From 4100097801550fe86399453b7922875015f34ff9 Mon Sep 17 00:00:00 2001
From: Emile
Date: Sat, 22 Feb 2025 22:44:31 +0100
Subject: goapp frontend now works on corrino
added an overlay (which took quite some time, as I forgot to include the self parameter in the argument list...) that allows using the goapp on corrino. So now you can... ... use the template ... see the package status after it has been built using hydra ... build the package from the packages exposed by the flake ... use the package on machines including it using an overlay I'm actually quite satisfied with this and hope people find this helpful
---
 nix/hosts/corrino/configuration.nix | 4 +-
 nix/hosts/corrino/ports.nix | 1 +
 nix/hosts/corrino/secrets/goapp_oidc_secret.age | Bin 0 -> 395 bytes
 nix/hosts/corrino/vm.nix | 15 ++++-
 nix/hosts/corrino/www/goapp.emile.space.nix | 78 ++++++++++++++++++++++
 nix/hosts/corrino/www/templates/goapp/default.nix | 30 ---------
 6 files changed, 96 insertions(+), 32 deletions(-)
 create mode 100644 nix/hosts/corrino/secrets/goapp_oidc_secret.age
 create mode 100644 nix/hosts/corrino/www/goapp.emile.space.nix
 delete mode 100644 nix/hosts/corrino/www/templates/goapp/default.nix
(limited to 'nix/hosts/corrino')
diff --git a/nix/hosts/corrino/configuration.nix b/nix/hosts/corrino/configuration.nix
index d453b34..52e9ecf 100644
--- a/nix/hosts/corrino/configuration.nix
+++ b/nix/hosts/corrino/configuration.nix
@@ -27,6 +27,8 @@ in ./www/git ./www/nix-cache + ./www/goapp.emile.space.nix + # screego # web
@@ -42,7 +44,7 @@ in ./www/photo
- # ./www/tickets.emile.space.nix
+ ./www/tickets.emile.space.nix
 # ./www/talks.emile.space.nix # ./www/stream.emile.space.nix ./www/md.emile.space.nix
diff --git a/nix/hosts/corrino/ports.nix b/nix/hosts/corrino/ports.nix
index 10ae593..bb64934 100644
--- a/nix/hosts/corrino/ports.nix
+++ b/nix/hosts/corrino/ports.nix
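Review bot: The second hunk of configuration.nix turns `# ./www/tickets.emile.space.nix` into `./www/tickets.emile.space.nix`, which enables a vhost the commit message never mentions; it changes what corrino serves publicly and should be named in the message or split into its own commit. If it is deliberate, a one-line comment next to the import recording why tickets is enabled now would keep the import list self-explanatory. The surrounding import list starts and ends outside both hunks.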
@@ -24,6 +24,7 @@
 restic = 8002;
 nocodb = 8003;
 goatcounter = 8004;
+ goapp = 8005;
 r2wars-web = 8089;
 ctf = 8338;
 magic-hash = 8339;
diff --git a/nix/hosts/corrino/secrets/goapp_oidc_secret.age b/nix/hosts/corrino/secrets/goapp_oidc_secret.age
new file mode 100644
index 0000000..a842003
Binary files /dev/null and b/nix/hosts/corrino/secrets/goapp_oidc_secret.age differ
diff --git a/nix/hosts/corrino/vm.nix b/nix/hosts/corrino/vm.nix
index 37d1356..78d818f 100644
--- a/nix/hosts/corrino/vm.nix
+++ b/nix/hosts/corrino/vm.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ pkgs, ... }:
 { services.emile.libvirtnix = {
@@ -15,6 +15,19 @@ uuid = "E34DE478-1402-45BB-B3FD-FC960549258E"; genid = "CA1E2462-1E9D-404C-8DDB-19EEF9D9651B";
+ os = {
+ nvram = {
+ type = "network";
+ source = {
+ mirror = {
+ abi = "copy";
+ ready = "yes";
+ type = "network";
+ };
+ };
+ };
+ };
+
 packages = { libvirt = pkgs.libvirt; qemu = pkgs.qemu;
diff --git a/nix/hosts/corrino/www/goapp.emile.space.nix b/nix/hosts/corrino/www/goapp.emile.space.nix
new file mode 100644
index 0000000..4a486aa
--- /dev/null
+++ b/nix/hosts/corrino/www/goapp.emile.space.nix
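Review bot: The new entry `goapp = 8005;` is not referenced by anything in this change: the nginx `proxyPass` in goapp.emile.space.nix reads `config.services.emile.goapp-frontend.port`, and the commented-out service block in that file reads `config.emile.ports.goapp-frontend`, a key that does not exist after this hunk. Either rename the entry to `goapp-frontend = 8005;` or point the service block at `config.emile.ports.goapp`, so the frontend and the proxy agree on one port once that block is enabled. The enclosing attribute set starts and ends outside the hunk.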
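Review bot: The `os.nvram` block added to `services.emile.libvirtnix` is not mentioned in the commit message and has nothing to do with the goapp frontend, and it carries no comment explaining why the VM's NVRAM is given a `type = "network"` source with a `mirror` child. The keys `abi` and `ready` read like libvirt domain-XML attributes rather than module options, so whether `libvirtnix` accepts and emits them is not visible from this hunk; a why-comment above `os = {` naming the intent, or moving the change to its own commit, would let a reviewer check it. The preceding `@@ -1,4 +1,4 @@` hunk of the same file is a whitespace-only change to `{ pkgs, ... }:`. The enclosing attribute set continues outside the hunk.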
@@ -0,0 +1,78 @@
+{ config, pkgs, ... }:
+
+{
+ services.nginx.virtualHosts."goapp.emile.space" = {
+ forceSSL = true;
+ enableACME = true;
+
+ locations = {
+ "/" = {
+ proxyPass = "http://${config.services.emile.goapp-frontend.host}:${toString config.services.emile.goapp-frontend.port}";
+ };
+ };
+ };
+
+ services.authelia.instances.main.settings.identity_providers.oidc.clients = [
+ {
+ id = "goapp";
+
+ # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+ secret = "$pbkdf2-sha512$310000$/Ht5DUFmIeu/7Ty2PWHXnw$.uJIN1vmZMyGjCAoA0PzUcVaTMIH36AK80KvOZAHVXgLr1Y9ZOrRjoiwK.srHAO29mrcw1BNpCjFTYdWOoympg";
+ public = false;
+ authorization_policy = "two_factor";
+ redirect_uris = [
+ # "http://localhost:8080/oauth2/callback"
+ "https://goapp.emile.space/oauth2/callback"
+ ];
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ "groups"
+ ];
+ grant_types = [
+ "refresh_token"
+ "authorization_code"
+ ];
+ response_types = [ "code" ];
+ response_modes = [
+ "form_post"
+ "query"
+ "fragment"
+ ];
+ token_endpoint_auth_method = "client_secret_post";
+ }
+ ];
+
+ environment.systemPackages = with pkgs; [ goapp-frontend ];
+
+ # deploy:
+ # - push code
+ # - build in order to get the new hash (nix build .#goapp-frontend-pkg)
+ # - update hash in the package (//nix/templates/goapp/frontent/default.nix)
+ # - deploy
+
+ # services.emile.goapp-frontend = {
+ # enable = true;
+ # package = pkgs.goapp-frontend;
+
+ # host = "127.0.0.1";
+ # port = config.emile.ports.goapp-frontend;
+ # public-url = "https://goapp-frontend.emile.space/";
+
+ # oidc = {
+ # id = "goapp-frontend";
+ # issuer = "https://sso.emile.space";
+ # cookie-name = "oidc-client";
+ # scopes = [ "openid" "profile" "email" "groups" ];
+ # secret-path = "/run/goapp-frontend_oidc_secret";
+ # };
+
+ # # TODO(emile): change these when going live
+ # session-key-path = config.age.secrets.goapp-frontend_oidc_secret.path;
+
+ # logfile-path = "/var/log/goapp-frontend.log";
+ # database-path = "/var/lib/goapp-frontend/main.db";
+ # sessiondb-path = "/var/lib/goapp-frontend/session.db";
+ # };
+}
diff --git a/nix/hosts/corrino/www/templates/goapp/default.nix b/nix/hosts/corrino/www/templates/goapp/default.nix
deleted file mode 100644
index 716d6ab..0000000
--- a/nix/hosts/corrino/www/templates/goapp/default.nix
+++ /dev/null
@@ -1,30 +0,0 @@
-
-{
- services.authelia.instances.main.settings.identity_providers.oidc.clients = [
- {
- id = "goapp";
-
- # ; nix run nixpkgs#authelia -- crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
- secret = "$pbkdf2-sha512$310000$WUai4pp1ZVJDrJ8j6ICLiQ$NOMMaCZ3gt.x.a09MWatMkJWQIaH0QeWgRXSbuD2iWRwR.N6MWmJA6QO.LIKcxn6l.zHZN4bO1Ztsrbo9010Tw";
- public = false;
- authorization_policy = "two_factor";
- redirect_uris = [ "https://127.0.0.1:8080/auth/oauth2/callback" ];
- scopes = [
- "openid"
- "email"
- "profile"
- ];
- grant_types = [
- "refresh_token"
- "authorization_code"
- ];
- response_types = [ "code" ];
- response_modes = [
- "form_post"
- "query"
- "fragment"
- ];
- token_endpoint_auth_method = "client_secret_post";
- }
- ];
-}
-- 
cgit 1.4.1
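Review bot: The nginx `proxyPass` for `"/"` reads `config.services.emile.goapp-frontend.host` and `.port`, but the `services.emile.goapp-frontend = { enable = true; ... }` block that would set them and start the backend is entirely commented out, so unless the module declares defaults for those options the vhost is proxying to an unset or never-started service; the commit title's "now works" does not match this file as committed. The commented block also disagrees with the Authelia client registered above it: Authelia knows the client as `id = "goapp"` with redirect URI `https://goapp.emile.space/oauth2/callback`, while the block uses `id = "goapp-frontend";` and `public-url = "https://goapp-frontend.emile.space/";`, and it reads `config.age.secrets.goapp-frontend_oidc_secret` although the file added is `secrets/goapp_oidc_secret.age` and no `age.secrets` entry appears anywhere in the diff. With those values the authorization-code flow is refused at the client-id / redirect_uri check the moment the block is enabled, so align them first, e.g. `id = "goapp";` and `public-url = "https://goapp.emile.space/";`. `session-key-path` pointing at the OIDC client secret also means one piece of key material serves both as the client credential and as the session signing key; the TODO acknowledges this, and a separate session key should exist before this goes live.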