

No commits in common. "dbe6b5956f4fc8f5b9780023fb92a9c54e59ea13" and "2d135b743cf34ee3722c0b46c40a75edc53023a4" have entirely different histories.

12 changed files with 39 additions and 240 deletions


@ -3,7 +3,6 @@
let
domain = "htbaz.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
bazarr = {
@ -16,12 +15,11 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:6767";
extraConfig = auth_block {
realm = "master";
client_id = "bazarr";
client_secret = "OPn4Mmto2m3dDPji1cjPfHy9W55M9JFq";
redirect_uri = "https://${domain}";
};
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};
};
};
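Review bot: The new allow/deny block makes network location the only access control on this vhost: `allow 10.0.0.0/24;` plus the generated `allow` lines for `network.gdevices-wg` are matched before `deny all;`, so every host on that subnet and every listed WireGuard peer reaches the proxied UI without the per-user OIDC check the removed `auth_block` performed. Whether Bazarr's own login is enabled is not visible here; confirm it, otherwise the IP list is the sole gate. The same replacement is made in the deluge, lidarr, nzbget, radarr and sonarr sections of this compare. The block also references `lib`, which the module's argument set on line 1 (outside the hunk) must declare; `nginx.nix` in this compare drops `lib` from its own set, so check each of these files separately. The `client_secret` literals removed here stay in repository history, so treat them as disclosed and revoke those Keycloak clients if that realm is still served anywhere.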


@ -3,7 +3,6 @@
let
domain = "htdel.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
deluge = {
@ -33,17 +32,13 @@ in {
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8112";
extraConfig = auth_block {
realm = "master";
client_id = "deluge";
client_secret = "AGa1U9S1zkaM3TJVxtyx4Er76DBk1APR";
redirect_uri = "https://${domain}";
};
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};
};
};


@ -1,78 +0,0 @@
{ pkgs, config, ... }:
let
network = import ./network.nix;
domain = "auth.giugl.io";
in {
services = {
keycloak = {
enable = true;
initialAdminPassword = "giulio";
database.passwordFile = "/secrets/keycloak/database.key";
settings = {
hostname = domain;
proxy = "edge";
http-port = 6654;
https-port = 6655;
hostname-strict-backchannel = true;
};
};
postgresql = {
ensureDatabases =
[ "${toString config.services.keycloak.database.name}" ];
ensureUsers = [{
name = "${toString config.services.keycloak.database.username}";
ensurePermissions = {
"DATABASE ${toString config.services.keycloak.database.name}" =
"ALL PRIVILEGES";
};
}];
};
nginx.virtualHosts.${domain} = {
forceSSL = true;
enableACME = true;
locations = {
"/" = { return = "301 https://${domain}/realms/master/account"; };
"/admin" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/js" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/realms" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/resources" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
"/robots.txt" = {
proxyPass = "http://127.0.0.1:${
toString config.services.keycloak.settings.http-port
}";
};
};
};
};
networking.extraHosts = ''
${network.architect-lan} ${domain}
${network.architect-wg} ${domain}
'';
}


@ -3,7 +3,6 @@
let
domain = "htlid.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
lidarr = {
@ -16,12 +15,12 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8686";
extraConfig = auth_block {
realm = "master";
client_id = "lidarr";
client_secret = "7s4dd1SEi84F4fUFsqRaQmSSucZhyTco";
redirect_uri = "https://${domain}";
};
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
deny 10.0.0.1;
'';
};
};
};
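Review bot: `deny 10.0.0.1;` on the last line of the new extraConfig is unreachable: nginx evaluates allow/deny directives in order and stops at the first match, so 10.0.0.1 is already accepted by the preceding `allow 10.0.0.0/24;`, and `deny all;` has caught everything else before that line. Put the host rule ahead of the subnet rule, `deny 10.0.0.1;` followed by `allow 10.0.0.0/24;`, and drop the trailing line. Lidarr is the only one of the six vhost files in this compare that carries this extra deny, so excluding 10.0.0.1 looks intentional; the order just needs to reflect that.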


@ -3,34 +3,24 @@
let
domain = "cloud.giugl.io";
network = import ./network.nix;
redis_port = 6379;
in {
services = {
mysql = {
enable = true;
package = pkgs.unstable.mysql80;
};
mysql.enable = true;
mysql.package = pkgs.unstable.mysql80;
redis = {
vmOverCommit = true;
servers."nextcloud" = {
enable = true;
port = redis_port;
};
};
redis.servers."default".enable = true;
nextcloud = {
enable = true;
hostName = domain;
hostName = "${domain}";
https = true;
package = pkgs.unstable.nextcloud24;
caching = {
redis = true;
};
caching.redis = true;
autoUpdateApps.enable = true;
autoUpdateApps.startAt = "05:00:00";
logLevel = 1;
config = {
overwriteProtocol = "https";


@ -1,9 +1,8 @@
{ services, pkgs, lib, ... }:
{ services, ... }:
{
services.nginx = {
enable = true;
package = pkgs.openresty;
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
@ -26,45 +25,6 @@
"/wat.jpg" = { };
};
};
appendHttpConfig = let
extraPureLuaPackages = with pkgs.luajitPackages; [
lua-resty-openidc
lua-resty-http
lua-resty-session
lua-resty-jwt
lua-resty-openssl
];
luaPath = pkg: "${pkg}/share/lua/5.1/?.lua";
makeLuaPath = lib.concatMapStringsSep ";" luaPath;
in ''
lua_package_path '${makeLuaPath extraPureLuaPackages};;';
lua_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
lua_ssl_verify_depth 5;
# cache for OIDC discovery metadata
lua_shared_dict discovery 1m;
lua_shared_dict jwks 1m;
# https://github.com/openresty/lua-resty-redis/issues/159
resolver local=on ipv6=off;
init_worker_by_lua_block {
function check_role (res, role)
if res.user.roles == nil then
return false
end
for _,v in pairs(res.user.roles) do
if string.lower(v) == role then
return true
end
end
return false
end
}
'';
appendConfig = ''
worker_processes 24;
'';
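Review bot: The argument set is reduced to `{ services, ... }:` in the first hunk, but lines 10–25 of the file sit between the two hunks and are not shown; any remaining use of `pkgs` or `lib` there (the old header declared both) will now fail at evaluation. Worth grepping the whole file rather than just the hunks before merging. The enclosing `services.nginx = {` attribute set closes outside the second hunk.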


@ -3,7 +3,6 @@
let
domain = "htnzb.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
nzbget = {
@ -16,12 +15,11 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:6789";
extraConfig = auth_block {
realm = "master";
client_id = "nzbget";
client_secret = "tkjzdqnUoWTlGUYah5tgMqVPFMlOUvk9";
redirect_uri = "https://${domain}";
};
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};
};
};


@ -1,37 +0,0 @@
{ lib }:
{
openresty_oidc_block =
{ realm, client_id, client_secret, redirect_uri, access_role ? "" }: ''
access_by_lua_block {
local opts = {
discovery = "https://auth.giugl.io/realms/${realm}/.well-known/openid-configuration",
client_id = "${client_id}",
client_secret = "${client_secret}",
logout_path = "/logout",
redirect_after_logout_uri = "/",
redirect_uri = "/redirect_uri",
keepalive = "yes",
accept_none_alg = true
}
-- call introspect for OAuth 2.0 Bearer Access Token validation
local res, err = require("resty.openidc").authenticate(opts)
if err then
ngx.status = 403
ngx.say(err)
ngx.exit(ngx.HTTP_FORBIDDEN)
end
${lib.optionalString (access_role != "") ''
if not check_role(res, "${access_role}") then
ngx.status = 401
ngx.header.content_type = 'text/html';
ngx.say("You are not authorized to access this page. Please contact Er Pepotto.")
ngx.exit(ngx.HTTP_UNAUTHORIZED)
end
''}
}
'';
}


@ -3,7 +3,6 @@
let
domain = "htrad.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
radarr = {
@ -16,12 +15,11 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:7878";
extraConfig = auth_block {
realm = "master";
client_id = "radarr";
client_secret = "DCoeN4PwqGrAoG6Mqw73orrUjojJ1fmn";
redirect_uri = "https://${domain}";
};
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};
};
};


@ -3,7 +3,6 @@
let
domain = "htson.giugl.io";
network = import ./network.nix;
auth_block = (import ./openid.nix).openresty_oidc_block;
in {
services = {
sonarr = {
@ -16,12 +15,11 @@ in {
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:8989";
extraConfig = auth_block {
realm = "master";
client_id = "sonarr";
client_secret = "d36ehMSPCI3xLfOGNcnSUKZWQblyGumi";
redirect_uri = "https://${domain}";
};
extraConfig = ''
allow 10.0.0.0/24;
${lib.concatMapStrings (x: "allow ${x};") network.gdevices-wg}
deny all;
'';
};
};
};


@ -1,7 +1,7 @@
{ config, pkgs, ... }:
{
imports = [ ./zsh.nix ./git.nix ./helix.nix ];
imports = [ ./zsh.nix ./git.nix ./neovim.nix ];
home = { packages = with pkgs; [ rizin sshfs victor-mono home-manager ]; };
}
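Review bot: `./neovim.nix` is added to `imports` but is not among the 12 files in this compare, so it must already exist next to this file in the target tree or evaluation fails at import; the `./helix.nix` it replaces is deleted in the same compare. Confirm the new file is present rather than discovering it at switch time.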


@ -1,22 +0,0 @@
{ config, pkgs, ... }:
{
home = {
sessionVariables = {
EDITOR = "hx";
VISUAL = "hx";
};
file.".config/helix/config.toml".text = ''
theme = "monokai"
'';
packages = with pkgs.unstable; [
helix
clang-tools
rust-analyzer
rnix-lsp
python310Packages.python-lsp-server
];
};
}