peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/master' into nixos-21.11

Browse Source
This commit is contained in:
Giulio De Pasquale 2022-11-07 19:20:07 +01:00
commit 381c96746b
13 changed files with 251 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
hosts/architect/bazarr.nix
View File

@ -3,6 +3,7 @@
let
domain = "htbaz.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
bazarr = {
@ -15,11 +16,12 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:6767";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
extraConfig = auth_block {
realm = "master";
client_id = "bazarr";
client_secret = "OPn4Mmto2m3dDPji1cjPfHy9W55M9JFq";
redirect_uri = "https://${domain}";
};
};
};
};

15
hosts/architect/deluge.nix
View File

@ -3,6 +3,7 @@
let
domain = "htdel.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
deluge = {
@ -32,13 +33,17 @@ in {
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8112";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
extraConfig = auth_block {
realm = "master";
client_id = "deluge";
client_secret = "AGa1U9S1zkaM3TJVxtyx4Er76DBk1APR";
redirect_uri = "https://${domain}";
};
};
};
};

78
hosts/architect/keycloak.nix Normal file
View File

@ -0,0 +1,78 @@
{ pkgs, config, ... }:
let
network = import ./network.nix;
domain = "auth.giugl.io";
in {
services = {
keycloak = {
enable = true;
initialAdminPassword = "giulio";
database.passwordFile = "/secrets/keycloak/database.key";
settings = {
hostname = domain;
proxy = "edge";
http-port = 6654;
https-port = 6655;
hostname-strict-backchannel = true;
};
};
postgresql = {
ensureDatabases =
[ "${toString config.services.keycloak.database.name}" ];
ensureUsers = [{
name = "${toString config.services.keycloak.database.username}";
ensurePermissions = {
"DATABASE ${toString config.services.keycloak.database.name}" =
"ALL PRIVILEGES";
};
}];
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations = {
"/" = { return = "301 https://${domain}/realms/master/account"; };
"/admin" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/js" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/realms" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/resources" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/robots.txt" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
}

13
hosts/architect/lidarr.nix
View File

@ -3,6 +3,7 @@
let
domain = "htlid.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
lidarr = {
@ -15,12 +16,12 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8686";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
deny 10.0.0.1;
'';
extraConfig = auth_block {
realm = "master";
client_id = "lidarr";
client_secret = "7s4dd1SEi84F4fUFsqRaQmSSucZhyTco";
redirect_uri = "https://${domain}";
};
};
};
};

22
hosts/architect/nextcloud.nix
View File

@ -3,24 +3,34 @@
let
domain = "cloud.giugl.io";
network = import ./network.nix;
redis_port = 6379;
in {
services = {
mysql.enable = true;
mysql.package = pkgs.unstable.mysql80;
mysql = {
enable = true;
package = pkgs.unstable.mysql80;
};
redis.servers."default".enable = true;
redis = {
vmOverCommit = true;
servers."nextcloud" = {
enable = true;
port = redis_port;
};
};
nextcloud = {
enable = true;
hostName = "${domain}";
hostName = domain;
https = true;
package = pkgs.unstable.nextcloud24;
caching.redis = true;
caching = {
redis = true;
};
autoUpdateApps.enable = true;
autoUpdateApps.startAt = "05:00:00";
logLevel = 1;
config = {
overwriteProtocol = "https";

42
hosts/architect/nginx.nix
View File

@ -1,8 +1,9 @@
{ services, ... }:
{ services, pkgs, lib, ... }:
{
services.nginx = {
enable = true;
package = pkgs.openresty;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
@ -25,6 +26,45 @@
"/wat.jpg" = { };
};
};
appendHttpConfig = let
extraPureLuaPackages = with pkgs.luajitPackages; [
lua-resty-openidc
lua-resty-http
lua-resty-session
lua-resty-jwt
lua-resty-openssl
];
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
in ''
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
# cache for OIDC discovery metadata
lua_shared_dict discovery 1m;
lua_shared_dict jwks 1m;
# https://github.com/openresty/lua-resty-redis/issues/159
resolver local=on ipv6=off;
init_worker_by_lua_block {
function check_role (res, role)
if res.user.roles == nil then
return false
end
for _,v in pairs(res.user.roles) do
if string.lower(v) == role then
return true
end
end
return false
end
}
'';
appendConfig = ''
worker_processes 24;
'';

12
hosts/architect/nzbget.nix
View File

@ -3,6 +3,7 @@
let
domain = "htnzb.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
nzbget = {
@ -15,11 +16,12 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:6789";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
extraConfig = auth_block {
realm = "master";
client_id = "nzbget";
client_secret = "tkjzdqnUoWTlGUYah5tgMqVPFMlOUvk9";
redirect_uri = "https://${domain}";
};
};
};
};

37
hosts/architect/openid.nix Normal file
View File

@ -0,0 +1,37 @@
{ lib }:
{
openresty_oidc_block =
{ realm, client_id, client_secret, redirect_uri, access_role ? "" }: ''
access_by_lua_block {
local opts = {
discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
client_id = "${client_id}",
client_secret = "${client_secret}",
logout_path = "/logout",
redirect_after_logout_uri = "/",
redirect_uri = "/redirect_uri",
keepalive = "yes",
accept_none_alg = true
}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
${lib.optionalString (access_role != "") ''
if not check_role(res, "${access_role}") then
ngx.status = 401
ngx.header.content_type = 'text/html';
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
''}
}
'';
}

12
hosts/architect/radarr.nix
View File

@ -3,6 +3,7 @@
let
domain = "htrad.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
radarr = {
@ -15,11 +16,12 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:7878";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
extraConfig = auth_block {
realm = "master";
client_id = "radarr";
client_secret = "DCoeN4PwqGrAoG6Mqw73orrUjojJ1fmn";
redirect_uri = "https://${domain}";
};
};
};
};

12
hosts/architect/sonarr.nix
View File

@ -3,6 +3,7 @@
let
domain = "htson.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
sonarr = {
@ -15,11 +16,12 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8989";
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
extraConfig = auth_block {
realm = "master";
client_id = "sonarr";
client_secret = "d36ehMSPCI3xLfOGNcnSUKZWQblyGumi";
redirect_uri = "https://${domain}";
};
};
};
};

2
roles/home/common.nix
View File

@ -1,7 +1,7 @@
{ config, pkgs, ... }:
{
imports = [ ./zsh.nix ./git.nix ./neovim.nix ];
imports = [ ./zsh.nix ./git.nix ./helix.nix ];
home = { packages = with pkgs; [ rizin sshfs victor-mono home-manager ]; };
}

22
roles/home/helix.nix Normal file
View File

@ -0,0 +1,22 @@
{ config, pkgs, ... }:
{
home = {
sessionVariables = {
EDITOR = "hx";
VISUAL = "hx";
};
file.".config/helix/config.toml".text = ''
theme = "monokai"
'';
packages = with pkgs.unstable; [
helix
clang-tools
rust-analyzer
rnix-lsp
python310Packages.python-lsp-server
];
};
}

13
roles/home/neovim.nix
View File

@ -20,6 +20,8 @@
cmake-format
clang-tools
rustfmt
nixfmt
shfmt
];
plugins = with pkgs.vimPlugins; [
vim-nix
@ -38,9 +40,11 @@
cmp-nvim-lsp
(nvim-treesitter.withPlugins (_: pkgs.tree-sitter.allGrammars))
nvim-treesitter-textobjects
minimap-vim
pkgs.vimExtraPlugins.leap-nvim
];
extraConfig = ''
" syntax
syntax enable
@ -53,7 +57,7 @@
set wildmode=longest:full,full
" remapping popup menu (command autocompletion)
cnoremap <expr> <up> pumvisible() ? "<C-p>" : "<up>
cnoremap <expr> <up> pumvisible() ? "<C-p>" : "<up>"
cnoremap <expr> <down> pumvisible() ? "<C-n>" : "<down>"
cnoremap <expr> <CR> pumvisible() ? "<C-e>":"<CR>"
@ -80,6 +84,11 @@
" Enable trimmming of trailing whitespace
let g:neoformat_basic_format_trim = 1
" Config minimap
let g:minimap_width = 10
let g:minimap_auto_start = 1
let g:minimap_auto_start_win_enter = 1
lua << EOF
-- Setup leap-nvim keymappings