Compare commits

...

25 Commits

Author SHA1 Message Date
soraefir 593514c100 fix ssh 2026-05-08 01:21:56 +02:00
soraefir 6ad9a0b34c Env 2026-05-08 01:19:04 +02:00
soraefir 65e3568072 Db 2026-05-08 01:18:02 +02:00
soraefir c55b06cca9 fix nft 2026-05-08 01:15:56 +02:00
soraefir 40dba4b959 Fix nftable 2026-05-08 01:15:27 +02:00
soraefir bc8a9d42f9 Fix nftable 2026-05-08 01:09:51 +02:00
soraefir cd5a1aeed4 temp fix 2026-05-08 01:08:59 +02:00
soraefir 0f2081486d Wops 2026-05-08 01:08:07 +02:00
soraefir 1c022d7642 Fix secret 2026-05-08 00:53:00 +02:00
soraefir 379f6befb3 fix 2026-05-08 00:44:13 +02:00
soraefir 868d2ce116 fix 2026-05-08 00:29:12 +02:00
soraefir 94fdfa2b33 Test acme 2026-05-08 00:17:46 +02:00
soraefir a73ad174ea Fix 2026-05-08 00:14:41 +02:00
soraefir fba5a79ce6 Fix parenthesis 2026-05-08 00:12:17 +02:00
soraefir e8c9fc52fb Update 2026-05-08 00:06:21 +02:00
soraefir 8092bac6b7 nginx 2026-05-07 00:03:43 +02:00
soraefir 7d80478e83 more fixes authentik 2026-05-06 23:47:09 +02:00
soraefir 2cab462db5 Fix authentik worker 2026-05-06 23:45:21 +02:00
soraefir 0bb796fbe8 Fix cfg 2026-05-06 23:42:29 +02:00
soraefir 1f2cc94a0a Fix builder 2026-05-06 23:39:28 +02:00
soraefir 3caf507905 Fix attempt 2026-05-06 23:35:03 +02:00
soraefir 27a5566ac6 Rename file 2026-05-06 23:31:12 +02:00
soraefir b439888fa8 Fix naming 2026-05-06 23:30:08 +02:00
soraefir 093497367a container builder 2026-05-06 23:28:49 +02:00
soraefir 1c0cfd1afe change podman building 2026-05-06 22:59:11 +02:00
11 changed files with 244 additions and 76 deletions
@@ -7,11 +7,12 @@
firewall = { firewall = {
enable = true; enable = true;
allowedUDPPorts = allowedUDPPorts =
(if config.syscfg.server ? wireguard then [ 1515 ] else [ ]) ++ (if (config.syscfg.server != false && config.syscfg.server.wireguard) then [ 1515 ] else [ ]) ++
(if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++
[ ]; [ ];
allowedTCPPorts = allowedTCPPorts =
(if config.syscfg.server ? web then [ 80 443 22 ] else [ ]) ++ (if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++
[ ]; [ ];
}; };
}; };
+34
View File
@@ -0,0 +1,34 @@
{ config, lib, serverCfg }:
let
builder =
{ image, secret ? ""
, subdomain ? "", ip ? "", port ? 0
, extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
, overrides ? { }
}:
let base = {
inherit image;
environmentFiles = if secret !="" then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
environment = {} // extraEnv;
labels = if subdomain!="" then ({
"traefik.enable" = "true";
"traefik.http.routers.${subdomain}.entrypoints" = "web-secure";
"traefik.http.routers.${subdomain}.rule" = "Host(`${subdomain}.${serverCfg.hostDomain}`)";
"traefik.http.routers.${subdomain}.tls" = "true";
} // lib.optionalAttrs (port != 0) {
"traefik.http.services.${subdomain}.loadbalancer.server.port" = toString port;
}) else {
"traefik.enable" = "false";
} // extraLabels;
extraOptions = extraOptions ++ [
"--add-host=host.containers.internal:host-gateway"
] ++ lib.optional (ip != "") "--ip=${ip}";
};
in lib.recursiveUpdate base overrides;
in {
mkContainer = builder;
host = "host.containers.internal";
}
+10 -6
View File
@@ -1,12 +1,16 @@
{ config, pkgs, lib, ... }: { config, pkgs, lib, ... }:
let let
cfg = config.syscfg.server.containers; serverCfg = config.syscfg.server;
enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg; builder = import ./builder.nix { inherit config lib serverCfg; };
enabledConfigs = lib.filterAttrs (name: c: c.enable) serverCfg.containers;
containerSetsList = lib.mapAttrsToList (name: containerCfg: containerSetsList = lib.mapAttrsToList (name: containerCfg:
import (./defs + "/${name}.nix") { let defs = import (./defs + "/${name}.nix") {inherit config pkgs lib containerCfg builder;};
inherit config pkgs lib containerCfg; in{
} containers = lib.mapAttrs' (cName: cValue:
) enabledConfigs; lib.nameValuePair "${name}-${cName}" cValue
) defs.containers;
}
) enabledConfigs;
mergedContainers = lib.attrsets.mergeAttrsList (lib.map(e: e.containers) containerSetsList); mergedContainers = lib.attrsets.mergeAttrsList (lib.map(e: e.containers) containerSetsList);
allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList); allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList);
in in
+38 -52
View File
@@ -1,5 +1,6 @@
{ config, containerCfg, pkgs, lib, ... }: { config, containerCfg, pkgs, lib, builder, ... }:
let let
version = "2026.2.2";
serverCfg = config.syscfg.server; serverCfg = config.syscfg.server;
in { in {
paths = [{ paths = [{
@@ -13,72 +14,57 @@ in {
}]; }];
containers = { containers = {
server = builder.mkContainer {
auth_server = { subdomain = containerCfg.subdomain;
image = "ghcr.io/goauthentik/server:latest"; image = "ghcr.io/goauthentik/server:${version}";
hostname = "auth_server"; port = containerCfg.port;
volumes = [ ip = containerCfg.ip;
"${serverCfg.dataPath}/authentik/media:/media" secret = "authentik";
"${serverCfg.dataPath}/authentik/templates:/templates" extraEnv = {
]; "AUTHENTIK_REDIS__HOST" = builder.host;
environmentFiles = [ "AUTHENTIK_POSTGRESQL__HOST" = builder.host;
config.sops.secrets."AUTHENTIK".path
];
environment = {
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user"; "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db"; "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
"AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}"; "AUTHENTIK_EMAIL__HOST" = serverCfg.mailDomain;
"AUTHENTIK_EMAIL__PORT" = "587"; "AUTHENTIK_EMAIL__PORT" = "587";
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}"; "AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
"AUTHENTIK_EMAIL__USE_TLS" = "true"; "AUTHENTIK_EMAIL__USE_TLS" = "true";
"AUTHENTIK_EMAIL__USE_SSL" = "false"; "AUTHENTIK_EMAIL__USE_SSL" = "false";
"AUTHENTIK_EMAIL__TIMEOUT" = "10"; "AUTHENTIK_EMAIL__TIMEOUT" = "10";
"AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}"; "AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
"AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
"AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
}; };
labels = { overrides = {
"traefik.enable" = "true"; cmd = [ "server" ];
"traefik.http.routers.sso.entrypoints" = "web-secure"; ports = if containerCfg.pubPort != 0 && containerCfg.port != 0 then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else [];
"traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)"; volumes = [
"traefik.http.routers.sso.tls" = "true"; "${serverCfg.dataPath}/authentik/media:/media"
"traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}"; "${serverCfg.dataPath}/authentik/templates:/templates"
];
}; };
cmd = [ "server" ];
extraOptions = [
"--add-host=host.containers.internal:host-gateway"
"--replace"
"--rm"
"--ip=${containerCfg.ip}"
];
ports = [
"9999:${toString containerCfg.port}"
];
}; };
auth_worker = { worker = builder.mkContainer {
image = "ghcr.io/goauthentik/server:latest"; image = "ghcr.io/goauthentik/server:${version}";
hostname = "auth_worker"; secret = "authentik";
volumes = [ extraEnv = {
"${serverCfg.dataPath}/authentik/media:/media" "AUTHENTIK_REDIS__HOST" = builder.host;
"${serverCfg.dataPath}/authentik/templates:/templates" "AUTHENTIK_POSTGRESQL__HOST" = builder.host;
"/var/run/docker.sock:/var/run/docker.sock"
];
environmentFiles = [
config.sops.secrets."AUTHENTIK".path
];
environment = {
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user"; "AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db"; "AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
"AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
"AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
};
# extraOptions = [ "--user=:994" ]; #PODMAN GROUP FOR SOCKET ACCESS
overrides = {
cmd = [ "worker" ];
volumes = [
"${serverCfg.dataPath}/authentik/media:/media"
"${serverCfg.dataPath}/authentik/templates:/templates"
# "/var/run/podman/podman.sock:/var/run/docker.sock" #PODMAN GROUP FOR SOCKET ACCESS
];
}; };
extraOptions = [
"--add-host=host.containers.internal:host-gateway"
"--replace"
"--rm"
];
cmd = [ "worker" ];
}; };
}; };
} }
-1
View File
@@ -62,7 +62,6 @@ in {
if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-) PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
echo $PASS
if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
echo " Successfully set password for ${name}_user" echo " Successfully set password for ${name}_user"
else else
+1 -1
View File
@@ -1,3 +1,3 @@
{ config, pkgs, lib, ... }:{ { config, pkgs, lib, ... }:{
imports = [ ./containers ./database ./nftables ./openssh ./sops ]; imports = [ ./containers ./database ./nftables ./nginx ./openssh ./sops ];
} }
+14 -8
View File
@@ -1,7 +1,7 @@
{ config, lib, ... }:
let
{ config, lib, ... }:{ cfg = config.syscfg.server;
config = lib.mkIf (config.syscfg.server.nftables.enable) { in{
boot.kernel.sysctl = { boot.kernel.sysctl = {
"net.ipv4.ip_forward" = 1; "net.ipv4.ip_forward" = 1;
"net.ipv6.conf.all.forwarding" = 1; "net.ipv6.conf.all.forwarding" = 1;
@@ -11,11 +11,18 @@
networking.nftables.ruleset = '' networking.nftables.ruleset = ''
table inet filter { table inet filter {
chain input { chain input {
type filter hook input priority filter; policy accept; type filter hook input priority filter; policy drop;
tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept ct state established,related accept
iifname "lo" accept
tcp dport {422, 22} accept
${if builtins.length cfg.db > 0 then ''tcp dport {5432, 6379} ip saddr { 10.0.0.0/8, 169.254.0.0/16 } accept'' else ""}
${if cfg.web then ''tcp dport {80, 443} accept
udp dport {80, 443} accept'' else ""}
} }
} }
${if cfg.nftables.enable then ''
table inet nat { table inet nat {
chain prerouting { chain prerouting {
type nat hook prerouting priority dstnat; policy accept; type nat hook prerouting priority dstnat; policy accept;
@@ -41,7 +48,6 @@
type nat hook postrouting priority srcnat; policy accept; type nat hook postrouting priority srcnat; policy accept;
oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade
} }
} }'' else ""}
''; '';
};
} }
+133
View File
@@ -0,0 +1,133 @@
{ config, lib, pkgs, ... }:
let
cfg = config.syscfg.server;
containers = cfg.containers;
faviconOverride = {
" ~* /favicon\.(ico|png|svg|jpg)$" = {
extraConfig = ''
add_header Content-Type image/svg+xml;
return 200 '<svg xmlns="http://www.w3.org/2000/svg" id="Layer_1" data-name="Layer 1" viewBox="0 0 50 50"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><path class="cls-1" d="M30.83,5A23.23,23.23,0,0,0,10.41,67.13h10.8C26,63,32.94,61.8,38,67.13H49.39C44.93,61.09,38.24,55,30.83,55Z"/><path class="cls-1" d="M46.25,28.11c-14.89,31.15-41,4.6-25-11H10.41c-8.47,14.76,3.24,34.68,20.42,34.23,13.28,0,24.24-19.72,24.24-23.21,0-1.54-2.14-6.25-5.68-11H38A40.52,40.52,0,0,1,46.25,78.11Zm.4-.91Z"/></svg>';
'';
# proxyPass = "http://127.0.0.1:9000";
};
};
# Function to convert your container config into an NGINX vhost
mkVhost = container: {
forceSSL = true;
# quic = true;
# http3 = true;
useACMEHost = "${cfg.hostDomain}";
locations = faviconOverride // {
"/" = {
proxyPass = "http://${container.ip}:${toString container.port}";
proxyWebsockets = true; # Recommended for modern apps
};
};
};
in {
config = lib.mkIf ( config.syscfg.server.web) {
security.acme = {
acceptTerms = true;
defaults.email = "admin@domain.org";
certs."${cfg.hostDomain}" = {
domain = "*.${cfg.hostDomain}";
extraDomainNames = [ "${cfg.hostDomain}" ]; # Adds the root too
dnsProvider = "infomaniak";
credentialsFile = config.sops.secrets."INFOMANIAK_API_KEY".path; # File containing your API token (e.g. CLOUDFLARE_DNS_API_TOKEN=...)
group = "nginx";
};
};
services.nginx = {
enable = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
recommendedGzipSettings = true;
# appendHttpConfig = ''
# add_header Alt-Svc 'h3=":443"; ma=86400';
# '';
commonHttpConfig = ''
proxy_buffer_size 32k;
proxy_buffers 8 16k;
proxy_busy_buffers_size 48k;
port_in_redirect off;
'';
virtualHosts = {
"_" = {
default = true;
forceSSL = true;
# quic = true;
# http3 = true;
useACMEHost = "${cfg.hostDomain}";
locations = {
"/" = {
extraConfig = ''
return 404;
'';
};
};
};
"sec.${cfg.hostDomain}" = {
forceSSL = true;
# quic = true;
# http3 = true;
useACMEHost = "${cfg.hostDomain}";
locations = {
"/" = {
extraConfig = ''
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Original-URI $scheme://$http_host$request_uri;
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-entitlements $authentik_entitlements;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
'';
};
"/outpost.goauthentik.io" = {
proxyPass = "http://${config.syscfg.server.containers.authentik.ip}:${toString config.syscfg.server.containers.authentik.port}/outpost.goauthentik.io";
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Original-URI $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
'';
};
};
extraConfig = ''
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 https://${cfg.containers.authentik.subdomain}.${cfg.hostDomain}/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
'';
};
} //lib.mapAttrs' (name: v:
lib.nameValuePair "${v.subdomain}.${cfg.hostDomain}" (mkVhost v)
) containers;
};
};
}
+5 -4
View File
@@ -1,5 +1,6 @@
INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str] INFOMANIAK_API_KEY: ENC[AES256_GCM,data:LFAT94Wr/rggjpIkFa2RINJTSRIcrFAfgtZzI75hyGUK/sHuIgNtsvBJnztwKcUG99mC9hRjj8NoRtBHDM9JU+VNWi1rJVCq3jQg5kuU1Dk/js5lJRpqBJOfeigxfxkU+JiDcujNK7Q/,iv:DEvTTcdEvbmHsSx+qX+QDm1ISR5y7L4fKKLXjUFCopE=,tag:46uXjEHmnzH1P9Kb5z8j8g==,type:str]
AUTHENTIK: ENC[AES256_GCM,data:jNcqbLEMbaQ7mmn4dK4LFguecDDxrBsQZaqfQeQ+iGel6mD4jAC6rNdGC8H8NepRWmc0ZjNC6Fe4EaGllbjq/50SqlB47DtyuuCwOZFP6fiU4sD13B7t0Fg/7xMomqnRnJ+3UyVzt6PgEzzQNoPPpHxVGpR+TJnROhflcmCKi/JdAR6dspNqJEbrjp4LVk28Rp9Od6lbsOGphRb79z/DKA1QYRPuE7QU7Edzqqy09g5nKjGxIxjWNEYPt0WiD3537eBICfWm5krs8jxyf6TSiGasHSgSDyJSbnoNkPzSf9A5Jwtulu1jFgjvY/v+qhs9649USp1MzogSAfDZBNC4irge/lb5EPPIQ31EC/Dybza9dX/h6cR/KyQm5GsxBBJzm33rzC/4aCCRlcsAl5eO4JZn4MZta4yHss2UQHQ48i15OSdBwwTbTt240UbrIIje0hfOM6R+Uk3VOY/+VtBV/D+0ks2SUEKMvWgqJDhDh4FVqeR0a9dpLhOAvaWryAAETjlHljOrcF3Q3WooZbBDvLyMMtsHIeF1JDqwghI3,iv:8RdNbsnVVu4awW6yrpLGxAtM7o6uN5vgZIotmT6osW8=,tag:rNaCeG6STXINm42x1b2jcw==,type:str] AUTHENTIK: ENC[AES256_GCM,data:2A9hFi6aq46CHqu51iHMuvaBBSBseR+0Qy7a1q7356j0z4uzTR2fPaLITXsrGZavFWiPEsDwZuFPsG8p4CHWdEmPoXtOFB6AnX8RS7mKPMFGJiAkOUyxcoErlh6NWw0EfV3r6GSNl5Rhubv19mWOwSnPSUSNROgJUrfJR5AiZKZqeX/85IjGUNx8xAXmfcZnb/pPX1ir45f/2+HW/9qg3+cNSG2xi8mzEfw9X1Nt+lvvIj+PJm9PrvY15pl68O/qMQK4LhCwnJ8kRitR5kk3R0eCEz6Ix46+7ELbFKP8g22ksHalzsKdwQozmzlspD0horDolJK04ZR4Bay9+Ovq2hqcMb9Nbbv+WkxUg7VnAmP18tBJ2mwk/p8DMfZ3/lSIffBR/cKXU2Nz4ZctH5ShCy7ul+wk32waKu75xsBv7l3Ka2RYUJLLmTk6NeU1ol/lfVqusLy7kuDdawG0fgCpjd0gJQCv0l+zA75psj1ZfAJxTEY6Fa1INic82/05yhz3YAss2pI2uTFD296Tb2a4cw13fL9kwbs=,iv:u7o7aC7NHyl0myD24ibBZWcw10xYm9+KDo/scvBU42E=,tag:hgMT4f8MRBu8DNLcZxcbgQ==,type:str]
_: ENC[AES256_GCM,data:wX0EGbxH4aNXsyVYkTifC6MMlqDlDNiTxj6GVHz3SrNtjfBeye8nsObCknQahaT98RLUIeQh4lFXyZjcSB9jwcacIu5GNFNRHN4BhCE8T8Ui/YZqb7Pd8A87hfCd+bRmROc4Hm4=,iv:28kfp8uVbbBkmEe8qPZESXZuciNYXpV4BQAl5tFRung=,tag:FqKvCH4Zzf/D8uffC1j8nQ==,type:str]
sops: sops:
age: age:
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg - recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
@@ -20,8 +21,8 @@ sops:
S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA== d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-05-06T01:10:20Z" lastmodified: "2026-05-07T23:18:58Z"
mac: ENC[AES256_GCM,data:O4RLfEE6z0uDRpZdL47Or+z/PTeJ+zgzXN9kJS6Nebs9Uhw0XUJUPGhAocLokiMin5sQcpxXG5Q8oc2rAkq2GDbtna4u26dtNkd2Q/vtly6DqUaIRXXt3TL5cfJwMNa76fp+ERKLwGbBG+/BFWajzYJtcE257I8t3X4UmAdqYmE=,iv:uYLh8LnGobf7t3Ur7drEiA6n3Vv0e0yhlja6Uww8jiU=,tag:ZK3OCCsiMPtKl28lrGKtqQ==,type:str] mac: ENC[AES256_GCM,data:zuxxX9DECskSquiKWqPkaIQiIdgNSKsKJMF1k3Vk+ATrVgwMw+KHV9B6hQkNfKRhjLO7oEOcYdOJW/xeUytAVJKgUGBAVqrWrDuPHBOfD+PE5OTdaiNz29fUCnBF11SZ2Sec2J9ZbUY7lVQeFBFpjWyE5ObF7ySVV17C5w1GajM=,iv:4dSiYJDKw2NofbhwVQ8tGr1GTCB37DSbyKCPtIgV2B8=,tag:UED5v+rgxo44H5YwU05pBw==,type:str]
pgp: pgp:
- created_at: "2026-05-05T23:46:27Z" - created_at: "2026-05-05T23:46:27Z"
enc: |- enc: |-
+4 -2
View File
@@ -107,8 +107,10 @@ let
options = { options = {
enable = mkOption { type = types.bool;default = false; }; enable = mkOption { type = types.bool;default = false; };
db = mkOption { type = types.bool;default = false; }; db = mkOption { type = types.bool;default = false; };
ip = mkOption { type = types.str; }; ip = mkOption { type = types.nullOr types.str; default = null;};
port = mkOption { type = types.port; }; subdomain = mkOption { type = types.nullOr types.str; default=null;};
port = mkOption { type = types.port; default = 0; };
pubPort = mkOption { type = types.port; default = 0; };
extraParam = mkOption { type = types.str; default = ""; }; extraParam = mkOption { type = types.str; default = ""; };
}; };
}); });
+2
View File
@@ -22,6 +22,7 @@
openssh = true; openssh = true;
web = true; web = true;
sops = true; sops = true;
db = [ "_" ];
hostDomain = "test.helcel.net"; hostDomain = "test.helcel.net";
shortName = "testcel"; shortName = "testcel";
@@ -35,6 +36,7 @@
authentik = { authentik = {
enable = true; enable = true;
db = true; db = true;
subdomain = "sso";
ip = "10.88.0.125"; ip = "10.88.0.125";
port = 9000 ; port = 9000 ;
}; };