all repos — nixfiles @ cb1f99a3c0a622042604efc3b6ede90fd7df262d

System and user configuration, managed by nix and home-manager

linde: configure dex
Alan Pearce alan@alanpearce.eu
Tue, 21 May 2024 18:39:50 +0200
commit

cb1f99a3c0a622042604efc3b6ede90fd7df262d

parent

004e74d94b9b4c8dbc33b98839452014ba0fffe3

3 files changed, 57 insertions(+), 0 deletions(-)

jump to
A secrets/dex.age
@@ -0,0 +1,7 @@+age-encryption.org/v1
+-> ssh-ed25519 cvV2sw MzzfQI0psA0T3d9nCSgmJmbiV0rEoZmnaMm8e13/DSU
+NtULp9HQgcMY/RadjNb3C4tNh9YWjDwrgkLIKUK+L1M
+-> piv-p256 u9NeZg A2WA/ou1zL649+hHXQpeRQv44LfAt3gEIfbUmY7ELEX9
+AWZG99QU5BN11neChVUPI5mNLZLwmYH7j8QYnyh+BH0
+--- GwIdy5S/I/ujJQLtF/xfBqoKPBEaN/9xgf+Mj+jSryE
+LX"g/tN|iFTuBO;>ȻApb5£Λ=ݏ$Gru1kPkWbgw@셼O+N8i?o$˺WV(h%nbgZ7I=HؒM@
M secrets/secrets.nixsecrets/secrets.nix
@@ -16,6 +16,7 @@     binarycache = [ linde ];
     paperless = [ linde ];
     powerdns = [ linde ];
+    dex = [ linde ];
 
     dyndns = [ nanopi ];
     syncthing = [ nanopi ];
M system/linde.nixsystem/linde.nix
@@ -36,6 +36,7 @@ symlink = false;       };
     acme.file = ../secrets/acme.age;
     binarycache.file = ../secrets/binarycache.age;
+    dex.file = ../secrets/dex.age;
     powerdns.file = ../secrets/powerdns.age;
   };
 
@@ -593,6 +594,13 @@ }           reverse_proxy 127.0.0.1:8081
         '';
       };
+      "id.alanpearce.eu" = {
+        useACMEHost = "alanpearce.eu";
+        extraConfig = ''
+          encode zstd gzip
+          reverse_proxy http://${config.services.dex.settings.web.http}
+        '';
+      };
       "dns.alanpearce.eu" = {
         useACMEHost = "alanpearce.eu";
         extraConfig = ''
@@ -826,6 +834,47 @@ PAPERLESS_FILENAME_FORMAT = "{correspondent}/{created} {title} {asn}";       PAPERLESS_FILENAME_FORMAT_REMOVE_NONE = true;
     };
   };
+
+  services.etcd = {
+    enable = true;
+    initialClusterState = "new"; # -> existing
+    dataDir = "/var/lib/etcd"; # TODO backup
+  };
+
+  services.dex =
+    let
+      issuer = "https://id.alanpearce.eu/";
+    in
+    {
+      enable = true;
+      environmentFile = config.age.secrets.dex.path;
+      settings = {
+        inherit issuer;
+        storage = {
+          type = "etcd";
+          config = {
+            endpoints = config.services.etcd.listenClientUrls;
+            namespace = "dex/";
+          };
+        };
+        web.http = "127.0.0.1:5556";
+        connectors = [{
+          type = "github";
+          id = "github";
+          name = "GitHub";
+          config = {
+            clientID = "$GITHUB_CLIENT_ID";
+            clientSecret = "$GITHUB_CLIENT_SECRET";
+            redirectURI = "${issuer}/callback";
+            orgs = [{
+              name = "alan-pearce";
+            }];
+            teamNameField = "slug";
+            useLoginAsID = true;
+          };
+        }];
+      };
+    };
 
   services.syncthing = {
     enable = true;