msyds/sydnix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(www): www

Browse Source
This commit is contained in:
Madeleine Sydney Slaga
2025-07-03 11:50:41 -06:00
parent e2fe66647f
commit 133fa83309
10 changed files with 215 additions and 47 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
modules/nixos/deertopia/lldap/pam.nix
View File

@@ -7,6 +7,16 @@ in {
};
# See https://github.com/lldap/lldap/blob/main/example_configs/pam/README.md.
# Required imperative configuration: you will need to add the following custom
# attributes to the user schema in the LLDAP web UI.
#
# • uidNumber (integer)
# • gidNumber (integer, multiple values)
# • homeDirectory (string)
# • unixShell (string)
# • sshPublicKey (string) (only if youre setting up SSH Public Key Sync)
config = lib.mkIf cfg.enable {
sydnix.sops.secrets =
let
@@ -19,6 +29,32 @@ in {
sssd-environment = {};
};
# TODO: The existence of a dynamic set of users leads to some complexities
# when combined with Impermanence. Static users (i.e. those defined in the
# NixOS config) shall opt in to Impermanence via the Home-manager setting,
# but "dynamic" users (i.e. those per LDAP/PAM) should be persisted
# unconditionally. Implementing this behaviour takes quite the hack:
#
# • /home is persisted.
#
# • A impersistent directory /transient-home is created.
#
# • "Dynamic" users are assigned subdirectories of /home like usual.
# Since /home is persisted, so are the users' individual home
# directories.
#
# • The home directories of "static" users (that are opted in to
# Impermanence) are created at /transient-home/«user» and bind-mounted
# to /home/«user».
security.pam.services."ldap".makeHomeDir = true;
# For synchronizations of SSH keys.
services.openssh.settings = {
AuthorizedKeysCommand = lib.getExe' pkgs.sssd "sss_ssh_authorizedkeys";
AuthorizedKeysCommandUser = "nobody";
};
services.sssd =
let
inherit (config.sydnix.deertopia.lldap) baseDN;
@@ -71,7 +107,7 @@ in {
ldap_user_shell = unixShell
# Uncomment for SSH Key Sync setup
#ldap_user_ssh_public_key = sshPublicKey
ldap_user_ssh_public_key = sshPublicKey
# Group mappings
# Put your LDAP dc here

30
modules/nixos/deertopia/nginx.nix
View File

@@ -101,35 +101,5 @@ in
};
})
(builtins.attrNames cfg.vhosts));
# services.nginx.virtualHosts."deertopia.net" = {
# root = "${cfg.www.root}/www";
# # addSSL = true;
# forceSSL = true;
# enableACME = true;
# locations."/" = {
# index = "index.html";
# };
# };
# system.activationScripts.initialiseDeertopiaRoot.text =
# let
# # FIXME: Use `lib.strings.toShellVar`.
# inherit (cfg) root group user;
# in ''
# mkdir -p "${root}"
# chown -R "${user}:${group}" "${root}"
# chmod -R 775 "${root}"
# ${lib.toShellVar "dirs"
# (builtins.catAttrs "directory" (builtins.attrValues cfg.vhosts))}
# for i in "''${dirs[@]}"; do
# mkdir -p "$i"
# chown -R "${user}:${group}" "$i"
# chmod -R 775 "$i"
# done
# '';
};
}

58
modules/nixos/deertopia/www.nix Normal file
View File

@@ -0,0 +1,58 @@
{ config, lib, pkgs, ... }:
let cfg = config.sydnix.deertopia.www;
in {
options.sydnix.deertopia.www = {
enable = lib.mkEnableOption "www.deertopia.net";
};
config = lib.mkIf cfg.enable {
users.groups.www = {};
users.users.nginx.extraGroups = [ "www" ];
systemd.tmpfiles.settings."10-www" =
let
f = user:
let e = { inherit user; group = "www"; mode = "2755"; };
in { z = e; v = e; };
in {
"/www" = f "root";
"/www/~msyds" = f "msyds";
"/www/~liv" = f "liv";
};
sydnix.impermanence.directories = [ "/www" ];
sydnix.deertopia.nginx.vhosts."www" = {
vhostName = "deertopia.net";
directory = "/www";
vhost = {
forceSSL = true;
enableACME = true;
extraConfig = ''
location /~msyds/ {
index index.html;
}
location /~liv/ {
index index.html;
}
location / {
index index.html;
}
'';
# locations."/" = {
# index = "index.html";
# };
# locations."/~msyds" = {
# index = "\\~msyds/index.html";
# };
# locations."/~liv" = {
# index = "\\~liv/index.html";
# };
};
};
};
}