From dfe03458882a0cec5a206453e6a9b53b82530456 Mon Sep 17 00:00:00 2001
From: oddlama
Date: Tue, 12 Mar 2024 19:40:09 +0100
Subject: [PATCH] feat: move some services to other domain
---
 hosts/sentinel/net.nix | 2 +-
 hosts/sentinel/oauth2.nix | 4 ++--
 hosts/sentinel/secrets/local.nix.age | Bin 837 -> 742 bytes
 hosts/sire/guests/grafana.nix | 4 ++--
 hosts/sire/guests/immich.nix | 5 +----
 hosts/sire/guests/influxdb.nix | 2 +-
 hosts/sire/guests/loki.nix | 2 +-
 hosts/sire/guests/paperless.nix | 2 +-
 hosts/ward/guests/adguardhome.nix | 7 +++----
 hosts/ward/guests/forgejo.nix | 3 +--
 hosts/ward/guests/kanidm.nix | 23 ++++++++++++++---------
 hosts/ward/guests/radicale.nix | 9 ++------
 hosts/ward/guests/vaultwarden.nix | 4 +---
 hosts/zackbiene/home-assistant.nix | 2 +-
 secrets/global.nix.age | Bin 2262 -> 2340 bytes
 15 files changed, 31 insertions(+), 38 deletions(-)
diff --git a/hosts/sentinel/net.nix b/hosts/sentinel/net.nix
index 5ba010b..006beda 100644
--- a/hosts/sentinel/net.nix
+++ b/hosts/sentinel/net.nix
@@ -1,6 +1,6 @@
 {config, ...}: {
 networking.hostId = config.repo.secrets.local.networking.hostId;
- networking.domain = config.repo.secrets.local.personalDomain;
+ networking.domain = config.repo.secrets.global.domains.me;
 # Forwarding required for forgejo 9922->22
 boot.kernel.sysctl."net.ipv4.ip_forward" = 1;
diff --git a/hosts/sentinel/oauth2.nix b/hosts/sentinel/oauth2.nix
index 3fc580e..7e80012 100644
--- a/hosts/sentinel/oauth2.nix
+++ b/hosts/sentinel/oauth2.nix
@@ -5,8 +5,8 @@
 }: {
 meta.oauth2_proxy = {
 enable = true;
- cookieDomain = config.repo.secrets.local.personalDomain;
- portalDomain = "oauth2.${config.repo.secrets.local.personalDomain}";
+ cookieDomain = config.repo.secrets.global.domains.me;
+ portalDomain = "oauth2.${config.repo.secrets.global.domains.me}";
 # TODO portal redirect to dashboard (in case someone clicks on kanidm "Web services")
 };
diff --git a/hosts/sentinel/secrets/local.nix.age b/hosts/sentinel/secrets/local.nix.age index 5575df7a066720751a0458daadb225feeb115e6a..e6ade60b020527990b7f354916d9e0781d9ac088 100644 GIT binary patch delta 722 zcmV;@0xkW;2Id8jAb&}EFIri8Pjf;wPfl7?R5D?DPdG?pW_EW)WK%eLYFTzNVJl~3 zQ(-nzcM3C7c2h()YH>74OIS}=ZD&SlOiM6NXIg7^a$-_ZT1;_lS!ZchO=);RSqd#a zAaH4REpRe5HXwL$Q)M_&AVD-jS206zMORHvWJhaBYDsZ+Sbs`#dP6ldLPB9hVs2=8 zcV}cVRY5stQDzEkQem(&KU3_4bZszV+)w+i86(`gG4Aq|-0 z&kG~s2}?A#hZevuGteX!7D=aLHG@?EK4*aQDbAZ@e%u-k z@Pw#&K?;dljszLuyiU;1-|U~BZEu!*gqRk_8B20ln9Yc~HdG|Pel-}}{r$~?QffZ? zmY{lQm9v#gk4a^~WaNFDPV*0-dRp=0ADZE!Wng8d-GLUwVtz};&|M2??=hFh$>_a# EMo2j+ZU6uP delta 818 zcmV-21I_&A1;qxCAb(XNLUC0&HaB=fNLe{JWpZ>v zQ&?0(a|%d7M`~b7de{J|KNwAS7pFL_#1dX<>2-dN@aLba^y6Q$tQ@PAg9_ zK{ZixFi%lQDiGYRYh?~H*ipD zS7>l=Hc&573N0-yATLx{SWsv%Ls~O3?Dp$ z(j3q>H2;-T^=xcdETeEWCvJM`uQw%JnHS)qMHd8M1Kv1T`TsFi;lQk4%85eRt)ZKg zQTi5)2Y;1C83s}-)BcsR=ru3!BQPl+cnmLtR!k>;ONoSwDuYD-`vhMz((j?0C|yW^ zUn`$jCd_26=q-O8l=!JyE4<`c zp8EioJWemsDU-!fBV(K#+iX}=JGJ^$;2Z$;v47+r;S^xh)IAs5P}Oi{bEK*mz>z^@JvHZ&!yQneyQU?v^FZhHd410x&ih3(NtAOHXW diff --git a/hosts/sire/guests/grafana.nix b/hosts/sire/guests/grafana.nix index 8237c07..9a2f5ab 100644 --- a/hosts/sire/guests/grafana.nix +++ b/hosts/sire/guests/grafana.nix @@ -4,7 +4,7 @@ ... }: let sentinelCfg = nodes.sentinel.config; - grafanaDomain = "grafana.${sentinelCfg.repo.secrets.local.personalDomain}"; + grafanaDomain = "grafana.${config.repo.secrets.global.domains.me}"; in { meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.grafana.settings.server.http_port]; 
@@ -124,7 +124,7 @@ in {
 use_pkce = true;
 # Allow mapping oauth2 roles to server admin
 allow_assign_grafana_admin = true;
- role_attribute_path = "contains(scopes[*], 'server_admin') && 'GrafanaAdmin' || contains(scopes[*], 'admin') && 'Admin' || contains(scopes[*], 'editor') && 'Editor' || 'Viewer'";
+ role_attribute_path = "contains(groups[*], 'server_admin') && 'GrafanaAdmin' || contains(groups[*], 'admin') && 'Admin' || contains(groups[*], 'editor') && 'Editor' || 'Viewer'";
 };
 };
diff --git a/hosts/sire/guests/immich.nix b/hosts/sire/guests/immich.nix
index d9dbe8d..5ccf41c 100644
--- a/hosts/sire/guests/immich.nix
+++ b/hosts/sire/guests/immich.nix
@@ -5,7 +5,7 @@
 ...
 }: let
 sentinelCfg = nodes.sentinel.config;
- immichDomain = "immich.${sentinelCfg.repo.secrets.local.personalDomain}";
+ immichDomain = "immich.${config.repo.secrets.global.domains.me}";
 ipImmichMachineLearning = "10.89.0.10";
 ipImmichMicroservices = "10.89.0.11";
@@ -74,9 +74,6 @@
 lightStyle = "";
 };
 newVersionCheck.enabled = true;
- # XXX: Immich's oauth cannot use PKCE and uses legacy crypto so we need to run:
- # kanidm system oauth2 warning-insecure-client-disable-pkce immich
- # kanidm system oauth2 warning-enable-legacy-crypto immich
 oauth = rec {
 enabled = true;
 autoLaunch = false;
diff --git a/hosts/sire/guests/influxdb.nix b/hosts/sire/guests/influxdb.nix
index 1355d5b..f241b71 100644
--- a/hosts/sire/guests/influxdb.nix
+++ b/hosts/sire/guests/influxdb.nix
@@ -6,7 +6,7 @@
 ...
 }: let
 sentinelCfg = nodes.sentinel.config;
- influxdbDomain = "influxdb.${sentinelCfg.repo.secrets.local.personalDomain}";
+ influxdbDomain = "influxdb.${config.repo.secrets.global.domains.me}";
 influxdbPort = 8086;
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [influxdbPort];
diff --git a/hosts/sire/guests/loki.nix b/hosts/sire/guests/loki.nix
index 3935f89..542d779 100644
--- a/hosts/sire/guests/loki.nix
+++ b/hosts/sire/guests/loki.nix
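Review bot: The new `role_attribute_path` in grafana.nix reads a `groups` claim whose existence depends entirely on the grafana client in hosts/ward/guests/kanidm.nix emitting it through `claimMaps.groups` (changed in this same patch), and nothing on this line records that coupling. A comment such as `# 'groups' is the custom claim produced by kanidm's claimMaps.groups for this client; anything unmatched falls through to 'Viewer'` would make both the dependency and the fail-closed default explicit for the next person who renames a group. The enclosing `settings` attrset starts and ends outside the hunk.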
@@ -4,7 +4,7 @@
 ...
 }: let
 sentinelCfg = nodes.sentinel.config;
- lokiDomain = "loki.${sentinelCfg.repo.secrets.local.personalDomain}";
+ lokiDomain = "loki.${config.repo.secrets.global.domains.me}";
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.loki.configuration.server.http_listen_port];
diff --git a/hosts/sire/guests/paperless.nix b/hosts/sire/guests/paperless.nix
index a221916..cc96bb9 100644
--- a/hosts/sire/guests/paperless.nix
+++ b/hosts/sire/guests/paperless.nix
@@ -5,7 +5,7 @@
 ...
 }: let
 sentinelCfg = nodes.sentinel.config;
- paperlessDomain = "paperless.${sentinelCfg.repo.secrets.local.personalDomain}";
+ paperlessDomain = "paperless.${config.repo.secrets.global.domains.me}";
 paperlessBackupDir = "/var/cache/paperless-backup";
 in {
 microvm.mem = 1024 * 9;
diff --git a/hosts/ward/guests/adguardhome.nix b/hosts/ward/guests/adguardhome.nix
index 6750e94..8da43d9 100644
--- a/hosts/ward/guests/adguardhome.nix
+++ b/hosts/ward/guests/adguardhome.nix
@@ -5,8 +5,7 @@
 pkgs,
 ...
 }: let
- sentinelCfg = nodes.sentinel.config;
- adguardhomeDomain = "adguardhome.${sentinelCfg.repo.secrets.local.personalDomain}";
+ adguardhomeDomain = "adguardhome.${config.repo.secrets.global.domains.me}";
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [config.services.adguardhome.settings.bind_port];
@@ -81,8 +80,8 @@ in {
 # wireguard address for influxdb
 rewrites = [
 {
- domain = sentinelCfg.networking.providedDomains.influxdb;
- answer = sentinelCfg.repo.secrets.local.personalDomain;
+ domain = nodes.sentinel.config.networking.providedDomains.influxdb;
+ answer = config.repo.secrets.global.domains.me;
 }
 ];
 filters = [
diff --git a/hosts/ward/guests/forgejo.nix b/hosts/ward/guests/forgejo.nix
index 467abf2..8d89481 100644
--- a/hosts/ward/guests/forgejo.nix
+++ b/hosts/ward/guests/forgejo.nix
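Review bot: The second adguardhome.nix hunk now spells out `nodes.sentinel.config.networking.providedDomains.influxdb` inline because the first hunk dropped the `sentinelCfg` binding, while every other guest touched by this commit (grafana, influxdb, loki, forgejo, kanidm, home-assistant) keeps `sentinelCfg = nodes.sentinel.config;` and reads sentinel values through it. Keeping that binding in the `let` block and writing `domain = sentinelCfg.networking.providedDomains.influxdb;` would keep the file consistent with its siblings; this is a style point only, the evaluated value is the same. The `rewrites` list sits inside an attrset that starts and ends outside the hunk.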
@@ -6,8 +6,7 @@
 ...
 }: let
 sentinelCfg = nodes.sentinel.config;
- # XXX: other domain on other proxy?
- forgejoDomain = "git.${sentinelCfg.repo.secrets.local.personalDomain}";
+ forgejoDomain = "git.${config.repo.secrets.global.domains.me}";
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [
 config.services.forgejo.settings.server.HTTP_PORT
diff --git a/hosts/ward/guests/kanidm.nix b/hosts/ward/guests/kanidm.nix
index e9666cb..e319c30 100644
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@@ -3,9 +3,9 @@
 nodes,
 ...
 }: let
- inherit (sentinelCfg.repo.secrets.local) personalDomain;
+ inherit (config.repo.secrets.global) domains;
 sentinelCfg = nodes.sentinel.config;
- kanidmDomain = "auth.${personalDomain}";
+ kanidmDomain = "auth.${domains.me}";
 kanidmPort = 8300;
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [kanidmPort];
@@ -122,24 +122,29 @@ in {
 displayName = "Immich";
 originUrl = "https://${sentinelCfg.networking.providedDomains.immich}/";
 basicSecretFile = config.age.secrets.kanidm-oauth2-immich.path;
+ preferShortUsername = true;
+ # XXX: PKCE is currently not supported by immich
+ allowInsecureClientDisablePkce = true;
 scopeMaps."immich.access" = ["openid" "email" "profile"];
 };
 # Grafana
 groups."grafana.access" = {};
- groups."grafana.admins" = {};
 groups."grafana.editors" = {};
+ groups."grafana.admins" = {};
 groups."grafana.server-admins" = {};
 systems.oauth2.grafana = {
 displayName = "Grafana";
 originUrl = "https://${sentinelCfg.networking.providedDomains.grafana}/";
 basicSecretFile = config.age.secrets.kanidm-oauth2-grafana.path;
 scopeMaps."grafana.access" = ["openid" "email" "profile"];
- # FIXME: use new group claims k thx
- supplementaryScopeMaps = {
- "grafana.admins" = ["admin"];
- "grafana.editors" = ["editor"];
- "grafana.server-admins" = ["server_admin"];
+ claimMaps.groups = {
+ joinType = "array";
+ valuesByGroup = {
+ "grafana.editors" = ["editor"];
+ "grafana.admins" = ["admin"];
+ "grafana.server-admins" = ["server_admin"];
+ };
 };
 };
@@ -167,7 +172,7 @@ in {
 groups."web-sentinel.influxdb" = {};
 systems.oauth2.web-sentinel = {
 displayName = "Web Sentinel";
- originUrl = "https://oauth2.${personalDomain}/";
+ originUrl = "https://oauth2.${domains.me}/";
 basicSecretFile = config.age.secrets.kanidm-oauth2-web-sentinel.path;
 scopeMaps."web-sentinel.access" = ["openid" "email"];
 claimMaps.groups = {
diff --git a/hosts/ward/guests/radicale.nix b/hosts/ward/guests/radicale.nix
index 8e4afa9..bb66532 100644
--- a/hosts/ward/guests/radicale.nix
+++ b/hosts/ward/guests/radicale.nix
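Review bot: The immich client in the kanidm.nix hunk declares only `allowInsecureClientDisablePkce = true`, but the comment this same commit removes from hosts/sire/guests/immich.nix listed two manual relaxations, the PKCE one and `kanidm system oauth2 warning-enable-legacy-crypto immich`; the second is not reflected anywhere in the new declarative config. If Immich still needs legacy crypto, that requirement is now undocumented and presumably applied out of band, where a redeploy of the declarative state could silently revert it; if it is no longer needed, that should be stated. I would extend the new comment to `# XXX: PKCE is currently not supported by immich; legacy crypto is no longer required / is still enabled manually via kanidm CLI (pick one)` so the security posture of this client is recorded next to the setting that weakens it. The `systems.oauth2.immich` attrset starts outside the hunk.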
@@ -1,10 +1,5 @@
-{
- config,
- nodes,
- ...
-}: let
- sentinelCfg = nodes.sentinel.config;
- radicaleDomain = "radicale.${sentinelCfg.repo.secrets.local.personalDomain}";
+{config, ...}: let
+ radicaleDomain = "radicale.${config.repo.secrets.global.domains.personal}";
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [
 8000
diff --git a/hosts/ward/guests/vaultwarden.nix b/hosts/ward/guests/vaultwarden.nix
index 15706c8..a1f40d5 100644
--- a/hosts/ward/guests/vaultwarden.nix
+++ b/hosts/ward/guests/vaultwarden.nix
@@ -1,11 +1,9 @@
 {
 config,
 lib,
- nodes,
 ...
 }: let
- sentinelCfg = nodes.sentinel.config;
- vaultwardenDomain = "pw.${sentinelCfg.repo.secrets.local.personalDomain}";
+ vaultwardenDomain = "pw.${config.repo.secrets.global.domains.personal}";
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [
 config.services.vaultwarden.config.rocketPort
diff --git a/hosts/zackbiene/home-assistant.nix b/hosts/zackbiene/home-assistant.nix
index 3faeca5..f61ca0b 100644
--- a/hosts/zackbiene/home-assistant.nix
+++ b/hosts/zackbiene/home-assistant.nix
@@ -5,7 +5,7 @@
 ...
 }: let
 sentinelCfg = nodes.sentinel.config;
- homeDomain = "home.${sentinelCfg.repo.secrets.local.personalDomain}";
+ homeDomain = "home.${sentinelCfg.repo.secrets.global.domains.personal}";
 in {
 meta.wireguard-proxy.sentinel.allowedTCPPorts = [80];
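Review bot: In the home-assistant.nix hunk the new domain is read as `sentinelCfg.repo.secrets.global.domains.personal`, i.e. through the sentinel node's evaluated config, whereas radicale.nix and vaultwarden.nix in this same commit (and every other guest switched to `domains.me`) read the global secret from the local host as `config.repo.secrets.global...`. Both presumably evaluate to the same value since the secret is global, but the indirection keeps an unnecessary cross-node evaluation dependency for a value that is not sentinel-specific. `homeDomain = "home.${config.repo.secrets.global.domains.personal}";` would match the other files. The `let` block continues outside the hunk.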
diff --git a/secrets/global.nix.age b/secrets/global.nix.age index fad7907964da2e9762bc2a39bc85e96a2720a31f..ac37e4535dbb7f80677e022482010513c9b6117a 100644 GIT binary patch delta 2332 zcmV+%3FG$G5u_53A%8DoGD}iocx)?DZelPvHezNlZfJINFiBTwbyak3FGoXjHD^y( zQgK#Q3TAdhD`+?{MR_q|Vp4QuX>>15YiKiWNqSXiD=}p=H&82VLo0PuOfg1T3N1b$ zaA|fea56PEAb4?8WjIkFK{#hGNNPetOLawRP%uVOWHl>PLw_(WcsXfO&S zEbQ6RR^o0xd-bq*KjBA|7^&Uzs`>B*(}=wN*TA%II>)5P7<%H8jQ4vm0BkEtpt3b& zV+j{!w7=fik!-40AkJ3>v~Qz2gH?;F%zY}JM%U6YOTagh`3T+bc`p#z3G?$AQX?1t z!FvI02Y-Pwy$RnCvKwPW7`Sql3~b~-;VQ9b%(iOUadiKOY^OSFnmwn|vS8ceYqt44U+3yoilmHa>i-uz>5-|;g;d8T(%`nCQ^_CR+Yjn~(s znAgwzp93@{>UkhIjRgaYy2}rMV4{fx&ST{ zVSi-{R9V#Jzf@}V?9(@3az?$3_p<^n*7&pSHZQ%#mWeI*h6n;I#*Oz3uFql@h8t@G zZPZka8-v3lPshPz;^ZdXv6%YI8H^iCCi~Pzi+35Dyk<-?_p!&E;dVj6;yO-hPX%LK zv=X0#ukESKYmaC+)|fMxP#G@OC$CIQ#ebQE7XzRKgPOVA3SS3ss5^u4S(NFoMHt$m zo;8`gtbMEi#HxHCVt@*Gw9*(lT9AADX3|k8ZgW#-%Je6JTFT_1#-K-+E8}l;d^9m8 zyNO39NqY(-q+q)EYSi6Vs8@Sv(Bi7A&@v)@e9mK=gqUxEX61iKkZUK|V|1z^%zqvR z999R4O96uMF3Y=2{ReNqgm%HReR+%mSowG?${cW~t4S6tVf*NjzHS3l_h(1f(-oPX zdTlQ~;YO_>@(vaY^^DfPb_RjUDHZ1&uo<}}dR$Y!Y(}h>W|NEv8QJf1yj$o(49_&y zW;uaQcAzcquF1V{Z8wrj-5Uu{Wq)n)R>nGI=YV2_W=~Z)Ax8p86!Rc0@e69ML=H z9)c=)jN0i0tekA@L;+RF`mX=!KdouOV!82lSnTqq*bwJkxGN}d%4%~%Du1NN#3kd~ z?c64q62hJ28*-vT|Nlrh9U^);;pdWG36)f6Hv+EOl>~B=Pk_%7V}d6NC}Qip9>F(s z5ViRWUfnAguZJwtHdv&8C(0JPD)DOW0I`O!Dko7wt2uiTk!o4-aUnJ^xIAxms|BdQ zFo=)x)Q%cM)!Aw+IH`_~w11?0(nY%HoFra-GY3pCqjDQoZCIK%b@6qma>k@gd7J)5 zqWq-2U68DElh_C(5-D6iTp00uvu6{O6nrK34@#LQnWCO>hhQ!fEFq9M3(XmgNO z-o_^RgZ?&}(=Kqc&u$%7D_5u_cuhBKLqUHuf`r=5u*q`o13vb{R)3gH5~k$5Xi?}4 z*e;vmqubm|(eWZF(eJ2nhinvrw4c+e?yG`k>jE~9t-0DQ0SZ zCcjeNxUb~Iu=6ujr+=p!Sa{9u>6fJDd|edAH`Dto2ym2z$s~)6EqKOvpZ&7Y76>jm zqqn{vdVdN|f*2Xb3Vv|ULI&{hXM;5#9^L9w1yKud=kRvTz0;8nPv~D<0=N%O6vr?e zIi($dI<{u%kh zui-LSA%8~=gG&5s?<4HI!;IV-f#?{#YIYwhZr*=zdGD6eKktxgaQ$?d7=3#5iUMzg z5b>N-I{-5Ot(ra>3 z%sXV;*9#H%Q_0R^OKKF+a>5-61yUnuZ+`AK+7+N5vmqytJCSj7qFD469d&ZXNqPff CO+ozt delta 2253 zcmV;;2r~Di64nurA%AB_XG>FNZ8ZmpRC6$5P+3t( 
zQ7d*UT60n_bAMPfSW-4va(8%PMK)zNSTAWqF+@jDMo=|3ZFyP>D`GZTYG_$>bt^S8 zLqm6HcVa?WD>P3lb8TffO>;IuLSkw`cT`nlOEzL*byPNbR7P)RGGuH@b9QSAEiEk| zab-1bGct8}F*s2$H8w{pIWIAEa931$O=LJwSu<&AVt;3OXjd>uMK5hM3gNB7>ErbD z_*9p>k5_12+0Kg-rQ_4;@zkVB)_87CQs441yyE~FyKl7PrU2|fY)?OS%_G&3a1b-l zh@sVD;@f`pH}G}qGiJpW@qzlpShWvxvyb#6#gjAjY~G1y;z~tWsB{ z*;}s3b$=w9(w)()Mi$B~Rvikk!wjk>)hNRXa(HN|Sc2DXLB)!z)?M|1U(SOE&;&M& zeif0ztmh!Ioyp*!mcx5A)@p;RY3Yy=eTFf?Uud01>XYeD$V%Ce;Wsms0!6AHYp55* z6m~)2RS1rig(rdsJvN?6;~5?aVDcf+=SQO~w0|DT0EO@C=mq` zZDF6oJ{>^B!w6N*DoIN${Q3x3S5hOfe4uHu)xRfP_|zU)OnCqm@oNX?IBQCAnlP1b zH!Eho(J+W4=Ra(Ax^UwSfk06+Nb~!9pL~x#-p&FKSS|yc71wUN|G&5VWl);`=n^g! z0e?V*f!jr&?Kf2x2^)#j4ydKYEic z=l3Ohk?!0jWvQ@}mkaPU)Lm-9iBGbPUpq}o z_$m2Y0ymNqMUv(b_H2GpGP=?SYvkSzTUkqRehRP-{#=t|i-JLtNQSbQgs)%B`+$X? zWVs2y7|;IqEi;ApJ+t0>n#o@^?xWG04_=+?#g^AgjrZj9jkOVcjRZ3MNtv}6RDT<) zP-b0vRO&@f7)r|iXnc(Dh)Uz>_Qqdb*;T`hz5IGEUHmBW*Y7l%o^emAjo+{#G_Ll6 z0#j&g?rF6RB?6)4=*qz2d|SWyvv#XtOBP;5=;++F{l zrxBI^dv(N2l_R!)BPqM!pgPh0%zr)!G0N8>b>fI|D?~-_VyLc%!tz>7T2{3|E11Co zh_vSPzl!RBd&IS1(0ystH|$Ih^OWqErnH=eP0S1O0+AE7&y!8EFKL}fsXgIQQt za_fB_$jETPWdPNUH_0nc=M;_Vi{=_C`HQ8nY}qgbx>KpZi;O{?96Z6vgjRvR4D;OJ zONFrKfq~h6?xc+(sc~kXLu#7z{xdS&3*hz!?`-B*DM~MG6_ezFn@AjqEml$FoXni` z^RAQrO~a2_+ph-E2>&El+kf{dpuA*msL6QPG|?poy2OfEMVZde6ye^DwgMxHyrcYI zk{2iU*beJY$E_JB51o!wa4PLp@0-G5MRfqN$+#L!HXn{wSsfY3HT7rk&vjy z5G#Dt6TRyjHN?|f8CbjOL8FK09s_aV;BJ>^M(IAHP21 zM6}dThj454GWd~Zdce2%i!HU zFnVDy^#iQrjCJllx_>=liOO=n*u|~I4X?jH8^_&|jC#X!1FU!lN9sUMW6R@ zKFL!wT-8@#)``M;iRzL1FfA4xw)og9 zapEZu{%^%BLZl{{t|!m^#*{2!B|ge{qm8`}`WU=r5_kBZ;cJ)RBV25X+x1CYr+D3- z+I99_t6$e134fm>;!$a13}(WE2U2|;3-)H|lutO~B0T%pHl zn&_M!gJrHY$3v$lm>np@Op#BiB)da~A=gQ|bVbM{lz&hXVD^RD@>_JCgrDF8KELU{ ztgN|4vkxiAGIMp7Xk`g**n1clDhs*q9;kx`G*jIcnSem_hnJ{f9(m673ljDXFBukA zIUC%2Ncv#9V~F0xw53@!JprFJ1a?nasMH z^lydQxkf98Pk*YPvsl~G9OdG8c4OXMqC%qW{wfGiJFOo*{8Jwg