTHENTIK_HOST=https://${authentikHost}/;
AUTHENTIK_TOKEN=${token}
AUTHENTIK_INSECURE=0
'';
target-file = "/run/sea-cam-auth-proxy/env";
};
sea-red-auth-proxy-env = {
source-file = let
token = removeSuffix "\n"
(readFile domSecrets."seattle-red-auth-proxy.token");
in pkgs.writeText "sea-red-auth-proxy.env" ''
AUTHENTIK_HOST=https://${authentikHost}/;
AUTHENTIK_TOKEN=${token}
AUTHENTIK_INSECURE=0
'';
target-file = "/run/sea-red-auth-proxy/env";
};
};
hosts.limina.external-interfaces = [ "enp1s0" ];
client.dns.external-interface = "enp1s0";
garbage-collector = {
enable = true;
timing = "weekly";
};
services = {
local-network = {
enable = true;
internal-interfaces = [ "intif0" "intif1" "intif2" ];
external-interface = "enp1s0";
dns-filter-proxy.enable = true;
};
metrics = {
prometheus.state-directory = "/state/services/prometheus";
};
auth.kerberos.state-directory = "/state/services/heimdal-kdc";
};
};
# Support for statelessness
environment.etc = {
NIXOS.source = "/state/etc/NIXOS";
"host-config.nix".source = "/state/etc/host-config.nix";
};
systemd.tmpfiles.rules = [
"L /etc/adjtime - - - - /state/etc/adjtime"
"L /root/.gnupg - - - - /state/root/gnupg"
"L /root/.ssh/id_rsa - - - - /state/root/ssh/id_rsa"
"L /root/.ssh/id_rsa.pub - - - - /state/root/ssh/id_rsa.pub"
"L /root/.ssh/known_hosts - - - - /state/root/ssh/known_hosts"
"d /state/services/acme 0755 acme acme - -"
];
security.acme.defaults.email = "niten@fudo.org";
systemd.services.nginx.requires = [ "bind.service" ];
virtualisation = {
podman = {
enable = true;
dockerSocket.enable = true;
autoPrune.enable = true;
};
docker.enable = false;
oci-containers = {
backend = "podman";
containers = {
"sea-cam-auth-proxy" = {
image = "ghcr.io/goauthentik/proxy";
autoStart = true;
environmentFiles =
[ hostSecrets.sea-cam-auth-proxy-env.target-file ];
ports = [ "9000:9000" ];
};
"sea-red-auth-proxy" = {
image = "ghcr.io/goauthentik/proxy";
autoStart = true;
environmentFiles =
[ hostSecrets.sea-red-auth-proxy-env.target-file ];
ports = [ "9001:9000" ];
};
};
};
};
services = {
nginx = {
enable = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
virtualHosts = let
authenticatedPassthrough = { target, authPort }: {
enableACME = true;
forceSSL = true;
locations = {
"/" = {
proxyPass = target;
proxyWebsockets = true;
extraConfig = ''
##############################
# authentik-specific config
##############################
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
'';
};
"/outpost.goauthentik.io" = {
proxyPass = "http://127.0.0.1:${
toString authPort
}/outpost.goauthentik.io";
extraConfig = ''
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
'';
};
"@goauthentik_proxy_signin" = {
return = "302 /outpost.goauthentik.io/start?rd=$request_uri";
extraConfig = ''
add_header Set-Cookie $auth_cookie;
internal;
'';
};
};
};
in {
"sea-home.fudo.link" = {
enableACME = true;
forceSSL = true;
locations."/" = {
proxyPass = "http://home-assist.sea.fudo.org/";
extraConfig = ''
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
'';
};
};
"sea-cam.fudo.link" = authenticatedPassthrough {
target = "http://frigate.sea.fudo.org/";
authPort = 9000;
};
"sea-red.fudo.link" = authenticatedPassthrough {
target = "http://node-red.sea.fudo.org/";
authPort = 9001;
};
};
};
murmur = {
enable = true;
port = 64738;
bonjour = true;
password = "thelittleschool";
};
openssh = {
hostKeys = [
{
path = "/state/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/state/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
};
};
}
Reference in New Issue View Git Blame Copy Permalink