Compare commits
16 Commits
2d135b743c
...
dbe6b5956f
| Author | SHA1 | Date | |
|---|---|---|---|
|
dbe6b5956f | ||
|
|
4bb5af4b5a | ||
|
|
2a7af4e910 | ||
|
|
09e3ef237b | ||
|
|
60546992b2 | ||
|
|
9180f31c3c | ||
|
|
1be49e4835 | ||
|
|
35dbc4f40e | ||
|
|
4975e3434f | ||
|
|
7c3485f585 | ||
|
|
c9e46ec073 | ||
|
|
69ffff50e0 | ||
|
|
c1a2c8238b | ||
|
|
dddc557b46 | ||
|
|
9a2c8886ed | ||
|
|
a6f81150e7 |
@ -3,6 +3,7 @@
|
||||
let
|
||||
domain = "htbaz.giugl.io";
|
||||
network = import ./network.nix;
|
||||
auth_block = (import ./openid.nix).openresty_oidc_block;
|
||||
in {
|
||||
services = {
|
||||
bazarr = {
|
||||
@ -15,11 +16,12 @@ in {
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:6767";
|
||||
extraConfig = ''
|
||||
allow 10.0.0.0/24;
|
||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
|
||||
deny all;
|
||||
'';
|
||||
extraConfig = auth_block {
|
||||
realm = "master";
|
||||
client_id = "bazarr";
|
||||
client_secret = "OPn4Mmto2m3dDPji1cjPfHy9W55M9JFq";
|
||||
redirect_uri = "https://${domain}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@ -3,6 +3,7 @@
|
||||
let
|
||||
domain = "htdel.giugl.io";
|
||||
network = import ./network.nix;
|
||||
auth_block = (import ./openid.nix).openresty_oidc_block;
|
||||
in {
|
||||
services = {
|
||||
deluge = {
|
||||
@ -32,13 +33,17 @@ in {
|
||||
};
|
||||
|
||||
nginx.virtualHosts.${domain} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:8112";
|
||||
extraConfig = ''
|
||||
allow 10.0.0.0/24;
|
||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
|
||||
deny all;
|
||||
'';
|
||||
extraConfig = auth_block {
|
||||
realm = "master";
|
||||
client_id = "deluge";
|
||||
client_secret = "AGa1U9S1zkaM3TJVxtyx4Er76DBk1APR";
|
||||
redirect_uri = "https://${domain}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
78
hosts/architect/keycloak.nix
Normal file
78
hosts/architect/keycloak.nix
Normal file
@ -0,0 +1,78 @@
|
||||
{ pkgs, config, ... }:
|
||||
|
||||
let
|
||||
network = import ./network.nix;
|
||||
domain = "auth.giugl.io";
|
||||
in {
|
||||
services = {
|
||||
keycloak = {
|
||||
enable = true;
|
||||
initialAdminPassword = "giulio";
|
||||
database.passwordFile = "/secrets/keycloak/database.key";
|
||||
settings = {
|
||||
hostname = domain;
|
||||
proxy = "edge";
|
||||
http-port = 6654;
|
||||
https-port = 6655;
|
||||
hostname-strict-backchannel = true;
|
||||
};
|
||||
};
|
||||
|
||||
postgresql = {
|
||||
ensureDatabases =
|
||||
[ "${toString config.services.keycloak.database.name}" ];
|
||||
ensureUsers = [{
|
||||
name = "${toString config.services.keycloak.database.username}";
|
||||
ensurePermissions = {
|
||||
"DATABASE ${toString config.services.keycloak.database.name}" =
|
||||
"ALL PRIVILEGES";
|
||||
};
|
||||
}];
|
||||
};
|
||||
|
||||
nginx.virtualHosts.${domain} = {
|
||||
forceSSL = true;
|
||||
enableACME = true;
|
||||
|
||||
locations = {
|
||||
"/" = { return = "301 https://${domain}/realms/master/account"; };
|
||||
|
||||
"/admin" = {
|
||||
proxyPass = "http://127.0.0.1:${
|
||||
toString config.services.keycloak.settings.http-port
|
||||
}";
|
||||
};
|
||||
|
||||
"/js" = {
|
||||
proxyPass = "http://127.0.0.1:${
|
||||
toString config.services.keycloak.settings.http-port
|
||||
}";
|
||||
};
|
||||
|
||||
"/realms" = {
|
||||
proxyPass = "http://127.0.0.1:${
|
||||
toString config.services.keycloak.settings.http-port
|
||||
}";
|
||||
};
|
||||
|
||||
"/resources" = {
|
||||
proxyPass = "http://127.0.0.1:${
|
||||
toString config.services.keycloak.settings.http-port
|
||||
}";
|
||||
};
|
||||
|
||||
"/robots.txt" = {
|
||||
proxyPass = "http://127.0.0.1:${
|
||||
toString config.services.keycloak.settings.http-port
|
||||
}";
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
networking.extraHosts = ''
|
||||
${network.architect-lan} ${domain}
|
||||
${network.architect-wg} ${domain}
|
||||
'';
|
||||
}
|
||||
@ -3,6 +3,7 @@
|
||||
let
|
||||
domain = "htlid.giugl.io";
|
||||
network = import ./network.nix;
|
||||
auth_block = (import ./openid.nix).openresty_oidc_block;
|
||||
in {
|
||||
services = {
|
||||
lidarr = {
|
||||
@ -15,12 +16,12 @@ in {
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:8686";
|
||||
extraConfig = ''
|
||||
allow 10.0.0.0/24;
|
||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
|
||||
deny all;
|
||||
deny 10.0.0.1;
|
||||
'';
|
||||
extraConfig = auth_block {
|
||||
realm = "master";
|
||||
client_id = "lidarr";
|
||||
client_secret = "7s4dd1SEi84F4fUFsqRaQmSSucZhyTco";
|
||||
redirect_uri = "https://${domain}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@ -3,24 +3,34 @@
|
||||
let
|
||||
domain = "cloud.giugl.io";
|
||||
network = import ./network.nix;
|
||||
redis_port = 6379;
|
||||
in {
|
||||
services = {
|
||||
mysql.enable = true;
|
||||
mysql.package = pkgs.unstable.mysql80;
|
||||
mysql = {
|
||||
enable = true;
|
||||
package = pkgs.unstable.mysql80;
|
||||
};
|
||||
|
||||
redis.servers."default".enable = true;
|
||||
redis = {
|
||||
vmOverCommit = true;
|
||||
servers."nextcloud" = {
|
||||
enable = true;
|
||||
port = redis_port;
|
||||
};
|
||||
};
|
||||
|
||||
nextcloud = {
|
||||
enable = true;
|
||||
hostName = "${domain}";
|
||||
hostName = domain;
|
||||
https = true;
|
||||
package = pkgs.unstable.nextcloud24;
|
||||
|
||||
caching.redis = true;
|
||||
caching = {
|
||||
redis = true;
|
||||
};
|
||||
|
||||
autoUpdateApps.enable = true;
|
||||
autoUpdateApps.startAt = "05:00:00";
|
||||
logLevel = 1;
|
||||
|
||||
config = {
|
||||
overwriteProtocol = "https";
|
||||
|
||||
@ -1,8 +1,9 @@
|
||||
{ services, ... }:
|
||||
{ services, pkgs, lib, ... }:
|
||||
|
||||
{
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
package = pkgs.openresty;
|
||||
recommendedGzipSettings = true;
|
||||
recommendedOptimisation = true;
|
||||
recommendedProxySettings = true;
|
||||
@ -25,6 +26,45 @@
|
||||
"/wat.jpg" = { };
|
||||
};
|
||||
};
|
||||
appendHttpConfig = let
|
||||
extraPureLuaPackages = with pkgs.luajitPackages; [
|
||||
lua-resty-openidc
|
||||
lua-resty-http
|
||||
lua-resty-session
|
||||
lua-resty-jwt
|
||||
lua-resty-openssl
|
||||
];
|
||||
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
|
||||
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
|
||||
in ''
|
||||
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
|
||||
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
|
||||
lua_ssl_verify_depth 5;
|
||||
|
||||
# cache for OIDC discovery metadata
|
||||
lua_shared_dict discovery 1m;
|
||||
lua_shared_dict jwks 1m;
|
||||
|
||||
# https://github.com/openresty/lua-resty-redis/issues/159
|
||||
resolver local=on ipv6=off;
|
||||
|
||||
init_worker_by_lua_block {
|
||||
function check_role (res, role)
|
||||
if res.user.roles == nil then
|
||||
return false
|
||||
end
|
||||
|
||||
for _,v in pairs(res.user.roles) do
|
||||
if string.lower(v) == role then
|
||||
return true
|
||||
end
|
||||
end
|
||||
|
||||
return false
|
||||
end
|
||||
}
|
||||
'';
|
||||
|
||||
appendConfig = ''
|
||||
worker_processes 24;
|
||||
'';
|
||||
|
||||
@ -3,6 +3,7 @@
|
||||
let
|
||||
domain = "htnzb.giugl.io";
|
||||
network = import ./network.nix;
|
||||
auth_block = (import ./openid.nix).openresty_oidc_block;
|
||||
in {
|
||||
services = {
|
||||
nzbget = {
|
||||
@ -15,11 +16,12 @@ in {
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:6789";
|
||||
extraConfig = ''
|
||||
allow 10.0.0.0/24;
|
||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
|
||||
deny all;
|
||||
'';
|
||||
extraConfig = auth_block {
|
||||
realm = "master";
|
||||
client_id = "nzbget";
|
||||
client_secret = "tkjzdqnUoWTlGUYah5tgMqVPFMlOUvk9";
|
||||
redirect_uri = "https://${domain}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
37
hosts/architect/openid.nix
Normal file
37
hosts/architect/openid.nix
Normal file
@ -0,0 +1,37 @@
|
||||
{ lib }:
|
||||
|
||||
{
|
||||
openresty_oidc_block =
|
||||
{ realm, client_id, client_secret, redirect_uri, access_role ? "" }: ''
|
||||
access_by_lua_block {
|
||||
local opts = {
|
||||
discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
|
||||
client_id = "${client_id}",
|
||||
client_secret = "${client_secret}",
|
||||
logout_path = "/logout",
|
||||
redirect_after_logout_uri = "/",
|
||||
redirect_uri = "/redirect_uri",
|
||||
keepalive = "yes",
|
||||
accept_none_alg = true
|
||||
}
|
||||
|
||||
-- call introspect for OAuth 2.0 Bearer Access Token validation
|
||||
local res, err = require("resty.openidc").authenticate(opts)
|
||||
|
||||
if err then
|
||||
ngx.status = 403
|
||||
ngx.say(err)
|
||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||
end
|
||||
|
||||
${lib.optionalString (access_role != "") ''
|
||||
if not check_role(res, "${access_role}") then
|
||||
ngx.status = 401
|
||||
ngx.header.content_type = 'text/html';
|
||||
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
|
||||
ngx.exit(ngx.HTTP_UNAUTHORIZED)
|
||||
end
|
||||
''}
|
||||
}
|
||||
'';
|
||||
}
|
||||
@ -3,6 +3,7 @@
|
||||
let
|
||||
domain = "htrad.giugl.io";
|
||||
network = import ./network.nix;
|
||||
auth_block = (import ./openid.nix).openresty_oidc_block;
|
||||
in {
|
||||
services = {
|
||||
radarr = {
|
||||
@ -15,11 +16,12 @@ in {
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:7878";
|
||||
extraConfig = ''
|
||||
allow 10.0.0.0/24;
|
||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
|
||||
deny all;
|
||||
'';
|
||||
extraConfig = auth_block {
|
||||
realm = "master";
|
||||
client_id = "radarr";
|
||||
client_secret = "DCoeN4PwqGrAoG6Mqw73orrUjojJ1fmn";
|
||||
redirect_uri = "https://${domain}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@ -3,6 +3,7 @@
|
||||
let
|
||||
domain = "htson.giugl.io";
|
||||
network = import ./network.nix;
|
||||
auth_block = (import ./openid.nix).openresty_oidc_block;
|
||||
in {
|
||||
services = {
|
||||
sonarr = {
|
||||
@ -15,11 +16,12 @@ in {
|
||||
enableACME = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://localhost:8989";
|
||||
extraConfig = ''
|
||||
allow 10.0.0.0/24;
|
||||
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
|
||||
deny all;
|
||||
'';
|
||||
extraConfig = auth_block {
|
||||
realm = "master";
|
||||
client_id = "sonarr";
|
||||
client_secret = "d36ehMSPCI3xLfOGNcnSUKZWQblyGumi";
|
||||
redirect_uri = "https://${domain}";
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
imports = [ ./zsh.nix ./git.nix ./neovim.nix ];
|
||||
imports = [ ./zsh.nix ./git.nix ./helix.nix ];
|
||||
|
||||
home = { packages = with pkgs; [ rizin sshfs victor-mono home-manager ]; };
|
||||
}
|
||||
|
||||
22
roles/home/helix.nix
Normal file
22
roles/home/helix.nix
Normal file
@ -0,0 +1,22 @@
|
||||
{ config, pkgs, ... }:
|
||||
|
||||
{
|
||||
home = {
|
||||
sessionVariables = {
|
||||
EDITOR = "hx";
|
||||
VISUAL = "hx";
|
||||
};
|
||||
|
||||
file.".config/helix/config.toml".text = ''
|
||||
theme = "monokai"
|
||||
'';
|
||||
|
||||
packages = with pkgs.unstable; [
|
||||
helix
|
||||
clang-tools
|
||||
rust-analyzer
|
||||
rnix-lsp
|
||||
python310Packages.python-lsp-server
|
||||
];
|
||||
};
|
||||
}
|
||||
Loading…
Reference in New Issue
Block a user