Compare commits
15 Commits
d9ef1939b2
...
a546edc30d
Author | SHA1 | Date | |
---|---|---|---|
|
a546edc30d | ||
|
30fd214734 | ||
|
ae4c55fdee | ||
|
74fd09cb16 | ||
|
b244bfad7d | ||
|
7ffddeca09 | ||
|
b93d3a33b0 | ||
|
6568784680 | ||
|
2ed81fcfe3 | ||
|
ea53e09c1a | ||
|
7e61526538 | ||
|
75b51d24e9 | ||
|
3c4caaaea5 | ||
|
9efea759e4 | ||
|
1122be76bb |
24
flake.lock
generated
24
flake.lock
generated
@ -38,11 +38,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1665475263,
|
"lastModified": 1667907331,
|
||||||
"narHash": "sha256-T4at7d+KsQNWh5rfjvOtQCaIMWjSDlSgQZKvxb+LcEY=",
|
"narHash": "sha256-bHkAwkYlBjkupPUFcQjimNS8gxWSWjOTevEuwdnp5m0=",
|
||||||
"owner": "rycee",
|
"owner": "rycee",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "17208be516fc36e2ab0ceb064d931e90eb88b2a3",
|
"rev": "6639e3a837fc5deb6f99554072789724997bc8e5",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -54,11 +54,11 @@
|
|||||||
},
|
},
|
||||||
"nixos-unstable": {
|
"nixos-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1665672983,
|
"lastModified": 1669721229,
|
||||||
"narHash": "sha256-V7Va7CRKmQRy95xSdlga5nV7q3/PusZwNAF/leb5PcU=",
|
"narHash": "sha256-4Sh+gXzEVHI6E/8c7OgDW60tYKh9ZGPVoL2YXlC2Yk0=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "bb2fb1524795f2d720cd13a2eb4d35d3a7a0d888",
|
"rev": "46eabb1198af88c73036edecdf6950c19be33308",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -70,11 +70,11 @@
|
|||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1665596265,
|
"lastModified": 1669546925,
|
||||||
"narHash": "sha256-H7Ku1SF+7zDEqw8QOyEDA5blMJQW9MvdfgB+K3KJNLw=",
|
"narHash": "sha256-Gvtk9agz88tBgqmCdHl5U7gYttTkiuEd8/Rq1Im0pTg=",
|
||||||
"owner": "NixOS",
|
"owner": "NixOS",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "9234f5a17e1a7820b5e91ecd4ff0de449e293383",
|
"rev": "fecf05d4861f3985e8dee73f08bc82668ef75125",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@ -115,11 +115,11 @@
|
|||||||
"nixpkgs": "nixpkgs_2"
|
"nixpkgs": "nixpkgs_2"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1665671907,
|
"lastModified": 1669558651,
|
||||||
"narHash": "sha256-+YXxqH7OROLJ9G4va5BZb4a8aIzulaUZbnH+R1iWoaw=",
|
"narHash": "sha256-0oZd2rdg2050yapyjX7zMWsYWptFp55YFHoEFgsVrN0=",
|
||||||
"owner": "m15a",
|
"owner": "m15a",
|
||||||
"repo": "nixpkgs-vim-extra-plugins",
|
"repo": "nixpkgs-vim-extra-plugins",
|
||||||
"rev": "6c1624b0942cdecf7f30aa4d411cb3578bc29a38",
|
"rev": "38107b1aceaccc2ac14a4697bbcea3d70fd016f6",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -33,7 +33,7 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
pkgsX64 = wrapPkgsSystem { system = x64System; };
|
pkgsX64 = wrapPkgsSystem { system = x64System; };
|
||||||
unstableX64 = wrapPkgsSystem { system = x64System; };
|
unstableX64 = wrapUnstablePkgsSystem { system = x64System; };
|
||||||
utilsX64 = import ./lib {
|
utilsX64 = import ./lib {
|
||||||
inherit nixpkgs nixos-unstable home-manager;
|
inherit nixpkgs nixos-unstable home-manager;
|
||||||
pkgs = pkgsX64;
|
pkgs = pkgsX64;
|
||||||
@ -42,14 +42,15 @@
|
|||||||
};
|
};
|
||||||
|
|
||||||
pkgsDarwin = wrapPkgsSystem { system = darwinSystem; };
|
pkgsDarwin = wrapPkgsSystem { system = darwinSystem; };
|
||||||
unstableDarwin = wrapPkgsSystem { system = darwinSystem; };
|
unstableDarwin = wrapUnstablePkgsSystem { system = darwinSystem; };
|
||||||
utilsDarwin = import ./lib {
|
utilsDarwin = import ./lib {
|
||||||
inherit nixpkgs nixos-unstable home-manager;
|
inherit nixpkgs nixos-unstable home-manager;
|
||||||
pkgs = pkgsDarwin;
|
pkgs = pkgsDarwin;
|
||||||
unstable = unstableDarwin;
|
unstable = unstableDarwin;
|
||||||
system = darwinSystem;
|
system = darwinSystem;
|
||||||
};
|
};
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
nixosConfigurations = {
|
nixosConfigurations = {
|
||||||
architect = utilsX64.host.mkHost {
|
architect = utilsX64.host.mkHost {
|
||||||
name = "architect";
|
name = "architect";
|
||||||
|
@ -3,7 +3,9 @@
|
|||||||
let
|
let
|
||||||
domain = "books.giugl.io";
|
domain = "books.giugl.io";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
in {
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
calibre-web = {
|
calibre-web = {
|
||||||
enable = true;
|
enable = true;
|
||||||
@ -21,7 +23,7 @@ in {
|
|||||||
proxyPass = "http://127.0.0.1:8083";
|
proxyPass = "http://127.0.0.1:8083";
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
client_max_body_size 500M;
|
client_max_body_size 500M;
|
||||||
'';
|
'' + auth_block { access_role = "calibre"; };
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
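Review bot: `auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;` at the top of the first hunk needs `lib` as a module argument, but this module's function header (line 1) is outside the hunk; the media section in this same compare had to add `lib` to `{ pkgs, lib, ... }:`, so confirm this header was updated as well or evaluation fails on an undefined `lib`. The gate is attached only to the `/` location's `extraConfig` (the `proxyPass = "http://127.0.0.1:8083"` block); if the virtual host defines further locations outside the hunk, they are not covered by it. A one-line comment above the concatenation would help the next reader, e.g. `# OIDC login via openid.nix; only users holding the "calibre" role are admitted`.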
|
@ -29,6 +29,7 @@ let
|
|||||||
gitea_tcp
|
gitea_tcp
|
||||||
torrent_a
|
torrent_a
|
||||||
torrent_b
|
torrent_b
|
||||||
|
minecraft_tcp
|
||||||
];
|
];
|
||||||
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
|
open_udp_ports = lib.concatMapStringsSep "," (x: toString x) [
|
||||||
wireguard_udp
|
wireguard_udp
|
||||||
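Review bot: `minecraft_tcp` is appended to the open TCP port list without a definition in view; the enclosing `let` (per the hunk header) starts before line 29, so the binding is presumably there — confirm it, since an unbound name fails evaluation. Because this list opens inbound ports on the host firewall, a trailing comment stating the purpose and the intended interface would help future reviews, e.g. `minecraft_tcp # Minecraft server; check which interface this list applies to` (the interface is not visible in this hunk).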
|
@ -3,7 +3,8 @@
|
|||||||
let
|
let
|
||||||
domain = "git.giugl.io";
|
domain = "git.giugl.io";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services.gitea = {
|
services.gitea = {
|
||||||
enable = true;
|
enable = true;
|
||||||
database.type = "sqlite3";
|
database.type = "sqlite3";
|
||||||
@ -11,7 +12,10 @@ in {
|
|||||||
appName = "Gitea";
|
appName = "Gitea";
|
||||||
rootUrl = "https://${domain}";
|
rootUrl = "https://${domain}";
|
||||||
ssh.clonePort = 22;
|
ssh.clonePort = 22;
|
||||||
settings.server.LFS_START_SERVER = true;
|
settings = {
|
||||||
|
server.LFS_START_SERVER = true;
|
||||||
|
openid.enable_openid_signin = true;
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
services.nginx.virtualHosts.${domain} = {
|
services.nginx.virtualHosts.${domain} = {
|
||||||
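Review bot: `openid.enable_openid_signin = true;` in the second hunk uses a lowercase key, while the neighbouring `server.LFS_START_SERVER = true;` uses the upper-case key name Gitea documents (`ENABLE_OPENID_SIGNIN` under `[openid]`); for consistency, and in case the generated INI key is matched case-sensitively, write `openid.ENABLE_OPENID_SIGNIN = true;`. Enabling OpenID sign-in also leaves OpenID sign-up at Gitea's default, so if this instance is meant to stay closed to self-registration, set `openid.ENABLE_OPENID_SIGNUP = false;` explicitly next to it. The `services.nginx.virtualHosts.${domain}` block that follows is cut off at the end of the hunk.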
|
@ -1,9 +1,11 @@
|
|||||||
{ pkgs, ... }:
|
{ pkgs, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
domain = "media.giugl.io";
|
domain = "media.giugl.io";
|
||||||
in {
|
auth_block = (import ./openid.nix { inherit lib; }).openresty_oidc_block;
|
||||||
|
in
|
||||||
|
{
|
||||||
disabledModules = [ "services/misc/jellyfin.nix" ];
|
disabledModules = [ "services/misc/jellyfin.nix" ];
|
||||||
imports = [ ./modules/jellyfin.nix ];
|
imports = [ ./modules/jellyfin.nix ];
|
||||||
|
|
||||||
@ -17,30 +19,31 @@ in {
|
|||||||
nginx.virtualHosts.${domain} = {
|
nginx.virtualHosts.${domain} = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
extraConfig = ''
|
extraConfig = auth_block { access_role = "jellyfin"; } +
|
||||||
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
''
|
||||||
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
|
# External Javascript (such as cast_sender.js for Chromecast) must be whitelisted.
|
||||||
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
|
#add_header Content-Security-Policy "default-src https: data: blob: http://image.tmdb.org; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' https://www.gstatic.com/cv/js/sender/v1/cast_sender.js https://www.gstatic.com/eureka/clank/95/cast_sender.js https://www.gstatic.com/eureka/clank/96/cast_sender.js https://www.gstatic.com/eureka/clank/97/cast_sender.js https://www.youtube.com blob:; worker-src 'self' blob:; connect-src 'self'; object-src 'none'; frame-ancestors 'self'";
|
||||||
proxy_buffering off;
|
# Disable buffering when the nginx proxy gets very resource heavy upon streaming
|
||||||
'';
|
proxy_buffering off;
|
||||||
|
'';
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
proxyPass = "http://127.0.0.1:8096";
|
proxyPass = "http://127.0.0.1:8096";
|
||||||
# extraConfig = ''
|
# extraConfig = ''
|
||||||
# allow 10.0.0.0/24;
|
# allow 10.0.0.0/24;
|
||||||
# allow 10.3.0.0/24;
|
# allow 10.3.0.0/24;
|
||||||
# deny all;
|
# deny all;
|
||||||
# '';
|
# '';
|
||||||
};
|
};
|
||||||
|
|
||||||
locations."/socket" = {
|
locations."/socket" = {
|
||||||
proxyPass = "http://127.0.0.1:8096";
|
proxyPass = "http://127.0.0.1:8096";
|
||||||
proxyWebsockets = true;
|
proxyWebsockets = true;
|
||||||
# extraConfig = ''
|
# extraConfig = ''
|
||||||
# allow 10.0.0.0/24;
|
# allow 10.0.0.0/24;
|
||||||
# allow 10.3.0.0/24;
|
# allow 10.3.0.0/24;
|
||||||
# deny all;
|
# deny all;
|
||||||
# '';
|
# '';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
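Review bot: `extraConfig = auth_block { access_role = "jellyfin"; } +` in the second hunk puts the OIDC browser login on the whole virtual host, so every request — including `/socket` and whatever non-browser Jellyfin clients send to these `proxyPass` locations — must carry a valid openidc session; native apps would presumably be redirected to the identity provider instead of reaching Jellyfin. The same compare adds a `whitelisted_ips` argument to `openresty_oidc_block`, which is the supported way to exempt trusted sources, so the now-dead `# allow 10.0.0.0/24; ... # deny all;` comments under both locations can either be removed or replaced by `auth_block { access_role = "jellyfin"; whitelisted_ips = [ ... ]; }`. A short comment above the concatenation stating that the gate is host-wide would save the next reader a trip to openid.nix.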
|
@ -1,28 +1,44 @@
|
|||||||
{ pkgs, ... }:
|
{ pkgs, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
domain = "matrix.giugl.io";
|
domain = "runas.rocks";
|
||||||
webui_domain = "chat.giugl.io";
|
webui_domain = "webchat.runas.rocks";
|
||||||
network = import ./network.nix;
|
network = import ./network.nix;
|
||||||
db_name = "matrix-synapse";
|
db_name = "matrix-synapse-runas.rocks";
|
||||||
in {
|
in
|
||||||
|
{
|
||||||
services = {
|
services = {
|
||||||
matrix-synapse = {
|
matrix-synapse = {
|
||||||
enable = true;
|
enable = true;
|
||||||
settings = {
|
settings = {
|
||||||
server_name = "${domain}";
|
server_name = "${domain}";
|
||||||
database_name = db_name;
|
database.args.database = db_name;
|
||||||
public_baseurl = "https://${domain}";
|
public_baseurl = "https://${domain}";
|
||||||
registration_shared_secret = "runas!";
|
registration_shared_secret = "runas!";
|
||||||
url_preview_enabled = true;
|
url_preview_enabled = true;
|
||||||
dynamic_thumbnails = true;
|
dynamic_thumbnails = true;
|
||||||
withJemalloc = true;
|
withJemalloc = true;
|
||||||
# enable_registration = true;
|
|
||||||
app_service_config_files = [
|
app_service_config_files = [
|
||||||
"/var/lib/matrix-synapse/discord-registration.yaml"
|
"/var/lib/matrix-synapse/discord-registration.yaml"
|
||||||
# "/var/lib/matrix-synapse/hookshot-registration.yml"
|
# "/var/lib/matrix-synapse/hookshot-registration.yml"
|
||||||
# "/var/lib/matrix-synapse/telegram-registration.yaml"
|
# "/var/lib/matrix-synapse/telegram-registration.yaml"
|
||||||
];
|
];
|
||||||
|
|
||||||
|
oidc_providers = [{
|
||||||
|
idp_id = "keycloak";
|
||||||
|
idp_name = "Architect SSO";
|
||||||
|
issuer = "https://auth.giugl.io/realms/master";
|
||||||
|
client_id = "synapse";
|
||||||
|
client_secret = "hj7dkbAI75jIeggr1cW0JTRzAdvJUtq6";
|
||||||
|
scopes = [ "openid" "profile" ];
|
||||||
|
user_profile_method = "userinfo_endpoint";
|
||||||
|
user_mapping_provider.config = {
|
||||||
|
localpart_template = "{{ user.preferred_username }}";
|
||||||
|
display_name_template = "{{ user.name }}";
|
||||||
|
};
|
||||||
|
backchannel_logout_enabled = true;
|
||||||
|
}];
|
||||||
|
|
||||||
listeners = [{
|
listeners = [{
|
||||||
port = 8008;
|
port = 8008;
|
||||||
bind_addresses = [ "127.0.0.1" ];
|
bind_addresses = [ "127.0.0.1" ];
|
||||||
@ -35,18 +51,11 @@ in {
|
|||||||
}];
|
}];
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
|
|
||||||
#extraConfig = ''
|
|
||||||
# auto_join_rooms:
|
|
||||||
# - "#general:matrix.giugl.io"
|
|
||||||
# max_upload_size: "50M"
|
|
||||||
#'';
|
|
||||||
};
|
};
|
||||||
|
|
||||||
postgresql = {
|
postgresql = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.postgresql;
|
package = pkgs.postgresql;
|
||||||
ensureDatabases = [ db_name ];
|
|
||||||
ensureUsers = [{
|
ensureUsers = [{
|
||||||
name = db_name;
|
name = db_name;
|
||||||
ensurePermissions = { "DATABASE \"${db_name}\"" = "ALL PRIVILEGES"; };
|
ensurePermissions = { "DATABASE \"${db_name}\"" = "ALL PRIVILEGES"; };
|
||||||
@ -63,22 +72,25 @@ in {
|
|||||||
'';
|
'';
|
||||||
locations."= /.well-known/matrix/server".extraConfig =
|
locations."= /.well-known/matrix/server".extraConfig =
|
||||||
let server = { "m.server" = "${domain}:443"; };
|
let server = { "m.server" = "${domain}:443"; };
|
||||||
in ''
|
in
|
||||||
|
''
|
||||||
add_header Content-Type application/json;
|
add_header Content-Type application/json;
|
||||||
return 200 '${builtins.toJSON server}';
|
return 200 '${builtins.toJSON server}';
|
||||||
'';
|
'';
|
||||||
|
|
||||||
locations."= /.well-known/matrix/client".extraConfig = let
|
locations."= /.well-known/matrix/client".extraConfig =
|
||||||
client = {
|
let
|
||||||
"m.homeserver" = { "base_url" = "https://${domain}:443"; };
|
client = {
|
||||||
"m.identity_server" = { "base_url" = "https://vector.im"; };
|
"m.homeserver" = { "base_url" = "https://${domain}:443"; };
|
||||||
};
|
"m.identity_server" = { "base_url" = "https://vector.im"; };
|
||||||
# ACAO required to allow element-web on any URL to request this json file
|
};
|
||||||
in ''
|
# ACAO required to allow element-web on any URL to request this json file
|
||||||
add_header Content-Type application/json;
|
in
|
||||||
add_header Access-Control-Allow-Origin *;
|
''
|
||||||
return 200 '${builtins.toJSON client}';
|
add_header Content-Type application/json;
|
||||||
'';
|
add_header Access-Control-Allow-Origin *;
|
||||||
|
return 200 '${builtins.toJSON client}';
|
||||||
|
'';
|
||||||
|
|
||||||
locations."/".extraConfig = ''
|
locations."/".extraConfig = ''
|
||||||
return 404;
|
return 404;
|
||||||
@ -88,6 +100,10 @@ in {
|
|||||||
locations."/_matrix" = {
|
locations."/_matrix" = {
|
||||||
proxyPass = "http://127.0.0.1:8008"; # without a trailing /
|
proxyPass = "http://127.0.0.1:8008"; # without a trailing /
|
||||||
};
|
};
|
||||||
|
|
||||||
|
locations."/_synapse" = {
|
||||||
|
proxyPass = "http://127.0.0.1:8008"; # without a trailing /
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# web client
|
# web client
|
||||||
@ -114,7 +130,7 @@ in {
|
|||||||
# It's also possible to use PostgreSQL.
|
# It's also possible to use PostgreSQL.
|
||||||
settings = {
|
settings = {
|
||||||
bridge = {
|
bridge = {
|
||||||
domain = domain;
|
inherit domain;
|
||||||
homeserverUrl = "https://${domain}";
|
homeserverUrl = "https://${domain}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
@ -122,8 +138,8 @@ in {
|
|||||||
};
|
};
|
||||||
|
|
||||||
networking.extraHosts = ''
|
networking.extraHosts = ''
|
||||||
${network.architect-lan} ${domain} ${webui_domain}
|
${network.architect-lan} ${lib.concatStringsSep " " [ domain webui_domain]}
|
||||||
${network.architect-wg} ${domain} ${webui_domain}
|
${network.architect-wg} ${lib.concatStringsSep " " [ domain webui_domain ]}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
}
|
}
|
||||||
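Review bot: `client_secret = "hj7dkbAI75jIeggr1cW0JTRzAdvJUtq6";` in the new `oidc_providers` entry is a live credential committed in plain text; `settings` is rendered into the homeserver config in the world-readable Nix store, so the secret is exposed to every local user and to anyone with read access to this repository's history (the unchanged `registration_shared_secret = "runas!";` a few lines up has the same problem). Rotate the secret in Keycloak and move the `oidc_providers` block into a root-only file referenced via `services.matrix-synapse.extraConfigFiles`, leaving only a comment here such as `# oidc_providers (keycloak) live in <secret-file>.yaml, loaded via extraConfigFiles`. Separately, `ensureDatabases = [ db_name ];` is dropped while `ensurePermissions` still grants on `DATABASE \"matrix-synapse-runas.rocks\"`; nothing in view creates that database any more, so if it is provisioned elsewhere (for example to get the collation Synapse expects), say so in a comment next to `ensureUsers`.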
|
@ -57,7 +57,7 @@ in {
|
|||||||
ExecStart =
|
ExecStart =
|
||||||
"${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}";
|
"${pkgs.beets}/bin/beet -c ${beets_config} import --flat -q ${library_path}";
|
||||||
};
|
};
|
||||||
startAt = "daily";
|
startAt = "weekly";
|
||||||
};
|
};
|
||||||
|
|
||||||
"remove-badmp3" = {
|
"remove-badmp3" = {
|
||||||
|
@ -19,9 +19,9 @@ rec {
|
|||||||
|
|
||||||
proxy-wg = "10.4.0.1";
|
proxy-wg = "10.4.0.1";
|
||||||
architect-wg = "10.3.0.1";
|
architect-wg = "10.3.0.1";
|
||||||
galuminum-wg = "10.3.0.2";
|
giuliopc-wg = "10.3.0.2";
|
||||||
oneplus-wg = "10.3.0.3";
|
giuliophone-wg = "10.3.0.3";
|
||||||
ipad-wg = "10.3.0.4";
|
giuliodeck-wg = "10.3.0.4";
|
||||||
manduria-wg = "10.3.0.5";
|
manduria-wg = "10.3.0.5";
|
||||||
antonio-wg = "10.3.0.6";
|
antonio-wg = "10.3.0.6";
|
||||||
gbeast-wg = "10.3.0.7";
|
gbeast-wg = "10.3.0.7";
|
||||||
@ -57,14 +57,14 @@ rec {
|
|||||||
|
|
||||||
# groups
|
# groups
|
||||||
gdevices-wg =
|
gdevices-wg =
|
||||||
[ galuminum-wg oneplus-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
|
[ giuliopc-wg giuliophone-wg gbeast-wg peppiniell-wg kclvm-wg ] ++ routers-wg;
|
||||||
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
|
routers-wg = [ hotpottino-wg angellane-wg dodino-wg ];
|
||||||
c2c-wg = [ ] ++ gdevices-wg;
|
c2c-wg = [ ] ++ gdevices-wg;
|
||||||
towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ]
|
towan-wg = [ shield-wg parisaphone-wg parisapc-wg parina-wg parina-ipad-wg ]
|
||||||
++ gdevices-wg ++ routers-wg;
|
++ gdevices-wg ++ routers-wg;
|
||||||
gamenet-wg = [
|
gamenet-wg = [
|
||||||
andrew-wg
|
andrew-wg
|
||||||
galuminum-wg
|
giuliopc-wg
|
||||||
gbeast-wg
|
gbeast-wg
|
||||||
mikey-wg
|
mikey-wg
|
||||||
andrewdesktop-wg
|
andrewdesktop-wg
|
||||||
|
@ -1,6 +1,24 @@
|
|||||||
{ services, pkgs, lib, ... }:
|
{ services, pkgs, lib, ... }:
|
||||||
|
let
|
||||||
|
serviceSkeleton = { default ? false }: {
|
||||||
|
inherit default;
|
||||||
|
|
||||||
{
|
enableACME = true;
|
||||||
|
forceSSL = true;
|
||||||
|
root = "/var/lib/nginx/error_pages";
|
||||||
|
extraConfig = "error_page 404 /index.htm;";
|
||||||
|
|
||||||
|
locations = {
|
||||||
|
"/" = { return = "404"; };
|
||||||
|
|
||||||
|
"/index.htm" = { };
|
||||||
|
|
||||||
|
"/style.css" = { };
|
||||||
|
|
||||||
|
"/wat.jpg" = { };
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in {
|
||||||
services.nginx = {
|
services.nginx = {
|
||||||
enable = true;
|
enable = true;
|
||||||
package = pkgs.openresty;
|
package = pkgs.openresty;
|
||||||
@ -9,61 +27,59 @@
|
|||||||
recommendedProxySettings = true;
|
recommendedProxySettings = true;
|
||||||
recommendedTlsSettings = true;
|
recommendedTlsSettings = true;
|
||||||
|
|
||||||
virtualHosts."architect.devs.giugl.io" = {
|
virtualHosts."architect.devs.giugl.io" = serviceSkeleton { default = true; };
|
||||||
default = true;
|
virtualHosts."runas.rocks" = serviceSkeleton {};
|
||||||
enableACME = true;
|
|
||||||
addSSL = true;
|
|
||||||
root = "/var/lib/nginx/error_pages";
|
|
||||||
extraConfig = "error_page 404 /index.htm;";
|
|
||||||
|
|
||||||
locations = {
|
appendHttpConfig =
|
||||||
"/" = { return = "404"; };
|
let
|
||||||
|
extraPureLuaPackages = with pkgs.luajitPackages; [
|
||||||
|
lua-resty-openidc
|
||||||
|
lua-resty-http
|
||||||
|
lua-resty-session
|
||||||
|
lua-resty-jwt
|
||||||
|
lua-resty-openssl
|
||||||
|
];
|
||||||
|
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
|
||||||
|
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
|
||||||
|
in
|
||||||
|
''
|
||||||
|
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
|
||||||
|
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
|
||||||
|
lua_ssl_verify_depth 5;
|
||||||
|
|
||||||
"/index.htm" = { };
|
# cache for OIDC discovery metadata
|
||||||
|
lua_shared_dict discovery 1m;
|
||||||
|
lua_shared_dict jwks 1m;
|
||||||
|
|
||||||
"/style.css" = { };
|
# https://github.com/openresty/lua-resty-redis/issues/159
|
||||||
|
resolver local=on ipv6=off;
|
||||||
|
|
||||||
"/wat.jpg" = { };
|
init_worker_by_lua_block {
|
||||||
};
|
function check_role (res, role)
|
||||||
};
|
if res.user.roles == nil then
|
||||||
appendHttpConfig = let
|
return false
|
||||||
extraPureLuaPackages = with pkgs.luajitPackages; [
|
end
|
||||||
lua-resty-openidc
|
|
||||||
lua-resty-http
|
|
||||||
lua-resty-session
|
|
||||||
lua-resty-jwt
|
|
||||||
lua-resty-openssl
|
|
||||||
];
|
|
||||||
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
|
|
||||||
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
|
|
||||||
in ''
|
|
||||||
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
|
|
||||||
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
|
|
||||||
lua_ssl_verify_depth 5;
|
|
||||||
|
|
||||||
# cache for OIDC discovery metadata
|
for _,v in pairs(res.user.roles) do
|
||||||
lua_shared_dict discovery 1m;
|
if string.lower(v) == role then
|
||||||
lua_shared_dict jwks 1m;
|
return true
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
# https://github.com/openresty/lua-resty-redis/issues/159
|
return false
|
||||||
resolver local=on ipv6=off;
|
|
||||||
|
|
||||||
init_worker_by_lua_block {
|
|
||||||
function check_role (res, role)
|
|
||||||
if res.user.roles == nil then
|
|
||||||
return false
|
|
||||||
end
|
|
||||||
|
|
||||||
for _,v in pairs(res.user.roles) do
|
|
||||||
if string.lower(v) == role then
|
|
||||||
return true
|
|
||||||
end
|
end
|
||||||
end
|
|
||||||
|
|
||||||
return false
|
function is_ip_whitelisted(ip, whitelist)
|
||||||
end
|
for _, x in ipairs(whitelist) do
|
||||||
}
|
if ip == x then
|
||||||
'';
|
return true
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
||||||
|
return false
|
||||||
|
end
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
|
||||||
appendConfig = ''
|
appendConfig = ''
|
||||||
worker_processes 24;
|
worker_processes 24;
|
||||||
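Review bot: The new `is_ip_whitelisted(ip, whitelist)` in `init_worker_by_lua_block` compares `ip == x` as plain strings, so entries must be exact single addresses (no CIDR ranges, and a differently normalised IPv6 literal will not match); it is consumed from openid.nix with `ngx.var.remote_addr`, and that contract is not written down anywhere. Add a Lua comment above it, e.g. `-- exact string match against remote_addr; entries are single IP literals, not CIDR ranges`. Also, the `serviceSkeleton` helper switches the default host from the old `addSSL = true;` to `forceSSL = true;`, which now redirects every plain-HTTP request hitting the catch-all host; if that is intended it deserves a mention in the commit message rather than being implied by the refactor.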
|
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
{
|
{
|
||||||
openresty_oidc_block =
|
openresty_oidc_block =
|
||||||
{ access_role ? "" }: ''
|
{ access_role ? "", whitelisted_ips ? [] }: ''
|
||||||
access_by_lua_block {
|
access_by_lua_block {
|
||||||
local opts = {
|
local opts = {
|
||||||
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
|
discovery = "https://auth.giugl.io/realms/master/.well-known/openid-configuration",
|
||||||
@ -12,26 +12,37 @@
|
|||||||
redirect_after_logout_uri = "/",
|
redirect_after_logout_uri = "/",
|
||||||
redirect_uri = "/redirect_uri",
|
redirect_uri = "/redirect_uri",
|
||||||
keepalive = "yes",
|
keepalive = "yes",
|
||||||
accept_none_alg = true
|
accept_none_alg = true,
|
||||||
}
|
revoke_tokens_on_logout = true,
|
||||||
|
-- access token valid for a day
|
||||||
|
access_token_expires_in = 86400
|
||||||
|
}
|
||||||
|
|
||||||
-- call introspect for OAuth 2.0 Bearer Access Token validation
|
${lib.optionalString (whitelisted_ips != []) ''
|
||||||
local res, err = require("resty.openidc").authenticate(opts)
|
local whitelist = {${lib.strings.concatMapStringsSep "," (x: "\"${x}\"") whitelisted_ips}}
|
||||||
|
|
||||||
if err then
|
if is_ip_whitelisted(ngx.var.remote_addr, whitelist) then
|
||||||
ngx.status = 403
|
return
|
||||||
ngx.say(err)
|
end
|
||||||
ngx.exit(ngx.HTTP_FORBIDDEN)
|
''}
|
||||||
end
|
|
||||||
|
|
||||||
${lib.optionalString (access_role != "") ''
|
-- call introspect for OAuth 2.0 Bearer Access Token validation
|
||||||
if not check_role(res, "${access_role}") then
|
local res, err = require("resty.openidc").authenticate(opts)
|
||||||
ngx.status = 401
|
|
||||||
ngx.header.content_type = 'text/html';
|
if err then
|
||||||
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
|
ngx.status = 403
|
||||||
ngx.exit(ngx.HTTP_UNAUTHORIZED)
|
ngx.say(err)
|
||||||
|
ngx.exit(ngx.HTTP_FORBIDDEN)
|
||||||
end
|
end
|
||||||
''}
|
|
||||||
|
${lib.optionalString (access_role != "") ''
|
||||||
|
if not check_role(res, "${access_role}") then
|
||||||
|
ngx.status = 401
|
||||||
|
ngx.header.content_type = 'text/html';
|
||||||
|
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
|
||||||
|
ngx.exit(ngx.HTTP_UNAUTHORIZED)
|
||||||
|
end
|
||||||
|
''}
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
}
|
}
|
||||||
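Review bot: The new whitelist branch runs before `require("resty.openidc").authenticate(opts)`, so a matching `ngx.var.remote_addr` bypasses both the login and the `access_role` check; `remote_addr` is the immediate TCP peer, so if this host sits behind another proxy hop the address seen here is that hop's rather than the client's, and a whitelist entry for it would admit everything it forwards. A comment stating this would help, e.g. `-- whitelisted peers skip OIDC and the role check entirely; remote_addr is the direct peer, not X-Forwarded-For`. The Nix interpolation `(x: "\"${x}\"")` drops each entry into a Lua string literal unescaped, which is fine for the IP literals from network.nix but is an assumption worth noting. Finally, `accept_none_alg = true,` (touched here only for the trailing comma) tells lua-resty-openidc to accept unsigned ID tokens; a Keycloak issuer signs its tokens, so unless there is a specific reason for it the default `false` is the safer setting.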
|
@ -2,9 +2,8 @@ with import ./network.nix; {
|
|||||||
networking = {
|
networking = {
|
||||||
extraHosts = ''
|
extraHosts = ''
|
||||||
${architect-wg} architect.devs.giugl.io
|
${architect-wg} architect.devs.giugl.io
|
||||||
${galuminum-wg} galuminum.devs.giugl.io
|
${giuliopc-wg} giuliopc.devs.giugl.io
|
||||||
${oneplus-wg} oneplus.devs.giugl.io
|
${giuliophone-wg} giuliophone.devs.giugl.io
|
||||||
${ipad-wg} ipad.devs.giugl.io
|
|
||||||
${manduria-wg} manduria.devs.giugl.io
|
${manduria-wg} manduria.devs.giugl.io
|
||||||
${antonio-wg} antonio.devs.giugl.io
|
${antonio-wg} antonio.devs.giugl.io
|
||||||
${gbeast-wg} gbeast.devs.giugl.io
|
${gbeast-wg} gbeast.devs.giugl.io
|
||||||
@ -34,6 +33,7 @@ with import ./network.nix; {
|
|||||||
${parina-ipad-wg} parinaipad.devs.giugl.io
|
${parina-ipad-wg} parinaipad.devs.giugl.io
|
||||||
${nilo-wg} nilo.devs.giugl.io
|
${nilo-wg} nilo.devs.giugl.io
|
||||||
${kclvm-wg} kclvm.devs.giugl.io
|
${kclvm-wg} kclvm.devs.giugl.io
|
||||||
|
${giuliodeck-wg} giuliodeck.devs.giugl.io
|
||||||
'';
|
'';
|
||||||
|
|
||||||
wireguard = {
|
wireguard = {
|
||||||
@ -55,23 +55,17 @@ with import ./network.nix; {
|
|||||||
|
|
||||||
peers = [
|
peers = [
|
||||||
{
|
{
|
||||||
# gAluminum
|
# giuliopc
|
||||||
allowedIPs = [ galuminum-wg ];
|
allowedIPs = [ giuliopc-wg ];
|
||||||
publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
|
publicKey = "pEEgSs7xmO0cfyvoQlU8lfwqdYM1ISgmPAunPtF+0xw=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
{
|
||||||
# OnePlus
|
# giuliophone
|
||||||
allowedIPs = [ oneplus-wg ];
|
allowedIPs = [ giuliophone-wg ];
|
||||||
publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
|
publicKey = "zynSERy6VhxN5zBf1ih3BOAHxvigDixHB9YKnSBgYFs=";
|
||||||
}
|
}
|
||||||
|
|
||||||
{
|
|
||||||
# iPad
|
|
||||||
allowedIPs = [ ipad-wg ];
|
|
||||||
publicKey = "DPpd+P/hV1XLuvdcrCRv1sgz8BeZt1y5D6VehNuhjSQ=";
|
|
||||||
}
|
|
||||||
|
|
||||||
{
|
{
|
||||||
# Manduria
|
# Manduria
|
||||||
allowedIPs = [ manduria-wg ];
|
allowedIPs = [ manduria-wg ];
|
||||||
@ -263,6 +257,11 @@ with import ./network.nix; {
|
|||||||
allowedIPs = [ kclvm-wg ];
|
allowedIPs = [ kclvm-wg ];
|
||||||
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
|
publicKey = "jVBaY8AhgAA7myVjU/PJPDUCOjsCi23LT+pGZUoNEkE=";
|
||||||
}
|
}
|
||||||
|
{
|
||||||
|
# Giulio's Deck
|
||||||
|
allowedIPs = [ giuliodeck-wg ];
|
||||||
|
publicKey = "7TGYsYvElTLY3V7qJfggkF+kFG7Y5sUsHA88h0cYJx0=";
|
||||||
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|