steveej/infra
1
0
Fork 0
Code Issues 2 Pull requests Projects Releases Packages Wiki Activity Actions

feat(webserver): switch to caddy, add authelia, lldap, switch hedgedoc to LDAP auth

Browse source
This commit is contained in:
steveej 2023-07-15 21:20:45 +02:00
parent dbc544ba0d
commit c49a077711
6 changed files with 192 additions and 50 deletions
Download patch file Download diff file Expand all files Collapse all files

210
nix/os/containers/webserver.nix
View file

@ -27,56 +27,49 @@
domain = "www.stefanjunker.de";
};
security.acme = {
acceptTerms = true;
certs."www.stefanjunker.de".email = "mail@stefanjunker.de";
preliminarySelfsigned = true;
# can be used for debugging
# server = "https://acme-staging-v02.api.letsencrypt.org/directory";
};
sops.age.sshKeyPaths = ["/etc/ssh/ssh_host_ed25519_key"];
sops.secrets.hedgedoc_environment_file = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.hedgedoc.name;
};
services.nginx.enable = true;
services.nginx.recommendedProxySettings = true;
services.nginx.virtualHosts."www.stefanjunker.de" = {
default = true;
addSSL = true;
listen = [
{
addr = "0.0.0.0";
port = httpPort;
ssl = false;
}
{
addr = "0.0.0.0";
port = httpsPort;
ssl = true;
}
];
services.caddy = {
enable = true;
virtualHosts."${config.services.ddclientovh.domain}" = {
extraConfig = let
port = "${builtins.toString config.services.authelia.instances.default.settings.server.port}";
path = "${config.services.authelia.instances.default.settings.server.path}";
in ''
redir /hedgedoc* https://hedgedoc.${config.services.ddclientovh.domain}
root = "/var/www/stefanjunker.de/htdocs";
respond "Hi!"
'';
};
enableACME = true;
virtualHosts."hedgedoc.${config.services.ddclientovh.domain}" = {
extraConfig = ''
reverse_proxy http://[::1]:3000
'';
};
locations."/hedgedoc/" = {proxyPass = "http://[::1]:3000/";};
virtualHosts."authelia.${config.services.ddclientovh.domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.authelia.instances.default.settings.server.port}
'';
};
locations."/hedgedoc/socket.io/" = {
proxyPass = "http://[::1]:3000/socket.io/";
proxyWebsockets = true;
virtualHosts."lldap.${config.services.ddclientovh.domain}" = {
extraConfig = ''
reverse_proxy http://127.0.0.1:${builtins.toString config.services.lldap.settings.http_port}
'';
};
};
services.hedgedoc = {
enable = true;
settings = {
domain = "www.stefanjunker.de";
urlPath = "hedgedoc";
domain = "hedgedoc.${config.services.ddclientovh.domain}";
urlPath = "";
protocolUseSSL = true;
db = {
dialect = "sqlite";
@ -88,13 +81,18 @@
allowGravatar = false;
allowFreeURL = false;
defaultPermission = "private";
allowEmailRegister = false;
# these are set via the `environmentFile`
dropbox = {
appKey = "$DROPBOX_APPKEY";
clientID = "$DROPBOX_CLIENTID";
clientSecret = "$DROPBOX_CLIENTSECRET";
allowEmailRegister = false;
email = false;
ldap = {
url = "ldap://127.0.0.1:${builtins.toString config.services.lldap.settings.ldap_port}";
bindDn = "uid=admin,ou=people,dc=stefanjunker,dc=de";
# these are set via the `environmentFile`
bindCredentials = "$LDAP_ADMIN_PASSWORD";
searchBase = "ou=people,dc=stefanjunker,dc=de";
searchFilter = "(&(memberOf=cn=hedgedoc,ou=groups,dc=stefanjunker,dc=de)(uid={{username}}))";
useridField = "uid";
};
uploadsPath = "/var/lib/hedgedoc/uploads";
@ -102,6 +100,125 @@
environmentFile = config.sops.secrets.hedgedoc_environment_file.path;
};
sops.secrets.authelia_storageEncryptionKey = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.authelia-default.name;
};
sops.secrets.authelia_jwtSecret = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.authelia-default.name;
};
services.authelia.instances.default = let
baseDir = "/var/lib/authelia-default";
in {
enable = true;
secrets.storageEncryptionKeyFile = config.sops.secrets.authelia_storageEncryptionKey.path;
secrets.jwtSecretFile = config.sops.secrets.authelia_jwtSecret.path;
settings = {
theme = "auto";
default_2fa_method = "totp";
log.level = "debug";
server = {
disable_healthcheck = true;
host = "127.0.0.1";
port = 9091;
# path = "authelia";
};
storage = {
local.path = "${baseDir}/authelia.sqlite";
};
authentication_backend = {
file.path = "${baseDir}/first_factor.yaml";
file.search.email = true;
file.search.case_insensitive = false;
};
access_control = {
default_policy = "one_factor";
};
session.domain = "stefanjunker.de";
notifier = {
disable_startup_check = true;
filesystem.filename = "${baseDir}/notification.txt";
};
};
};
users.groups.lldap = {};
users.users.lldap = {
isSystemUser = true;
group = "lldap";
};
sops.secrets.lldap_jwtSecret = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
sops.secrets.lldap_adminPassword = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
sops.secrets.lldap_environmentFile = {
sopsFile = ./webserver_secrets.yaml;
owner = config.users.users.lldap.name;
};
services.lldap = {
enable = true;
environment = {
LLDAP_JWT_SECRET_FILE = config.sops.secrets.lldap_jwtSecret.path;
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets.lldap_adminPassword.path;
};
environmentFile = config.sops.secrets.lldap_environmentFile.path;
settings = {
verbose = false;
ldap_base_dn = "dc=stefanjunker,dc=de";
http_url = "https://lldap.${config.services.ddclientovh.domain}";
## Options to configure SMTP parameters, to send password reset emails.
## To set these options from environment variables, use the following format
## (example with "password"): LLDAP_SMTP_OPTIONS__PASSWORD
smtp_options = {
## Whether to enabled password reset via email, from LLDAP.
enable_password_reset = true;
## The SMTP server.
# server = "ssl0.ovh.net";
server = "smtp.gmail.com";
## The SMTP port.
# port = 465;
port = 587;
## How the connection is encrypted, either "NONE" (no encryption), "TLS" or "STARTTLS".
# smtp_encryption = "TLS";
smtp_encryption = "STARTTLS";
## The SMTP user, usually your email address.
# user = "..."
## The SMTP password.
#password="password"
## The header field, optional: how the sender appears in the email. The first
## is a free-form name, followed by an email between <>.
# from = "Postmaster <postmaster@domain.tld>";
## Same for reply-to, optional.
};
# database_url = "sqlite:///var/lib/lldap/users.db?mode=rwc";
};
};
systemd.services.lldap.serviceConfig.User = config.users.users.lldap.name;
systemd.services.lldap.serviceConfig.Group = config.users.groups.lldap.name;
systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
};
inherit autoStart;
@ -125,9 +242,20 @@
hostPath = "/var/lib/container-volumes/webserver/var-lib-hedgedoc";
isReadOnly = false;
};
"/var/lib/authelia-default" = {
hostPath = "/var/lib/container-volumes/webserver/var-lib-authelia-default";
isReadOnly = false;
};
"/var/lib/lldap" = {
hostPath = "/var/lib/container-volumes/webserver/var-lib-lldap";
isReadOnly = false;
};
};
extraFlags = ["--resolv-conf=bind-host"];
# extraFlags = ["--resolv-conf=bind-host"];
# networking.useHostResolvConf = true;
privateNetwork = true;
forwardPorts = [