Compare commits
25 Commits
main
..
593514c100
| Author | SHA1 | Date | |
|---|---|---|---|
| 593514c100 | |||
| 6ad9a0b34c | |||
| 65e3568072 | |||
| c55b06cca9 | |||
| 40dba4b959 | |||
| bc8a9d42f9 | |||
| cd5a1aeed4 | |||
| 0f2081486d | |||
| 1c022d7642 | |||
| 379f6befb3 | |||
| 868d2ce116 | |||
| 94fdfa2b33 | |||
| a73ad174ea | |||
| fba5a79ce6 | |||
| e8c9fc52fb | |||
| 8092bac6b7 | |||
| 7d80478e83 | |||
| 2cab462db5 | |||
| 0bb796fbe8 | |||
| 1f2cc94a0a | |||
| 3caf507905 | |||
| 27a5566ac6 | |||
| b439888fa8 | |||
| 093497367a | |||
| 1c0cfd1afe |
@@ -12,13 +12,13 @@ jobs:
|
|||||||
build-nixos:
|
build-nixos:
|
||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- uses: actions/checkout@v7
|
- uses: actions/checkout@v6
|
||||||
|
|
||||||
- name: "Install Nix ❄️"
|
- name: "Install Nix ❄️"
|
||||||
uses: cachix/install-nix-action@v31
|
uses: cachix/install-nix-action@v31
|
||||||
|
|
||||||
# - uses: DeterminateSystems/nix-installer-action@v4
|
# - uses: DeterminateSystems/nix-installer-action@v4
|
||||||
- uses: DeterminateSystems/magic-nix-cache-action@v14
|
- uses: DeterminateSystems/magic-nix-cache-action@v13
|
||||||
- uses: DeterminateSystems/flake-checker-action@v12
|
- uses: DeterminateSystems/flake-checker-action@v12
|
||||||
|
|
||||||
- name: "Install Cachix ❄️"
|
- name: "Install Cachix ❄️"
|
||||||
|
|||||||
@@ -13,7 +13,7 @@ jobs:
|
|||||||
runs-on: ubuntu-latest
|
runs-on: ubuntu-latest
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: Checkout repository
|
||||||
uses: actions/checkout@v7
|
uses: actions/checkout@v6
|
||||||
- name: Install nix
|
- name: Install nix
|
||||||
uses: DeterminateSystems/nix-installer-action@v22
|
uses: DeterminateSystems/nix-installer-action@v22
|
||||||
with:
|
with:
|
||||||
|
|||||||
Generated
+33
-49
@@ -45,11 +45,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1783395956,
|
"lastModified": 1775037210,
|
||||||
"narHash": "sha256-AAbexQvDoK+6GFJdhY6kqjA+6ECKRkidgWxkn4gMwAA=",
|
"narHash": "sha256-KM2WYj6EA7M/FVZVCl3rqWY+TFV5QzSyyGE2gQxeODU=",
|
||||||
"owner": "lnl7",
|
"owner": "lnl7",
|
||||||
"repo": "nix-darwin",
|
"repo": "nix-darwin",
|
||||||
"rev": "d5bd9cd77aea4c0a8f49e7fd85545671a208ed15",
|
"rev": "06648f4902343228ce2de79f291dd5a58ee12146",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -102,15 +102,12 @@
|
|||||||
}
|
}
|
||||||
},
|
},
|
||||||
"hardware": {
|
"hardware": {
|
||||||
"inputs": {
|
|
||||||
"nixpkgs": "nixpkgs"
|
|
||||||
},
|
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1783792734,
|
"lastModified": 1776983936,
|
||||||
"narHash": "sha256-50rvY9GdFvpYDcMLcD/4cWSi0hVxArT5wsGlVsHy8eY=",
|
"narHash": "sha256-ZOQyNqSvJ8UdrrqU1p7vaFcdL53idK+LOM8oRWEWh6o=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixos-hardware",
|
"repo": "nixos-hardware",
|
||||||
"rev": "8efb4337e857949f4cfac86d12ef1066f417f31f",
|
"rev": "2096f3f411ce46e88a79ae4eafcfc9df8ed41c61",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -142,11 +139,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1779506708,
|
"lastModified": 1777771528,
|
||||||
"narHash": "sha256-QOD/CNm196nCJRheux/URi4/HE66fthdOMqCJoPP1Y0=",
|
"narHash": "sha256-YycygK6n7KeW1YCobdFJcORWzkmrvNcp6xT+IovA0d4=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "home-manager",
|
"repo": "home-manager",
|
||||||
"rev": "3ee51fbdac8c8bdfe1e7e1fcaba6520a563f394f",
|
"rev": "0585fbf645640973e3398863bbaf3bd1ddce4a51",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -177,11 +174,11 @@
|
|||||||
},
|
},
|
||||||
"nixUnstable": {
|
"nixUnstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1783791668,
|
"lastModified": 1777641297,
|
||||||
"narHash": "sha256-zbcZ1dmBTPfJ7Mlqh/yLEPGpgJnwuv4Xr1xucy2WqMA=",
|
"narHash": "sha256-WNGcmeOZ8Tr9dq6ztCspYbzWFswr2mPebM9LpsfGxPk=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "716c7a2664ca8325617b8a7fbb609273f2c4cae7",
|
"rev": "c6d65881c5624c9cae5ea6cedef24699b0c0a4c0",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -193,15 +190,18 @@
|
|||||||
},
|
},
|
||||||
"nixpkgs": {
|
"nixpkgs": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1767892417,
|
"lastModified": 1777428379,
|
||||||
"narHash": "sha256-8bW3q88CEg2u4hSP66Vf4lpbLonHz7hqDNBMcCY7E9U=",
|
"narHash": "sha256-ypxFOeDz+CqADEQNL72haqGjvZQdBR5Vc7pyx2JDttI=",
|
||||||
"rev": "3497aa5c9457a9d88d71fa93a4a8368816fbeeba",
|
"owner": "nixos",
|
||||||
"type": "tarball",
|
"repo": "nixpkgs",
|
||||||
"url": "https://releases.nixos.org/nixos/unstable/nixos-26.05pre924538.3497aa5c9457/nixexprs.tar.xz"
|
"rev": "755f5aa91337890c432639c60b6064bb7fe67769",
|
||||||
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
"type": "tarball",
|
"owner": "nixos",
|
||||||
"url": "https://channels.nixos.org/nixos-unstable/nixexprs.tar.xz"
|
"ref": "nixos-25.11",
|
||||||
|
"repo": "nixpkgs",
|
||||||
|
"type": "github"
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
"nixpkgs-lib": {
|
"nixpkgs-lib": {
|
||||||
@@ -221,27 +221,11 @@
|
|||||||
},
|
},
|
||||||
"nixpkgs_2": {
|
"nixpkgs_2": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1782847189,
|
"lastModified": 1777578337,
|
||||||
"narHash": "sha256-twXPFqFsrrY5r28Zh7Homgcp2gUMBgQ6WDS98Q/3xFI=",
|
"narHash": "sha256-Ad49moKWeXtKBJNy2ebiTQUEgdLyvGmTeykAQ9xM+Z4=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "b6018f87da91d19d0ab4cf979885689b469cdd41",
|
"rev": "15f4ee454b1dce334612fa6843b3e05cf546efab",
|
||||||
"type": "github"
|
|
||||||
},
|
|
||||||
"original": {
|
|
||||||
"owner": "nixos",
|
|
||||||
"ref": "nixos-25.11",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"type": "github"
|
|
||||||
}
|
|
||||||
},
|
|
||||||
"nixpkgs_3": {
|
|
||||||
"locked": {
|
|
||||||
"lastModified": 1783522502,
|
|
||||||
"narHash": "sha256-iffAls3iaNTyJC2faYcUXSI+Gp02cDjYl+MygxKl2GI=",
|
|
||||||
"owner": "nixos",
|
|
||||||
"repo": "nixpkgs",
|
|
||||||
"rev": "0bb7ec54c8483066ec9d7720e780a5caa71f8612",
|
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -254,14 +238,14 @@
|
|||||||
"nur": {
|
"nur": {
|
||||||
"inputs": {
|
"inputs": {
|
||||||
"flake-parts": "flake-parts_2",
|
"flake-parts": "flake-parts_2",
|
||||||
"nixpkgs": "nixpkgs_3"
|
"nixpkgs": "nixpkgs_2"
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1783812717,
|
"lastModified": 1777763626,
|
||||||
"narHash": "sha256-/ShoG1aG4RN+002Y69CQk0HJ8U/DRw5PHGJcgqB/rLQ=",
|
"narHash": "sha256-UFwZDbdMezNnxZwikhDR4EWiCPUiEmPXHmqLOrcG34g=",
|
||||||
"owner": "nix-community",
|
"owner": "nix-community",
|
||||||
"repo": "nur",
|
"repo": "nur",
|
||||||
"rev": "f677cb4b829c9df339277c6e80200b1c98320463",
|
"rev": "3873764e5896bd6da6cf0df17172849ea51ac5eb",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
@@ -278,7 +262,7 @@
|
|||||||
"home-manager": "home-manager",
|
"home-manager": "home-manager",
|
||||||
"nix-colors": "nix-colors",
|
"nix-colors": "nix-colors",
|
||||||
"nixUnstable": "nixUnstable",
|
"nixUnstable": "nixUnstable",
|
||||||
"nixpkgs": "nixpkgs_2",
|
"nixpkgs": "nixpkgs",
|
||||||
"nur": "nur",
|
"nur": "nur",
|
||||||
"sops-nix": "sops-nix"
|
"sops-nix": "sops-nix"
|
||||||
}
|
}
|
||||||
@@ -290,11 +274,11 @@
|
|||||||
]
|
]
|
||||||
},
|
},
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1783174389,
|
"lastModified": 1777338324,
|
||||||
"narHash": "sha256-aCWC8ngycU7OdJrU2+Je3qf+1a2ykuBvpPhZT/9tXMc=",
|
"narHash": "sha256-bc+ZZCmOTNq86/svGnw0tVpH7vJaLYvGLLKFYP08Q8E=",
|
||||||
"owner": "Mic92",
|
"owner": "Mic92",
|
||||||
"repo": "sops-nix",
|
"repo": "sops-nix",
|
||||||
"rev": "f1406619a3884cd5c47992a70b8b35c9c0fcb4c9",
|
"rev": "8eaee5c45428b28b8c47a83e4c09dccec5f279b5",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|||||||
@@ -7,11 +7,12 @@
|
|||||||
firewall = {
|
firewall = {
|
||||||
enable = true;
|
enable = true;
|
||||||
allowedUDPPorts =
|
allowedUDPPorts =
|
||||||
(if config.syscfg.server ? wireguard then [ 1515 ] else [ ]) ++
|
(if (config.syscfg.server != false && config.syscfg.server.wireguard) then [ 1515 ] else [ ]) ++
|
||||||
|
(if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++
|
||||||
[ ];
|
[ ];
|
||||||
|
|
||||||
allowedTCPPorts =
|
allowedTCPPorts =
|
||||||
(if config.syscfg.server ? web then [ 80 443 22 ] else [ ]) ++
|
(if (config.syscfg.server != false && config.syscfg.server.web) then [ 80 443 22 ] else [ ]) ++
|
||||||
[ ];
|
[ ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|||||||
@@ -0,0 +1,34 @@
|
|||||||
|
{ config, lib, serverCfg }:
|
||||||
|
let
|
||||||
|
builder =
|
||||||
|
{ image, secret ? ""
|
||||||
|
, subdomain ? "", ip ? "", port ? 0
|
||||||
|
, extraEnv ? { }, extraLabels ? { }, extraOptions ? [ ]
|
||||||
|
, overrides ? { }
|
||||||
|
}:
|
||||||
|
let base = {
|
||||||
|
inherit image;
|
||||||
|
|
||||||
|
environmentFiles = if secret !="" then [ config.sops.secrets."${lib.toUpper secret}".path ] else [];
|
||||||
|
environment = {} // extraEnv;
|
||||||
|
|
||||||
|
labels = if subdomain!="" then ({
|
||||||
|
"traefik.enable" = "true";
|
||||||
|
"traefik.http.routers.${subdomain}.entrypoints" = "web-secure";
|
||||||
|
"traefik.http.routers.${subdomain}.rule" = "Host(`${subdomain}.${serverCfg.hostDomain}`)";
|
||||||
|
"traefik.http.routers.${subdomain}.tls" = "true";
|
||||||
|
} // lib.optionalAttrs (port != 0) {
|
||||||
|
"traefik.http.services.${subdomain}.loadbalancer.server.port" = toString port;
|
||||||
|
}) else {
|
||||||
|
"traefik.enable" = "false";
|
||||||
|
} // extraLabels;
|
||||||
|
|
||||||
|
extraOptions = extraOptions ++ [
|
||||||
|
"--add-host=host.containers.internal:host-gateway"
|
||||||
|
] ++ lib.optional (ip != "") "--ip=${ip}";
|
||||||
|
};
|
||||||
|
in lib.recursiveUpdate base overrides;
|
||||||
|
in {
|
||||||
|
mkContainer = builder;
|
||||||
|
host = "host.containers.internal";
|
||||||
|
}
|
||||||
@@ -1,9 +1,10 @@
|
|||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
let
|
let
|
||||||
cfg = config.syscfg.server.containers;
|
serverCfg = config.syscfg.server;
|
||||||
enabledConfigs = lib.filterAttrs (name: c: c.enable) cfg;
|
builder = import ./builder.nix { inherit config lib serverCfg; };
|
||||||
|
enabledConfigs = lib.filterAttrs (name: c: c.enable) serverCfg.containers;
|
||||||
containerSetsList = lib.mapAttrsToList (name: containerCfg:
|
containerSetsList = lib.mapAttrsToList (name: containerCfg:
|
||||||
let defs = import (./defs + "/${name}.nix") {inherit config pkgs lib containerCfg;};
|
let defs = import (./defs + "/${name}.nix") {inherit config pkgs lib containerCfg builder;};
|
||||||
in{
|
in{
|
||||||
containers = lib.mapAttrs' (cName: cValue:
|
containers = lib.mapAttrs' (cName: cValue:
|
||||||
lib.nameValuePair "${name}-${cName}" cValue
|
lib.nameValuePair "${name}-${cName}" cValue
|
||||||
|
|||||||
@@ -1,5 +1,6 @@
|
|||||||
{ config, containerCfg, pkgs, lib, ... }:
|
{ config, containerCfg, pkgs, lib, builder, ... }:
|
||||||
let
|
let
|
||||||
|
version = "2026.2.2";
|
||||||
serverCfg = config.syscfg.server;
|
serverCfg = config.syscfg.server;
|
||||||
in {
|
in {
|
||||||
paths = [{
|
paths = [{
|
||||||
@@ -13,66 +14,57 @@ in {
|
|||||||
}];
|
}];
|
||||||
|
|
||||||
containers = {
|
containers = {
|
||||||
|
server = builder.mkContainer {
|
||||||
server = {
|
subdomain = containerCfg.subdomain;
|
||||||
image = "ghcr.io/goauthentik/server:latest";
|
image = "ghcr.io/goauthentik/server:${version}";
|
||||||
volumes = [
|
port = containerCfg.port;
|
||||||
"${serverCfg.dataPath}/authentik/media:/media"
|
ip = containerCfg.ip;
|
||||||
"${serverCfg.dataPath}/authentik/templates:/templates"
|
secret = "authentik";
|
||||||
];
|
extraEnv = {
|
||||||
environmentFiles = [
|
"AUTHENTIK_REDIS__HOST" = builder.host;
|
||||||
config.sops.secrets."AUTHENTIK".path
|
"AUTHENTIK_POSTGRESQL__HOST" = builder.host;
|
||||||
];
|
|
||||||
environment = {
|
|
||||||
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
|
|
||||||
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
|
|
||||||
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
|
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
|
||||||
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
|
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
|
||||||
"AUTHENTIK_EMAIL__HOST" = "${serverCfg.mailDomain}";
|
"AUTHENTIK_EMAIL__HOST" = serverCfg.mailDomain;
|
||||||
"AUTHENTIK_EMAIL__PORT" = "587";
|
"AUTHENTIK_EMAIL__PORT" = "587";
|
||||||
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
|
"AUTHENTIK_EMAIL__USERNAME" = "noreply@${serverCfg.hostDomain}";
|
||||||
"AUTHENTIK_EMAIL__USE_TLS" = "true";
|
"AUTHENTIK_EMAIL__USE_TLS" = "true";
|
||||||
"AUTHENTIK_EMAIL__USE_SSL" = "false";
|
"AUTHENTIK_EMAIL__USE_SSL" = "false";
|
||||||
"AUTHENTIK_EMAIL__TIMEOUT" = "10";
|
"AUTHENTIK_EMAIL__TIMEOUT" = "10";
|
||||||
"AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
|
"AUTHENTIK_EMAIL__FROM" = "sso@noreply.${serverCfg.hostDomain}";
|
||||||
|
"AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
|
||||||
|
"AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
|
||||||
};
|
};
|
||||||
labels = {
|
overrides = {
|
||||||
"traefik.enable" = "true";
|
|
||||||
"traefik.http.routers.sso.entrypoints" = "web-secure";
|
|
||||||
"traefik.http.routers.sso.rule" = "Host(`sso.${serverCfg.hostDomain}`)";
|
|
||||||
"traefik.http.routers.sso.tls" = "true";
|
|
||||||
"traefik.http.services.sso.loadbalancer.server.port" = "${toString containerCfg.port}";
|
|
||||||
};
|
|
||||||
cmd = [ "server" ];
|
cmd = [ "server" ];
|
||||||
extraOptions = [
|
ports = if containerCfg.pubPort != 0 && containerCfg.port != 0 then [ "${toString containerCfg.pubPort}:${toString containerCfg.port}" ] else [];
|
||||||
"--add-host=host.containers.internal:host-gateway"
|
|
||||||
"--ip=${containerCfg.ip}"
|
|
||||||
];
|
|
||||||
ports = [
|
|
||||||
"9999:${toString containerCfg.port}"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
worker = {
|
|
||||||
image = "ghcr.io/goauthentik/server:latest";
|
|
||||||
volumes = [
|
volumes = [
|
||||||
"${serverCfg.dataPath}/authentik/media:/media"
|
"${serverCfg.dataPath}/authentik/media:/media"
|
||||||
"${serverCfg.dataPath}/authentik/templates:/templates"
|
"${serverCfg.dataPath}/authentik/templates:/templates"
|
||||||
"/var/run/docker.sock:/var/run/docker.sock"
|
|
||||||
];
|
];
|
||||||
environmentFiles = [
|
};
|
||||||
config.sops.secrets."AUTHENTIK".path
|
};
|
||||||
];
|
|
||||||
environment = {
|
worker = builder.mkContainer {
|
||||||
"AUTHENTIK_REDIS__HOST" = "host.containers.internal";
|
image = "ghcr.io/goauthentik/server:${version}";
|
||||||
"AUTHENTIK_POSTGRESQL__HOST" = "host.containers.internal";
|
secret = "authentik";
|
||||||
|
extraEnv = {
|
||||||
|
"AUTHENTIK_REDIS__HOST" = builder.host;
|
||||||
|
"AUTHENTIK_POSTGRESQL__HOST" = builder.host;
|
||||||
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
|
"AUTHENTIK_POSTGRESQL__USER" = "authentik_user";
|
||||||
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
|
"AUTHENTIK_POSTGRESQL__NAME" = "authentik_db";
|
||||||
|
"AUTHENTIK_DISABLE_UPDATE_CHECK" = "true";
|
||||||
|
"AUTHENTIK_POSTGRESQL__SSLMODE" = "disable";
|
||||||
};
|
};
|
||||||
extraOptions = [
|
# extraOptions = [ "--user=:994" ]; #PODMAN GROUP FOR SOCKET ACCESS
|
||||||
"--add-host=host.containers.internal:host-gateway"
|
overrides = {
|
||||||
];
|
|
||||||
cmd = [ "worker" ];
|
cmd = [ "worker" ];
|
||||||
|
volumes = [
|
||||||
|
"${serverCfg.dataPath}/authentik/media:/media"
|
||||||
|
"${serverCfg.dataPath}/authentik/templates:/templates"
|
||||||
|
# "/var/run/podman/podman.sock:/var/run/docker.sock" #PODMAN GROUP FOR SOCKET ACCESS
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -62,7 +62,6 @@ in {
|
|||||||
|
|
||||||
if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
|
if [ -f "${config.sops.secrets."${lib.toUpper name}".path}" ]; then
|
||||||
PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
|
PASS=$(grep "^DB_PASSWORD=" "${config.sops.secrets."${lib.toUpper name}".path}" | cut -d'=' -f2-)
|
||||||
echo $PASS
|
|
||||||
if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
|
if $PSQL -tAc "ALTER USER ${name}_user WITH PASSWORD '$PASS';" ; then
|
||||||
echo "✅ Successfully set password for ${name}_user"
|
echo "✅ Successfully set password for ${name}_user"
|
||||||
else
|
else
|
||||||
|
|||||||
@@ -1,3 +1,3 @@
|
|||||||
{ config, pkgs, lib, ... }:{
|
{ config, pkgs, lib, ... }:{
|
||||||
imports = [ ./containers ./database ./nftables ./openssh ./sops ];
|
imports = [ ./containers ./database ./nftables ./nginx ./openssh ./sops ];
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,7 +1,7 @@
|
|||||||
|
{ config, lib, ... }:
|
||||||
|
let
|
||||||
{ config, lib, ... }:{
|
cfg = config.syscfg.server;
|
||||||
config = lib.mkIf (config.syscfg.server.nftables.enable) {
|
in{
|
||||||
boot.kernel.sysctl = {
|
boot.kernel.sysctl = {
|
||||||
"net.ipv4.ip_forward" = 1;
|
"net.ipv4.ip_forward" = 1;
|
||||||
"net.ipv6.conf.all.forwarding" = 1;
|
"net.ipv6.conf.all.forwarding" = 1;
|
||||||
@@ -11,11 +11,18 @@
|
|||||||
networking.nftables.ruleset = ''
|
networking.nftables.ruleset = ''
|
||||||
table inet filter {
|
table inet filter {
|
||||||
chain input {
|
chain input {
|
||||||
type filter hook input priority filter; policy accept;
|
type filter hook input priority filter; policy drop;
|
||||||
tcp dport {5432, 6379} ip saddr { 10.0.0.0/8 169.254.0.0/16 } accept
|
ct state established,related accept
|
||||||
|
iifname "lo" accept
|
||||||
|
tcp dport {422, 22} accept
|
||||||
|
${if builtins.length cfg.db > 0 then ''tcp dport {5432, 6379} ip saddr { 10.0.0.0/8, 169.254.0.0/16 } accept'' else ""}
|
||||||
|
${if cfg.web then ''tcp dport {80, 443} accept
|
||||||
|
udp dport {80, 443} accept'' else ""}
|
||||||
|
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
${if cfg.nftables.enable then ''
|
||||||
table inet nat {
|
table inet nat {
|
||||||
chain prerouting {
|
chain prerouting {
|
||||||
type nat hook prerouting priority dstnat; policy accept;
|
type nat hook prerouting priority dstnat; policy accept;
|
||||||
@@ -41,7 +48,6 @@
|
|||||||
type nat hook postrouting priority srcnat; policy accept;
|
type nat hook postrouting priority srcnat; policy accept;
|
||||||
oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade
|
oifname { ${lib.concatMapStringsSep ", " (iface: ''"${iface}"'') config.syscfg.server.nftables.ifs} } masquerade
|
||||||
}
|
}
|
||||||
}
|
}'' else ""}
|
||||||
'';
|
'';
|
||||||
};
|
|
||||||
}
|
}
|
||||||
@@ -0,0 +1,133 @@
|
|||||||
|
{ config, lib, pkgs, ... }:
|
||||||
|
let
|
||||||
|
cfg = config.syscfg.server;
|
||||||
|
containers = cfg.containers;
|
||||||
|
faviconOverride = {
|
||||||
|
" ~* /favicon\.(ico|png|svg|jpg)$" = {
|
||||||
|
extraConfig = ''
|
||||||
|
add_header Content-Type image/svg+xml;
|
||||||
|
return 200 '<svg xmlns="http://www.w3.org/2000/svg" id="Layer_1" data-name="Layer 1" viewBox="0 0 50 50"><defs><style>.cls-1{fill:#fd4b2d;}</style></defs><path class="cls-1" d="M30.83,5A23.23,23.23,0,0,0,10.41,67.13h10.8C26,63,32.94,61.8,38,67.13H49.39C44.93,61.09,38.24,55,30.83,55Z"/><path class="cls-1" d="M46.25,28.11c-14.89,31.15-41,4.6-25-11H10.41c-8.47,14.76,3.24,34.68,20.42,34.23,13.28,0,24.24-19.72,24.24-23.21,0-1.54-2.14-6.25-5.68-11H38A40.52,40.52,0,0,1,46.25,78.11Zm.4-.91Z"/></svg>';
|
||||||
|
'';
|
||||||
|
# proxyPass = "http://127.0.0.1:9000";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
# Function to convert your container config into an NGINX vhost
|
||||||
|
mkVhost = container: {
|
||||||
|
forceSSL = true;
|
||||||
|
# quic = true;
|
||||||
|
# http3 = true;
|
||||||
|
useACMEHost = "${cfg.hostDomain}";
|
||||||
|
locations = faviconOverride // {
|
||||||
|
"/" = {
|
||||||
|
proxyPass = "http://${container.ip}:${toString container.port}";
|
||||||
|
proxyWebsockets = true; # Recommended for modern apps
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
in {
|
||||||
|
config = lib.mkIf ( config.syscfg.server.web) {
|
||||||
|
security.acme = {
|
||||||
|
acceptTerms = true;
|
||||||
|
defaults.email = "admin@domain.org";
|
||||||
|
|
||||||
|
certs."${cfg.hostDomain}" = {
|
||||||
|
domain = "*.${cfg.hostDomain}";
|
||||||
|
extraDomainNames = [ "${cfg.hostDomain}" ]; # Adds the root too
|
||||||
|
dnsProvider = "infomaniak";
|
||||||
|
credentialsFile = config.sops.secrets."INFOMANIAK_API_KEY".path; # File containing your API token (e.g. CLOUDFLARE_DNS_API_TOKEN=...)
|
||||||
|
group = "nginx";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
services.nginx = {
|
||||||
|
enable = true;
|
||||||
|
recommendedProxySettings = true;
|
||||||
|
recommendedTlsSettings = true;
|
||||||
|
recommendedGzipSettings = true;
|
||||||
|
|
||||||
|
# appendHttpConfig = ''
|
||||||
|
# add_header Alt-Svc 'h3=":443"; ma=86400';
|
||||||
|
# '';
|
||||||
|
commonHttpConfig = ''
|
||||||
|
proxy_buffer_size 32k;
|
||||||
|
proxy_buffers 8 16k;
|
||||||
|
proxy_busy_buffers_size 48k;
|
||||||
|
port_in_redirect off;
|
||||||
|
'';
|
||||||
|
|
||||||
|
virtualHosts = {
|
||||||
|
"_" = {
|
||||||
|
default = true;
|
||||||
|
forceSSL = true;
|
||||||
|
# quic = true;
|
||||||
|
# http3 = true;
|
||||||
|
useACMEHost = "${cfg.hostDomain}";
|
||||||
|
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
extraConfig = ''
|
||||||
|
return 404;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
"sec.${cfg.hostDomain}" = {
|
||||||
|
forceSSL = true;
|
||||||
|
# quic = true;
|
||||||
|
# http3 = true;
|
||||||
|
useACMEHost = "${cfg.hostDomain}";
|
||||||
|
|
||||||
|
locations = {
|
||||||
|
"/" = {
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||||
|
proxy_set_header X-Original-URI $scheme://$http_host$request_uri;
|
||||||
|
auth_request /outpost.goauthentik.io/auth/nginx;
|
||||||
|
error_page 401 = @goauthentik_proxy_signin;
|
||||||
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
|
||||||
|
auth_request_set $authentik_username $upstream_http_x_authentik_username;
|
||||||
|
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
|
||||||
|
auth_request_set $authentik_entitlements $upstream_http_x_authentik_entitlements;
|
||||||
|
auth_request_set $authentik_email $upstream_http_x_authentik_email;
|
||||||
|
auth_request_set $authentik_name $upstream_http_x_authentik_name;
|
||||||
|
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
|
||||||
|
|
||||||
|
proxy_set_header X-authentik-username $authentik_username;
|
||||||
|
proxy_set_header X-authentik-groups $authentik_groups;
|
||||||
|
proxy_set_header X-authentik-entitlements $authentik_entitlements;
|
||||||
|
proxy_set_header X-authentik-email $authentik_email;
|
||||||
|
proxy_set_header X-authentik-name $authentik_name;
|
||||||
|
proxy_set_header X-authentik-uid $authentik_uid;
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
|
"/outpost.goauthentik.io" = {
|
||||||
|
proxyPass = "http://${config.syscfg.server.containers.authentik.ip}:${toString config.syscfg.server.containers.authentik.port}/outpost.goauthentik.io";
|
||||||
|
extraConfig = ''
|
||||||
|
proxy_set_header Host $host;
|
||||||
|
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
|
||||||
|
proxy_set_header X-Original-URI $scheme://$http_host$request_uri;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
|
proxy_pass_request_body off;
|
||||||
|
proxy_set_header Content-Length "";
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
extraConfig = ''
|
||||||
|
location @goauthentik_proxy_signin {
|
||||||
|
internal;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
return 302 https://${cfg.containers.authentik.subdomain}.${cfg.hostDomain}/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
|
||||||
|
}
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
} //lib.mapAttrs' (name: v:
|
||||||
|
lib.nameValuePair "${v.subdomain}.${cfg.hostDomain}" (mkVhost v)
|
||||||
|
) containers;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
@@ -1,5 +1,6 @@
|
|||||||
INFOMANIAK_API_KEY: ENC[AES256_GCM,data:QhjQoCMxogXAPtvUbf/EWkqsFAndn73LBuTqj5essjruekynH287D/CYN/cwfcnDqZoh6Z4A9p08uUmXzqmTiralAhsCoc+Ljb/monmsruc=,iv:8rMGNc9398jnFXZm34fOht6fMNDAcDZ68B1jwoQPn2Q=,tag:ZlQnPaxkCktpwiC6HzmFVg==,type:str]
|
INFOMANIAK_API_KEY: ENC[AES256_GCM,data:LFAT94Wr/rggjpIkFa2RINJTSRIcrFAfgtZzI75hyGUK/sHuIgNtsvBJnztwKcUG99mC9hRjj8NoRtBHDM9JU+VNWi1rJVCq3jQg5kuU1Dk/js5lJRpqBJOfeigxfxkU+JiDcujNK7Q/,iv:DEvTTcdEvbmHsSx+qX+QDm1ISR5y7L4fKKLXjUFCopE=,tag:46uXjEHmnzH1P9Kb5z8j8g==,type:str]
|
||||||
AUTHENTIK: ENC[AES256_GCM,data:jNcqbLEMbaQ7mmn4dK4LFguecDDxrBsQZaqfQeQ+iGel6mD4jAC6rNdGC8H8NepRWmc0ZjNC6Fe4EaGllbjq/50SqlB47DtyuuCwOZFP6fiU4sD13B7t0Fg/7xMomqnRnJ+3UyVzt6PgEzzQNoPPpHxVGpR+TJnROhflcmCKi/JdAR6dspNqJEbrjp4LVk28Rp9Od6lbsOGphRb79z/DKA1QYRPuE7QU7Edzqqy09g5nKjGxIxjWNEYPt0WiD3537eBICfWm5krs8jxyf6TSiGasHSgSDyJSbnoNkPzSf9A5Jwtulu1jFgjvY/v+qhs9649USp1MzogSAfDZBNC4irge/lb5EPPIQ31EC/Dybza9dX/h6cR/KyQm5GsxBBJzm33rzC/4aCCRlcsAl5eO4JZn4MZta4yHss2UQHQ48i15OSdBwwTbTt240UbrIIje0hfOM6R+Uk3VOY/+VtBV/D+0ks2SUEKMvWgqJDhDh4FVqeR0a9dpLhOAvaWryAAETjlHljOrcF3Q3WooZbBDvLyMMtsHIeF1JDqwghI3,iv:8RdNbsnVVu4awW6yrpLGxAtM7o6uN5vgZIotmT6osW8=,tag:rNaCeG6STXINm42x1b2jcw==,type:str]
|
AUTHENTIK: ENC[AES256_GCM,data:2A9hFi6aq46CHqu51iHMuvaBBSBseR+0Qy7a1q7356j0z4uzTR2fPaLITXsrGZavFWiPEsDwZuFPsG8p4CHWdEmPoXtOFB6AnX8RS7mKPMFGJiAkOUyxcoErlh6NWw0EfV3r6GSNl5Rhubv19mWOwSnPSUSNROgJUrfJR5AiZKZqeX/85IjGUNx8xAXmfcZnb/pPX1ir45f/2+HW/9qg3+cNSG2xi8mzEfw9X1Nt+lvvIj+PJm9PrvY15pl68O/qMQK4LhCwnJ8kRitR5kk3R0eCEz6Ix46+7ELbFKP8g22ksHalzsKdwQozmzlspD0horDolJK04ZR4Bay9+Ovq2hqcMb9Nbbv+WkxUg7VnAmP18tBJ2mwk/p8DMfZ3/lSIffBR/cKXU2Nz4ZctH5ShCy7ul+wk32waKu75xsBv7l3Ka2RYUJLLmTk6NeU1ol/lfVqusLy7kuDdawG0fgCpjd0gJQCv0l+zA75psj1ZfAJxTEY6Fa1INic82/05yhz3YAss2pI2uTFD296Tb2a4cw13fL9kwbs=,iv:u7o7aC7NHyl0myD24ibBZWcw10xYm9+KDo/scvBU42E=,tag:hgMT4f8MRBu8DNLcZxcbgQ==,type:str]
|
||||||
|
_: ENC[AES256_GCM,data:wX0EGbxH4aNXsyVYkTifC6MMlqDlDNiTxj6GVHz3SrNtjfBeye8nsObCknQahaT98RLUIeQh4lFXyZjcSB9jwcacIu5GNFNRHN4BhCE8T8Ui/YZqb7Pd8A87hfCd+bRmROc4Hm4=,iv:28kfp8uVbbBkmEe8qPZESXZuciNYXpV4BQAl5tFRung=,tag:FqKvCH4Zzf/D8uffC1j8nQ==,type:str]
|
||||||
sops:
|
sops:
|
||||||
age:
|
age:
|
||||||
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
|
- recipient: age1sxzuhh2fcd4pmaz4mdqq95t683d32ft22w9t2r7pk258u0s8wymsqdj7lg
|
||||||
@@ -20,8 +21,8 @@ sops:
|
|||||||
S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
|
S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk
|
||||||
d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
|
d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2026-05-06T01:10:20Z"
|
lastmodified: "2026-05-07T23:18:58Z"
|
||||||
mac: ENC[AES256_GCM,data:O4RLfEE6z0uDRpZdL47Or+z/PTeJ+zgzXN9kJS6Nebs9Uhw0XUJUPGhAocLokiMin5sQcpxXG5Q8oc2rAkq2GDbtna4u26dtNkd2Q/vtly6DqUaIRXXt3TL5cfJwMNa76fp+ERKLwGbBG+/BFWajzYJtcE257I8t3X4UmAdqYmE=,iv:uYLh8LnGobf7t3Ur7drEiA6n3Vv0e0yhlja6Uww8jiU=,tag:ZK3OCCsiMPtKl28lrGKtqQ==,type:str]
|
mac: ENC[AES256_GCM,data:zuxxX9DECskSquiKWqPkaIQiIdgNSKsKJMF1k3Vk+ATrVgwMw+KHV9B6hQkNfKRhjLO7oEOcYdOJW/xeUytAVJKgUGBAVqrWrDuPHBOfD+PE5OTdaiNz29fUCnBF11SZ2Sec2J9ZbUY7lVQeFBFpjWyE5ObF7ySVV17C5w1GajM=,iv:4dSiYJDKw2NofbhwVQ8tGr1GTCB37DSbyKCPtIgV2B8=,tag:UED5v+rgxo44H5YwU05pBw==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2026-05-05T23:46:27Z"
|
- created_at: "2026-05-05T23:46:27Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
|
|||||||
@@ -107,8 +107,10 @@ let
|
|||||||
options = {
|
options = {
|
||||||
enable = mkOption { type = types.bool;default = false; };
|
enable = mkOption { type = types.bool;default = false; };
|
||||||
db = mkOption { type = types.bool;default = false; };
|
db = mkOption { type = types.bool;default = false; };
|
||||||
ip = mkOption { type = types.str; };
|
ip = mkOption { type = types.nullOr types.str; default = null;};
|
||||||
port = mkOption { type = types.port; };
|
subdomain = mkOption { type = types.nullOr types.str; default=null;};
|
||||||
|
port = mkOption { type = types.port; default = 0; };
|
||||||
|
pubPort = mkOption { type = types.port; default = 0; };
|
||||||
extraParam = mkOption { type = types.str; default = ""; };
|
extraParam = mkOption { type = types.str; default = ""; };
|
||||||
};
|
};
|
||||||
});
|
});
|
||||||
|
|||||||
@@ -22,6 +22,7 @@
|
|||||||
openssh = true;
|
openssh = true;
|
||||||
web = true;
|
web = true;
|
||||||
sops = true;
|
sops = true;
|
||||||
|
db = [ "_" ];
|
||||||
|
|
||||||
hostDomain = "test.helcel.net";
|
hostDomain = "test.helcel.net";
|
||||||
shortName = "testcel";
|
shortName = "testcel";
|
||||||
@@ -35,6 +36,7 @@
|
|||||||
authentik = {
|
authentik = {
|
||||||
enable = true;
|
enable = true;
|
||||||
db = true;
|
db = true;
|
||||||
|
subdomain = "sso";
|
||||||
ip = "10.88.0.125";
|
ip = "10.88.0.125";
|
||||||
port = 9000 ;
|
port = 9000 ;
|
||||||
};
|
};
|
||||||
|
|||||||
Reference in New Issue
Block a user