-rw-r--r--secrets/dex.age7
-rw-r--r--secrets/secrets.nix1
-rw-r--r--system/linde.nix49
3 files changed, 57 insertions, 0 deletions
diff --git a/secrets/dex.age b/secrets/dex.age
new file mode 100644
index 00000000..0a8726cf
--- /dev/null
+++ b/secrets/dex.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 cvV2sw MzzfQI0psA0T3d9nCSgmJmbiV0rEoZmnaMm8e13/DSU
+NtULp9HQgcMY/RadjNb3C4tNh9YWjDwrgkLIKUK+L1M
+-> piv-p256 u9NeZg A2WA/ou1zL649+hHXQpeRQv44LfAt3gEIfbUmY7ELEX9
+AWZG99QU5BN11neChVUPI5mNLZLwmYH7j8QYnyh+BH0
+--- GwIdy5S/I/ujJQLtF/xfBqoKPBEaN/9xgf+Mj+jSryE
+LX"g/tN|iFTuBO;>ȻApb5£Λ=ݏ$Gru1kPkWbgw@셼O+N8i?o$˺WV(h%nbgZ7I=HؒM@
\ No newline at end of file
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 86d1062c..0a8c4a9d 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -16,6 +16,7 @@ let
     binarycache = [ linde ];
     paperless = [ linde ];
     powerdns = [ linde ];
+    dex = [ linde ];
 
     dyndns = [ nanopi ];
     syncthing = [ nanopi ];
diff --git a/system/linde.nix b/system/linde.nix
index cb18217a..75136576 100644
--- a/system/linde.nix
+++ b/system/linde.nix
@@ -36,6 +36,7 @@ in
       };
     acme.file = ../secrets/acme.age;
     binarycache.file = ../secrets/binarycache.age;
+    dex.file = ../secrets/dex.age;
     powerdns.file = ../secrets/powerdns.age;
   };
 
@@ -593,6 +594,13 @@ in
           reverse_proxy 127.0.0.1:8081
         '';
       };
+      "id.alanpearce.eu" = {
+        useACMEHost = "alanpearce.eu";
+        extraConfig = ''
+          encode zstd gzip
+          reverse_proxy http://${config.services.dex.settings.web.http}
+        '';
+      };
       "dns.alanpearce.eu" = {
         useACMEHost = "alanpearce.eu";
         extraConfig = ''
@@ -827,6 +835,47 @@ in
     };
   };
 
+  services.etcd = {
+    enable = true;
+    initialClusterState = "new"; # -> existing
+    dataDir = "/var/lib/etcd"; # TODO backup
+  };
+
+  services.dex =
+    let
+      issuer = "https://id.alanpearce.eu/";
+    in
+    {
+      enable = true;
+      environmentFile = config.age.secrets.dex.path;
+      settings = {
+        inherit issuer;
+        storage = {
+          type = "etcd";
+          config = {
+            endpoints = config.services.etcd.listenClientUrls;
+            namespace = "dex/";
+          };
+        };
+        web.http = "127.0.0.1:5556";
+        connectors = [{
+          type = "github";
+          id = "github";
+          name = "GitHub";
+          config = {
+            clientID = "$GITHUB_CLIENT_ID";
+            clientSecret = "$GITHUB_CLIENT_SECRET";
+            redirectURI = "${issuer}/callback";
+            orgs = [{
+              name = "alan-pearce";
+            }];
+            teamNameField = "slug";
+            useLoginAsID = true;
+          };
+        }];
+      };
+    };
+
   services.syncthing = {
     enable = true;
     dataDir = "/srv/syncthing";
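Review bot: `redirectURI = "${issuer}/callback"` interpolates an `issuer` that already ends in a slash, so the registered redirect URI becomes `https://id.alanpearce.eu//callback`; whether dex and GitHub treat that as equal to the single-slash callback is not something I would rely on, so write `redirectURI = "${issuer}callback";` (or drop the trailing slash from `issuer` and keep the `/callback` form). The `storage.config` block only sets `endpoints` and `namespace`, with no TLS or client-auth settings, and it points at `config.services.etcd.listenClientUrls`, which in the default NixOS module is a plain-HTTP loopback URL as far as I know; since dex stores refresh tokens and client credentials in that namespace, a comment stating that etcd is assumed loopback-only and unauthenticated, e.g. `# etcd is reached over plain HTTP on loopback; dex state (tokens, clients) is unprotected beyond host access`, would make the trust boundary explicit. `initialClusterState = "new"; # -> existing` reads as a reminder to flip the value after first boot; spelling that out (`# set to "existing" once the data dir has been initialised`) avoids a future re-bootstrap of the store behind dex.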