peperunas/nixos
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Compare commits

base: peperunas:dbe6b5956f4fc8f5b9780023fb92a9c54e59ea13
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit
..
compare: peperunas:2d135b743cf34ee3722c0b46c40a75edc53023a4
Branches Tags
peperunas:master
peperunas:nixos-21.11
peperunas:laptopshit

No commits in common. "dbe6b5956f4fc8f5b9780023fb92a9c54e59ea13" and "2d135b743cf34ee3722c0b46c40a75edc53023a4" have entirely different histories.
dbe6b5956f ... 2d135b743c

12 changed files with 39 additions and 240 deletions
Show Stats Expand all files Collapse all files

12
hosts/architect/bazarr.nix
View File

@ -3,7 +3,6 @@
let
domain = "htbaz.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
bazarr = {
@ -16,12 +15,11 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:6767";
extraConfig = auth_block {
realm = "master";
client_id = "bazarr";
client_secret = "OPn4Mmto2m3dDPji1cjPfHy9W55M9JFq";
redirect_uri = "https://${domain}";
};
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};
};
};

15
hosts/architect/deluge.nix
View File

@ -3,7 +3,6 @@
let
domain = "htdel.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
deluge = {
@ -33,17 +32,13 @@ in {
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8112";
extraConfig = auth_block {
realm = "master";
client_id = "deluge";
client_secret = "AGa1U9S1zkaM3TJVxtyx4Er76DBk1APR";
redirect_uri = "https://${domain}";
};
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};
};
};

78
hosts/architect/keycloak.nix
View File

@ -1,78 +0,0 @@
{ pkgs, config, ... }:
let
network = import ./network.nix;
domain = "auth.giugl.io";
in {
services = {
keycloak = {
enable = true;
initialAdminPassword = "giulio";
database.passwordFile = "/secrets/keycloak/database.key";
settings = {
hostname = domain;
proxy = "edge";
http-port = 6654;
https-port = 6655;
hostname-strict-backchannel = true;
};
};
postgresql = {
ensureDatabases =
[ "${toString config.services.keycloak.database.name}" ];
ensureUsers = [{
name = "${toString config.services.keycloak.database.username}";
ensurePermissions = {
"DATABASE ${toString config.services.keycloak.database.name}" =
"ALL PRIVILEGES";
};
}];
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations = {
"/" = { return = "301 https://${domain}/realms/master/account"; };
"/admin" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/js" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/realms" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/resources" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/robots.txt" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
}

13
hosts/architect/lidarr.nix
View File

@ -3,7 +3,6 @@
let
domain = "htlid.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
lidarr = {
@ -16,12 +15,12 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8686";
extraConfig = auth_block {
realm = "master";
client_id = "lidarr";
client_secret = "7s4dd1SEi84F4fUFsqRaQmSSucZhyTco";
redirect_uri = "https://${domain}";
};
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
deny 10.0.0.1;
'';
};
};
};

22
hosts/architect/nextcloud.nix
View File

@ -3,34 +3,24 @@
let
domain = "cloud.giugl.io";
network = import ./network.nix;
redis_port = 6379;
in {
services = {
mysql = {
enable = true;
package = pkgs.unstable.mysql80;
};
mysql.enable = true;
mysql.package = pkgs.unstable.mysql80;
redis = {
vmOverCommit = true;
servers."nextcloud" = {
enable = true;
port = redis_port;
};
};
redis.servers."default".enable = true;
nextcloud = {
enable = true;
hostName = domain;
hostName = "${domain}";
https = true;
package = pkgs.unstable.nextcloud24;
caching = {
redis = true;
};
caching.redis = true;
autoUpdateApps.enable = true;
autoUpdateApps.startAt = "05:00:00";
logLevel = 1;
config = {
overwriteProtocol = "https";

42
hosts/architect/nginx.nix
View File

@ -1,9 +1,8 @@
{ services, pkgs, lib, ... }:
{ services, ... }:
{
services.nginx = {
enable = true;
package = pkgs.openresty;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
@ -26,45 +25,6 @@
"/wat.jpg" = { };
};
};
appendHttpConfig = let
extraPureLuaPackages = with pkgs.luajitPackages; [
lua-resty-openidc
lua-resty-http
lua-resty-session
lua-resty-jwt
lua-resty-openssl
];
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
in ''
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
# cache for OIDC discovery metadata
lua_shared_dict discovery 1m;
lua_shared_dict jwks 1m;
# https://github.com/openresty/lua-resty-redis/issues/159
resolver local=on ipv6=off;
init_worker_by_lua_block {
function check_role (res, role)
if res.user.roles == nil then
return false
end
for _,v in pairs(res.user.roles) do
if string.lower(v) == role then
return true
end
end
return false
end
}
'';
appendConfig = ''
worker_processes 24;
'';

12
hosts/architect/nzbget.nix
View File

@ -3,7 +3,6 @@
let
domain = "htnzb.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
nzbget = {
@ -16,12 +15,11 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:6789";
extraConfig = auth_block {
realm = "master";
client_id = "nzbget";
client_secret = "tkjzdqnUoWTlGUYah5tgMqVPFMlOUvk9";
redirect_uri = "https://${domain}";
};
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};
};
};

37
hosts/architect/openid.nix
View File

@ -1,37 +0,0 @@
{ lib }:
{
openresty_oidc_block =
{ realm, client_id, client_secret, redirect_uri, access_role ? "" }: ''
access_by_lua_block {
local opts = {
discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
client_id = "${client_id}",
client_secret = "${client_secret}",
logout_path = "/logout",
redirect_after_logout_uri = "/",
redirect_uri = "/redirect_uri",
keepalive = "yes",
accept_none_alg = true
}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
${lib.optionalString (access_role != "") ''
if not check_role(res, "${access_role}") then
ngx.status = 401
ngx.header.content_type = 'text/html';
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
''}
}
'';
}

12
hosts/architect/radarr.nix
View File

@ -3,7 +3,6 @@
let
domain = "htrad.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
radarr = {
@ -16,12 +15,11 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:7878";
extraConfig = auth_block {
realm = "master";
client_id = "radarr";
client_secret = "DCoeN4PwqGrAoG6Mqw73orrUjojJ1fmn";
redirect_uri = "https://${domain}";
};
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};
};
};

12
hosts/architect/sonarr.nix
View File

@ -3,7 +3,6 @@
let
domain = "htson.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
sonarr = {
@ -16,12 +15,11 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8989";
extraConfig = auth_block {
realm = "master";
client_id = "sonarr";
client_secret = "d36ehMSPCI3xLfOGNcnSUKZWQblyGumi";
redirect_uri = "https://${domain}";
};
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};
};
};

2
roles/home/common.nix
View File

@ -1,7 +1,7 @@
{ config, pkgs, ... }:
{
imports = [ ./zsh.nix ./git.nix ./helix.nix ];
imports = [ ./zsh.nix ./git.nix ./neovim.nix ];
home = { packages = with pkgs; [ rizin sshfs victor-mono home-manager ]; };
}

22
roles/home/helix.nix
View File

@ -1,22 +0,0 @@
{ config, pkgs, ... }:
{
home = {
sessionVariables = {
EDITOR = "hx";
VISUAL = "hx";
};
file.".config/helix/config.toml".text = ''
theme = "monokai"
'';
packages = with pkgs.unstable; [
helix
clang-tools
rust-analyzer
rnix-lsp
python310Packages.python-lsp-server
];
};
}