rouven.seifert/nixos-config
1
1
Fork 0
mirror of https://git.sr.ht/~rouven/nixos-config synced 2025-02-22 18:30:57 +01:00
Code Issues Projects Releases Packages Wiki Activity

nuc: add authentik-ldap

Browse source
This commit is contained in:
Rouven Seifert 2024-05-23 09:25:08 +02:00
parent 657ae1385e
commit 7811c95ecf
8 changed files with 23 additions and 54 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
hosts/nuc/default.nix
View file

@ -15,7 +15,6 @@
./modules/seafile ./modules/seafile
./modules/torrent ./modules/torrent
./modules/vaultwarden ./modules/vaultwarden
# ./modules/nginx
./modules/caddy ./modules/caddy
./modules/indexing ./modules/indexing
]; ];

18
hosts/nuc/modules/authentik/default.nix
View file

@ -3,17 +3,19 @@ let
domain = "auth.${config.networking.domain}"; domain = "auth.${config.networking.domain}";
in in
{ {
age.secrets.authentik = { age.secrets.authentik-core = {
file = ../../../../secrets/nuc/authentik.age; file = ../../../../secrets/nuc/authentik/core.age;
};
age.secrets.authentik-ldap = {
file = ../../../../secrets/nuc/authentik/ldap.age;
}; };
services.authentik = { services.authentik = {
enable = true; enable = true;
environmentFile = config.age.secrets.authentik.path; environmentFile = config.age.secrets.authentik-core.path;
# nginx = { };
# enable = true; services.authentik-ldap = {
# enableACME = true; enable = true;
# host = domain; environmentFile = config.age.secrets.authentik-ldap.path;
# };
}; };
services.caddy.virtualHosts."${domain}".extraConfig = '' services.caddy.virtualHosts."${domain}".extraConfig = ''
reverse_proxy localhost:9000 reverse_proxy localhost:9000

5
hosts/nuc/modules/matrix/default.nix
View file

@ -74,7 +74,8 @@ in
# element # element
"${domainClient}".extraConfig = '' "${domainClient}".extraConfig = ''
root '${pkgs.element-web.override { file_server browse
root * ${pkgs.element-web.override {
conf = { conf = {
default_server_config = { default_server_config = {
inherit (clientConfig) "m.homeserver"; inherit (clientConfig) "m.homeserver";
@ -82,7 +83,7 @@ in
}; };
disable_3pid_login = true; disable_3pid_login = true;
}; };
}}' }}
''; '';
}; };
}; };

41
hosts/nuc/modules/nginx/default.nix
View file

@ -1,41 +0,0 @@
{ pkgs, lib, config, ... }:
{
# set default options for virtualHosts
options = with lib; {
services.nginx.virtualHosts = mkOption {
type = types.attrsOf (types.submodule
({ name, ... }: {
# split up nginx access logs per vhost
enableACME = true;
forceSSL = true;
# enable http3 for all hosts
quic = true;
http3 = true;
extraConfig = ''
access_log /var/log/nginx/${name}_access.log;
error_log /var/log/nginx/${name}_error.log;
add_header Alt-Svc 'h3=":443"; ma=86400';
'';
})
);
};
};
config = {
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
services.nginx = {
enable = true;
package = pkgs.nginxQuic;
recommendedTlsSettings = true;
recommendedProxySettings = true;
recommendedGzipSettings = true;
recommendedOptimisation = true;
};
security.acme = {
acceptTerms = true;
defaults = {
email = "rouven@${config.networking.domain}";
};
};
};
}

2
hosts/nuc/modules/seafile/default.nix
View file

@ -35,7 +35,7 @@ in
redir /accounts/login /oauth/login redir /accounts/login /oauth/login
reverse_proxy unix//run/seahub/gunicorn.sock reverse_proxy unix//run/seahub/gunicorn.sock
route /media/* { route /media/* {
root '${pkgs.seahub}' root * ${pkgs.seahub}
} }
route /seafhttp/* { route /seafhttp/* {

3
secrets.nix
View file

@ -22,7 +22,8 @@ in
"secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ]; "secrets/nuc/vaultwarden.age".publicKeys = [ rouven nuc ];
"secrets/nuc/mullvad.age".publicKeys = [ rouven nuc ]; "secrets/nuc/mullvad.age".publicKeys = [ rouven nuc ];
"secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ]; "secrets/nuc/keycloak/db.age".publicKeys = [ rouven nuc ];
"secrets/nuc/authentik.age".publicKeys = [ rouven nuc ]; "secrets/nuc/authentik/core.age".publicKeys = [ rouven nuc ];
"secrets/nuc/authentik/ldap.age".publicKeys = [ rouven nuc ];
"secrets/nuc/cache.age".publicKeys = [ rouven nuc ]; "secrets/nuc/cache.age".publicKeys = [ rouven nuc ];
"secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/passphrase.age".publicKeys = [ rouven nuc ];
"secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ]; "secrets/nuc/borg/key.age".publicKeys = [ rouven nuc ];

0
secrets/nuc/authentik.age → secrets/nuc/authentik/core.age
View file

7
secrets/nuc/authentik/ldap.age Normal file
View file

@ -0,0 +1,7 @@
age-encryption.org/v1
-> ssh-ed25519 uWbAHQ 3GSNWb2Oly++M5tvybIiDwr2yMJ/1OGDlfXMMsjFkkI
yQpVNnYmv0SOtSy6K6KBuCPpOWJ1D//tWL4QkfbQqCI
-> ssh-ed25519 2TRdXg Eme+V3YHksjnqGsbWILJWyiLyh2EqqZ2VbylKVa9TAY
tJyYG2C6cykSUipTFzbAh5/UkUZ5KOsJjOeis/+sMks
--- tEpEe7Vh4XVOFgAQHCx42pFcx7P2XV4LqFXVJsv/Ug8
%Öºo$û"²øؽ0Ö—2š'¹nÍØHèÙ¶¿£l„Áõæ§7àjŽ nôeˆ¾¥‰/¯-\?·Š3z«GóáꙬ"<22>r£Â*ÅÁÐ0‡¡Ð£ð;meÛ.Ù<>1@9¿…šßê¿ ®¾F!†«Û…*%á>º,Ì<>æRèó)yjU´lœªFݨ÷…ú1ÿ>‡V<>ó p%š¸“çüiM*w»Äß