Compare commits
226 Commits
main
...
cd4c727255
| Author | SHA1 | Date | |
|---|---|---|---|
| cd4c727255 | |||
| 26cb095014 | |||
| 2a9113e07d | |||
| 42a170283d | |||
| 3d4cdaf6e9 | |||
| 21d959b592 | |||
| 0895d67489 | |||
| 86f1fc116c | |||
| b82033f857 | |||
| fbe8399886 | |||
| 036f1117be | |||
| b3eb1de9e6 | |||
| 91c2928a56 | |||
| 89ffc75db2 | |||
| 63fc0bde6e | |||
| bc765ea0c6 | |||
| df236d4ec7 | |||
| 2f24725df4 | |||
| 4708753085 | |||
| 370416edba | |||
| ee1dec3d44 | |||
| b748db9550 | |||
| 78381d15ff | |||
| 037d75af2a | |||
| 9e9338d136 | |||
| cd19d8ac06 | |||
| 6dda5f6bd5 | |||
| 836b890fab | |||
| 40ed44aa52 | |||
| 2fcbf6adb3 | |||
| f3fbf159b4 | |||
| f3b8feb50d | |||
| f6f51597cd | |||
| 5c7b5fcbfe | |||
| 07b6868d27 | |||
| 870b13ef36 | |||
| 4b8c8bdc51 | |||
| c24628b574 | |||
| c1fb77a89f | |||
| 94012aa44c | |||
| 5ff282e65c | |||
| 0bedb71d07 | |||
| 47cbbc56cb | |||
| e116efd45c | |||
| ff498d15a3 | |||
| 90c596270f | |||
| 458a9091d4 | |||
| 123d18d1e8 | |||
| f05f7b0147 | |||
| a41390dcee | |||
| 29478e2aed | |||
| 82b422883e | |||
| 4151e50a42 | |||
| 5afaf859b9 | |||
| 0cd20319fe | |||
| 468cd34fca | |||
| 882d36ff83 | |||
| dc2682c829 | |||
| f354a99d56 | |||
| bf1fbea959 | |||
| 31addeda66 | |||
| d0ca9761d7 | |||
| bbbb5831a8 | |||
| 46f4b5288b | |||
| 8293df4974 | |||
| 08866273cc | |||
| e2772e51d9 | |||
| 6bf856b702 | |||
| 93199b4359 | |||
| d3ffacf4ca | |||
| ac0e28b5ab | |||
| e76f53d887 | |||
| f67e142f53 | |||
| 8165bf6935 | |||
| 09539b5866 | |||
| 1b2a724a26 | |||
| e6e6e4af49 | |||
| e999a5bf2c | |||
| a57818e37e | |||
| 0e61b2fad4 | |||
| 9016657699 | |||
| 5462434558 | |||
| aa36fa812c | |||
| f5f28968c6 | |||
| 4c2ef6e264 | |||
| fa808f3eb2 | |||
| 7bc9ae1f2d | |||
| e53be27e96 | |||
| 88ab6e2007 | |||
| 864e698272 | |||
| 8961706503 | |||
| c637fea0d0 | |||
| 9813e7d49a | |||
| ea6db4b9bf | |||
| 2eff0969e0 | |||
| cf5648122d | |||
| b10e7a5a93 | |||
| 882a43b705 | |||
| e9868a2513 | |||
| 43a0f903b0 | |||
| 1b76ec20b4 | |||
| 6a7fcf6152 | |||
| b6bc6dd138 | |||
| 90f8387192 | |||
| 25604d6c14 | |||
| 51d60de5c0 | |||
| 5e8cd65785 | |||
| fa5845808b | |||
| 28c17d9bb6 | |||
| 89d2f9a48e | |||
| e58d323ea0 | |||
| 7465b6b24c | |||
| 59c6b68501 | |||
| 9273387170 | |||
| 55a08673f0 | |||
| 5dbb95603d | |||
| d60f8dd56f | |||
| 7d35cb319f | |||
| 8d4caac83b | |||
| ad2b492b51 | |||
| 4b68accf2f | |||
| 0d9c8a2974 | |||
| 63d2dddd1e | |||
| 55d678df19 | |||
| 88a4ab069e | |||
| c54ed4a712 | |||
| 3db4517a3b | |||
| f3dfe561ad | |||
| b58da2b2e1 | |||
| 28fa63919f | |||
| cb7e29bfe0 | |||
| ea58be6fdc | |||
| da51e61c05 | |||
| 1ca61b70d2 | |||
| eafafe876f | |||
| 21adca1fbc | |||
| 57efc58bc2 | |||
| cd5deea849 | |||
| 9f5f8751e5 | |||
| f02adc6d93 | |||
| b2f6d8cc9e | |||
| c18ac097fa | |||
| 1fc9017e7e | |||
| 8ff90e54b8 | |||
| fba3a24f16 | |||
| fcb97828f4 | |||
| e04382742f | |||
| 48b40d819b | |||
| 8b75968f11 | |||
| dda8409329 | |||
| 9a0b5171b1 | |||
| 9abb5b2f26 | |||
| 8362599b54 | |||
| c1b9c12281 | |||
| e4dcb0bd39 | |||
| a31991c507 | |||
| e1651cba2a | |||
| bb5ecbba73 | |||
| 0c79617647 | |||
| a3bc8b80c5 | |||
| 55fcf8b71a | |||
| 5aabd9acce | |||
| e652c12bf2 | |||
| 4c684cf9b1 | |||
| 0c60bbbaa8 | |||
| 097334b483 | |||
| bfd099d201 | |||
| 1fe6e43046 | |||
| 23b8ad480e | |||
| 3d1fc2a2c9 | |||
| aacca16eb2 | |||
| 5de459c347 | |||
| d898116ff4 | |||
| e2b688c836 | |||
| b5d57bf9c8 | |||
| 236f9dbdc3 | |||
| 9696ca9a6d | |||
| df523c48e5 | |||
| 4d398d5596 | |||
| 5045291097 | |||
| 2dc1632a40 | |||
| 744a2b8563 | |||
| b722d349af | |||
| 7438905618 | |||
| 908c144c73 | |||
| 6d353df19f | |||
| 7194d91b1c | |||
| d3c301db36 | |||
| 135d48d78c | |||
| d4292cd46d | |||
| 4a4d3e3604 | |||
| d076538901 | |||
| 8fedaf18cd | |||
| 4c1f9f0e78 | |||
| 1a8eb085df | |||
| 8a619d9fc6 | |||
| a76f920297 | |||
| fe93cb708e | |||
| cb29056296 | |||
| 4bc68eeeaf | |||
| 9cf9937cb7 | |||
| 593514c100 | |||
| 6ad9a0b34c | |||
| 65e3568072 | |||
| c55b06cca9 | |||
| 40dba4b959 | |||
| bc8a9d42f9 | |||
| cd5a1aeed4 | |||
| 0f2081486d | |||
| 1c022d7642 | |||
| 379f6befb3 | |||
| 868d2ce116 | |||
| 94fdfa2b33 | |||
| a73ad174ea | |||
| fba5a79ce6 | |||
| e8c9fc52fb | |||
| 8092bac6b7 | |||
| 7d80478e83 | |||
| 2cab462db5 | |||
| 0bb796fbe8 | |||
| 1f2cc94a0a | |||
| 3caf507905 | |||
| 27a5566ac6 | |||
| b439888fa8 | |||
| 093497367a | |||
| 1c0cfd1afe |
@@ -2,3 +2,4 @@ result
|
|||||||
age-key.txt
|
age-key.txt
|
||||||
.decrypted~common.yaml
|
.decrypted~common.yaml
|
||||||
.decrypted*
|
.decrypted*
|
||||||
|
.tmp
|
||||||
Generated
+24
-24
@@ -45,11 +45,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1775037210,
|
"lastModified": 1777780666,
|
||||||
"narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=",
|
"narHash": "sha256-8wURyQMdDkGUarSTKOGdCuFfYiwa3HbzwscUfn3STDE=",
|
||||||
"owner": "lnl7",
|
"owner": "lnl7",
|
||||||
"repo": "nix-darwin",
|
"repo": "nix-darwin",
|
||||||
"rev": "06648f4902343228ce2de79f291dd5a58ee12146",
|
"rev": "8c62fba0854ba15c8917aed18894dbccb48a3777",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -103,11 +103,11 @@
|
|||||||
},
|
},
|
||||||
"hardware": {
|
"hardware": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1776983936,
|
"lastModified": 1778143761,
|
||||||
"narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=",
|
"narHash": "sha256-lkesY6x2X2qxlqLM7CT2iM/0rP2JB7fruPN3h8POXmI=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixos-hardware",
|
"repo": "nixos-hardware",
|
||||||
"rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
|
"rev": "3bcaa367d4c550d687a17ac792fd5cda214ee871",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -139,11 +139,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1777771528,
|
"lastModified": 1777851538,
|
||||||
"narHash": "sha256-YycygK6n7KeW1YCobdFJcORWzkmrvNcp6xT+IovA0d4=",
|
"narHash": "sha256-Gp8qwTEYNoy2yvmErVGlvLOQvrtEECCAKbonW7VJef8=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "0585fbf645640973e3398863bbaf3bd1ddce4a51",
|
"rev": "cc09c0f9b7eaa95c2d9827338a5eb03d32505ca5",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -174,11 +174,11 @@
|
|||||||
},
|
},
|
||||||
"nixUnstable": {
|
"nixUnstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1777641297,
|
"lastModified": 1778274207,
|
||||||
"narHash": "sha256-WNGcmeOZ8Tr9dq6ztCspYbzWFswr2mPebM9LpsfGxPk=",
|
"narHash": "sha256-I4puXmX1iovcCHZlRmztO3vW0mAbbRvq4F8wgIMQ1MM=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "c6d65881c5624c9cae5ea6cedef24699b0c0a4c0",
|
"rev": "b3da656039dc7a6240f27b2ef8cc6a3ef3bccae7",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -190,11 +190,11 @@
|
|||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1777428379,
|
"lastModified": 1778003029,
|
||||||
"narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=",
|
"narHash": "sha256-q/nkKLDtHIyLjZpKhWk3cSK5IYsFqtMd6UtXF3ddjgA=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "755f5aa91337890c432639c60b6064bb7fe67769",
|
"rev": "0c88e1f2bdb93d5999019e99cb0e61e1fe2af4c5",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -221,11 +221,11 @@
|
|||||||
},
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1777578337,
|
"lastModified": 1777954456,
|
||||||
"narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
|
"narHash": "sha256-hGdgeU2Nk87RAuZyYjyDjFL6LK7dAZN5RE9+hrDTkDU=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "15f4ee454b1dce334612fa6843b3e05cf546efab",
|
"rev": "549bd84d6279f9852cae6225e372cc67fb91a4c1",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -241,11 +241,11 @@
|
|||||||
"nixpkgs": "nixpkgs_2"
|
"nixpkgs": "nixpkgs_2"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1777763626,
|
"lastModified": 1778376280,
|
||||||
"narHash": "sha256-UFwZDbdMezNnxZwikhDR4EWiCPUiEmPXHmqLOrcG34g=",
|
"narHash": "sha256-pL2F2FF2FN7zWr5o/vG7GiYOSjp+DUNyPIYqNaLQFFs=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "nur",
|
"repo": "nur",
|
||||||
"rev": "3873764e5896bd6da6cf0df17172849ea51ac5eb",
|
"rev": "828688994167eb57628c98fd1d7e1223b079cda1",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -274,11 +274,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1777338324,
|
"lastModified": 1777944972,
|
||||||
"narHash": "sha256-bc+ZZCmOTNq86/svGnw0tVpH7vJaLYvGLLKFYP08Q8E=",
|
"narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "8eaee5c45428b28b8c47a83e4c09dccec5f279b5",
|
"rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|||||||
@@ -17,19 +17,11 @@
|
|||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
|
|
||||||
# hyprland = {
|
|
||||||
# url = "github:hyprwm/Hyprland";
|
|
||||||
# inputs.nixpkgs.follows = "nixpkgs";
|
|
||||||
# };
|
|
||||||
sops-nix = {
|
sops-nix = {
|
||||||
url = "github:Mic92/sops-nix";
|
url = "github:Mic92/sops-nix";
|
||||||
inputs.nixpkgs.follows = "nixpkgs";
|
inputs.nixpkgs.follows = "nixpkgs";
|
||||||
};
|
};
|
||||||
nix-colors.url = "github:misterio77/nix-colors";
|
nix-colors.url = "github:misterio77/nix-colors";
|
||||||
|
|
||||||
arion.url = "github:hercules-ci/arion";
|
|
||||||
arion.inputs.nixpkgs.follows = "nixpkgs";
|
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
outputs = inputs:
|
outputs = inputs:
|
||||||
|
|||||||
@@ -13,7 +13,6 @@
|
|||||||
./modules/nixos
|
./modules/nixos
|
||||||
syscfg
|
syscfg
|
||||||
./systems/${host}
|
./systems/${host}
|
||||||
inputs.arion.nixosModules.arion
|
|
||||||
inputs.sops-nix.nixosModules.sops
|
inputs.sops-nix.nixosModules.sops
|
||||||
inputs.home-manager.nixosModules.home-manager
|
inputs.home-manager.nixosModules.home-manager
|
||||||
{
|
{
|
||||||
|
|||||||
@@ -18,5 +18,6 @@
|
|||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
virtualisation.containers.registries.search = [ "quay.io" "docker.io" "ghcr.io" ];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -7,11 +7,13 @@
|
|||||||
firewall = {
|
firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
allowedUDPPorts =
|
allowedUDPPorts =
|
||||||
(if config.syscfg.server ? wireguard then [ 1515 ] else [ ]) ++
|
(if (config.syscfg.server != false && config.syscfg.server.wireguard) then [ 1515 ] else [ ]) ++
|
||||||
|
(if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++
|
||||||
[ ];
|
[ ];
|
||||||
|
|
||||||
allowedTCPPorts =
|
allowedTCPPorts =
|
||||||
(if config.syscfg.server ? web then [ 80 443 22 ] else [ ]) ++
|
(if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++
|
||||||
|
(if (config.syscfg.server != false) then [ 5432 6379 ] else [ ]) ++
|
||||||
[ ];
|
[ ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -0,0 +1,4 @@
|
|||||||
|
# Missing
|
||||||
|
|
||||||
|
RSS: TTRSS / FreshRSS
|
||||||
|
Monitoring: Telegraf + InfluxDB
|
||||||
@@ -0,0 +1,92 @@
|
|||||||
|
{ config, containerCfg, pkgs, lib, builder, name, ... }:
|
||||||
|
let
|
||||||
|
version = "2026.2.2";
|
||||||
|
serverCfg = config.syscfg.server;
|
||||||
|
authentikData = builder.mkData {
|
||||||
|
name = "authentik"; dir = "authentik"; vars = {
|
||||||
|
NEXTCLOUD_DOMAIN = "${serverCfg.containers.nextcloud.subdomain or "nextcloud"}.${serverCfg.hostDomain}";
|
||||||
|
AUTHENTIK_DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
|
||||||
|
COOKIE_DOMAIN = "${serverCfg.hostDomain}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
paths = [{
|
||||||
|
path="${serverCfg.configPath}/authentik/media";
|
||||||
|
owner = "1000:1000";
|
||||||
|
mode = "0755";
|
||||||
|
}{
|
||||||
|
path="${serverCfg.configPath}/authentik/templates";
|
||||||
|
owner = "1000:1000";
|
||||||
|
mode = "0755";
|
||||||
|
}];
|
||||||
|
|
||||||
|
containers = {
|
||||||
|
server = builder.mkContainer {
|
||||||
|
subdomain = containerCfg.subdomain;
|
||||||
|
image = "ghcr.io/goauthentik/server:${version}";
|
||||||
|
port = 9000;
|
||||||
|
ip = containerCfg.ip;
|
||||||
|
secret = name;
|
||||||
|
extraEnv = {
|
||||||
|
"AUTHENTIK_REDIS__HOST" = builder.host;
|
||||||
|
"AUTHENTIK_POSTGRESQL__HOST" = builder.host;
|
||||||
|
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
|
||||||
|
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
|
||||||
|
"AUTHENTIK_EMAIL__HOST" = serverCfg.mailDomain;
|
||||||
|
"AUTHENTIK_EMAIL__PORT" = "587";
|
||||||
|
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
|
||||||
|
"AUTHENTIK_EMAIL__USE_TLS" = "true";
|
||||||
|
"AUTHENTIK_EMAIL__USE_SSL" = "false";
|
||||||
|
"AUTHENTIK_EMAIL__TIMEOUT" = "10";
|
||||||
|
"AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
|
||||||
|
"AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
|
||||||
|
"AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
|
||||||
|
};
|
||||||
|
overrides = {
|
||||||
|
cmd = [ "server" ];
|
||||||
|
ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:9000" ] else [];
|
||||||
|
volumes = [
|
||||||
|
"${serverCfg.configPath}/authentik/media:/media"
|
||||||
|
"${serverCfg.configPath}/authentik/templates:/templates"
|
||||||
|
"${authentikData}:/blueprints/custom:ro"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
worker = builder.mkContainer {
|
||||||
|
image = "ghcr.io/goauthentik/server:${version}";
|
||||||
|
secret = "authentik";
|
||||||
|
extraEnv = {
|
||||||
|
"AUTHENTIK_REDIS__HOST" = builder.host;
|
||||||
|
"AUTHENTIK_POSTGRESQL__HOST" = builder.host;
|
||||||
|
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
|
||||||
|
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
|
||||||
|
"AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
|
||||||
|
"AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
|
||||||
|
};
|
||||||
|
overrides = {
|
||||||
|
cmd = [ "worker" ];
|
||||||
|
volumes = [
|
||||||
|
"${serverCfg.configPath}/authentik/media:/media"
|
||||||
|
"${serverCfg.configPath}/authentik/templates:/templates"
|
||||||
|
"${authentikData}:/blueprints/custom:ro"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
setup = {
|
||||||
|
trigger = "worker";
|
||||||
|
script = pkgs.writeShellScript "setup" ''
|
||||||
|
# Define the command wrapper
|
||||||
|
AK="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u root authentik-worker ak"
|
||||||
|
|
||||||
|
$AK apply_blueprint /blueprints/custom/authentik.yaml
|
||||||
|
$AK apply_blueprint /blueprints/custom/traefik.yaml
|
||||||
|
${lib.optionalString (serverCfg.containers ? nextcloud) ''$AK apply_blueprint /blueprints/custom/nextcloud.yaml''}
|
||||||
|
|
||||||
|
echo "Completed Authentik Setup"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -0,0 +1,34 @@
|
|||||||
|
{ config, containerCfg, pkgs, lib, builder, name, ... }:
|
||||||
|
let
|
||||||
|
version = "latest";
|
||||||
|
serverCfg = config.syscfg.server;
|
||||||
|
in {
|
||||||
|
containers = {
|
||||||
|
server = builder.mkContainer {
|
||||||
|
subdomain = containerCfg.subdomain;
|
||||||
|
image = "collabora/code:${version}";
|
||||||
|
port = 9980;
|
||||||
|
ip = containerCfg.ip;
|
||||||
|
secret = name;
|
||||||
|
extraEnv = {
|
||||||
|
"aliasgroup1" = "https://${serverCfg.containers.nextcloud.subdomain}.${serverCfg.hostDomain}";
|
||||||
|
"server_name" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
|
||||||
|
"username" = "collabora_user";
|
||||||
|
"VIRTUAL_HOST" = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
|
||||||
|
"VIRTUAL_PORT" = "9980";
|
||||||
|
"VIRTUAL_PROTO" = "http";
|
||||||
|
"DONT_GEN_SSL_CERT" = "true";
|
||||||
|
"RESOLVE_TO_PROXY_IP" = "true";
|
||||||
|
"extra_params" = "--o:ssl.enable=false --o:ssl.termination=true";
|
||||||
|
"dictionaries" = "en fr de jp no";
|
||||||
|
};
|
||||||
|
|
||||||
|
overrides = {
|
||||||
|
volumes = [
|
||||||
|
"${pkgs.noto-fonts}/share/fonts/noto:/opt/collaboraoffice/share/fonts/truetype/noto:ro"
|
||||||
|
"${pkgs.ibm-plex}/share/fonts/opentype:/opt/collaboraoffice/share/fonts/opentype/plex:ro"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -0,0 +1,39 @@
|
|||||||
|
{ config, containerCfg, pkgs, lib, builder, name,... }:
|
||||||
|
let
|
||||||
|
serverCfg = config.syscfg.server;
|
||||||
|
ethercalc_exe = pkgs.ethercalc;
|
||||||
|
|
||||||
|
image = pkgs.dockerTools.streamLayeredImage {
|
||||||
|
name = "ethercalc";
|
||||||
|
tag = ethercalc_exe.version;
|
||||||
|
contents = [ pkgs.bashInteractive ];
|
||||||
|
config = {
|
||||||
|
Entrypoint = [ "${ethercalc_exe}/bin/ethercalc" ];
|
||||||
|
ExposedPorts = { "8080/tcp" = {}; };
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
paths = [{
|
||||||
|
path="${serverCfg.dataPath}/ethercalc/";
|
||||||
|
mode = "0666";
|
||||||
|
}];
|
||||||
|
|
||||||
|
containers = {
|
||||||
|
server = builder.mkContainer {
|
||||||
|
subdomain = containerCfg.subdomain;
|
||||||
|
imageStream = image;
|
||||||
|
port = 8080;
|
||||||
|
ip = containerCfg.ip;
|
||||||
|
secret = name;
|
||||||
|
extraEnv = {
|
||||||
|
ETHERCALC_PORT = "8080";
|
||||||
|
#CONNECT TO REDIS
|
||||||
|
};
|
||||||
|
overrides = {
|
||||||
|
volumes = [
|
||||||
|
"${serverCfg.dataPath}/ethercalc:/data"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -0,0 +1,123 @@
|
|||||||
|
{ config, containerCfg, pkgs, lib, builder, name,... }:
|
||||||
|
let
|
||||||
|
serverCfg = config.syscfg.server;
|
||||||
|
etherpad_exe = pkgs.etherpad-lite;
|
||||||
|
settings = pkgs.writeText"settings.json" (builtins.toJSON {
|
||||||
|
title= "\${TITLE:Etherpad}";
|
||||||
|
showRecentPads = "\${SHOW_RECENT_PADS:true}";
|
||||||
|
favicon = "\${FAVICON:null}";
|
||||||
|
publicURL = "\${PUBLIC_URL:null}";
|
||||||
|
skinName = "\${SKIN_NAME:colibris}";
|
||||||
|
skinVariants = "\${SKIN_VARIANTS:super-light-toolbar super-light-editor light-background}";
|
||||||
|
ip = "\${IP:0.0.0.0}";
|
||||||
|
port = "\${PORT:9001}";
|
||||||
|
showSettingsInAdminPage = "\${SHOW_SETTINGS_IN_ADMIN_PAGE:true}";
|
||||||
|
enableMetrics = "\${ENABLE_METRICS:true}";
|
||||||
|
updates.tier = "off";
|
||||||
|
cleanup.enabled = false;
|
||||||
|
gdprAuthorErasure.enabled = "\${GDPR_AUTHOR_ERASURE_ENABLED:false}";
|
||||||
|
authenticationMethod = "\${AUTHENTICATION_METHOD:apikey}";
|
||||||
|
enableDarkMode = "\${ENABLE_DARK_MODE:true}";
|
||||||
|
enablePadWideSettings = "\${ENABLE_PAD_WIDE_SETTINGS:true}";
|
||||||
|
dbType = "\${DB_TYPE:dirty}";
|
||||||
|
dbSettings = {
|
||||||
|
host = "\${DB_HOST:undefined}";
|
||||||
|
port = "\${DB_PORT:undefined}";
|
||||||
|
database = "\${DB_NAME:undefined}";
|
||||||
|
user = "\${DB_USER:undefined}";
|
||||||
|
password = "\${DB_PASS:undefined}";
|
||||||
|
charset = "\${DB_CHARSET:undefined}";
|
||||||
|
filename = "\${DB_FILENAME:var/dirty.db}";
|
||||||
|
collection = "\${DB_COLLECTION:undefined}";
|
||||||
|
url = "\${DB_URL:undefined}";
|
||||||
|
};
|
||||||
|
defaultPadText = "\${DEFAULT_PAD_TEXT:P A D}";
|
||||||
|
padOptions = {
|
||||||
|
noColors = "\${PAD_OPTIONS_NO_COLORS:false}";
|
||||||
|
showControls = "\${PAD_OPTIONS_SHOW_CONTROLS:true}";
|
||||||
|
showChat = "\${PAD_OPTIONS_SHOW_CHAT:true}";
|
||||||
|
showLineNumbers = "\${PAD_OPTIONS_SHOW_LINE_NUMBERS:true}";
|
||||||
|
useMonospaceFont = "\${PAD_OPTIONS_USE_MONOSPACE_FONT:false}";
|
||||||
|
userName = "\${PAD_OPTIONS_USER_NAME:null}";
|
||||||
|
userColor = "\${PAD_OPTIONS_USER_COLOR:null}";
|
||||||
|
rtl = "\${PAD_OPTIONS_RTL:false}";
|
||||||
|
alwaysShowChat = "\${PAD_OPTIONS_ALWAYS_SHOW_CHAT:false}";
|
||||||
|
chatAndUsers = "\${PAD_OPTIONS_CHAT_AND_USERS:false}";
|
||||||
|
lang = "\${PAD_OPTIONS_LANG:null}";
|
||||||
|
fadeInactiveAuthorColors = "\${PAD_OPTIONS_FADE_INACTIVE_AUTHOR_COLORS:true}";
|
||||||
|
enforceReadableAuthorColors = "\${PAD_OPTIONS_ENFORCE_READABLE_AUTHOR_COLORS:true}";
|
||||||
|
};
|
||||||
|
|
||||||
|
requireSession = "\${REQUIRE_SESSION:false}";
|
||||||
|
editOnly = "\${EDIT_ONLY:false}";
|
||||||
|
minify = "\${MINIFY:true}";
|
||||||
|
requireAuthentication = "\${REQUIRE_AUTHENTICATION:false}";
|
||||||
|
requireAuthorization = "\${REQUIRE_AUTHORIZATION:false}";
|
||||||
|
trustProxy = "\${TRUST_PROXY:true}";
|
||||||
|
ep_headerauth.username_header = "X-authentik-username";
|
||||||
|
users.admin = {
|
||||||
|
password = "\${ADMIN_PASSWORD:null}";
|
||||||
|
is_admin = true;
|
||||||
|
};
|
||||||
|
socketTransportProtocols = ["websocket" "polling"];
|
||||||
|
socketIo.maxHttpBufferSize = "\${SOCKETIO_MAX_HTTP_BUFFER_SIZE:1000000}";
|
||||||
|
indentationOnNewLine = true;
|
||||||
|
|
||||||
|
loglevel = "\${LOGLEVEL:INFO}";
|
||||||
|
lowerCasePadIds = "\${LOWER_CASE_PAD_IDS:true}";
|
||||||
|
});
|
||||||
|
image = pkgs.dockerTools.streamLayeredImage {
|
||||||
|
name = "etherpad";
|
||||||
|
tag = etherpad_exe.version;
|
||||||
|
contents = [ pkgs.bashInteractive ];
|
||||||
|
config = {
|
||||||
|
Entrypoint = [ "${etherpad_exe}/bin/etherpad-lite" ];
|
||||||
|
ExposedPorts = { "8080/tcp" = {}; };
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
paths = [{
|
||||||
|
path="${serverCfg.configPath}/etherpad/";
|
||||||
|
mode = "0444";
|
||||||
|
}];
|
||||||
|
|
||||||
|
containers = {
|
||||||
|
server = builder.mkContainer {
|
||||||
|
subdomain = containerCfg.subdomain;
|
||||||
|
imageStream = image;
|
||||||
|
port = 8080;
|
||||||
|
ip = containerCfg.ip;
|
||||||
|
secret = name;
|
||||||
|
extraEnv = {
|
||||||
|
TITLE = "Pad";
|
||||||
|
PORT ="8080";
|
||||||
|
DB_TYPE = "postgres";
|
||||||
|
DB_HOST = builder.host;
|
||||||
|
DB_NAME = "etherpad_db";
|
||||||
|
DB_USER = "etherpad_user";
|
||||||
|
TRUST_PROXY = "true";
|
||||||
|
DB_CHARSET = "utf8mb4";
|
||||||
|
DEFAULT_PAD_TEXT = "";
|
||||||
|
PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
|
||||||
|
PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
|
||||||
|
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
|
||||||
|
};
|
||||||
|
overrides = {
|
||||||
|
cmd = [ "--settings" "/etc/etherpad/settings.json" "--apikey" "/etc/etherpad/APIKEY.txt" ];
|
||||||
|
volumes = [
|
||||||
|
"${settings}:/etc/etherpad/settings.json"
|
||||||
|
"${serverCfg.configPath}/etherpad/APIKEY.txt:/etc/etherpad/APIKEY.txt:ro"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
setup = {
|
||||||
|
trigger = "server";
|
||||||
|
envFile = config.sops.secrets."ETHERPAD".path;
|
||||||
|
script = pkgs.writeShellScript "setup" ''
|
||||||
|
echo "$APIKEY" > ${serverCfg.configPath}/etherpad/APIKEY.txt
|
||||||
|
chmod 444 ${serverCfg.configPath}/etherpad/APIKEY.txt
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
{...}:{
|
||||||
|
|
||||||
|
}
|
||||||
@@ -0,0 +1,130 @@
|
|||||||
|
{ config, containerCfg, pkgs, lib, builder, name, ... }:
|
||||||
|
let
|
||||||
|
version = "latest";
|
||||||
|
serverCfg = config.syscfg.server;
|
||||||
|
in {
|
||||||
|
|
||||||
|
paths = [{
|
||||||
|
path="${serverCfg.dataPath}/gitea/data";
|
||||||
|
owner = "1000:1000";
|
||||||
|
mode = "0755";
|
||||||
|
}{
|
||||||
|
path="${serverCfg.dataPath}/gitea/data-runner";
|
||||||
|
owner = "1000:1000";
|
||||||
|
mode = "0755";
|
||||||
|
}];
|
||||||
|
containers = {
|
||||||
|
server = builder.mkContainer {
|
||||||
|
subdomain = containerCfg.subdomain;
|
||||||
|
image = "gitea/gitea:${version}";
|
||||||
|
port = 8080;
|
||||||
|
ip = containerCfg.ip;
|
||||||
|
secret = name;
|
||||||
|
|
||||||
|
extraEnv = { # app.ini -> GITEA__<section>__<KEY> = "<VALUE>";
|
||||||
|
GITEA__DEFAULT__APP_NAME = if(containerCfg.extra ? name) then containerCfg.extra.name else "Gitea";
|
||||||
|
GITEA__repository__DISABLED_REPO_UNITS = "repo.ext_issues,repo.ext_wiki";
|
||||||
|
GITEA__repository__DISABLE_STARS = "true";
|
||||||
|
GITEA__repository__DEFAULT_MERGE_STYLE = "squash";
|
||||||
|
# GITEA__ui__THEMES = "";
|
||||||
|
# GITEA__ui__DEFAULT_THEME = "";
|
||||||
|
|
||||||
|
# GITEA__security__SECRET_KEY = "SECRET_ENV";
|
||||||
|
# GITEA__security__INTERNAL_TOKEN = "SECRET_ENV";
|
||||||
|
# GITEA__database__PASSWD = "SECRET_ENV";
|
||||||
|
# GITEA__mailer__PASSWD="SECRET_ENV";
|
||||||
|
|
||||||
|
GITEA__database__DB_TYPE = "postgres";
|
||||||
|
GITEA__database__HOST = builder.host;
|
||||||
|
GITEA__database__NAME = "gitea_db";
|
||||||
|
GITEA__database__USER = "gitea_user";
|
||||||
|
|
||||||
|
|
||||||
|
GITEA__mailer__ENABLED = "true";
|
||||||
|
GITEA__mailer__FROM = "";
|
||||||
|
GITEA__mailer__PROTOCOL = "smtps";
|
||||||
|
GITEA__mailer__SMTP_ADDR = "";
|
||||||
|
GITEA__mailer__SMTP_PORT = "";
|
||||||
|
GITEA__mailer__USER= "";
|
||||||
|
|
||||||
|
GITEA__server__DOMAIN = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
|
||||||
|
GITEA__server__ROOT_URL = "https://${containerCfg.subdomain}.${serverCfg.hostDomain}/";
|
||||||
|
GITEA__server__PROTOCOL = "http";
|
||||||
|
GITEA__server__HTTP_PORT = "8080";
|
||||||
|
GITEA__server__LFS_START_SERVER = "true";
|
||||||
|
GITEA__security__INSTALL_LOCK = "true";
|
||||||
|
|
||||||
|
} // ( if serverCfg.containers?authentik then {
|
||||||
|
GITEA__service__ENABLE_BASIC_AUTHENTICATION = "false";
|
||||||
|
GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION = "true";
|
||||||
|
GITEA__service__ENABLE_REVERSE_PROXY_AUTHENTICATION_API = "true";
|
||||||
|
GITEA__service__ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = "true";
|
||||||
|
GITEA__service__ENABLE_REVERSE_PROXY_EMAIL = "true";
|
||||||
|
GITEA__service__ENABLE_REVERSE_PROXY_FULL_NAME = "true";
|
||||||
|
GITEA__service__ALLOW_ONLY_EXTERNAL_REGISTRATION = "true";
|
||||||
|
GITEA__security__REVERSE_PROXY_LOGOUT_REDIRECT = "https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/outpost.goauthentik.io/sign_out";
|
||||||
|
GITEA__security__REVERSE_PROXY_AUTHENTICATION_USER = "X-authentik-username";
|
||||||
|
GITEA__security__REVERSE_PROXY_AUTHENTICATION_EMAIL = "X-authentik-email";
|
||||||
|
GITEA__security__REVERSE_PROXY_AUTHENTICATION_FULL_NAME = "X-authentik-name";
|
||||||
|
GITEA__security__RREVERSE_PROXY_LIMIT = "1";
|
||||||
|
GITEA__security__REVERSE_PROXY_TRUSTED_PROXIES = "127.0.0.0/8,::1/128,10.0.0.0/8";
|
||||||
|
} else {});
|
||||||
|
extraLabels = {
|
||||||
|
"traefik.http.routers.${containerCfg.subdomain}-login.rule" = "Host(`${containerCfg.subdomain}.${serverCfg.hostDomain}`) && Path(`/user/login`) ";
|
||||||
|
"traefik.http.routers.${containerCfg.subdomain}-login.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
|
||||||
|
"traefik.http.routers.${containerCfg.subdomain}-login.priority" = "100";
|
||||||
|
"traefik.http.routers.${containerCfg.subdomain}-login.entrypoints" = "web-secure";
|
||||||
|
"traefik.http.routers.${containerCfg.subdomain}-login.tls" = "true";
|
||||||
|
};
|
||||||
|
|
||||||
|
overrides = {
|
||||||
|
volumes = [
|
||||||
|
"${serverCfg.dataPath}/gitea/data:/data"
|
||||||
|
];
|
||||||
|
ports = [ "2222:22" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
runner = builder.mkContainer {
|
||||||
|
image = "gitea/act_runner:${version}";
|
||||||
|
secret = name;
|
||||||
|
extraEnv = {
|
||||||
|
CONFIG_FILE="/data/config.yml";
|
||||||
|
GITEA_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.hostDomain}";
|
||||||
|
GITHUB_INSTANCE_URL="https://${containerCfg.subdomain}.${serverCfg.hostDomain}";
|
||||||
|
};
|
||||||
|
|
||||||
|
overrides = {
|
||||||
|
volumes = [
|
||||||
|
"${serverCfg.dataPath}/gitea/data-runner:/data"
|
||||||
|
"/var/run/podman/podman.sock:/var/run/docker.sock"
|
||||||
|
];
|
||||||
|
# ports = [ "8088:8088" ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
|
||||||
|
setup = {
|
||||||
|
trigger = "server";
|
||||||
|
envFile = config.sops.secrets."CUSTOM".path;
|
||||||
|
script = pkgs.writeShellScript "setup" ''
|
||||||
|
# Define the command wrapper
|
||||||
|
GT="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-server gitea"
|
||||||
|
GTR="${pkgs.podman}/bin/podman --events-backend=none exec -u git gitea-runner ./act_runner"
|
||||||
|
|
||||||
|
$GT admin user create --username "$DEFAULT_ADMIN_USERNAME" --password "$DEFAULT_ADMIN_PASSWORD" --email "$DEFAULT_ADMIN_EMAIL" --admin || true
|
||||||
|
|
||||||
|
RUNNER_TOKEN=$($GT actions generate-runner-token)
|
||||||
|
$GTR register \
|
||||||
|
--instance "https://${containerCfg.subdomain}.${serverCfg.hostDomain}" \
|
||||||
|
--token "$RUNNER_TOKEN" \
|
||||||
|
--name "Runner" \
|
||||||
|
--labels "ubuntu-latest:docker://catthehacker/ubuntu:act-latest" \
|
||||||
|
--no-interactive
|
||||||
|
|
||||||
|
|
||||||
|
echo "Completed Gitea Setup"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
{...}:{
|
||||||
|
|
||||||
|
}
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
{...}:{
|
||||||
|
|
||||||
|
}
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
{...}:{
|
||||||
|
|
||||||
|
}
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
{...}:{
|
||||||
|
|
||||||
|
}
|
||||||
@@ -0,0 +1,198 @@
|
|||||||
|
{ config, containerCfg, pkgs, lib, builder, name,... }:
|
||||||
|
let
|
||||||
|
version = "31";
|
||||||
|
serverCfg = config.syscfg.server;
|
||||||
|
in {
|
||||||
|
paths = [{
|
||||||
|
path="${serverCfg.dataPath}/nextcloud/www";
|
||||||
|
owner = "33:33";
|
||||||
|
mode = "0755";
|
||||||
|
}{
|
||||||
|
path="${serverCfg.dataPath}/nextcloud/data";
|
||||||
|
owner = "33:33";
|
||||||
|
mode = "0755";
|
||||||
|
backup = true;
|
||||||
|
}];
|
||||||
|
|
||||||
|
containers = {
|
||||||
|
server = builder.mkContainer {
|
||||||
|
subdomain = containerCfg.subdomain;
|
||||||
|
image = "nextcloud:${version}";
|
||||||
|
port = 80;
|
||||||
|
ip = containerCfg.ip;
|
||||||
|
secret = name;
|
||||||
|
extraEnv = {
|
||||||
|
REDIS_HOST = builder.host;
|
||||||
|
POSTGRES_HOST = builder.host;
|
||||||
|
POSTGRES_USER = "nextcloud_user";
|
||||||
|
POSTGRES_DB = "nextcloud_db";
|
||||||
|
AUTHENTIK_POSTGRESQL__SSLMODE = "disable";
|
||||||
|
"NEXTCLOUD_TRUSTED_DOMAINS " = "${containerCfg.subdomain}.${serverCfg.hostDomain}";
|
||||||
|
"SMTP_HOST" = serverCfg.mailServer;
|
||||||
|
"SMTP_NAME" = "mail_user";
|
||||||
|
"SMTP_PASSWORD" = "mail_password";
|
||||||
|
"MAIL_FROM_ADDRESS" = "${containerCfg.subdomain}@${serverCfg.hostDomain}";
|
||||||
|
"MAIL_DOMAIN" = serverCfg.mailDomain;
|
||||||
|
"TRUSTED_PROXIES" = "10.10.0.0/16 192.168.0.0/16";
|
||||||
|
};
|
||||||
|
extraLabels = {
|
||||||
|
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = "sts_headers,${containerCfg.subdomain}-caldav";
|
||||||
|
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.permanent" = "true";
|
||||||
|
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.regex" = "https://(.*)/.well-known/(?:card|cal)dav";
|
||||||
|
"traefik.http.middlewares.${containerCfg.subdomain}-caldav.redirectregex.replacement" = "https://$1/remote.php/dav";
|
||||||
|
"traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
|
||||||
|
"traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" = "true";
|
||||||
|
};
|
||||||
|
extraOptions = [
|
||||||
|
"--tmpfs=/tmp:rw,noexec,nosuid,size=512m"
|
||||||
|
];
|
||||||
|
overrides = {
|
||||||
|
ports = if containerCfg.port!=null then [ "${toString containerCfg.port}:80" ] else [];
|
||||||
|
volumes = [
|
||||||
|
"${serverCfg.dataPath}/nextcloud/www:/var/www/html"
|
||||||
|
"${serverCfg.dataPath}/nextcloud/data:/var/www/html/data"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
setup = {
|
||||||
|
trigger = "server";
|
||||||
|
script = pkgs.writeShellScript "setup" ''
|
||||||
|
# Define the command wrapper
|
||||||
|
OCC="${pkgs.podman}/bin/podman --events-backend=none exec --env-file ${config.sops.secrets."CUSTOM".path} -e DOMAIN=${serverCfg.hostDomain} -u www-data nextcloud-server php occ"
|
||||||
|
|
||||||
|
echo "Waiting for Nextcloud container to start..."
|
||||||
|
until $OCC status > /dev/null 2>&1; do
|
||||||
|
sleep 2
|
||||||
|
done
|
||||||
|
|
||||||
|
INSTALLED=$($OCC status --output=json | grep -o '"installed":true')
|
||||||
|
if [ -z "$INSTALLED" ]; then
|
||||||
|
echo "Running first-time setup..."
|
||||||
|
|
||||||
|
$OCC maintenance:install \
|
||||||
|
--admin-user "$DEFAULT_ADMIN_USERNAME" \
|
||||||
|
--admin-pass "$DEFAULT_ADMIN_PASSWORD"
|
||||||
|
fi
|
||||||
|
if [ -z "$INSTALLED" ] || [ -f "/tmp/force-nextcloud-setup" ]; then
|
||||||
|
rm -f "/tmp/force-nextcloud-setup"
|
||||||
|
echo "Applying Settings..."
|
||||||
|
|
||||||
|
$OCC config:system:set default_phone_region --value="CH"
|
||||||
|
$OCC config:system:set overwriteprotocol --value="https"
|
||||||
|
$OCC config:app:set core backgroundjobs_mode --value="cron"
|
||||||
|
$OCC config:system:set maintenance_window_start --type=integer --value=1
|
||||||
|
$OCC config:system:set default_language --value="en"
|
||||||
|
$OCC config:system:set default_locale --value="en_CH"
|
||||||
|
|
||||||
|
echo "Applying Apps..."
|
||||||
|
$OCC app:disable activity || true
|
||||||
|
$OCC app:disable app_api || true
|
||||||
|
$OCC app:disable comments || true
|
||||||
|
$OCC app:disable firstrunwizard || true
|
||||||
|
$OCC config:system:set show_first_run_wizard --type=bool --value=false
|
||||||
|
$OCC app:disable nextcloud_announcements || true
|
||||||
|
$OCC app:disable oauth2 || true
|
||||||
|
$OCC app:disable recommendations || true
|
||||||
|
$OCC app:disable sharebymail || true
|
||||||
|
$OCC app:disable support || true
|
||||||
|
$OCC app:disable survey_client || true
|
||||||
|
$OCC app:disable updatenotification || true
|
||||||
|
$OCC app:disable user_status || true
|
||||||
|
|
||||||
|
$OCC app:install calendar || true
|
||||||
|
$OCC app:install calendar || true
|
||||||
|
$OCC app:install contacts || true
|
||||||
|
$OCC app:install camerarawpreviews || true
|
||||||
|
$OCC app:install cospend || true
|
||||||
|
$OCC app:install deck || true
|
||||||
|
$OCC app:install files_markdown || true
|
||||||
|
$OCC app:install forms || true
|
||||||
|
$OCC app:install groupfolders || true
|
||||||
|
$OCC app:install ownpad || true
|
||||||
|
$OCC app:install previewgenerator || true
|
||||||
|
$OCC app:install richdocuments || true
|
||||||
|
${lib.optionalString (serverCfg.containers ? collabora == false) ''$OCC app:install richdocumentscode || true''}
|
||||||
|
# $OCC app:install side_menu || true
|
||||||
|
$OCC app:install spreed || true
|
||||||
|
$OCC app:install teamfolders || true
|
||||||
|
${lib.optionalString (serverCfg.containers ? authentik) ''$OCC app:install user_saml || true''}
|
||||||
|
|
||||||
|
echo "Applying Apps Settings..."
|
||||||
|
$OCC config:system:set enabledPreviewProviders --value='["OC\\Preview\\Movie", "OC\\Preview\\PNG", "OC\\Preview\\JPEG", "OC\\Preview\\GIF", "OC\\Preview\\HEIC", "OC\\Preview\\RAW"]' --type=json
|
||||||
|
$OCC config:app:set cospend allow_federation --value="yes"
|
||||||
|
|
||||||
|
${lib.optionalString (serverCfg.containers ? ethercalc) ''
|
||||||
|
$OCC config:app:set ownpad ownpad_ethercalc_enable --value="yes"
|
||||||
|
$OCC config:app:set ownpad ownpad_ethercalc_host --value="https://${serverCfg.containers.ethercalc.subdomain}.${serverCfg.hostDomain}"
|
||||||
|
''}
|
||||||
|
${lib.optionalString (serverCfg.containers ? etherpad) ''
|
||||||
|
$OCC config:app:set ownpad ownpad_etherpad_enable --value="yes"
|
||||||
|
$OCC config:app:set ownpad ownpad_etherpad_host --value="https://${serverCfg.containers.etherpad.subdomain}.${serverCfg.hostDomain}"
|
||||||
|
''}
|
||||||
|
${lib.optionalString (serverCfg.containers ? collabora) ''
|
||||||
|
$OCC config:app:set richdocuments wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}/"
|
||||||
|
$OCC config:app:set richdocuments public_wopi_url --value="https://${serverCfg.containers.collabora.subdomain}.${serverCfg.hostDomain}"
|
||||||
|
$OCC config:app:set richdocuments wopi_allowlist --value="10.0.0.0/8"
|
||||||
|
''}
|
||||||
|
${lib.optionalString (serverCfg.containers ? authentik) ''
|
||||||
|
$OCC saml:config:set 1 --general-idp0_display_name="authentik"
|
||||||
|
$OCC saml:config:set 1 --general-uid_mapping="http://schemas.goauthentik.io/2021/02/saml/username"
|
||||||
|
$OCC saml:config:set 1 --idp-entityId="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}"
|
||||||
|
$OCC saml:config:set 1 --idp-singleSignOnService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/nextcloud/sso/binding/redirect/"
|
||||||
|
$OCC saml:config:set 1 --idp-singleLogoutService.url="https://${serverCfg.containers.authentik.subdomain}.${serverCfg.hostDomain}/application/saml/nextcloud/slo/binding/redirect/"
|
||||||
|
AUTHENTIK_CERT=$(${pkgs.postgresql}/bin/psql -h localhost -U authentik_user -d authentik_db -At -c "SELECT certificate_data FROM authentik_crypto_certificatekeypair WHERE name = 'authentik Self-signed Certificate';")
|
||||||
|
$OCC saml:config:set 1 --idp-x509cert="$AUTHENTIK_CERT"
|
||||||
|
|
||||||
|
$OCC saml:config:set 1 --saml-attribute-mapping-displayName_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
|
||||||
|
$OCC saml:config:set 1 --saml-attribute-mapping-email_mapping="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
|
||||||
|
$OCC saml:config:set 1 --saml-attribute-mapping-group_mapping="http://schemas.xmlsoap.org/claims/Group"
|
||||||
|
|
||||||
|
$OCC config:app:set user_saml general-allowed_groups --value="admin,cloud"
|
||||||
|
$OCC group:add admin || true
|
||||||
|
$OCC group:add cloud || true
|
||||||
|
$OCC config:app:set user_saml general-group_provisioning --value="0"
|
||||||
|
$OCC config:app:set user_saml general-require_provisioning_groups --value="1"
|
||||||
|
''}
|
||||||
|
# configure side_menu ...
|
||||||
|
FOLDERS=$($OCC teamfolders:list --format=json)
|
||||||
|
${builtins.concatStringsSep "\n" (map (name: ''
|
||||||
|
if ! echo "$FOLDERS" | grep -q '"name":"${name}"'; then
|
||||||
|
$OCC teamfolders:create "${name}"
|
||||||
|
fi
|
||||||
|
'') containerCfg.extra.teamFolders or [])}
|
||||||
|
SERVERS=$($OCC federation:list-servers --format=json)
|
||||||
|
${builtins.concatStringsSep "\n" (map (domain: ''
|
||||||
|
if ! echo "$SERVERS" | grep -q "${domain}"; then
|
||||||
|
$OCC federation:add-server "https://${domain}"
|
||||||
|
fi
|
||||||
|
'') containerCfg.extra.federatedServers or [])}
|
||||||
|
$OCC config:app:set systemtags allow_user_creating --value="no"
|
||||||
|
|
||||||
|
echo "Applying Theme..."
|
||||||
|
$OCC config:app:set theming url --value="https://${containerCfg.subdomain}.${serverCfg.hostDomain}"
|
||||||
|
${lib.optionalString (containerCfg.extra ? name) ''$OCC config:app:set theming name --value="${containerCfg.extra.name}"''}
|
||||||
|
${lib.optionalString (containerCfg.extra ? slogan) ''$OCC config:app:set theming slogan --value="${containerCfg.extra.slogan}"''}
|
||||||
|
$OCC config:app:set theming background_color --value="${serverCfg.colorScheme.palette.base02}"
|
||||||
|
$OCC config:app:set theming primary_color --value="${serverCfg.colorScheme.palette.base0C}"
|
||||||
|
|
||||||
|
#$OCC theming:config logo {serverCfg.colorScheme.logo}
|
||||||
|
#$OCC theming:config logoheader {serverCfg.colorScheme.logo}
|
||||||
|
#$OCC theming:config background {serverCfg.colorScheme.bg}
|
||||||
|
|
||||||
|
else
|
||||||
|
echo "Nextcloud is already installed. Skipping setup."
|
||||||
|
fi
|
||||||
|
|
||||||
|
echo "Maintenance..."
|
||||||
|
$OCC app:update --all
|
||||||
|
$OCC maintenance:repair --include-expensive --no-interaction
|
||||||
|
$OCC db:add-missing-indices --no-interaction
|
||||||
|
|
||||||
|
echo "Completed Setup"
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
cron = [ "*/5 * * * * root ${pkgs.podman}/bin/podman --events-backend=none exec -u www-data nextcloud-server php -f /var/www/html/cron.php" ];
|
||||||
|
}
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
{...}:{
|
||||||
|
|
||||||
|
}
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
{...}:{
|
||||||
|
|
||||||
|
}
|
||||||
@@ -0,0 +1,77 @@
|
|||||||
|
{ config, containerCfg, pkgs, lib, builder, name,... }:
|
||||||
|
let
|
||||||
|
serverCfg = config.syscfg.server;
|
||||||
|
image = pkgs.dockerTools.streamLayeredImage {
|
||||||
|
name = "traefik";
|
||||||
|
tag = pkgs.traefik.version;
|
||||||
|
contents = with pkgs;[ cacert tzdata ];
|
||||||
|
config = {
|
||||||
|
Entrypoint = [ "${pkgs.traefik}/bin/traefik" ];
|
||||||
|
WorkingDir = "/";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
paths = [{
|
||||||
|
path="${serverCfg.configPath}/traefik";
|
||||||
|
owner = "1000:1000";
|
||||||
|
mode = "0755";
|
||||||
|
}];
|
||||||
|
|
||||||
|
containers = {
|
||||||
|
server = builder.mkContainer {
|
||||||
|
imageStream = image;
|
||||||
|
subdomain = containerCfg.subdomain;
|
||||||
|
ip = containerCfg.ip;
|
||||||
|
port = 8080;
|
||||||
|
secret = name;
|
||||||
|
extraLabels = {
|
||||||
|
"traefik.http.routers.${containerCfg.subdomain}.priority" = "10";
|
||||||
|
"traefik.http.routers.${containerCfg.subdomain}.service" = "api@internal";
|
||||||
|
|
||||||
|
"traefik.http.routers.${containerCfg.subdomain}.middlewares" = if serverCfg.containers?authentik then "authentik" else "";
|
||||||
|
"traefik.http.middlewares.authentik.forwardauth.maxResponseBodySize" = "10485760";
|
||||||
|
"traefik.http.middlewares.authentik.forwardauth.address" = "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik";
|
||||||
|
"traefik.http.middlewares.authentik.forwardauth.trustForwardHeader" = "true";
|
||||||
|
"traefik.http.middlewares.authentik.forwardauth.authResponseHeaders" = "X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version";
|
||||||
|
} // (if containerCfg.extra ? provider || serverCfg.hostDomain != "localhost" then {
|
||||||
|
"traefik.http.routers.${containerCfg.subdomain}.tls.certresolver" = "default";
|
||||||
|
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].main" = "${serverCfg.hostDomain}";
|
||||||
|
"traefik.http.routers.${containerCfg.subdomain}.tls.domains[0].sans" = "*.${serverCfg.hostDomain}";
|
||||||
|
} else {});
|
||||||
|
extraEnv = { };
|
||||||
|
overrides = {
|
||||||
|
cmd = [
|
||||||
|
"--api"
|
||||||
|
"--log.level=INFO"
|
||||||
|
"--providers.docker=true"
|
||||||
|
"--global.checknewversion=false"
|
||||||
|
"--global.sendanonymoususage=false"
|
||||||
|
"--api.insecure=true"
|
||||||
|
"--api.dashboard=true"
|
||||||
|
"--providers.docker.exposedByDefault=false"
|
||||||
|
"--entrypoints.web.address=:80"
|
||||||
|
"--entrypoints.web-secure.address=:443"
|
||||||
|
"--entrypoints.web.http.redirections.entrypoint.to=web-secure"
|
||||||
|
"--entrypoints.web.http.redirections.entrypoint.scheme=https"
|
||||||
|
"--entrypoints.web-secure.transport.respondingtimeouts.readtimeout=0s"
|
||||||
|
"--entrypoints.web-secure.proxyprotocol.trustedips=127.0.0.1/32,192.168.1.1/16,10.10.0.0/16"
|
||||||
|
] ++ (if containerCfg.extra ? provider then [
|
||||||
|
"--certificatesresolvers.default.acme.email=acme@${serverCfg.hostDomain}"
|
||||||
|
"--certificatesresolvers.default.acme.dnschallenge=true"
|
||||||
|
"--certificatesresolvers.default.acme.dnschallenge.provider=${containerCfg.extra.provider}"
|
||||||
|
"--certificatesresolvers.default.acme.storage=/custom/acme.json"
|
||||||
|
] else (if serverCfg.hostDomain != "localhost" then [
|
||||||
|
"--certificatesresolvers.default.acme.httpchallenge=false"
|
||||||
|
"--certificatesresolvers.default.acme.tlschallenge=true"
|
||||||
|
] else [ ]));
|
||||||
|
ports = [ "443:443" "80:80" ] ++ (if containerCfg.port!=null then [ "${toString containerCfg.port}:8080" ] else []);
|
||||||
|
volumes = [
|
||||||
|
"/var/run/podman/podman.sock:/var/run/docker.sock"
|
||||||
|
# "${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
|
||||||
|
"${serverCfg.configPath}/traefik:/custom"
|
||||||
|
];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
{...}:{
|
||||||
|
|
||||||
|
}
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
{...}:{
|
||||||
|
|
||||||
|
}
|
||||||
@@ -0,0 +1,3 @@
|
|||||||
|
{...}:{
|
||||||
|
|
||||||
|
}
|
||||||
@@ -0,0 +1,46 @@
|
|||||||
|
{ config, lib, pkgs, serverCfg }:
|
||||||
|
let
|
||||||
|
builder =
|
||||||
|
{ image ? null, imageStream ? null
|
||||||
|
, secret ? null
|
||||||
|
, subdomain ? null, ip ? null, port ? 0
|
||||||
|
, extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
|
||||||
|
, overrides ? { }
|
||||||
|
}:
|
||||||
|
let base = {
|
||||||
|
image = if imageStream != null then "${imageStream.imageName}:${imageStream.imageTag}"
|
||||||
|
else image;
|
||||||
|
imageStream = imageStream;
|
||||||
|
|
||||||
|
environmentFiles = if secret!=null then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
|
||||||
|
environment = {} // extraEnv;
|
||||||
|
|
||||||
|
labels = (if subdomain!=null then ({
|
||||||
|
"traefik.enable" = "true";
|
||||||
|
"traefik.http.routers.${subdomain}.entrypoints" = "web-secure";
|
||||||
|
"traefik.http.routers.${subdomain}.rule" = "Host(`${subdomain}.${serverCfg.hostDomain}`)";
|
||||||
|
"traefik.http.routers.${subdomain}.tls" = "true";
|
||||||
|
} // lib.optionalAttrs (port!=null) {
|
||||||
|
"traefik.http.services.${subdomain}.loadbalancer.server.port" = toString port;
|
||||||
|
}) else {
|
||||||
|
"traefik.enable" = "false";
|
||||||
|
}) // extraLabels;
|
||||||
|
|
||||||
|
extraOptions = extraOptions ++ [
|
||||||
|
"--add-host=host.containers.internal:host-gateway"
|
||||||
|
] ++ lib.optional (ip!=null) "--ip=${ip}";
|
||||||
|
};
|
||||||
|
in lib.recursiveUpdate base overrides;
|
||||||
|
in {
|
||||||
|
mkContainer = builder;
|
||||||
|
mkData = { name, dir, vars?{} }: pkgs.runCommand name vars ''
|
||||||
|
mkdir -p $out
|
||||||
|
cp -r ${./data + "/${dir}"}/. $out/
|
||||||
|
find $out -type f | while read file; do
|
||||||
|
${lib.concatStringsSep "\n" (lib.mapAttrsToList (n: v: ''
|
||||||
|
substituteInPlace "$file" --replace "@${n}@" "${toString v}"
|
||||||
|
'') vars)}
|
||||||
|
done
|
||||||
|
'';
|
||||||
|
host = "host.containers.internal";
|
||||||
|
}
|
||||||
@@ -0,0 +1,70 @@
|
|||||||
|
version: 1
|
||||||
|
metadata:
|
||||||
|
name: "Initial User Setup"
|
||||||
|
labels:
|
||||||
|
blueprint-type: core
|
||||||
|
entries:
|
||||||
|
# Optionally, disable the default enrollment flow entirely
|
||||||
|
- model: authentik_flows.flow
|
||||||
|
identifiers:
|
||||||
|
slug: "default-source-enrollment"
|
||||||
|
attrs:
|
||||||
|
designation: "enrollment"
|
||||||
|
enabled: false
|
||||||
|
# --- GROUPS ---
|
||||||
|
- model: authentik_core.group
|
||||||
|
identifiers:
|
||||||
|
name: "admin"
|
||||||
|
attrs:
|
||||||
|
is_superuser: true
|
||||||
|
|
||||||
|
- model: authentik_core.group
|
||||||
|
identifiers:
|
||||||
|
name: "cloud"
|
||||||
|
attrs:
|
||||||
|
is_superuser: false
|
||||||
|
|
||||||
|
- model: authentik_core.group
|
||||||
|
identifiers:
|
||||||
|
name: "dev"
|
||||||
|
attrs:
|
||||||
|
is_superuser: false
|
||||||
|
|
||||||
|
- model: authentik_core.group
|
||||||
|
identifiers:
|
||||||
|
name: "flix"
|
||||||
|
attrs:
|
||||||
|
is_superuser: false
|
||||||
|
|
||||||
|
- model: authentik_core.group
|
||||||
|
identifiers:
|
||||||
|
name: "family"
|
||||||
|
attrs:
|
||||||
|
is_superuser: false
|
||||||
|
|
||||||
|
# --- ADMIN USERS ---
|
||||||
|
- model: authentik_core.user
|
||||||
|
identifiers:
|
||||||
|
username: !Env DEFAULT_ADMIN_USERNAME
|
||||||
|
attrs:
|
||||||
|
name: !Env DEFAULT_ADMIN_USERNAME
|
||||||
|
email: !Env DEFAULT_ADMIN_EMAIL
|
||||||
|
password: !Env DEFAULT_ADMIN_PASSWORD
|
||||||
|
path: "users"
|
||||||
|
groups:
|
||||||
|
- !Find [authentik_core.group, [name, "admin"]]
|
||||||
|
|
||||||
|
# Disable the Initial Setup Flow
|
||||||
|
- model: authentik_flows.flow
|
||||||
|
identifiers:
|
||||||
|
slug: "initial-setup"
|
||||||
|
attrs:
|
||||||
|
authentication: "require_superuser"
|
||||||
|
enabled: false
|
||||||
|
|
||||||
|
# Disable the default 'akadmin' if it exists
|
||||||
|
- model: authentik_core.user
|
||||||
|
identifiers:
|
||||||
|
username: "akadmin"
|
||||||
|
attrs:
|
||||||
|
is_active: false
|
||||||
@@ -0,0 +1,88 @@
|
|||||||
|
version: 1
|
||||||
|
metadata:
|
||||||
|
name: nextcloud-saml-setup
|
||||||
|
entries:
|
||||||
|
# 1. Create the SAML Provider
|
||||||
|
- model: authentik_providers_saml.samlprovider
|
||||||
|
identifiers:
|
||||||
|
name: Nextcloud SAML
|
||||||
|
attrs:
|
||||||
|
authorization_flow:
|
||||||
|
!Find [
|
||||||
|
authentik_flows.flow,
|
||||||
|
[slug, default-provider-authorization-explicit-consent],
|
||||||
|
]
|
||||||
|
invalidation_flow:
|
||||||
|
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
|
||||||
|
|
||||||
|
# Adjust these URLs to match your Nextcloud domain
|
||||||
|
acs_url: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/acs
|
||||||
|
audience: https://@NEXTCLOUD_DOMAIN@/apps/user_saml/saml/metadata
|
||||||
|
issuer: https://@AUTHENTIK_DOMAIN@
|
||||||
|
sp_binding: post
|
||||||
|
# Map the attributes for Name, Email, and Groups
|
||||||
|
property_mappings:
|
||||||
|
- !Find [
|
||||||
|
authentik_core.propertymapping,
|
||||||
|
[name, "authentik default SAML Mapping: Name"],
|
||||||
|
]
|
||||||
|
- !Find [
|
||||||
|
authentik_core.propertymapping,
|
||||||
|
[name, "authentik default SAML Mapping: Email"],
|
||||||
|
]
|
||||||
|
- !Find [
|
||||||
|
authentik_core.propertymapping,
|
||||||
|
[name, "authentik default SAML Mapping: Groups"],
|
||||||
|
]
|
||||||
|
- !Find [
|
||||||
|
authentik_core.propertymapping,
|
||||||
|
[name, "authentik default SAML Mapping: Username"],
|
||||||
|
]
|
||||||
|
- !Find [
|
||||||
|
authentik_core.propertymapping,
|
||||||
|
[name, "authentik default SAML Mapping: User ID"],
|
||||||
|
]
|
||||||
|
|
||||||
|
# - !Find [
|
||||||
|
# authentik_providers_saml.samlpropertymapping,
|
||||||
|
# [managed, "goauthentik.io/providers/saml/ms-name"],
|
||||||
|
# ]
|
||||||
|
# - !Find [
|
||||||
|
# authentik_providers_saml.samlpropertymapping,
|
||||||
|
# [managed, "goauthentik.io/providers/saml/ms-email"],
|
||||||
|
# ]
|
||||||
|
# - !Find [
|
||||||
|
# authentik_providers_saml.samlpropertymapping,
|
||||||
|
# [managed, "goauthentik.io/providers/saml/ms-groups"],
|
||||||
|
# ]
|
||||||
|
|
||||||
|
# - !Find [
|
||||||
|
# authentik_core.propertymapping,
|
||||||
|
# [managed, goauthentik.io/providers/saml/ms-name],
|
||||||
|
# ]
|
||||||
|
# - !Find [
|
||||||
|
# authentik_core.propertymapping,
|
||||||
|
# [managed, goauthentik.io/providers/saml/ms-email],
|
||||||
|
# ]
|
||||||
|
# - !Find [
|
||||||
|
# authentik_core.propertymapping,
|
||||||
|
# [managed, goauthentik.io/providers/saml/ms-groups],
|
||||||
|
# ]
|
||||||
|
# Select your signing certificate (default is usually self-signed)
|
||||||
|
signing_kp:
|
||||||
|
!Find [
|
||||||
|
authentik_crypto.certificatekeypair,
|
||||||
|
[name, "authentik Self-signed Certificate"],
|
||||||
|
]
|
||||||
|
sign_assertion: true
|
||||||
|
sign_response: false
|
||||||
|
|
||||||
|
# 2. Create the Application
|
||||||
|
- model: authentik_core.application
|
||||||
|
identifiers:
|
||||||
|
slug: nextcloud
|
||||||
|
attrs:
|
||||||
|
name: Nextcloud
|
||||||
|
provider:
|
||||||
|
!Find [authentik_providers_saml.samlprovider, [name, Nextcloud SAML]]
|
||||||
|
group: "Cloud Services"
|
||||||
@@ -0,0 +1,45 @@
|
|||||||
|
version: 1
|
||||||
|
metadata:
|
||||||
|
name: domain-wide-proxy-setup
|
||||||
|
entries:
|
||||||
|
# 1. The Provider
|
||||||
|
- model: authentik_providers_proxy.proxyprovider
|
||||||
|
identifiers:
|
||||||
|
name: Domain Wide Proxy
|
||||||
|
attrs:
|
||||||
|
authorization_flow:
|
||||||
|
!Find [
|
||||||
|
authentik_flows.flow,
|
||||||
|
[slug, default-provider-authorization-implicit-consent],
|
||||||
|
]
|
||||||
|
invalidation_flow:
|
||||||
|
!Find [authentik_flows.flow, [slug, default-provider-invalidation-flow]]
|
||||||
|
|
||||||
|
external_host: https://@AUTHENTIK_DOMAIN@
|
||||||
|
cookie_domain: "@COOKIE_DOMAIN@"
|
||||||
|
|
||||||
|
mode: forward_domain
|
||||||
|
intercept_header_auth: true
|
||||||
|
|
||||||
|
# 2. The Application (Required to link the provider)
|
||||||
|
- model: authentik_core.application
|
||||||
|
identifiers:
|
||||||
|
slug: authentik-proxy
|
||||||
|
attrs:
|
||||||
|
name: "Domain Auth Provider"
|
||||||
|
provider:
|
||||||
|
!Find [
|
||||||
|
authentik_providers_proxy.proxyprovider,
|
||||||
|
[name, Domain Wide Proxy],
|
||||||
|
]
|
||||||
|
|
||||||
|
# 3. Add to Outpost
|
||||||
|
- model: authentik_outposts.outpost
|
||||||
|
identifiers:
|
||||||
|
name: authentik Embedded Outpost
|
||||||
|
attrs:
|
||||||
|
providers:
|
||||||
|
- !Find [
|
||||||
|
authentik_providers_proxy.proxyprovider,
|
||||||
|
[name, Domain Wide Proxy],
|
||||||
|
]
|
||||||
@@ -1,14 +1,23 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.syscfg.server.containers;
|
serverCfg = config.syscfg.server;
|
||||||
enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg;
|
builder = import ./builder.nix { inherit config lib pkgs serverCfg; };
|
||||||
|
enabledConfigs = lib.filterAttrs (name: c: c.enable) serverCfg.containers;
|
||||||
containerSetsList = lib.mapAttrsToList (name: containerCfg:
|
containerSetsList = lib.mapAttrsToList (name: containerCfg:
|
||||||
import (./defs + "/${name}.nix") {
|
let apps = import (./apps + "/${name}.nix") {inherit config pkgs lib containerCfg builder name;};
|
||||||
inherit config pkgs lib containerCfg;
|
in{
|
||||||
}
|
name = name;
|
||||||
) enabledConfigs;
|
containers = lib.mapAttrs' (cName: cValue:
|
||||||
|
lib.nameValuePair "${name}-${cName}" cValue
|
||||||
|
) apps.containers;
|
||||||
|
paths = apps.paths or [];
|
||||||
|
setup = apps.setup or null;
|
||||||
|
cron = apps.cron or [];
|
||||||
|
}
|
||||||
|
) enabledConfigs;
|
||||||
mergedContainers = lib.attrsets.mergeAttrsList (lib.map(e: e.containers) containerSetsList);
|
mergedContainers = lib.attrsets.mergeAttrsList (lib.map(e: e.containers) containerSetsList);
|
||||||
allPathConfigs = lib.flatten (lib.map (e: e.paths or []) containerSetsList);
|
allPathConfigs = lib.flatten (lib.map (e: e.paths) containerSetsList);
|
||||||
|
allCronsConfigs = lib.flatten (lib.map (e: e.cron or []) containerSetsList);
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
config = lib.mkIf ( enabledConfigs != {} ) {
|
config = lib.mkIf ( enabledConfigs != {} ) {
|
||||||
@@ -17,24 +26,56 @@ in
|
|||||||
backend = "podman";
|
backend = "podman";
|
||||||
containers = mergedContainers;
|
containers = mergedContainers;
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.podman-gc = {
|
|
||||||
description = "Podman garbage collection";
|
|
||||||
serviceConfig.Type = "oneshot";
|
|
||||||
script = ''
|
|
||||||
${pkgs.podman}/bin/podman container prune -f
|
|
||||||
${pkgs.podman}/bin/podman image prune -f
|
|
||||||
'';
|
|
||||||
startAt = "weekly";
|
|
||||||
};
|
|
||||||
|
|
||||||
system.activationScripts.container-setup-dirs = {
|
system.activationScripts.container-setup-dirs = {
|
||||||
deps = [ "users" "groups" ];
|
deps = [ "users" "groups" ];
|
||||||
text = lib.concatStringsSep "\n" (map (cfg: ''
|
text = lib.concatStringsSep "\n" (map (cfg:
|
||||||
mkdir -p "${cfg.path}"
|
let
|
||||||
chown ${cfg.owner} "${cfg.path}"
|
effectiveCfg = {
|
||||||
chmod ${cfg.mode} "${cfg.path}"
|
owner = "root:root";
|
||||||
|
mode = "0400";
|
||||||
|
} // cfg;
|
||||||
|
in ''
|
||||||
|
${pkgs.coreutils}/bin/mkdir -p "${effectiveCfg.path}"
|
||||||
|
${pkgs.coreutils}/bin/chown ${effectiveCfg.owner} "${effectiveCfg.path}"
|
||||||
|
${pkgs.coreutils}/bin/chmod ${effectiveCfg.mode} "${effectiveCfg.path}"
|
||||||
'') allPathConfigs);
|
'') allPathConfigs);
|
||||||
};
|
};
|
||||||
|
|
||||||
|
systemd.services = {
|
||||||
|
podman-gc = {
|
||||||
|
description = "Podman garbage collection";
|
||||||
|
serviceConfig.Type = "oneshot";
|
||||||
|
script = ''
|
||||||
|
${pkgs.podman}/bin/podman container prune -f
|
||||||
|
${pkgs.podman}/bin/podman image prune -f
|
||||||
|
'';
|
||||||
|
startAt = "weekly";
|
||||||
|
};
|
||||||
|
} // lib.listToAttrs (lib.concatMap (containerSet:
|
||||||
|
if containerSet.setup != null then [{
|
||||||
|
name = "${containerSet.name}-setup";
|
||||||
|
value = {
|
||||||
|
description = "Run ${containerSet.name} setup";
|
||||||
|
after = [ "podman-${containerSet.name}-${containerSet.setup.trigger}.service" ];
|
||||||
|
wants = [ "podman-${containerSet.name}-${containerSet.setup.trigger}.service" ];
|
||||||
|
wantedBy = [ "multi-user.target" ];
|
||||||
|
serviceConfig = {
|
||||||
|
Type = "oneshot";
|
||||||
|
TimeoutStartSec = "360s";
|
||||||
|
EnvironmentFile = if (containerSet.setup ? envFile) then containerSet.setup.envFile else [ ];
|
||||||
|
ExecStart = "${containerSet.setup.script}";
|
||||||
|
RemainAfterExit = true;
|
||||||
|
User = "root";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}] else []
|
||||||
|
) containerSetsList);
|
||||||
|
|
||||||
|
services.cron = {
|
||||||
|
enable = true;
|
||||||
|
systemCronJobs = allCronsConfigs;
|
||||||
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
@@ -1,84 +0,0 @@
|
|||||||
{ config, containerCfg, pkgs, lib, ... }:
|
|
||||||
let
|
|
||||||
serverCfg = config.syscfg.server;
|
|
||||||
in {
|
|
||||||
paths = [{
|
|
||||||
path="${serverCfg.dataPath}/authentik/media";
|
|
||||||
owner = "1000:1000";
|
|
||||||
mode = "0755";
|
|
||||||
}{
|
|
||||||
path="${serverCfg.dataPath}/authentik/templates";
|
|
||||||
owner = "1000:1000";
|
|
||||||
mode = "0755";
|
|
||||||
}];
|
|
||||||
|
|
||||||
containers = {
|
|
||||||
|
|
||||||
auth_server = {
|
|
||||||
image = "ghcr.io/goauthentik/server:latest";
|
|
||||||
hostname = "auth_server";
|
|
||||||
volumes = [
|
|
||||||
"${serverCfg.dataPath}/authentik/media:/media"
|
|
||||||
"${serverCfg.dataPath}/authentik/templates:/templates"
|
|
||||||
];
|
|
||||||
environmentFiles = [
|
|
||||||
config.sops.secrets."AUTHENTIK".path
|
|
||||||
];
|
|
||||||
environment = {
|
|
||||||
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
|
|
||||||
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
|
|
||||||
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
|
|
||||||
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
|
|
||||||
"AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
|
|
||||||
"AUTHENTIK_EMAIL__PORT" = "587";
|
|
||||||
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
|
|
||||||
"AUTHENTIK_EMAIL__USE_TLS" = "true";
|
|
||||||
"AUTHENTIK_EMAIL__USE_SSL" = "false";
|
|
||||||
"AUTHENTIK_EMAIL__TIMEOUT" = "10";
|
|
||||||
"AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
|
|
||||||
};
|
|
||||||
labels = {
|
|
||||||
"traefik.enable" = "true";
|
|
||||||
"traefik.http.routers.sso.entrypoints" = "web-secure";
|
|
||||||
"traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
|
|
||||||
"traefik.http.routers.sso.tls" = "true";
|
|
||||||
"traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}";
|
|
||||||
};
|
|
||||||
cmd = [ "server" ];
|
|
||||||
extraOptions = [
|
|
||||||
"--add-host=host.containers.internal:host-gateway"
|
|
||||||
"--replace"
|
|
||||||
"--rm"
|
|
||||||
"--ip=${containerCfg.ip}"
|
|
||||||
];
|
|
||||||
ports = [
|
|
||||||
"9999:${toString containerCfg.port}"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
auth_worker = {
|
|
||||||
image = "ghcr.io/goauthentik/server:latest";
|
|
||||||
hostname = "auth_worker";
|
|
||||||
volumes = [
|
|
||||||
"${serverCfg.dataPath}/authentik/media:/media"
|
|
||||||
"${serverCfg.dataPath}/authentik/templates:/templates"
|
|
||||||
"/var/run/docker.sock:/var/run/docker.sock"
|
|
||||||
];
|
|
||||||
environmentFiles = [
|
|
||||||
config.sops.secrets."AUTHENTIK".path
|
|
||||||
];
|
|
||||||
environment = {
|
|
||||||
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
|
|
||||||
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
|
|
||||||
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
|
|
||||||
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
|
|
||||||
};
|
|
||||||
extraOptions = [
|
|
||||||
"--add-host=host.containers.internal:host-gateway"
|
|
||||||
"--replace"
|
|
||||||
"--rm"
|
|
||||||
];
|
|
||||||
cmd = [ "worker" ];
|
|
||||||
};
|
|
||||||
};
|
|
||||||
}
|
|
||||||
@@ -1,152 +0,0 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
|
||||||
let serverCfg = config.syscfg.server;
|
|
||||||
in {
|
|
||||||
project.name = "cloud";
|
|
||||||
|
|
||||||
networks = {
|
|
||||||
internal = {
|
|
||||||
name = lib.mkForce "internal";
|
|
||||||
internal = true;
|
|
||||||
};
|
|
||||||
external = {
|
|
||||||
name = lib.mkForce "external";
|
|
||||||
internal = false;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services = {
|
|
||||||
|
|
||||||
cloud_nextcloud.service = {
|
|
||||||
image = "nextcloud:27";
|
|
||||||
container_name = "cloud";
|
|
||||||
restart = "unless-stopped";
|
|
||||||
networks = [ "external" ];
|
|
||||||
volumes = [
|
|
||||||
"${serverCfg.configPath}/data/nextcloud:/var/www/html"
|
|
||||||
"${serverCfg.dataPath}/data/music:/media/music"
|
|
||||||
"${serverCfg.dataPath}/data/video:/media/video"
|
|
||||||
"${serverCfg.dataPath}/data/photo:/media/photo"
|
|
||||||
];
|
|
||||||
tmpfs = [ "/tmp" ];
|
|
||||||
labels = {
|
|
||||||
"traefik.enable" = "true";
|
|
||||||
"traefik.http.routers.nextcloud.entrypoints" = "web-secure";
|
|
||||||
"traefik.http.routers.nextcloud.rule" =
|
|
||||||
"Host(`cloud.${serverCfg.hostDomain}`)";
|
|
||||||
"traefik.http.routers.nextcloud.tls" = "true";
|
|
||||||
"traefik.http.routers.nextcloud.middlewares" =
|
|
||||||
"sts_headers,nextcloud-caldav";
|
|
||||||
|
|
||||||
"traefik.http.middlewares.nextcloud-caldav.redirectregex.permanent" =
|
|
||||||
"true";
|
|
||||||
"traefik.http.middlewares.nextcloud-caldav.redirectregex.regex" =
|
|
||||||
"^https://(.*)/.well-known/(card|cal)dav";
|
|
||||||
"traefik.http.middlewares.nextcloud-caldav.redirectregex.replacement" =
|
|
||||||
"https://$\${1}/remote.php/dav/";
|
|
||||||
"traefik.http.middlewares.sts_headers.headers.stsSeconds" = "15552000";
|
|
||||||
"traefik.http.middlewares.sts_headers.headers.stsIncludeSubdomains" =
|
|
||||||
"true";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
cloud_office.service = {
|
|
||||||
image = "collabora/code:latest";
|
|
||||||
container_name = "cloud_office";
|
|
||||||
restart = "unless-stopped";
|
|
||||||
networks = [ "external" ];
|
|
||||||
volumes = [ ];
|
|
||||||
environment = {
|
|
||||||
username = "COLLABORA_USER";
|
|
||||||
password = "COLLABORA_PASSWORD";
|
|
||||||
aliasgroup1 = "https://cloud.${serverCfg.hostDomain}";
|
|
||||||
server_name = "office.${serverCfg.hostDomain}";
|
|
||||||
VIRTUAL_HOST = "office.${serverCfg.hostDomain}";
|
|
||||||
VIRTUAL_PORT = "9980";
|
|
||||||
VIRTUAL_PROTO = "http";
|
|
||||||
DONT_GEN_SSL_CERT = "true";
|
|
||||||
RESOLVE_TO_PROXY_IP = "true";
|
|
||||||
NETWORK_ACCESS = "internal";
|
|
||||||
extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
|
|
||||||
dictionaries = "en fr de jp";
|
|
||||||
};
|
|
||||||
labels = {
|
|
||||||
"traefik.enable" = "true";
|
|
||||||
"traefik.http.routers.collabora.entrypoints" = "web-secure";
|
|
||||||
"traefik.http.routers.collabora.rule" =
|
|
||||||
"Host(`office.${serverCfg.hostDomain}`)";
|
|
||||||
"traefik.http.routers.collabora.tls" = "true";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
cloud_etherpad.service = {
|
|
||||||
image = "etherpad/etherpad:latest";
|
|
||||||
container_name = "etherpad";
|
|
||||||
restart = "unless-stopped";
|
|
||||||
networks = [ "external" ];
|
|
||||||
volumes = [
|
|
||||||
"${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
|
|
||||||
"${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
|
|
||||||
];
|
|
||||||
environment = {
|
|
||||||
NODE_ENV = "production";
|
|
||||||
TITLE = "Helcel-Pad";
|
|
||||||
DB_TYPE = "mysql";
|
|
||||||
DB_HOST = serverCfg.dbHost;
|
|
||||||
DB_PORT = serverCfg.dbPort;
|
|
||||||
DB_NAME = "etherpad";
|
|
||||||
DB_USER = "ETHERPAD_DB_USER";
|
|
||||||
DB_PASS = "ETHERPAD_DB_PASSWORD";
|
|
||||||
DB_CHARSET = "utf8mb4";
|
|
||||||
DEFAULT_PAD_TEXT = "P A D";
|
|
||||||
PAD_OPTIONS_SHOW_LINE_NUMBERS = "true";
|
|
||||||
PAD_OPTIONS_USE_MONOSPACE_FONT = "true";
|
|
||||||
ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
|
|
||||||
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
|
|
||||||
};
|
|
||||||
labels = {
|
|
||||||
"traefik.enable" = "true";
|
|
||||||
"traefik.http.routers.etherpad.entrypoints" = "web-secure";
|
|
||||||
"traefik.http.routers.etherpad.rule" =
|
|
||||||
"Host(`pad.${serverCfg.hostDomain}`)";
|
|
||||||
"traefik.http.routers.etherpad.tls" = "true";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
cloud_ethercalc.service = {
|
|
||||||
image = "audreyt/ethercalc:latest";
|
|
||||||
container_name = "ethercalc";
|
|
||||||
restart = "unless-stopped";
|
|
||||||
networks = [ "external" "internal" ];
|
|
||||||
volumes = [
|
|
||||||
"${serverCfg.dataPath}/ether/etherpad/data:/opt/etherpad-lite/var"
|
|
||||||
"${serverCfg.dataPath}/ether/etherpad/APIKEY.txt:/opt/etherpad-lite/APIKEY.txt"
|
|
||||||
];
|
|
||||||
environment = {
|
|
||||||
NODE_ENV = "production";
|
|
||||||
TITLE = "Helcel-Calc";
|
|
||||||
REDIS_PORT_6379_TCP_ADDR = "ethercalc-redis";
|
|
||||||
REDIS_PORT_6379_TCP_PORT = "6379";
|
|
||||||
ADMIN_PASSWORD = "ETHERPAD_ADMIN_PASSWORD";
|
|
||||||
SKIN_VARIANTS = "super-dark-toolbar light-editor dark-background";
|
|
||||||
};
|
|
||||||
labels = {
|
|
||||||
"traefik.enable" = "true";
|
|
||||||
"traefik.http.routers.ethercalc.entrypoints" = "web-secure";
|
|
||||||
"traefik.http.routers.ethercalc.rule" =
|
|
||||||
"Host(`calc.${serverCfg.hostDomain}`)";
|
|
||||||
"traefik.http.routers.ethercalc.tls" = "true";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
cloud_redis.service = {
|
|
||||||
image = "redis:latest";
|
|
||||||
container_name = "ethercalc-redis";
|
|
||||||
restart = "unless-stopped";
|
|
||||||
networks = [ "internal" ];
|
|
||||||
volumes = [ "${serverCfg.dataPath}/ether/ethercalc/redis:/data" ];
|
|
||||||
environment = { };
|
|
||||||
labels = { "traefik.enable" = "false"; };
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
}
|
|
||||||
@@ -1,30 +0,0 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
|
||||||
let serverCfg = config.syscfg.server;
|
|
||||||
in {
|
|
||||||
project.name = "name";
|
|
||||||
|
|
||||||
networks = {
|
|
||||||
internal = {
|
|
||||||
name = lib.mkForce "internal";
|
|
||||||
internal = true;
|
|
||||||
};
|
|
||||||
external = {
|
|
||||||
name = lib.mkForce "external";
|
|
||||||
internal = false;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services = {
|
|
||||||
|
|
||||||
NAME.service = {
|
|
||||||
image = "NAME:latest";
|
|
||||||
container_name = "NAME";
|
|
||||||
restart = "unless-stopped";
|
|
||||||
networks = [ "internal" ];
|
|
||||||
volumes = [ ];
|
|
||||||
environment = { };
|
|
||||||
labels = { "traefik.enable" = "false"; };
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
}
|
|
||||||
@@ -1,81 +0,0 @@
|
|||||||
{ config, pkgs, ... }: {
|
|
||||||
project.name = "traefik";
|
|
||||||
|
|
||||||
networks = {
|
|
||||||
internal = {
|
|
||||||
name = lib.mkForce "internal";
|
|
||||||
internal = true;
|
|
||||||
};
|
|
||||||
external = {
|
|
||||||
name = lib.mkForce "external";
|
|
||||||
internal = false;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
services = {
|
|
||||||
|
|
||||||
traefik.service = {
|
|
||||||
image = "traefik:latest";
|
|
||||||
container_name = "traefik";
|
|
||||||
restart = "unless-stopped";
|
|
||||||
networks = [ "internal" "external" ];
|
|
||||||
command = [
|
|
||||||
"--api"
|
|
||||||
"--providers.docker=true"
|
|
||||||
"--entrypoints.web.address=:80"
|
|
||||||
"--entrypoints.web-secure.address=:443"
|
|
||||||
];
|
|
||||||
port = [ "443" "80" ];
|
|
||||||
volumes = [
|
|
||||||
"/var/run/docker.sock:/var/run/docker.sock:ro"
|
|
||||||
"${serverCfg.configPath}/traefik/traefik.yaml:/etc/traefik/traefik.yaml"
|
|
||||||
"${serverCfg.configPath}/traefik/access.log:/etc/traefik/access.log"
|
|
||||||
"${serverCfg.configPath}/traefik/acme.json:/acme.json"
|
|
||||||
];
|
|
||||||
environment = {
|
|
||||||
"INFOMANIAK_ACCESS_TOKEN" = config.sops.secrets.INFOMANIAK_API_KEY.path;
|
|
||||||
};
|
|
||||||
labels = { "traefik.enable" = "false"; };
|
|
||||||
};
|
|
||||||
|
|
||||||
matomo.service = {
|
|
||||||
image = "matomo:latest";
|
|
||||||
container_name = "matomo";
|
|
||||||
restart = "unless-stopped";
|
|
||||||
networks = [ "external" ];
|
|
||||||
volumes = [
|
|
||||||
"/etc/localtime:/etc/localtime:ro"
|
|
||||||
"${serverCfg.configPath}/matomo:/var/www/html/config:rw"
|
|
||||||
"${serverCfg.configPath}/traefik/access.log:/var/log/taccess.log:ro"
|
|
||||||
];
|
|
||||||
environment = { };
|
|
||||||
labels = {
|
|
||||||
"traefik.http.routers.matomo.rule" =
|
|
||||||
"Host(`matomo.${serverCfg.hostDomain}`)";
|
|
||||||
"traefik.http.routers.matomo.entrypoints" = "web-secure";
|
|
||||||
"traefik.http.routers.matomo.tls" = "true";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
searx.service = {
|
|
||||||
image = "searxng/searxng:latest";
|
|
||||||
container_name = "searx";
|
|
||||||
restart = "unless-stopped";
|
|
||||||
networks = [ "external" ];
|
|
||||||
volumes = [ "/etc/localtime:/etc/localtime:ro" ];
|
|
||||||
environment = {
|
|
||||||
"BASE_URL" = "https://searx.${serverCfg.hostDomain}";
|
|
||||||
"AUTOCOMPLETE" = "true";
|
|
||||||
"INSTANCE_NAME" = "searx${serverCfg.shortName}";
|
|
||||||
};
|
|
||||||
labels = {
|
|
||||||
"traefik.http.routers.matomo.rule" =
|
|
||||||
"Host(`searx.${serverCfg.hostDomain}`)";
|
|
||||||
"traefik.http.routers.matomo.entrypoints" = "web-secure";
|
|
||||||
"traefik.http.routers.matomo.tls" = "true";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
};
|
|
||||||
}
|
|
||||||
|
|
||||||
@@ -62,7 +62,6 @@ in {
|
|||||||
|
|
||||||
if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
|
if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
|
||||||
PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
|
PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
|
||||||
echo $PASS
|
|
||||||
if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
|
if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
|
||||||
echo "✅ Successfully set password for ${name}_user"
|
echo "✅ Successfully set password for ${name}_user"
|
||||||
else
|
else
|
||||||
|
|||||||
@@ -1,7 +1,8 @@
|
|||||||
|
{ config, lib, ... }:
|
||||||
|
let
|
||||||
{ config, lib, ... }:{
|
cfg = config.syscfg.server;
|
||||||
config = lib.mkIf (config.syscfg.server.nftables.enable) {
|
in {
|
||||||
|
config = lib.mkIf (cfg.ipfw.enable) {
|
||||||
boot.kernel.sysctl = {
|
boot.kernel.sysctl = {
|
||||||
"net.ipv4.ip_forward" = 1;
|
"net.ipv4.ip_forward" = 1;
|
||||||
"net.ipv6.conf.all.forwarding" = 1;
|
"net.ipv6.conf.all.forwarding" = 1;
|
||||||
@@ -9,13 +10,6 @@
|
|||||||
|
|
||||||
networking.nftables.enable = true;
|
networking.nftables.enable = true;
|
||||||
networking.nftables.ruleset = ''
|
networking.nftables.ruleset = ''
|
||||||
table inet filter {
|
|
||||||
chain input {
|
|
||||||
type filter hook input priority filter; policy accept;
|
|
||||||
tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
|
|
||||||
|
|
||||||
}
|
|
||||||
}
|
|
||||||
table inet nat {
|
table inet nat {
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
type nat hook prerouting priority dstnat; policy accept;
|
type nat hook prerouting priority dstnat; policy accept;
|
||||||
@@ -34,12 +28,12 @@
|
|||||||
iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
|
iifname "${srcInt}" tcp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
|
||||||
iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
|
iifname "${srcInt}" udp dport ${srcPort} counter dnat ip6 to [${dstAddr6}]:${dstPort}
|
||||||
''
|
''
|
||||||
) config.syscfg.server.nftables.ports}
|
) cfg.ipfw.ports}
|
||||||
}
|
}
|
||||||
|
|
||||||
chain postrouting {
|
chain postrouting {
|
||||||
type nat hook postrouting priority srcnat; policy accept;
|
type nat hook postrouting priority srcnat; policy accept;
|
||||||
oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade
|
oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') cfg.ipfw.ifs} } masquerade
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
'';
|
'';
|
||||||
|
|||||||
@@ -0,0 +1,130 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.syscfg.server;
|
||||||
|
containers = cfg.containers;
|
||||||
|
faviconOverride = {
|
||||||
|
" ~* /favicon\.(ico|png|svg|jpg)$" = {
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Content-Type image/svg+xml;
|
||||||
|
return 200 '<svg xmlns="http://www.w3.org/2000/svg" id="Layer_1" data-name="Layer 1" viewBox="0 0 50 50"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><path class="cls-1" d="M30.83,5A23.23,23.23,0,0,0,10.41,67.13h10.8C26,63,32.94,61.8,38,67.13H49.39C44.93,61.09,38.24,55,30.83,55Z"/><path class="cls-1" d="M46.25,28.11c-14.89,31.15-41,4.6-25-11H10.41c-8.47,14.76,3.24,34.68,20.42,34.23,13.28,0,24.24-19.72,24.24-23.21,0-1.54-2.14-6.25-5.68-11H38A40.52,40.52,0,0,1,46.25,78.11Zm.4-.91Z"/></svg>';
|
||||||
|
'';
|
||||||
|
# proxyPass = "http://127.0.0.1:9000";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
# Function to convert your container config into an NGINX vhost
|
||||||
|
mkVhost = container: {
|
||||||
|
forceSSL = true;
|
||||||
|
# quic = true;
|
||||||
|
# http3 = true;
|
||||||
|
useACMEHost = "${cfg.hostDomain}";
|
||||||
|
locations = faviconOverride // {
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://${container.ip}:${toString container.port}";
|
||||||
|
proxyWebsockets = true; # Recommended for modern apps
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
in {
|
||||||
|
config = lib.mkIf ( config.syscfg.server.web) {
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults.email = "admin@domain.org";
|
||||||
|
|
||||||
|
certs."${cfg.hostDomain}" = {
|
||||||
|
domain = "*.${cfg.hostDomain}";
|
||||||
|
extraDomainNames = [ "${cfg.hostDomain}" ]; # Adds the root too
|
||||||
|
dnsProvider = "infomaniak";
|
||||||
|
credentialsFile = config.sops.secrets."INFOMANIAK_API_KEY".path; # File containing your API token (e.g. CLOUDFLARE_DNS_API_TOKEN=...)
|
||||||
|
group = "nginx";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
|
||||||
|
# appendHttpConfig = ''
|
||||||
|
# add_header Alt-Svc 'h3=":443"; ma=86400';
|
||||||
|
# '';
|
||||||
|
commonHttpConfig = ''
|
||||||
|
proxy_buffer_size 32k;
|
||||||
|
proxy_buffers 8 16k;
|
||||||
|
proxy_busy_buffers_size 48k;
|
||||||
|
'';
|
||||||
|
|
||||||
|
virtualHosts = {
|
||||||
|
"_" = {
|
||||||
|
default = true;
|
||||||
|
forceSSL = true;
|
||||||
|
# quic = true;
|
||||||
|
# http3 = true;
|
||||||
|
useACMEHost = "${cfg.hostDomain}";
|
||||||
|
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
extraConfig = ''
|
||||||
|
return 404;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"sec.${cfg.hostDomain}" = {
|
||||||
|
forceSSL = true;
|
||||||
|
useACMEHost = "${cfg.hostDomain}";
|
||||||
|
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
proxyWebsockets = true;
|
||||||
|
proxyPass= "http://${cfg.containers.authentik.subdomain}.${cfg.hostDomain}";
|
||||||
|
|
||||||
|
extraConfig = ''
|
||||||
|
auth_request /outpost.goauthentik.io/auth/nginx;
|
||||||
|
error_page 401 = @goauthentik_proxy_signin;
|
||||||
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
|
||||||
|
auth_request_set $authentik_username $upstream_http_x_authentik_username;
|
||||||
|
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
|
||||||
|
auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
|
||||||
|
auth_request_set $authentik_email $upstream_http_x_authentik_email;
|
||||||
|
auth_request_set $authentik_name $upstream_http_x_authentik_name;
|
||||||
|
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
|
||||||
|
|
||||||
|
proxy_set_header X-authentik-username $authentik_username;
|
||||||
|
proxy_set_header X-authentik-groups $authentik_groups;
|
||||||
|
proxy_set_header X-authentik-entitlements $authentik_entitlements;
|
||||||
|
proxy_set_header X-authentik-email $authentik_email;
|
||||||
|
proxy_set_header X-authentik-name $authentik_name;
|
||||||
|
proxy_set_header X-authentik-uid $authentik_uid;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
"/outpost.goauthentik.io" = {
|
||||||
|
proxyWebsockets = true;
|
||||||
|
proxyPass = "http://${config.syscfg.server.containers.authentik.ip}:${toString config.syscfg.server.containers.authentik.port}/outpost.goauthentik.io";
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
|
proxy_pass_request_body off;
|
||||||
|
proxy_set_header Content-Length "";
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
extraConfig = ''
|
||||||
|
location @goauthentik_proxy_signin {
|
||||||
|
internal;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
return 302 https://${cfg.containers.authentik.subdomain}.${cfg.hostDomain}/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
} //lib.mapAttrs' (name: v:
|
||||||
|
lib.nameValuePair "${v.subdomain}.${cfg.hostDomain}" (mkVhost v)
|
||||||
|
) containers;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -1,16 +1,17 @@
|
|||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
let
|
let
|
||||||
listNames = config.syscfg.server.db;
|
listNames = config.syscfg.server.db;
|
||||||
containerNames = lib.mapAttrsToList (name: cfg: name)
|
containerNames = lib.mapAttrsToList (name: cfg: name)
|
||||||
(lib.filterAttrs (name: cfg: cfg.db or false) config.syscfg.server.containers);
|
(lib.filterAttrs (name: cfg: ((cfg.db or false) || (cfg.sops or false))) config.syscfg.server.containers);
|
||||||
allApps = lib.unique (listNames ++ containerNames);
|
allApps = lib.unique (listNames ++ containerNames);
|
||||||
in{
|
in{
|
||||||
config = lib.mkIf (config.syscfg.server.sops) {
|
|
||||||
sops.secrets = {
|
sops.secrets = {
|
||||||
INFOMANIAK_API_KEY = { sopsFile = ./server.yaml; };
|
CUSTOM = {
|
||||||
} // (lib.genAttrs (map (name: "${lib.toUpper name}") allApps) (name: {
|
mode = "0444";
|
||||||
owner = "postgres";
|
sopsFile = ./server.yaml;
|
||||||
|
};
|
||||||
|
} // (lib.genAttrs (map (name: lib.toUpper name) allApps) (name: {
|
||||||
|
mode = "0444";
|
||||||
sopsFile = ./server.yaml;
|
sopsFile = ./server.yaml;
|
||||||
}));
|
}));
|
||||||
};
|
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -0,0 +1,28 @@
|
|||||||
|
CUSTOM: |
|
||||||
|
DEFAULT_ADMIN_USERNAME=...
|
||||||
|
DEFAULT_ADMIN_PASSWORD=...
|
||||||
|
DEFAULT_ADMIN_EMAIL=...
|
||||||
|
TRAEFIK: |
|
||||||
|
INFOMANIAK_ACCESS_TOKEN=...
|
||||||
|
AUTHENTIK: |
|
||||||
|
DB_PASSWORD=...
|
||||||
|
POSTGRES_PASSWORD=...
|
||||||
|
AUTHENTIK_SECRET_KEY=...
|
||||||
|
AUTHENTIK_EMAIL__PASSWORD=...
|
||||||
|
NEXTCLOUD: |
|
||||||
|
DB_PASSWORD=...
|
||||||
|
POSTGRES_PASSWORD=...
|
||||||
|
COLLABORA: |
|
||||||
|
password=...
|
||||||
|
ETHERPAD: |
|
||||||
|
DB_PASSWORD=...
|
||||||
|
DB_PASS=...
|
||||||
|
ADMIN_PASSWORD=...
|
||||||
|
APIKEY=...
|
||||||
|
ETHERCALC: |
|
||||||
|
ETHERCALC_KEY=...
|
||||||
|
GITEA: |
|
||||||
|
DB_PASSWORD=...
|
||||||
|
GITEA__database__PASSWD=...
|
||||||
|
GITEA__security__SECRET_KEY=...
|
||||||
|
GITEA__security__INTERNAL_TOKEN=...
|
||||||
@@ -1,5 +1,11 @@
|
|||||||
INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
|
CUSTOM: ENC[AES256_GCM,data:OVhE99dmudlV31Re2/fyFurXnRSM3RjbdVDxYp6oF4kazaseISlI4QjgIyyUNEAjeAST17Prv/t5GdyTUvoUICoVKmhQdRv5xFeB7ngTCdi7XoYW1r6HIXwz9wOf/UvPWLafSxSM,iv:/ikpvHH5sLZpTnNABUFjZoVLS+tBZSUYIUxxdXMCCcc=,tag:mS9uW33M355KErY1rQtvqQ==,type:str]
|
||||||
AUTHENTIK: ENC[AES256_GCM,data:jNcqbLEMbaQ7mmn4dK4LFguecDDxrBsQZaqfQeQ+iGel6mD4jAC6rNdGC8H8NepRWmc0ZjNC6Fe4EaGllbjq/50SqlB47DtyuuCwOZFP6fiU4sD13B7t0Fg/7xMomqnRnJ+3UyVzt6PgEzzQNoPPpHxVGpR+TJnROhflcmCKi/JdAR6dspNqJEbrjp4LVk28Rp9Od6lbsOGphRb79z/DKA1QYRPuE7QU7Edzqqy09g5nKjGxIxjWNEYPt0WiD3537eBICfWm5krs8jxyf6TSiGasHSgSDyJSbnoNkPzSf9A5Jwtulu1jFgjvY/v+qhs9649USp1MzogSAfDZBNC4irge/lb5EPPIQ31EC/Dybza9dX/h6cR/KyQm5GsxBBJzm33rzC/4aCCRlcsAl5eO4JZn4MZta4yHss2UQHQ48i15OSdBwwTbTt240UbrIIje0hfOM6R+Uk3VOY/+VtBV/D+0ks2SUEKMvWgqJDhDh4FVqeR0a9dpLhOAvaWryAAETjlHljOrcF3Q3WooZbBDvLyMMtsHIeF1JDqwghI3,iv:8RdNbsnVVu4awW6yrpLGxAtM7o6uN5vgZIotmT6osW8=,tag:rNaCeG6STXINm42x1b2jcw==,type:str]
|
TRAEFIK: ENC[AES256_GCM,data:Ei+/OL7xwNaOEg3rSaz95N78nvp51lC63XCplNzeD+bBMGcK9G7HoyQxfpaJ7S0MkuMW0ZXT2nJ4GES40GoJCZIrnEiSBm2tpjDfNjlS/rFwxx0wVfM1nsEuBf3pL5dqiCNa9+Lad2Cd,iv:d1MH0ive+E8xuUK0CIOXZeEigHJKVGlFaq0iH4KSbZA=,tag:VTARuNeotr2I0+fdOk+iqA==,type:str]
|
||||||
|
AUTHENTIK: ENC[AES256_GCM,data:dZ+Kf85ZjaZ82coYNeNOXe5zfD2M9rEeOB6jDNoaKmo3jMABhnha+iBvYJTI2NltkGzymPJQI+JV8F6GdT1l6cqcR8p0nNjQjS1BMk0rR7n8RCp6MazUTJuIjbEq6zEUrA4SXquw5gZDEp4FLo010PhoLaLinHg8OoqzjDsTxdcKevbQWmZeefDBrwXWpz6BlkRIQA3KazVb0w7l1jDTIkozUIWbvtvtk5ccGjzx3b+wCC36QYFcHHtPvFZwMDHzFPVBd90hWc/BwFfvCExONmH0S7GLFTp7I5NsBnWpT0AHUHHc5PlSR2dUy9H2DZ3IkORdNVzOaqESbYKymuWTQBDQuyI9IJdt4Cac0CV9i6p8rFXL6fQyQKZ9djHX8orpyCUeJXqFs8I6et+IzpTeZcmdv/76Q9tomBBi4k4PRMXpeff8Bn02bOSb7RSaj5NVeWxIhZkh3sEXUeva5/yrAYT30mrLpbwzWoCaKrPCPLIcFxvNrYxPUo6kVVz1jSlBurvcKefbreJGqA==,iv:Hj7aBfDLSqRBzueN8b9F9TutpjMESFloqrnirSmnH9U=,tag:1ikt1JvuhIZCx68nh/VzMA==,type:str]
|
||||||
|
NEXTCLOUD: ENC[AES256_GCM,data:IWitzubILQ5SrGdO3UQZboisqAECt5lXOqHVg4yAKxedG7ZLOgVp6jPV+4VVDC13KEkxIsiYjjNvjqnOXCdYWQIC13YZ+o2IBDI9PgavBB3nmjfi0Q7BVki6C8qCtbM5H9uFlQ3h7rkPyEbE3pHa3dY5uwgdtmvw3qKf2UAZGIJCU7dKamjuTCucGitOEG434jFQik9duHZs7EV3AZrkLXqOfdvftvdpciDb/4/K7h/4uEYSXJ94Lf0b16/NRUcR,iv:1UvcbqC3hJEHU9t6Z+N226DTJEcgM315ynYkxPKpYSM=,tag:FGkXlUw+7LRu1/cpMys7OA==,type:str]
|
||||||
|
COLLABORA: ENC[AES256_GCM,data:cLGEziks5dyxTF1jugfpQE0l0nSkDP7MpROzCxCM94jv49sguA+d/SnY1olE8ZP9iCBnlvbMZyNR7uYo88B92Pmv8wVWfeuhHiHFIXh5aaOxntpt80UMg3Jy,iv:gmFG7C893QPuZ4rEqllAlUpNIXMcGsf9+/QCPLhWLTM=,tag:WpKHCUk6zhQRfFX2d6OPbQ==,type:str]
|
||||||
|
ETHERPAD: ENC[AES256_GCM,data:PSr06GyOgY0HDNC4Hr2XUjbNUszGlfBjxDbrrKNQOqSMSVfZj4iFIGamrS72WO0un4U7IENx0T6CTBN/ELoq7J/+W9zf879uzKWuNaAulLVtBqrUbbqA7hTJpidnveZXzdwZRvlz/bU8kWAmXyhiDb2Q42Sz3BDb6duM3PO1AgG8Ko1pi2IemCPjO3uzudeT8FAlO8NnCUxKgwIKSz8CodOXFVGk66NX4xJd4ycfdNYXvKBNlzt1+WuWsZeZzeWmF7WD2dt4wWA9fWxB90fnth6ZV5LdeXjyYnzwkFOWoyNazgqV4jBv+aXKVwX4fYvspu13cVdrak3gc698bS2N1guDss4A/sfXMbtaYPGm98xXkqz1LP7sXQzKUdZf9sAS9gtOVv2tmg==,iv:uQ0Roe+XefzMjZCF3It+U2D1MWPMT5f6CPwlz0gQ5W0=,tag:wSgp0CVr6Y6M3eqcoTy8cw==,type:str]
|
||||||
|
ETHERCALC: ENC[AES256_GCM,data:0ScnDsUNBt6wYJC4hTXn8huuTptBTDKZV4yFVQ4fuBWc6auWNWhDQlTc0ImJoK6efr2uyp3sVu3o+KlCNvUGhDOJ1you6socyTgRP0q7oLPC+Ln+bFP8gWG8v2nyEFY=,iv:YqvVjBFG/WZg1l4aMAiioOruWZ9zcTMr74DVW+1+2DQ=,tag:ePBXd4ddipJtxhFE1amfMg==,type:str]
|
||||||
|
GITEA: ENC[AES256_GCM,data:TGsye52g8DVOk51o1dWfF6x3m6BFPe0MtUbOayxYejaYSZ4cDCfx02EPAhiL3FJGLfidZt7+WpjhVqJvFeCvJ1OXdYMQyuL3akPBCmEjmBgBhJvEjVtVgV3aNMS21gy3o0RG/MXDXOLpjHeaXn3G/XWKsv5bw+gg94bDirOguLC5eaFxddn5/UGFvfwXzDmkoNmc9zufGvVpUkRy8rju/TjOz4Q5GZk1gXWtJWdkTGhuVYVBDDHIQq9DBS0qXi8tP3FvY8prOi/c5ZbyyZjTOgNpWB9uU4HkHz4aUTMFIrPFwUeWmNMIdyUmarSQ7tDDdhBfIiLhb94jaMATHq+PfwwpCcmiTfBEG3OS/3SXPMWg6jhfUxvxsKNT2HQca31B9IRqlitaio3r6KEPBTYh2nWtFO9d5Is7TUWkGsOaV+0JSiNPNh5uD7kNyBxsKUKcND7JXMxW/TZOqARY64x6IwDrbcypsyMW5i+4Er1/0HCvZ7FBH1XkTul8vBGF5ZGD/tYp/m6Ld26GKYkj967eYIwlNFcOMGNue5PyJfFCq0qWbLWO9dFA9c2e9r81DCD8y/0S3Ts7X7TkXVGShm7JoMqb8dzg9i6CoNlmbPAM5GwoNV3ftQugvqEGMk5UIvf05YsgSNvq4UJbhsT4bZqpV0plnxYD5TswCGF/XQ3nwwFTudmf1OLcgYwM2NckbVui128o1Rw=,iv:vo6l0QirLIUvwLN675LYkffkXejJecvBesLJvoW/bjY=,tag:zyLyiCskF84A3QVoq5X3iw==,type:str]
|
||||||
sops:
|
sops:
|
||||||
age:
|
age:
|
||||||
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
|
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
|
||||||
@@ -20,8 +26,8 @@ sops:
|
|||||||
S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
|
S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
|
||||||
d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
|
d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2026-05-06T01:10:20Z"
|
lastmodified: "2026-05-11T22:33:41Z"
|
||||||
mac: ENC[AES256_GCM,data:O4RLfEE6z0uDRpZdL47Or+z/PTeJ+zgzXN9kJS6Nebs9Uhw0XUJUPGhAocLokiMin5sQcpxXG5Q8oc2rAkq2GDbtna4u26dtNkd2Q/vtly6DqUaIRXXt3TL5cfJwMNa76fp+ERKLwGbBG+/BFWajzYJtcE257I8t3X4UmAdqYmE=,iv:uYLh8LnGobf7t3Ur7drEiA6n3Vv0e0yhlja6Uww8jiU=,tag:ZK3OCCsiMPtKl28lrGKtqQ==,type:str]
|
mac: ENC[AES256_GCM,data:276HHpEW56HOvKKbNPM79QrEBYDM590bOLfsgssSb79jm+LzrgLlYk2QImmXArADWby4Ai4jBPL4EahNm+a3aBazMEbwAu+EorvORE2P12W5C1ztskx5XUI3yDKY96jlZvmpXsqefa2pOQc1USk8ai/Obd5MLK06kMr2w3a7P9s=,iv:NJoe1lvw1hrWNL79Ux065UkSEDEEc0+NqlqB4tk3mAw=,tag:YTjIvEP1BO69Pa0qispMLQ==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2026-05-05T23:46:27Z"
|
- created_at: "2026-05-05T23:46:27Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
{ config, ... }: {
|
{ ... }: {
|
||||||
imports = [ ./sorahiro.nix ];
|
imports = [ ./sorahiro.nix ];
|
||||||
|
|
||||||
colorScheme.palette.border-radius = "#8";
|
colorScheme.palette.border-radius = "#8";
|
||||||
|
|||||||
@@ -1,4 +1,4 @@
|
|||||||
{ nix-colors, ... }:
|
{ ... }:
|
||||||
let use_pastelle = true;
|
let use_pastelle = true;
|
||||||
in{
|
in{
|
||||||
# usage: a = "#${config.colorScheme.palette.base00}";
|
# usage: a = "#${config.colorScheme.palette.base00}";
|
||||||
|
|||||||
@@ -82,18 +82,9 @@ let
|
|||||||
};
|
};
|
||||||
serverOpt = with lib; {
|
serverOpt = with lib; {
|
||||||
hostDomain = mkOption { type = types.str; };
|
hostDomain = mkOption { type = types.str; };
|
||||||
shortName = mkOption { type = types.str; };
|
|
||||||
mailDomain = mkOption { type = types.str; };
|
mailDomain = mkOption { type = types.str; };
|
||||||
mailServer = mkOption { type = types.str; };
|
mailServer = mkOption { type = types.str; };
|
||||||
|
|
||||||
dbHost = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "localhost";
|
|
||||||
};
|
|
||||||
dbPort = mkOption {
|
|
||||||
type = types.str;
|
|
||||||
default = "3306";
|
|
||||||
};
|
|
||||||
configPath = mkOption {
|
configPath = mkOption {
|
||||||
type = types.str;
|
type = types.str;
|
||||||
default = "/media/config";
|
default = "/media/config";
|
||||||
@@ -102,22 +93,32 @@ let
|
|||||||
type = types.str;
|
type = types.str;
|
||||||
default = "/media/data";
|
default = "/media/data";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
colorScheme = mkOption {
|
||||||
|
#type = types.submodule {
|
||||||
|
# options = {
|
||||||
|
# slug = mkOption { type = types.str; };
|
||||||
|
# name = mkOption { type = types.str; };
|
||||||
|
# palette = mkOption {
|
||||||
|
type = types.attrs; #default = {};# };
|
||||||
|
#};
|
||||||
|
# };
|
||||||
|
default = (lib.evalModules { modules =[ { freeformType = with lib.types; attrsOf anything; } ../colors ];}).config.colorScheme ;
|
||||||
|
};
|
||||||
containers = mkOption {
|
containers = mkOption {
|
||||||
type = types.attrsOf (types.submodule {
|
type = types.attrsOf (types.submodule {
|
||||||
options = {
|
options = {
|
||||||
enable = mkOption { type = types.bool;default = false; };
|
enable = mkOption { type = types.bool;default = false; };
|
||||||
db = mkOption { type = types.bool;default = false; };
|
db = mkOption { type = types.bool;default = false; };
|
||||||
ip = mkOption { type = types.str; };
|
sops = mkOption { type = types.bool;default = false; };
|
||||||
port = mkOption { type = types.port; };
|
ip = mkOption { type = types.nullOr types.str; default = null;};
|
||||||
extraParam = mkOption { type = types.str; default = ""; };
|
subdomain = mkOption { type = types.nullOr types.str; default=null;};
|
||||||
|
port = mkOption { type = types.nullOr types.port; default = null; };
|
||||||
|
extra = mkOption { type = types.attrs; default = {}; };
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
default = {};
|
default = {};
|
||||||
};
|
};
|
||||||
sops = mkOption {
|
|
||||||
type = types.bool;
|
|
||||||
default = false;
|
|
||||||
};
|
|
||||||
openssh = mkOption {
|
openssh = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
@@ -130,7 +131,7 @@ let
|
|||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
};
|
};
|
||||||
nftables = {
|
ipfw = {
|
||||||
enable = mkOption {
|
enable = mkOption {
|
||||||
type = types.bool;
|
type = types.bool;
|
||||||
default = false;
|
default = false;
|
||||||
|
|||||||
@@ -29,7 +29,7 @@
|
|||||||
openssh = true;
|
openssh = true;
|
||||||
wireguard = true;
|
wireguard = true;
|
||||||
web = true;
|
web = true;
|
||||||
nftables = {
|
ipfw = {
|
||||||
enable = true;
|
enable = true;
|
||||||
ifs = ["ens3" "wg0" ];
|
ifs = ["ens3" "wg0" ];
|
||||||
ports = [
|
ports = [
|
||||||
|
|||||||
+29
-7
@@ -21,22 +21,44 @@
|
|||||||
server = {
|
server = {
|
||||||
openssh = true;
|
openssh = true;
|
||||||
web = true;
|
web = true;
|
||||||
sops = true;
|
|
||||||
|
|
||||||
hostDomain = "test.helcel.net";
|
hostDomain = "test.helcel.net";
|
||||||
shortName = "testcel";
|
|
||||||
mailDomain = "test@helcel";
|
mailDomain = "test@helcel";
|
||||||
mailServer = "infomaniak.ch";
|
mailServer = "infomaniak.ch";
|
||||||
|
|
||||||
dbHost = "localhost";
|
|
||||||
|
|
||||||
containers = {
|
containers = {
|
||||||
#cloud = {enable = true;};
|
|
||||||
|
traefik = {
|
||||||
|
enable = true;
|
||||||
|
sops = true;
|
||||||
|
subdomain = "traefik";
|
||||||
|
extra={provider="infomaniak";};
|
||||||
|
};
|
||||||
authentik = {
|
authentik = {
|
||||||
enable = true;
|
enable = true;
|
||||||
db = true;
|
db = true;
|
||||||
ip = "10.88.0.125";
|
subdomain = "sso";
|
||||||
port = 9000 ;
|
port = 9000;
|
||||||
|
};
|
||||||
|
nextcloud = {
|
||||||
|
enable = true;
|
||||||
|
db = true;
|
||||||
|
subdomain = "cloud";
|
||||||
|
};
|
||||||
|
collabora = {
|
||||||
|
enable = true;
|
||||||
|
sops = true;
|
||||||
|
subdomain = "office";
|
||||||
|
};
|
||||||
|
etherpad = {
|
||||||
|
enable = true;
|
||||||
|
db = true;
|
||||||
|
subdomain = "pad";
|
||||||
|
};
|
||||||
|
gitea = {
|
||||||
|
enable = true;
|
||||||
|
db = true;
|
||||||
|
subdomain = "git";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|||||||
Reference in New Issue
Block a user