
System and user configuration, managed by nix and home-manager

setup rauthy

Alan Pearce
commit

c1b01d0597bccd772e20da26061bad9ee377477d

parent

dff7d7fd4af031ace248f9bc6ffdbe41b4aa72d3

1 file changed, 108 insertions(+), 17 deletions(-)

M system/linde.nixsystem/linde.nix
@@ -55,6 +55,7 @@ mode = "400";
 symlink = false;
 file = ../secrets/golink.age;
 };
+ rauthy.file = ../secrets/rauthy.age;
 };
 boot.loader.efi.efiSysMountPoint = "/boot/efi";
@@ -201,7 +202,7 @@ 6885 # DHT
 6922
 config.services.transmission.settings.peer-port
 ];
- trustedInterfaces = [ "tailscale0" ];
+ trustedInterfaces = [ "tailscale0" "podman0" ];
 };
 resolvconf = {
 enable = false;
@@ -395,23 +396,41 @@ gsqlite3-dnssec=yes
 '';
 };
- services.postfix =
- let
- localUser = "alan";
- forwardingAddress = email;
- in
- {
- enable = true;
- destination = [ ];
- domain = config.networking.domain;
- virtual = ''
- @${config.networking.hostName}.${config.networking.domain} ${localUser}
- ${localUser} ${forwardingAddress}
- '';
- config = {
- inet_interfaces = "loopback-only";
- };
+ services.postfix = {
+ enable = true;
+ enableSubmission = true;
+ submissionOptions = {
+ smtpd_client_restrictions = "permit_inet_interfaces,reject";
+ smtpd_tls_security_level = "none";
+ };
+ enableSubmissions = true;
+ destination = [ ];
+ domain = domain;
+ virtual = ''
+ @${config.networking.hostName}.${domain} alan
+ alan ${email}
+ '';
+ config = {
+ inet_interfaces = "loopback-only";
+ smtp_bind_address = "0.0.0.0";
+ smtp_bind_address6 = "::";
+ };
+ masterConfig."10.88.0.1:587" = {
+ type = "inet";
+ private = false;
+ command = "smtpd";
+ args = [
+ "-o"
+ "inet_interfaces=10.88.0.1"
+ "-o"
+ "mynetworks=10.88.0.0/16"
+ "-o"
+ "smtpd_client_restrictions=permit_mynetworks,reject"
+ "-o"
+ "smtpd_tls_security_level=none"
+ ];
 };
+ };
 users.groups.ntfy = { };
 users.users.ntfy = {
@@ -533,6 +552,12 @@ log {
 output discard
 }
 reverse_proxy 127.0.0.1:8081
+ '';
+ };
+ "iam.alin.ovh" = {
+ extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://127.0.0.1:8080
 '';
 };
 "id.alanpearce.eu" = {
@@ -896,6 +921,72 @@ DynamicUser = lib.mkForce false;
 User = user.name;
 Group = user.group;
 };
+
+ users.groups.rauthy = { };
+ users.users.rauthy = {
+ isSystemUser = true;
+ createHome = true;
+ home = "/srv/rauthy";
+ group = "rauthy";
+ };
+ virtualisation.oci-containers = {
+ backend = "podman";
+ containers = {
+ rauthy =
+ let
+ domain = "alin.ovh";
+ toml = pkgs.formats.toml { };
+ cfg = {
+ bootstrap = {
+ admin_email = "admin@${domain}";
+ };
+ cluster = {
+ node_id = 1;
+ wal_ignore_lock = true;
+ };
+ encryption = {
+ keys = [ "4babe063/HXY+N6xpGNaCZ5QsfIJB7jJscqmZfy/9UrGc3V2Kyi8=" ];
+ key_active = "9f93e3c7";
+ };
+ email = {
+ smtp_url = "host.containers.internal";
+ smtp_port = 587;
+ smtp_from = "Rauthy <rauthy@${domain}>";
+ smtp_username = "rauthy";
+ smtp_password = "rauthy";
+ smtp_danger_insecure = true;
+ };
+ server = {
+ scheme = "http";
+ pub_url = "iam.${domain}";
+ proxy_mode = true;
+ trusted_proxies = [
+ "10.0.0.0/8"
+ ];
+ };
+ webauthn = {
+ rp_id = domain;
+ rp_origin = "https://iam.${domain}:443";
+ };
+ };
+ in
+ {
+ image = "ghcr.io/sebadob/rauthy:0.30.1";
+ ports = [ "8080:8080" ];
+ user = "971:969";
+ volumes = [
+ "${toml.generate "config.toml" cfg}:/app/config.toml"
+ "/srv/rauthy:/app/data"
+ ];
+ environment = {
+ SMTP_URL = "host.containers.internal";
+ SMTP_DANGER_INSECURE = "true";
+ };
+ environmentFiles = [ config.age.secrets.rauthy.path ];
+ serviceName = "rauthy";
+ };
+ };
+ };
 services.redis = {
 servers = {
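Review bot: The `encryption.keys` entry and `smtp_password = "rauthy"` inside the rauthy `cfg` attrset of the last hunk are committed in cleartext and, through `toml.generate "config.toml" cfg`, also land in the world-readable Nix store, even though `environmentFiles = [ config.age.secrets.rauthy.path ]` already wires an agenix-managed secret into the container; move both into that secret file in environment-variable form (the same pattern the `environment` block uses for `SMTP_URL`), and treat the pushed key as burnt and rotate it. `user = "971:969"` is hard-coded while `users.users.rauthy` and `users.groups.rauthy` get no fixed ids, so the bind-mounted `/srv/rauthy` created by `createHome` may end up owned by a different uid than the container process; pin them with `users.users.rauthy.uid = 971;` and `users.groups.rauthy.gid = 969;`. Since the `iam.alin.ovh` site in the Caddy hunk proxies to 127.0.0.1:8080, `ports = [ "127.0.0.1:8080:8080" ];` would keep the container from listening on every host interface (including the now-trusted `podman0` and `tailscale0`), and `trusted_proxies` could presumably be narrowed from `10.0.0.0/8` to the podman gateway address. In the postfix hunk, the `10.88.0.1:587` listener relays for the whole `10.88.0.0/16` bridge with `smtpd_tls_security_level=none` and no SASL, so the `smtp_username`/`smtp_password` pair configured in rauthy is never checked; narrowing `mynetworks` to the rauthy container's address or enabling SASL on that listener would make the credential meaningful. Each hunk sits inside a module attrset that starts and ends outside the shown lines.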