1
0
Fork 0

Compare commits

..

1 Commits

Author SHA1 Message Date
Oystein Kristoffer Tveit fc1b7db291 WIP: kerberos 2023-12-03 05:46:27 +01:00
5 changed files with 28 additions and 61 deletions

View File

@ -5,12 +5,13 @@
../../base.nix ../../base.nix
../../misc/metrics-exporters.nix ../../misc/metrics-exporters.nix
../../modules/kerberos_auth.nix
#./services/keycloak.nix #./services/keycloak.nix
# TODO: set up authentication for the following: # TODO: set up authentication for the following:
# ./services/website.nix # ./services/website.nix
./services/nginx ./services/nginx.nix
./services/gitea/default.nix ./services/gitea/default.nix
./services/webmail ./services/webmail
# ./services/mediawiki.nix # ./services/mediawiki.nix

View File

@ -1,9 +1,5 @@
{ pkgs, config, ... }: { pkgs, config, ... }:
{ {
imports = [
./ingress.nix
];
security.acme = { security.acme = {
acceptTerms = true; acceptTerms = true;
defaults.email = "drift@pvv.ntnu.no"; defaults.email = "drift@pvv.ntnu.no";

View File

@ -1,55 +0,0 @@
{ config, lib, ... }:
{
services.nginx.virtualHosts = {
"www2.pvv.ntnu.no" = {
serverAliases = [ "www2.pvv.org" "pvv.ntnu.no" "pvv.org" ];
addSSL = true;
enableACME = true;
locations = {
# Proxy home directories
"/~" = {
extraConfig = ''
proxy_redirect off;
proxy_pass https://tom.pvv.ntnu.no;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
'';
};
# Redirect old wiki entries
"/disk".return = "301 https://www.pvv.ntnu.no/pvv/Diskkjøp";
"/dok/boker.php".return = "301 https://www.pvv.ntnu.no/pvv/Bokhyllen";
"/styret/lover/".return = "301 https://www.pvv.ntnu.no/pvv/Lover";
"/styret/".return = "301 https://www.pvv.ntnu.no/pvv/Styret";
"/info/".return = "301 https://www.pvv.ntnu.no/pvv/";
"/info/maskinpark/".return = "301 https://www.pvv.ntnu.no/pvv/Maskiner";
"/medlemssider/meldinn.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemskontingent";
"/diverse/medlems-sider.php".return = "301 https://www.pvv.ntnu.no/pvv/Medlemssider";
"/cert/".return = "301 https://www.pvv.ntnu.no/pvv/CERT";
"/drift".return = "301 https://www.pvv.ntnu.no/pvv/Drift";
"/diverse/abuse.php".return = "301 https://www.pvv.ntnu.no/pvv/CERT/Abuse";
"/nerds/".return = "301 https://www.pvv.ntnu.no/pvv/Nerdepizza";
# TODO: Redirect webmail
"/webmail".return = "301 https://webmail.pvv.ntnu.no/squirrelmail";
# Redirect everything else to the main website
"/".return = "301 https://www.pvv.ntnu.no$request_uri";
# Proxy the matrix well-known files
# Host has be set before proxy_pass
# The header must be set so nginx on the other side routes it to the right place
"/.well-known/matrix/" = {
extraConfig = ''
proxy_set_header Host matrix.pvv.ntnu.no;
proxy_pass https://matrix.pvv.ntnu.no/.well-known/matrix/;
'';
};
};
};
};
}

25
modules/kerberos_auth.nix Normal file
View File

@ -0,0 +1,25 @@
{ pkgs, lib, ... }:
{
environment.systemPackages = with pkgs; [
heimdal
];
security.pam.krb5.enable = true;
environment.etc."krb5.conf".text = ''
[libdefaults]
default_realm = PVV.NTNU.NO
dns_lookup_realm = yes
dns_lookup_kdc = yes
[appdefaults]
pam = {
ignore_k5login = yes
}
[realms]
PVV.NTNU.NO = {
admin_server = kdc.pvv.ntnu.no
}
'';
}

View File

@ -3,7 +3,7 @@
{ {
users.users.jonmro = { users.users.jonmro = {
isNormalUser = true; isNormalUser = true;
extraGroups = [ "wheel" "drift" "nix-builder-users" ]; extraGroups = [ "wheel" ];
shell = pkgs.zsh; shell = pkgs.zsh;
openssh.authorizedKeys.keys = [ openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm5PfYmfl/0fnAP/3coVlvTw3/TYNLT6r/NwJHZbLAK jonrodtang@gmail.com" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEm5PfYmfl/0fnAP/3coVlvTw3/TYNLT6r/NwJHZbLAK jonrodtang@gmail.com"