hosts/pie: update authelia, firefly, invoiceplane

This commit is contained in:
b12f 2024-09-12 13:58:32 +02:00
parent fc71a1c816
commit 197f343bd5
Signed by: b12f
GPG key ID: 729956E1124F8F26
8 changed files with 36 additions and 31 deletions


@ -581,11 +581,11 @@
}, },
"nixpkgs-master": { "nixpkgs-master": {
"locked": { "locked": {
"lastModified": 1724505469, "lastModified": 1726071952,
"narHash": "sha256-U0KAINJreo0RbZ2QbA4Y5EhWO7XERFRlkJdrRIncjn8=", "narHash": "sha256-HBTpIZFHQ2rgMdLOquGk4GbAU1lnyzukRYLj4dHWxTg=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "59fbe04a3baa1011fe9f6eb00a1afb7db5179933", "rev": "182ffe0f2da71206de247c535ace12659a0a62b5",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -597,11 +597,11 @@
}, },
"nixpkgs-unstable": { "nixpkgs-unstable": {
"locked": { "locked": {
"lastModified": 1724224976, "lastModified": 1725983898,
"narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=", "narHash": "sha256-4b3A9zPpxAxLnkF9MawJNHDtOOl6ruL0r6Og1TEDGCE=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "c374d94f1536013ca8e92341b540eba4c22f9c62", "rev": "1355a0cbfeac61d785b7183c0caaec1f97361b43",
"type": "github" "type": "github"
}, },
"original": { "original": {
@ -645,11 +645,11 @@
}, },
"nixpkgs_4": { "nixpkgs_4": {
"locked": { "locked": {
"lastModified": 1724316499, "lastModified": 1725930920,
"narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=", "narHash": "sha256-RVhD9hnlTT2nJzPHlAqrWqCkA7T6CYrP41IoVRkciZM=",
"owner": "nixos", "owner": "nixos",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841", "rev": "44a71ff39c182edaf25a7ace5c9454e7cba2c658",
"type": "github" "type": "github"
}, },
"original": { "original": {


@ -149,13 +149,13 @@ MAP_DEFAULT_ZOOM=6
# #
# LDAP is no longer supported :( # LDAP is no longer supported :(
# #
AUTHENTICATION_GUARD=web AUTHENTICATION_GUARD=remote_user_guard
# #
# Remote user guard settings # Remote user guard settings
# #
AUTHENTICATION_GUARD_HEADER=REMOTE_USER AUTHENTICATION_GUARD_HEADER=REMOTE_USER
AUTHENTICATION_GUARD_EMAIL= AUTHENTICATION_GUARD_EMAIL=REMOTE_EMAIL
# #
# Firefly III supports webhooks. These are security sensitive and must be enabled manually first. # Firefly III supports webhooks. These are security sensitive and must be enabled manually first.
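Review bot: Switching AUTHENTICATION_GUARD to remote_user_guard makes Firefly III accept the REMOTE_USER and REMOTE_EMAIL request headers as proof of identity, and the application itself has no way to verify who set them, so the setting is only safe if every path to the container goes through the Authelia forward-auth proxy. Nothing in this hunk shows that, so confirm the container's port is not published on the host or reachable from other containers, and that the proxy overwrites (rather than passes through) any client-supplied REMOTE_USER / REMOTE_EMAIL headers before forwarding. I would record that precondition next to the setting, e.g. `# remote_user_guard: the app must ONLY be reachable through the Authelia proxy; it trusts REMOTE_USER/REMOTE_EMAIL unconditionally`. As far as I recall, an unknown REMOTE_USER also gets a fresh account created, so the proxy's access rule is what decides who can obtain an account here — worth a mention in the same comment if that matches your setup.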


@ -9,6 +9,14 @@ with lib; let
psCfg = config.pub-solar; psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg; xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in { in {
disabledModules = [
"services/security/authelia.nix"
];
imports = [
"${flake.inputs.nixpkgs-master}/nixos/modules/services/security/authelia.nix"
];
age.secrets."authelia-storage-encryption-key" = { age.secrets."authelia-storage-encryption-key" = {
file = "${flake.self}/secrets/authelia-storage-encryption-key.age"; file = "${flake.self}/secrets/authelia-storage-encryption-key.age";
mode = "400"; mode = "400";
@ -83,6 +91,10 @@ in {
oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path; oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path;
}; };
environmentVariables = {
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets."mail@b12f.io-password".path;
};
settings = { settings = {
theme = "light"; theme = "light";
default_2fa_method = "webauthn"; default_2fa_method = "webauthn";
@ -111,17 +123,13 @@ in {
} }
]; ];
notifier.smtp = { notifier.smtp = {
host = "mail.b12f.io"; address = "submission://mail.b12f.io:587";
port = 587;
username = "mail@b12f.io"; username = "mail@b12f.io";
sender = "auth.b12f.io <mail@b12f.io>"; sender = "auth.b12f.io <mail@b12f.io>";
identifier = "auth@b12f.io"; identifier = "auth@b12f.io";
subject = "[auth.b12f.io] {title}"; subject = "[auth.b12f.io] {title}";
}; };
identity_providers.oidc = { identity_providers.oidc = {
jwks = [{
key = ''{{- fileContent "${config.age.secrets."authelia-jwks-private-key".path}" | nindent 8 }}'';
}];
authorization_policies = { authorization_policies = {
admins = { admins = {
default_policy = "deny"; default_policy = "deny";
@ -130,20 +138,13 @@ in {
subject = "group:admins"; subject = "group:admins";
}]; }];
}; };
jellyfin = {
default_policy = "deny";
rules = [{
policy = "two_factor";
subject = "group:jellyfin-users";
}];
};
}; };
clients = [ clients = [
{ {
client_id = "jellyfin"; client_id = "jellyfin";
client_secret = "$pbkdf2-sha512$310000$koY0g1AqL.fEeQUJcE48SA$b9G4p7qquc6M9rSTnR.Ac3Le9KS25zbTN0aNiXT4sxag7Kstu4Pt66/sVlAh3lIS4CGjLcPA2GvjhXnapC.ziQ"; client_secret = "$pbkdf2-sha512$310000$koY0g1AqL.fEeQUJcE48SA$b9G4p7qquc6M9rSTnR.Ac3Le9KS25zbTN0aNiXT4sxag7Kstu4Pt66/sVlAh3lIS4CGjLcPA2GvjhXnapC.ziQ";
public = false; public = false;
authorization_policy = "jellyfin"; authorization_policy = "admins";
require_pkce = true; require_pkce = true;
pkce_challenge_method = "S256"; pkce_challenge_method = "S256";
redirect_uris = [ "https://media.b12f.io/sso/OID/redirect/authelia" ]; redirect_uris = [ "https://media.b12f.io/sso/OID/redirect/authelia" ];
@ -160,7 +161,7 @@ in {
}; };
}; };
systemd.services.authelia-b12f.environment.AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets."mail@b12f.io-password".path; systemd.services.authelia-b12f.preStart = "env";
services.restic.backups = { services.restic.backups = {
authelia = { authelia = {
@ -169,7 +170,7 @@ in {
passwordFile = config.age.secrets."restic-password".path; passwordFile = config.age.secrets."restic-password".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/ # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/backups/Authelia"; repository = "rclone:cloud.pub.solar:/backups/Authelia";
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path; rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
}; };
}; };
} }
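Review bot: `systemd.services.authelia-b12f.preStart = "env";` prints the entire service environment into the journal on every start and reads like a leftover from debugging the move of AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE into `environmentVariables`; it should be dropped before this lands. Today the only thing it reveals for that variable is a path, but whatever else the imported module or a future change places in the unit's environment would become readable to anyone with journal access, and it adds a command to the unit's preStart for no functional reason. Separately, the `jwks` entry that fed the OIDC issuer key through `fileContent` is removed while the `clients` list still relies on a working issuer; the key presumably moves to a secrets-file option of the newer module (alongside `oidcHmacSecretFile`), but that is not visible in this hunk, so confirm it is set and that Authelia starts with a key rather than generating or lacking one. The enclosing `in { ... }` attribute set begins before the first hunk.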


@ -8,8 +8,8 @@
psCfg = config.pub-solar; psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg; xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in { in {
age.secrets."rclone-pie.conf" = { age.secrets."rclone-pubsolar.conf" = {
file = "${flake.self}/secrets/rclone-pie.conf.age"; file = "${flake.self}/secrets/rclone-pubsolar.conf.age";
path = "/root/.config/rclone/rclone.conf"; path = "/root/.config/rclone/rclone.conf";
mode = "400"; mode = "400";
}; };


@ -150,7 +150,7 @@ in {
backupPrepareCommand = '' backupPrepareCommand = ''
${pkgs.docker-client}/bin/docker exec -t firefly-db pg_dumpall -c -U firefly > "${backupDir}/postgres.sql" ${pkgs.docker-client}/bin/docker exec -t firefly-db pg_dumpall -c -U firefly > "${backupDir}/postgres.sql"
''; '';
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path; rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
}; };
}; };
} }


@ -101,7 +101,7 @@ in {
PW=$(cat ${config.age.secrets."invoiceplane-db-password".path}) PW=$(cat ${config.age.secrets."invoiceplane-db-password".path})
${pkgs.docker-client}/bin/docker exec -t invoiceplane-db mariadb-dump --all-databases --password=$PW --user=invoiceplane > "${backupDir}/postgres.sql" ${pkgs.docker-client}/bin/docker exec -t invoiceplane-db mariadb-dump --all-databases --password=$PW --user=invoiceplane > "${backupDir}/postgres.sql"
''; '';
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path; rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
}; };
}; };
} }


@ -19,7 +19,11 @@
master = import inputs.nixpkgs-master {system = prev.system;}; master = import inputs.nixpkgs-master {system = prev.system;};
in { in {
factorio-headless = master.factorio-headless; factorio-headless = master.factorio-headless;
paperless-ngx = unstable.paperless-ngx; authelia = master.authelia;
paperless-ngx = master.paperless-ngx.overrideAttrs (oa: {
doCheck = false;
doInstallCheck = false;
});
waybar = master.waybar; waybar = master.waybar;
nix-inspect = unstable.nix-inspect; nix-inspect = unstable.nix-inspect;
nix = unstable.lix; nix = unstable.lix;
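Review bot: The `overrideAttrs` on `paperless-ngx` disables both `doCheck` and `doInstallCheck` without saying why, so the next reader cannot tell whether the tests failed on nixpkgs-master, were too slow, or were unrelated breakage, and nothing prompts re-enabling them once the upstream package is fixed. Silently skipping a package's test phases is the kind of override that tends to outlive its reason, so a one-line cause and a dated TODO are warranted, e.g. `# TODO(2024-09): check phases disabled because <reason> on nixpkgs-master; drop once fixed upstream`. The same applies, less urgently, to `authelia = master.authelia;` — a short note on why the master build is needed over the pinned nixpkgs one (presumably the newer version the updated module expects) would help when the pins are next bumped. The overlay function that encloses these attributes starts before the hunk.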