rouven.seifert/nixos-config
1
1
Fork 0
mirror of https://git.sr.ht/~rouven/nixos-config synced 2025-06-08 10:28:46 +02:00
Code Issues Projects Releases Packages Wiki Activity

Compare commits

base: rouven.seifert:3dde751ddd0bb8a1efe7d67af647c129ea648691
Branches Tags
rouven.seifert:main
..
compare: rouven.seifert:8492679843ccff6b6aa77754b59af7a4f68f34da
Branches Tags
rouven.seifert:main

No commits in common. "3dde751ddd0bb8a1efe7d67af647c129ea648691" and "8492679843ccff6b6aa77754b59af7a4f68f34da" have entirely different histories.
3dde751ddd ... 8492679843

8 changed files with 15 additions and 47 deletions
Download patch file Download diff file Expand all files Collapse all files

6
flake.lock generated
View file

@ -299,11 +299,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1747184352, "lastModified": 1747021744,
"narHash": "sha256-GBZulv50wztp5cgc405t1uOkxQYhSkMqeKLI+iSrlpk=", "narHash": "sha256-IDsM/9/tHQBlhG3tXI2fTM84AUN1uRa7JDPT1LMlGes=",
"owner": "nix-community", "owner": "nix-community",
"repo": "home-manager", "repo": "home-manager",
"rev": "7c1cefb98369cc85440642fdccc1c1394ca6dd2c", "rev": "fb061f555f821fe4fb49f8f6f2a0cc3d5728bd52",
"type": "github" "type": "github"
}, },
"original": { "original": {

10
hosts/falkenstein/modules/dns/default.nix
View file

@ -42,6 +42,14 @@ let
subdomains = subdomains =
let
# generate ACME challenge recorsd for every VirtualHost
genACMECNAMEs = hostname: lib.attrsets.genAttrs (getVirtualHosts hostname) (_label: {
subdomains._acme-challenge.CNAME = [ "challenge.acme.${domain}." ];
});
# fuckery to merge the generated attribute lists
mergeRecords = recordList: lib.attrsets.mapAttrs (_host: records: lib.attrsets.mergeAttrsList records) (lib.attrsets.zipAttrs recordList);
in
lib.attrsets.mergeAttrsList [ lib.attrsets.mergeAttrsList [
rec { rec {
nuc = { nuc = {
@ -60,7 +68,7 @@ let
_domainkey.subdomains.rspamd.TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoirUMubro4nlmY6a8JMwK9QB2agAXiJzexDU/7ba6KCggONfoSTfUHlrM/XeM1GG/9oKpngApxDPP97adJuxc8/EELyo4HjTyYD8GBFZhg0AN7V8IPaJ1o5k6dGDk8ZLh41ZCnlAVWkhVSKs5pYtzkrlJIfUSzyuoe8nuFsVe3QIDAQAB" ]; _domainkey.subdomains.rspamd.TXT = [ "v=DKIM1; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDoirUMubro4nlmY6a8JMwK9QB2agAXiJzexDU/7ba6KCggONfoSTfUHlrM/XeM1GG/9oKpngApxDPP97adJuxc8/EELyo4HjTyYD8GBFZhg0AN7V8IPaJ1o5k6dGDk8ZLh41ZCnlAVWkhVSKs5pYtzkrlJIfUSzyuoe8nuFsVe3QIDAQAB" ];
} }
(builtins.removeAttrs (genCNAMEs "nuc") ([ ":2018" ] ++ (builtins.filter (host: lib.strings.hasInfix "vpn" host) (getVirtualHosts "nuc")))) (builtins.removeAttrs (genCNAMEs "nuc") ([ ":2018" ] ++ (builtins.filter (host: lib.strings.hasInfix "vpn" host) (getVirtualHosts "nuc"))))
(builtins.removeAttrs (genCNAMEs "falkenstein") ([ ":2018" "mail" "rfive.de" ] ++ (builtins.filter (host: lib.strings.hasInfix "vpn" host) (getVirtualHosts "nuc")))) (builtins.removeAttrs (genCNAMEs "falkenstein") ([ ":2018" "mail" ]))
# (mergeRecords [ # (mergeRecords [
# (builtins.removeAttrs (genCNAMEs "nuc") ([ ":2018" ] ++ (builtins.filter (host: lib.strings.hasInfix "vpn" host) (getVirtualHosts "nuc")))) # (builtins.removeAttrs (genCNAMEs "nuc") ([ ":2018" ] ++ (builtins.filter (host: lib.strings.hasInfix "vpn" host) (getVirtualHosts "nuc"))))
# (builtins.removeAttrs (genACMECNAMEs "nuc") ([ ":2018" ])) # (builtins.removeAttrs (genACMECNAMEs "nuc") ([ ":2018" ]))

2
hosts/falkenstein/modules/mail/rspamd.nix
View file

@ -107,7 +107,7 @@
enable = true; enable = true;
}; };
}; };
caddy.virtualHosts."rspamd.vpn.${config.networking.domain}".extraConfig = '' caddy.virtualHosts."rspamd.${config.networking.domain}".extraConfig = ''
# for some reason this only works with http and not with https so we send every request through our wireguard tunnel # for some reason this only works with http and not with https so we send every request through our wireguard tunnel
reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000

10
hosts/nuc/modules/adguard/default.nix
View file

@ -14,16 +14,6 @@ in
}; };
}; };
services.caddy.virtualHosts."${domain}".extraConfig = '' services.caddy.virtualHosts."${domain}".extraConfig = ''
# for some reason this only works with http and not with https so we send every request through our wireguard tunnel
reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000
# forward authentication to authentik
forward_auth http://nuc.vpn.rfive.de:9000 {
uri /outpost.goauthentik.io/auth/caddy
# capitalization of the headers is important, otherwise they will be empty
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
}
reverse_proxy 127.0.0.1:${toString port} reverse_proxy 127.0.0.1:${toString port}
''; '';
} }

10
hosts/nuc/modules/indexing/prowlarr.nix
View file

@ -7,16 +7,6 @@ in
enable = true; enable = true;
}; };
services.caddy.virtualHosts."${domain}".extraConfig = '' services.caddy.virtualHosts."${domain}".extraConfig = ''
# for some reason this only works with http and not with https so we send every request through our wireguard tunnel
reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000
# forward authentication to authentik
forward_auth http://nuc.vpn.rfive.de:9000 {
uri /outpost.goauthentik.io/auth/caddy
# capitalization of the headers is important, otherwise they will be empty
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
}
reverse_proxy 127.0.0.1:${toString config.services.prowlarr.settings.server.port} reverse_proxy 127.0.0.1:${toString config.services.prowlarr.settings.server.port}
''; '';
} }

10
hosts/nuc/modules/indexing/radarr.nix
View file

@ -7,16 +7,6 @@ in
enable = true; enable = true;
}; };
services.caddy.virtualHosts."${domain}".extraConfig = '' services.caddy.virtualHosts."${domain}".extraConfig = ''
# for some reason this only works with http and not with https so we send every request through our wireguard tunnel
reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000
# forward authentication to authentik
forward_auth http://nuc.vpn.rfive.de:9000 {
uri /outpost.goauthentik.io/auth/caddy
# capitalization of the headers is important, otherwise they will be empty
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
}
reverse_proxy 127.0.0.1:${toString config.services.radarr.settings.server.port} reverse_proxy 127.0.0.1:${toString config.services.radarr.settings.server.port}
''; '';
} }

3
hosts/nuc/modules/indexing/sonarr.nix
View file

@ -11,7 +11,8 @@ in
reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000 reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000
# forward authentication to authentik # forward authentication to authentik
forward_auth http://nuc.vpn.rfive.de:9000 { @NoAccess not path /api*
forward_auth @NoAccess http://nuc.vpn.rfive.de:9000 {
uri /outpost.goauthentik.io/auth/caddy uri /outpost.goauthentik.io/auth/caddy
# capitalization of the headers is important, otherwise they will be empty # capitalization of the headers is important, otherwise they will be empty

11
hosts/nuc/modules/torrent/default.nix
View file

@ -126,17 +126,6 @@ in
}; };
}; };
services.caddy.virtualHosts."${domain}".extraConfig = '' services.caddy.virtualHosts."${domain}".extraConfig = ''
# for some reason this only works with http and not with https so we send every request through our wireguard tunnel
reverse_proxy /outpost.goauthentik.io/* http://nuc.vpn.rfive.de:9000
# forward authentication to authentik
forward_auth http://nuc.vpn.rfive.de:9000 {
uri /outpost.goauthentik.io/auth/caddy
# capitalization of the headers is important, otherwise they will be empty
copy_headers X-Authentik-Username X-Authentik-Groups X-Authentik-Email X-Authentik-Name X-Authentik-Uid X-Authentik-Jwt X-Authentik-Meta-Jwks X-Authentik-Meta-Outpost X-Authentik-Meta-Provider X-Authentik-Meta-App X-Authentik-Meta-Version
}
reverse_proxy 127.0.0.1:${toString cfg.port} reverse_proxy 127.0.0.1:${toString cfg.port}
''; '';
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [