diff --git a/hosts/parsons/configuration.nix b/hosts/parsons/configuration.nix
index 1537bb5..937ea4a 100644
--- a/hosts/parsons/configuration.nix
+++ b/hosts/parsons/configuration.nix
@@ -21,6 +21,7 @@ ../../services/gitlab-runner.nix
 ../../services/lantifa.nix
 ../../services/vaultwarden.nix
+ ../../services/uffd.nix
 # ../../services/workadventure.nix
 ./lxc.nix
diff --git a/modules/mattermost.nix b/modules/mattermost.nix
index de6ca00..c2a7509 100644
--- a/modules/mattermost.nix
+++ b/modules/mattermost.nix
@@ -227,7 +227,7 @@ in
 User = cfg.user;
 Group = cfg.group;
 ExecStart = "${pkgs.mattermost}/bin/mattermost" +
- (lib.optionalString (!cfg.mutableConfig) " -c ${database}");
+ (if cfg.mutableConfig then " -c ${database}" else " -c ${cfg.statePath}/config/config.json");
 WorkingDirectory = "${cfg.statePath}";
 Restart = "always";
 RestartSec = "10";
diff --git a/pkgs/default.nix b/pkgs/default.nix
index beb7bd8..cbb225c 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -60,6 +60,8 @@ let
 '';
 };
+ uffd = callPackage ./uffd {};
+
 inherit (unstable) bottom vaultwarden vaultwarden-vault;
 };
diff --git a/pkgs/uffd/default.nix b/pkgs/uffd/default.nix
new file mode 100644
index 0000000..9e23c8b
--- /dev/null
+++ b/pkgs/uffd/default.nix
@@ -0,0 +1,35 @@
+{ stdenv, lib, python3Packages, fetchzip }:
+
+python3Packages.buildPythonPackage rec {
+ pname = "uffd";
+ version = "2.0.1";
+
+ src = fetchzip {
+ url =
+ "https://git.cccv.de/uffd/uffd/-/archive/v${version}/uffd-v${version}.tar.gz";
+ hash = "sha256-KP4J1bw5u7MklaPu2SBFRNyGgkKOBOpft5MMH+em5M4=";
+ };
+
+ patches = [ ./fix-setuppy.patch ./fix-userinfo.patch ];
+
+ propagatedBuildInputs = with python3Packages; [
+ flask
+ flask_sqlalchemy
+ flask_migrate
+ qrcode
+ fido2
+ oauthlib
+ flask-babel
+ argon2_cffi
+ itsdangerous
+ alembic
+ Mako
+ ];
+
+ postPatch = ''
+ sed -i -e 's/==[0-9.]\+//g' setup.py
+ '';
+
+ doCheck = false;
+ doInstallCheck = false;
+}
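Review bot: The new `ExecStart` branch passes `-c ${database}` when `cfg.mutableConfig` is true and `${cfg.statePath}/config/config.json` otherwise, which is the opposite polarity of the removed line, where `-c ${database}` applied only under `!cfg.mutableConfig`. If the inversion is intentional, a comment above `ExecStart` should state it, e.g. `# mutableConfig: Mattermost reads its config from the database; otherwise the generated config.json under statePath is authoritative`, because the option name reads the other way and a future reader will assume a typo. The definitions of `database` and of the `mutableConfig` option are outside this hunk, so I may be missing context. The enclosing `serviceConfig` attribute set starts and ends outside the hunk.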
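Review bot: `doCheck = false` and `doInstallCheck = false`, combined with the `postPatch` sed that strips every `==` pin from setup.py, mean that a dependency or API mismatch in this identity provider will only surface at runtime inside the container; add `pythonImportsCheck = [ "uffd" ];` so the build fails when the package no longer imports, and put a comment above `doCheck` recording why the test suite is disabled (`# tests disabled: <reason>`). `stdenv` is accepted in the argument set but never used. The `fetchzip` source is pinned by `hash`, so the forge archive URL itself is fine from a supply-chain standpoint.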
diff --git a/pkgs/uffd/fix-setuppy.patch b/pkgs/uffd/fix-setuppy.patch
new file mode 100644
index 0000000..64ccc10
--- /dev/null
+++ b/pkgs/uffd/fix-setuppy.patch
@@ -0,0 +1,34 @@
+--- a/setup.py 2022-04-30 13:12:45.564651955 +0000
++++ b/setup.py 2022-04-30 13:17:02.545809513 +0000
+@@ -41,31 +41,5 @@
+ 'Flask-Babel==0.11.2',
+ 'alembic==1.0.0',
+ 'argon2-cffi==18.3.0',
+-
+- # The main dependencies on their own lead to version collisions and pip is
+- # not very good at resolving them, so we pin the versions from Debian Buster
+- # for all dependencies.
+- 'certifi==2018.8.24',
+- #cffi==1.12.2'
+- 'cffi # v1.12.2 no longer works with python3.9. Newer versions seem to work fine.',
+- 'chardet==3.0.4',
+- 'click==7.0',
+- 'cryptography==2.6.1',
+- 'idna==2.6',
+- 'itsdangerous==0.24',
+- 'Jinja2==2.10',
+- 'MarkupSafe==1.1.0',
+- 'oauthlib==2.1.0',
+- 'pyasn1==0.4.2',
+- 'pycparser==2.19',
+- 'requests==2.21.0',
+- 'requests-oauthlib==1.0.0',
+- 'six==1.12.0',
+- 'SQLAlchemy==1.2.18',
+- 'urllib3==1.24.1',
+- 'Werkzeug==0.14.1',
+- 'python-dateutil==2.7.3',
+- #editor==1.0.3
+- 'Mako==1.0.7',
+ ],
+ )
diff --git a/pkgs/uffd/fix-userinfo.patch b/pkgs/uffd/fix-userinfo.patch
new file mode 100644
index 0000000..555d805
--- /dev/null
+++ b/pkgs/uffd/fix-userinfo.patch
@@ -0,0 +1,10 @@
+--- a/uffd/oauth2/views.py 2022-04-30 20:39:53.825474990 +0000
++++ b/uffd/oauth2/views.py 2022-04-30 20:40:12.632389377 +0000
+@@ -234,6 +234,7 @@
+ id=user.unix_uid,
+ name=user.displayname,
+ nickname=user.loginname,
++ username=user.loginname,
+ email=user.mail,
+ groups=[group.name for group in user.groups]
+ )
diff --git a/services/gitlab.nix b/services/gitlab.nix
index a735117..5de66be 100644
--- a/services/gitlab.nix
+++ b/services/gitlab.nix
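Review bot: The added `username=user.loginname` duplicates the existing `nickname` claim without recording which relying party needs it; a one-line header comment in the patch naming the consumer (the GitLab `oauth2_generic` provider and Mattermost's GitLab-style SSO configured elsewhere in this commit both read this `/oauth2/userinfo` response, and one of them presumably expects a `username` field) would spare the next maintainer from re-deriving it when rebasing the patch onto a new uffd release. The patch also changes the userinfo payload for every OAuth2 client of the IdP, not just the ones in this repository, which the comment should mention. The enclosing `userinfo` view starts and ends outside the quoted hunk.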
@@ -71,26 +71,23 @@
 };
 omniauth = {
 enabled = true;
- auto_sign_in_with_provider = "openid_connect";
- allow_single_sign_on = ["openid_connect"];
+ auto_sign_in_with_provider = "oauth2_generic";
+ allow_single_sign_on = ["oauth2_generic"];
 block_auto_created_users = false;
 providers = [
 {
- name = "openid_connect";
+ name = "oauth2_generic";
 label = "infra4future Login";
+ app_id = "gitlab";
+ app_secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
 args = {
- name = "openid_connect";
- scope = ["openid" "profile" "email"];
- response_type = "code";
- issuer = "https://auth.infra4future.de/auth/realms/forfuture";
- discovery = true;
- client_auth_method = "query";
- uid_field = "username";
 client_options = {
- identifier = "gitlab";
- secret = { _secret = "/persist/secrets/oidc-clientsecret"; };
- redirect_uri = "https://gitlab.infra4future.de/users/auth/openid_connect/callback";
+ site = "https://login.infra4future.de";
+ user_info_url = "/oauth2/userinfo";
+ authorize_url = "/oauth2/authorize";
+ token_url = "/oauth2/token";
 };
+ strategy_class ="OmniAuth::Strategies::OAuth2Generic";
 };
 }
 ];
diff --git a/services/hedgedoc-hacc.nix b/services/hedgedoc-hacc.nix
index 430e4fb..77b2c8e 100644
--- a/services/hedgedoc-hacc.nix
+++ b/services/hedgedoc-hacc.nix
@@ -55,8 +55,8 @@
 hsts.preload = false;
 email = false;
 oauth2 = {
- authorizationURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
- tokenURL = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
+ authorizationURL = "https://login.infra4future.de/oauth2/authorize";
+ tokenURL = "https://login.infra4future.de/oauth2/token";
 clientID = "hedgedoc";
 clientSecret = "1a730af1-4d6e-4c1d-8f7e-72375c9b8d62";
 };
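Review bot: Renaming the provider from `openid_connect` to `oauth2_generic` changes the identity key GitLab stores per user (provider name plus the uid taken from the userinfo response), so existing accounts linked to the old provider will not match and, with `block_auto_created_users = false` kept, the first sign-in after the cutover may create duplicate accounts rather than reuse them; plan a one-off identity relink or set `block_auto_created_users = true` for the migration window. The removed `uid_field = "username"` has no counterpart in the new block, so the uid comes from the strategy default, which the userinfo patch elsewhere in this commit appears to cater for — a comment such as `# uid comes from the userinfo "id" field; "username" is mapped to nickname by the strategy default` would make the contract explicit. Note also the security trade-off: `oauth2_generic` performs no ID-token or issuer validation, so trust in the asserted identity now rests entirely on TLS to `site` and on `user_info_url`. Style nit: `strategy_class ="…"` is missing the space after `=`.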
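Review bot: `clientSecret = "1a730af1-…"` remains a literal in this module while the endpoints move to a new IdP, so the secret lands in the world-readable Nix store and in git; gitlab.nix in the same commit already uses the `{ _secret = "/persist/secrets/…"; }` file indirection for its client secret. HedgeDoc can read the value from `services.hedgedoc.environmentFile` as `CMD_OAUTH2_CLIENT_SECRET` instead of `oauth2.clientSecret`, and since the client is being re-registered at a different provider this is the natural moment to issue a fresh secret rather than carry the old one over. The enclosing settings block begins outside the hunk.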
@@ -64,9 +64,9 @@
 };
 systemd.services.hedgedoc.environment = {
 "CMD_LOGLEVEL" = "warn";
- "CMD_OAUTH2_USER_PROFILE_URL" = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
- "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "name";
- "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "display-name";
+ "CMD_OAUTH2_USER_PROFILE_URL" = "https://login.infra4future.de/oauth2/userinfo";
+ "CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR" = "nickname";
+ "CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR" = "name";
 "CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR" = "email";
 "CMD_OAUTH2_PROVIDERNAME" = "Infra4Future";
 };
diff --git a/services/mattermost.nix b/services/mattermost.nix
index 4e9e41b..debc1a2 100644
--- a/services/mattermost.nix
+++ b/services/mattermost.nix
@@ -141,9 +141,9 @@ in {
 Enable = true;
 Id = "mattermost";
 Scope = "";
- AuthEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/auth";
- TokenEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/token";
- UserApiEndpoint = "https://auth.infra4future.de/auth/realms/forfuture/protocol/openid-connect/userinfo";
+ AuthEndpoint = "https://login.infra4future.de/oauth2/authorize";
+ TokenEndpoint = "https://login.infra4future.de/oauth2/token";
+ UserApiEndpoint = "https://login.infra4future.de/oauth2/userinfo";
 };
 # for some reason, these don't appear to be working; the startup
 # process complaines and sets these back to en
diff --git a/services/uffd.nix b/services/uffd.nix
new file mode 100644
index 0000000..81c4a5f
--- /dev/null
+++ b/services/uffd.nix
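Review bot: The new `UserApiEndpoint` returns `id = user.unix_uid` (per the userinfo patch in this commit) where the old `openid-connect` endpoint returned the previous provider's subject identifier, and Mattermost's GitLab-style SSO keys accounts on that `id`, so existing SSO users will most likely not be matched to their current accounts after the switch; confirm the intended migration path (relink by email or a one-time auth-data update) before deploying, and record it in a comment above `AuthEndpoint`. `Scope = ""` is kept, which is consistent with the new provider not requiring OIDC scopes. The enclosing settings block starts and ends outside the hunk.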
@@ -0,0 +1,66 @@
+{ config, lib, pkgs, profiles, modules, evalConfig, sources, ... }:
+
+let
+ uffd = pkgs.uffd;
+in {
+ containers.uffd = {
+ privateNetwork = true;
+ hostAddress = "192.168.100.1";
+ localAddress = "192.168.100.9";
+ autoStart = true;
+ bindMounts = {
+ "/persist" = {
+ hostPath = "/persist/containers/uffd";
+ isReadOnly = false;
+ };
+ };
+ path = (evalConfig {hosts = {}; groups = {};} ({ config, lib, pkgs, profiles, modules, sources, ... }: {
+ boot.isContainer = true;
+ networking.useDHCP = false;
+ users.users.root.hashedPassword = "";
+
+ imports = [
+ ((import sources.nix-hexchen) {}).profiles.nopersist
+ ];
+
+ nixpkgs.config.allowUnfree = true;
+ networking.firewall.enable = false;
+ networking.defaultGateway = {
+ address = "192.168.100.1";
+ interface = "eth0";
+ };
+ services.coredns = {
+ enable = true;
+ config = ''
+ .:53 {
+ forward . 1.1.1.1
+ }
+ '';
+ };
+
+ services.uwsgi = {
+ enable = true;
+ plugins = [ "python3" ];
+ instance = {
+ type = "normal";
+ pythonPackages = self: with self; [ uffd ];
+ module = "uffd:create_app()";
+ # socket = "${config.services.uwsgi.runDir}/uwsgi.sock";
+ http = ":8080";
+ env = [
+ "CONFIG_PATH=/persist/uffd/uffd.conf"
+ ];
+ hook-pre-app = "exec:FLASK_APP=${uffd}/lib/python3.9/site-packages/uffd flask db upgrade";
+ };
+ };
+ })).config.system.build.toplevel;
+ };
+ services.nginx.virtualHosts."login.infra4future.de" = {
+ enableACME = true;
+ forceSSL = true;
+ locations = {
+ "/".proxyPass = "http://${config.containers.uffd.localAddress}:8080";
+ "/static".root = "${uffd}/lib/python3.9/site-packages/uffd";
+ };
+ };
+}
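Review bot: `users.users.root.hashedPassword = ""` inside the container sets an empty password hash, which NixOS treats as "no password", so root can log in without one on any console or login path the container exposes — and this container hosts the identity provider for every other service in the commit; `nixos-container root-login` needs no password, so prefer the locked value `users.users.root.hashedPassword = "!"` (or drop the line) and add a comment if an empty password is genuinely required. Related exposure in the same file: `networking.firewall.enable = false` together with uwsgi `http = ":8080"` makes the app listen on every container interface instead of the commented-out unix `socket`, which is only acceptable because `privateNetwork = true` confines reachability to the host veth; a comment recording that assumption would help. Also `lib/python3.9/site-packages` is hard-coded twice (`hook-pre-app` and the `/static` root) and will break silently on a Python bump — `${uffd}/${pkgs.python3.sitePackages}/uffd` follows the interpreter.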