xun/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

clean up hopper configuration

Browse source
This commit is contained in:
xunuwu 2025-02-11 01:06:08 +01:00
parent fb35ab4c18
commit f0ab5391f7
Signed by: xun
SSH key fingerprint: SHA256:Uot/1WoAjWAeqLOHA5vYy4phhVydsH7jCPmBjaPZfgI
22 changed files with 9 additions and 899 deletions
Download patch file Download diff file Expand all files Collapse all files

319
sys/machines/hopper/lab/default.nix
View file

@ -11,21 +11,13 @@
domain = "xunuwu.xyz";
caddyPort = 8336;
slskdUiPort = 23488;
caddyLocal = 8562;
ncPort = 46523;
adguardWebPort = 23489;
kanidmPort = 8300;
oauth2ProxyPort = 23490;
in {
imports = [
./samba.nix
inputs.authentik-nix.nixosModules.default
];
## TODO use kanidm
## TODO use impermanence
## TODO setup fail2ban mayb
users.groups.media = {};
users.users.media = {
isSystemUser = true;
@ -43,13 +35,6 @@ in {
credentialFiles.CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
extraDomainNames = [domain];
};
"kanidm.${domain}" = {
domain = "kanidm.${domain}";
group = "kanidm";
dnsProvider = "cloudflare";
reloadServices = ["caddy.service" "kanidm.service"];
credentialFiles.CF_DNS_API_TOKEN_FILE = config.sops.secrets.cloudflare.path;
};
};
};
@ -86,7 +71,6 @@ in {
443 # caddy
1900 # jellyfin discovery
7359 # jellyfin discovery
# 9001
];
in (l.map (x: {
from = x;
@ -112,33 +96,18 @@ in {
services.caddy = {
enable = true;
virtualHosts = builtins.mapAttrs (n: v:
{
virtualHosts = {
jellyfin = {
useACMEHost = domain;
hostName = "${n}.${domain}:${toString caddyPort}";
}
// v) {
jellyfin.extraConfig = ''
reverse_proxy {
header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
to localhost:8096
}
'';
kanidm = {
useACMEHost = null;
hostName = "jellyfin.${domain}:${toString caddyPort}";
extraConfig = ''
reverse_proxy https://127.0.0.1:${toString kanidmPort} {
reverse_proxy {
header_up X-Forwarded-For {http.request.header.CF-Connecting-IP}
header_up Host {upstream_hostport}
header_down Access-Control-Allow-Origin "*"
transport http {
tls_server_name ${config.services.kanidm.serverSettings.domain}
}
to localhost:8096
}
'';
};
slskd = {
useACMEHost = null;
hostName = "slskd.hopper.xun.host:80";
extraConfig = ''
reverse_proxy localhost:${toString config.services.slskd.settings.web.port}
@ -146,131 +115,19 @@ in {
};
transmission = {
useACMEHost = null;
hostName = "transmission.hopper.xun.host:80";
extraConfig = ''
reverse_proxy localhost:${toString config.services.transmission.settings.rpc-port}
'';
};
dash = {
useACMEHost = null;
hostName = "dash.hopper.xun.host:80";
extraConfig = ''
# Requests to /oauth2/* are proxied to oauth2-proxy without authentication.
# You can't use `reverse_proxy /oauth2/* oauth2-proxy.internal:4180` here because the reverse_proxy directive has lower precedence than the handle directive.
handle /oauth2/* {
reverse_proxy unix//run/oauth2-proxy/oauth2-proxy.sock {
# oauth2-proxy requires the X-Real-IP and X-Forwarded-{Proto,Host,Uri} headers.
# The reverse_proxy directive automatically sets X-Forwarded-{For,Proto,Host} headers.
header_up X-Real-IP {remote_host}
header_up X-Forwarded-Uri {uri}
}
}
# Requests to other paths are first processed by oauth2-proxy for authentication.
handle {
forward_auth unix//run/oauth2-proxy/oauth2-proxy.sock {
uri /oauth2/auth
# oauth2-proxy requires the X-Real-IP and X-Forwarded-{Proto,Host,Uri} headers.
# The forward_auth directive automatically sets the X-Forwarded-{For,Proto,Host,Method,Uri} headers.
header_up X-Real-IP {remote_host}
# If needed, you can copy headers from the oauth2-proxy response to the request sent to the upstream.
# Make sure to configure the --set-xauthrequest flag to enable this feature.
#copy_headers X-Auth-Request-User X-Auth-Request-Email
# If oauth2-proxy returns a 401 status, redirect the client to the sign-in page.
@error status 401
handle_response @error {
redir * /oauth2/sign_in?rd={scheme}://{host}{uri}
}
}
reverse_proxy localhost:${toString config.services.homepage-dashboard.listenPort}
}
reverse_proxy localhost:${toString config.services.homepage-dashboard.listenPort}
'';
};
oauth2-proxy = {
hostName = "oauth2.${domain}:${toString caddyPort}";
extraConfig = "reverse_proxy unix//run/oauth2-proxy/oauth2-proxy.sock";
};
navidrome = {
useACMEHost = null;
hostName = "navidrome.hopper.xun.host:80";
extraConfig = ''
reverse_proxy unix//var/lib/navidrome/navidrome.sock
'';
};
navidrome2 = {
hostName = "navidrome.${domain}:${toString caddyPort}";
extraConfig = ''
# Requests to /oauth2/* are proxied to oauth2-proxy without authentication.
# You can't use `reverse_proxy /oauth2/* oauth2-proxy.internal:4180` here because the reverse_proxy directive has lower precedence than the handle directive.
handle /oauth2/* {
reverse_proxy unix//run/oauth2-proxy/oauth2-proxy.sock {
# oauth2-proxy requires the X-Real-IP and X-Forwarded-{Proto,Host,Uri} headers.
# The reverse_proxy directive automatically sets X-Forwarded-{For,Proto,Host} headers.
header_up X-Real-IP {remote_host}
header_up X-Forwarded-Uri {uri}
}
}
# Requests to other paths are first processed by oauth2-proxy for authentication.
handle {
forward_auth unix//run/oauth2-proxy/oauth2-proxy.sock {
uri /oauth2/auth
# oauth2-proxy requires the X-Real-IP and X-Forwarded-{Proto,Host,Uri} headers.
# The forward_auth directive automatically sets the X-Forwarded-{For,Proto,Host,Method,Uri} headers.
header_up X-Real-IP {remote_host}
# If needed, you can copy headers from the oauth2-proxy response to the request sent to the upstream.
# Make sure to configure the --set-xauthrequest flag to enable this feature.
#copy_headers X-Auth-Request-User X-Auth-Request-Email
# If oauth2-proxy returns a 401 status, redirect the client to the sign-in page.
@error status 401
handle_response @error {
redir * /oauth2/sign_in?rd={scheme}://{host}{uri}
}
}
reverse_proxy unix//var/lib/navidrome/navidrome.sock
}
'';
};
# slskd-pub = {
# hostName = "slskd.${domain}:${toString caddyPort}";
# extraConfig = ''
# handle /oauth2/* {
# reverse_proxy unix//run/oauth2-proxy/oauth2-proxy.sock
# }
# handle {
# forward_auth unix//run/oauth2-proxy/oauth2-proxy.sock {
# uri /oauth2/auth
#
# header_up X-Real-IP {remote_host}
#
# @bad status 4xx
# handle_response @bad {
# redir * /oauth2/start
# }
# }
# reverse_proxy localhost:${toString config.services.slskd.settings.web.port}
# }
# '';
# };
# prometheus = {
# useACMEHost = null;
# hostName = "prometheus.hopper.xun.host:80";
# extraConfig = ''
# reverse_proxy ${toString config.vpnNamespaces."wg".bridgeAddress}:9001
# '';
# };
other = {
useACMEHost = domain;
hostName = ":${toString caddyPort}";
extraConfig = ''
respond 404 {
@ -279,7 +136,6 @@ in {
'';
};
otherPriv = {
useACMEHost = null;
hostName = ":80";
extraConfig = ''
respond 404 {
@ -335,12 +191,6 @@ in {
icon = "jellyfin";
};
}
{
"navidrome" = {
href = "http://navidrome.hopper.xun.host";
icon = "jellyfin";
};
}
{
"adguard home" = {
href = "http://${config.networking.hostName}:${toString config.services.adguardhome.port}";
@ -353,37 +203,11 @@ in {
icon = "prometheus";
};
}
{
"kanidm" = {
href = "https://kanidm.${domain}";
icon = "kanidm";
};
}
];
}
];
};
# TODO finish setting up authentik
# services.authentik = {
# enable = true;
# settings = {
# disable_startup_analytics = true;
# error_reporting.enabled = false;
# avatars = "initials";
# };
# };
# TODO finish setting up navidrome
users.groups.${config.services.navidrome.group}.members = ["caddy"]; # for socket file :)
services.navidrome = {
enable = true;
settings = {
MusicFolder = "/media/library/music";
Address = "unix:/var/lib/navidrome/navidrome.sock";
};
};
systemd.services.jellyfin.vpnConfinement = {
enable = true;
vpnNamespace = "wg";
@ -480,142 +304,15 @@ in {
credentialsFile = config.sops.secrets.transmission.path;
};
# TODO use this for sso with some things maybe
# services.tailscaleAuth = {
# enable = true;
# user = config.services.caddy.user;
# group = config.services.caddy.group;
# };
# systemd.services.oauth2-proxy.vpnConfinement = {
# enable = true;
# vpnNamespace = "wg";
# };
systemd.services.oauth2-proxy = {
after = ["kanidm.service"];
serviceConfig = {
RuntimeDirectory = "oauth2-proxy";
UMask = "007";
};
};
users.groups.oauth2-proxy.members = ["caddy"];
services.oauth2-proxy = {
enable = true;
clientID = "oauth2-proxy";
cookie = {
expire = "5m";
# secure = false;
};
email.domains = ["*"];
httpAddress = "unix:///run/oauth2-proxy/oauth2-proxy.sock";
scope = "openid profile email";
redirectURL = "https://oauth2.${domain}/oauth2/callback";
keyFile = config.sops.secrets.oauth2-proxy.path;
reverseProxy = true;
approvalPrompt = "auto";
setXauthrequest = true;
provider = "oidc";
redeemURL = "https://${config.services.kanidm.serverSettings.domain}/oauth2/token";
loginURL = "https://${config.services.kanidm.serverSettings.domain}/ui/oauth2";
oidcIssuerUrl = "https://${config.services.kanidm.serverSettings.domain}/oauth2/openid/oauth2-proxy";
validateURL = "https://${config.services.kanidm.serverSettings.domain}/oauth2/token/introspect";
profileURL = "https://${config.services.kanidm.serverSettings.domain}/oauth2/openid/oauth2-proxy/userinfo";
# redeemURL = "https://${config.services.kanidm.serverSettings.domain}/oauth2/token";
# loginURL = "https://${config.services.kanidm.serverSettings.domain}/ui/oauth2";
# validateURL = "https://${config.services.kanidm.serverSettings.domain}/oauth2/openid/oauth2-proxy";
# oidcIssuerUrl = "https://kanidm.${domain}/oauth2/openid/oauth2-proxy";
# profileURL = "https://kanidm.${domain}/oauth2/openid/oauth2-proxy/userinfo";
extraConfig = {
code-challenge-method = "S256"; # PKCE
whitelist-domain = "dash.hopper.xun.host";
# oidc-issuer-url = "https://${config.services.kanidm.serverSettings.domain}";
# insecure-oidc-skip-issuer-verification = "true";
# insecure-oidc-allow-unverified-email = "true";
# scope = "openid profile email groups";
};
};
systemd.services.kanidm = {
vpnConfinement = {
enable = true;
vpnNamespace = "wg";
};
serviceConfig = {
InaccessiblePaths = lib.mkForce [];
};
};
boot.kernel.sysctl."fs.inotify.max_user_watches" = 99999999;
services.kanidm = {
package = pkgs.kanidm_1_4.override {enableSecretProvisioning = true;};
enableServer = true;
serverSettings = {
domain = "kanidm.${domain}";
origin = "https://kanidm.${domain}";
bindaddress = "127.0.0.1:${toString kanidmPort}";
ldapbindaddress = "[::1]:3636";
trust_x_forward_for = true;
tls_chain = "${config.security.acme.certs."kanidm.${domain}".directory}/fullchain.pem";
tls_key = "${config.security.acme.certs."kanidm.${domain}".directory}/key.pem";
};
provision = {
enable = true;
adminPasswordFile = config.sops.secrets."kanidm/admin_pass".path;
idmAdminPasswordFile = config.sops.secrets."kanidm/idm_admin_pass".path;
persons = {
"xun" = {
displayName = "xun";
legalName = "xun";
mailAddresses = ["xunuwu@gmail.com"];
groups = [
"oauth2-proxy.access"
"oauth2-proxy.adguardhome"
"oauth2-proxy.analytics"
];
};
};
groups."oauth2-proxy.access" = {};
groups."oauth2-proxy.adguardhome" = {};
# groups."oauth2-proxy.openwebui" = {};
groups."oauth2-proxy.analytics" = {};
systems.oauth2.oauth2-proxy = {
displayName = "Oauth2 Proxy";
originUrl = "https://oauth2.${domain}/oauth2/callback";
originLanding = "https://oauth2.${domain}/";
# basicSecretFile = config.age.secrets..path;
preferShortUsername = true;
scopeMaps."oauth2-proxy.access" = [
"openid"
"profile"
"email"
];
claimMaps.groups = {
joinType = "array";
valuesByGroup."oauth2-proxy.adguardhome" = ["access_adguardhome"];
# valuesByGroup."oauth2-proxy.openwebui" = ["access_openwebui"];
valuesByGroup."oauth2-proxy.analytics" = ["access_analytics"];
};
};
};
};
services.adguardhome = {
enable = true;
mutableSettings = false;
port = adguardWebPort;
# host = "100.115.105.144";
settings = {
dhcp.enabled = false;
dns = {
# port = adguardDnsPort;
upstream_dns = [
"quic://dns.nextdns.io"
"https://cloudflare-dns.com/dns-query"
@ -646,6 +343,4 @@ in {
];
};
};
## TODO: add forgejo
}