xin/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

overlays: add oidc-agent

Browse source
This commit is contained in:
xinyangli 2024-07-09 21:17:10 +08:00
parent cc19e46df0
commit 3771134e3a
Signed by: xin
SSH key fingerprint: SHA256:qZ/tzd8lYRtUFSrfBDBMcUqV4GHKxqeqRA3huItgvbk
10 changed files with 256 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
flake.lock
View file

@ -174,17 +174,17 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1716948383,
"narHash": "sha256-SzDKxseEcHR5KzPXLwsemyTR/kaM9whxeiJohbL04rs=",
"lastModified": 1718870667,
"narHash": "sha256-jab3Kpc8O1z3qxwVsCMHL4+18n5Wy/HHKyu1fcsF7gs=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ad57eef4ef0659193044870c731987a6df5cf56b",
"rev": "9b10b8f00cb5494795e5f51b39210fed4d2b0748",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"rev": "9b10b8f00cb5494795e5f51b39210fed4d2b0748",
"type": "github"
}
},

2
flake.nix
View file

@ -1,7 +1,7 @@
{
inputs = {
# Pin nixpkgs to a specific commit
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
nixpkgs.url = "github:nixos/nixpkgs/9b10b8f00cb5494795e5f51b39210fed4d2b0748";
nixpkgs-stable.url = "github:nixos/nixpkgs/nixos-23.05";
home-manager = {

1
home/xin/common/default.nix
View file

@ -14,7 +14,6 @@
tmux
ffmpeg
tealdeer
neofetch
rclone
inetutils

14
machines/calcite/configuration.nix
View file

@ -40,6 +40,17 @@
gamescopeSession = { enable = true; };
};
programs.oidc-agent.enable = true;
programs.oidc-agent.providers = [
{ issuer = "https://home.xinyang.life:9201";
pubclient = {
client_id = "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69";
client_secret = "UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh";
scope = "openid offline_access profile email";
};
}
];
programs.vim.defaultEditor = true;
# Keep this even if enabled in home manager
@ -97,7 +108,7 @@
# Enable CUPS to print documents.
services.printing.enable = true;
services.printing.drivers = [ pkgs.hplip ];
# services.printing.drivers = [ pkgs.hplip ];
# Enable sound with pipewire.
sound.enable = true;
@ -145,6 +156,7 @@
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
oidc-agent
# Filesystem
owncloud-client
nfs-utils

2
modules/home-manager/vscode.nix
View file

@ -17,7 +17,7 @@ let
};
};
cxxPackages = {
systemPackages = with pkgs; [ clang-tools ];
systemPackages = with pkgs; [ clang-tools cmake-format ];
extension = with inputs.nix-vscode-extensions.extensions.${pkgs.system}.vscode-marketplace; [
llvm-vs-code-extensions.vscode-clangd
(ms-vscode.cmake-tools.overrideAttrs (_: { sourceRoot = "extension"; }))

1
modules/nixos/default.nix
View file

@ -9,5 +9,6 @@
./kanidm-client.nix
./ssh-tpm-agent.nix # FIXME: Waiting for upstream merge
./forgejo-actions-runner.nix
./oidc-agent.nix
];
}

126
modules/nixos/inbounds.nix Normal file
View file

@ -0,0 +1,126 @@
{ config
, lib
, ... }:
let
cfg = config.custom.sing-box-server;
secretFileType = lib.types.submodule {
_secret = lib.types.path;
};
singTls = {
enabled = true;
server_name = config.deployment.targetHost;
key_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/key.pem";
certificate_path = config.security.acme.certs.${config.deployment.targetHost}.directory + "/cert.pem";
};
in
{
options = {
enable = lib.mkEnableOption "sing-box proxy server";
users = lib.types.listOf lib.types.submodule {
name = lib.mkOption {
type = lib.types.str;
default = "proxy";
};
password = lib.mkOption {
type = secretFileType;
};
uuid = lib.mkOption {
type = secretFileType;
};
};
wgOut = {
privKeyFile = lib.mkOption {
type = lib.types.path;
};
pubkey = lib.mkOption {
type = lib.types.str;
default = "bmXOC+F1FxEMF9dyiK2H5/1SUtzH0JuVo51h2wPfgyo=";
};
};
inbounds = {
trojan = {
enable = lib.mkOption {
type = lib.types.bool;
default = true;
};
};
tuic = {
enable = lib.mkOption {
type = lib.types.bool;
default = true;
};
ports = lib.mkOption {
type = lib.types.listOf lib.types.int;
default = lib.range 6311 6313;
};
directPorts = lib.mkOption {
type = lib.types.listOf lib.types.int;
default = [ 6314 ];
};
};
};
};
config = lib.mkIf cfg.enable {
services.sing-box = {
enable = true;
settings = {
dns = {
servers = [
{
address = "1.1.1.1";
detour = "wg-out";
}
];
};
inbounds = [
# TODO: Trojan and tuic enable
{
tag = "trojan-in";
type = "trojan";
listen = "::";
listen_port = 8080;
users = map (u: removeAttrs u [ "uuid" ]) cfg.users;
tls = singTls;
}
] ++ lib.forEach (cfg.tuic.ports ++ cfg.tuic.directPorts) (port: {
tag = "tuic-in" + toString port;
type = "tuic";
listen = "::";
listen_port = port;
congestion_control = "bbr";
users = cfg.users;
tls = singTls;
});
outbounds = [
{
type = "wireguard";
tag = "wg-out";
private_key = cfg.wgOut.privKeyFile;
local_address = [
"172.16.0.2/32"
"2606:4700:110:82ed:a443:3c62:6cbc:b59b/128"
];
peers = [
{ public_key= cfg.wgOut.pubkey;
allowed_ips = [ "0.0.0.0/0" "::/0" ];
server = "162.159.192.1";
server_port = 500;
}
];
}
{ type = "direct"; tag = "direct-out"; }
{ type = "dns"; tag = "dns-out"; }
];
route = {
rules = [
{ outbound = "dns-out"; protocol = "dns"; }
] ++ lib.forEach cfg.tuic.directPorts (port: {
inbound = "tuic-in" + toString port;
outbound = "direct-out";
});
};
};
};
};
}

50
modules/nixos/oidc-agent.nix Normal file
View file

@ -0,0 +1,50 @@
{ config, lib, pkgs, ... }:
let
inherit (lib) mkIf mkEnableOption mkOption types;
cfg = config.programs.oidc-agent;
providerFormat = pkgs.formats.json {};
in
{
options.programs.oidc-agent = {
enable = mkEnableOption "OpenID Connect Agent";
package = mkOption {
type = types.package;
default = pkgs.oidc-agent;
description = ''
Which oidc-agent package to use
'';
};
providers = mkOption {
type = providerFormat.type;
default = {};
description = ''
Configuration of providers which contains a json array of json objects
each describing an issuer, see https://indigo-dc.gitbook.io/oidc-agent/configuration/issuers
'';
};
};
config = mkIf cfg.enable {
systemd.user.services.oidc-agent = {
unitConfig = {
Description = "OpenID Connect Agent";
Documentation = "man:oidc-agent(1)";
};
serviceConfig = {
ExecStart = "${cfg.package}/bin/oidc-agent -d --log-stderr -a %t/oidc-agent";
};
};
# environment.etc."oidc-agent/config".source = "${pkgs.oidc-agent}/etc/oidc-agent/config";
# environment.etc."oidc-agent/issuer.config.d".source =
# "${pkgs.oidc-agent}/etc/oidc-agent/issuer.config.d";
# environment.etc."oidc-agent/issuer.config".source =
# providerFormat.generate "oidc-agent-issuer.config" cfg.providers;
environment.extraInit = ''export OIDC_SOCK="$XDG_RUNTIME_DIR/oidc-agent"'';
};
}

2
overlays/add-pkgs.nix
View file

@ -3,6 +3,8 @@
{
nixpkgs.overlays = [
(self: super: {
oidc-agent = pkgs.callPackage ./pkgs/oidc-agent { };
python3 = super.python312;
})
];
}

58
overlays/pkgs/oidc-agent/default.nix Normal file
View file

@ -0,0 +1,58 @@
{ lib
, stdenv
, fetchFromGitHub
, curl
, webkitgtk
, libmicrohttpd
, libsecret
, qrencode
, libsodium
, pkg-config
, help2man
}:
stdenv.mkDerivation rec {
pname = "oidc-agent";
version = "5.1.0";
src = fetchFromGitHub {
owner = "indigo-dc";
repo = "oidc-agent";
rev = "v${version}";
sha256 = "sha256-cOK/rZ/jnyALLuhDM3+qvwwe4Fjkv8diQBkw7NfVo0c="
;
};
buildInputs = [
pkg-config
help2man
];
nativeBuildInputs = [
curl
webkitgtk
libmicrohttpd
libsecret
qrencode
libsodium
];
enableParallelBuilding = true;
installPhase = ''
make -j $NIX_BUILD_CORES PREFIX=$out BIN_PATH=$out LIB_PATH=$out/lib \
install_bin install_lib install_conf
'';
postFixup = ''
# Override with patched binary to be used by help2man
cp -r $out/bin/* bin
make install_man PREFIX=$out
'';
meta = with lib; {
description = "oidc-agent for managing OpenID Connect tokens on the command line";
homepage = "https://github.com/indigo-dc/oidc-agent";
maintainers = [ ];
license = licenses.mit;
};
}