linde: configure dex

1 files changed, 49 insertions, 0 deletions

diff --git a/system/linde.nix b/system/linde.nix
index cb18217a..75136576 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -36,6 +36,7 @@ in
       };
     acme.file = ../secrets/acme.age;
     binarycache.file = ../secrets/binarycache.age;
+    dex.file = ../secrets/dex.age;
     powerdns.file = ../secrets/powerdns.age;
   };
 
@@ -593,6 +594,13 @@ in
           reverse_proxy 127.0.0.1:8081
         '';
       };
+      "id.alanpearce.eu" = {
+        useACMEHost = "alanpearce.eu";
+        extraConfig = ''
+          encode zstd gzip
+          reverse_proxy http://${config.services.dex.settings.web.http}
+        '';
+      };
       "dns.alanpearce.eu" = {
         useACMEHost = "alanpearce.eu";
         extraConfig = ''
@@ -827,6 +835,47 @@ in
     };
   };
 
+  services.etcd = {
+    enable = true;
+    initialClusterState = "new"; # -> existing
+    dataDir = "/var/lib/etcd"; # TODO backup
+  };
+
+  services.dex =
+    let
+      issuer = "https://id.alanpearce.eu/";
+    in
+    {
+      enable = true;
+      environmentFile = config.age.secrets.dex.path;
+      settings = {
+        inherit issuer;
+        storage = {
+          type = "etcd";
+          config = {
+            endpoints = config.services.etcd.listenClientUrls;
+            namespace = "dex/";
+          };
+        };
+        web.http = "127.0.0.1:5556";
+        connectors = [{
+          type = "github";
+          id = "github";
+          name = "GitHub";
+          config = {
+            clientID = "$GITHUB_CLIENT_ID";
+            clientSecret = "$GITHUB_CLIENT_SECRET";
+            redirectURI = "${issuer}/callback";
+            orgs = [{
+              name = "alan-pearce";
+            }];
+            teamNameField = "slug";
+            useLoginAsID = true;
+          };
+        }];
+      };
+    };
+
   services.syncthing = {
     enable = true;
     dataDir = "/srv/syncthing";