diff options
Diffstat (limited to 'nix')
51 files changed, 1735 insertions, 848 deletions
diff --git a/nix/hosts/caladan/darwin-configuration.nix b/nix/hosts/caladan/darwin-configuration.nix index ef18642..6fdbdaa 100644 --- a/nix/hosts/caladan/darwin-configuration.nix +++ b/nix/hosts/caladan/darwin-configuration.nix @@ -85,10 +85,10 @@ { hostName = "corrino.emile.space"; system = "x86_64-linux"; - maxJobs = 16; + maxJobs = 10; speedFactor = 2; - # Feature | Derivations requiring it + # Feature | Derivations requiring it # ----------------|----------------------------------------------------- # kvm | Everything which builds inside a vm, like NixOS tests # nixos-test | Machine can run NixOS tests @@ -110,8 +110,9 @@ ]; }; - nixpkgs = { - config.allowUnfree = true; + nixpkgs.config = { + allowUnfree = true; + allowUnsupportedSystem = true; }; services.nix-daemon.enable = true; diff --git a/nix/hosts/caladan/emacs_config.el b/nix/hosts/caladan/emacs_config.el index 0ed5786..01cf5bd 100644 --- a/nix/hosts/caladan/emacs_config.el +++ b/nix/hosts/caladan/emacs_config.el @@ -17,10 +17,7 @@ (unless (package-installed-p package) (package-install package))) -(when (display-graphic-p) - (tool-bar-mode 0) - (scroll-bar-mode 'left)) - +(scroll-bar-mode -1) (load-theme 'leuven) ;; light theme (setq pixel-scroll-precision-mode 1) (xterm-mouse-mode 1) @@ -42,9 +39,6 @@ (display-buffer-no-window) (allow-no-window . t))) -(when (not (display-graphic-p)) - (menu-bar-mode -1)) - ;; general purpose emacs settings (use-package emacs :init @@ -148,7 +142,6 @@ completion-category-overrides '((file (styles partial-completion))))) - ;; markdown mode ;; https://jblevins.org/projects/markdown-mode/ (defvar markdown-command) @@ -181,7 +174,7 @@ :ensure nil ; no need to install it as it is built-in, but needs to be activated :hook (after-init . delete-selection-mode)) -;; Configure the Lisp program for SLIME +;; Configure the Lisp program for SLY (add-to-list 'exec-path "/Users/emile/.nix-profile/bin") (defvar inferior-lisp-program "sbcl") @@ -206,14 +199,5 @@ (use-package breadcrumb :ensure t) -;(setq circe-network-options -; '(("Libera Chat" -; :tls t -; :tls-keylist (("/Users/emile/libera.crt" -; "/Users/emile/libera.key")) -; :sasl-external t -; :nick "hanemile" -; :channels ("#test")))) - (provide '.emacs) ;;; emacs_config.el ends here diff --git a/nix/hosts/caladan/home_emile.nix b/nix/hosts/caladan/home_emile.nix index 86d6965..545c4d5 100644 --- a/nix/hosts/caladan/home_emile.nix +++ b/nix/hosts/caladan/home_emile.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ lib, pkgs, ... }: { home = { @@ -60,6 +60,18 @@ ''; }; + neovim = let + custom_plugins = pkgs.callPackage ./nvim_plugins.nix { }; + in { + enable = true; + plugins = with pkgs.vimPlugins // custom_plugins; [ + neovim-ayu + lisp.vlime + ]; + extraConfig = '' + ''; + }; + emacs = { enable = true; package = pkgs.emacs; @@ -174,7 +186,7 @@ nixos-rebuild # editor - unstable.helix + unstable-darwin.helix ## formatter nixfmt-rfc-style # official formatter for nix code @@ -200,6 +212,7 @@ # go foo go delve + gotools # c foo cmake @@ -249,6 +262,10 @@ drawio + # cargo rustup + cargo + + # custom libc-database # blender diff --git a/nix/hosts/caladan/nvim_plugins.nix b/nix/hosts/caladan/nvim_plugins.nix new file mode 100644 index 0000000..7f07816 --- /dev/null +++ b/nix/hosts/caladan/nvim_plugins.nix @@ -0,0 +1,21 @@ +{ vimUtils, fetchgit, ... }: + +let + build = ({name, owner, rev, sha256}: vimUtils.buildVimPlugin { + inherit name; + src = fetchgit { + inherit rev sha256; + url = "https://github.com/${owner}/${name}"; + }; + dependencies = []; + }); +in { + lisp = { + vlime = build { + name = "vlime"; + owner = "l04m33"; + rev = "065b95f3ac7a455314c2bdefeb2b792f290034df"; + sha256 = "1bmmskdwvbl6lvbnjp9lls86rz0vzmk73y644bjb9ix9ygmjbia4"; + }; + }; +} diff --git a/nix/hosts/caladan/overlay.nix b/nix/hosts/caladan/overlay.nix index c9bdd79..8f3b810 100644 --- a/nix/hosts/caladan/overlay.nix +++ b/nix/hosts/caladan/overlay.nix @@ -33,11 +33,6 @@ rm tools/utils/passwd_test.go ''; }); - - # helix-2303 = self.callPackage ../../pkgs/helix-2303 { }; - # r2 = self.callPackage ../../pkgs/radare2-5.8.4 { }; - # ansel = self.callPackage ../../pkgs/ansel { }; - # typst = self.callPackage ../pkgs/radare2-5.8.4 { }; }) ]; config = { diff --git a/nix/hosts/corrino/configuration.nix b/nix/hosts/corrino/configuration.nix index d453b34..2f8954b 100644 --- a/nix/hosts/corrino/configuration.nix +++ b/nix/hosts/corrino/configuration.nix @@ -27,6 +27,8 @@ in ./www/git ./www/nix-cache + ./www/goapp.emile.space.nix + # screego # web @@ -42,8 +44,9 @@ in ./www/photo - # ./www/tickets.emile.space.nix + ./www/tickets.emile.space.nix # ./www/talks.emile.space.nix + ./www/miniflux.emile.space.nix # ./www/stream.emile.space.nix ./www/md.emile.space.nix ./www/social.emile.space.nix @@ -554,13 +557,25 @@ in }; "/mnt/storagebox-bx11" = { - device = "//u331921.your-storagebox.de/backup"; - fsType = "cifs"; - options = - let - automount_opts = "_netdev,x-systemd.automount,noauto,x-systemd.idle-timeout=60,x-systemd.device-timeout=5s,x-systemd.mount-timeout=5s"; - in - [ "${automount_opts},credentials=${config.age.secrets.storage_box_bx11_password.path}" ]; + device = "u331921@u331921.your-storagebox.de:/home/backup"; + fsType = "sshfs"; + options = [ # Filesystem options + "allow_other" # for non-root access + "_netdev" # this is a network fs + + # We don't mount on demand, as that will cause services like navidrome to fail + # as the share doesn't yet exist. + #"x-systemd.automount" # mount on demand, rather than boot + + #"debug" # print debug logging + # warning: this causes the one-shot service to never exit + + # SSH options + "StrictHostKeyChecking=no" # prevent the connection from failing if the host's key hasn't been trusted yet + "ServerAliveInterval=15" # keep connections alive + "Port=23" + "IdentityFile=/root/.ssh/id_ed25519" + ]; }; }; diff --git a/nix/hosts/corrino/ports.nix b/nix/hosts/corrino/ports.nix index 10ae593..bb64934 100644 --- a/nix/hosts/corrino/ports.nix +++ b/nix/hosts/corrino/ports.nix @@ -24,6 +24,7 @@ restic = 8002; nocodb = 8003; goatcounter = 8004; + goapp = 8005; r2wars-web = 8089; ctf = 8338; magic-hash = 8339; diff --git a/nix/hosts/corrino/secrets/garage_admin_metrics_secret.age b/nix/hosts/corrino/secrets/garage_admin_metrics_secret.age new file mode 100644 index 0000000..e1af7da --- /dev/null +++ b/nix/hosts/corrino/secrets/garage_admin_metrics_secret.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q 7QkcpYGeeMsbW0GcXzNGPTc0jUf4ydpMiTO6ZxEIKGY +OOxq2hMORsmUzBuoqOIPNJeLqJB0seve9PhorS6PKNs +-> ssh-ed25519 m8VklA pF7mWG6tviFC6qD88dxoQRnXGfR0AuanVyY+bh8XgV0 +mrk4HgEs3i8y5P+BSGM1psweXpY/xO+8vK/DsXyhyiY +--- zqEl/ZN/3jEgMZ/IbPbyTHGZJDDENLOnoQezaACeoSs +l,±W`\6yh. oV(?Em,;(@0dVA=4v \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/garage_admin_token_secret.age b/nix/hosts/corrino/secrets/garage_admin_token_secret.age new file mode 100644 index 0000000..2a18a6b --- /dev/null +++ b/nix/hosts/corrino/secrets/garage_admin_token_secret.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q hcMMVkZSsObrOFjetml2z4eH+EfnuSsna+GaXEeMUA4 +y6lFBj49cMhOGuJBpILHsykpBMpKDHZpFXR4E4zZEbg +-> ssh-ed25519 m8VklA Z6zLilTWlGWG17Q6jBx13m3KYs3gE93TPLq0CidHeTA +eqMN5mDMasi/Nw2y5Kgwy2COna+3zbbFTTUrD/O26ls +--- QdVyqrTLmEcGSB37Ft3Ur0Ry9Jk9DyHFI6fo88tnsgI +X`wY,<A$XeDGe ;െ>1nsNr_Y\`)F#{< \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/garage_env.age b/nix/hosts/corrino/secrets/garage_env.age new file mode 100644 index 0000000..becb511 --- /dev/null +++ b/nix/hosts/corrino/secrets/garage_env.age Binary files differdiff --git a/nix/hosts/corrino/secrets/garage_rpc_secret.age b/nix/hosts/corrino/secrets/garage_rpc_secret.age index e228d0d..ce8a65a 100644 --- a/nix/hosts/corrino/secrets/garage_rpc_secret.age +++ b/nix/hosts/corrino/secrets/garage_rpc_secret.age Binary files differdiff --git a/nix/hosts/corrino/secrets/goapp_oidc_secret.age b/nix/hosts/corrino/secrets/goapp_oidc_secret.age new file mode 100644 index 0000000..ca96981 --- /dev/null +++ b/nix/hosts/corrino/secrets/goapp_oidc_secret.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q Efi2feeWex0ApMR1lvO6osGzW58wiT24zLxcvWlThyc +/UnBx5j3slzIBoNhbdp9ccdk/p8rFdr/i602sO3abi4 +-> ssh-ed25519 m8VklA o9Y9PUYV9RTcQIu2PLouB9336WdJVhtrEy61UTF62WU +NQ+VueAUIqP4LGazGz/cOKtDmao4LKRWLj7fT2/0g5c +--- jjCarc6U6Mxp3VtnS7mElpuJhKjc4fjUTd6dicekLgg +AU.#z̥8wwWS1)R?'}l n/TC'>&<b_EƔōKBBylD,@(<4~̌rգ \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/goapp_oidc_session_key.age b/nix/hosts/corrino/secrets/goapp_oidc_session_key.age new file mode 100644 index 0000000..938f97f --- /dev/null +++ b/nix/hosts/corrino/secrets/goapp_oidc_session_key.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q BAvDdIEUEgmo963+9Wd5VLJgrp3MBISvWR3+27bfJW8 +NOEj2ObYe/cM2CaqzmbgexSEUNZIEo1ZmvlamJaSOjo +-> ssh-ed25519 m8VklA d/hwd3rGkPD3GDdlOP2XUsi687VH+tfKrAsKnImk+kI +gFAyyMZT5DK7da7YXOf/5gUd4Bi9cEe3ddMKUMuctMU +--- 9tVE+AAvptrlMZe5+UGJGzH9usnxa+ZICbikcRT0PYI +g!X+/0P ;*{Vp!4sa I+/\IԖ,op웘DP7";pPp +%cUڜ8 \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/miniflux_admin_file.age b/nix/hosts/corrino/secrets/miniflux_admin_file.age new file mode 100644 index 0000000..3e00b9b --- /dev/null +++ b/nix/hosts/corrino/secrets/miniflux_admin_file.age @@ -0,0 +1,7 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q OGds4NLmRiMmVjPTORP3jLe3iEkqrDyTqW4V7ceFfRk +FFdZcsT9ZruNhpY5cb674qpQpK0qzHNwRPCfHvYaKcE +-> ssh-ed25519 m8VklA 84XSPja8dzJEUVR5olwNONVzNn5QrsX+R+WeBHqxXDo +5CVpnTDcO0EG3NsHdFsSABWNBIe3Xe16me13JIOlfos +--- rlIUU/0gYwxIXmpRI5/3mmZXJ+JrG/tE/3IBtpo4uT4 +-9JNVG.l.e?&r;V#ahSJWjhvѳt;3ϫk(^QU *czFbwPZuqĉ \ No newline at end of file diff --git a/nix/hosts/corrino/secrets/miniflux_oidc_secret.age b/nix/hosts/corrino/secrets/miniflux_oidc_secret.age new file mode 100644 index 0000000..c16754e --- /dev/null +++ b/nix/hosts/corrino/secrets/miniflux_oidc_secret.age Binary files differdiff --git a/nix/hosts/corrino/secrets/tailscale-corrino-cert.age b/nix/hosts/corrino/secrets/tailscale-corrino-cert.age new file mode 100644 index 0000000..07252cc --- /dev/null +++ b/nix/hosts/corrino/secrets/tailscale-corrino-cert.age Binary files differdiff --git a/nix/hosts/corrino/secrets/tailscale-corrino-key.age b/nix/hosts/corrino/secrets/tailscale-corrino-key.age new file mode 100644 index 0000000..36c132e --- /dev/null +++ b/nix/hosts/corrino/secrets/tailscale-corrino-key.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 gvwQ2Q P6b4m51AxFbXT3OOkgMe/BPZi3240e/Gii3weyMtPxI +fRVIno8tPqh4F6e6TOj6YiW2uL9T3uqkro6EZ1mPXOc +-> ssh-ed25519 m8VklA lRMfdLzmoVybkJJvTlY1lZgkMt1R0wyjA/NFcdRFKDM +CLyqRXYetMUbsGhL8NRQ333WIy/TnJwhWX8UpxyLmbw +--- zTjX+CIXtDurBc+TaT7zQ0xn/5Xx3mIrKkAviqMgn4c +:$+D\[Q.pS<HQWMTLTGxZV'^pNDGF*ڢ:6`ˉ`aMdbN\ȣ ClH7>i_! %neUVI4sA6_kP4-=.dxqt+)4`+E2R&0__$V}Hojܾ}aB|//@L#IK3Dt +C?4?u}7! \ No newline at end of file diff --git a/nix/hosts/corrino/vm.nix b/nix/hosts/corrino/vm.nix index 37d1356..78d818f 100644 --- a/nix/hosts/corrino/vm.nix +++ b/nix/hosts/corrino/vm.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ pkgs, ... }: { services.emile.libvirtnix = { @@ -15,6 +15,19 @@ uuid = "E34DE478-1402-45BB-B3FD-FC960549258E"; genid = "CA1E2462-1E9D-404C-8DDB-19EEF9D9651B"; + os = { + nvram = { + type = "network"; + source = { + mirror = { + abi = "copy"; + ready = "yes"; + type = "network"; + }; + }; + }; + }; + packages = { libvirt = pkgs.libvirt; qemu = pkgs.qemu; diff --git a/nix/hosts/corrino/www/goapp.emile.space.nix b/nix/hosts/corrino/www/goapp.emile.space.nix new file mode 100644 index 0000000..361e95a --- /dev/null +++ b/nix/hosts/corrino/www/goapp.emile.space.nix @@ -0,0 +1,89 @@ +{ config, pkgs, ... }: + +{ + services.nginx.virtualHosts."goapp.emile.space" = { + forceSSL = true; + enableACME = true; + + locations = { + "/" = { + proxyPass = "http://${config.services.emile.goapp-frontend.host}:${toString config.services.emile.goapp-frontend.port}"; + }; + }; + }; + + services.authelia.instances.main.settings.identity_providers.oidc.clients = [ + { + id = "goapp"; + + # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 + secret = "$pbkdf2-sha512$310000$LPXJRoGR9RyTcaT6cADljg$FK8RV5CnKj5ano4fXmRzzvXcX/00F7k/G6nd67t.8iewpwyq8FntV4JgYZSV8AynYMxz1qnL4j3BzITLCM0KgQ"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ + "https://goapp.emile.space/oauth2/callback" + ]; + scopes = [ + "openid" + "email" + "profile" + "groups" + ]; + grant_types = [ + "refresh_token" + "authorization_code" + ]; + response_types = [ "code" ]; + response_modes = [ + "form_post" + "query" + "fragment" + ]; + token_endpoint_auth_method = "client_secret_post"; + } + ]; + + environment.systemPackages = with pkgs; [ goapp-frontend ]; + + # deploy: + # - push code + # - build in order to get the new hash (nix build .#goapp-frontend-pkg) + # - update hash in the package (//nix/templates/goapp/frontent/default.nix) + # - deploy + # + # https://goapp.emile.space/oauth2/callback?code=authelia_ac_iZKCXtRMnj2yjUAmiSkg_LBWjiME2-ghE6KMkxdb6Zw.nDLgCVpu9ctH1llEKUml5rr8szd3bkZYaGa_MAOtNLI&iss=https%3A%2F%2Fsso.emile.space&scope=openid+profile+email+groups&state=random-string-here + # + # Unable to exchange authorization code for tokens + # + # unable to exchange authorization code for tokens: oauth2: "invalid_client" "Client authentication failed (e.g., unknown client, no client authentication included, or unsupported authentication method)." + + services.emile.goapp-frontend = { + enable = true; + package = pkgs.goapp-frontend; + + host = "127.0.0.1"; + port = config.emile.ports.goapp; + public-url = "https://goapp.emile.space/"; + + oidc = { + id = "goapp"; + issuer = "https://sso.emile.space"; + cookie-name = "oidc-client"; + scopes = [ + "openid" + "profile" + "email" + "groups" + ]; + # secret-path = "/run/goapp-frontend_oidc_secret"; + secret-path = config.age.secrets.goapp_oidc_secret.path; + }; + + # TODO(emile): change these when going live + session-key-path = config.age.secrets.goapp_oidc_secret.path; + + logfile-path = "/var/log/goapp-frontend.log"; + database-path = "/var/lib/goapp-frontend/main.db"; + sessiondb-path = "/var/lib/goapp-frontend/session.db"; + }; +} diff --git a/nix/hosts/corrino/www/grafana.emile.space.nix b/nix/hosts/corrino/www/grafana.emile.space.nix index 22b444f..f8674a2 100644 --- a/nix/hosts/corrino/www/grafana.emile.space.nix +++ b/nix/hosts/corrino/www/grafana.emile.space.nix @@ -91,19 +91,30 @@ provision = { dashboards.settings = { }; datasources.settings = { + deleteDatasources = [ + { name = "Prometheus"; orgId = 1; } + { name = "Lampadas"; orgId = 1; } + ]; datasources = [ { url = "http://localhost:${toString config.services.prometheus.port}"; type = "prometheus"; - name = "Prometheus"; + name = "Prometheus Corrino"; editable = false; access = "proxy"; # server = "proxy", browser = "direct" } { - name = "loki"; - url = "http://${config.services.loki.configuration.common.instance_addr}:${toString config.services.loki.configuration.server.http_listen_port}"; - type = "loki"; + url = "http://lampadas:9009"; + type = "prometheus"; + name = "Prometheus Lampadas"; + editable = false; + access = "proxy"; # server = "proxy", browser = "direct" } + # { + # name = "loki"; + # url = "http://${config.services.loki.configuration.common.instance_addr}:${toString config.services.loki.configuration.server.http_listen_port}"; + # type = "loki"; + # } ]; }; diff --git a/nix/hosts/corrino/www/mc.emile.space.nix b/nix/hosts/corrino/www/mc.emile.space.nix new file mode 100644 index 0000000..8250a1d --- /dev/null +++ b/nix/hosts/corrino/www/mc.emile.space.nix @@ -0,0 +1,150 @@ +{ config, pkgs, ... }: + +{ + services.minecraft-server = { + package = pkgs.minecraft-server; + serverProperties = { + server-port = 43000; + + # 0 peaceful + # 1 easy + # 2 normal + # 3 hard + difficulty = 1; + + # 0 survival + # 1 creative + # 2 adventure + # 5 default + # "spectator" spectator + # gamemode = "survival"; + gamemode = 0; + + max-players = 10; + motd = "Neurodivergenter Hexenzirkel"; + enable-rcon = true; + "rcon.password" = "hunter2"; + enable-command-block = false; + enable-query = false; + spawn-protection = 0; + + white-list = true; + }; + openFirewall = true; + + whitelist = { + "emileemail" = "a7614a53-b8b8-47b7-91cf-860e7c7f325f"; + "dodonator23" = "f93506b6-76e8-437d-927d-dceeb833a33f"; + "ChaosAyumi" = "223040ec-ca30-4238-8b58-c81597c30426"; + "xerunala" = "962e41c8-1da8-4592-9a2f-e36cdb20d5a6"; + "rappet" = "588377a5-362f-4ea1-8195-9cf97dd7a884"; + }; + + jvmOpts = "-Xms4092M -Xmx4092M"; + eula = true; + enable = true; + declarative = true; + dataDir = "/var/lib/minecraft"; + }; + + services.nginx.virtualHosts."mc.emile.space" = { + forceSSL = true; + enableACME = true; + }; + + services.bluemap = { + enable = true; + + enableNginx = true; + host = "mc.emile.space"; + + webappSettings = { + enabled = true; + webroot = config.services.bluemap.webRoot; + }; + + # webserverSettings = {}; + webserverSettings.enabled = false; # using nginx; + webRoot = "/var/lib/bluemap/web"; + + # coreSettings = {}; + coreSettings.data = "/var/lib/bluemap"; + coreSettings.metrics = false; # don't send data to the devs + + storage = { + "file" = { + root = "${config.services.bluemap.webRoot}/maps"; + }; + }; + # storage.<name>.storage-type + + maps = let + worldpath = "/var/lib/minecraft/world"; + in { + "overworld" = { + world = "${worldpath}"; + ambient-light = 0.1; + cave-detection-ocean-floor = -5; + dimension = "minecraft:overworld"; + }; + + "nether" = { + world = "${worldpath}/DIM-1"; + sorting = 100; + sky-color = "#290000"; + void-color = "#150000"; + ambient-light = 0.6; + world-sky-light = 0; + remove-caves-below-y = -10000; + cave-detection-ocean-floor = -5; + cave-detection-uses-block-light = true; + max-y = 90; + dimension = "minecraft:the_nether"; + }; + + "end" = { + world = "${worldpath}/DIM1"; + sorting = 200; + sky-color = "#080010"; + void-color = "#080010"; + ambient-light = 0.6; + world-sky-light = 0; + remove-caves-below-y = -10000; + cave-detection-ocean-floor = -5; + dimension = "minecraft:the_end"; + }; + }; + + # A set of resourcepacks, datapacks, and mods to extract resources from, loaded in alphabetical order. + packs = {}; + + # How often to trigger rendering the map, in the format of a systemd timer onCalendar configuration. See systemd.timer(5). + # + # This one means "every three hours": + # *-*-* */3:00:00 + onCalendar = "*-*-* *:00:00"; + + eula = true; + + enableRender = true; + + # The world used by the default map ruleset. If you configure your own maps you do not need to set this. + # defaultWorld = "${config.services.minecraft.dataDir}/world"; + + addons = {}; + }; + + services.restic.backups."minecraft" = { + repository = "/mnt/storagebox-bx11/minecraft"; + paths = [ "/var/lib/minecraft" ]; + timerConfig = null; + passwordFile = config.age.secrets.restic_password.path; + initialize = true; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 75" + ]; + }; +} diff --git a/nix/hosts/corrino/www/md.emile.space.nix b/nix/hosts/corrino/www/md.emile.space.nix index 6088ea0..d94c06c 100644 --- a/nix/hosts/corrino/www/md.emile.space.nix +++ b/nix/hosts/corrino/www/md.emile.space.nix @@ -6,7 +6,7 @@ enableACME = true; locations = { "/" = { - proxyPass = "http://127.0.0.1:${toString config.services.hedgedoc.settings.port}"; + proxyPass = "http://[${config.services.hedgedoc.settings.host}]:${toString config.services.hedgedoc.settings.port}"; }; }; }; @@ -14,10 +14,10 @@ # auth via authelia services.authelia.instances.main.settings.identity_providers.oidc.clients = [ { - id = "HedgeDoc"; + client_id = "HedgeDoc"; # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$l4Kyec7Q9oY2GAhWA/xMig$P/MYFmulfgsDNyyiclUzd6le0oSiOvqCIvl4op5DkXtVTxLWlMA3ZwhJ6Z7u.OfIREuEM2htH6asxWPhBhkpNQ"; + client_secret = "$pbkdf2-sha512$310000$l4Kyec7Q9oY2GAhWA/xMig$P/MYFmulfgsDNyyiclUzd6le0oSiOvqCIvl4op5DkXtVTxLWlMA3ZwhJ6Z7u.OfIREuEM2htH6asxWPhBhkpNQ"; public = false; authorization_policy = "two_factor"; redirect_uris = [ "https://md.emile.space/auth/oauth2/callback" ]; @@ -47,7 +47,7 @@ environmentFile = config.age.secrets.hedgedoc_environment_variables.path; settings = { - host = "127.0.0.1"; + host = "::1"; port = config.emile.ports.md; domain = "md.emile.space"; @@ -85,6 +85,20 @@ }; }; + services.restic.backups."hedgedoc" = { + repository = "/mnt/storagebox-bx11/hedgedoc"; + paths = [ "/var/lib/hedgedoc" ]; + timerConfig = null; + passwordFile = config.age.secrets.restic_password.path; + initialize = true; + pruneOpts = [ + "--keep-daily 7" + "--keep-weekly 5" + "--keep-monthly 12" + "--keep-yearly 75" + ]; + }; + # backups # services.restic.backups."hedgedoc" = { # user = "u331921"; diff --git a/nix/hosts/corrino/www/miniflux.emile.space.nix b/nix/hosts/corrino/www/miniflux.emile.space.nix new file mode 100644 index 0000000..f5b9817 --- /dev/null +++ b/nix/hosts/corrino/www/miniflux.emile.space.nix @@ -0,0 +1,73 @@ +{ config, pkgs, ... }: + +{ + services.nginx.virtualHosts."miniflux.emile.space" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://${config.services.miniflux.config.LISTEN_ADDR}"; + }; + }; + }; + + # auth via authelia + services.authelia.instances.main.settings.identity_providers.oidc.clients = [ + { + id = "miniflux"; + + # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 + secret = "$pbkdf2-sha512$310000$rlOuqUDGc/kl3bw7JgcSpg$4COyNudsu/7L8qhnxfcQld5Fy.ru/JUp7RCI7dCHZMtzxRnhckW8A7uz3Xeuc7.BjCIwc4GdWusPt6.TiH6Kpw"; + public = false; + authorization_policy = "two_factor"; + redirect_uris = [ "https://miniflux.emile.space/oauth2/oidc/callback" ]; + scopes = [ + "openid" + "email" + "profile" + ]; + grant_types = [ + "refresh_token" + "authorization_code" + ]; + response_types = [ "code" ]; + response_modes = [ + "form_post" + "query" + "fragment" + ]; + token_endpoint_auth_method = "client_secret_post"; + } + ]; + + services.miniflux = { + enable = true; + package = pkgs.miniflux; + config = { + BASE_URL = "https://miniflux.emile.space"; + + # Cleanup job frequency to remove old sessions and archive entries. + CLEANUP_FREQUENCY = 48; + + # Set to 1 to enable maintenance mode. Maintenance mode disables the web ui and show a text message to the users. + # MAINTENANCE_MODE = 1; + # MAINTENANCE_MESSAGE = "updating foo"; + + OAUTH2_CLIENT_ID = "miniflux"; + OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.miniflux_oidc_secret.path; + OAUTH2_OIDC_DISCOVERY_ENDPOINT = "sso.emile.space"; + OAUTH2_OIDC_PROVIDER_NAME = "authelia"; + OAUTH2_PROVIDER = "oidc"; + OAUTH2_REDIRECT_URL = "https://miniflux.emile.space/oauth2/oidc/callback"; + + LISTEN_ADDR = "[::1]:${toString config.emile.ports.miniflux}"; + }; + createDatabaseLocally = true; + + # File containing the ADMIN_USERNAME and ADMIN_PASSWORD (length >= 6) in the format of an EnvironmentFile=, as described by systemd.exec(5). + adminCredentialsFile = config.age.secrets.miniflux_admin_file.path; + }; + + + +} diff --git a/nix/hosts/corrino/www/sb.emile.space.nix b/nix/hosts/corrino/www/sb.emile.space.nix new file mode 100644 index 0000000..0522e25 --- /dev/null +++ b/nix/hosts/corrino/www/sb.emile.space.nix @@ -0,0 +1,114 @@ +{ config, pkgs, ... }: + +{ + services.nginx.virtualHosts."sb.emile.space" = { + forceSSL = true; + enableACME = true; + locations = { + "/" = { + proxyPass = "http://${config.services.silverbullet.listenAddress}:${toString config.services.silverbullet.listenPort}"; + extraConfig = '' + ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource. + auth_request /internal/authelia/authz; + + ## Save the upstream metadata response headers from Authelia to variables. + auth_request_set $user $upstream_http_remote_user; + auth_request_set $groups $upstream_http_remote_groups; + auth_request_set $name $upstream_http_remote_name; + auth_request_set $email $upstream_http_remote_email; + + ## Inject the metadata response headers from the variables into the request made to the backend. + proxy_set_header Remote-User $user; + proxy_set_header Remote-Groups $groups; + proxy_set_header Remote-Email $email; + proxy_set_header Remote-Name $name; + + ## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method' + ## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url + ## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily. + + ## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint. + auth_request_set $redirection_url $upstream_http_location; + + ## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url. + error_page 401 =302 $redirection_url; + + ## Legacy Method: Set $target_url to the original requested URL. + ## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module. + # set $target_url $scheme://$http_host$request_uri; + + ## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd' + ## URL parameter set to $target_url. This requires users update 'auth.example.com/' with their external authelia URL. + # error_page 401 =302 https://sso.emile.space/?rd=$target_url; + ''; + }; + "/internal/authelia/authz" = { + extraConfig = '' + ## Essential Proxy Configuration + internal; + proxy_pass https://sso.emile.space/api/authz/auth-request; + + ## Headers + ## The headers starting with X-* are required. + proxy_set_header X-Original-Method $request_method; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header Content-Length ""; + proxy_set_header Connection ""; + + ## Basic Proxy Configuration + proxy_pass_request_body off; + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 4 32k; + client_body_buffer_size 128k; + + ## Advanced Proxy Configuration + send_timeout 5m; + proxy_read_timeout 240; + proxy_send_timeout 240; + proxy_connect_timeout 240; + ''; + }; + }; + }; + + # auth via authelia + # services.authelia.instances.main.settings.identity_providers.oidc.clients = [ + # { + # id = "silverbullet"; + + # # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 + # secret = "$pbkdf2-sha512$310000$mxk7uITQOZNYEqeinigQnw$wsF2S6RPL2zVRg1X0bAuINh8Lu5PuA/2/FYJSy3i/Ig5vtCzaIFb0xYEcus4jkqTIgyp3aBxtgSzAKjQKC.QKg"; + # public = false; + # authorization_policy = "two_factor"; + # redirect_uris = [ "https://md.emile.space/auth/oauth2/callback" ]; + # scopes = [ + # "openid" + # "email" + # "profile" + # ]; + # grant_types = [ + # "refresh_token" + # "authorization_code" + # ]; + # response_types = [ "code" ]; + # response_modes = [ + # "form_post" + # "query" + # "fragment" + # ]; + # token_endpoint_auth_method = "client_secret_post"; + # } + # ]; + + services.silverbullet = { + enable = true; + spaceDir = "/var/lib/silverbullet"; + listenPort = 3000; + listenAddress = "[::1]"; + }; +} diff --git a/nix/hosts/corrino/www/sso.emile.space.nix b/nix/hosts/corrino/www/sso.emile.space.nix index 44e30bb..6ffff80 100644 --- a/nix/hosts/corrino/www/sso.emile.space.nix +++ b/nix/hosts/corrino/www/sso.emile.space.nix @@ -141,9 +141,22 @@ in storage.local.path = "/var/lib/authelia-main/db.sqlite"; session = { - domain = "sso.emile.space"; - expiration = 3600; # 1 hour - inactivity = 300; # 5 minutes + # domain = "sso.emile.space"; + # expiration = 3600; # 1 hour + # inactivity = 300; # 5 minutes + + cookies = [ + { + domain = "emile.space"; + authelia_url = "https://sso.emile.space"; + # The period of time the user can be inactive for until the session is destroyed. Useful if you want long session timers but don’t want unused devices to be vulnerable. + inactivity = "1h"; + # The period of time before the cookie expires and the session is destroyed. This is overridden by remember_me when the remember me box is checked. + expiration = "1d"; + # The period of time before the cookie expires and the session is destroyed when the remember me box is checked. Setting this to -1 disables this feature entirely for this session cookie domain + remember_me = "3M"; + } + ]; }; notifier = { @@ -196,6 +209,16 @@ in default_policy = "deny"; rules = [ { + # silverbullet needs access to these without auth + domain = "sb.emile.space"; + policy = "bypass"; + resources = [ + "/.client/manifest.json$" + "/.client/[a-zA-Z0-9_-]+.png$" + "/service_worker.js$" + ]; + } + { domain = "*.emile.space"; policy = "two_factor"; } diff --git a/nix/hosts/corrino/www/templates/goapp/default.nix b/nix/hosts/corrino/www/templates/goapp/default.nix deleted file mode 100644 index 716d6ab..0000000 --- a/nix/hosts/corrino/www/templates/goapp/default.nix +++ /dev/null @@ -1,30 +0,0 @@ - -{ - services.authelia.instances.main.settings.identity_providers.oidc.clients = [ - { - id = "goapp"; - - # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986 - secret = "$pbkdf2-sha512$310000$WUai4pp1ZVJDrJ8j6ICLiQ$NOMMaCZ3gt.x.a09MWatMkJWQIaH0QeWgRXSbuD2iWRwR.N6MWmJA6QO.LIKcxn6l.zHZN4bO1Ztsrbo9010Tw"; - public = false; - authorization_policy = "two_factor"; - redirect_uris = [ "https://127.0.0.1:8080/auth/oauth2/callback" ]; - scopes = [ - "openid" - "email" - "profile" - ]; - grant_types = [ - "refresh_token" - "authorization_code" - ]; - response_types = [ "code" ]; - response_modes = [ - "form_post" - "query" - "fragment" - ]; - token_endpoint_auth_method = "client_secret_post"; - } - ]; -} diff --git a/nix/hosts/lampadas/configuration.nix b/nix/hosts/lampadas/configuration.nix index cc829d8..007f8a1 100644 --- a/nix/hosts/lampadas/configuration.nix +++ b/nix/hosts/lampadas/configuration.nix @@ -2,7 +2,7 @@ # your system. Help is available in the configuration.nix(5) man page, on # https://search.nixos.org/options and in the NixOS manual (`nixos-help`). -{ pkgs, lib, ... }: +{ config, pkgs, lib, ... }: let emile_keys = [ @@ -17,12 +17,34 @@ in ./hardware-configuration.nix ]; + hardware.fancontrol = { + enable = true; + config = '' + # Configuration file generated by pwmconfig, changes will be lost + INTERVAL=10 + DEVPATH=hwmon0=devices/platform/coretemp.0 hwmon1=devices/platform/nct6775.672 + DEVNAME=hwmon0=coretemp hwmon1=nct6798 + FCTEMPS=hwmon1/pwm3=hwmon0/temp2_input hwmon1/pwm2=hwmon1/temp2_input + FCFANS=hwmon1/pwm3=hwmon1/fan3_input hwmon1/pwm2=hwmon1/fan2_input + MINTEMP=hwmon1/pwm3=35 hwmon1/pwm2=35 + MAXTEMP=hwmon1/pwm3=75 hwmon1/pwm2=75 + MINSTART=hwmon1/pwm3=255 hwmon1/pwm2=255 + MINSTOP=hwmon1/pwm3=30 hwmon1/pwm2=30 + MINPWM=hwmon1/pwm3=30 hwmon1/pwm2=30 + MAXPWM=hwmon1/pwm3=255 hwmon1/pwm2=255 + ''; + }; + boot = { loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; }; kernelParams = [ "ip=dhcp" ]; + kernelModules = [ + # fan speed modules, detected using `sensors-detect` + "coretemp" "nct6775" + ]; initrd = { availableKernelModules = [ "r8169" ]; systemd.users.root.shell = "/bin/cryptsetup-askpass"; @@ -159,10 +181,41 @@ in }; # metric exporters - prometheus.exporters = { - node.enable = true; # port 9100 - systemd.enable = true; # port 9558 - smartctl.enable = true; # port 9633 + prometheus = { + enable = true; + port = 9090; + listenAddress = "100.87.209.97"; + scrapeConfigs = [ + { + job_name = "node"; + static_configs = [{ + targets = [ + "localhost:${toString config.services.prometheus.exporters.node.port}" + ]; + }]; + } + { + job_name = "systemd"; + static_configs = [{ + targets = [ + "localhost:${toString config.services.prometheus.exporters.systemd.port}" + ]; + }]; + } + { + job_name = "smartctl"; + static_configs = [{ + targets = [ + "localhost:${toString config.services.prometheus.exporters.smartctl.port}" + ]; + }]; + } + ]; + exporters = { + node.enable = true; # port 9100 + systemd.enable = true; # port 9558 + smartctl.enable = true; # port 9633 + }; }; # shares diff --git a/nix/lib/flake-helper.nix b/nix/lib/flake-helper.nix index ddace97..f841fa5 100644 --- a/nix/lib/flake-helper.nix +++ b/nix/lib/flake-helper.nix @@ -83,8 +83,6 @@ rec { { ... }: { nixpkgs.overlays = [ - self.overlays.emile - ( if system == "x86_64-linux" then self.overlays.x86_64-linux @@ -94,6 +92,11 @@ rec { null ) + # no clue why, but when rebuilding corrino and this not being commented, + # something in the hardware.bluetooth module breaks + # + # (if system == "aarch64-darwin" then self.overlays.unstable-darwin else null) + (_: _: { inherit (agenix.packages."x86_64-linux") agenix; }) (_: _: { @@ -197,8 +200,12 @@ rec { user = "root"; # user to install as sshUser = sshUser; # user to ssh to as - # make sure people can use sudo - sshOpts = ["-A" "-t" "-S"]; + # make sure people can use sudo + sshOpts = [ + "-A" + "-t" + "-S" + ]; # sshOpts = [ "-o" "ProxyCommand=none" ]; # make sure to add the nix foo on the darwin hosts to ~/.zshenv diff --git a/nix/modules/goapp-frontend/default.nix b/nix/modules/goapp-frontend/default.nix new file mode 100644 index 0000000..c5f62aa --- /dev/null +++ b/nix/modules/goapp-frontend/default.nix @@ -0,0 +1,134 @@ +{ + config, + lib, + pkgs, + ... +}: + +let + cfg = config.services.emile.goapp-frontend; +in +with lib; +{ + options.services.emile.goapp-frontend = { + enable = mkEnableOption "Enable goapp-frontend"; + package = mkPackageOption pkgs "goapp-frontend" { }; + + # ip, port and external host to listen on + host = mkOption { + type = types.str; + default = "127.0.0.1"; + example = "0.0.0.0"; + description = "The host the service listens on"; + }; + port = mkOption { + type = types.int; + default = 8080; + example = 8080; + description = "The port the service listens on"; + }; + public-url = mkOption { + type = types.str; + default = "http://localhost:8080/"; + example = "https://goapp.emile.space/"; + description = '' + The domain that the service can be reached from externally. This is used by oidc for redirects and thus should be set, as you'll probably be running this behind some kind of reverse proxy. + ''; + }; + + # the oidc config + oidc = mkOption { + type = types.submodule { + options = { + id = mkOption { + type = types.str; + default = ""; + example = "AiliavahweiweeG5"; + description = "The oidc id"; + }; + issuer = mkOption { + type = types.str; + default = ""; + example = "https://sso.emile.space"; + description = "The oidc identity provider"; + }; + cookie-name = mkOption { + type = types.str; + default = "oidc-client"; + example = "CookieMcCookieface"; + description = "The oidc cookie name"; + }; + scopes = mkOption { + type = types.listOf types.str; + default = [ "openid" "profile" "email" "groups" ]; + example = [ "openid" "profile" "email" ]; + description = "The openid scopes to request"; + }; + secret-path = mkOption { + type = types.str; + default = ""; + example = "/run/goapp_oidc_secret"; + description = "The path to the oidc secret"; + }; + }; + }; + }; + + # paths to files + session-key-path = mkOption { + type = types.str; + default = ""; + example = "/run/sesionkey"; + description = "The path to a file containing the sessionKey"; + }; + logfile-path = mkOption { + type = types.str; + default = "/var/log/goapp-frontend.log"; + example = "/var/log/goapp-frontend.log"; + description = "The path to where the logfile should be written"; + }; + + database-path = mkOption { + type = types.str; + default = "/var/lib/goapp-frontend/main.db"; + example = "/var/lib/goapp-frontend/main.db"; + description = "The path to the main database"; + }; + sessiondb-path = mkOption { + type = types.str; + default = "/var/lib/goapp-frontend/sessions.db"; + example = "/var/lib/goapp-frontend/sessions.db"; + description = "The path to the sessions database"; + }; + }; + + config = mkIf cfg.enable { + systemd.services.goapp-frontend = { + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + RestartSec = 5; + Restart = "on-failure"; + }; + environment = { + VERSION = pkgs.goapp-frontend.version; + }; + path = [ pkgs.goapp-frontend ]; + serviceConfig.ExecStart = '' + ${pkgs.goapp-frontend}/bin/frontend \ + --host ${cfg.host} \ + --port ${toString cfg.port} \ + --public-url ${cfg.public-url} \ + --id ${cfg.oidc.id} \ + --issuer ${cfg.oidc.issuer} \ + --cookie-name ${cfg.oidc.cookie-name} \ + --scopes ${concatStringsSep "," cfg.oidc.scopes} \ + --oidc-secret-path ${cfg.oidc.secret-path} \ + --logfilepath ${cfg.logfile-path} \ + --databasepath ${cfg.database-path} \ + --sessiondbpath ${cfg.sessiondb-path} \ + --sessionkeypath ${cfg.session-key-path} \ + --templatespath ${pkgs.goapp-frontend}/templates + ''; + }; + }; +} diff --git a/nix/modules/libvirtnix/config.nix b/nix/modules/libvirtnix/config.nix new file mode 100644 index 0000000..e1a8d28 --- /dev/null +++ b/nix/modules/libvirtnix/config.nix @@ -0,0 +1,59 @@ +{ + services.emile.libvirtnix = { + enable = true; + vm = { + "alan" = { + vm_type = "kvm"; + id = "1337"; + name = "blub"; + uuid = "cafebabe-d474-452b-80f4-c951c39bcf74"; + + metadata.libosinfo = "https://libosinfo.org/xmlns/libvirt/domain/1.0"; + metadata.libosinfo_os = "https://nixos.org/nixos/unknown"; + + memory.unit = "KiB"; + memory.value = 2097152; + + currentMemory.unit = "KiB"; + currentMemory.value = 2097152; + + vcpu.placement = "static"; + vcpu.count = 3; + + resource.partition = "/machine"; + + os = { + type = { + arch = "x86_64"; + machine = "pc-q35-3.1"; + value = "hvm"; + }; + + loader = { + readonly = "yes"; + type = "pflash"; + value = "/usr/share/OVMF/OVMF_CODE.fd"; + }; + + nvram.value = "/var/lib/libvirt/qemu/nvram/fileserver2_VARS.fd"; + + boot.dev = "hd"; + }; + + features = { + acpi = true; + apic = true; + vmport = { + state = "off"; + }; + }; + + cpu = { + mode = "host-passthrough"; + check = "none"; + migratable = "on"; + }; + }; + }; + }; +} diff --git a/nix/modules/libvirtnix/domain.nix b/nix/modules/libvirtnix/domain.nix index a028c7d..22cd891 100644 --- a/nix/modules/libvirtnix/domain.nix +++ b/nix/modules/libvirtnix/domain.nix @@ -1,701 +1,483 @@ -{ pkgs, lib, ... }: - +{ config, lib, ... }: + +let + mkTag = import ./xml.nix { inherit lib; }; + pkgs = import <nixpkgs> { }; + + stringOption = + { + default ? "", + }: + lib.mkOption { + type = lib.types.str; + default = "${default}"; + }; +in { - options = with lib; { - - # meta, this allows defining the package used for each vm individually, defaults should be sane - packages = mkOption { - type = types.submodule { - options = { - libvirt = mkPackageOption pkgs "libvirt" { }; - qemu = mkPackageOption pkgs "qemu" { }; + options = { + services.emile.libvirtnix = + let + cpu = lib.mkOption { + type = lib.types.submodule { + options = { + mode = lib.mkOption { + type = lib.types.str; + example = "host-passthrough"; + default = ""; + }; + check = lib.mkOption { + type = lib.types.str; + example = "none"; + default = ""; + }; + migratable = lib.mkOption { + type = lib.types.str; + example = "on"; + default = ""; + }; + }; + }; }; - }; - }; - - # attributs for the root `<domain ...>` node - type = mkOption { - type = types.enum [ - "xen" - "hvm" - "kvm" - "qemu" - "lxc" - ]; - default = "kvm"; - example = "qemu"; - description = '' - hypervisor used for running the domain - allowed values are driver specific, if missing, plz send PR - - hvm since since 8.1.0 and QEMU 2.12 - ''; - }; - - id = mkOption { - type = types.int; - default = 0; - example = 42; - }; + features = lib.mkOption { + type = lib.types.submodule { + options = { + acpi = lib.mkEnableOption "enable acpi"; + apic = lib.mkEnableOption "enable apic"; + + vmport = lib.mkOption { + type = lib.types.submodule { + options = { + state = lib.mkOption { + type = lib.types.str; + example = "off"; + default = ""; + }; + }; + }; + }; + }; + }; + }; + + os_boot = lib.mkOption { + type = lib.types.submodule { + options = { + dev = lib.mkOption { + type = lib.types.str; + example = "hd"; + default = ""; + }; + }; + }; + }; + + os_nvram = lib.mkOption { + type = lib.types.submodule { + options = { + value = lib.mkOption { + type = lib.types.str; + example = "/var/lib/libvirt/qemu/nvram/fileserver2_VARS.fd"; + default = ""; + }; + }; + }; + }; + + os_loader = lib.mkOption { + type = lib.types.submodule { + options = { + readonly = lib.mkOption { + type = lib.types.str; + example = "yes"; + default = ""; + }; + type = lib.mkOption { + type = lib.types.str; + example = "pflash"; + default = ""; + }; + value = lib.mkOption { + type = lib.types.str; + example = "/usr/share/OVMF/OVMF_CODE.fd"; + default = ""; + }; + }; + }; + }; + + os_type = lib.mkOption { + type = lib.types.submodule { + options = { + arch = lib.mkOption { + type = lib.types.str; + example = "x86_64"; + default = ""; + }; + machine = lib.mkOption { + type = lib.types.str; + example = "pc-q35-3.1"; + default = ""; + }; + value = lib.mkOption { + type = lib.types.str; + example = "hvm"; + default = ""; + }; + }; + }; + }; - # General metadata - name = mkOption { - type = types.str; - example = "MyGuest"; - }; + os = lib.mkOption { + description = "os"; + type = lib.types.submodule { + options = { + type = os_type; + loader = os_loader; + nvram = os_nvram; + boot = os_boot; + }; + }; + }; - uuid = mkOption { - type = types.str; - example = "3e3fce45-4f53-4fa7-bb32-11f34168b82b"; - }; + resource = lib.mkOption { + description = "resource"; + type = lib.types.submodule { + options = { + partition = lib.mkOption { + type = lib.types.str; + example = "/machine"; + default = ""; + }; + }; + }; + }; - genid = mkOption { - type = types.str; - example = "43dc0cf8-809b-4adb-9bea-a9abb5f3d90e"; - }; + vcpu = lib.mkOption { + description = "vcpu"; + type = lib.types.submodule { + options = { + placement = lib.mkOption { + # TODO(emile): fill up + type = lib.types.enum [ "static" ]; + example = "static"; + default = "static"; + }; + count = lib.mkOption { + type = lib.types.int; + example = 4; + default = 1; + }; + }; + }; + }; - title = mkOption { - type = types.str; - example = "A short description - title - of the domain"; - }; + mem = lib.mkOption { + description = "memory"; + type = lib.types.submodule { + options = { + unit = lib.mkOption { + # TODO(emile): fill up + type = lib.types.enum [ + "KiB" + "MiB" + "GiB" + "TiB" + ]; + example = "KiB"; + default = "KiB"; + }; + value = lib.mkOption { + type = lib.types.int; + example = 2097152; + default = 1000; + }; + }; + }; + }; - description = mkOption { - type = types.str; - example = "Some human readable description"; - }; + memory = mem; + currentMemory = mem; + + metadata = lib.mkOption { + description = "metadata submodule"; + type = lib.types.submodule { + options = { + libosinfo = lib.mkOption { + type = lib.types.str; + example = "https://libosinfo.org/xmlns/libvirt/domain/1.0"; + default = ""; + }; + libosinfo_os = lib.mkOption { + type = lib.types.str; + example = "https://nixos.org/nixos/unknown"; + default = ""; + }; + }; + }; + }; - metadata = mkOption { - type = types.str; - default = ""; - example = '' - <metadata> - <app1:foo xmlns:app1="http://app1.org/app1/">..</app1:foo> - <app2:bar xmlns:app2="http://app1.org/app2/">..</app2:bar> - </metadata> - ''; - }; + vm = lib.types.submodule { + options = { + vm_type = stringOption { default = "kvm"; }; + id = stringOption { }; + name = stringOption { }; + uuid = stringOption { }; + + inherit + metadata + memory + currentMemory + vcpu + resource + os + features + cpu + ; + }; + }; + in + { + enable = lib.mkEnableOption "Enable r2wars-web"; + + + # Temporary output we write the domain to, in order to inspect the correctness of + # the generated xml + output.domain = lib.mkOption { type = lib.types.path; }; + + # An attrset of VMs + vm = lib.mkOption { + description = "VMs to define"; + type = lib.types.attrsOf vm; + }; + }; + }; - os = mkOption { - type = types.submodule { - options = { - firmware = mkOption { - type = types.enum [ - "bios" - "efi" + config = lib.mkIf config.services.emile.libvirtnix.enable { + services.emile.libvirtnix = + let + vm = config.services.emile.libvirtnix.vm; + + cpu = + vm_name: + mkTag { + name = "cpu"; + args = let + mode = vm.${vm_name}.cpu.mode; + check = vm.${vm_name}.cpu.check; + migratable= vm.${vm_name}.cpu.migratable; + in [ + (if (mode != null) + then {key = "mode"; val = mode;} + else "") + (if (check != null) + then {key = "check"; val = check;} + else "") + (if (migratable != null) + then {key = "migratable"; val = migratable;} + else "") ]; - default = "efi"; - example = "bios"; + closing = false; }; - type = mkOption { - type = types.enum [ - "hvm" - "linux" + + features = + vm_name: + mkTag { + name = "features"; + children = let + acpi = vm_name: mkTag { + name = "acpi"; + closing = false; + }; + apic = vm_name: mkTag { + name = "apic"; + closing = false; + }; + vmport = vm_name: mkTag { + name = "vmport"; + args = [ + { key = "state"; val = vm.${vm_name}.features.vmport.state; } + ]; + closing = false; + }; + in [ + (if (vm.${vm_name}.features.acpi != false) then (acpi vm_name) else "") + (if (vm.${vm_name}.features.apic != false) then (apic vm_name) else "") + (if (vm.${vm_name}.features.vmport != null) then (vmport vm_name) else "") ]; - default = "hvm"; - example = "linux"; }; - arch = mkOption { type = types.str; }; - machine = mkOption { type = types.str; }; - - # TODO(emile): features - # Search for the following... - # > When using firmware auto-selection there are different features enabled in the firmwares - # ... here: https://libvirt.org/formatdomain.html - # can't bother to implement this now - # features = mkOption { - # type = types.submodule { - # options = { - # enabled = { - # type = types.enum [ "yes" "no" ]; - # }; - # name = {}; - # }; - # }; - # }; - - # such as: - # <loader readonly='yes' secure='yes' type='pflash'>/usr/share/OVMF/OVMF_CODE.fd</loader> - loader = mkOption { - type = types.submodule { - options = { - readonly = mkOption { - type = types.enum [ - "yes" - "no" - ]; - }; - type = mkOption { - type = types.enum [ - "rom" - "pflash" - ]; - }; - secure = mkOption { - type = types.enum [ - "yes" - "no" - ]; - }; - stateless = mkOption { - type = types.enum [ - "yes" - "no" - ]; - }; - format = mkOption { - type = types.enum [ - "raw" - "qcow2" - ]; - }; - value = mkOption { - type = types.str; - example = "/usr/share/OVMF/OVMF_CODE.fd"; - }; + os = + vm_name: + mkTag { + name = "os"; + children = let + os_type = vm_name: mkTag { + name = "type"; + args = [ + { key = "arch"; val = vm.${vm_name}.os.type.arch; } + { key = "machine"; val = vm.${vm_name}.os.type.machine; } + ]; + value = vm.${vm_name}.os.type.value; }; - }; + os_loader = vm_name: mkTag { + name = "loader"; + args = [ + { key = "readonly"; val = vm.${vm_name}.os.loader.readonly; } + { key = "pflash"; val = vm.${vm_name}.os.loader.type; } + ]; + value = vm.${vm_name}.os.loader.value; + }; + os_nvram = vm_name: mkTag { + name = "nvram"; + value = vm.${vm_name}.os.nvram.value; + }; + os_boot = vm_name: mkTag { + name = "type"; + args = [ + { key = "dev"; val = vm.${vm_name}.os.boot.dev; } + ]; + closing = false; + }; + in [ + (os_type vm_name) + (os_loader vm_name) + (os_nvram vm_name) + (os_boot vm_name) + ]; }; - # <nvram type='network'> - # <source protocol='iscsi' name='iqn.2013-07.com.example:iscsi-nopool/0'> - # <host name='example.com' port='6000'/> - # <auth username='myname'> - # <secret type='iscsi' usage='mycluster_myname'/> - # </auth> - # </source> - # </nvram> - - # nvram = { - # type = "network"; - # source = { - # protocol = "iscsi"; - # name = "iqn.2013-07.com.example:iscsi-nopool/0"; - # }; - # }; - - nvram = mkOption { - type = types.submodule { - options = { - type = mkOption { - type = types.enum [ - "file" - "block" - "dir" - "network" - "volume" - "nvme" - "vhostuser" - "vhostvdpa" - ]; - default = ""; - }; - - source = mkOption { - type = types.submodule { - options = { - # TODO(emile): figure out how to conditionally allow setting the options below - # if the type defined above has been set - - # if type == file - file = mkOption { type = types.str; }; - fdgroup = mkOption { type = types.str; }; - - # if type == block - dev = mkOption { type = types.str; }; - - # if type == dir - dir = mkOption { type = types.str; }; - - # if type == network - protocol = mkOption { - type = types.enum [ - "nbd" - "iscsi" - "rbd" - "sheepdog" - "gluster" - "vxhs" - "nfs" - "http" - "https" - "ftp" - "ftps" - "tftp" - "ssh" - ]; - }; - name = mkOption { type = types.str; }; - tls = mkOption { - type = types.enum [ - "yes" - "no" - ]; - }; - tlsHostname = mkOption { type = types.str; }; - query = mkOption { type = types.str; }; - - # if type == volume - pool = mkOption { type = types.str; }; - volume = mkOption { type = types.str; }; - mode = mkOption { - type = types.enum [ - "direct" - "host" - ]; - default = "host"; - }; - - # if type == nvme - type = mkOption { - type = types.enum [ "pci" ]; - default = "pci"; - description = '' - When the type is `nvme`, only `pci` is supported - When the type is `vhostuser`, only `unix` is supported - - (I've got not clue how to model this is nix, it's essentially an attribute that is overloaded based on another value) - ''; - }; - managed = mkOption { - type = types.enum [ - "yes" - "no" - ]; - }; - namespace = mkOption { - type = types.int; - default = 0; - }; - - # if type == vhostuser - # type = see the type in the nvme section above - path = mkOption { type = types.str; }; - - # if type == vhostvdpa - # dev = (defined above in the "type == block" section) - - # if type == file - # if type == block - # if type == volume - seclabel = mkOption { type = types.str; }; - - index = mkOption { - type = types.int; - default = 0; - }; - - # TODO(emile): implement checks here - # start here and scroll down a bit to the table - # https://libvirt.org/formatdomain.html#hard-drives-floppy-disks-cdroms - # if type == network - host = mkOption { - type = types.submodule { - options = { - name = mkOption { type = types.str; }; - port = mkOption { - type = types.int; - default = 0; - }; - transport = mkOption { type = types.str; }; - socket = mkOption { type = types.str; }; - - }; - }; - }; - - snapshot = mkOption { - type = types.submodule { - options = { - name = mkOption { type = types.str; }; - }; - }; - }; - - config = mkOption { - type = types.submodule { - options = { - file = mkOption { type = types.str; }; - }; - }; - }; - - # Since 3.9.0, the auth element is supported for a disk type "network" that is using a source element with the protocol attributes "rbd", "iscsi", or "ssh". - auth = mkOption { - type = types.submodule { - options = { - type = mkOption { - # type = types.enum [ "chap" ]; - # freeform, yet "chap" is one of the allowed options, I don't know others (yet) - type = types.str; - }; - username = mkOption { type = types.str; }; - - # https://libvirt.org/formatsecret.html - secret = mkOption { - type = types.submodule { - options = { - ephemeral = mkOption { - type = types.enum [ - "yes" - "no" - ]; - default = "no"; - }; - private = mkOption { - type = types.enum [ - "yes" - "no" - ]; - default = "no"; - }; - - uuid = types.submodule { - options = { - value = mkOption { - type = types.str; - default = ""; - }; - }; - }; - description = types.submodule { - options = { - value = mkOption { - type = types.str; - default = ""; - }; - }; - }; - - usage = types.submodule { - options = { - type = mkOption { - type = types.enum [ - "volume" - "ceph" - "iscsi" - "tls" - "vtpm" - ]; - default = ""; - }; - value = mkOption { - type = types.str; - default = ""; - }; - - name = mkOption { - type = types.submodule { - options = { - value = mkOption { type = types.str; }; - }; - }; - }; - - volume = mkOption { - type = types.submodule { - options = { - value = mkOption { type = types.str; }; - }; - }; - }; - - # when using the "iscsi" type - target = mkOption { - type = types.submodule { - options = { - value = mkOption { type = types.str; }; - }; - }; - }; - - }; - }; - - }; - }; - }; # end of secret - - }; - }; - }; # end of auth - - # https://libvirt.org/formatstorageencryption.html - encryption = mkOption { - type = types.submodule { - options = { - type = mkOption { type = types.str; }; - - # mandatory - format = mkOption { - type = types.enum [ - "default" - "qcow" - "luks" - "luks2" - "luks-any" - ]; - }; - - engine = mkOption { - type = types.enum [ - "qemu" - "librbd" - ]; - }; - - secrets = mkOption { - type = types.listOf (mkOption { - type = types.submodule { - options = { - - # mandatory - type = mkOption { type = types.enum [ "volume" ]; }; - - # uuid or usage - uuid = mkOption { type = types.str; }; - usage = mkOption { type = types.str; }; - - }; - }; - }); - }; # end of secrets - - cipher = mkOption { - type = types.submodule { - options = { - name = mkOption { - type = types.str; - example = "'aes', 'des', 'cast5', 'serpent', 'twofish', etc."; - }; - size = mkOption { - type = types.str; - example = "'256', '192', '128', etc."; - }; - mode = mkOption { - type = types.str; - example = "'cbc', 'xts', 'ecb', etc."; - }; - hash = mkOption { - type = types.str; - example = "'md5', 'sha1', 'sha256', etc."; - }; - }; - }; - }; # end of cipher - - ivgen = mkOption { - type = types.submodule { - options = { - name = mkOption { - type = types.str; - example = "'plain', 'plain64', 'essiv', etc."; - }; - hash = mkOption { - type = types.str; - example = "'md5', 'sha1', 'sha256'"; - }; - }; - }; - }; # end of ivygen - }; - }; - }; # end of encryption - - # TODO(emile): reservations - # Looking at the following, it seems like this can use the source element recursively - # Haven't looked into how to define recursive nix options yet... - # https://github.com/virt-manager/virt-manager/blob/5ddd3456a0ca9836a98fc6ca4f0b2eaab268bf47/tests/data/cli/compare/virt-install-many-devices.xml#L398-L400 - - # TODO(emile): initiator - - # Based on this here: - # https://github.com/virt-manager/virt-manager/blob/5ddd3456a0ca9836a98fc6ca4f0b2eaab268bf47/tests/data/cli/compare/virt-install-many-devices.xml#L440 - address = mkOption { - type = types.submodule { - options = { - domain = mkOption { type = types.int; }; - bus = mkOption { type = types.int; }; - slot = mkOption { type = types.int; }; - function = mkOption { type = types.int; }; - }; - }; - }; # end of address - - # TODO(emile): slices - # Didn't find any usage of it, why is there documentation for it then? - - ssl = mkOption { - type = types.submodule { - options = { - verify = mkOption { - type = types.enum [ - "yes" - "no" - ]; - }; - }; - }; - }; # end of ssl - - # TODO(emile): cookies for http and https - - readahead = mkOption { - type = types.submodule { - options = { - size = mkOption { type = types.int; }; - }; - }; - }; # end of readahead - - timeout = mkOption { - type = types.submodule { - options = { - seconds = mkOption { type = types.int; }; - }; - }; - }; # end of timeout - - identity = mkOption { - type = types.submodule { - options = { - user = mkOption { type = types.str; }; - group = mkOption { type = types.str; }; - - # if ssh - # required - username = mkOption { type = types.str; }; - - # one of these: - agentsock = mkOption { type = types.str; }; - keyfile = mkOption { type = types.str; }; - }; - }; - }; # end of identity - - # disk type "vhostuser" - reconnect = mkOption { - type = types.submodule { - options = { - # mandatory - enabled = mkOption { - type = types.enum [ - "yes" - "no" - ]; - }; - timeout = mkOption { - type = types.int; - description = "seconds"; - }; - - # optional for disk type network and protocol nbd - delay = mkOption { - type = types.int; - default = 0; - description = "seconds"; - }; - }; - }; - }; # end of reconnect - - # disk type "ssh" - knownHosts = mkOption { - type = types.submodule { - options = { - path = mkOption { type = types.str; }; - }; - }; - }; # end of knownHosts - - dataStore = mkOption { - type = types.submodule { - options = { - # TODO(emile): can accept the same types as a `source` element - type = mkOption { type = types.str; }; - - # TODO(emile): can accept format and source subelements - # this is (once again) recursive for the source, stil need to figure - # out how to handle this, just not now - }; - }; - }; # end of dataStore + resource = + vm_name: + mkTag { + name = "resource"; + children = [ + (mkTag { + name = "partition"; + value = "${toString vm.${vm_name}.resource.partition}"; + }) + ]; + }; - startupPolicy = mkOption { - type = types.enum [ - "mandatory" - "requisite" - "optional" - ]; - default = "mandatory"; - }; # end of startupPolicy + vcpu = + vm_name: + mkTag { + name = "vcpu"; + args = [ + { + key = "placement"; + val = vm.${vm_name}.vcpu.placement; + } + ]; + value = "${toString vm.${vm_name}.vcpu.count}"; + }; - backingStore = mkOption { - type = types.submodule { - options = { - type = mkOption { - # TODO(emile): can accept the same types as a `source` element - type = types.str; - }; + currentMemory = + vm_name: + mkTag { + name = "currentMemory"; + args = [ + { + key = "unit"; + val = vm.${vm_name}.currentMemory.unit; + } + ]; + value = "${toString vm.${vm_name}.currentMemory.value}"; + }; + memory = + vm_name: + mkTag { + name = "memory"; + args = [ + { + key = "unit"; + val = vm.${vm_name}.memory.unit; + } + ]; + value = "${toString vm.${vm_name}.memory.value}"; + }; - index = mkOption { - # TODO(emile): figure out if this can just be an int - type = types.str; - }; + libosinfo_os = + vm_name: + mkTag { + name = "libosinfo:os"; + args = [ + { + key = "id"; + val = vm.${vm_name}.metadata.libosinfo_os; + } + ]; + closing = false; + }; - # TODO(emile): can use the following sub elements: - # - format - # - source - # - backingStore - }; - }; - }; # end of backingStore + libosinfo_libosinfo = + vm_name: + mkTag { + name = "libosinfo:libosinfo"; + args = [ + { + key = "xmlns:libosinfo"; + val = vm.${vm_name}.metadata.libosinfo; + } + ]; + children = [ + (libosinfo_os vm_name) + ]; + }; - mirror = mkOption { - type = types.submodule { - options = { - api = mkOption { - type = types.enum [ - "copy" - "active-commit" - ]; - }; - ready = mkOption { - type = types.enum [ - "yes" - "abort" - "pivot" - ]; - }; - # TODO(emile): can use the following sub elements: - # - type (disk types) - # - format - # - source - # - file - }; - }; - }; # end of mirror + metadata = + vm_name: + mkTag { + name = "metadata"; + children = [ (libosinfo_libosinfo vm_name) ]; + }; - }; - }; - }; # end of source + uuid = + vm_name: + mkTag { + name = "uuid"; + value = vm.${vm_name}.uuid; + }; - }; - }; - }; # end of nvram + name = + vm_name: + mkTag { + name = "name"; + value = vm.${vm_name}.name; + }; - }; + # the vm_name has to be passed in, as we want to accesses the value for the given vm when + # generating the config + domain = + vm_name: + mkTag { + name = "domain"; + args = [ + { + key = "type"; + val = vm.${vm_name}.vm_type; + } + { + key = "id"; + val = vm.${vm_name}.id; + } + ]; + children = [ + (name vm_name) + (uuid vm_name) + (metadata vm_name) + (memory vm_name) + (currentMemory vm_name) + (vcpu vm_name) + (resource vm_name) + (os vm_name) + (features vm_name) + (cpu vm_name) + ]; + }; + in + { + output.domain = pkgs.writeText "libvirt-domain-config.xml" (domain "alan"); }; - }; - - memory = lib.mkOption { - type = lib.types.int; - default = 1024; - example = 2048; - description = '' - The amount of memory to provide to the VM - ''; - }; }; } diff --git a/nix/modules/libvirtnix/test.nix b/nix/modules/libvirtnix/test.nix new file mode 100644 index 0000000..8542b7e --- /dev/null +++ b/nix/modules/libvirtnix/test.nix @@ -0,0 +1,10 @@ +let + pkgs = import <nixpkgs> {}; +in + pkgs.lib.evalModules { + modules = [ + # ./secret.nix + ./domain.nix + ./config.nix + ]; + } diff --git a/nix/modules/libvirtnix/xml.nix b/nix/modules/libvirtnix/xml.nix new file mode 100644 index 0000000..134a878 --- /dev/null +++ b/nix/modules/libvirtnix/xml.nix @@ -0,0 +1,45 @@ +{ lib, ... }: + +# takes a few args and creats a valid xml tag pair out of it +# +# testTag = mkTag { +# name = "name"; +# args = [ +# { +# key = "arg1"; +# val = "arg1val"; +# } +# { +# key = "arg2"; +# val = "arg2val"; +# } +# ]; +# value = "qwe"; +# children = [ +# (mkTag { name = "nested"; args = []; value = "qwe"; children = [];}) +# ]; +# }; +# +# <name arg1=arg1val arg2=arg2val> +# value +# {children} +# </name> +{ + name, # name of the tag to be used, such as `secret`, `description`, ... + args ? [ ], # args, [ { key="a"; val="b"; } { key="c"; val="d"; } ] + value ? "", # the value to place in the middle + children ? [ ], # the child elements + closing ? true, # add a closing tag +}: +let + args_str = + " " + lib.strings.concatStrings (lib.strings.intersperse " " (map (x: "${x.key}='${x.val}'") args)); + child_evaled = lib.strings.concatStrings children; + + cond = condition: value: if condition then value else ""; + + closingTag = if closing == true then "</${name}>" else ""; +in +"<${name}${ + lib.optionalString (args != [ ]) args_str +}${cond (closing == false) "/"}>${value}${child_evaled}${lib.optionalString (closing) closingTag}" diff --git a/nix/modules/x86_64-linux.nix b/nix/modules/x86_64-linux.nix index e5dbc64..62945b3 100644 --- a/nix/modules/x86_64-linux.nix +++ b/nix/modules/x86_64-linux.nix @@ -4,6 +4,7 @@ ./r2wars-web ./remarvin ./filebrowser - ./libvirtnix + # ./libvirtnix + ./goapp-frontend ]; } diff --git a/nix/pkgs/glibc-all-in-one/default.nix b/nix/pkgs/glibc-all-in-one/default.nix new file mode 100644 index 0000000..bbb0824 --- /dev/null +++ b/nix/pkgs/glibc-all-in-one/default.nix @@ -0,0 +1,25 @@ +{ pkgs ? import <nixpkgs> {}, lib, fetchFromGitHub }: + +pkgs.stdenv.mkDerivation rec { + name = "glibc-all-in-one"; + version = "master"; + + src = fetchFromGitHub { + owner = "fr0ster"; + repo = "glibc-all-in-one"; + rev = version; + sha256 = "Zysjhr76TenMarnoKo+M8DrTNbsnaXSoFZO1puPVoxU="; + }; + + buildPhase = ''''; + + installPhase = '' + ''; + + meta = { + description = ""; + homepage = "https://github.com/fr0ster/glibc-all-in-one"; + license = lib.licenses.mit; + maintainers = with lib.maintainers; [ hanemile ]; + }; + } diff --git a/nix/pkgs/overlay.nix b/nix/pkgs/overlay.nix deleted file mode 100644 index e213533..0000000 --- a/nix/pkgs/overlay.nix +++ /dev/null @@ -1,9 +0,0 @@ -final: prev: { - vokobe = final.callPackage ./vokobe { inherit (final) naersk; }; - r2wars-web = final.callPackage ./r2wars-web { }; - remarvin = final.callPackage ./remarvin { }; - - pretalx_old = prev.pretalx.overrideAttrs ( old: { - version = "2024.1.0"; - }); -} diff --git a/nix/pkgs/x86_64-linux.nix b/nix/pkgs/x86_64-linux.nix index f5e8b60..c186cc4 100644 --- a/nix/pkgs/x86_64-linux.nix +++ b/nix/pkgs/x86_64-linux.nix @@ -2,5 +2,5 @@ final: prev: { vokobe = final.callPackage ./vokobe { inherit (final) naersk; }; r2wars-web = final.callPackage ./r2wars-web { }; remarvin = final.callPackage ./remarvin { }; - libc-database = final.callPackage ./libc-database {}; + # libc-database = final.callPackage ./libc-database {}; } diff --git a/nix/templates/ctf/flake.lock b/nix/templates/ctf/flake.lock new file mode 100644 index 0000000..b756d8d --- /dev/null +++ b/nix/templates/ctf/flake.lock @@ -0,0 +1,141 @@ +{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1740603184, + "narHash": "sha256-t+VaahjQAWyA+Ctn2idyo1yxRIYpaDxMgHkgCNiMJa4=", + "ref": "nixos-24.11", + "rev": "f44bd8ca21e026135061a0a57dcf3d0775b67a49", + "shallow": true, + "type": "git", + "url": "ssh://git@github.com/nixos/nixpkgs.git" + }, + "original": { + "ref": "nixos-24.11", + "shallow": true, + "type": "git", + "url": "ssh://git@github.com/nixos/nixpkgs.git" + } + }, + "nixpkgs_2": { + "locked": { + "lastModified": 1736241350, + "narHash": "sha256-CHd7yhaDigUuJyDeX0SADbTM9FXfiWaeNyY34FL1wQU=", + "owner": "NixOS", + "repo": "nixpkgs", + "rev": "8c9fd3e564728e90829ee7dbac6edc972971cd0f", + "type": "github" + }, + "original": { + "owner": "NixOS", + "ref": "nixpkgs-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "pwndbg": { + "inputs": { + "nixpkgs": "nixpkgs_2", + "pyproject-build-systems": "pyproject-build-systems", + "pyproject-nix": "pyproject-nix", + "uv2nix": "uv2nix" + }, + "locked": { + "lastModified": 1740333626, + "narHash": "sha256-OcwULIZcWOC1FNGa0SNGtyMyfbwTsBj17LBPpGOZL78=", + "ref": "refs/heads/dev", + "rev": "ef090ebf5eb75713b1f97c3d9aa3d7be636b0c3a", + "revCount": 2284, + "type": "git", + "url": "ssh://git@github.com/pwndbg/pwndbg" + }, + "original": { + "type": "git", + "url": "ssh://git@github.com/pwndbg/pwndbg" + } + }, + "pyproject-build-systems": { + "inputs": { + "nixpkgs": [ + "pwndbg", + "nixpkgs" + ], + "pyproject-nix": [ + "pwndbg", + "pyproject-nix" + ], + "uv2nix": [ + "pwndbg", + "uv2nix" + ] + }, + "locked": { + "lastModified": 1737338290, + "narHash": "sha256-gnXlfFEHA+/jMH7R+7y3JxrI3WfOjgBhzzJNuFW70UU=", + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "rev": "e1487e5cefda0c7990bdd2e660bee20971680e45", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "build-system-pkgs", + "type": "github" + } + }, + "pyproject-nix": { + "inputs": { + "nixpkgs": [ + "pwndbg", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1738204167, + "narHash": "sha256-J5M2sj3x4ocM93shScT/3Z4XWHZhwwW1NyQK+C+8Mys=", + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "rev": "0d9f4b90cee1b5c5d6c142ef22de1e246e003ccc", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "pyproject.nix", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs", + "pwndbg": "pwndbg" + } + }, + "uv2nix": { + "inputs": { + "nixpkgs": [ + "pwndbg", + "nixpkgs" + ], + "pyproject-nix": [ + "pwndbg", + "pyproject-nix" + ] + }, + "locked": { + "lastModified": 1738653454, + "narHash": "sha256-tAFX8mPZtZ+zVE/+bwPC3U+u5MxjpNP0gG24DG26jVs=", + "owner": "pyproject-nix", + "repo": "uv2nix", + "rev": "05b0c148bc53aebc6a906b6d0ac41dde5954cd47", + "type": "github" + }, + "original": { + "owner": "pyproject-nix", + "repo": "uv2nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/templates/ctf/flake.nix b/nix/templates/ctf/flake.nix index e8b75b9..f185bb7 100644 --- a/nix/templates/ctf/flake.nix +++ b/nix/templates/ctf/flake.nix @@ -1,14 +1,20 @@ { - description = "ctf"; + description = '' + One Flake to rule them all^W^Wcommon CTF problems, namely broken infa. + + Usage: + ; nix flake init -t git+https://github.com/hanemile/hefe\#ctf + ''; nixConfig.bash-prompt = "\[ctf\]; "; inputs = { - nixpkgs.url = "github:NixOS/nixpkgs"; + nixpkgs.url = "git+ssh://git@github.com/nixos/nixpkgs.git?shallow=1&ref=nixos-24.11"; + pwndbg.url = "git+ssh://git@github.com/pwndbg/pwndbg"; }; # Flake outputs outputs = - { nixpkgs, ... }: + { nixpkgs, pwndbg, ... }@inputs: let # Systems supported allSystems = [ @@ -21,30 +27,46 @@ # Helper to provide system-specific attributes nameValuePair = name: value: { inherit name value; }; genAttrs = names: f: builtins.listToAttrs (map (n: nameValuePair n (f n)) names); - forAllSystems = f: genAttrs allSystems (system: f { pkgs = import nixpkgs { inherit system; }; }); + forAllSystems = f: genAttrs allSystems (system: f { + pkgs = import nixpkgs { inherit system; }; + pwndbg = inputs.pwndbg.packages.${system}.default; + }); in { # Development environment output devShells = forAllSystems ( - { pkgs }: + { pkgs, pwndbg }: { default = - let - python = pkgs.python311; # Use Python 3.11 - in pkgs.mkShell { - packages = - with pkgs; - [ qemu ] - ++ [ - # Python plus helper tools - (python.withPackages ( - ps: with ps; [ - pwntools - pycryptodome - ] - )) - ]; + shellHook = '' + cat << EOF > solve.py + from pwn import * + + context.gdbinit="${pwndbg}/share/pwndbg/gdbinit.py" + + # exe = ELF("./a.out") + + p = remote("138.199.213.51", 31335) + #p = gdb.debug(exe.path, gdbscript='''' + # break main + # c + # '''') + + p.sendlineafter(b"> ", b"asd") + + p.interactive() + EOF + ''; + packages = [ + pkgs.gcc + pwndbg + (pkgs.python311.withPackages ( ps: with ps; [ + pwntools + pwndbg + pycryptodome + ])) + ]; }; } ); diff --git a/nix/templates/ctf/solve.py b/nix/templates/ctf/solve.py new file mode 100644 index 0000000..acc4a75 --- /dev/null +++ b/nix/templates/ctf/solve.py @@ -0,0 +1,15 @@ +from pwn import * + +context.gdbinit="/nix/store/jhvjf5drzzqq54xghzz94h0a6wsn1fs1-pwndbg/share/pwndbg/gdbinit.py" + +# exe = ELF("./a.out") + +p = remote("138.199.213.51", 31335) +#p = gdb.debug(exe.path, gdbscript=''' +# break main +# c +# ''') + +p.sendlineafter(b"> ", b"asd") + +p.interactive() diff --git a/nix/templates/goapp/flake.nix b/nix/templates/goapp/flake.nix index 1ca876f..385f1bf 100644 --- a/nix/templates/goapp/flake.nix +++ b/nix/templates/goapp/flake.nix @@ -12,20 +12,26 @@ overlays = [ ]; }; + # take a name and return an attrset with a corresponding package and docker container package-and-docker = name: (let - pkgname = name + "-pkg"; + # define the name for the package and docker container + pkgname = name; dockername = name + "-docker"; + # import the package itself package = import ./${name} { inherit pkgs name; }; + + # define the container + container = pkgs.dockerTools.buildImage { + name = "${name}"; # TODO(emile): this could simply be `inherit name;` iinw + config.Cmd = [ "${package}/bin/${name}" ]; + }; in { # the raw package ${pkgname} = package; # the docker image - ${dockername} = pkgs.dockerTools.buildImage { - name = "${name}"; - config.Cmd = [ "${package}/bin/${name}" ]; - }; + ${dockername} = container; }); in { diff --git a/nix/templates/goapp/frontend/default.nix b/nix/templates/goapp/frontend/default.nix index 42ccb79..7b5caa8 100644 --- a/nix/templates/goapp/frontend/default.nix +++ b/nix/templates/goapp/frontend/default.nix @@ -4,13 +4,20 @@ let version = "0.0.1"; in pkgs.buildGoModule { - name = "${name}-${version}"; pname = "${name}"; version = "${version}"; src = ./.; - subPackages = [ "src" ]; - vendorHash = "sha256-VXuhsXejduIcthawj4qu7hruBEDegj27YY0ym5srMQY="; - doCheck = true; + # use the dependencies directly from the vendor/ folder + # vendorHash = null; + + vendorHash = "sha256-dXWwAP0XM24cAcDV87XHQX9dLg6TDQ7ZVfEFgW/Q+J4="; + + doCheck = false; + + postInstall = '' + cp -r templates $out + mv $out/bin/{src,${name}} + ''; } diff --git a/nix/templates/goapp/frontend/go.mod b/nix/templates/goapp/frontend/go.mod index fecf4ac..a71f5a0 100644 --- a/nix/templates/goapp/frontend/go.mod +++ b/nix/templates/goapp/frontend/go.mod @@ -1,20 +1,20 @@ -module github.com/hanemile/goapp/backend +module github.com/hanemile/goapp/frontend go 1.23.5 require ( + github.com/coreos/go-oidc/v3 v3.12.0 github.com/gorilla/handlers v1.5.2 github.com/gorilla/mux v1.8.1 github.com/gorilla/securecookie v1.1.2 github.com/gorilla/sessions v1.4.0 github.com/mattn/go-sqlite3 v1.14.24 - golang.org/x/crypto v0.33.0 + github.com/spf13/cobra v1.9.1 golang.org/x/oauth2 v0.21.0 modernc.org/sqlite v1.34.5 ) require ( - github.com/coreos/go-oidc/v3 v3.12.0 // indirect github.com/dustin/go-humanize v1.0.1 // indirect github.com/felixge/httpsnoop v1.0.4 // indirect github.com/go-jose/go-jose/v4 v4.0.2 // indirect @@ -23,8 +23,8 @@ require ( github.com/mattn/go-isatty v0.0.20 // indirect github.com/ncruces/go-strftime v0.1.9 // indirect github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect - github.com/spf13/cobra v1.9.1 // indirect github.com/spf13/pflag v1.0.6 // indirect + golang.org/x/crypto v0.33.0 // indirect golang.org/x/sys v0.30.0 // indirect modernc.org/libc v1.55.3 // indirect modernc.org/mathutil v1.6.0 // indirect diff --git a/nix/templates/goapp/frontend/go.sum b/nix/templates/goapp/frontend/go.sum index 365e2c5..15bbb6f 100644 --- a/nix/templates/goapp/frontend/go.sum +++ b/nix/templates/goapp/frontend/go.sum @@ -1,6 +1,8 @@ github.com/coreos/go-oidc/v3 v3.12.0 h1:sJk+8G2qq94rDI6ehZ71Bol3oUHy63qNYmkiSjrc/Jo= github.com/coreos/go-oidc/v3 v3.12.0/go.mod h1:gE3LgjOgFoHi9a4ce4/tJczr0Ai2/BoDhf0r5lltWI0= github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY= github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto= github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= @@ -31,6 +33,8 @@ github.com/mattn/go-sqlite3 v1.14.24 h1:tpSp2G2KyMnnQu99ngJ47EIkWVmliIizyZBfPrBW github.com/mattn/go-sqlite3 v1.14.24/go.mod h1:Uh1q+B4BYcTPb+yiD3kU8Ct7aC0hY9fxUwlHK0RXw+Y= github.com/ncruces/go-strftime v0.1.9 h1:bY0MQC28UADQmHmaF5dgpLmImcShSi2kHU9XLdhx/f4= github.com/ncruces/go-strftime v0.1.9/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls= +github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= +github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE= github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= @@ -38,6 +42,8 @@ github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo= github.com/spf13/cobra v1.9.1/go.mod h1:nDyEzZ8ogv936Cinf6g1RU9MRY64Ir93oCnqb9wxYW0= github.com/spf13/pflag v1.0.6 h1:jFzHGLGAlb3ruxLB8MhbI6A8+AQX/2eW4qeyNZXNp2o= github.com/spf13/pflag v1.0.6/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= +github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= +github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= golang.org/x/crypto v0.33.0 h1:IOBPskki6Lysi0lo9qQvbxiQ+FvsCC/YWOecCHAixus= golang.org/x/crypto v0.33.0/go.mod h1:bVdXmD7IV/4GdElGPozy6U7lWdRXA4qyRVGJV57uQ5M= golang.org/x/mod v0.16.0 h1:QX4fJ0Rr5cPQCF7O9lh9Se4pmwfwskqZfq5moyldzic= @@ -50,6 +56,7 @@ golang.org/x/sys v0.30.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/tools v0.19.0 h1:tfGCXNR1OsFG+sVdLAitlpjAvD/I6dHDKnYrpEZUHkw= golang.org/x/tools v0.19.0/go.mod h1:qoJWxmGSIBmAeriMx19ogtrEPrGtDbPK634QFIcLAhc= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= +gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= modernc.org/cc/v4 v4.21.4 h1:3Be/Rdo1fpr8GrQ7IVw9OHtplU4gWbb+wNgeoBMmGLQ= modernc.org/cc/v4 v4.21.4/go.mod h1:HM7VJTZbUCR3rV8EYBi9wxnJ0ZBRiGE5OeGXNA0IsLQ= diff --git a/nix/templates/goapp/frontend/run.sh b/nix/templates/goapp/frontend/run.sh index fb3c7b3..b2624f3 100755 --- a/nix/templates/goapp/frontend/run.sh +++ b/nix/templates/goapp/frontend/run.sh @@ -1,3 +1,4 @@ +# these are tests creds that aren't valid, try it :D export CLIENT_ID=goapp export CLIENT_SECRET=KGFO5LQnUxu1Zs.35gOem3MaG8odthg1U0v0.kScVPS6TPTWVRnAdT_nj4PYYSfuU6jdzTM6 export CLIENT_CALLBACK_URL=http://localhost:8080/oauth2/callback @@ -6,4 +7,5 @@ export SESSION_KEY=aes1Itheich4aeQu9Ouz7ahcaiVoogh9 go run ./... \ --id goapp \ --issuer "https://sso.emile.space" \ - --secret "KGFO5LQnUxu1Zs.35gOem3MaG8odthg1U0v0.kScVPS6TPTWVRnAdT_nj4PYYSfuU6jdzTM6" + --secret "KGFO5LQnUxu1Zs.35gOem3MaG8odthg1U0v0.kScVPS6TPTWVRnAdT_nj4PYYSfuU6jdzTM6" \ + $@ diff --git a/nix/templates/goapp/frontend/server.log b/nix/templates/goapp/frontend/server.log index 4b6cff5..6c4d6dc 100644 --- a/nix/templates/goapp/frontend/server.log +++ b/nix/templates/goapp/frontend/server.log @@ -177,3 +177,5 @@ ::1 - - [19/Feb/2025:19:43:29 +0100] "GET /oauth2/callback?code=authelia_ac_8UdV__GJCN9gxJrYa629TC3FToyDDhsbacPbJzhvcJ4.uPw2-_N4jQr7xf7JNZ_IZBNHEq-eeOFoZup7Vwjx1Y0&iss=https%3A%2F%2Fsso.emile.space&scope=openid+profile+email+groups&state=random-string-here HTTP/1.1" 500 142 ::1 - - [19/Feb/2025:19:49:22 +0100] "GET / HTTP/1.1" 200 6587 ::1 - - [19/Feb/2025:19:49:23 +0100] "GET /login HTTP/1.1" 302 242 +::1 - - [19/Feb/2025:19:56:09 +0100] "GET / HTTP/1.1" 200 6587 +::1 - - [19/Feb/2025:19:56:12 +0100] "GET /login HTTP/1.1" 302 242 diff --git a/nix/templates/goapp/frontend/src/handlers.go b/nix/templates/goapp/frontend/src/handlers.go index 8fdd325..2cbacde 100644 --- a/nix/templates/goapp/frontend/src/handlers.go +++ b/nix/templates/goapp/frontend/src/handlers.go @@ -12,7 +12,7 @@ import ( ) func indexHandler(w http.ResponseWriter, r *http.Request) { - session, err := globalState.sessions.Get(r, "session") + session, err := globalState.sessions.Get(r, options.CookieName) if err != nil { log.Println("error getting the session") } @@ -37,9 +37,14 @@ func indexHandler(w http.ResponseWriter, r *http.Request) { }, }, } - tpl.NextLinks = []Link{ - {"Login", "/login"}, - } + + // session.Values["id_token"] = claimsIDToken + // session.Values["userinfo"] = claimsUserInfo + // session.Values["logged"] = true + // + log.Println("logged", session.Values["logged"]) + log.Println("id-token", session.Values["id_token"]) + log.Println("userinfo", session.Values["userinfo"]) if logged, ok := session.Values["logged"].(bool); ok && logged { tpl.LoggedIn = true @@ -68,6 +73,10 @@ func indexHandler(w http.ResponseWriter, r *http.Request) { tpl.Claims.UserInfo.Name = filterText(tpl.Claims.UserInfo.Name, options.Filters) tpl.RawToken = rawTokens[tpl.Claims.IDToken.JWTIdentifier] tpl.AuthorizeCodeURL = acURLs[tpl.Claims.IDToken.JWTIdentifier].String() + + tpl.NextLinks = []Link{{"Logout", "/logout"}} + } else { + tpl.NextLinks = []Link{{"Login", "/login"}} } w.Header().Add("Content-Type", "text/html") @@ -129,12 +138,11 @@ func logoutHandler(w http.ResponseWriter, r *http.Request) { http.Redirect(w, r, "/", http.StatusFound) } -func oauthCallbackHandler(res http.ResponseWriter, req *http.Request) { +func oauthCallbackHandler(w http.ResponseWriter, r *http.Request) { log.Println("hit the oauth callback handler") - if req.FormValue("error") != "" { - log.Printf("got an error from the idp: %s", req.FormValue("error")) - http.Redirect(res, req, fmt.Sprintf("/error?%s", req.Form.Encode()), http.StatusFound) - + if r.FormValue("error") != "" { + log.Printf("got an error from the idp: %s", r.FormValue("error")) + http.Redirect(w, r, fmt.Sprintf("/error?%s", r.Form.Encode()), http.StatusFound) return } @@ -146,24 +154,32 @@ func oauthCallbackHandler(res http.ResponseWriter, req *http.Request) { ok bool ) + log.Println(r.URL) + // The state should be checked here in production - if token, err = oauth2Config.Exchange(req.Context(), req.URL.Query().Get("code")); err != nil { + if token, err = oauth2Config.Exchange( + r.Context(), + r.URL.Query().Get("code"), + // oauth2.SetAuthURLParam("client_id", oauth2Config.ClientID), + // oauth2.SetAuthURLParam("client_secret", oauth2Config.ClientSecret), + ); err != nil { log.Println("Unable to exchange authorization code for tokens") - writeErr(res, err, "unable to exchange authorization code for tokens", http.StatusInternalServerError) + log.Println(err) + writeErr(w, err, "unable to exchange authorization code for tokens", http.StatusInternalServerError) return } // Extract the ID Token from OAuth2 token. if idTokenRaw, ok = token.Extra("id_token").(string); !ok { log.Println("missing id token") - writeErr(res, nil, "missing id token", http.StatusInternalServerError) + writeErr(w, nil, "missing id token", http.StatusInternalServerError) return } // Parse and verify ID Token payload. - if idToken, err = verifier.Verify(req.Context(), idTokenRaw); err != nil { + if idToken, err = verifier.Verify(r.Context(), idTokenRaw); err != nil { log.Printf("unable to verify id token or token is invalid: %+v", idTokenRaw) - writeErr(res, err, "unable to verify id token or token is invalid", http.StatusInternalServerError) + writeErr(w, err, "unable to verify id token or token is invalid", http.StatusInternalServerError) return } @@ -172,15 +188,15 @@ func oauthCallbackHandler(res http.ResponseWriter, req *http.Request) { if err = idToken.Claims(&claimsIDToken); err != nil { log.Printf("unable to decode id token claims: %+v", &claimsIDToken) - writeErr(res, err, "unable to decode id token claims", http.StatusInternalServerError) + writeErr(w, err, "unable to decode id token claims", http.StatusInternalServerError) return } var userinfo *oidc.UserInfo - if userinfo, err = provider.UserInfo(req.Context(), oauth2.StaticTokenSource(token)); err != nil { + if userinfo, err = provider.UserInfo(r.Context(), oauth2.StaticTokenSource(token)); err != nil { log.Printf("unable to retreive userinfo claims") - writeErr(res, err, "unable to retrieve userinfo claims", http.StatusInternalServerError) + writeErr(w, err, "unable to retrieve userinfo claims", http.StatusInternalServerError) return } @@ -188,15 +204,15 @@ func oauthCallbackHandler(res http.ResponseWriter, req *http.Request) { if err = userinfo.Claims(&claimsUserInfo); err != nil { log.Printf("unable to decode userinfo claims") - writeErr(res, err, "unable to decode userinfo claims", http.StatusInternalServerError) + writeErr(w, err, "unable to decode userinfo claims", http.StatusInternalServerError) return } var session *sessions.Session - if session, err = globalState.sessions.Get(req, options.CookieName); err != nil { + if session, err = globalState.sessions.Get(r, options.CookieName); err != nil { log.Printf("unable to get session from cookie") - writeErr(res, err, "unable to get session from cookie", http.StatusInternalServerError) + writeErr(w, err, "unable to get session from cookie", http.StatusInternalServerError) return } @@ -204,11 +220,11 @@ func oauthCallbackHandler(res http.ResponseWriter, req *http.Request) { session.Values["userinfo"] = claimsUserInfo session.Values["logged"] = true rawTokens[claimsIDToken.JWTIdentifier] = idTokenRaw - acURLs[claimsIDToken.JWTIdentifier] = req.URL + acURLs[claimsIDToken.JWTIdentifier] = r.URL - if err = session.Save(req, res); err != nil { + if err = session.Save(r, w); err != nil { log.Printf("unable to save session") - writeErr(res, err, "unable to save session", http.StatusInternalServerError) + writeErr(w, err, "unable to save session", http.StatusInternalServerError) return } @@ -216,11 +232,11 @@ func oauthCallbackHandler(res http.ResponseWriter, req *http.Request) { if redirectUrl, ok = session.Values["redirect-url"].(string); ok { log.Printf("all fine!") - http.Redirect(res, req, redirectUrl, http.StatusFound) + http.Redirect(w, r, redirectUrl, http.StatusFound) return } - http.Redirect(res, req, "/", http.StatusFound) + http.Redirect(w, r, "/", http.StatusFound) } func writeErr(w http.ResponseWriter, err error, msg string, statusCode int) { diff --git a/nix/templates/goapp/frontend/src/init.go b/nix/templates/goapp/frontend/src/init.go index 97e58f0..75fd87d 100644 --- a/nix/templates/goapp/frontend/src/init.go +++ b/nix/templates/goapp/frontend/src/init.go @@ -2,8 +2,10 @@ package main import ( "context" + // "crypto/tls" "fmt" "log" + // "net/http" "net/url" "os" "strings" @@ -32,12 +34,17 @@ func dbInit() { func sessionInit() { log.Println("[i] Setting up Session Storage...") + session_key, err := os.ReadFile(options.SessionKeyPath) + if err != nil { + log.Println("Could not read Session key") + panic(err) + } store, err := NewSqliteStore( sessiondbPath, "sessions", "/", 3600, - []byte(os.Getenv("SESSION_KEY"))) + session_key) if err != nil { panic(err) } @@ -60,17 +67,29 @@ func oauth2Init() (err error) { } verifier = provider.Verifier(&oidc.Config{ClientID: options.ClientID}) + + clientSecretBytes, err := os.ReadFile(options.ClientSecretPath) + if err != nil { + panic(err) + } + clientSecret := strings.TrimSpace(string(clientSecretBytes)) + log.Printf("[ ] ClientID: %s", options.ClientID) - log.Printf("[ ] ClientSecret: %s", options.ClientSecret) + log.Printf("[ ] ClientSecret: %s", clientSecret) log.Printf("[ ] redirectURL: %s", redirectURL.String()) log.Printf("[ ] providerEndpoint: %+v", provider.Endpoint()) log.Printf("[ ] Scopes: %s", options.Scopes) + log.Printf("[ ] Endpoint: %+v", provider.Endpoint()) + oauth2Config = oauth2.Config{ ClientID: options.ClientID, - ClientSecret: options.ClientSecret, + ClientSecret: clientSecret, RedirectURL: redirectURL.String(), Endpoint: provider.Endpoint(), Scopes: strings.Split(options.Scopes, ","), } + + oauth2Config.Endpoint.AuthStyle = oauth2.AuthStyleInParams + return nil } diff --git a/nix/templates/goapp/frontend/src/main.go b/nix/templates/goapp/frontend/src/main.go index fcf4224..72ec7ee 100644 --- a/nix/templates/goapp/frontend/src/main.go +++ b/nix/templates/goapp/frontend/src/main.go @@ -38,18 +38,21 @@ func main() { rootCmd := &cobra.Command{Use: "goapp", RunE: root} - rootCmd.Flags().StringVar(&options.Host, "host", "0.0.0.0", "Specifies the tcp host to listen on") + rootCmd.Flags().StringVar(&options.Host, "host", "127.0.0.1", "Specifies the tcp host to listen on") rootCmd.Flags().IntVar(&options.Port, "port", 8080, "Specifies the port to listen on") rootCmd.Flags().StringVar(&options.PublicURL, "public-url", "http://localhost:8080/", "Specifies the root URL to generate the redirect URI") rootCmd.Flags().StringVar(&options.ClientID, "id", "", "Specifies the OpenID Connect Client ID") - rootCmd.Flags().StringVarP(&options.ClientSecret, "secret", "s", "", "Specifies the OpenID Connect Client Secret") + rootCmd.Flags().StringVarP(&options.ClientSecretPath, "oidc-secret-path", "s", "", "Specifies the OpenID Connect Client Secret path") rootCmd.Flags().StringVarP(&options.Issuer, "issuer", "i", "", "Specifies the URL for the OpenID Connect OP") rootCmd.Flags().StringVar(&options.Scopes, "scopes", "openid,profile,email,groups", "Specifies the OpenID Connect scopes to request") rootCmd.Flags().StringVar(&options.CookieName, "cookie-name", "oidc-client", "Specifies the storage cookie name to use") rootCmd.Flags().StringSliceVar(&options.Filters, "filters", []string{}, "If specified filters the specified text from html output (not json) out of the email addresses, display names, audience, etc") rootCmd.Flags().StringSliceVar(&options.GroupsFilter, "groups-filter", []string{}, "If specified only shows the groups in this list") - rootCmd.Flags().StringVar(&options.LogFilePath, "logpath", "./server.log", "Specifies the path to store the server logs at") + rootCmd.Flags().StringVar(&options.LogFilePath, "logfilepath", "./server.log", "Specifies the path to store the server logs at") rootCmd.Flags().StringVar(&options.TemplatesPath, "templatespath", "./templates", "Specifies the path to where the templates are stored") + rootCmd.Flags().StringVar(&options.DatabasePath, "databasepath", "./main.db", "Specifies the path to where the database is stored") + rootCmd.Flags().StringVar(&options.SessionDBPath, "sessiondbpath", "./sessions.db", "Specifies the path to where the session database is stored") + rootCmd.Flags().StringVar(&options.SessionKeyPath, "sessionkeypath", "", "Specifies the path to where the session key is stored") _ = rootCmd.MarkFlagRequired("id") _ = rootCmd.MarkFlagRequired("secret") diff --git a/nix/templates/goapp/frontend/src/types.go b/nix/templates/goapp/frontend/src/types.go index 7efcc70..97e0db5 100644 --- a/nix/templates/goapp/frontend/src/types.go +++ b/nix/templates/goapp/frontend/src/types.go @@ -50,16 +50,19 @@ type ClamsAddress struct { } type Options struct { - Host string - Port int - LogFilePath string - TemplatesPath string - ClientID string - ClientSecret string - Issuer string - PublicURL string - Scopes string - CookieName string - Filters []string - GroupsFilter []string + ClientID string + ClientSecretPath string + CookieName string + DatabasePath string + Filters []string + GroupsFilter []string + Host string + Issuer string + LogFilePath string + Port int + PublicURL string + Scopes string + SessionDBPath string + SessionKeyPath string + TemplatesPath string } diff --git a/nix/templates/goapp/frontend/templates/index.html b/nix/templates/goapp/frontend/templates/index.html index 1d21f3d..e4693af 100644 --- a/nix/templates/goapp/frontend/templates/index.html +++ b/nix/templates/goapp/frontend/templates/index.html @@ -5,6 +5,8 @@ <h1>goapp</h1> +{{ . }} + {{- if .LoggedIn }} <p id="welcome">Logged in as {{ or .Claims.UserInfo.PreferredUsername .Claims.IDToken.Subject "unknown" }}!</p> <p><a href="/logout" id="log-out">Log out</a></p> |