hosts/pie: update authelia, firefly, invoiceplane
This commit is contained in:
parent
fc71a1c816
commit
197f343bd5
18
flake.lock
18
flake.lock
|
@ -581,11 +581,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-master": {
|
"nixpkgs-master": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1724505469,
|
"lastModified": 1726071952,
|
||||||
"narHash": "sha256-U0KAINJreo0RbZ2QbA4Y5EhWO7XERFRlkJdrRIncjn8=",
|
"narHash": "sha256-HBTpIZFHQ2rgMdLOquGk4GbAU1lnyzukRYLj4dHWxTg=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "59fbe04a3baa1011fe9f6eb00a1afb7db5179933",
|
"rev": "182ffe0f2da71206de247c535ace12659a0a62b5",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -597,11 +597,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs-unstable": {
|
"nixpkgs-unstable": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1724224976,
|
"lastModified": 1725983898,
|
||||||
"narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=",
|
"narHash": "sha256-4b3A9zPpxAxLnkF9MawJNHDtOOl6ruL0r6Og1TEDGCE=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "c374d94f1536013ca8e92341b540eba4c22f9c62",
|
"rev": "1355a0cbfeac61d785b7183c0caaec1f97361b43",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
@ -645,11 +645,11 @@
|
||||||
},
|
},
|
||||||
"nixpkgs_4": {
|
"nixpkgs_4": {
|
||||||
"locked": {
|
"locked": {
|
||||||
"lastModified": 1724316499,
|
"lastModified": 1725930920,
|
||||||
"narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
|
"narHash": "sha256-RVhD9hnlTT2nJzPHlAqrWqCkA7T6CYrP41IoVRkciZM=",
|
||||||
"owner": "nixos",
|
"owner": "nixos",
|
||||||
"repo": "nixpkgs",
|
"repo": "nixpkgs",
|
||||||
"rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
|
"rev": "44a71ff39c182edaf25a7ace5c9454e7cba2c658",
|
||||||
"type": "github"
|
"type": "github"
|
||||||
},
|
},
|
||||||
"original": {
|
"original": {
|
||||||
|
|
|
@ -149,13 +149,13 @@ MAP_DEFAULT_ZOOM=6
|
||||||
#
|
#
|
||||||
# LDAP is no longer supported :(
|
# LDAP is no longer supported :(
|
||||||
#
|
#
|
||||||
AUTHENTICATION_GUARD=web
|
AUTHENTICATION_GUARD=remote_user_guard
|
||||||
|
|
||||||
#
|
#
|
||||||
# Remote user guard settings
|
# Remote user guard settings
|
||||||
#
|
#
|
||||||
AUTHENTICATION_GUARD_HEADER=REMOTE_USER
|
AUTHENTICATION_GUARD_HEADER=REMOTE_USER
|
||||||
AUTHENTICATION_GUARD_EMAIL=
|
AUTHENTICATION_GUARD_EMAIL=REMOTE_EMAIL
|
||||||
|
|
||||||
#
|
#
|
||||||
# Firefly III supports webhooks. These are security sensitive and must be enabled manually first.
|
# Firefly III supports webhooks. These are security sensitive and must be enabled manually first.
|
||||||
|
|
|
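Review bot: `AUTHENTICATION_GUARD=remote_user_guard` makes Firefly III accept the identity carried in the `REMOTE_USER` and `REMOTE_EMAIL` headers named two lines below as already authenticated, so the application must be reachable only through the authenticating proxy that sets those headers, and that proxy must overwrite any copy of them arriving from the client. The proxy side of that contract is not part of this diff, so I cannot confirm it here. A comment next to the setting recording the dependency would help the next reader: `# Trusts REMOTE_USER/REMOTE_EMAIL from the auth proxy; never expose this port without it.`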
@ -9,6 +9,14 @@ with lib; let
|
||||||
psCfg = config.pub-solar;
|
psCfg = config.pub-solar;
|
||||||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
||||||
in {
|
in {
|
||||||
|
disabledModules = [
|
||||||
|
"services/security/authelia.nix"
|
||||||
|
];
|
||||||
|
|
||||||
|
imports = [
|
||||||
|
"${flake.inputs.nixpkgs-master}/nixos/modules/services/security/authelia.nix"
|
||||||
|
];
|
||||||
|
|
||||||
age.secrets."authelia-storage-encryption-key" = {
|
age.secrets."authelia-storage-encryption-key" = {
|
||||||
file = "${flake.self}/secrets/authelia-storage-encryption-key.age";
|
file = "${flake.self}/secrets/authelia-storage-encryption-key.age";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
|
@ -83,6 +91,10 @@ in {
|
||||||
oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path;
|
oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
environmentVariables = {
|
||||||
|
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets."mail@b12f.io-password".path;
|
||||||
|
};
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
theme = "light";
|
theme = "light";
|
||||||
default_2fa_method = "webauthn";
|
default_2fa_method = "webauthn";
|
||||||
|
@ -111,17 +123,13 @@ in {
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
notifier.smtp = {
|
notifier.smtp = {
|
||||||
host = "mail.b12f.io";
|
address = "submission://mail.b12f.io:587";
|
||||||
port = 587;
|
|
||||||
username = "mail@b12f.io";
|
username = "mail@b12f.io";
|
||||||
sender = "auth.b12f.io <mail@b12f.io>";
|
sender = "auth.b12f.io <mail@b12f.io>";
|
||||||
identifier = "auth@b12f.io";
|
identifier = "auth@b12f.io";
|
||||||
subject = "[auth.b12f.io] {title}";
|
subject = "[auth.b12f.io] {title}";
|
||||||
};
|
};
|
||||||
identity_providers.oidc = {
|
identity_providers.oidc = {
|
||||||
jwks = [{
|
|
||||||
key = ''{{- fileContent "${config.age.secrets."authelia-jwks-private-key".path}" | nindent 8 }}'';
|
|
||||||
}];
|
|
||||||
authorization_policies = {
|
authorization_policies = {
|
||||||
admins = {
|
admins = {
|
||||||
default_policy = "deny";
|
default_policy = "deny";
|
||||||
|
@ -130,20 +138,13 @@ in {
|
||||||
subject = "group:admins";
|
subject = "group:admins";
|
||||||
}];
|
}];
|
||||||
};
|
};
|
||||||
jellyfin = {
|
|
||||||
default_policy = "deny";
|
|
||||||
rules = [{
|
|
||||||
policy = "two_factor";
|
|
||||||
subject = "group:jellyfin-users";
|
|
||||||
}];
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
clients = [
|
clients = [
|
||||||
{
|
{
|
||||||
client_id = "jellyfin";
|
client_id = "jellyfin";
|
||||||
client_secret = "$pbkdf2-sha512$310000$koY0g1AqL.fEeQUJcE48SA$b9G4p7qquc6M9rSTnR.Ac3Le9KS25zbTN0aNiXT4sxag7Kstu4Pt66/sVlAh3lIS4CGjLcPA2GvjhXnapC.ziQ";
|
client_secret = "$pbkdf2-sha512$310000$koY0g1AqL.fEeQUJcE48SA$b9G4p7qquc6M9rSTnR.Ac3Le9KS25zbTN0aNiXT4sxag7Kstu4Pt66/sVlAh3lIS4CGjLcPA2GvjhXnapC.ziQ";
|
||||||
public = false;
|
public = false;
|
||||||
authorization_policy = "jellyfin";
|
authorization_policy = "admins";
|
||||||
require_pkce = true;
|
require_pkce = true;
|
||||||
pkce_challenge_method = "S256";
|
pkce_challenge_method = "S256";
|
||||||
redirect_uris = [ "https://media.b12f.io/sso/OID/redirect/authelia" ];
|
redirect_uris = [ "https://media.b12f.io/sso/OID/redirect/authelia" ];
|
||||||
|
@ -160,7 +161,7 @@ in {
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
systemd.services.authelia-b12f.environment.AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets."mail@b12f.io-password".path;
|
systemd.services.authelia-b12f.preStart = "env";
|
||||||
|
|
||||||
services.restic.backups = {
|
services.restic.backups = {
|
||||||
authelia = {
|
authelia = {
|
||||||
|
@ -169,7 +170,7 @@ in {
|
||||||
passwordFile = config.age.secrets."restic-password".path;
|
passwordFile = config.age.secrets."restic-password".path;
|
||||||
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
|
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
|
||||||
repository = "rclone:cloud.pub.solar:/backups/Authelia";
|
repository = "rclone:cloud.pub.solar:/backups/Authelia";
|
||||||
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
|
rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
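Review bot: `systemd.services.authelia-b12f.preStart = "env";` in the `@ -160,7 +161,7` hunk looks like leftover debugging: it runs `env` before every start, so the service's full environment is written to the journal on each (re)start, and nothing in the hunk consumes that output. The variable it replaced has already moved to `environmentVariables` in the earlier hunk, so the line has no remaining purpose; if any environment entry ever holds a secret rather than a `*_FILE` path, it would end up in the log. Drop the line, or if the intent was to confirm that `environmentVariables` reaches the unit, inspect the unit with `systemctl show authelia-b12f -p Environment` instead. The enclosing attribute set starts and ends outside the hunk.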
@ -8,8 +8,8 @@
|
||||||
psCfg = config.pub-solar;
|
psCfg = config.pub-solar;
|
||||||
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
||||||
in {
|
in {
|
||||||
age.secrets."rclone-pie.conf" = {
|
age.secrets."rclone-pubsolar.conf" = {
|
||||||
file = "${flake.self}/secrets/rclone-pie.conf.age";
|
file = "${flake.self}/secrets/rclone-pubsolar.conf.age";
|
||||||
path = "/root/.config/rclone/rclone.conf";
|
path = "/root/.config/rclone/rclone.conf";
|
||||||
mode = "400";
|
mode = "400";
|
||||||
};
|
};
|
||||||
|
|
|
@ -150,7 +150,7 @@ in {
|
||||||
backupPrepareCommand = ''
|
backupPrepareCommand = ''
|
||||||
${pkgs.docker-client}/bin/docker exec -t firefly-db pg_dumpall -c -U firefly > "${backupDir}/postgres.sql"
|
${pkgs.docker-client}/bin/docker exec -t firefly-db pg_dumpall -c -U firefly > "${backupDir}/postgres.sql"
|
||||||
'';
|
'';
|
||||||
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
|
rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -101,7 +101,7 @@ in {
|
||||||
PW=$(cat ${config.age.secrets."invoiceplane-db-password".path})
|
PW=$(cat ${config.age.secrets."invoiceplane-db-password".path})
|
||||||
${pkgs.docker-client}/bin/docker exec -t invoiceplane-db mariadb-dump --all-databases --password=$PW --user=invoiceplane > "${backupDir}/postgres.sql"
|
${pkgs.docker-client}/bin/docker exec -t invoiceplane-db mariadb-dump --all-databases --password=$PW --user=invoiceplane > "${backupDir}/postgres.sql"
|
||||||
'';
|
'';
|
||||||
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
|
rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
@ -19,7 +19,11 @@
|
||||||
master = import inputs.nixpkgs-master {system = prev.system;};
|
master = import inputs.nixpkgs-master {system = prev.system;};
|
||||||
in {
|
in {
|
||||||
factorio-headless = master.factorio-headless;
|
factorio-headless = master.factorio-headless;
|
||||||
paperless-ngx = unstable.paperless-ngx;
|
authelia = master.authelia;
|
||||||
|
paperless-ngx = master.paperless-ngx.overrideAttrs (oa: {
|
||||||
|
doCheck = false;
|
||||||
|
doInstallCheck = false;
|
||||||
|
});
|
||||||
waybar = master.waybar;
|
waybar = master.waybar;
|
||||||
nix-inspect = unstable.nix-inspect;
|
nix-inspect = unstable.nix-inspect;
|
||||||
nix = unstable.lix;
|
nix = unstable.lix;
|
||||||
|
|
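Review bot: The `paperless-ngx` override near the end of the hunk sets `doCheck = false;` and `doInstallCheck = false;` without saying why, so the next person bumping `nixpkgs-master` cannot tell whether the tests are still broken or whether the flags can be dropped again. A one-line comment above the override naming the failing test or upstream issue would do, e.g. `# TODO(<owner>): tests disabled because <reason>; re-enable once fixed upstream` with the placeholders filled in. The enclosing overlay attribute set continues outside the hunk.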
Binary file not shown.