nixos/hosts/architect/radarr.nix

{ lib, ... }:

let
  domain = "htrad.giugl.io";
  network = import ./network.nix;
in {
  services = {
    radarr = {
      enable = true;
      group = "media";
    };

    nginx.virtualHosts.${domain} = {
      forceSSL = true;
      enableACME = true;
      locations."/" = {
        proxyPass = "http://localhost:7878";
        extraConfig = let
          realm = "master";
          client_id = "radarr";
          client_secret = "DCoeN4PwqGrAoG6Mqw73orrUjojJ1fmn";
          redirect_uri = "https://${domain}";
        in ''
          access_by_lua_block {
            local opts = {
              redirect_uri_path = "/redirect_uri",
              accept_none_alg = true,
              discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
              client_id = "${client_id}",
              client_secret = "${client_secret}",
              logout_path = "/logout",
              redirect_after_logout_uri = "https://auth.giugl.io/realms/${realm}/protocol/openid-connect/logout?redirect_uri=${redirect_uri}",
              redirect_after_logout_with_id_token_hint = false,
          }

            -- call introspect for OAuth 2.0 Bearer Access Token validation
            local res, err = require("resty.openidc").authenticate(opts)

            if err then
              ngx.status = 403
              ngx.say(err)
              ngx.exit(ngx.HTTP_FORBIDDEN)
            end
          }
        '';
      };
    };
  };

  networking.extraHosts = ''
    ${network.architect-lan} ${domain}
    ${network.architect-wg} ${domain}
  '';

  users.groups.media.members = [ "radarr" ];
}
removed implicit use of network.nix. use domain names in each service conf file. restrict access to gdevices to sensitive services. 2021-12-08 16:39:00 +00:00			`{ lib, ... }:`

			`let`
			`domain = "htrad.giugl.io";`
			`network = import ./network.nix;`
			`in {`
reorganized services in files 2021-07-07 13:13:19 +01:00			`services = {`
prossima volta committo seriamente 2022-02-15 10:58:08 +00:00			`radarr = {`
			`enable = true;`
			`group = "media";`
			`};`
reorganized services in files 2021-07-07 13:13:19 +01:00
removed implicit use of network.nix. use domain names in each service conf file. restrict access to gdevices to sensitive services. 2021-12-08 16:39:00 +00:00			`nginx.virtualHosts.${domain} = {`
reorganized services in files 2021-07-07 13:13:19 +01:00			`forceSSL = true;`
			`enableACME = true;`
			`locations."/" = {`
			`proxyPass = "http://localhost:7878";`
radarr: Setup OpenID auth 2022-10-28 13:35:43 +01:00			`extraConfig = let`
			`realm = "master";`
			`client_id = "radarr";`
			`client_secret = "DCoeN4PwqGrAoG6Mqw73orrUjojJ1fmn";`
			`redirect_uri = "https://${domain}";`
			`in ''`
			`access_by_lua_block {`
			`local opts = {`
			`redirect_uri_path = "/redirect_uri",`
			`accept_none_alg = true,`
			`discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",`
			`client_id = "${client_id}",`
			`client_secret = "${client_secret}",`
			`logout_path = "/logout",`
			`redirect_after_logout_uri = "https://auth.giugl.io/realms/${realm}/protocol/openid-connect/logout?redirect_uri=${redirect_uri}",`
			`redirect_after_logout_with_id_token_hint = false,`
			`}`

			`-- call introspect for OAuth 2.0 Bearer Access Token validation`
			`local res, err = require("resty.openidc").authenticate(opts)`

			`if err then`
			`ngx.status = 403`
			`ngx.say(err)`
			`ngx.exit(ngx.HTTP_FORBIDDEN)`
			`end`
			`}`
reorganized services in files 2021-07-07 13:13:19 +01:00			`'';`
			`};`
			`};`
			`};`

			`networking.extraHosts = ''`
removed implicit use of network.nix. use domain names in each service conf file. restrict access to gdevices to sensitive services. 2021-12-08 16:39:00 +00:00			`${network.architect-lan} ${domain}`
			`${network.architect-wg} ${domain}`
reorganized services in files 2021-07-07 13:13:19 +01:00			`'';`

formatting 2021-11-25 11:42:32 +00:00			`users.groups.media.members = [ "radarr" ];`
reorganized services in files 2021-07-07 13:13:19 +01:00			`}`