luj/snowfield
1
0
Fork 0
mirror of https://github.com/JulienMalka/snowfield.git synced 2025-06-08 10:09:04 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

delete unused code

Browse source
This commit is contained in:
Luj 2024-03-30 20:08:03 +01:00
parent 3272efc40a
commit 8c1f06fda1
Signed by: luj
GPG key ID: 6FC74C847011FD83
14 changed files with 0 additions and 1266 deletions
Download patch file Download diff file Expand all files Collapse all files

57
modules/authelia/authelia-config.nix
View file

@ -1,57 +0,0 @@
# Taken from 'config.template.yml' for Authelia v4.32.2.
# Update along with 'pkgs/authelia.nix'.
{ cfg }:
''
server:
host: 0.0.0.0
port: 9091
read_buffer_size: 4096
write_buffer_size: 4096
path: "authelia"
log.level: debug
jwt_secret: somethingsomethingrandomrecret
default_redirection_url: https://autheliafailed.julienmalka.me
authentication_backend:
disable_reset_password: false
file:
path: ${./config/users.yml}
password:
algorithm: argon2id
iterations: 1
key_length: 32
salt_length: 16
memory: 512
parallelism: 8
access_control:
default_policy: deny
rules:
- domain:
- "auth.julienmalka.me"
policy: bypass
- domain:
- "series.julienmalka.me"
policy: one_factor
session:
name: authelia_session
secret: somerandomsecret
expiration: 1h
inactivity: 5m
remember_me_duration: 1M
domain: julienmalka.me
regulation:
max_retries: 3
find_time: 2m
ban_time: 5m
storage:
encryption_key: a_very_important_secret
local:
path: /var/lib/authelia/storage.db
notifier:
disable_startup_check: false
filesystem:
filename: /var/lib/authelia/notification.txt
''

38
modules/authelia/authelia.conf
View file

@ -1,38 +0,0 @@
# Virtual endpoint created by nginx to forward auth requests.
location /authelia {
internal;
set $upstream_authelia http://127.0.0.1:9091/api/verify;
proxy_pass_request_body off;
proxy_pass $upstream_authelia;
proxy_set_header Content-Length "";
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# [REQUIRED] Needed by Authelia to check authorizations of the resource.
# Provide either X-Original-URL and X-Forwarded-Proto or
# X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
# Those headers will be used by Authelia to deduce the target url of the user.
# Basic Proxy Config
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}

7
modules/authelia/config/users.yml
View file

@ -1,7 +0,0 @@
users:
julien:
displayname: "Julien Malka"
email: julien@malka.sh
groups:
- admins
- dev

96
modules/authelia/default.nix
View file

@ -1,96 +0,0 @@
{ pkgs, lib, config, ... }:
with lib; let
cfg = config.luj.authelia;
autheliaConfig = pkgs.writeText "authelia-config.yml"
(import ./authelia-config.nix { inherit cfg; });
in
{
options.luj.authelia = {
enable = mkEnableOption "enable authelia";
};
config = mkIf cfg.enable {
systemd = {
services.authelia = {
serviceConfig = {
User = "authelia";
StateDirectory = "authelia";
RuntimeDirectory = "authelia";
StateDirectoryMode = "0700";
RuntimeDirectoryMode = "0700";
};
script = ''
exec ${pkgs.authelia}/bin/authelia --config ${autheliaConfig}
'';
};
};
users = {
users.authelia = {
group = "authelia";
isSystemUser = true;
};
groups.authelia = {
members = [ "nginx" ];
};
};
services.nginx.virtualHosts."auth.julienmalka.me" = {
enableACME = true;
forceSSL = true;
locations."/" = {
extraConfig = ''
set $upstream_authelia http://127.0.0.1:9091;
proxy_pass $upstream_authelia;
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.0.0.0/8;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
'';
};
};
};
}

23
modules/authelia/secure.conf
View file

@ -1,23 +0,0 @@
# Basic Authelia Config
# Send a subsequent request to Authelia to verify if the user is authenticated
# and has the right permissions to access the resource.
auth_request /authelia;
# Set the `target_url` variable based on the request. It will be used to build the portal
# URL with the correct redirection parameter.
auth_request_set $target_url $scheme://$http_host$request_uri;
# Set the X-Forwarded-User and X-Forwarded-Groups with the headers
# returned by Authelia for the backends which can consume them.
# This is not safe, as the backend must make sure that they come from the
# proxy. In the future, it's gonna be safe to just use OAuth.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;
# If Authelia returns 401, then nginx redirects the user to the login portal.
# If it returns 200, then the request pass through to the backend.
# For other type of errors, nginx will handle them as usual.
error_page 401 =302 https://auth.julienmalka.me/?rd=$target_url;

37
modules/bincache/default.nix
View file

@ -1,37 +0,0 @@
{ pkgs, config, lib, inputs, ... }:
let
cfg = config.luj.bincache;
port = 5000;
in
with lib;
{
options.luj.bincache = {
enable = mkEnableOption "Enable nix bincache";
subdomain = mkOption {
type = types.str;
};
};
config = mkIf cfg.enable (recursiveUpdate
{
users.users.nix-serve = {
isSystemUser = true;
};
nix.settings.allowed-users = [ "nix-serve" ];
users.users.nix-serve.group = "nix-serve";
users.groups.nix-serve = { };
sops.secrets.bin-cache-priv-key = {
owner = "nix-serve";
};
services.nix-serve = {
enable = true;
secretKeyFile = "/run/secrets/bin-cache-priv-key";
port = port;
};
}
(mkSubdomain cfg.subdomain port));
}

101
modules/drone/default.nix
View file

@ -1,101 +0,0 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.luj.drone;
drone = config.users.users.drone.name;
port = 3030;
in
{
options.luj.drone = {
enable = mkEnableOption "activate drone CI";
subdomain = mkOption {
type = types.str;
};
};
config = mkIf cfg.enable (recursiveUpdate
{
users.users.drone = {
isNormalUser = true;
createHome = true;
home = "/home/drone";
extraGroups = [ drone config.users.groups.keys.name ];
hashedPasswordFile = config.sops.secrets.user-julien-password.path;
};
users.groups.drone = { };
luj.hmgr.drone.luj.programs.git.enable = true;
nix.settings.allowed-users = [ drone ];
sops.secrets.drone = { };
sops.secrets.ssh-drone-pub = {
owner = drone;
path = "/home/drone/.ssh/id_ed25519.pub";
mode = "0644";
format = "binary";
sopsFile = ../../secrets/ssh-drone-pub;
};
sops.secrets.ssh-drone-priv = {
owner = drone;
path = "/home/drone/.ssh/id_ed25519";
mode = "0600";
format = "binary";
sopsFile = ../../secrets/ssh-drone-priv;
};
systemd.services.drone-server = {
wantedBy = [ "multi-user.target" ];
serviceConfig = {
EnvironmentFile = [ config.sops.secrets.drone.path ];
Environment = [
"DRONE_SERVER_HOST=${cfg.subdomain}.julienmalka.me"
"DRONE_SERVER_PROTO=https"
"DRONE_DATABASE_DATASOURCE=postgres:///drone?host=/run/postgresql"
"DRONE_DATABASE_DRIVER=postgres"
"DRONE_SERVER_PORT=:3030"
"DRONE_USER_CREATE=username:JulienMalka,admin:true"
"DRONE_USER_CREATE=username:camillemndn, admin:true"
"DRONE_REGISTRATION_CLOSED=true"
];
ExecStart = "${pkgs.drone}/bin/drone-server";
User = drone;
Group = drone;
};
};
services.postgresql = {
enable = true;
ensureDatabases = [ drone ];
ensureUsers = [{
name = drone;
ensurePermissions = {
"DATABASE ${drone}" = "ALL PRIVILEGES";
};
}];
};
systemd.services.drone-runner-exec = {
description = "Drone Exec Runner";
startLimitIntervalSec = 5;
serviceConfig = {
User = drone;
Group = drone;
EnvironmentFile = [ config.sops.secrets.drone.path ];
Environment = [
"DRONE_SERVER_HOST=${cfg.subdomain}.julienmalka.me"
"DRONE_SERVER_PROTO=https"
"CLIENT_DRONE_RPC_HOST=127.0.0.1:3030"
];
ExecStart = "${pkgs.drone-runner-exec}/bin/drone-runner-exec service run";
};
wantedBy = [ "multi-user.target" ];
path = [ pkgs.nixUnstable pkgs.git pkgs.openssh ];
};
}
(recursiveUpdate (mkSubdomain cfg.subdomain port) (mkVPNSubdomain cfg.subdomain port)));
}

100
modules/filerun/default.nix
View file

@ -1,100 +0,0 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.luj.filerun;
mysql_root_pw = [ (builtins.readFile /run/secrets/filerun-root-passwd) ];
mysql_pw = [ (builtins.readFile /run/secrets/filerun-passwd) ];
port = 2000;
in
{
options.luj.filerun = {
enable = mkEnableOption "enable filerun service";
subdomain = mkOption {
type = types.str;
};
};
config = mkIf cfg.enable (recursiveUpdate {
sops.secrets.filerun = {};
virtualisation.docker.enable = true;
virtualisation.oci-containers.containers."filerun-mariadb" = {
image = "mariadb:10.1";
environment = {
"MYSQL_USER" = "filerun";
"MYSQL_DATABASE" = "filerundb";
"TZ" = "Europe/Paris";
};
environmentFiles = [
/run/secrets/filerun
];
volumes = [ "/home/delegator/filerun/db:/var/lib/mysql" ];
extraOptions = [ "--network=filerun-br" ];
};
systemd.services.init-filerun-network-and-files = {
description = "Create the network bridge filerun-br for filerun.";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig.Type = "oneshot";
script =
let dockercli = "${config.virtualisation.docker.package}/bin/docker";
in
''
# Put a true at the end to prevent getting non-zero return code, which will
# crash the whole service.
check=$(${dockercli} network ls | grep "filerun-br" || true)
if [ -z "$check" ]; then
${dockercli} network create filerun-br
else
echo "filerun-br already exists in docker"
fi
'';
};
users.users.filerun = {
isSystemUser = true;
uid = 250;
name = "filerun";
};
users.groups.filerun = {
gid = 350;
name = "filerun";
};
users.users.filerun.group = config.users.groups.filerun.name;
virtualisation.oci-containers.containers."filerun" = {
image = "filerun/filerun";
environment = {
"FR_DB_HOST" = "filerun-mariadb";
"FR_DB_PORT" = "3306";
"FR_DB_NAME" = "filerundb";
"FR_DB_USER" = "filerun";
"APACHE_RUN_USER" = config.users.users.filerun.name;
"APACHE_RUN_USER_ID" = "250";
"APACHE_RUN_GROUP" = config.users.groups.filerun.name;
"APACHE_RUN_GROUP_ID" = "350";
};
environmentFiles = [
/run/secrets/filerun
];
ports = [ "2000:80" ];
volumes = [
"/home/delegator/filerun/web:/var/www/html"
"/home/julien/cloud:/user-files"
];
extraOptions = [ "--network=filerun-br" ];
};
} (mkSubdomain cfg.subdomain port));
}

12
modules/status/checks.csv
View file

@ -1,12 +0,0 @@
port, 0, Lisa, lisa.julienmalka.me 45
http, 200, Homepage, https://julienmalka.me
http, 200, CI, https://ci.julienmalka.me
http, 200, Binary Cache, https://bin.julienmalka.me/nix-cache-info
http, 200, Jellyfin, https://tv.julienmalka.me
port, 0, Newton, newton.julienmalka.me 45
http, 200, Cloud, cloud.julienmalka.me
port, 0, Mail, mail.julienmalka.me 993
http, 200, Docs, https://docs.julienmalka.me
http, 200, Lambda, https://nixos.org
http, 200, Navidrome, https://music.julienmalka.me
http, 200, Bruit https://bruit.julienmalka.me
Can't render this file because it has a wrong number of fields in line 12.

52
modules/status/default.nix
View file

@ -1,52 +0,0 @@
{ lib, pkgs, config, ... }:
with lib;
let
cfg = config.luj.status;
in
{
options.luj.status = {
enable = mkEnableOption "activate status page";
nginx.enable = mkEnableOption "activate nginx";
nginx.subdomain = mkOption {
type = types.str;
};
};
config = mkIf cfg.enable (
mkMerge [{
systemd = {
timers.tinystatus = {
wantedBy = [ "timers.target" ];
partOf = [ "tinystatus.service" ];
timerConfig.OnCalendar = "*-*-* *:05,10,15,20,25,30,35,40,45,50,55:00";
timerConfig.Unit = "tinystatus.service";
};
services.tinystatus = {
serviceConfig.Type = "oneshot";
path = [ pkgs.gawk pkgs.gnused pkgs.curl pkgs.netcat pkgs.unixtools.ping ];
script = ''
mkdir -p /var/www/status
${pkgs.tinystatus}/bin/tinystatus ${./checks.csv} > /var/www/status/index.html
${pkgs.gnused}/bin/sed -i 's/tinystatus/Services status/g' /var/www/status/index.html
${pkgs.gnused}/bin/sed -i 's/80%/60%/g' /var/www/status/index.html
'';
};
};
}
(mkIf cfg.nginx.enable {
luj.nginx.enable = true;
services.nginx.virtualHosts."${cfg.nginx.subdomain}.julienmalka.me" = {
enableACME = true;
forceSSL = true;
root = "/var/www/status/";
};
})]);
}