hosts/pie: update authelia, firefly, invoiceplane

This commit is contained in:
b12f 2024-09-12 13:58:32 +02:00
parent fc71a1c816
commit 197f343bd5
Signed by: b12f
GPG key ID: 729956E1124F8F26
8 changed files with 36 additions and 31 deletions


@ -581,11 +581,11 @@
},
"nixpkgs-master": {
"locked": {
"lastModified": 1724505469,
"narHash": "sha256-U0KAINJreo0RbZ2QbA4Y5EhWO7XERFRlkJdrRIncjn8=",
"lastModified": 1726071952,
"narHash": "sha256-HBTpIZFHQ2rgMdLOquGk4GbAU1lnyzukRYLj4dHWxTg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "59fbe04a3baa1011fe9f6eb00a1afb7db5179933",
"rev": "182ffe0f2da71206de247c535ace12659a0a62b5",
"type": "github"
},
"original": {
@ -597,11 +597,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1724224976,
"narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=",
"lastModified": 1725983898,
"narHash": "sha256-4b3A9zPpxAxLnkF9MawJNHDtOOl6ruL0r6Og1TEDGCE=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "c374d94f1536013ca8e92341b540eba4c22f9c62",
"rev": "1355a0cbfeac61d785b7183c0caaec1f97361b43",
"type": "github"
},
"original": {
@ -645,11 +645,11 @@
},
"nixpkgs_4": {
"locked": {
"lastModified": 1724316499,
"narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
"lastModified": 1725930920,
"narHash": "sha256-RVhD9hnlTT2nJzPHlAqrWqCkA7T6CYrP41IoVRkciZM=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
"rev": "44a71ff39c182edaf25a7ace5c9454e7cba2c658",
"type": "github"
},
"original": {


@ -149,13 +149,13 @@ MAP_DEFAULT_ZOOM=6
#
# LDAP is no longer supported :(
#
AUTHENTICATION_GUARD=web
AUTHENTICATION_GUARD=remote_user_guard
#
# Remote user guard settings
#
AUTHENTICATION_GUARD_HEADER=REMOTE_USER
AUTHENTICATION_GUARD_EMAIL=
AUTHENTICATION_GUARD_EMAIL=REMOTE_EMAIL
#
# Firefly III supports webhooks. These are security sensitive and must be enabled manually first.
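Review bot: Setting AUTHENTICATION_GUARD=remote_user_guard makes Firefly III log in whoever the REMOTE_USER and REMOTE_EMAIL headers name, so correctness of the login now depends entirely on every request reaching the container through the reverse proxy (presumably the Authelia forward-auth proxy touched elsewhere in this commit) that sets those headers and overwrites any copy supplied by the client. Neither this hunk nor the rest of the commit shows that proxy configuration or that the container port is unreachable except via the proxy, so that should be confirmed before relying on it. A comment next to the setting would record the assumption for the next reader: `# REMOTE_USER/REMOTE_EMAIL are trusted verbatim: this instance must only be reachable through the authenticating proxy, which sets and overwrites both headers.` The settings block continues outside the hunk.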


@ -9,6 +9,14 @@ with lib; let
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
disabledModules = [
"services/security/authelia.nix"
];
imports = [
"${flake.inputs.nixpkgs-master}/nixos/modules/services/security/authelia.nix"
];
age.secrets."authelia-storage-encryption-key" = {
file = "${flake.self}/secrets/authelia-storage-encryption-key.age";
mode = "400";
@ -83,6 +91,10 @@ in {
oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path;
};
environmentVariables = {
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets."mail@b12f.io-password".path;
};
settings = {
theme = "light";
default_2fa_method = "webauthn";
@ -111,17 +123,13 @@ in {
}
];
notifier.smtp = {
host = "mail.b12f.io";
port = 587;
address = "submission://mail.b12f.io:587";
username = "mail@b12f.io";
sender = "auth.b12f.io <mail@b12f.io>";
identifier = "auth@b12f.io";
subject = "[auth.b12f.io] {title}";
};
identity_providers.oidc = {
jwks = [{
key = ''{{- fileContent "${config.age.secrets."authelia-jwks-private-key".path}" | nindent 8 }}'';
}];
authorization_policies = {
admins = {
default_policy = "deny";
@ -130,20 +138,13 @@ in {
subject = "group:admins";
}];
};
jellyfin = {
default_policy = "deny";
rules = [{
policy = "two_factor";
subject = "group:jellyfin-users";
}];
};
};
clients = [
{
client_id = "jellyfin";
client_secret = "$pbkdf2-sha512$310000$koY0g1AqL.fEeQUJcE48SA$b9G4p7qquc6M9rSTnR.Ac3Le9KS25zbTN0aNiXT4sxag7Kstu4Pt66/sVlAh3lIS4CGjLcPA2GvjhXnapC.ziQ";
public = false;
authorization_policy = "jellyfin";
authorization_policy = "admins";
require_pkce = true;
pkce_challenge_method = "S256";
redirect_uris = [ "https://media.b12f.io/sso/OID/redirect/authelia" ];
@ -160,7 +161,7 @@ in {
};
};
systemd.services.authelia-b12f.environment.AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets."mail@b12f.io-password".path;
systemd.services.authelia-b12f.preStart = "env";
services.restic.backups = {
authelia = {
@ -169,7 +170,7 @@ in {
passwordFile = config.age.secrets."restic-password".path;
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
repository = "rclone:cloud.pub.solar:/backups/Authelia";
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
};
};
}
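Review bot: The `identity_providers.oidc.jwks` entry added in the `@ -111,17 +123,13 @@` hunk splices the private key into the rendered config through a `{{- fileContent … | nindent 8 }}` template, which only takes effect when Authelia runs with its template config filter enabled (`X_AUTHELIA_CONFIG_FILTERS=template`); if the module imported from nixpkgs-master does not set that, the literal template text is used as the key. The `nindent 8` additionally assumes the settings formatter emits `jwks[].key` at exactly that indentation, which cannot be checked from this hunk, so the rendered config should be confirmed to parse once. Suggest a comment above the entry: `# Needs the template config filter enabled; nindent must match the indentation the settings formatter emits for jwks[].key.` The settings attrset starts and ends outside this hunk.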


@ -8,8 +8,8 @@
psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
age.secrets."rclone-pie.conf" = {
file = "${flake.self}/secrets/rclone-pie.conf.age";
age.secrets."rclone-pubsolar.conf" = {
file = "${flake.self}/secrets/rclone-pubsolar.conf.age";
path = "/root/.config/rclone/rclone.conf";
mode = "400";
};


@ -150,7 +150,7 @@ in {
backupPrepareCommand = ''
${pkgs.docker-client}/bin/docker exec -t firefly-db pg_dumpall -c -U firefly > "${backupDir}/postgres.sql"
'';
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
};
};
}


@ -101,7 +101,7 @@ in {
PW=$(cat ${config.age.secrets."invoiceplane-db-password".path})
${pkgs.docker-client}/bin/docker exec -t invoiceplane-db mariadb-dump --all-databases --password=$PW --user=invoiceplane > "${backupDir}/postgres.sql"
'';
rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
};
};
}


@ -19,7 +19,11 @@
master = import inputs.nixpkgs-master {system = prev.system;};
in {
factorio-headless = master.factorio-headless;
paperless-ngx = unstable.paperless-ngx;
authelia = master.authelia;
paperless-ngx = master.paperless-ngx.overrideAttrs (oa: {
doCheck = false;
doInstallCheck = false;
});
waybar = master.waybar;
nix-inspect = unstable.nix-inspect;
nix = unstable.lix;
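Review bot: The `overrideAttrs` on paperless-ngx turns off both `doCheck` and `doInstallCheck` without recording why, so the tests will stay disabled through every future bump and nobody will know when it is safe to re-enable them. A comment naming the failing test or the upstream issue is needed: `# TODO: check phases disabled because <reason> — re-enable once <upstream fix> lands` (placeholders to fill in). Since the override ignores its argument, `(_: {` reads clearer than `(oa: {`. The overlay attrset continues outside the hunk.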