peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: peperunas:d9ef1939b2d9456a80a32ec55c7ea083762c499c
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit
...
compare: peperunas:a546edc30d781c41ef2167d901e85751d7126be5
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit

15 Commits
d9ef1939b2 ... a546edc30d

Author SHA1 Message Date
Giulio De Pasquale
a546edc30d Lock update 2022-11-29 14:53:35 +01:00
Giulio De Pasquale
30fd214734 nginx, openid: Allow IP whitelist to bypass OpenID auth 2022-11-29 14:53:17 +01:00
Giulio De Pasquale
ae4c55fdee gitea: Enable OpenID signin 2022-11-29 13:24:48 +01:00
Giulio De Pasquale
74fd09cb16 openid: Extend access token validity to one day 2022-11-29 13:03:26 +01:00
Giulio De Pasquale
b244bfad7d openid: Revoke tokens on logout 2022-11-29 12:56:40 +01:00
Giulio De Pasquale
7ffddeca09 nginx: Add default runas.rocks virtualhost 2022-11-27 11:24:35 +01:00
Giulio De Pasquale
b93d3a33b0 Rename giulio devices, add Steam deck to Wireguard 2022-11-27 11:24:12 +01:00
Giulio De Pasquale
6568784680 matrix: Add OpenID connection and transfer to runas.rocks 2022-11-27 11:23:09 +01:00
Giulio De Pasquale
2ed81fcfe3 flake: Formatting 2022-11-22 13:05:53 +01:00
Giulio De Pasquale
ea53e09c1a flake: Use correct wrapper function for unstable packages 2022-11-22 13:02:39 +01:00
Giulio De Pasquale
7e61526538 calibre: Add OpenID auth 2022-11-22 12:59:27 +01:00
Giulio De Pasquale
75b51d24e9 firewall: Allow connections to Minecraft from WAN 2022-11-20 14:56:32 +01:00
Giulio De Pasquale
3c4caaaea5 jellyfin: Go through SSO auth 2022-11-20 14:55:59 +01:00
Giulio De Pasquale
9efea759e4 navidrome: Move beets-import script execution from daily to weekly 2022-11-15 01:12:54 +01:00
Giulio De Pasquale
1122be76bb nginx: Fix indentation 2022-11-15 01:11:39 +01:00
12 changed files with 206 additions and 153 deletions
Show Stats Expand all files Collapse all files

24
flake.lock generated
View File

@ -38,11 +38,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1665475263, "lastModified": 1667907331,
"narHash": "sha256-T4at7d+KsQNWh5rfjvOtQCaIMWjSDlSgQZKvxb+LcEY=", "narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
"owner": "rycee", "owner": "rycee",
"repo": "home-manager", "repo": "home-manager",
"rev": "17208be516fc36e2ab0ceb064d931e90eb88b2a3", "rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -54,11 +54,11 @@
}, },
"nixos-unstable": { "nixos-unstable": {
"locked": { "locked": {
"lastModified": 1665672983, "lastModified": 1669721229,
"narHash": "sha256-V7Va7CRKmQRy95xSdlga5nV7q3/PusZwNAF/leb5PcU=", "narHash": "sha256-4Sh+gXzEVHI6E/8c7OgDW60tYKh9ZGPVoL2YXlC2Yk0=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "bb2fb1524795f2d720cd13a2eb4d35d3a7a0d888", "rev": "46eabb1198af88c73036edecdf6950c19be33308",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -70,11 +70,11 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1665596265, "lastModified": 1669546925,
"narHash": "sha256-H7Ku1SF+7zDEqw8QOyEDA5blMJQW9MvdfgB+K3KJNLw=", "narHash": "sha256-Gvtk9agz88tBgqmCdHl5U7gYttTkiuEd8/Rq1Im0pTg=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "9234f5a17e1a7820b5e91ecd4ff0de449e293383", "rev": "fecf05d4861f3985e8dee73f08bc82668ef75125",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -115,11 +115,11 @@
"nixpkgs": "nixpkgs_2" "nixpkgs": "nixpkgs_2"
}, },
"locked": { "locked": {
"lastModified": 1665671907, "lastModified": 1669558651,
"narHash": "sha256-+YXxqH7OROLJ9G4va5BZb4a8aIzulaUZbnH+R1iWoaw=", "narHash": "sha256-0oZd2rdg2050yapyjX7zMWsYWptFp55YFHoEFgsVrN0=",
"owner": "m15a", "owner": "m15a",
"repo": "nixpkgs-vim-extra-plugins", "repo": "nixpkgs-vim-extra-plugins",
"rev": "6c1624b0942cdecf7f30aa4d411cb3578bc29a38", "rev": "38107b1aceaccc2ac14a4697bbcea3d70fd016f6",
"type": "github" "type": "github"
}, },
"original": { "original": {

7
flake.nix
View File

@ -33,7 +33,7 @@
}; };
pkgsX64 = wrapPkgsSystem { system = x64System; }; pkgsX64 = wrapPkgsSystem { system = x64System; };
unstableX64 = wrapPkgsSystem { system = x64System; }; unstableX64 = wrapUnstablePkgsSystem { system = x64System; };
utilsX64 = import ./lib { utilsX64 = import ./lib {
inherit nixpkgs nixos-unstable home-manager; inherit nixpkgs nixos-unstable home-manager;
pkgs = pkgsX64; pkgs = pkgsX64;
@ -42,14 +42,15 @@
}; };
pkgsDarwin = wrapPkgsSystem { system = darwinSystem; }; pkgsDarwin = wrapPkgsSystem { system = darwinSystem; };
unstableDarwin = wrapPkgsSystem { system = darwinSystem; }; unstableDarwin = wrapUnstablePkgsSystem { system = darwinSystem; };
utilsDarwin = import ./lib { utilsDarwin = import ./lib {
inherit nixpkgs nixos-unstable home-manager; inherit nixpkgs nixos-unstable home-manager;
pkgs = pkgsDarwin; pkgs = pkgsDarwin;
unstable = unstableDarwin; unstable = unstableDarwin;
system = darwinSystem; system = darwinSystem;
}; };
in { in
{
nixosConfigurations = { nixosConfigurations = {
architect = utilsX64.host.mkHost { architect = utilsX64.host.mkHost {
name = "architect"; name = "architect";

6
hosts/architect/calibre.nix
View File

@ -3,7 +3,9 @@
let let
domain = "books.giugl.io"; domain = "books.giugl.io";
network = import ./network.nix; network = import ./network.nix;
in { auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
services = { services = {
calibre-web = { calibre-web = {
enable = true; enable = true;
@ -21,7 +23,7 @@ in {
proxyPass = "http://127.0.0.1:8083"; proxyPass = "http://127.0.0.1:8083";
extraConfig = '' extraConfig = ''
client_max_body_size 500M; client_max_body_size 500M;
''; '' + auth_block { access_role = "calibre"; };
}; };
}; };
}; };

1
hosts/architect/firewall.nix
View File

@ -29,6 +29,7 @@ let
gitea_tcp gitea_tcp
torrent_a torrent_a
torrent_b torrent_b
minecraft_tcp
]; ];
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [ open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
wireguard_udp wireguard_udp

8
hosts/architect/gitea.nix
View File

@ -3,7 +3,8 @@
let let
domain = "git.giugl.io"; domain = "git.giugl.io";
network = import ./network.nix; network = import ./network.nix;
in { in
{
services.gitea = { services.gitea = {
enable = true; enable = true;
database.type = "sqlite3"; database.type = "sqlite3";
@ -11,7 +12,10 @@ in {
appName = "Gitea"; appName = "Gitea";
rootUrl = "https://${domain}"; rootUrl = "https://${domain}";
ssh.clonePort = 22; ssh.clonePort = 22;
settings.server.LFS_START_SERVER = true; settings = {
server.LFS_START_SERVER = true;
openid.enable_openid_signin = true;
};
}; };
services.nginx.virtualHosts.${domain} = { services.nginx.virtualHosts.${domain} = {

39
hosts/architect/jellyfin.nix
View File

@ -1,9 +1,11 @@
{ pkgs, ... }: { pkgs, lib, ... }:
let let
network = import ./network.nix; network = import ./network.nix;
domain = "media.giugl.io"; domain = "media.giugl.io";
in { auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
in
{
disabledModules = [ "services/misc/jellyfin.nix" ]; disabledModules = [ "services/misc/jellyfin.nix" ];
imports = [ ./modules/jellyfin.nix ]; imports = [ ./modules/jellyfin.nix ];
@ -17,30 +19,31 @@ in {
nginx.virtualHosts.${domain} = { nginx.virtualHosts.${domain} = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' extraConfig = auth_block { access_role = "jellyfin"; } +
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted. ''
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'"; # External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
# Disable buffering when the nginx proxy gets very resource heavy upon streaming #add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
proxy_buffering off; # Disable buffering when the nginx proxy gets very resource heavy upon streaming
''; proxy_buffering off;
'';
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:8096"; proxyPass = "http://127.0.0.1:8096";
# extraConfig = '' # extraConfig = ''
# allow 10.0.0.0/24; # allow 10.0.0.0/24;
# allow 10.3.0.0/24; # allow 10.3.0.0/24;
# deny all; # deny all;
# ''; # '';
}; };
locations."/socket" = { locations."/socket" = {
proxyPass = "http://127.0.0.1:8096"; proxyPass = "http://127.0.0.1:8096";
proxyWebsockets = true; proxyWebsockets = true;
# extraConfig = '' # extraConfig = ''
# allow 10.0.0.0/24; # allow 10.0.0.0/24;
# allow 10.3.0.0/24; # allow 10.3.0.0/24;
# deny all; # deny all;
# ''; # '';
}; };
}; };
}; };

74
hosts/architect/matrix.nix
View File

@ -1,28 +1,44 @@
{ pkgs, ... }: { pkgs, lib, ... }:
let let
domain = "matrix.giugl.io"; domain = "runas.rocks";
webui_domain = "chat.giugl.io"; webui_domain = "webchat.runas.rocks";
network = import ./network.nix; network = import ./network.nix;
db_name = "matrix-synapse"; db_name = "matrix-synapse-runas.rocks";
in { in
{
services = { services = {
matrix-synapse = { matrix-synapse = {
enable = true; enable = true;
settings = { settings = {
server_name = "${domain}"; server_name = "${domain}";
database_name = db_name; database.args.database = db_name;
public_baseurl = "https://${domain}"; public_baseurl = "https://${domain}";
registration_shared_secret = "runas!"; registration_shared_secret = "runas!";
url_preview_enabled = true; url_preview_enabled = true;
dynamic_thumbnails = true; dynamic_thumbnails = true;
withJemalloc = true; withJemalloc = true;
# enable_registration = true;
app_service_config_files = [ app_service_config_files = [
"/var/lib/matrix-synapse/discord-registration.yaml" "/var/lib/matrix-synapse/discord-registration.yaml"
# "/var/lib/matrix-synapse/hookshot-registration.yml" # "/var/lib/matrix-synapse/hookshot-registration.yml"
# "/var/lib/matrix-synapse/telegram-registration.yaml" # "/var/lib/matrix-synapse/telegram-registration.yaml"
]; ];
oidc_providers = [{
idp_id = "keycloak";
idp_name = "Architect SSO";
issuer = "https://auth.giugl.io/realms/master";
client_id = "synapse";
client_secret = "hj7dkbAI75jIeggr1cW0JTRzAdvJUtq6";
scopes = [ "openid" "profile" ];
user_profile_method = "userinfo_endpoint";
user_mapping_provider.config = {
localpart_template = "{{ user.preferred_username }}";
display_name_template = "{{ user.name }}";
};
backchannel_logout_enabled = true;
}];
listeners = [{ listeners = [{
port = 8008; port = 8008;
bind_addresses = [ "127.0.0.1" ]; bind_addresses = [ "127.0.0.1" ];
@ -35,18 +51,11 @@ in {
}]; }];
}]; }];
}; };
#extraConfig = ''
# auto_join_rooms:
# - "#general:matrix.giugl.io"
# max_upload_size: "50M"
#'';
}; };
postgresql = { postgresql = {
enable = true; enable = true;
package = pkgs.postgresql; package = pkgs.postgresql;
ensureDatabases = [ db_name ];
ensureUsers = [{ ensureUsers = [{
name = db_name; name = db_name;
ensurePermissions = { "DATABASE \"${db_name}\"" = "ALL PRIVILEGES"; }; ensurePermissions = { "DATABASE \"${db_name}\"" = "ALL PRIVILEGES"; };
@ -63,22 +72,25 @@ in {
''; '';
locations."= /.well-known/matrix/server".extraConfig = locations."= /.well-known/matrix/server".extraConfig =
let server = { "m.server" = "${domain}:443"; }; let server = { "m.server" = "${domain}:443"; };
in '' in
''
add_header Content-Type application/json; add_header Content-Type application/json;
return 200 '${builtins.toJSON server}'; return 200 '${builtins.toJSON server}';
''; '';
locations."= /.well-known/matrix/client".extraConfig = let locations."= /.well-known/matrix/client".extraConfig =
client = { let
"m.homeserver" = { "base_url" = "https://${domain}:443"; }; client = {
"m.identity_server" = { "base_url" = "https://vector.im"; }; "m.homeserver" = { "base_url" = "https://${domain}:443"; };
}; "m.identity_server" = { "base_url" = "https://vector.im"; };
# ACAO required to allow element-web on any URL to request this json file };
in '' # ACAO required to allow element-web on any URL to request this json file
add_header Content-Type application/json; in
add_header Access-Control-Allow-Origin *; ''
return 200 '${builtins.toJSON client}'; add_header Content-Type application/json;
''; add_header Access-Control-Allow-Origin *;
return 200 '${builtins.toJSON client}';
'';
locations."/".extraConfig = '' locations."/".extraConfig = ''
return 404; return 404;
@ -88,6 +100,10 @@ in {
locations."/_matrix" = { locations."/_matrix" = {
proxyPass = "http://127.0.0.1:8008"; # without a trailing / proxyPass = "http://127.0.0.1:8008"; # without a trailing /
}; };
locations."/_synapse" = {
proxyPass = "http://127.0.0.1:8008"; # without a trailing /
};
}; };
# web client # web client
@ -114,7 +130,7 @@ in {
# It's also possible to use PostgreSQL. # It's also possible to use PostgreSQL.
settings = { settings = {
bridge = { bridge = {
domain = domain; inherit domain;
homeserverUrl = "https://${domain}"; homeserverUrl = "https://${domain}";
}; };
}; };
@ -122,8 +138,8 @@ in {
}; };
networking.extraHosts = '' networking.extraHosts = ''
${network.architect-lan} ${domain} ${webui_domain} ${network.architect-lan} ${lib.concatStringsSep " " [ domain webui_domain]}
${network.architect-wg} ${domain} ${webui_domain} ${network.architect-wg} ${lib.concatStringsSep " " [ domain webui_domain ]}
''; '';
} }

2
hosts/architect/navidrome.nix
View File

@ -57,7 +57,7 @@ in {
ExecStart = ExecStart =
"${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}"; "${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}";
}; };
startAt = "daily"; startAt = "weekly";
}; };
"remove-badmp3" = { "remove-badmp3" = {

10
hosts/architect/network.nix
View File

@ -19,9 +19,9 @@ rec {
proxy-wg = "10.4.0.1"; proxy-wg = "10.4.0.1";
architect-wg = "10.3.0.1"; architect-wg = "10.3.0.1";
galuminum-wg = "10.3.0.2"; giuliopc-wg = "10.3.0.2";
oneplus-wg = "10.3.0.3"; giuliophone-wg = "10.3.0.3";
ipad-wg = "10.3.0.4"; giuliodeck-wg = "10.3.0.4";
manduria-wg = "10.3.0.5"; manduria-wg = "10.3.0.5";
antonio-wg = "10.3.0.6"; antonio-wg = "10.3.0.6";
gbeast-wg = "10.3.0.7"; gbeast-wg = "10.3.0.7";
@ -57,14 +57,14 @@ rec {
# groups # groups
gdevices-wg = gdevices-wg =
[ galuminum-wg oneplus-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg; [ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ]; routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
c2c-wg = [ ] ++ gdevices-wg; c2c-wg = [ ] ++ gdevices-wg;
towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ] towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ]
++ gdevices-wg ++ routers-wg; ++ gdevices-wg ++ routers-wg;
gamenet-wg = [ gamenet-wg = [
andrew-wg andrew-wg
galuminum-wg giuliopc-wg
gbeast-wg gbeast-wg
mikey-wg mikey-wg
andrewdesktop-wg andrewdesktop-wg

112
hosts/architect/nginx.nix
View File

@ -1,6 +1,24 @@
{ services, pkgs, lib, ... }: { services, pkgs, lib, ... }:
let
serviceSkeleton = { default ? false }: {
inherit default;
{ enableACME = true;
forceSSL = true;
root = "/var/lib/nginx/error_pages";
extraConfig = "error_page 404 /index.htm;";
locations = {
"/" = { return = "404"; };
"/index.htm" = { };
"/style.css" = { };
"/wat.jpg" = { };
};
};
in {
services.nginx = { services.nginx = {
enable = true; enable = true;
package = pkgs.openresty; package = pkgs.openresty;
@ -9,61 +27,59 @@
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
virtualHosts."architect.devs.giugl.io" = { virtualHosts."architect.devs.giugl.io" = serviceSkeleton { default = true; };
default = true; virtualHosts."runas.rocks" = serviceSkeleton {};
enableACME = true;
addSSL = true;
root = "/var/lib/nginx/error_pages";
extraConfig = "error_page 404 /index.htm;";
locations = { appendHttpConfig =
"/" = { return = "404"; }; let
extraPureLuaPackages = with pkgs.luajitPackages; [
lua-resty-openidc
lua-resty-http
lua-resty-session
lua-resty-jwt
lua-resty-openssl
];
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
in
''
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
"/index.htm" = { }; # cache for OIDC discovery metadata
lua_shared_dict discovery 1m;
lua_shared_dict jwks 1m;
"/style.css" = { }; # https://github.com/openresty/lua-resty-redis/issues/159
resolver local=on ipv6=off;
"/wat.jpg" = { }; init_worker_by_lua_block {
}; function check_role (res, role)
}; if res.user.roles == nil then
appendHttpConfig = let return false
extraPureLuaPackages = with pkgs.luajitPackages; [ end
lua-resty-openidc
lua-resty-http
lua-resty-session
lua-resty-jwt
lua-resty-openssl
];
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
in ''
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
# cache for OIDC discovery metadata for _,v in pairs(res.user.roles) do
lua_shared_dict discovery 1m; if string.lower(v) == role then
lua_shared_dict jwks 1m; return true
end
end
# https://github.com/openresty/lua-resty-redis/issues/159 return false
resolver local=on ipv6=off;
init_worker_by_lua_block {
function check_role (res, role)
if res.user.roles == nil then
return false
end
for _,v in pairs(res.user.roles) do
if string.lower(v) == role then
return true
end end
end
return false function is_ip_whitelisted(ip, whitelist)
end for _, x in ipairs(whitelist) do
} if ip == x then
''; return true
end
end
return false
end
}
'';
appendConfig = '' appendConfig = ''
worker_processes 24; worker_processes 24;

45
hosts/architect/openid.nix
View File

@ -2,7 +2,7 @@
{ {
openresty_oidc_block = openresty_oidc_block =
{ access_role ? "" }: '' { access_role ? "", whitelisted_ips ? [] }: ''
access_by_lua_block { access_by_lua_block {
local opts = { local opts = {
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration", discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
@ -12,26 +12,37 @@
redirect_after_logout_uri = "/", redirect_after_logout_uri = "/",
redirect_uri = "/redirect_uri", redirect_uri = "/redirect_uri",
keepalive = "yes", keepalive = "yes",
accept_none_alg = true accept_none_alg = true,
} revoke_tokens_on_logout = true,
-- access token valid for a day
access_token_expires_in = 86400
}
-- call introspect for OAuth 2.0 Bearer Access Token validation ${lib.optionalString (whitelisted_ips != []) ''
local res, err = require("resty.openidc").authenticate(opts) local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
if err then if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
ngx.status = 403 return
ngx.say(err) end
ngx.exit(ngx.HTTP_FORBIDDEN) ''}
end
${lib.optionalString (access_role != "") '' -- call introspect for OAuth 2.0 Bearer Access Token validation
if not check_role(res, "${access_role}") then local res, err = require("resty.openidc").authenticate(opts)
ngx.status = 401
ngx.header.content_type = 'text/html'; if err then
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.") ngx.status = 403
ngx.exit(ngx.HTTP_UNAUTHORIZED) ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
end end
''}
${lib.optionalString (access_role != "") ''
if not check_role(res, "${access_role}") then
ngx.status = 401
ngx.header.content_type = 'text/html';
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
''}
} }
''; '';
} }

25
hosts/architect/wireguard.nix
View File

@ -2,9 +2,8 @@ with import ./network.nix; {
networking = { networking = {
extraHosts = '' extraHosts = ''
${architect-wg} architect.devs.giugl.io ${architect-wg} architect.devs.giugl.io
${galuminum-wg} galuminum.devs.giugl.io ${giuliopc-wg} giuliopc.devs.giugl.io
${oneplus-wg} oneplus.devs.giugl.io ${giuliophone-wg} giuliophone.devs.giugl.io
${ipad-wg} ipad.devs.giugl.io
${manduria-wg} manduria.devs.giugl.io ${manduria-wg} manduria.devs.giugl.io
${antonio-wg} antonio.devs.giugl.io ${antonio-wg} antonio.devs.giugl.io
${gbeast-wg} gbeast.devs.giugl.io ${gbeast-wg} gbeast.devs.giugl.io
@ -34,6 +33,7 @@ with import ./network.nix; {
${parina-ipad-wg} parinaipad.devs.giugl.io ${parina-ipad-wg} parinaipad.devs.giugl.io
${nilo-wg} nilo.devs.giugl.io ${nilo-wg} nilo.devs.giugl.io
${kclvm-wg} kclvm.devs.giugl.io ${kclvm-wg} kclvm.devs.giugl.io
${giuliodeck-wg} giuliodeck.devs.giugl.io
''; '';
wireguard = { wireguard = {
@ -55,23 +55,17 @@ with import ./network.nix; {
peers = [ peers = [
{ {
# gAluminum # giuliopc
allowedIPs = [ galuminum-wg ]; allowedIPs = [ giuliopc-wg ];
publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw="; publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
} }
{ {
# OnePlus # giuliophone
allowedIPs = [ oneplus-wg ]; allowedIPs = [ giuliophone-wg ];
publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs="; publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
} }
{
# iPad
allowedIPs = [ ipad-wg ];
publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ=";
}
{ {
# Manduria # Manduria
allowedIPs = [ manduria-wg ]; allowedIPs = [ manduria-wg ];
@ -263,6 +257,11 @@ with import ./network.nix; {
allowedIPs = [ kclvm-wg ]; allowedIPs = [ kclvm-wg ];
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE="; publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
} }
{
# Giulio's Deck
allowedIPs = [ giuliodeck-wg ];
publicKey = "7TGYsYvElTLY3V7qJfggkF+kFG7Y5sUsHA88h0cYJx0=";
}
]; ];
}; };
}; };