refactor nixos dev setup
parent
0494fb336f
commit
fbbe6e2c87
|
@ -99,11 +99,11 @@
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1702224561,
|
"lastModified": 1702764954,
|
||||||
"narHash": "sha256-kA++rUce3EHqvW3SqLf4RdaP/guKD4/un5vjlr2rZCI=",
|
"narHash": "sha256-+1z/0NJ/8c0d6Um1y9wpVO8CPXHd9/psOJF9GqFS/38=",
|
||||||
"ref": "refs/heads/master",
|
"ref": "refs/heads/master",
|
||||||
"rev": "b77ada84c29fc587b24b4ca838a0280272e654da",
|
"rev": "dcea3067863899ee23950670e7fed2a4feccc20e",
|
||||||
"revCount": 8,
|
"revCount": 13,
|
||||||
"type": "git",
|
"type": "git",
|
||||||
"url": "ssh://git@git.o-g.at/nixpkg/tuxpkgs.git"
|
"url": "ssh://git@git.o-g.at/nixpkg/tuxpkgs.git"
|
||||||
},
|
},
|
||||||
|
|
55
flake.nix
55
flake.nix
|
@ -46,24 +46,75 @@
|
||||||
self.nixosModules.default
|
self.nixosModules.default
|
||||||
tuxpkgs.nixosModules.ory-hydra
|
tuxpkgs.nixosModules.ory-hydra
|
||||||
"${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix"
|
"${nixpkgs}/nixos/modules/virtualisation/qemu-vm.nix"
|
||||||
({...}:{
|
({lib, ...}:{
|
||||||
security.acme.acceptTerms = true;
|
security.acme.acceptTerms = true;
|
||||||
security.acme.defaults.email = "acme@example.com";
|
security.acme.defaults.email = "acme@example.com";
|
||||||
services.lenticular-cloud = {
|
services.lenticular-cloud = {
|
||||||
enable = true;
|
enable = true;
|
||||||
domain = "example.com";
|
domain = "example.com";
|
||||||
service_domain = "account.example.com";
|
service_domain = "account.example.com";
|
||||||
|
settings.HYDRA_ADMIN_URL = "http://127.0.0.1:8081";
|
||||||
|
settings.HYDRA_PUBLIC_URL = "http://127.0.0.1:8082";
|
||||||
|
settings.PUBLIC_URL = "http://127.0.0.1:5000";
|
||||||
};
|
};
|
||||||
services.ory-hydra = {
|
services.ory-hydra = {
|
||||||
enable = true;
|
enable = true;
|
||||||
admin_domain = "admin-hydra.local";
|
admin_domain = "admin-hydra.local";
|
||||||
public_domain = "public-hydra.local";
|
public_domain = "public-hydra.local";
|
||||||
|
extra_args = ["--dev"];
|
||||||
|
settings = {
|
||||||
|
dev = true;
|
||||||
|
urls.self = {
|
||||||
|
issuer = "http://127.0.0.1:8082";
|
||||||
|
public = "http://127.0.0.1:8082";
|
||||||
|
admin = "http://127.0.0.1:8081";
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
networking.hosts = {
|
networking.hosts = {
|
||||||
"::1" = [ "admin-hydra.local" "public-hydra.local" "account.example.com" ];
|
"::1" = [ "admin-hydra.local" "public-hydra.local" "account.example.com" ];
|
||||||
};
|
};
|
||||||
|
networking.firewall.enable = false;
|
||||||
services.getty.autologinUser = "root";
|
services.getty.autologinUser = "root";
|
||||||
virtualisation.qemu.options = ["-vga none"];
|
services.nginx.virtualHosts = {
|
||||||
|
"admin-hydra.local" = {
|
||||||
|
addSSL = lib.mkForce false;
|
||||||
|
enableACME = lib.mkForce false;
|
||||||
|
listen = [{
|
||||||
|
addr = "0.0.0.0";
|
||||||
|
port = 8081;
|
||||||
|
}];
|
||||||
|
locations."/" = {
|
||||||
|
extraConfig = ''
|
||||||
|
allow all;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"public-hydra.local" = {
|
||||||
|
addSSL = lib.mkForce false;
|
||||||
|
enableACME = lib.mkForce false;
|
||||||
|
listen = [{
|
||||||
|
addr = "0.0.0.0";
|
||||||
|
port = 8082;
|
||||||
|
}];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
virtualisation = {
|
||||||
|
forwardPorts = [ {
|
||||||
|
from = "host";
|
||||||
|
host.port = 8080;
|
||||||
|
guest.port = 80;
|
||||||
|
} {
|
||||||
|
from = "host";
|
||||||
|
host.port = 8081;
|
||||||
|
guest.port = 8081;
|
||||||
|
} {
|
||||||
|
from = "host";
|
||||||
|
host.port = 8082;
|
||||||
|
guest.port = 8082;
|
||||||
|
} ];
|
||||||
|
qemu.options = [ "-vga none" "-nographic" ];
|
||||||
|
};
|
||||||
})
|
})
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
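Review bot: The Hydra admin API becomes reachable from beyond the host once this hunk applies: `networking.firewall.enable = false;`, the `admin-hydra.local` vhost listening on `0.0.0.0:8081` with `allow all;`, and a `forwardPorts` entry for 8081 that sets no `host.address`, which in the qemu-vm module binds the forward on every host interface as far as I can tell. Hydra's admin endpoints carry no authentication of their own, so anyone on the host's network could register OAuth2 clients or accept login/consent challenges of this VM, and `--dev` does not change that. Restricting the host side is one line per entry, `host.address = "127.0.0.1";`, and the `allow all;` in `locations."/"` could be dropped (or narrowed to `allow 10.0.2.2;`, QEMU's host-side gateway) so whatever access list the ory-hydra module installs is presumably kept rather than opened up. A comment next to `networking.firewall.enable = false;` stating that this VM must only be reachable through the loopback forwards would make the intent explicit.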
|
|
|
@ -12,13 +12,14 @@ SQLALCHEMY_TRACK_MODIFICATIONS = false
|
||||||
|
|
||||||
PKI_PATH = "../data/pki"
|
PKI_PATH = "../data/pki"
|
||||||
DOMAIN = 'example.com'
|
DOMAIN = 'example.com'
|
||||||
|
PUBLIC_URL = 'http://localhost:5000'
|
||||||
#SERVER_NAME = f'account.{ DOMAIN }:9090'
|
#SERVER_NAME = f'account.{ DOMAIN }:9090'
|
||||||
|
|
||||||
HYDRA_REQUEST_TIMEOUT_SECONDS = 3
|
HYDRA_REQUEST_TIMEOUT_SECONDS = 3
|
||||||
HYDRA_ADMIN_URL = 'http://127.0.0.1:4445'
|
HYDRA_ADMIN_URL = 'http://127.0.0.1:8081'
|
||||||
HYDRA_ADMIN_USER = 'lenticluar_cloud'
|
HYDRA_ADMIN_USER = 'lenticluar_cloud'
|
||||||
HYDRA_ADMIN_PASSWORD = 'notSecure'
|
HYDRA_ADMIN_PASSWORD = 'notSecure'
|
||||||
HYDRA_PUBLIC_URL = 'http://127.0.0.1:4444'
|
HYDRA_PUBLIC_URL = 'http://127.0.0.1:8082'
|
||||||
SUBJECT_PREFIX = 'something random'
|
SUBJECT_PREFIX = 'something random'
|
||||||
|
|
||||||
OAUTH_ID = 'identiy_provider'
|
OAUTH_ID = 'identiy_provider'
|
||||||
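Review bot: The new `PUBLIC_URL = 'http://localhost:5000'` names a different host than the rest of the dev wiring, which is all `127.0.0.1` (the `HYDRA_*` URLs in this hunk and the `settings.PUBLIC_URL = "http://127.0.0.1:5000"` the flake hands to the VM). `PUBLIC_URL` becomes the registered `redirect_uri`, while Hydra's login/consent URLs are built from the VM-side value, so a flow started on `localhost:5000` is bounced to `127.0.0.1:5000` for login and back again, with two separate cookie jars; that may happen to work but makes state, session and logout problems hard to reason about. I would use the same literal, `PUBLIC_URL = 'http://127.0.0.1:5000'`, with a comment that it must match `services.lenticular-cloud.settings.PUBLIC_URL` in flake.nix. The file header for this section is not in view, so I am assuming from `HYDRA_ADMIN_PASSWORD = 'notSecure'` that this is the development config.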
|
|
|
@ -35,7 +35,7 @@ class HydraService:
|
||||||
break
|
break
|
||||||
|
|
||||||
if client is None:
|
if client is None:
|
||||||
domain = app.config['DOMAIN']
|
public_url = app.config['PUBLIC_URL']
|
||||||
client = OAuth20Client(
|
client = OAuth20Client(
|
||||||
client_name="identiy_provider",
|
client_name="identiy_provider",
|
||||||
# client_id=client_id,
|
# client_id=client_id,
|
||||||
|
@ -43,7 +43,7 @@ class HydraService:
|
||||||
response_types=["code", "id_token"],
|
response_types=["code", "id_token"],
|
||||||
scope="openid profile manage",
|
scope="openid profile manage",
|
||||||
grant_types=["authorization_code", "refresh_token"],
|
grant_types=["authorization_code", "refresh_token"],
|
||||||
redirect_uris=[ f"https://{domain}/oauth/authorized" ],
|
redirect_uris=[ f"{public_url}/oauth/authorized" ],
|
||||||
token_endpoint_auth_method="client_secret_basic",
|
token_endpoint_auth_method="client_secret_basic",
|
||||||
)
|
)
|
||||||
ret = create_o_auth_2_client.sync(json_body=client, _client=self.hydra_client)
|
ret = create_o_auth_2_client.sync(json_body=client, _client=self.hydra_client)
|
||||||
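Review bot: The registration block only runs under `if client is None:`, so an already-registered `identiy_provider` client keeps its old `https://{domain}/oauth/authorized` redirect URI and the new `f"{public_url}/oauth/authorized"` never takes effect on an existing deployment; when a client is found, its `redirect_uris` should be compared with the expected value and updated through the update counterpart of `create_o_auth_2_client` when they differ. Second, `PUBLIC_URL` may now be a plain `http://` URL and nothing here refuses to register a plaintext redirect outside debug mode, which is exactly where an authorization code would leak; a guard before `OAuth20Client(`, such as `if not public_url.startswith('https://') and not app.debug: raise RuntimeError('PUBLIC_URL must be https outside debug mode')`, preserves the previous always-TLS behaviour for production. The enclosing method starts before the hunk, so the loop that sets `client` is not visible here.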
|
|
80
module.nix
80
module.nix
|
@ -1,9 +1,9 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.services.lenticular-cloud;
|
cfg = config.services.lenticular-cloud;
|
||||||
username = "lenticular_cloud";
|
|
||||||
data_folder = "/var/lib/${username}";
|
|
||||||
python = pkgs.python3;
|
python = pkgs.python3;
|
||||||
|
format = pkgs.formats.json {};
|
||||||
|
types = lib.types;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options = with lib.options; {
|
options = with lib.options; {
|
||||||
|
@ -13,22 +13,57 @@ in
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
example = "example.com";
|
example = "example.com";
|
||||||
};
|
};
|
||||||
|
username = mkOption {
|
||||||
|
type = lib.types.str;
|
||||||
|
description = mdDoc "user to run the service";
|
||||||
|
example = "lenticular_cloud";
|
||||||
|
};
|
||||||
service_domain = mkOption {
|
service_domain = mkOption {
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
example = "account.example.com";
|
example = "account.example.com";
|
||||||
};
|
};
|
||||||
settings = mkOption {
|
settings = mkOption {
|
||||||
type = lib.types.attrs;
|
description = mdDoc ''
|
||||||
default = rec {
|
Lenticular cloud settings
|
||||||
DOMAIN = cfg.domain;
|
'';
|
||||||
DATA_FOLDER = data_folder;
|
|
||||||
PKI_PATH = "${DATA_FOLDER}/pki";
|
|
||||||
# SQLALCHEMY_DATABASE_URI = "sqlite:////${DATA_FOLDER}/db.sqlite";
|
|
||||||
SQLALCHEMY_DATABASE_URI = "postgresql://${username}@/${username}?host=/run/postgresql";
|
|
||||||
HYDRA_ADMIN_URL= "https://${config.services.ory-hydra.admin_domain}";
|
|
||||||
HYDRA_PUBLIC_URL= "https://${config.services.ory-hydra.public_domain}";
|
|
||||||
};
|
|
||||||
|
|
||||||
|
default = { };
|
||||||
|
|
||||||
|
type = types.submodule {
|
||||||
|
freeformType = format.type;
|
||||||
|
options = {
|
||||||
|
DOMAIN = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = mdDoc "Top level Domain of the service";
|
||||||
|
default = cfg.domain;
|
||||||
|
};
|
||||||
|
PUBLIC_URL = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
description = mdDoc "public service url";
|
||||||
|
default = "https://${cfg.service_domain}";
|
||||||
|
};
|
||||||
|
DATA_FOLDER = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "/var/lib/${cfg.username}";
|
||||||
|
};
|
||||||
|
PKI_PATH = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "${cfg.settings.DATA_FOLDER}/pki";
|
||||||
|
};
|
||||||
|
SQLALCHEMY_DATABASE_URI = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "postgresql://${username}@/${username}?host=/run/postgresql";
|
||||||
|
};
|
||||||
|
HYDRA_ADMIN_URL = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "https://${config.services.ory-hydra.admin_domain}";
|
||||||
|
};
|
||||||
|
HYDRA_PUBLIC_URL = mkOption {
|
||||||
|
type = types.str;
|
||||||
|
default = "https://${config.services.ory-hydra.public_domain}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -44,7 +79,7 @@ in
|
||||||
};
|
};
|
||||||
users."${username}" = {
|
users."${username}" = {
|
||||||
createHome = true;
|
createHome = true;
|
||||||
home = data_folder;
|
home = "/var/lib/${username}";
|
||||||
description = "web server";
|
description = "web server";
|
||||||
extraGroups = [
|
extraGroups = [
|
||||||
# "ory-hydra"
|
# "ory-hydra"
|
||||||
|
@ -60,15 +95,18 @@ in
|
||||||
ensureUsers = [
|
ensureUsers = [
|
||||||
{
|
{
|
||||||
name = username;
|
name = username;
|
||||||
ensurePermissions = {
|
ensureDBOwnership = true;
|
||||||
"DATABASE ${username}" = "All PRIVILEGES";
|
|
||||||
};
|
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
identMap = ''
|
};
|
||||||
# ArbitraryMapName systemUser DBUser
|
|
||||||
superuser_map ${username} ${username}
|
services.ory-hydra.settings = {
|
||||||
'';
|
urls = {
|
||||||
|
login = "${cfg.settings.PUBLIC_URL}/auth/login";
|
||||||
|
logout = "${cfg.settings.PUBLIC_URL}/auth/logout";
|
||||||
|
consent = "${cfg.settings.PUBLIC_URL}/auth/consent";
|
||||||
|
error = "${cfg.settings.PUBLIC_URL}/auth/error";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.enable = true;
|
services.nginx.enable = true;
|
||||||
|
@ -94,7 +132,7 @@ in
|
||||||
python_path = with python.pkgs; makePythonPath [ pkgs.lenticular-cloud gevent setuptools ];
|
python_path = with python.pkgs; makePythonPath [ pkgs.lenticular-cloud gevent setuptools ];
|
||||||
in {
|
in {
|
||||||
# CONFIG_FILE = "/etc/lenticular_cloud/production.conf";
|
# CONFIG_FILE = "/etc/lenticular_cloud/production.conf";
|
||||||
CONFIG_FILE = pkgs.writeText "lenticular-cloud.json" (builtins.toJSON cfg.settings);
|
CONFIG_FILE = format.generate "lenticular-cloud.json" cfg.settings;
|
||||||
PYTHONPATH = "${python_path}";
|
PYTHONPATH = "${python_path}";
|
||||||
# PYTHONPATH = "${lenticular-pkg.pythonPath}:${lenticular-pkg}/lib/python3.10/site-packages:${python_path}";
|
# PYTHONPATH = "${lenticular-pkg.pythonPath}:${lenticular-pkg}/lib/python3.10/site-packages:${python_path}";
|
||||||
};
|
};
|
||||||
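Review bot: `username` is no longer bound after this commit but is still used as a bare name: the first hunk drops `username = "lenticular_cloud";` from the `let`, yet `default = "postgresql://${username}@/${username}?host=/run/postgresql";`, `users."${username}"`, `home = "/var/lib/${username}";` and `name = username;` all remain, which should fail evaluation with an undefined variable unless it is rebound somewhere outside the hunks shown. Those four sites presumably want `cfg.username`, matching the new `DATA_FOLDER` default, and the new `username` option needs `default = "lenticular_cloud";` so existing configurations (including the flake in this commit, which does not set it) keep the same system user and database role. Because the value now comes from user configuration and ends up in a Unix account name, a `/var/lib` path and a PostgreSQL connection URI, I would also tighten the option to something like `type = types.strMatching "[a-z_][a-z0-9_-]*";` instead of `types.str`. The `config` attribute set that the `users` and `ensureUsers` lines belong to starts outside these hunks.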
|
|