diff --git a/flake.lock b/flake.lock
index 7dcd434..3fce71a 100644
--- a/flake.lock
+++ b/flake.lock
@@ -99,11 +99,11 @@
 ]
 },
 "locked": {
- "lastModified": 1702224561,
- "narHash": "sha256-kA++rUce3EHqvW3SqLf4RdaP/guKD4/un5vjlr2rZCI=",
+ "lastModified": 1702764954,
+ "narHash": "sha256-+1z/0NJ/8c0d6Um1y9wpVO8CPXHd9/psOJF9GqFS/38=",
 "ref": "refs/heads/master",
- "rev": "b77ada84c29fc587b24b4ca838a0280272e654da",
- "revCount": 8,
+ "rev": "dcea3067863899ee23950670e7fed2a4feccc20e",
+ "revCount": 13,
 "type": "git",
 "url": "ssh://git@git.o-g.at/nixpkg/tuxpkgs.git"
 },
diff --git a/flake.nix b/flake.nix
index a48e9b4..d970532 100644
--- a/flake.nix
+++ b/flake.nix
@@ -46,24 +46,75 @@
 self.nixosModules.default
 tuxpkgs.nixosModules.ory-hydra
 "${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix"
- ({...}:{
+ ({lib, ...}:{
 security.acme.acceptTerms = true;
 security.acme.defaults.email = "acme@example.com";
 services.lenticular-cloud = {
 enable = true;
 domain = "example.com";
 service_domain = "account.example.com";
+ settings.HYDRA_ADMIN_URL = "http://127.0.0.1:8081";
+ settings.HYDRA_PUBLIC_URL = "http://127.0.0.1:8082";
+ settings.PUBLIC_URL = "http://127.0.0.1:5000";
 };
 services.ory-hydra = {
 enable = true;
 admin_domain = "admin-hydra.local";
 public_domain = "public-hydra.local";
+ extra_args = ["--dev"];
+ settings = {
+ dev = true;
+ urls.self = {
+ issuer = "http://127.0.0.1:8082";
+ public = "http://127.0.0.1:8082";
+ admin = "http://127.0.0.1:8081";
+ };
+ };
 };
 networking.hosts = {
 "::1" = [ "admin-hydra.local" "public-hydra.local" "account.example.com" ];
 };
+ networking.firewall.enable = false;
 services.getty.autologinUser = "root";
- virtualisation.qemu.options = ["-vga none"];
+ services.nginx.virtualHosts = {
+ "admin-hydra.local" = {
+ addSSL = lib.mkForce false;
+ enableACME = lib.mkForce false;
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8081;
+ }];
+ locations."/" = {
+ extraConfig = ''
+ allow all;
+ '';
+ };
+ };
+ "public-hydra.local" = {
+ addSSL = lib.mkForce false;
+ enableACME = lib.mkForce false;
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8082;
+ }];
+ };
+ };
+ virtualisation = {
+ forwardPorts = [ {
+ from = "host";
+ host.port = 8080;
+ guest.port = 80;
+ } {
+ from = "host";
+ host.port = 8081;
+ guest.port = 8081;
+ } {
+ from = "host";
+ host.port = 8082;
+ guest.port = 8082;
+ } ];
+ qemu.options = [ "-vga none" "-nographic" ];
+ };
 })
 ];
 };
diff --git a/lenticular_cloud/config_development.toml b/lenticular_cloud/config_development.toml
index 7776405..d3e3c02 100644
--- a/lenticular_cloud/config_development.toml
+++ b/lenticular_cloud/config_development.toml
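Review bot: The `forwardPorts` entries at the end of this hunk publish the Hydra admin API (guest port 8081, whose new nginx vhost also carries `allow all;` and `addSSL = lib.mkForce false`) on the host, and with no `host.address` given QEMU's hostfwd binds every host interface as far as I recall, so anyone who can reach the developer machine reaches the unauthenticated `--dev` admin endpoint. Pinning the forwards to loopback keeps the VM usable while confining it to the local machine: add `host.address = "127.0.0.1";` to each of the three entries. The guest-side `addr = "0.0.0.0"` listeners are needed for the user-mode network to reach nginx and `networking.firewall.enable = false` only applies inside the VM, so those can stay. The enclosing nixosConfiguration and its module list start before the hunk.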
@@ -12,13 +12,14 @@ SQLALCHEMY_TRACK_MODIFICATIONS = false PKI_PATH = "../data/pki" DOMAIN = 'example.com' +PUBLIC_URL = 'http://localhost:5000' #SERVER_NAME = f'account.{ DOMAIN }:9090' HYDRA_REQUEST_TIMEOUT_SECONDS = 3 -HYDRA_ADMIN_URL = 'http://127.0.0.1:4445' +HYDRA_ADMIN_URL = 'http://127.0.0.1:8081' HYDRA_ADMIN_USER = 'lenticluar_cloud' HYDRA_ADMIN_PASSWORD = 'notSecure' -HYDRA_PUBLIC_URL = 'http://127.0.0.1:4444' +HYDRA_PUBLIC_URL = 'http://127.0.0.1:8082' SUBJECT_PREFIX = 'something random' OAUTH_ID = 'identiy_provider' diff --git a/lenticular_cloud/hydra.py b/lenticular_cloud/hydra.py index 91574a0..2fdaead 100644 --- a/lenticular_cloud/hydra.py +++ b/lenticular_cloud/hydra.py @@ -35,7 +35,7 @@ class HydraService: break if client is None: - domain = app.config['DOMAIN'] + public_url = app.config['PUBLIC_URL'] client = OAuth20Client( client_name="identiy_provider", # client_id=client_id, @@ -43,7 +43,7 @@ class HydraService: response_types=["code", "id_token"], scope="openid profile manage", grant_types=["authorization_code", "refresh_token"], - redirect_uris=[ f"https://{domain}/oauth/authorized" ], + redirect_uris=[ f"{public_url}/oauth/authorized" ], token_endpoint_auth_method="client_secret_basic", ) ret = create_o_auth_2_client.sync(json_body=client, _client=self.hydra_client) diff --git a/module.nix b/module.nix index a1e73ce..a1a0768 100644 --- a/module.nix +++ b/module.nix @@ -1,9 +1,9 @@ { config, pkgs, lib, ... }: let cfg = config.services.lenticular-cloud; - username = "lenticular_cloud"; - data_folder = "/var/lib/${username}"; python = pkgs.python3; + format = pkgs.formats.json {}; + types = lib.types; in { options = with lib.options; { 
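Review bot: The redirect URI in the second hydra.py hunk is only applied inside the `if client is None:` branch of the first hunk, i.e. on initial registration, so an installation whose client was already created with the previous `https://{domain}/oauth/authorized` value keeps the stale URI and the new `PUBLIC_URL` never reaches Hydra; the loop that assigns `client` starts before the hunk. A trailing slash in `PUBLIC_URL` would also produce `//oauth/authorized`, which Hydra compares byte-for-byte against the URI in the authorization request, so normalise the value where it is read: `public_url = app.config['PUBLIC_URL'].rstrip('/')`. Because the scheme now comes from configuration instead of being forced to https, a comment at that line such as `# PUBLIC_URL must be an https origin outside local development; it is registered with Hydra verbatim` makes the expectation explicit.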
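Review bot: The module.nix hunk at `@@ -1,9 +1,9 @@` removes the `username` let-binding, yet `username` is still used bare in the later module.nix hunks (`users."${username}"`, `"/var/lib/${username}"`, `name = username`, and the `SQLALCHEMY_DATABASE_URI` default), so unless a binding outside the visible hunks supplies it, evaluation fails on an undefined variable. The value is now meant to come from the new `cfg.username` option; either re-add `username = cfg.username;` to this `let` block or replace each bare reference with `cfg.username`. The `let … in` here is complete within the hunk, but the module body it introduces continues past it.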
@@ -13,22 +13,57 @@ in type = lib.types.str; example = "example.com"; }; + username = mkOption { + type = lib.types.str; + description = mdDoc "user to run the service"; + example = "lenticular_cloud"; + }; service_domain = mkOption { type = lib.types.str; example = "account.example.com"; }; settings = mkOption { - type = lib.types.attrs; - default = rec { - DOMAIN = cfg.domain; - DATA_FOLDER = data_folder; - PKI_PATH = "${DATA_FOLDER}/pki"; - # SQLALCHEMY_DATABASE_URI = "sqlite:////${DATA_FOLDER}/db.sqlite"; - SQLALCHEMY_DATABASE_URI = "postgresql://${username}@/${username}?host=/run/postgresql"; - HYDRA_ADMIN_URL= "https://${config.services.ory-hydra.admin_domain}"; - HYDRA_PUBLIC_URL= "https://${config.services.ory-hydra.public_domain}"; - }; + description = mdDoc '' + Lenticular cloud settings + ''; + default = { }; + + type = types.submodule { + freeformType = format.type; + options = { + DOMAIN = mkOption { + type = types.str; + description = mdDoc "Top level Domain of the service"; + default = cfg.domain; + }; + PUBLIC_URL = mkOption { + type = types.str; + description = mdDoc "public service url"; + default = "https://${cfg.service_domain}"; + }; + DATA_FOLDER = mkOption { + type = types.str; + default = "/var/lib/${cfg.username}"; + }; + PKI_PATH = mkOption { + type = types.str; + default = "${cfg.settings.DATA_FOLDER}/pki"; + }; + SQLALCHEMY_DATABASE_URI = mkOption { + type = types.str; + default = "postgresql://${username}@/${username}?host=/run/postgresql"; + }; + HYDRA_ADMIN_URL = mkOption { + type = types.str; + default = "https://${config.services.ory-hydra.admin_domain}"; + }; + HYDRA_PUBLIC_URL = mkOption { + type = types.str; + default = "https://${config.services.ory-hydra.public_domain}"; + }; + }; + }; }; }; }; @@ -44,7 +79,7 @@ in }; users."${username}" = { createHome = true; - home = data_folder; + home = "/var/lib/${username}"; description = "web server"; extraGroups = [ # "ory-hydra" 
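Review bot: The `username` option added at the top of this hunk has no `default`, so every consumer must set it or the `DATA_FOLDER` default `"/var/lib/${cfg.username}"` fails evaluation; the flake.nix VM configuration in this same commit sets only `enable`, `domain`, `service_domain` and `settings`. Restoring the previous hard-coded value as the default, `default = "lenticular_cloud";`, keeps existing deployments evaluating. The `SQLALCHEMY_DATABASE_URI` default also interpolates bare `username` where the sibling `DATA_FOLDER` default uses `cfg.username`; `default = "postgresql://${cfg.username}@/${cfg.username}?host=/run/postgresql";` makes the two consistent. The `options` set this hunk edits is closed inside the hunk, but the surrounding module continues after it.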
@@ -60,15 +95,18 @@ in ensureUsers = [ { name = username; - ensurePermissions = { - "DATABASE ${username}" = "All PRIVILEGES"; - }; + ensureDBOwnership = true; } ]; - identMap = '' - # ArbitraryMapName systemUser DBUser - superuser_map ${username} ${username} - ''; + }; + + services.ory-hydra.settings = { + urls = { + login = "${cfg.settings.PUBLIC_URL}/auth/login"; + logout = "${cfg.settings.PUBLIC_URL}/auth/logout"; + consent = "${cfg.settings.PUBLIC_URL}/auth/consent"; + error = "${cfg.settings.PUBLIC_URL}/auth/error"; + }; }; services.nginx.enable = true; @@ -94,7 +132,7 @@ in python_path = with python.pkgs; makePythonPath [ pkgs.lenticular-cloud gevent setuptools ]; in { # CONFIG_FILE = "/etc/lenticular_cloud/production.conf"; - CONFIG_FILE = pkgs.writeText "lenticular-cloud.json" (builtins.toJSON cfg.settings); + CONFIG_FILE = format.generate "lenticular-cloud.json" cfg.settings; PYTHONPATH = "${python_path}"; # PYTHONPATH = "${lenticular-pkg.pythonPath}:${lenticular-pkg}/lib/python3.10/site-packages:${python_path}"; };
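Review bot: `ensureDBOwnership = true` in the first hunk on this line requires, as far as I recall of the NixOS postgresql module, that `ensureDatabases` list a database named exactly like the user, and that list is outside the hunk, so please confirm it uses the same `username` value now that the name is user-configurable. A comment above the entry, `# ensureDBOwnership requires ensureDatabases to contain a DB named exactly like this user`, would document the coupling for the next person who renames the service user.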
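Review bot: `format.generate "lenticular-cloud.json" cfg.settings` in the last hunk renders the whole settings set into the Nix store, which is world-readable on the machine, and with the new `freeformType` any key a user adds (for example the `HYDRA_ADMIN_PASSWORD` that the development TOML carries, or a database password) lands there in clear text; the previous `pkgs.writeText` had the same property, so the new code keeps a pre-existing exposure rather than creating one. The workable fix is to keep secrets out of `cfg.settings` and read them from a root-only file at service start, via an environment-file style option in this module, and to say so in the `settings` option description. At minimum add `# rendered into the world-readable Nix store: never put secrets in cfg.settings` above the `CONFIG_FILE` line. The `let … in` defining `python_path` begins before the hunk.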