Merge branch 'main' of github.com:JulienMalka/nix-config

This commit is contained in:
Julien Malka 2022-03-10 15:25:33 +01:00
commit 8ebcb7ef4f
No known key found for this signature in database
GPG key ID: 3C68E13964FEA07F
6 changed files with 121 additions and 80 deletions

35
flake.lock generated

@ -86,10 +86,7 @@
"neovim-flake": { "neovim-flake": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"nixpkgs": [ "nixpkgs": "nixpkgs"
"neovim-nightly-overlay",
"nixpkgs"
]
}, },
"locked": { "locked": {
"dir": "contrib", "dir": "contrib",
@ -131,16 +128,16 @@
}, },
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1646011258, "lastModified": 1645433236,
"narHash": "sha256-+aen4zu5uVp52arEcgL2maCS0zQDuG1t+Azwd/O1gN4=", "narHash": "sha256-4va4MvJ076XyPp5h8sm5eMQvCrJ6yZAbBmyw95dGyw4=",
"owner": "NixOS", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "a25df4c2b79c4343bcc72ad671200e5a3e286c41", "rev": "7f9b6e2babf232412682c09e57ed666d8f84ac2d",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "nixos",
"ref": "nixos-21.11", "ref": "nixos-unstable",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@ -175,6 +172,22 @@
"type": "indirect" "type": "indirect"
} }
}, },
"nixpkgs_2": {
"locked": {
"lastModified": 1646011258,
"narHash": "sha256-+aen4zu5uVp52arEcgL2maCS0zQDuG1t+Azwd/O1gN4=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "a25df4c2b79c4343bcc72ad671200e5a3e286c41",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-21.11",
"repo": "nixpkgs",
"type": "github"
}
},
"nur": { "nur": {
"locked": { "locked": {
"lastModified": 1646051576, "lastModified": 1646051576,
@ -194,7 +207,7 @@
"home-manager": "home-manager", "home-manager": "home-manager",
"homepage": "homepage", "homepage": "homepage",
"neovim-nightly-overlay": "neovim-nightly-overlay", "neovim-nightly-overlay": "neovim-nightly-overlay",
"nixpkgs": "nixpkgs", "nixpkgs": "nixpkgs_2",
"nur": "nur", "nur": "nur",
"simple-nixos-mailserver": "simple-nixos-mailserver", "simple-nixos-mailserver": "simple-nixos-mailserver",
"sops-nix": "sops-nix", "sops-nix": "sops-nix",


@ -24,6 +24,11 @@
]; ];
# File systems configuration for using the installer's partition layout # File systems configuration for using the installer's partition layout
nix.package = lib.mkForce pkgs.nixUnstable;
fileSystems = { fileSystems = {
"/" = { "/" = {
device = "/dev/disk/by-label/NIXOS_SD"; device = "/dev/disk/by-label/NIXOS_SD";
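Review bot: The added `nix.package = lib.mkForce pkgs.nixUnstable;` lands between the `# File systems configuration for using the installer's partition layout` comment and the `fileSystems` block that comment describes, so the comment now appears to label the Nix package override. Moving the line above the comment keeps the two readable, and a one-line reason for forcing the unstable Nix here would help the next reader, e.g. `# flake-based deploys on this host need a newer nix CLI than the default — TODO confirm`. The enclosing attribute set starts outside this section.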


@ -1,16 +1,21 @@
host: 0.0.0.0 # Taken from 'config.template.yml' for Authelia v4.32.2.
port: 9091 # Update along with 'pkgs/authelia.nix'.
{ cfg }:
''
server: server:
host: 0.0.0.0
port: 9091
read_buffer_size: 4096 read_buffer_size: 4096
write_buffer_size: 4096 write_buffer_size: 4096
path: "authelia" path: "authelia"
log_level: debug log.level: debug
jwt_secret: somethingsomethingrandomrecret jwt_secret: somethingsomethingrandomrecret
default_redirection_url: https://auth.julienmalka.me default_redirection_url: https://autheliafailed.julienmalka.me
authentication_backend: authentication_backend:
disable_reset_password: false disable_reset_password: false
file: file:
path: /config/users_database.yml path: ${./config/users.yml}
password: password:
algorithm: argon2id algorithm: argon2id
iterations: 1 iterations: 1
@ -18,19 +23,24 @@ authentication_backend:
salt_length: 16 salt_length: 16
memory: 512 memory: 512
parallelism: 8 parallelism: 8
access_control: access_control:
default_policy: deny default_policy: deny
rules: rules:
- domain: - domain:
- series.julienmalka.me - "auth.julienmalka.me"
policy: bypass
- domain:
- "series.julienmalka.me"
policy: one_factor policy: one_factor
session: session:
name: authelia_session name: authelia_session
secret: somerandomsecret secret: somerandomsecret
expiration: 1h expiration: 1h
inactivity: 5m inactivity: 5m
remember_me_duration: 1M remember_me_duration: 1M
domain: series.julienmalka.me domain: julienmalka.me
regulation: regulation:
max_retries: 3 max_retries: 3
find_time: 2m find_time: 2m
@ -38,8 +48,10 @@ regulation:
storage: storage:
encryption_key: a_very_important_secret encryption_key: a_very_important_secret
local: local:
path: /config/db.sqlite3 path: /var/lib/authelia/storage.db
notifier: notifier:
disable_startup_check: false disable_startup_check: false
filesystem: filesystem:
filename: /config/notification.txt filename: /var/lib/authelia/notification.txt
''
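Review bot: This template is rendered with `pkgs.writeText` by the module elsewhere in this commit, so `jwt_secret`, `session.secret` and `storage.encryption_key` — all three still placeholder literals here — end up in a world-readable Nix store path, and `path: ${./config/users.yml}` copies the password-hash database into the store as well. Since the flake already pulls in sops-nix, the secret values should leave the template: drop those three keys from the YAML and supply them through Authelia's file-based environment variables (`AUTHELIA_JWT_SECRET_FILE`, `AUTHELIA_SESSION_SECRET_FILE`, `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE`) pointing at sops-managed paths, and point `authentication_backend.file.path` at a file under `/var/lib/authelia` rather than a store path. Separately, `host: 0.0.0.0` binds every interface although nginx proxies to `127.0.0.1:9091`; `host: 127.0.0.1` limits exposure unless a firewall already covers it. `default_redirection_url: https://autheliafailed.julienmalka.me` also looks like it may be a typo for the `auth.` host and is worth a second look.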


@ -1,6 +1,8 @@
{ pkgs, lib, config, ... }: { pkgs, lib, config, ... }:
with lib; let with lib; let
cfg = config.luj.authelia; cfg = config.luj.authelia;
autheliaConfig = pkgs.writeText "authelia-config.yml"
(import ./authelia-config.nix { inherit cfg; });
in in
{ {
options.luj.authelia = { options.luj.authelia = {
@ -8,72 +10,86 @@ in
}; };
config = mkIf cfg.enable { config = mkIf cfg.enable {
virtualisation.docker.enable = true; systemd = {
virtualisation.oci-containers.containers."authelia" = { services.authelia = {
image = "authelia/authelia";
environment = {
"TZ" = "Europe/Paris";
};
volumes = [
"/srv/authelia:/config/"
];
ports = [ "9091:9091" ];
serviceConfig = {
User = "authelia";
StateDirectory = "authelia";
RuntimeDirectory = "authelia";
StateDirectoryMode = "0700";
RuntimeDirectoryMode = "0700";
};
script = ''
exec ${pkgs.authelia}/bin/authelia --config ${autheliaConfig}
'';
};
}; };
services.nginx.appendHttpConfig = '' users = {
server { users.authelia = {
server_name auth.julienmalka.me; group = "authelia";
listen 80; isSystemUser = true;
return 301 https://$server_name$request_uri; };
}
server { groups.authelia = {
server_name auth.julienmalka.me; members = [ "nginx" ];
listen 443 ssl http2; };
};
location / {
set $upstream_authelia http://127.0.0.1:9091;
proxy_pass $upstream_authelia;
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config services.nginx.virtualHosts."auth.julienmalka.me" = {
send_timeout 5m; enableACME = true;
proxy_read_timeout 360; forceSSL = true;
proxy_send_timeout 360; locations."/" = {
proxy_connect_timeout 360; extraConfig = ''
set $upstream_authelia http://127.0.0.1:9091;
proxy_pass $upstream_authelia;
# Basic Proxy Config client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# If behind reverse proxy, forwards the correct IP #Timeout if the real server is dead
set_real_ip_from 10.0.0.0/8; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
set_real_ip_from 172.0.0.0/8;
set_real_ip_from 192.168.0.0/16; # Advanced Proxy Config
set_real_ip_from fc00::/7; send_timeout 5m;
real_ip_header X-Forwarded-For; proxy_read_timeout 360;
real_ip_recursive on; proxy_send_timeout 360;
} proxy_connect_timeout 360;
}
''; # Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.0.0.0/8;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
'';
};
};
}; };
} }
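Review bot: The new `systemd.services.authelia` unit runs as a dedicated user but adds no sandboxing, so a compromise of the process still sees the whole filesystem and keeps all capabilities; the directives below next to the existing `StateDirectory` lines cost nothing here because `StateDirectory`/`RuntimeDirectory` stay writable under `ProtectSystem = "strict"` and port 9091 needs no capability. `groups.authelia.members = [ "nginx" ]` grants nginx nothing visible in this section — both directories are mode 0700 and nginx reaches Authelia over TCP — so it should either be dropped or carry a comment saying what it is for. On the retained nginx block, `set_real_ip_from 172.0.0.0/8` is far wider than RFC 1918 (`172.16.0.0/12`) and lets clients from public 172.x addresses spoof `X-Forwarded-For`; it should read `set_real_ip_from 172.16.0.0/12;`.
```nix
serviceConfig = {
  User = "authelia";
  # … unchanged: StateDirectory/RuntimeDirectory and their modes …
  ProtectSystem = "strict";
  ProtectHome = true;
  PrivateTmp = true;
  NoNewPrivileges = true;
  CapabilityBoundingSet = "";
};
```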


@ -3,15 +3,10 @@ http, 200, Homepage, https://julienmalka.me
http, 200, CI, https://ci.julienmalka.me http, 200, CI, https://ci.julienmalka.me
http, 200, Binary Cache, https://bin.julienmalka.me/nix-cache-info http, 200, Binary Cache, https://bin.julienmalka.me/nix-cache-info
http, 200, Jellyfin, https://tv.julienmalka.me http, 200, Jellyfin, https://tv.julienmalka.me
http, 200, Deluge, https://downloads.julienmalka.me
http, 200, Sonarr, https://series.julienmalka.me
http, 200, Radarr, https://films.julienmalka.me
http, 200, Jackett, https://jackett.julienmalka.me/UI/Dashboard
port, 0, Newton, newton.julienmalka.me 45 port, 0, Newton, newton.julienmalka.me 45
http, 200, Cloud, cloud.julienmalka.me http, 200, Cloud, cloud.julienmalka.me
port, 0, Mail, mail.julienmalka.me 993 port, 0, Mail, mail.julienmalka.me 993
http, 200, Docs, https://docs.julienmalka.me http, 200, Docs, https://docs.julienmalka.me
http, 200, Lambda, https://nixos.org http, 200, Lambda, https://nixos.org
http, 200, Lidarr, https://songs.julienmalka.me
http, 200, Navidrome, https://music.julienmalka.me http, 200, Navidrome, https://music.julienmalka.me
http, 200, Bruit https://bruit.julienmalka.me http, 200, Bruit https://bruit.julienmalka.me
