diff --git a/hosts/elisabeth/guests.nix b/hosts/elisabeth/guests.nix
index 0799754..4f94739 100644
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@@ -57,6 +57,48 @@ in {
 + virtualHostExtraConfig;
 };
 };
+ proxyProtect = hostName: cfg:
+ lib.mkMerge [
+ (blockOf hostName cfg)
+ {
+ virtualHosts.${domainOf hostName} = {
+ locations."/".extraConfig = ''
+ auth_request /oauth2/auth;
+ error_page 401 = /oauth2/sign_in;
+
+ # pass information via X-User and X-Email headers to backend,
+ # requires running with --set-xauthrequest flag
+ auth_request_set $user $upstream_http_x_auth_request_user;
+ auth_request_set $email $upstream_http_x_auth_request_email;
+ proxy_set_header X-User $user;
+ proxy_set_header X-Email $email;
+
+ # if you enabled --cookie-refresh, this is needed for it to work with auth_request
+ auth_request_set $auth_cookie $upstream_http_set_cookie;
+ add_header Set-Cookie $auth_cookie;
+ '';
+ locations."/oauth2/" = {
+ proxyPass = "http://oauth2-proxy";
+ extraConfig = ''
+ proxy_set_header X-Scheme $scheme;
+ proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
+ '';
+ };
+
+ locations."= /oauth2/auth" = {
+ proxyPass = "http://oauth2-proxy/oauth2/auth?allowed_groups=${hostName}_access";
+ extraConfig = ''
+ internal;
+
+ proxy_set_header X-Scheme $scheme;
+ # nginx auth_request includes headers but not body
+ proxy_set_header Content-Length "";
+ proxy_pass_request_body off;
+ '';
+ };
+ };
+ }
+ ];
 in
 lib.mkMerge [
 {
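Review bot: The `add_header Set-Cookie $auth_cookie;` line in `locations."/".extraConfig` gives this location its own add_header directive, and nginx only inherits add_header from outer levels when the current level defines none — so any headers set at server level (for instance security headers coming from virtualHostExtraConfig, which is outside this hunk) would stop being emitted for `/` on every host wrapped by proxyProtect. If that applies here, repeat those headers in this block or move them into a shared snippet. Two further limits are worth a comment: `$upstream_http_set_cookie` carries only the first Set-Cookie header of the subrequest, and `auth_request` is attached to `location /` only, so any other locations that `blockOf hostName cfg` defines for the host are not gated. I would add above the definition: `# Wraps blockOf: requests to location / must pass oauth2-proxy and the user must be in the group <hostName>_access; locations added by blockOf itself are not gated.`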
@@ -111,96 +153,10 @@ in {
 (blockOf "vaultwarden" {maxBodySize = "1G";})
 (blockOf "forgejo" {maxBodySize = "1G";})
 (blockOf "immich" {maxBodySize = "5G";})
- (lib.mkMerge
- [
- (
- blockOf "adguardhome"
- {
- }
- )
- {
- virtualHosts.${domainOf "adguardhome"} = {
- locations."/".extraConfig = ''
- auth_request /oauth2/auth;
- error_page 401 = /oauth2/sign_in;
-
- # pass information via X-User and X-Email headers to backend,
- # requires running with --set-xauthrequest flag
- auth_request_set $user $upstream_http_x_auth_request_user;
- auth_request_set $email $upstream_http_x_auth_request_email;
- proxy_set_header X-User $user;
- proxy_set_header X-Email $email;
-
- # if you enabled --cookie-refresh, this is needed for it to work with auth_request
- auth_request_set $auth_cookie $upstream_http_set_cookie;
- add_header Set-Cookie $auth_cookie;
- '';
- locations."/oauth2/" = {
- proxyPass = "http://oauth2-proxy";
- extraConfig = ''
- proxy_set_header X-Scheme $scheme;
- proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
- '';
- };
-
- locations."= /oauth2/auth" = {
- proxyPass = "http://oauth2-proxy/oauth2/auth?allowed_groups=adguardhome_access";
- extraConfig = ''
- internal;
-
- proxy_set_header X-Scheme $scheme;
- # nginx auth_request includes headers but not body
- proxy_set_header Content-Length "";
- proxy_pass_request_body off;
- '';
- };
- };
- }
- ])
- (lib.mkMerge [
- (blockOf "oauth2-proxy" {})
- {
- virtualHosts.${domainOf "oauth2-proxy"} = {
- locations."/".extraConfig = ''
- auth_request /oauth2/auth;
- error_page 401 = /oauth2/sign_in;
-
- # pass information via X-User and X-Email headers to backend,
- # requires running with --set-xauthrequest flag
- auth_request_set $user $upstream_http_x_auth_request_user;
- auth_request_set $email $upstream_http_x_auth_request_email;
- proxy_set_header X-User $user;
- proxy_set_header X-Email $email;
-
- # if you enabled --cookie-refresh, this is needed for it to work with auth_request
- auth_request_set $auth_cookie $upstream_http_set_cookie;
- add_header Set-Cookie $auth_cookie;
- '';
-
- locations."/oauth2/" = {
- proxyPass = "http://oauth2-proxy";
- extraConfig = ''
- proxy_set_header X-Scheme $scheme;
- proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
- '';
- };
-
- locations."= /oauth2/auth" = {
- proxyPass = "http://oauth2-proxy/oauth2/auth";
- extraConfig = ''
- internal;
-
- proxy_set_header X-Scheme $scheme;
- # nginx auth_request includes headers but not body
- proxy_set_header Content-Length "";
- proxy_pass_request_body off;
- '';
- };
- };
- }
- ])
+ (proxyProtect "adguardhome" {})
+ (proxyProtect "oauth2-proxy" {})
 (blockOf "paperless" {maxBodySize = "5G";})
- (blockOf "ttrss" {port = 80;})
+ (proxyProtect "ttrss" {port = 80;})
 (blockOf "yourspotify" {port = 80;})
 (blockOf "apispotify" {
 port = 3000;
diff --git a/hosts/elisabeth/secrets/kanidm/secrets.nix.age b/hosts/elisabeth/secrets/kanidm/secrets.nix.age
index 08c0487..adf443c 100644
Binary files a/hosts/elisabeth/secrets/kanidm/secrets.nix.age and b/hosts/elisabeth/secrets/kanidm/secrets.nix.age differ
diff --git a/hosts/elisabeth/secrets/ttrss/generated/freshrsspasswd.age b/hosts/elisabeth/secrets/ttrss/generated/freshrsspasswd.age
deleted file mode 100644
index 18f75d3..0000000
--- a/hosts/elisabeth/secrets/ttrss/generated/freshrsspasswd.age
+++ /dev/null
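Review bot: `(proxyProtect "oauth2-proxy" {})` now gates oauth2-proxy's own vhost with `allowed_groups=oauth2-proxy_access`, whereas the removed block proxied to `/oauth2/auth` with no group restriction; unless a kanidm group with exactly that name exists, members who could previously reach that host will be denied. The same host-name-derived rule applies to `(proxyProtect "ttrss" {port = 80;})`, which asks for `ttrss_access`, while the kanidm.nix hunk in this commit creates `groups."rss.access"` — the two only line up if something outside this diff maps the names, and I could not see such a mapping. If host name and group name are meant to differ, consider giving proxyProtect an explicit group parameter instead of deriving it from hostName (that change belongs in the first guests.nix hunk, where the function is defined), and document the convention next to the call sites, e.g. `# proxyProtect <host> requires membership in the kanidm group <host>_access`.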
@@ -1,15 +0,0 @@ -age-encryption.org/v1 --> X25519 KeayMdkWoIyLZu47yQdC+NKUeBli7y/KhyFrbvQKMjo -RFNC0waSc89REZ+uRWTYyKYcM0oW9Q8m92buzX9OlaY --> piv-p256 XTQkUA Aqrx2ok2XeZvJWsPvOi7o7T3/PvZcZ5naOEvSouqGDxt -PW6G4aqvzq4JoJecPp7bP4Rzc6rgAV4NaTfeRCF5OYA --> piv-p256 ZFgiIw A7pQOh63jVeS6WHnWusY2FuLk8ezS/lu6h+LmTqgArA3 -4IkRO5JXgBggCYSI0lOaccyqVmHupOiFqZZwHsdlBDc --> piv-p256 5vmPtQ A7kRH2YuvwTE+wCqpvE8FBlHthHv8cMWVLQOWxbKbgHq -OudUFhREd4J2cQQG9eEeKIjAqHkp+XznKFpvsJjgEHk --> piv-p256 ZFgiIw AsojcZKNzLUdTgOekkqwisrOy7t8hup9sVla7PbL1RKH -cpG56veIp+cpW9JXsK2/4NXQ7kJM7g1Hg/sEnFSuW8k --> ~yTrd-grease ox]5\ *89S8!# -Bfh0HDXNORM8GT6noqoh2KcVvUOksp09VOfG/dUFCC4DUUo ---- EJSmnzU8XIhaFIkPRjyFZxi+kEHap903mrUuc2MpUkY -sl3ip}ܨd*mE =FC}J2ɽpMv,spD]L3 \ No newline at end of file
diff --git a/modules/actual.nix b/modules/actual.nix
new file mode 100644
index 0000000..2c63c08
--- /dev/null
+++ b/modules/actual.nix
@@ -0,0 +1,2 @@
+{
+}
diff --git a/modules/netbird-client.nix b/modules/netbird-client.nix
index 3e6c60a..ebc223e 100644
--- a/modules/netbird-client.nix
+++ b/modules/netbird-client.nix
@@ -228,11 +228,6 @@ in {
 UMask = "0077";
 };
 
- unitConfig = {
- StartLimitInterval = 5;
- StartLimitBurst = 10;
- };
-
 stopIfChanged = false;
 }
 )
diff --git a/modules/netbird-server.nix b/modules/netbird-server.nix
index 80a2ace..b0c2c6c 100644
--- a/modules/netbird-server.nix
+++ b/modules/netbird-server.nix
@@ -167,7 +167,7 @@ in {
 services.coturn = mkIf cfg.enableCoturn {
 enable = true;
- realm = cfg.dorain;
+ realm = cfg.domain;
 lt-cred-mech = true;
 no-cli = true;
diff --git a/modules/services/kanidm.nix b/modules/services/kanidm.nix
index 5dcc958..bb387e0 100644
--- a/modules/services/kanidm.nix
+++ b/modules/services/kanidm.nix
@@ -88,6 +88,8 @@ in {
 preferShortUsername = true;
 };
 
+ groups."rss.access" = {};
+
 groups."nextcloud.access" = {
 members = ["nextcloud.admins"];
 };
diff --git a/modules/services/netbird.nix b/modules/services/netbird.nix
index 74ae540..4329ba8 100644
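Review bot: Removing `StartLimitInterval = 5;` and `StartLimitBurst = 10;` from `unitConfig` hands the unit back to systemd's default start-rate limit (5 starts within 10 s unless system.conf overrides it), which is stricter than the 10-in-5 s being deleted. If the service also sets `Restart=` (its serviceConfig lies outside this hunk), a client that fails a handful of times in a row — for example while the management server is unreachable at boot — will now end up in the failed state until `systemctl reset-failed` instead of retrying. If that is the intent, say so where the block was: `# rely on systemd's default start limit (5 starts / 10 s)`; otherwise keep an explicit limit that matches the expected reconnect behaviour.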
--- a/modules/services/netbird.nix
+++ b/modules/services/netbird.nix
@@ -19,9 +19,9 @@
 };
 };
 services.netbird-server = {
+ enableCoturn = true;
 enable = true;
 domain = "netbird.${config.secrets.secrets.global.domains.web}";
- # TODO remove
 oidcConfigEndpoint = "https://auth.${config.secrets.secrets.global.domains.web}/oauth2/openid/netbird/.well-known/openid-configuration";
 singleAccountModeDomain = "netbird.patrick";
 };
diff --git a/modules/services/ttrss.nix b/modules/services/ttrss.nix
index 89f9d90..e68a7bb 100644
--- a/modules/services/ttrss.nix
+++ b/modules/services/ttrss.nix
@@ -1,18 +1,14 @@
 {config, ...}: {
- age.secrets.freshrsspasswd = {
- generator.script = "alnum";
- owner = config.services.freshrss.user;
- };
 wireguard.elisabeth = {
 client.via = "elisabeth";
 firewallRuleForNode.elisabeth.allowedTCPPorts = [80];
 };
 services.freshrss = {
 enable = true;
- passwordFile = config.age.secrets.freshrsspasswd.path;
 defaultUser = "patrick";
 baseUrl = "https://rss.lel.lol";
 virtualHost = "rss.lel.lol";
+ authType = "none";
 };
 environment.persistence."/persist".directories = [
 {
diff --git a/pkgs/actual.nix b/pkgs/actual.nix
index 1b5e73c..79d7e08 100644
--- a/pkgs/actual.nix
+++ b/pkgs/actual.nix
@@ -67,11 +67,5 @@ stdenv.mkDerivation rec {
 '';
 
 meta = with lib; {
- description = "Single-column Fediverse client for desktop";
- homepage = "https://whalebird.social";
- sourceProvenance = with sourceTypes; [fromSource];
- license = licenses.gpl3Only;
- maintainers = with maintainers; [wolfangaukang colinsane weathercold];
- platforms = ["x86_64-linux" "aarch64-linux"];
 };
 }
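Review bot: `enableCoturn = true;` is inserted above `enable = true;`, which reads oddly; place it after the enable/domain lines and say why it is there, since the netbird-server.nix hunk in this commit shows it brings up coturn with `lt-cred-mech = true`, i.e. static long-term credentials: `enableCoturn = true; # TURN relay for peers that cannot hole-punch; long-term credentials, see netbird-server.nix`. This diff does not show which addresses and ports coturn will listen on or where its credentials come from, so confirm both are set and firewalled for this host before deploying. The removed `# TODO remove` above `oidcConfigEndpoint` disappears while the line it marked stays; if the endpoint is still required that is fine, but then the TODO should be resolved explicitly rather than silently dropped.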
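Review bot: `authType = "none";` together with the removed `passwordFile` makes FreshRSS trust every request it receives, so the only authentication left is the nginx `auth_request` that guests.nix now applies through `proxyProtect "ttrss"`; every request that passes the proxy acts as `defaultUser = "patrick"`, so all members of the allowed group share one account, and any path that reaches port 80 without going through the proxy is unauthenticated. The wireguard rule `firewallRuleForNode.elisabeth.allowedTCPPorts = [80];` restricts that to the elisabeth node, which is the right shape, but the dependency should be stated next to the setting: `authType = "none"; # access is enforced by nginx auth_request on elisabeth (guests.nix proxyProtect); FreshRSS must only be reachable through that proxy`. If per-user accounts are wanted, FreshRSS's `http_auth` type can consume the `X-User` header the proxy already sets, provided the PHP side exposes it as REMOTE_USER — worth checking before settling on `none`.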
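Review bot: The removed meta fields (`description = "Single-column Fediverse client for desktop"`, `homepage = "https://whalebird.social"`, the gpl3Only license and that maintainers list) clearly belonged to another package this file was copied from, so deleting them is right, but the hunk leaves `meta = with lib; { };` empty: the package now has no description, homepage, license or platforms, and `with lib;` is unused. Fill in meta for Actual from its upstream repository (at least description, homepage, license and platforms), or drop the `with lib;` until it is needed.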