main
flop 5 days ago
commit 88e3dca322
  1. 57
      flake.nix
  2. 43
      machines/auth.domain.com/configuration.nix
  3. 28
      machines/auth.domain.com/hardware-configuration.nix
  4. 32
      machines/status.domain.com/configuration.nix
  5. 77
      modules/keycloak.nix
  6. 10
      modules/users.nix

@ -0,0 +1,57 @@
{
description = "NixOS Infrastructure";
inputs = {
nixos.follows = "nixpkgs-unstable";
nixpkgs.follows = "nixpkgs-unstable";
nixpkgs-unstable.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
nixos-hardware.url = "github:NixOS/nixos-hardware";
};
outputs = { self, nixpkgs, nixos-hardware, ... }:
let
# Authorization keys for user mappings (login keys per user)
auth_keys = {
alice = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIALiceKeyPlaceholder alice@host"
];
bob = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBobKeyPlaceholder bob@host"
];
};
# Sudo keys per user (keys granting sudo, applied to root)
sudo_keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAISudoKeyPlaceholder admin@host"
];
sharedModules = [
./modules/users.nix
];
sharedArgs = {
inherit auth_keys sudo_keys;
};
in {
nixosConfigurations = {
auth.domain.com = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = sharedArgs;
modules = [
./machines/auth.domain.com/configuration.nix
./machines/auth.domain.com/hardware-configuration.nix
./modules/keycloak.nix
] ++ sharedModules;
};
status.domain.com = nixpkgs.lib.nixosSystem {
system = "x86_64-linux";
specialArgs = sharedArgs;
modules = [
./machines/status.domain.com/configuration.nix
./machines/status.domain.com/hardware-configuration.nix
] ++ sharedModules;
};
};
};
}

@ -0,0 +1,43 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
../../modules/keycloak.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "auth";
networking.domain = "domain.com";
time.timeZone = "UTC";
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
};
};
environment.systemPackages = with pkgs; [
curl
tmux
wget
bash
];
services.keycloak = {
enable = true;
hostname = "auth.domain.com";
adminPasswordFile = "/etc/keycloak-admin-password";
database = {
host = "localhost";
passwordFile = "/etc/keycloak-db-password";
};
};
system.stateVersion = "26.05";
}

@ -0,0 +1,28 @@
{ config, lib, pkgs, modulesPath, ... }:
{
imports = [
(modulesPath + "/installer/scan/not-detected.nix")
];
boot.initrd.availableKernelModules = [ "xhci_pci" "ehci_pci" "ahci" "usb_storage" "sd_mod" "sr_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-intel" ];
boot.extraModulePackages = [ ];
fileSystems."/" = {
device = "/dev/disk/by-label/nixos";
fsType = "ext4";
};
fileSystems."/boot" = {
device = "/dev/disk/by-label/boot";
fsType = "vfat";
};
swapDevices = [ { device = "/dev/disk/by-label/swap"; } ];
networking.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.intel.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

@ -0,0 +1,32 @@
{ config, lib, pkgs, ... }:
{
imports = [
./hardware-configuration.nix
];
boot.loader.grub.enable = true;
boot.loader.grub.device = "/dev/sda";
networking.hostName = "status";
networking.domain = "domain.com";
time.timeZone = "UTC";
services.openssh = {
enable = true;
settings = {
PermitRootLogin = "prohibit-password";
PasswordAuthentication = false;
};
};
environment.systemPackages = with pkgs; [
curl
tmux
wget
bash
];
system.stateVersion = "26.05";
}

@ -0,0 +1,77 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.keycloak;
in {
options.services.keycloak = {
enable = mkEnableOption "Keycloak identity provider";
database = {
host = mkOption {
type = types.str;
default = "localhost";
description = "Database host";
};
name = mkOption {
type = types.str;
default = "keycloak";
description = "Database name";
};
user = mkOption {
type = types.str;
default = "keycloak";
description = "Database user";
};
passwordFile = mkOption {
type = types.path;
description = "Path to file containing database password";
};
};
adminUser = mkOption {
type = types.str;
default = "admin";
description = "Admin username";
};
adminPasswordFile = mkOption {
type = types.path;
description = "Path to file containing admin password";
};
hostname = mkOption {
type = types.str;
description = "Keycloak hostname";
};
settings = mkOption {
type = types.attrs;
default = {};
description = "Additional Keycloak settings";
};
};
config = mkIf cfg.enable {
services.keycloak = {
enable = true;
settings = {
hostname = cfg.hostname;
hostname-strict-backchannel = true;
proxy = "edge";
db = mkDefault "postgres";
db-url = "jdbc:postgresql://${cfg.database.host}/${cfg.database.name}";
db-username = cfg.database.user;
db-password-file = cfg.database.passwordFile;
admin-user = cfg.adminUser;
admin-password-file = cfg.adminPasswordFile;
} // cfg.settings;
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
};
}

@ -0,0 +1,10 @@
{ config, lib, pkgs, auth_keys, sudo_keys, ... }:
{
users.users = {
root.openssh.authorizedKeys.keys = sudo_keys;
} // (lib.mapAttrs (name: keys: {
isNormalUser = true;
openssh.authorizedKeys.keys = keys;
}) auth_keys);
}
Loading…
Cancel
Save