diff options
author | Emile <git@emile.space> | 2024-09-19 10:48:16 +0200 |
---|---|---|
committer | Emile <git@emile.space> | 2024-09-19 10:48:16 +0200 |
commit | e833c13c177288b2a7b9168a784e0e6562c025b6 (patch) | |
tree | 1661dad1694989e2d83e6c2fca7b5602a61c574b /nix/hosts/corrino/www | |
parent | dcde3882d5460368e3c0499a54330f84a6995d62 (diff) |
big format using nixfmt
Diffstat (limited to 'nix/hosts/corrino/www')
20 files changed, 1125 insertions, 1127 deletions
diff --git a/nix/hosts/corrino/www/cs.emile.space.nix b/nix/hosts/corrino/www/cs.emile.space.nix index 4f1b91e..7aefc64 100644 --- a/nix/hosts/corrino/www/cs.emile.space.nix +++ b/nix/hosts/corrino/www/cs.emile.space.nix @@ -2,53 +2,58 @@ let - # get's all repos configured in cgit and converts them into some JSON that is used by hound - repos = builtins.toJSON - (lib.mergeAttrsList - (map - (x: {"${x.name}" = { url = "file://${x.path}"; }; }) - (lib.mapAttrsToList - (name: value: value // { name = "${name}"; }) - config.services.cgit.main.repos))); -in { - services.nginx.virtualHosts."cs.emile.space" = { - forceSSL = true; - enableACME = true; - locations = { - "/" = { + # get's all repos configured in cgit and converts them into some JSON that is used by hound + repos = builtins.toJSON ( + lib.mergeAttrsList ( + map + (x: { + "${x.name}" = { + url = "file://${x.path}"; + }; + }) + (lib.mapAttrsToList (name: value: value // { name = "${name}"; }) config.services.cgit.main.repos) + ) + ); +in +{ + services.nginx.virtualHosts."cs.emile.space" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { proxyPass = "http://${config.services.hound.listen}"; - }; - }; - }; + }; + }; + }; - # add hound user to git group so the local repos can be read + # add hound user to git group so the local repos can be read # users.users.hound.extraGroups = [ "git" ]; - users.groups."git".members = [ "hound" ]; + users.groups."git".members = [ "hound" ]; - # The `.gitignore` of the user `hound` should contain the following: - # - # [safe] + # The `.gitignore` of the user `hound` should contain the following: + # + # [safe] # directory = /var/lib/git/repositories/* # directory = /var/lib/git/repositories/faila.git # directory = /var/lib/git/repositories/faila2.git - services.hound = { - enable = true; - - config = '' - { - "dbpath": "/var/lib/hound/data", - "max-concurrent-indexers" : 6, - "vcs-config" : { - "git" : { - "detect-ref" : true - } - }, - "repos" : ${repos} - } - ''; - - listen = "127.0.0.1:${toString config.emile.ports.hound}"; - }; + services.hound = { + enable = true; + + config = '' + { + "dbpath": "/var/lib/hound/data", + "max-concurrent-indexers" : 6, + "vcs-config" : { + "git" : { + "detect-ref" : true + } + }, + "repos" : ${repos} + } + ''; + + listen = "127.0.0.1:${toString config.emile.ports.hound}"; + }; } diff --git a/nix/hosts/corrino/www/ctf.emile.space.nix b/nix/hosts/corrino/www/ctf.emile.space.nix index 6eee75f..28c9419 100644 --- a/nix/hosts/corrino/www/ctf.emile.space.nix +++ b/nix/hosts/corrino/www/ctf.emile.space.nix @@ -17,9 +17,7 @@ containers = { "ctfd" = { image = "ctfd/ctfd"; - ports = [ - "${toString config.emile.ports.ctf}:8000" - ]; + ports = [ "${toString config.emile.ports.ctf}:8000" ]; }; }; }; diff --git a/nix/hosts/corrino/www/db.emile.space.nix b/nix/hosts/corrino/www/db.emile.space.nix index 7cb365e..3385319 100644 --- a/nix/hosts/corrino/www/db.emile.space.nix +++ b/nix/hosts/corrino/www/db.emile.space.nix @@ -15,7 +15,7 @@ containers = { "noco" = { image = "nocodb/nocodb:latest"; - volumes = [ "nocodb:/usr/app/data" ]; + volumes = [ "nocodb:/usr/app/data" ]; ports = [ "${toString config.emile.ports.nocodb}:8080" ]; }; }; diff --git a/nix/hosts/corrino/www/git/cgit.nix b/nix/hosts/corrino/www/git/cgit.nix index b48157a..edbbe2f 100644 --- a/nix/hosts/corrino/www/git/cgit.nix +++ b/nix/hosts/corrino/www/git/cgit.nix @@ -1,603 +1,607 @@ -{ config, lib, pkgs, ... }: +{ + config, + lib, + pkgs, + ... +}: let - repodirs = builtins.concatStringsSep "\n" - (map - (x: "directory = ${x}") - (lib.lists.flatten - (map - (x: lib.attrValues (lib.getAttrs [ "path" ] x)) - (lib.mapAttrsToList - (name: value: value) - config.services.cgit.main.repos)))); + repodirs = builtins.concatStringsSep "\n" ( + map (x: "directory = ${x}") ( + lib.lists.flatten ( + map (x: lib.attrValues (lib.getAttrs [ "path" ] x)) ( + lib.mapAttrsToList (name: value: value) config.services.cgit.main.repos + ) + ) + ) + ); in { environment.systemPackages = with pkgs; [ - md4c # used to get md2html for rendering the READMEs within cgit-pink - ]; - - # set all the repos as safe - environment.etc = { - gitconfig = { - text = '' - [http] - sslCAinfo = /etc/ssl/certs/ca-certificates.crt - [safe] - ${repodirs} - ''; - }; - }; - + md4c # used to get md2html for rendering the READMEs within cgit-pink + ]; + + # set all the repos as safe + environment.etc = { + gitconfig = { + text = '' + [http] + sslCAinfo = /etc/ssl/certs/ca-certificates.crt + [safe] + ${repodirs} + ''; + }; + }; + services = { - nginx.virtualHosts."git.emile.space" = { - forceSSL = true; - enableACME = true; - }; - - cgit.main = { - enable = true; - package = pkgs.cgit-pink; - nginx.virtualHost = "git.emile.space"; - nginx.location = "/"; - repos = { + nginx.virtualHosts."git.emile.space" = { + forceSSL = true; + enableACME = true; + }; + + cgit.main = { + enable = true; + package = pkgs.cgit-pink; + nginx.virtualHost = "git.emile.space"; + nginx.location = "/"; + repos = { # ops - hefe = { - desc = "Yet another monorepo (the big nix config)"; - path = "/var/lib/git/repositories/hefe.git"; - section = "Infra"; - owner = "emile"; - }; - vokobe = { - desc = "A custom static site generator written in rust"; - path = "/var/lib/git/repositories/vokobe.git"; - section = "Infra"; - owner = "emile"; - }; - massscan-docker = { - desc = "A Dockerfile for massscan"; - path = "/var/lib/git/repositories/massscan-docker.git"; - section = "Infra"; - owner = "emile"; - }; - metrics-bundler = { - desc = "A super basic metrics bundler"; - path = "/var/lib/git/repositories/metrics-bundler.git"; - section = "Infra"; - owner = "emile"; - }; - - # matrix - matrix-sdk = { - desc = "A simpler matrix sdk"; - path = "/var/lib/git/repositories/matrix-sdk.git"; - section = "Matrix"; - owner = "emile"; - }; - matrix-weather-bot = { - desc = "A basic weather bot using matrix-sdk"; - path = "/var/lib/git/repositories/matrix-weather-bot.git"; - section = "Matrix"; - owner = "emile"; - }; - + hefe = { + desc = "Yet another monorepo (the big nix config)"; + path = "/var/lib/git/repositories/hefe.git"; + section = "Infra"; + owner = "emile"; + }; + vokobe = { + desc = "A custom static site generator written in rust"; + path = "/var/lib/git/repositories/vokobe.git"; + section = "Infra"; + owner = "emile"; + }; + massscan-docker = { + desc = "A Dockerfile for massscan"; + path = "/var/lib/git/repositories/massscan-docker.git"; + section = "Infra"; + owner = "emile"; + }; + metrics-bundler = { + desc = "A super basic metrics bundler"; + path = "/var/lib/git/repositories/metrics-bundler.git"; + section = "Infra"; + owner = "emile"; + }; + + # matrix + matrix-sdk = { + desc = "A simpler matrix sdk"; + path = "/var/lib/git/repositories/matrix-sdk.git"; + section = "Matrix"; + owner = "emile"; + }; + matrix-weather-bot = { + desc = "A basic weather bot using matrix-sdk"; + path = "/var/lib/git/repositories/matrix-weather-bot.git"; + section = "Matrix"; + owner = "emile"; + }; # radare2 - radare2-GoReSym = { - desc = "A script to load goresym symbols into radare2"; - path = "/var/lib/git/repositories/radare2-GoReSym.git"; - section = "Radare2"; - owner = "emile"; - }; - r2wars = { - desc = "A golang implementation of radare2"; - path = "/var/lib/git/repositories/r2wars.git"; - section = "Radare2"; - owner = "emile"; - }; - r2wars-web = { - desc = "The software behind https://r2wa.rs"; - path = "/var/lib/git/repositories/r2wars-web.git"; - section = "Radare2"; - owner = "emile"; - }; - r2wars-rs = { - desc = "A rust implementation of radare2"; - path = "/var/lib/git/repositories/r2wars-rs.git"; - section = "Radare2"; - owner = "emile"; - }; - - # ctf - ctf_clusters = { - desc = "visualizing CTF clusters at DEFCON CTF Finals 2022"; - path = "/var/lib/git/repositories/ctf_clusters.git"; - section = "CTF"; - owner = "emile"; - }; - lambda = { - desc = "hacktm ctf 2023 / misc / know your lambda calculus"; - path = "/var/lib/git/repositories/lambda.git"; - section = "CTF"; - owner = "emile"; - }; - ctfdget = { - desc = "Simply fetch all challenges from a CTF from CTFd."; - path = "/var/lib/git/repositories/ctfdget.git"; - section = "CTF"; - owner = "emile"; - }; + radare2-GoReSym = { + desc = "A script to load goresym symbols into radare2"; + path = "/var/lib/git/repositories/radare2-GoReSym.git"; + section = "Radare2"; + owner = "emile"; + }; + r2wars = { + desc = "A golang implementation of radare2"; + path = "/var/lib/git/repositories/r2wars.git"; + section = "Radare2"; + owner = "emile"; + }; + r2wars-web = { + desc = "The software behind https://r2wa.rs"; + path = "/var/lib/git/repositories/r2wars-web.git"; + section = "Radare2"; + owner = "emile"; + }; + r2wars-rs = { + desc = "A rust implementation of radare2"; + path = "/var/lib/git/repositories/r2wars-rs.git"; + section = "Radare2"; + owner = "emile"; + }; + + # ctf + ctf_clusters = { + desc = "visualizing CTF clusters at DEFCON CTF Finals 2022"; + path = "/var/lib/git/repositories/ctf_clusters.git"; + section = "CTF"; + owner = "emile"; + }; + lambda = { + desc = "hacktm ctf 2023 / misc / know your lambda calculus"; + path = "/var/lib/git/repositories/lambda.git"; + section = "CTF"; + owner = "emile"; + }; + ctfdget = { + desc = "Simply fetch all challenges from a CTF from CTFd."; + path = "/var/lib/git/repositories/ctfdget.git"; + section = "CTF"; + owner = "emile"; + }; # keyboard - zmk-config = { - desc = "ferris sweep zmk config"; - path = "/var/lib/git/repositories/zmk-config.git"; - section = "Keyboard"; - owner = "emile"; - }; - - # chaosdorf - map = { - desc = "A map of the chaosdorf hackspace"; - path = "/var/lib/git/repositories/map.git"; - section = "Chaosdorf"; - owner = "emile"; - }; - freitagsfoo = { - desc = "A service to submit talks for freitagsfoo"; - path = "/var/lib/git/repositories/freitagsfoo.git"; - section = "Chaosdorf"; - owner = "emile"; - }; - inventory = { - desc = "A common-lisp mapping and inventory system"; - path = "/var/lib/git/repositories/inventory.git"; - section = "Chaosdorf"; - owner = "emile"; - }; - - # jugend forscht - SatelliteComputation = { - desc = "Estimating possible Satellite collisions"; - path = "/var/lib/git/repositories/SatelliteComputation.git"; - section = "Jugend Forscht 2017"; - owner = "emile"; - }; - GalaxyGeneration = { - desc = "Generating Galaxies"; - path = "/var/lib/git/repositories/GalaxyGeneration.git"; - section = "Jugend Forscht 2018"; - owner = "emile"; - }; - - brute-force = { - desc = "A simple benchmark showing how slow this can be"; - path = "/var/lib/git/repositories/galaxy-sim-brute-force.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - generatePointcloud = { - desc = "Generate pointclouds using the NFW profile"; - path = "/var/lib/git/repositories/generatePointcloud.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - quadtree = { - desc = "Simple quadtree implementation"; - path = "/var/lib/git/repositories/quadtree.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - viewer = { - desc = "A viewer for galaxies stored in trees"; - path = "/var/lib/git/repositories/viewer.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - structs = { - desc = "All of the structures used in the GalaxySimulator"; - path = "/var/lib/git/repositories/structs.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - simulator-container-rewrite = { - desc = "Clean rewrite of the simulator-container"; - path = "/var/lib/git/repositories/simulator-container-rewrite.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - simulator-container = { - desc = "Simulating the new position of a galaxye"; - path = "/var/lib/git/repositories/simulator-container.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - pres = { - desc = "Presentation material"; - path = "/var/lib/git/repositories/pres.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - manager-container = { - desc = "The overall manager"; - path = "/var/lib/git/repositories/manager-container.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - generator-container = { - desc = "Generates point clouds using the NFW profile"; - path = "/var/lib/git/repositories/generator-container.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - frontpage = { - desc = "Web page showing people what the project is about"; - path = "/var/lib/git/repositories/frontpage.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - distributor = { - desc = "Distributing tasks"; - path = "/var/lib/git/repositories/distributor-container.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - db-controller = { - desc = "Interaction with the Database"; - path = "/var/lib/git/repositories/db-controller.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - db-container = { - desc = "The main database"; - path = "/var/lib/git/repositories/db-container.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - db-actions = { - desc = "Actions to be performed on the batabase"; - path = "/var/lib/git/repositories/db-actions.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - Writeup = { - desc = "Writeups using LaTeX"; - path = "/var/lib/git/repositories/Writeup.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - Source = { - desc = "Code from the beginning"; - path = "/var/lib/git/repositories/Source.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - NFW-container = { - desc = "A container purely for generating galaxies"; - path = "/var/lib/git/repositories/NFW-container.git"; - section = "Jugend Forscht 2019"; - owner = "emile"; - }; - - # games - "0h-gamejam-game" = { - desc = "Created a game in 0 hours"; - path = "/var/lib/git/repositories/0hour-gamejam-game.git"; - section = "Games"; - owner = "emile"; - }; - - # 3D - "3D" = { - desc = "3D models"; - path = "/var/lib/git/repositories/3D.git"; - section = "3D"; - owner = "emile"; - }; - - # http - faila = { - desc = "The caddy fileserver look, but int pure golang"; - path = "/var/lib/git/repositories/faila.git"; - section = "HTTP"; - owner = "emile"; - }; - faila2 = { - desc = "faila, but simpler"; - path = "/var/lib/git/repositories/faila2.git"; - section = "HTTP"; - owner = "emile"; - }; - gofuzz = { - desc = "wfuzz, but in go. Didn't know ffuf at the time"; - path = "/var/lib/git/repositories/gofuzz.git"; - section = "HTTP"; - owner = "emile"; - }; - graphClicker = { - desc = "A metrics bundler, but with a simple web interface"; - path = "/var/lib/git/repositories/graphClicker.git"; - section = "HTTP"; - owner = "emile"; - }; - randomHttp = { - desc = "A simple HTTP server returning random HTTP codes"; - path = "/var/lib/git/repositories/randomHTTP.git"; - section = "HTTP"; - owner = "emile"; - }; - redir = { - desc = "A webserver with the soul purpose of redirecting."; - path = "/var/lib/git/repositories/redir.git"; - section = "HTTP"; - owner = "emile"; - }; - reqlog = { - desc = "A simple request logger"; - path = "/var/lib/git/repositories/reqlog.git"; - section = "HTTP"; - owner = "emile"; - }; - - # honeypot - ssh-catch-test = { - desc = "A simple honeypot emulating an ssh server."; - path = "/var/lib/git/repositories/ssh-catch-test.git"; - section = "Honeypot"; - owner = "emile"; - }; - honeypot-monitoring = { - desc = "Grafana + Prometheus monitoring"; - path = "/var/lib/git/repositories/honeypot-monitoring.git"; - section = "Honeypot"; - owner = "emile"; - }; - ftp-grab-password = { - desc = "Grab ftp creds (made by twink0r)"; - path = "/var/lib/git/repositories/ftp-grab-password.git"; - section = "Honeypot"; - owner = "emile"; - }; - log-analyzer = { - desc = "Analyse the logs"; - path = "/var/lib/git/repositories/honeypot-log-analyzer.git"; - section = "Honeypot"; - owner = "emile"; - }; - http-grab-basicauth = { - desc = "Grab basicauth creds (made by maride)"; - path = "/var/lib/git/repositories/http-grab-basicauth.git"; - section = "Honeypot"; - owner = "emile"; - }; - http-grab-url = { - desc = "Grab urls (made by twink0r)"; - path = "/var/lib/git/repositories/http-grab-url.git"; - section = "Honeypot"; - owner = "emile"; - }; - ssh-grab-keypass = { - desc = "Grab keys from ssh logins (made by maride)"; - path = "/var/lib/git/repositories/ssh-grab-keypass.git"; - section = "Honeypot"; - owner = "emile"; - }; - ssh-grab-passwords = { - desc = "Grab passwords from ssh logins (made by maride)"; - path = "/var/lib/git/repositories/ssh-grab-passwords.git"; - section = "Honeypot"; - owner = "emile"; - }; - ssh-grab-passwords-map = { - desc = "A nice visual map of the login attempts"; - path = "/var/lib/git/repositories/ssh-grab-passwords-map.git"; - section = "Honeypot"; - owner = "emile"; - }; + zmk-config = { + desc = "ferris sweep zmk config"; + path = "/var/lib/git/repositories/zmk-config.git"; + section = "Keyboard"; + owner = "emile"; + }; + + # chaosdorf + map = { + desc = "A map of the chaosdorf hackspace"; + path = "/var/lib/git/repositories/map.git"; + section = "Chaosdorf"; + owner = "emile"; + }; + freitagsfoo = { + desc = "A service to submit talks for freitagsfoo"; + path = "/var/lib/git/repositories/freitagsfoo.git"; + section = "Chaosdorf"; + owner = "emile"; + }; + inventory = { + desc = "A common-lisp mapping and inventory system"; + path = "/var/lib/git/repositories/inventory.git"; + section = "Chaosdorf"; + owner = "emile"; + }; + + # jugend forscht + SatelliteComputation = { + desc = "Estimating possible Satellite collisions"; + path = "/var/lib/git/repositories/SatelliteComputation.git"; + section = "Jugend Forscht 2017"; + owner = "emile"; + }; + GalaxyGeneration = { + desc = "Generating Galaxies"; + path = "/var/lib/git/repositories/GalaxyGeneration.git"; + section = "Jugend Forscht 2018"; + owner = "emile"; + }; + + brute-force = { + desc = "A simple benchmark showing how slow this can be"; + path = "/var/lib/git/repositories/galaxy-sim-brute-force.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + generatePointcloud = { + desc = "Generate pointclouds using the NFW profile"; + path = "/var/lib/git/repositories/generatePointcloud.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + quadtree = { + desc = "Simple quadtree implementation"; + path = "/var/lib/git/repositories/quadtree.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + viewer = { + desc = "A viewer for galaxies stored in trees"; + path = "/var/lib/git/repositories/viewer.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + structs = { + desc = "All of the structures used in the GalaxySimulator"; + path = "/var/lib/git/repositories/structs.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + simulator-container-rewrite = { + desc = "Clean rewrite of the simulator-container"; + path = "/var/lib/git/repositories/simulator-container-rewrite.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + simulator-container = { + desc = "Simulating the new position of a galaxye"; + path = "/var/lib/git/repositories/simulator-container.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + pres = { + desc = "Presentation material"; + path = "/var/lib/git/repositories/pres.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + manager-container = { + desc = "The overall manager"; + path = "/var/lib/git/repositories/manager-container.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + generator-container = { + desc = "Generates point clouds using the NFW profile"; + path = "/var/lib/git/repositories/generator-container.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + frontpage = { + desc = "Web page showing people what the project is about"; + path = "/var/lib/git/repositories/frontpage.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + distributor = { + desc = "Distributing tasks"; + path = "/var/lib/git/repositories/distributor-container.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + db-controller = { + desc = "Interaction with the Database"; + path = "/var/lib/git/repositories/db-controller.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + db-container = { + desc = "The main database"; + path = "/var/lib/git/repositories/db-container.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + db-actions = { + desc = "Actions to be performed on the batabase"; + path = "/var/lib/git/repositories/db-actions.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + Writeup = { + desc = "Writeups using LaTeX"; + path = "/var/lib/git/repositories/Writeup.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + Source = { + desc = "Code from the beginning"; + path = "/var/lib/git/repositories/Source.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + NFW-container = { + desc = "A container purely for generating galaxies"; + path = "/var/lib/git/repositories/NFW-container.git"; + section = "Jugend Forscht 2019"; + owner = "emile"; + }; + + # games + "0h-gamejam-game" = { + desc = "Created a game in 0 hours"; + path = "/var/lib/git/repositories/0hour-gamejam-game.git"; + section = "Games"; + owner = "emile"; + }; + + # 3D + "3D" = { + desc = "3D models"; + path = "/var/lib/git/repositories/3D.git"; + section = "3D"; + owner = "emile"; + }; + + # http + faila = { + desc = "The caddy fileserver look, but int pure golang"; + path = "/var/lib/git/repositories/faila.git"; + section = "HTTP"; + owner = "emile"; + }; + faila2 = { + desc = "faila, but simpler"; + path = "/var/lib/git/repositories/faila2.git"; + section = "HTTP"; + owner = "emile"; + }; + gofuzz = { + desc = "wfuzz, but in go. Didn't know ffuf at the time"; + path = "/var/lib/git/repositories/gofuzz.git"; + section = "HTTP"; + owner = "emile"; + }; + graphClicker = { + desc = "A metrics bundler, but with a simple web interface"; + path = "/var/lib/git/repositories/graphClicker.git"; + section = "HTTP"; + owner = "emile"; + }; + randomHttp = { + desc = "A simple HTTP server returning random HTTP codes"; + path = "/var/lib/git/repositories/randomHTTP.git"; + section = "HTTP"; + owner = "emile"; + }; + redir = { + desc = "A webserver with the soul purpose of redirecting."; + path = "/var/lib/git/repositories/redir.git"; + section = "HTTP"; + owner = "emile"; + }; + reqlog = { + desc = "A simple request logger"; + path = "/var/lib/git/repositories/reqlog.git"; + section = "HTTP"; + owner = "emile"; + }; + + # honeypot + ssh-catch-test = { + desc = "A simple honeypot emulating an ssh server."; + path = "/var/lib/git/repositories/ssh-catch-test.git"; + section = "Honeypot"; + owner = "emile"; + }; + honeypot-monitoring = { + desc = "Grafana + Prometheus monitoring"; + path = "/var/lib/git/repositories/honeypot-monitoring.git"; + section = "Honeypot"; + owner = "emile"; + }; + ftp-grab-password = { + desc = "Grab ftp creds (made by twink0r)"; + path = "/var/lib/git/repositories/ftp-grab-password.git"; + section = "Honeypot"; + owner = "emile"; + }; + log-analyzer = { + desc = "Analyse the logs"; + path = "/var/lib/git/repositories/honeypot-log-analyzer.git"; + section = "Honeypot"; + owner = "emile"; + }; + http-grab-basicauth = { + desc = "Grab basicauth creds (made by maride)"; + path = "/var/lib/git/repositories/http-grab-basicauth.git"; + section = "Honeypot"; + owner = "emile"; + }; + http-grab-url = { + desc = "Grab urls (made by twink0r)"; + path = "/var/lib/git/repositories/http-grab-url.git"; + section = "Honeypot"; + owner = "emile"; + }; + ssh-grab-keypass = { + desc = "Grab keys from ssh logins (made by maride)"; + path = "/var/lib/git/repositories/ssh-grab-keypass.git"; + section = "Honeypot"; + owner = "emile"; + }; + ssh-grab-passwords = { + desc = "Grab passwords from ssh logins (made by maride)"; + path = "/var/lib/git/repositories/ssh-grab-passwords.git"; + section = "Honeypot"; + owner = "emile"; + }; + ssh-grab-passwords-map = { + desc = "A nice visual map of the login attempts"; + path = "/var/lib/git/repositories/ssh-grab-passwords-map.git"; + section = "Honeypot"; + owner = "emile"; + }; # fuzzing - stdin-to-tcp = { - desc = "Bending stdin to tcp"; - path = "/var/lib/git/repositories/stdin-to-tcp.git"; - section = "Fuzzing"; - owner = "emile"; - }; - - # firmware - firmware = { - desc = "Gathering firmware via nix"; - path = "/var/lib/git/repositories/firmware.git"; - section = "Firmware"; - owner = "emile"; - }; - - # crypto - Substitution-Cracker = { - desc = "Some code for cracking substitution ciphers"; - path = "/var/lib/git/repositories/Substitution-Cracker.git"; - section = "Crypto"; - owner = "emile"; - }; - - # fun - giff = { - desc = "A party service: give it gifs and it'll play them"; - path = "/var/lib/git/repositories/giff.git"; - section = "Fun"; - owner = "emile"; - }; - pixeltsunami = { - desc = "The obligatory pixelflut client"; - path = "/var/lib/git/repositories/pixeltsunami.git"; - section = "Fun"; - owner = "emile"; - }; - - # circus - companion = { - desc = "The companion spawned for one user."; - path = "/var/lib/git/repositories/companion.git"; - section = "Circus"; - owner = "emile"; - }; - compose = { - desc = "The docker-compose foo"; - path = "/var/lib/git/repositories/compose.git"; - section = "Circus"; - owner = "emile"; - }; - container-manager = { - desc = "The meta container managemer"; - path = "/var/lib/git/repositories/container-manager.git"; - section = "Circus"; - owner = "emile"; - }; - landingpage = { - desc = "The landing page"; - path = "/var/lib/git/repositories/landingpage.git"; - section = "Circus"; - owner = "emile"; - }; - manager = { - desc = "The manager"; - path = "/var/lib/git/repositories/manager.git"; - section = "Circus"; - owner = "emile"; - }; - register = { - desc = "The registration"; - path = "/var/lib/git/repositories/register.git"; - section = "Circus"; - owner = "emile"; - }; - scoreboard = { - desc = "The scoreboard"; - path = "/var/lib/git/repositories/scoreboard.git"; - section = "Circus"; - owner = "emile"; - }; - static = { - desc = "Some static files"; - path = "/var/lib/git/repositories/static.git"; - section = "Circus"; - owner = "emile"; - }; - vpn = { - desc = "The VPN stuff"; - path = "/var/lib/git/repositories/vpn.git"; - section = "Circus"; - owner = "emile"; - }; - - # articles - barnes-hut = { - desc = "A one pager compressing the JuFo19 project"; - path = "/var/lib/git/repositories/barnes-hut.git"; - section = "Articles"; - owner = "emile"; - }; - - # satellite - tle = { - desc = "golang tle lib"; - path = "/var/lib/git/repositories/tle.git"; - section = "Satellite"; - owner = "emile"; - }; - tle2json = { - desc = "golang tle to json"; - path = "/var/lib/git/repositories/tle2json.git"; - section = "Satellite"; - owner = "emile"; - }; - }; - settings = { - css = "https://emile.space/cgit.css"; - root-title = "git.emile.space"; - root-desc = ""; - - enable-index-owner = 0; # why show this? I own 'em all! - enable-commit-graph = 1; - max-repo-count = 5000; # like: why not? - - readme = ":README.md"; - about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh"; - source-filter = "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py"; - - summary-log = 50; + stdin-to-tcp = { + desc = "Bending stdin to tcp"; + path = "/var/lib/git/repositories/stdin-to-tcp.git"; + section = "Fuzzing"; + owner = "emile"; + }; + + # firmware + firmware = { + desc = "Gathering firmware via nix"; + path = "/var/lib/git/repositories/firmware.git"; + section = "Firmware"; + owner = "emile"; + }; + + # crypto + Substitution-Cracker = { + desc = "Some code for cracking substitution ciphers"; + path = "/var/lib/git/repositories/Substitution-Cracker.git"; + section = "Crypto"; + owner = "emile"; + }; + + # fun + giff = { + desc = "A party service: give it gifs and it'll play them"; + path = "/var/lib/git/repositories/giff.git"; + section = "Fun"; + owner = "emile"; + }; + pixeltsunami = { + desc = "The obligatory pixelflut client"; + path = "/var/lib/git/repositories/pixeltsunami.git"; + section = "Fun"; + owner = "emile"; + }; + + # circus + companion = { + desc = "The companion spawned for one user."; + path = "/var/lib/git/repositories/companion.git"; + section = "Circus"; + owner = "emile"; + }; + compose = { + desc = "The docker-compose foo"; + path = "/var/lib/git/repositories/compose.git"; + section = "Circus"; + owner = "emile"; + }; + container-manager = { + desc = "The meta container managemer"; + path = "/var/lib/git/repositories/container-manager.git"; + section = "Circus"; + owner = "emile"; + }; + landingpage = { + desc = "The landing page"; + path = "/var/lib/git/repositories/landingpage.git"; + section = "Circus"; + owner = "emile"; + }; + manager = { + desc = "The manager"; + path = "/var/lib/git/repositories/manager.git"; + section = "Circus"; + owner = "emile"; + }; + register = { + desc = "The registration"; + path = "/var/lib/git/repositories/register.git"; + section = "Circus"; + owner = "emile"; + }; + scoreboard = { + desc = "The scoreboard"; + path = "/var/lib/git/repositories/scoreboard.git"; + section = "Circus"; + owner = "emile"; + }; + static = { + desc = "Some static files"; + path = "/var/lib/git/repositories/static.git"; + section = "Circus"; + owner = "emile"; + }; + vpn = { + desc = "The VPN stuff"; + path = "/var/lib/git/repositories/vpn.git"; + section = "Circus"; + owner = "emile"; + }; + + # articles + barnes-hut = { + desc = "A one pager compressing the JuFo19 project"; + path = "/var/lib/git/repositories/barnes-hut.git"; + section = "Articles"; + owner = "emile"; + }; + + # satellite + tle = { + desc = "golang tle lib"; + path = "/var/lib/git/repositories/tle.git"; + section = "Satellite"; + owner = "emile"; + }; + tle2json = { + desc = "golang tle to json"; + path = "/var/lib/git/repositories/tle2json.git"; + section = "Satellite"; + owner = "emile"; + }; + }; + settings = { + css = "https://emile.space/cgit.css"; + root-title = "git.emile.space"; + root-desc = ""; + + enable-index-owner = 0; # why show this? I own 'em all! + enable-commit-graph = 1; + max-repo-count = 5000; # like: why not? + + readme = ":README.md"; + about-filter = "${pkgs.cgit-pink}/lib/cgit/filters/about-formatting.sh"; + source-filter = "${pkgs.cgit-pink}/lib/cgit/filters/syntax-highlighting.py"; + + summary-log = 50; # mobile friendly - head-include = builtins.toFile "cgit_head.html" '' - <meta name="viewport" content="width=device-width initial-scale=1.0"/> - ''; - - footer = builtins.toFile "cgit_footer.html" '' - <div class="footer"> - <div class="float-left"> - generated by <a href='https://git.causal.agency/cgit-pink/'>cgit-pink ${pkgs.cgit-pink.version}</a> - </div> - <div class="float-right"> - <a href="https://social.emile.space/@hanemile/feed.rss" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/rss.svg" alt="rss feed of @hanemile@chaos.social mastodon" height="32px"></a> - <a href="https://lieu.cblgh.org/" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/lieu.svg" alt="lieu webring search engine" height="32px"></a> - <a href="https://webring.xxiivv.com/#emile" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/webring.svg" alt="XXIIVV webring" height="32px"></a> - <a rel="me" href="https://social.emile.space/@hanemile" target="_blank" class="icon"><img class="webring" src="https://emile.space/activitypub.svg" alt="activitypub" height="32px"/></a> - </div> - ''; - - }; - }; - - # access control - gitolite = { - enable = true; - - dataDir = "/var/lib/git"; - - user = "git"; - group = "git"; - - description = "emile"; - - adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan"; - extraGitoliteRc = '' - $RC{UMASK} = 0027; - $RC{GIT_CONFIG_KEYS} = '.*'; - ''; - }; - - # exposing stuff - gitDaemon = { - enable = false; - - user = "git"; - group = "git"; - - repositories = []; # use all repos under basePath - exportAll = true; - basePath = "/var/lib/git/repositories"; - - listenAddress = "git.emile.space"; - port = config.emile.ports.gitDaemon; - - options = "--timeout=30"; # extra Config - }; - }; + head-include = builtins.toFile "cgit_head.html" '' + <meta name="viewport" content="width=device-width initial-scale=1.0"/> + ''; + + footer = builtins.toFile "cgit_footer.html" '' + <div class="footer"> + <div class="float-left"> + generated by <a href='https://git.causal.agency/cgit-pink/'>cgit-pink ${pkgs.cgit-pink.version}</a> + </div> + <div class="float-right"> + <a href="https://social.emile.space/@hanemile/feed.rss" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/rss.svg" alt="rss feed of @hanemile@chaos.social mastodon" height="32px"></a> + <a href="https://lieu.cblgh.org/" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/lieu.svg" alt="lieu webring search engine" height="32px"></a> + <a href="https://webring.xxiivv.com/#emile" target="_blank" rel="noopener" class="icon"><img class="webring" src="https://emile.space/webring.svg" alt="XXIIVV webring" height="32px"></a> + <a rel="me" href="https://social.emile.space/@hanemile" target="_blank" class="icon"><img class="webring" src="https://emile.space/activitypub.svg" alt="activitypub" height="32px"/></a> + </div> + ''; + + }; + }; + + # access control + gitolite = { + enable = true; + + dataDir = "/var/lib/git"; + + user = "git"; + group = "git"; + + description = "emile"; + + adminPubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPZi43zHEsoWaQomLGaftPE5k0RqVrZyiTtGqZlpWsew emile@caladan"; + extraGitoliteRc = '' + $RC{UMASK} = 0027; + $RC{GIT_CONFIG_KEYS} = '.*'; + ''; + }; + + # exposing stuff + gitDaemon = { + enable = false; + + user = "git"; + group = "git"; + + repositories = [ ]; # use all repos under basePath + exportAll = true; + basePath = "/var/lib/git/repositories"; + + listenAddress = "git.emile.space"; + port = config.emile.ports.gitDaemon; + + options = "--timeout=30"; # extra Config + }; + }; users.extraUsers.nginx.extraGroups = [ "git" ]; - # Have to use lib.mkForce below, as the gitolite and gitDaemon user both - # configure the git user and group (differently) + # Have to use lib.mkForce below, as the gitolite and gitDaemon user both + # configure the git user and group (differently) users.users.git = { isSystemUser = true; useDefaultShell = true; - description = lib.mkForce "cgit-pink, gitolite and gitDaemon"; + description = lib.mkForce "cgit-pink, gitolite and gitDaemon"; group = "git"; extraGroups = [ "gitea" ]; home = "/var/lib/git"; uid = lib.mkForce 127; }; users.groups.git = { - gid = lib.mkForce 127; - }; + gid = lib.mkForce 127; + }; } diff --git a/nix/hosts/corrino/www/git/default.nix b/nix/hosts/corrino/www/git/default.nix index 9c76441..92fb85b 100644 --- a/nix/hosts/corrino/www/git/default.nix +++ b/nix/hosts/corrino/www/git/default.nix @@ -1,7 +1,5 @@ { ... }: { - imports = [ - ./cgit.nix - ]; + imports = [ ./cgit.nix ]; } diff --git a/nix/hosts/corrino/www/git/git.nix b/nix/hosts/corrino/www/git/git.nix index d815f9c..3a2b9da 100644 --- a/nix/hosts/corrino/www/git/git.nix +++ b/nix/hosts/corrino/www/git/git.nix @@ -1,8 +1,14 @@ -{ lib, pkgs, config, ... }: +{ + lib, + pkgs, + config, + ... +}: let cfg = config.services.gitea; -in { +in +{ services.nginx.virtualHosts."git.emile.space" = { forceSSL = true; enableACME = true; @@ -21,24 +27,22 @@ in { }; }; - # auth via authelia - services.authelia.instances.main.settings.identity_providers.oidc.clients = [ - { - id = "git"; - - # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$4bi9wRkfcqnjbdmgt7rU.g$pQ2mC6GW4.BQwanGKKFhFyIx6Y.WY80xd/YpmlYOPnlnGBWpp0dSOTv6a/2yqSA5D.EuRkGCyeexSE5FdCK2TA"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = [ - "https://git.emile.space/user/oauth2/authelia/callback" - ]; - scopes = [ - "openid" - "email" - "profile" - ]; - } + # auth via authelia + services.authelia.instances.main.settings.identity_providers.oidc.clients = [ + { + id = "git"; + + # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 + secret = "$pbkdf2-sha512$310000$4bi9wRkfcqnjbdmgt7rU.g$pQ2mC6GW4.BQwanGKKFhFyIx6Y.WY80xd/YpmlYOPnlnGBWpp0dSOTv6a/2yqSA5D.EuRkGCyeexSE5FdCK2TA"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ "https://git.emile.space/user/oauth2/authelia/callback" ]; + scopes = [ + "openid" + "email" + "profile" + ]; + } ]; services.gitea = rec { diff --git a/nix/hosts/corrino/www/grafana.emile.space.nix b/nix/hosts/corrino/www/grafana.emile.space.nix index eaf88b5..8e7d529 100644 --- a/nix/hosts/corrino/www/grafana.emile.space.nix +++ b/nix/hosts/corrino/www/grafana.emile.space.nix @@ -7,16 +7,16 @@ addSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/"; - proxyWebsockets = true; + proxyPass = "http://${toString config.services.grafana.settings.server.http_addr}:${toString config.services.grafana.settings.server.http_port}/"; + proxyWebsockets = true; }; }; "prometheus.emile.space" = { addSSL = true; enableACME = true; locations."/" = { - proxyPass = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}/"; - proxyWebsockets = true; + proxyPass = "http://${config.services.prometheus.listenAddress}:${toString config.services.prometheus.port}/"; + proxyWebsockets = true; }; }; }; diff --git a/nix/hosts/corrino/www/grafana_full.emile.space.nix b/nix/hosts/corrino/www/grafana_full.emile.space.nix index 8a9aa02..3dc05dc 100644 --- a/nix/hosts/corrino/www/grafana_full.emile.space.nix +++ b/nix/hosts/corrino/www/grafana_full.emile.space.nix @@ -2,7 +2,8 @@ let cfg = config.services.grafana; -in { +in +{ services.nginx.virtualHosts."git.emile.space" = { forceSSL = true; enableACME = true; @@ -69,7 +70,7 @@ in { allow_sign_up = false; # Set to false to prohibit users from creating new organizations. - allow_org_create = false; + allow_org_create = false; }; smtp = { @@ -79,11 +80,11 @@ in { # StartTLS policy when connecting to server. # null or one of "OpportunisticStartTLS", "MandatoryStartTLS", "NoStartTLS" startTLS_policy = null; - + # Verify SSL for SMTP server. skip_verify = false; - # Password used for authentication. Please note that the contents of this option will end up in a world-readable Nix store. Use the file provider pointing at a reasonably secured file in the local filesystem to work around that. Look at the documentation for details: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider + # Password used for authentication. Please note that the contents of this option will end up in a world-readable Nix store. Use the file provider pointing at a reasonably secured file in the local filesystem to work around that. Look at the documentation for details: https://grafana.com/docs/grafana/latest/setup-grafana/configure-grafana/#file-provider password = ""; # File path to a key file. @@ -201,13 +202,13 @@ in { disable_brute_force_login_protection = false; # Define a whitelist of allowed IP addresses or domains, with ports, to be used in data source URLs with the Grafana data source proxy. Format: ip_or_domain:port separated by spaces. PostgreSQL, MySQL, and MSSQL data sources do not use the proxy and are therefore unaffected by this setting. - data_source_proxy_whitelist = []; + data_source_proxy_whitelist = [ ]; # List of additional allowed URLs to pass by the CSRF check. Suggested when authentication comes from an IdP. - csrf_trusted_origins = []; + csrf_trusted_origins = [ ]; # List of allowed headers to be set by the user. Suggested to use for if authentication lives behind reverse proxies. - csrf_additional_headers = []; + csrf_additional_headers = [ ]; # Set to true if you host Grafana behind HTTPS. cookie_secure = true; @@ -437,4 +438,4 @@ in { }; }; -} \ No newline at end of file +} diff --git a/nix/hosts/corrino/www/hydra.emile.space.nix b/nix/hosts/corrino/www/hydra.emile.space.nix index 6628a67..e89888b 100644 --- a/nix/hosts/corrino/www/hydra.emile.space.nix +++ b/nix/hosts/corrino/www/hydra.emile.space.nix @@ -22,9 +22,7 @@ enable = true; package = pkgs.hydra_unstable.overrideAttrs (old: { - patches = (if old ? patches then old.patches else []) ++ [ - ./hydra.patch - ]; + patches = (if old ? patches then old.patches else [ ]) ++ [ ./hydra.patch ]; }); listenHost = "*"; @@ -35,11 +33,10 @@ gcRootsDir = "/nix/var/nix/gcroots/hydra"; # a standalone hydra will require you to unset the buildMachinesFiles list to avoid using a nonexistant /etc/nix/hosts - buildMachinesFiles = []; + buildMachinesFiles = [ ]; # you will probably also want, otherwise *everything* will be built from scratch useSubstitutes = true; - # notification settings smtpHost = "mail.emile.space"; notificationSender = "hydra@emile.space"; @@ -59,6 +56,6 @@ </git-input> binary_cache_public_uri = https://nix-cache.emile.space ''; - # evaluator_restrict_eval = false + # evaluator_restrict_eval = false }; } diff --git a/nix/hosts/corrino/www/irc.emile.space.nix b/nix/hosts/corrino/www/irc.emile.space.nix index f738d62..ac00445 100644 --- a/nix/hosts/corrino/www/irc.emile.space.nix +++ b/nix/hosts/corrino/www/irc.emile.space.nix @@ -1,155 +1,155 @@ { config, ... }: { - # Create a tls cert for the irc server - security.acme.certs = { - "irc.emile.space" = { - webroot = "/var/lib/acme/acme-challenge/"; - email = "acme@emile.space"; - postRun = "cp fullchain.pem /home/ergo/ && cp key.pem /home/ergo && chown ergo:ergo /home/ergo/*.pem && systemctl reload ergo.service"; - }; - }; + # Create a tls cert for the irc server + security.acme.certs = { + "irc.emile.space" = { + webroot = "/var/lib/acme/acme-challenge/"; + email = "acme@emile.space"; + postRun = "cp fullchain.pem /home/ergo/ && cp key.pem /home/ergo && chown ergo:ergo /home/ergo/*.pem && systemctl reload ergo.service"; + }; + }; - # Allow ergo to access the created cert - # The systemd server runs using a dynamic user, so the below inserts the .pem files - # into "/run/credentials/ergochat.service/key.pem" - systemd.services.ergochat.serviceConfig = { - LoadCredential = [ - "fullchain.pem:/var/lib/acme/irc.emile.space/fullchain.pem" - "key.pem:/var/lib/acme/irc.emile.space/key.pem" - ]; - }; + # Allow ergo to access the created cert + # The systemd server runs using a dynamic user, so the below inserts the .pem files + # into "/run/credentials/ergochat.service/key.pem" + systemd.services.ergochat.serviceConfig = { + LoadCredential = [ + "fullchain.pem:/var/lib/acme/irc.emile.space/fullchain.pem" + "key.pem:/var/lib/acme/irc.emile.space/key.pem" + ]; + }; - # allow connections to the port from the "outside" + # allow connections to the port from the "outside" networking.firewall.allowedTCPPorts = [ config.emile.ports.irc.ssl ]; - services.ergochat = { - enable = true; + services.ergochat = { + enable = true; - # https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml - settings = { - accounts = { - authentication-enabled = true; - multiclient = { - allowed-by-default = true; - always-on = "opt-out"; - auto-away = "opt-out"; - enabled = true; - }; - registration = { - enabled = true; - allow-before-connect = true; - bcrypt-cost = 4; - email-verification = { - enabled = false; - }; - throttling = { - duration = "10m"; - enabled = true; - max-attempts = 30; - }; - }; - }; - channels = { - default-modes = "+ntC"; - registration = { - enabled = true; - }; - }; - datastore = { - autoupgrade = true; - path = "/var/lib/ergo/ircd.db"; - }; - history = { - enabled = true; - autoreplay-on-join = 0; - autoresize-window = "3d"; - channel-length = 2048; - chathistory-maxmessages = 100; - client-length = 256; - restrictions = { - expire-time = "1w"; - grace-period = "1h"; - query-cutoff = "none"; - }; - retention = { - allow-individual-delete = false; - enable-account-indexing = false; - }; - tagmsg-storage = { - default = false; - whitelist = [ - "+draft/react" - "+react" - ]; - }; - znc-maxmessages = 2048; - }; - limits = { - awaylen = 390; - channellen = 64; - identlen = 20; - kicklen = 390; - nicklen = 32; - topiclen = 390; - }; - network = { - name = "emilespace"; - }; - server = { - casemapping = "permissive"; - check-ident = false; - enforce-utf = true; - forward-confirm-hostnames = false; - ip-cloaking = { - enabled = false; - }; - ip-limits = { - count = false; - throttle = false; - }; - listeners = { - # sts only port - ":6667".sts-only = true; + # https://raw.githubusercontent.com/ergochat/ergo/master/default.yaml + settings = { + accounts = { + authentication-enabled = true; + multiclient = { + allowed-by-default = true; + always-on = "opt-out"; + auto-away = "opt-out"; + enabled = true; + }; + registration = { + enabled = true; + allow-before-connect = true; + bcrypt-cost = 4; + email-verification = { + enabled = false; + }; + throttling = { + duration = "10m"; + enabled = true; + max-attempts = 30; + }; + }; + }; + channels = { + default-modes = "+ntC"; + registration = { + enabled = true; + }; + }; + datastore = { + autoupgrade = true; + path = "/var/lib/ergo/ircd.db"; + }; + history = { + enabled = true; + autoreplay-on-join = 0; + autoresize-window = "3d"; + channel-length = 2048; + chathistory-maxmessages = 100; + client-length = 256; + restrictions = { + expire-time = "1w"; + grace-period = "1h"; + query-cutoff = "none"; + }; + retention = { + allow-individual-delete = false; + enable-account-indexing = false; + }; + tagmsg-storage = { + default = false; + whitelist = [ + "+draft/react" + "+react" + ]; + }; + znc-maxmessages = 2048; + }; + limits = { + awaylen = 390; + channellen = 64; + identlen = 20; + kicklen = 390; + nicklen = 32; + topiclen = 390; + }; + network = { + name = "emilespace"; + }; + server = { + casemapping = "permissive"; + check-ident = false; + enforce-utf = true; + forward-confirm-hostnames = false; + ip-cloaking = { + enabled = false; + }; + ip-limits = { + count = false; + throttle = false; + }; + listeners = { + # sts only port + ":6667".sts-only = true; - # loopback listeners - # "127.0.0.1:6668" = {}; - # "[::]:6668" = {}; + # loopback listeners + # "127.0.0.1:6668" = {}; + # "[::]:6668" = {}; - ":${toString config.emile.ports.irc.ssl}" = { - tls = { - cert = "/run/credentials/ergochat.service/fullchain.pem"; - key = "/run/credentials/ergochat.service/key.pem"; - }; + ":${toString config.emile.ports.irc.ssl}" = { + tls = { + cert = "/run/credentials/ergochat.service/fullchain.pem"; + key = "/run/credentials/ergochat.service/key.pem"; + }; - # for cloud load balancers setting a PROXY header, NOT reverse proxies... - proxy = false; + # for cloud load balancers setting a PROXY header, NOT reverse proxies... + proxy = false; - min-tls-version = 1.2; - }; - }; - lookup-hostnames = false; - max-sendq = "1M"; - name = "emile.space"; - relaymsg = { - enabled = false; - }; - sts = { - enabled = true; # redirect from plain to tls if supported + min-tls-version = 1.2; + }; + }; + lookup-hostnames = false; + max-sendq = "1M"; + name = "emile.space"; + relaymsg = { + enabled = false; + }; + sts = { + enabled = true; # redirect from plain to tls if supported - # how long clients should be forced to use TLS for. - # (Emile): no clue why, can I set something like \infty here? - duration = "12m"; + # how long clients should be forced to use TLS for. + # (Emile): no clue why, can I set something like \infty here? + duration = "12m"; - }; - }; - logging = [ - { - method = "stderr"; - type = "* -userinput -useroutput"; - level = "debug"; - } - ]; - }; - }; + }; + }; + logging = [ + { + method = "stderr"; + type = "* -userinput -useroutput"; + level = "debug"; + } + ]; + }; + }; } diff --git a/nix/hosts/corrino/www/magic-hash.emile.space.nix b/nix/hosts/corrino/www/magic-hash.emile.space.nix index f41fb80..48d0f47 100644 --- a/nix/hosts/corrino/www/magic-hash.emile.space.nix +++ b/nix/hosts/corrino/www/magic-hash.emile.space.nix @@ -17,9 +17,7 @@ containers = { "ctfd" = { image = "magic-hash"; - ports = [ - "${toString config.emile.ports.magic-hash}:80" - ]; + ports = [ "${toString config.emile.ports.magic-hash}:80" ]; environment = { # this is not encouraged, but should work for the weekend (this is a diff --git a/nix/hosts/corrino/www/netbox.emile.space.nix b/nix/hosts/corrino/www/netbox.emile.space.nix index fdfadc0..25ea7e3 100644 --- a/nix/hosts/corrino/www/netbox.emile.space.nix +++ b/nix/hosts/corrino/www/netbox.emile.space.nix @@ -23,7 +23,7 @@ dataDir = "/var/lib/netbox"; settings.ALLOWED_HOSTS = [ "*" ]; enableLdap = false; - settings = {}; + settings = { }; secretKeyFile = config.age.secrets.netbox_secret.path; port = config.emile.ports.netbox; listenAddress = "[::1]"; @@ -60,4 +60,3 @@ # }; # users.users.nginx.extraGroups = [ "netbox" ]; } - diff --git a/nix/hosts/corrino/www/nix-cache/default.nix b/nix/hosts/corrino/www/nix-cache/default.nix index da2537c..de4a849 100644 --- a/nix/hosts/corrino/www/nix-cache/default.nix +++ b/nix/hosts/corrino/www/nix-cache/default.nix @@ -1,7 +1,5 @@ { ... }: { - imports = [ - ./nix-cache.emile.space.nix - ]; + imports = [ ./nix-cache.emile.space.nix ]; } diff --git a/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix b/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix index 690e422..c8f7264 100644 --- a/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix +++ b/nix/hosts/corrino/www/nix-cache/nix-cache.emile.space.nix @@ -1,10 +1,10 @@ { ... }: { - services.nginx.virtualHosts."nix-cache.emile.space" = { - forceSSL = false; - enableACME = false; - }; + services.nginx.virtualHosts."nix-cache.emile.space" = { + forceSSL = false; + enableACME = false; + }; # locations = { # "/" = { # root = "/var/www/emile.space"; @@ -12,10 +12,10 @@ # add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; # ''; # }; - # }; - # locations."= /" = { - # index = "/index.txt"; - # }; + # }; + # locations."= /" = { + # index = "/index.txt"; + # }; # locations."= /index.txt" = { # root = ./index.txt; # }; @@ -32,27 +32,27 @@ # ''; # }; # locations."/" = { - # proxyPass = "http://${config.services.harmonia.settings.bind}"; - # extraConfig = '' - # proxy_set_header Host $host; - # proxy_redirect http:// https://; - # proxy_http_version 1.1; - # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - # proxy_set_header Upgrade $http_upgrade; - # proxy_set_header Connection $connection_upgrade; + # proxyPass = "http://${config.services.harmonia.settings.bind}"; + # extraConfig = '' + # proxy_set_header Host $host; + # proxy_redirect http:// https://; + # proxy_http_version 1.1; + # proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + # proxy_set_header Upgrade $http_upgrade; + # proxy_set_header Connection $connection_upgrade; - # zstd on; - # zstd_types application/x-nix-archive; - # ''; - # }; - # }; + # zstd on; + # zstd_types application/x-nix-archive; + # ''; + # }; + # }; - # services.harmonia = { - # enable = true; + # services.harmonia = { + # enable = true; - # # TODO(emile): manage this using age - # signKeyPath = "/var/lib/secrets/harmonia.secret"; + # # TODO(emile): manage this using age + # signKeyPath = "/var/lib/secrets/harmonia.secret"; - # settings.bind = "[::1]:${toString config.emile.ports.harmonia}"; - # }; + # settings.bind = "[::1]:${toString config.emile.ports.harmonia}"; + # }; } diff --git a/nix/hosts/corrino/www/photo/default.nix b/nix/hosts/corrino/www/photo/default.nix index dd555e4..46266ae 100644 --- a/nix/hosts/corrino/www/photo/default.nix +++ b/nix/hosts/corrino/www/photo/default.nix @@ -1,8 +1,8 @@ { ... }: { - imports = [ - ./photoprism.nix - # ./immich.nix - ]; + imports = [ + ./photoprism.nix + # ./immich.nix + ]; } diff --git a/nix/hosts/corrino/www/s3.emile.space.nix b/nix/hosts/corrino/www/s3.emile.space.nix index f1300f7..b4646ad 100644 --- a/nix/hosts/corrino/www/s3.emile.space.nix +++ b/nix/hosts/corrino/www/s3.emile.space.nix @@ -21,19 +21,19 @@ }; }; - services.minio = { - enable = true; - region = "eu-north-1-hel-1a"; # corrino is in the helsinki hetzner dc + services.minio = { + enable = true; + region = "eu-north-1-hel-1a"; # corrino is in the helsinki hetzner dc - listenAddress = "[::1]:${toString config.emile.ports.minio.s3}"; + listenAddress = "[::1]:${toString config.emile.ports.minio.s3}"; - browser = true; - consoleAddress = "[::1]:${toString config.emile.ports.minio.web}"; + browser = true; + consoleAddress = "[::1]:${toString config.emile.ports.minio.web}"; - dataDir = [ "/minio/data" ]; - configDir = "/minio/config"; + dataDir = [ "/minio/data" ]; + configDir = "/minio/config"; - rootCredentialsFile = config.age.secrets.minio_root_credz.path; - # accessKey - }; + rootCredentialsFile = config.age.secrets.minio_root_credz.path; + # accessKey + }; } diff --git a/nix/hosts/corrino/www/social.emile.space.nix b/nix/hosts/corrino/www/social.emile.space.nix index 9f9a6f1..47c5015 100644 --- a/nix/hosts/corrino/www/social.emile.space.nix +++ b/nix/hosts/corrino/www/social.emile.space.nix @@ -2,14 +2,14 @@ { - # the reverse proxy to gotosocial + # the reverse proxy to gotosocial services.nginx.virtualHosts."social.emile.space" = { forceSSL = true; enableACME = true; locations = { "/" = { proxyPass = "http://127.0.0.1:${toString config.emile.ports.gotosocial}"; - proxyWebsockets = true; + proxyWebsockets = true; extraConfig = '' client_max_body_size 40M; ''; @@ -18,79 +18,74 @@ }; }; - # Redirects from emile.space to social.emile.space - # Without this, other instances have problems getting from the username - # @hanemile@emile.space to the host social.emile.space - # https://docs.gotosocial.org/en/latest/advanced/host-account-domain/ + # Redirects from emile.space to social.emile.space + # Without this, other instances have problems getting from the username + # @hanemile@emile.space to the host social.emile.space + # https://docs.gotosocial.org/en/latest/advanced/host-account-domain/ services.nginx.virtualHosts."emile.space" = { locations = { - "/.well-known/webfinger".extraConfig = '' - rewrite ^.*$ https://social.emile.space/.well-known/webfinger permanent; + "/.well-known/webfinger".extraConfig = '' + rewrite ^.*$ https://social.emile.space/.well-known/webfinger permanent; ''; - "/.well-known/host-meta".extraConfig = '' - rewrite ^.*$ https://social.emile.space/.well-known/host-meta permanent; - ''; + "/.well-known/host-meta".extraConfig = '' + rewrite ^.*$ https://social.emile.space/.well-known/host-meta permanent; + ''; - "/.well-known/nodeinfo".extraConfig = '' - rewrite ^.*$ https://social.emile.space/.well-known/nodeinfo permanent; - ''; - }; - }; + "/.well-known/nodeinfo".extraConfig = '' + rewrite ^.*$ https://social.emile.space/.well-known/nodeinfo permanent; + ''; + }; + }; + # auth via authelia + services.authelia.instances.main.settings.identity_providers.oidc.clients = [ + { + id = "gotosocial"; - # auth via authelia - services.authelia.instances.main.settings.identity_providers.oidc.clients = [ - { - id = "gotosocial"; + # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 + secret = "$pbkdf2-sha512$310000$oDpZ5FuO965TbjPoophJXw$dbkAwWFvLN1h1Zh9US2ZOE5ilPRdEHMdGF/x0uorou2UqURrXF0KQmXxsV38F2yYMS7u/ecramKlvfMwsqHOcg"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ "https://social.emile.space/auth/callback" ]; + scopes = [ + "openid" + "email" + "profile" + "groups" + ]; + grant_types = [ + "refresh_token" + "authorization_code" + ]; + response_types = [ "code" ]; + response_modes = [ + "form_post" + "query" + "fragment" + ]; + } + ]; - # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$oDpZ5FuO965TbjPoophJXw$dbkAwWFvLN1h1Zh9US2ZOE5ilPRdEHMdGF/x0uorou2UqURrXF0KQmXxsV38F2yYMS7u/ecramKlvfMwsqHOcg"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = [ - "https://social.emile.space/auth/callback" - ]; - scopes = [ - "openid" - "email" - "profile" - "groups" - ]; - grant_types = [ - "refresh_token" - "authorization_code" - ]; - response_types = [ - "code" - ]; - response_modes = [ - "form_post" - "query" - "fragment" - ]; - } - ]; - - services.gotosocial = { - enable = true; - package = pkgs.gotosocial; - settings = { - host = "social.emile.space"; - port = config.emile.ports.gotosocial; - bind-address = "127.0.0.1"; - account-domain = "emile.space"; - db-type = "sqlite"; - db-address = "/var/lib/gotosocial/database.sqlite"; - protocol = "https"; - storage-local-base-path = "/var/lib/gotosocial/storage"; - oidc-idp-name = "authelia"; - oidc-client-id = "gotosocial"; - advanced-rate-limit-requests = 0; - accounts-allow-custom-css = true; - }; - environmentFile = config.age.secrets.gotosocial_environment_file.path; - }; + services.gotosocial = { + enable = true; + package = pkgs.gotosocial; + settings = { + host = "social.emile.space"; + port = config.emile.ports.gotosocial; + bind-address = "127.0.0.1"; + account-domain = "emile.space"; + db-type = "sqlite"; + db-address = "/var/lib/gotosocial/database.sqlite"; + protocol = "https"; + storage-local-base-path = "/var/lib/gotosocial/storage"; + oidc-idp-name = "authelia"; + oidc-client-id = "gotosocial"; + advanced-rate-limit-requests = 0; + accounts-allow-custom-css = true; + }; + environmentFile = config.age.secrets.gotosocial_environment_file.path; + }; systemd.services.gotosocial = { after = [ "authelia-main.service" ]; diff --git a/nix/hosts/corrino/www/sso.emile.space.nix b/nix/hosts/corrino/www/sso.emile.space.nix index 0f77197..e51db9a 100644 --- a/nix/hosts/corrino/www/sso.emile.space.nix +++ b/nix/hosts/corrino/www/sso.emile.space.nix @@ -1,214 +1,212 @@ { config, pkgs, ... }: let - authelia_port = config.services.authelia.instances.main.settings.server.port; -in { - - services.nginx.virtualHosts."sso.emile.space" = { - forceSSL = true; - enableACME = true; - - locations = { - "/" = { - proxyPass = "http://127.0.0.1:${toString authelia_port}"; - - extraConfig = '' - ## Headers - proxy_set_header Host $host; - proxy_set_header X-Original-URL $scheme://$http_host$request_uri; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Host $http_host; - proxy_set_header X-Forwarded-URI $request_uri; - proxy_set_header X-Forwarded-Ssl on; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Real-IP $remote_addr; - - ## Basic Proxy Configuration - client_body_buffer_size 128k; - proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead. - proxy_redirect http:// $scheme://; - proxy_http_version 1.1; - proxy_cache_bypass $cookie_session; - proxy_no_cache $cookie_session; - proxy_buffers 64 256k; - - ## Trusted Proxies Configuration - ## Please read the following documentation before configuring this: - ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies - # set_real_ip_from 10.0.0.0/8; - # set_real_ip_from 172.16.0.0/12; - # set_real_ip_from 192.168.0.0/16; - # set_real_ip_from fc00::/7; - set_real_ip_from 127.0.0.1/32; - real_ip_header X-Forwarded-For; - real_ip_recursive on; - - ## Advanced Proxy Configuration - send_timeout 5m; - proxy_read_timeout 360; - proxy_send_timeout 360; - proxy_connect_timeout 360; - ''; - }; - - "/api/verify" = { - proxyPass = "http://127.0.0.1:${toString authelia_port}"; - }; - - "/api/authz/" = { - proxyPass = "http://127.0.0.1:${toString authelia_port}"; - }; - }; - }; - - # set the permissions for the secrets... - age.secrets = { - # ... passwed via environment vars - authelia_session_secret.owner = "authelia-main"; - authelia_session_secret.group = "authelia-main"; - authelia_mail_password.owner = "authelia-main"; - authelia_mail_password.group = "authelia-main"; - - # ... passed via the services.authelia.instances.main.secrets attribute - authelia_storage_encryption_key.owner = "authelia-main"; - authelia_storage_encryption_key.group = "authelia-main"; - authelia_jwt_secret.owner = "authelia-main"; - authelia_jwt_secret.group = "authelia-main"; - authelia_oidc_issuer_private_key.owner = "authelia-main"; - authelia_oidc_issuer_private_key.group = "authelia-main"; - authelia_oidc_hmac_secret.owner = "authelia-main"; - authelia_oidc_hmac_secret.group = "authelia-main"; - }; - - - services.authelia.instances = { - main = { - enable = true; - package = pkgs.authelia; - - # pass some of the secrets in as env-vars - environmentVariables = with config.age.secrets; { - AUTHELIA_SESSION_SECRET_FILE = authelia_session_secret.path; - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = authelia_mail_password.path; - }; - secrets = with config.age.secrets; { - manual = true; - - # some other secrets can be defined here, but not all... - storageEncryptionKeyFile = authelia_storage_encryption_key.path; - jwtSecretFile = authelia_jwt_secret.path; - oidcIssuerPrivateKeyFile = authelia_oidc_issuer_private_key.path; - oidcHmacSecretFile = authelia_oidc_hmac_secret.path; - }; - settings = { - theme = "dark"; - - server = { - host = "127.0.0.1"; - port = config.emile.ports.authelia; - }; - - # we're using a file to store the user information - authentication_backend = { - refresh_interval = "20s"; - file = { - path = "/var/lib/authelia-main/user.yml"; - watch = true; - password = { - algorithm = "argon2id"; - iterations = 3; - key_length = 32; - salt_length = 16; - memory = 65; - parallelism = 4; - }; - }; - }; - - storage.local.path = "/var/lib/authelia-main/db.sqlite"; - - session = { - domain = "sso.emile.space"; - expiration = 3600; # 1 hour - inactivity = 300; # 5 minutes - }; - - notifier = { - disable_startup_check = false; - smtp = { - host = "mail.emile.space"; - port = 587; - timeout = "30s"; - username = "mail@emile.space"; - - sender = "mail@emile.space"; - subject = "[Authelia] {title}"; - - disable_require_tls = false; - disable_starttls = false; - disable_html_emails = true; - - tls = { - server_name = "mail.emile.space"; - skip_verify = true; - minimum_version = "TLS1.3"; - }; - }; - }; - - identity_providers = { - oidc = { - # regenerate keys like this: - # ; nix run nixpkgs#authelia -- crypto certificate rsa generate - # current serial: deb83f17e27e663f544a16ad2947631d - - enable_client_debug_messages = false; - minimum_parameter_entropy = 8; - enforce_pkce = "public_clients_only"; - enable_pkce_plain_challenge = false; - cors = { - endpoints = [ - "authorization" - "token" - "revocation" - "introspection" - ]; - allowed_origins = [ - "https://emile.space" - ]; - allowed_origins_from_client_redirect_uris = false; - }; - }; - }; - - access_control = { - default_policy = "deny"; - rules = [ - { - domain = "*.emile.space"; - policy = "two_factor"; - } - ]; - }; - - totp = { - disable = false; - issuer = "sso.emile.space"; - algorithm = "sha1"; - digits = 6; - period = 30; - skew = 1; - secret_size = 32; - }; - - ntp = { - address = "time.cloudflare.com:123"; - version = 3; - max_desync = "3s"; - disable_startup_check = false; - disable_failure = false; - }; - }; - }; - }; + authelia_port = config.services.authelia.instances.main.settings.server.port; +in +{ + + services.nginx.virtualHosts."sso.emile.space" = { + forceSSL = true; + enableACME = true; + + locations = { + "/" = { + proxyPass = "http://127.0.0.1:${toString authelia_port}"; + + extraConfig = '' + ## Headers + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-URI $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + + ## Basic Proxy Configuration + client_body_buffer_size 128k; + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead. + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 64 256k; + + ## Trusted Proxies Configuration + ## Please read the following documentation before configuring this: + ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies + # set_real_ip_from 10.0.0.0/8; + # set_real_ip_from 172.16.0.0/12; + # set_real_ip_from 192.168.0.0/16; + # set_real_ip_from fc00::/7; + set_real_ip_from 127.0.0.1/32; + real_ip_header X-Forwarded-For; + real_ip_recursive on; + + ## Advanced Proxy Configuration + send_timeout 5m; + proxy_read_timeout 360; + proxy_send_timeout 360; + proxy_connect_timeout 360; + ''; + }; + + "/api/verify" = { + proxyPass = "http://127.0.0.1:${toString authelia_port}"; + }; + + "/api/authz/" = { + proxyPass = "http://127.0.0.1:${toString authelia_port}"; + }; + }; + }; + + # set the permissions for the secrets... + age.secrets = { + # ... passwed via environment vars + authelia_session_secret.owner = "authelia-main"; + authelia_session_secret.group = "authelia-main"; + authelia_mail_password.owner = "authelia-main"; + authelia_mail_password.group = "authelia-main"; + + # ... passed via the services.authelia.instances.main.secrets attribute + authelia_storage_encryption_key.owner = "authelia-main"; + authelia_storage_encryption_key.group = "authelia-main"; + authelia_jwt_secret.owner = "authelia-main"; + authelia_jwt_secret.group = "authelia-main"; + authelia_oidc_issuer_private_key.owner = "authelia-main"; + authelia_oidc_issuer_private_key.group = "authelia-main"; + authelia_oidc_hmac_secret.owner = "authelia-main"; + authelia_oidc_hmac_secret.group = "authelia-main"; + }; + + services.authelia.instances = { + main = { + enable = true; + package = pkgs.authelia; + + # pass some of the secrets in as env-vars + environmentVariables = with config.age.secrets; { + AUTHELIA_SESSION_SECRET_FILE = authelia_session_secret.path; + AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = authelia_mail_password.path; + }; + secrets = with config.age.secrets; { + manual = true; + + # some other secrets can be defined here, but not all... + storageEncryptionKeyFile = authelia_storage_encryption_key.path; + jwtSecretFile = authelia_jwt_secret.path; + oidcIssuerPrivateKeyFile = authelia_oidc_issuer_private_key.path; + oidcHmacSecretFile = authelia_oidc_hmac_secret.path; + }; + settings = { + theme = "dark"; + + server = { + host = "127.0.0.1"; + port = config.emile.ports.authelia; + }; + + # we're using a file to store the user information + authentication_backend = { + refresh_interval = "20s"; + file = { + path = "/var/lib/authelia-main/user.yml"; + watch = true; + password = { + algorithm = "argon2id"; + iterations = 3; + key_length = 32; + salt_length = 16; + memory = 65; + parallelism = 4; + }; + }; + }; + + storage.local.path = "/var/lib/authelia-main/db.sqlite"; + + session = { + domain = "sso.emile.space"; + expiration = 3600; # 1 hour + inactivity = 300; # 5 minutes + }; + + notifier = { + disable_startup_check = false; + smtp = { + host = "mail.emile.space"; + port = 587; + timeout = "30s"; + username = "mail@emile.space"; + + sender = "mail@emile.space"; + subject = "[Authelia] {title}"; + + disable_require_tls = false; + disable_starttls = false; + disable_html_emails = true; + + tls = { + server_name = "mail.emile.space"; + skip_verify = true; + minimum_version = "TLS1.3"; + }; + }; + }; + + identity_providers = { + oidc = { + # regenerate keys like this: + # ; nix run nixpkgs#authelia -- crypto certificate rsa generate + # current serial: deb83f17e27e663f544a16ad2947631d + + enable_client_debug_messages = false; + minimum_parameter_entropy = 8; + enforce_pkce = "public_clients_only"; + enable_pkce_plain_challenge = false; + cors = { + endpoints = [ + "authorization" + "token" + "revocation" + "introspection" + ]; + allowed_origins = [ "https://emile.space" ]; + allowed_origins_from_client_redirect_uris = false; + }; + }; + }; + + access_control = { + default_policy = "deny"; + rules = [ + { + domain = "*.emile.space"; + policy = "two_factor"; + } + ]; + }; + + totp = { + disable = false; + issuer = "sso.emile.space"; + algorithm = "sha1"; + digits = 6; + period = 30; + skew = 1; + secret_size = 32; + }; + + ntp = { + address = "time.cloudflare.com:123"; + version = 3; + max_desync = "3s"; + disable_startup_check = false; + disable_failure = false; + }; + }; + }; + }; } diff --git a/nix/hosts/corrino/www/tickets.emile.space.nix b/nix/hosts/corrino/www/tickets.emile.space.nix index a53b878..fb12961 100644 --- a/nix/hosts/corrino/www/tickets.emile.space.nix +++ b/nix/hosts/corrino/www/tickets.emile.space.nix @@ -17,7 +17,10 @@ pretix = { enable = true; package = pkgs.pretix; - plugins = with config.services.pretix.package.plugins; [ passbook pages ]; + plugins = with config.services.pretix.package.plugins; [ + passbook + pages + ]; user = "pretix"; group = "pretix"; gunicorn.extraArgs = [ diff --git a/nix/hosts/corrino/www/tmp.emile.space.nix b/nix/hosts/corrino/www/tmp.emile.space.nix index eeb7f8b..395c4dd 100644 --- a/nix/hosts/corrino/www/tmp.emile.space.nix +++ b/nix/hosts/corrino/www/tmp.emile.space.nix @@ -10,7 +10,7 @@ extraConfig = '' add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always; autoindex on; - ''; + ''; }; }; }; |