Compare commits
3 Commits
158f0cb7ee
...
99b6c6ac27
Author | SHA1 | Date |
---|---|---|
Felix Albrigtsen | 99b6c6ac27 | |
Felix Albrigtsen | 70959b5092 | |
Felix Albrigtsen | 6653de02e5 |
|
@ -31,7 +31,7 @@ Other installed packages and tools are described in the config files (like ./hos
|
|||
- [Hedgedoc](https://md.feal.no) ([source](./hosts/defiant/services/hedgedoc.nix)) - Collaborative markdown notes editor
|
||||
- HomeAssistant ([source](./hosts/defiant/services/home-assistant.nix))- Home automation / IOT controller
|
||||
- [VaultWarden](https://pw.feal.no) ([source](./hosts/defiant/services/vaultwarden.nix)) - BitWarden Password Manager backend
|
||||
- [Kanidm](https://auth.feal.no) ([source](./hosts/voyager/services/kanidm.nix)) - Authentication provider with support for OAuth2/OIDC, LDAPS, SSH, etc.
|
||||
- [KeyCloak](https://iam.feal.no) ([source](./hosts/defiant/services/nextcloud.nix)) - Authentication provider, giving SSO with OIDC or SAML
|
||||
- [Jellyfin](https://jf.feal.no) ([source](./hosts/voyager/services/jellyfin.nix)) - Local media streaming
|
||||
|
||||
## Networking
|
||||
|
|
|
@ -164,11 +164,11 @@
|
|||
},
|
||||
"nixpkgs_3": {
|
||||
"locked": {
|
||||
"lastModified": 1717144377,
|
||||
"narHash": "sha256-F/TKWETwB5RaR8owkPPi+SPJh83AQsm6KrQAlJ8v/uA=",
|
||||
"lastModified": 1718086528,
|
||||
"narHash": "sha256-hoB7B7oPgypePz16cKWawPfhVvMSXj4G/qLsfFuhFjw=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "805a384895c696f802a9bf5bf4720f37385df547",
|
||||
"rev": "47b604b07d1e8146d5398b42d3306fdebd343986",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
|
@ -55,7 +55,6 @@ in {
|
|||
systemd.services.hedgedoc = {
|
||||
requires = [
|
||||
"postgresql.service"
|
||||
# "kanidm.service"
|
||||
];
|
||||
serviceConfig = let
|
||||
workDir = "/var/lib/hedgedoc";
|
||||
|
|
|
@ -54,14 +54,6 @@ in {
|
|||
'';
|
||||
} // overrides;
|
||||
in {
|
||||
"auth.feal.no" = publicProxy "" {
|
||||
locations."/" = {
|
||||
proxyPass = "https://voyager.home.feal.no:8300";
|
||||
extraConfig = ''
|
||||
proxy_ssl_verify off;
|
||||
'';
|
||||
};
|
||||
};
|
||||
"cloud.feal.no" = publicProxy "" {
|
||||
locations."/" = {
|
||||
proxyPass = "http://voyager.home.feal.no";
|
||||
|
|
|
@ -38,7 +38,7 @@
|
|||
};
|
||||
};
|
||||
|
||||
# TODO: kanidm, timemachine, calibre(?), nextcloud
|
||||
# TODO: timemachine, nextcloud, komga, calibre
|
||||
|
||||
};
|
||||
|
||||
|
|
|
@ -13,7 +13,6 @@
|
|||
./services/calibre.nix
|
||||
./services/fancontrol.nix
|
||||
./services/jellyfin.nix
|
||||
./services/kanidm.nix
|
||||
./services/komga.nix
|
||||
./services/nextcloud.nix
|
||||
./services/nginx
|
||||
|
|
|
@ -1,36 +0,0 @@
|
|||
{ config, pkgs, lib, ... }:
|
||||
let
|
||||
cfg = config.services.kanidm;
|
||||
certPath = "/etc/ssl-snakeoil/auth_feal_no";
|
||||
ldapbindaddress = "0.0.0.0:636";
|
||||
in {
|
||||
# Kanidm - Identity management / auth provider
|
||||
services.kanidm = {
|
||||
enableServer = true;
|
||||
serverSettings = {
|
||||
origin = "https://${cfg.serverSettings.domain}";
|
||||
domain = "auth.feal.no";
|
||||
bindaddress = "0.0.0.0:8300";
|
||||
inherit ldapbindaddress;
|
||||
|
||||
tls_chain = "/run/credentials/kanidm.service/cert.crt";
|
||||
tls_key = "/run/credentials/kanidm.service/cert.key";
|
||||
};
|
||||
};
|
||||
|
||||
systemd.services.kanidm = {
|
||||
serviceConfig.LoadCredential = [
|
||||
"cert.crt:${certPath}.crt"
|
||||
"cert.key:${certPath}.key"
|
||||
];
|
||||
};
|
||||
|
||||
environment = {
|
||||
systemPackages = [ pkgs.kanidm ];
|
||||
etc."kanidm/config".text = ''
|
||||
uri="${cfg.serverSettings.origin}"
|
||||
'';
|
||||
};
|
||||
|
||||
networking.firewall.allowedTCPPorts = [ 8300 ];
|
||||
}
|
|
@ -21,10 +21,33 @@ in {
|
|||
};
|
||||
|
||||
settings = {
|
||||
trusted_proxies = [ "192.168.10.175" ]; # defiant
|
||||
default_phone_region = "NO";
|
||||
log_type = "file";
|
||||
overwriteprotocol = "https";
|
||||
trusted_proxies = [ "192.168.10.175" ]; # defiant
|
||||
|
||||
# Docs: https://github.com/pulsejet/nextcloud-oidc-login
|
||||
oidc_login_auto_redirect = true;
|
||||
oidc_login_button_text = "Log in with KeyCloak";
|
||||
oidc_login_client_id = "nextcloud";
|
||||
oidc_login_client_secret = "dont_put_secrets_here_use_secretFile";
|
||||
oidc_login_code_challenge_method = "S256";
|
||||
oidc_login_end_session_redirect' = true;
|
||||
oidc_login_logout_url = "https://cloud.feal.no/apps/oidc_login/oidc";
|
||||
oidc_login_provider_url = "https://iam.feal.no/realms/feal.no";
|
||||
oidc_login_redir_fallback = true;
|
||||
|
||||
oidc_login_attributes = {
|
||||
id = "preferred_username";
|
||||
mail = "email";
|
||||
name = "name";
|
||||
login_filter = "nextcloud-roles";
|
||||
};
|
||||
oidc_login_filter_allowed_values = [ "nextcloud-user" ];
|
||||
oidc_login_disable_registration = false;
|
||||
};
|
||||
|
||||
secretFile = config.sops.secrets."nextcloud/secretsjson".path;
|
||||
|
||||
phpOptions = {
|
||||
"opcache.interned_strings_buffer" = "16";
|
||||
|
@ -49,6 +72,12 @@ in {
|
|||
group = "nextcloud";
|
||||
restartUnits = [ "phpfpm-nextcloud.service" ];
|
||||
};
|
||||
sops.secrets."nextcloud/secretsjson" = {
|
||||
mode = "0440";
|
||||
owner = "nextcloud";
|
||||
group = "nextcloud";
|
||||
restartUnits = [ "phpfpm-nextcloud.service" ];
|
||||
};
|
||||
|
||||
services.postgresql = {
|
||||
ensureDatabases = [ "nextcloud" ];
|
||||
|
@ -79,7 +108,7 @@ in {
|
|||
ProtectKernelTunables = true;
|
||||
ProtectProc = "invisible";
|
||||
ReadWritePaths = [ "/tank/nextcloud" "/run/phpfpm" "/run/systemd" ];
|
||||
ReadPaths = [ "/run/secrets" "/nix/store" ];
|
||||
ReadOnlyPaths = [ "/run/secrets" "/nix/store" ];
|
||||
RemoveIPC = true;
|
||||
RestrictSUIDSGID = true;
|
||||
UMask = "0007";
|
||||
|
|
|
@ -12,6 +12,7 @@ transmission:
|
|||
vpncreds: ENC[AES256_GCM,data:KWm6AGlJze0Of9Nkz0moaQCAXMwylsZ+BIZR4BnbuDRbjKRMJSWCOFBSbG3esGprLhoCnYwc9mghSeoP2AQRAT++sERpxX3JTHF9QuauNmhRWb1xLsOfQAu6vsA/0dTshQr8ivhJSnEz57rasdOraovYjVsRXd7cuclajPoS4nl3+1/IrSkAlxNzx8F0PMmyOrvoPVMmqQ4PcKFfkXc1f59O2iJ19Bmt/x5yIxU=,iv:VAYlqL8Pb5J4g+W3QClrgRftYw5UofXmG9cfEsZdLr4=,tag:zJIxYaGEedFjM8IsBfnQog==,type:str]
|
||||
nextcloud:
|
||||
adminpass: ENC[AES256_GCM,data:r2Z6KsQ1hP90/Bf8J804a5D7BTS7,iv:f3TkiPVxw8lAPcyStWqOZuhF4p/5nUPkzL2j/yjsnyg=,tag:c2JWdxZUjkHQWNWDILBrRQ==,type:str]
|
||||
secretsjson: ENC[AES256_GCM,data:xvUdDoTaTum/gkDBujSfHeunAmwmYhZMY7zY72Ct9wly9gpcbNrJNiwuWSgBP3uYtwArce+n6co33OYZvV8rs/Q=,iv:6nLq9ZxgBHKbjD8I1PbjWf/9XthTSrm3lOwx/YX+Tc4=,tag:UN+c2fjUHK1lpyRsTBpOUw==,type:str]
|
||||
borg:
|
||||
transmission: ENC[AES256_GCM,data:VGP23BjX6rjMbcEMA6O7UEX6,iv:C0ehtDSO0eMkIYbwi9wYAKncOBrNCiJB4S5tJ1rxctI=,tag:RNcGwihAxOwCt3XOSoCvfw==,type:str]
|
||||
postgres: ENC[AES256_GCM,data:nA+Ga56rG8XippMmHsOLEik=,iv:41llHBWEU7ESiUetJC/SkcjHG+beXs/ur8QTmxDGFE8=,tag:92n88ZtrDQWz0gYZmuWD8g==,type:str]
|
||||
|
@ -50,8 +51,8 @@ sops:
|
|||
NENEM2VLRDBzTWM0ckdPVThaeE0xL2MKTAvsDKgaoj0Fz9CoNbP6s1kROlDbbXtB
|
||||
4rFRGN+WZJrBioz5nN4kR7mVFKa4w6z6Pu3D5WLyK7UQQkZJ64avdw==
|
||||
-----END AGE ENCRYPTED FILE-----
|
||||
lastmodified: "2024-04-29T10:10:29Z"
|
||||
mac: ENC[AES256_GCM,data:hfiomMGmIvm2HFxrvRXB4lIjOpaMlP//35PT2AG9PKqR4MIuBR9jZDHoGUnddjfESNH7++YUvND7Qafxax8AMiCYEhUUfgn2rkO/ycVvI8y9cIQQv8OMzmPZF82Uu9loWoq4dnR/kHkQKWv7XhoGzqI4Z/ObfxESwPqSr6mAlsI=,iv:VnY/WLmVwrSt0jHs0uDzr8iP4BYOSlwLGn0g4QYnxIo=,tag:r+8hvmFS7aIdEvepKQV33Q==,type:str]
|
||||
lastmodified: "2024-06-12T18:57:43Z"
|
||||
mac: ENC[AES256_GCM,data:46xA8exSUbaEJBufvzt5TbUXQa4956sGQUh9hS8a1nhXasDkdwTtGgSfZq/ENcL/VoEz0ORVJ43OwVE+TV1j9aOzwck96c/KDKTp4iEVbRfcsK/PMccf2FJke3TUmSV6f1hFBpGHpdujghHQTiGct+XQNuuI3RPXYLEYPJrqyeY=,iv:fzQL+ymHTP6XET9YlaCaW1ZGUJaZzCM0neGzMveoSt4=,tag:rsDV5tkU5pTlq4YTel6V1g==,type:str]
|
||||
pgp: []
|
||||
unencrypted_suffix: _unencrypted
|
||||
version: 3.8.1
|
||||
|
|
Loading…
Reference in New Issue