feat: we now have a sso/oauth server ther we can use to connect services to

Currently works with Proxmox (VE and MG) and Forgejo
This commit is contained in:
silver 2025-03-23 00:06:29 +00:00
parent 70263f4b1f
commit 69ec3abb3b
Signed by: silver
GPG key ID: 36F93D61BAD3FD7D
4 changed files with 107 additions and 0 deletions

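--- a/applications/sso.nix
+++ b/applications/sso.nix
@@ -0,0 +1,77 @@
+{
+lib,
+config,
+...
+}:
+with lib; let
+name = "sso";
+cfg = config.services.skynet."${name}";
+in {
+imports = [
+];
+options.services.skynet."${name}" = {
+enable = mkEnableOption "Keycloak server";
+datasource = {
+name = mkOption {
+type = types.str;
+};
+url = mkOption {
+type = types.str;
+};
+};
+};
+config = mkIf cfg.enable {
+services.skynet.dns.records = [
+{
+record = "${name}";
+r_type = "CNAME";
+value = config.services.skynet.host.name;
+}
+];
+services.skynet.acme.domains = [
+"${name}.skynet.ie"
+];
+age.secrets.keycloak_pw.file = ../secrets/keycloak/pw.age;
+services.nginx.virtualHosts = {
+"${name}.skynet.ie" = {
+forceSSL = true;
+useACMEHost = "skynet";
+locations = {
+"/" = {
+proxyPass = "http://localhost:${toString config.services.keycloak.settings.http-port}/";
+};
+};
+};
+};
+services.postgresql.enable = true;
+services.keycloak = {
+enable = true;
+initialAdminPassword = "sharky_loves_sso";
+database = {
+type = "postgresql";
+createLocally = true;
+username = "keycloak";
+passwordFile = config.age.secrets.keycloak_pw.path;
+};
+settings = {
+hostname = "${name}.skynet.ie";
+http-port = 38080;
+proxy-headers = "xforwarded";
+http-enabled = true;
+};
+};
+};
+}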
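Review bot: `initialAdminPassword = "sharky_loves_sso";` in the `services.keycloak` block commits the bootstrap admin credential to the repository in clear text, and because it is part of the evaluated NixOS configuration it will also end up in the world-readable Nix store on the host — unlike the database password, which correctly goes through agenix (`passwordFile = config.age.secrets.keycloak_pw.path`). That option is only consumed when Keycloak first creates its admin user, so this value should be treated as burned: rotate the admin password in the Keycloak console right after the first start and mark the line with `# bootstrap-only credential, already public in git history: rotate after first login`, or, if the module version in use supports it, source it from an agenix secret the way the database password is. Two smaller points in the same file: the `datasource.name`/`datasource.url` options are declared but never read anywhere in `config`, and `http-enabled = true` with `proxy-headers = "xforwarded"` assumes nginx actually forwards X-Forwarded-* headers and that the plaintext listener on port 38080 is not reachable from outside the host — if the module's default `http-host` is not loopback, adding `http-host = "127.0.0.1";` beside `http-port` would confine it to localhost (I cannot see the nginx or module defaults from here, so confirm both).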


@ -31,6 +31,7 @@ in {
../applications/discord.nix
../applications/bitwarden/vaultwarden.nix
../applications/bitwarden/bitwarden_sync.nix
../applications/sso.nix
];
deployment = {
@ -54,5 +55,7 @@ in {
# committee/admin services
vaultwarden.enable = true;
sso.enable = true;
};
}

secrets/keycloak/pw.age Normal file

@ -0,0 +1,20 @@
age-encryption.org/v1
-> ssh-ed25519 V1pwNA /0giXND9iXet45Qdm45LbVQlIN1JYDiIJ1EFpMn+QgM
qxCesmTuF6auI9upI0V9rJSiSfzENLLHXIMrDewjvf4
-> ssh-ed25519 4PzZog iSvze8+tKCozFbiXcc8BGfQ0qrlVUHNEPc0E13505wY
+queuxWzkBHBR7q1pHhBahdSqgKYmpOZ2avC+S4u2tk
-> ssh-ed25519 dA0vRg MAQ9mfNn3wwB0hFaV/Wg6nxM1vafopAeJynREcbSvAA
VjD1Sy41PEy1TQ5Wc/R9gh1gN/T8y/bUAdItWRz64GQ
-> ssh-ed25519 5Nd93w RAh3fYyjUmldiUFkw59/JZDTgZ+jrVd31akiV1UgYGM
HvoJTTxM+sCkXIDv0+FtN4ACkTy7tqr/BNeTrR8Jumo
-> ssh-ed25519 q8eJgg c4+/61Jhm+/QyV0s3ikemMqhWBRb+ous4kl7Psx5/WU
GUqakK0Rrsgg48U9QkcpV20zvQAswk/anoACzORuxiU
-> ssh-ed25519 KVr8rw /mBl8ejPUBEwVsDVFcwWfW1i0tIG5JH/OWlRSrRk+TM
K3SJpjAm6VDtsBk6HyDdLgbImh4If5Od2qu+sL8Dj9Y
-> ssh-ed25519 fia1eQ khFHXNgPUQ39oTpd1lWycrMUin8Ii2pawwFY1vIhRSs
2XhIsPrtN+XOBlTR/sEaaG5XCLlsIroYspOaEz+cM2U
-> ssh-ed25519 IzAMqA u6W5klKqqGx22yCJx0yGgwPs3vs+iAeH5z36isWL8Co
Ij4ncciynno2m9ZKtAegFy5mjAGS86jM7NrCL73LROc
--- mINzTQYjXCu318AiJxgsF7az4LUGc9iVS7hcyfFNTQs
m½Ö.ØÝ>iõ~‡ 8$§pB†ÀÑ<C380>zhœä:´Ôq “'S£:„LdðšÿÚ
¡” ñŸQQøLÙŠ<0E>Ï{,;ѵÙä~© #


@ -99,6 +99,10 @@ let
bitwarden = [
kitt
];
sso = [
kitt
];
in {
# nix run github:ryantm/agenix -- -e secret1.age
@ -148,6 +152,9 @@ in {
"bitwarden/secret.age".publicKeys = users ++ bitwarden;
"bitwarden/details.age".publicKeys = users ++ bitwarden;
# Keycloak/sso
"keycloak/pw.age".publicKeys = users ++ sso;
# grafana
"grafana/pw.age".publicKeys = users ++ grafana;
}