
System and user configuration, managed by nix and home-manager

linde: configure dex

Alan Pearce
commit

cb1f99a3c0a622042604efc3b6ede90fd7df262d

parent

004e74d94b9b4c8dbc33b98839452014ba0fffe3

3 files changed, 57 insertions(+), 0 deletions(-)

A secrets/dex.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1 +-> ssh-ed25519 cvV2sw MzzfQI0psA0T3d9nCSgmJmbiV0rEoZmnaMm8e13/DSU +NtULp9HQgcMY/RadjNb3C4tNh9YWjDwrgkLIKUK+L1M +-> piv-p256 u9NeZg A2WA/ou1zL649+hHXQpeRQv44LfAt3gEIfbUmY7ELEX9 +AWZG99QU5BN11neChVUPI5mNLZLwmYH7j8QYnyh+BH0 +--- GwIdy5S/I/ujJQLtF/xfBqoKPBEaN/9xgf+Mj+jSryE +LX"g/tN|iFTuBO;>ȻApb5£Λ=ݏ$Gru1kPkWbgw@셼O+N8i?o$˺WV(h%nbgZ7I=HؒM@
M secrets/secrets.nixsecrets/secrets.nix
@@ -16,6 +16,7 @@
binarycache = [ linde ]; paperless = [ linde ]; powerdns = [ linde ]; + dex = [ linde ]; dyndns = [ nanopi ]; syncthing = [ nanopi ];
M system/linde.nixsystem/linde.nix
@@ -36,6 +36,7 @@ symlink = false;
}; acme.file = ../secrets/acme.age; binarycache.file = ../secrets/binarycache.age; + dex.file = ../secrets/dex.age; powerdns.file = ../secrets/powerdns.age; };
@@ -593,6 +594,13 @@ }
reverse_proxy 127.0.0.1:8081 ''; }; + "id.alanpearce.eu" = { + useACMEHost = "alanpearce.eu"; + extraConfig = '' + encode zstd gzip + reverse_proxy http://${config.services.dex.settings.web.http} + ''; + }; "dns.alanpearce.eu" = { useACMEHost = "alanpearce.eu"; extraConfig = ''
@@ -826,6 +834,47 @@ PAPERLESS_FILENAME_FORMAT = "{correspondent}/{created} {title} {asn}";
PAPERLESS_FILENAME_FORMAT_REMOVE_NONE = true; }; }; + + services.etcd = { + enable = true; + initialClusterState = "new"; # -> existing + dataDir = "/var/lib/etcd"; # TODO backup + }; + + services.dex = + let + issuer = "https://id.alanpearce.eu/"; + in + { + enable = true; + environmentFile = config.age.secrets.dex.path; + settings = { + inherit issuer; + storage = { + type = "etcd"; + config = { + endpoints = config.services.etcd.listenClientUrls; + namespace = "dex/"; + }; + }; + web.http = "127.0.0.1:5556"; + connectors = [{ + type = "github"; + id = "github"; + name = "GitHub"; + config = { + clientID = "$GITHUB_CLIENT_ID"; + clientSecret = "$GITHUB_CLIENT_SECRET"; + redirectURI = "${issuer}/callback"; + orgs = [{ + name = "alan-pearce"; + }]; + teamNameField = "slug"; + useLoginAsID = true; + }; + }]; + }; + }; services.syncthing = { enable = true;
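Review bot: In the `services.dex` block, `issuer` already ends in a slash, so `redirectURI = "${issuer}/callback"` most likely expands to `https://id.alanpearce.eu//callback`; whether dex or GitHub normalises the double slash is not visible here, and an exact-match comparison against the OAuth app's registered callback would reject it, so prefer `redirectURI = "${issuer}callback";`. The etcd store that dex is pointed at (`dataDir = "/var/lib/etcd"`, marked `# TODO backup`) will hold dex's signing keys and refresh tokens in the clear, so any backup of that directory needs the same handling as the age-encrypted secrets, and the default `listenClientUrls` carry no authentication, which is fine while they stay on loopback but worth a comment such as `# etcd client URLs are unauthenticated: keep them on 127.0.0.1` next to `endpoints`. `useLoginAsID = true` makes the GitHub handle the subject identifier; handles can be released and re-registered, so relying parties keyed on `sub` should not treat it as permanent (the `orgs` restriction bounds, but does not remove, that exposure) — a short comment stating this trade-off would help the next reader. The enclosing configuration attribute set starts and ends outside the hunk.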