jana/server
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

migrate media services to pocketid
Some checks failed
/ lint (push) Failing after 34s
Details

Browse source
This commit is contained in:
Jana Dönszelmann 2026-01-03 11:51:49 +01:00
parent 5f9ef795c0
commit 612b7a13a7
No known key found for this signature in database
10 changed files with 69 additions and 126 deletions
Download patch file Download diff file Expand all files Collapse all files

57
fili/services/auth/oauth2-proxy.nix
View file

@ -1,5 +1,4 @@
{
pkgs,
config,
secrets,
...
@ -9,47 +8,35 @@
sopsFile = "${secrets}/oauth2-proxy.env";
};
services.oauth2-proxy =
let
auth = import ../../lib/auth.nix {
baseUrl = "https://auth.donsz.nl";
clientId = "homeserver";
};
in
{
enable = true;
services.oauth2-proxy = {
enable = true;
provider = "oidc";
clientID = "${auth.clientId}";
oidcIssuerUrl = auth.oidcIssuerUri;
provider = "oidc";
scope = "openid profile email groups";
clientID = "38aa51e2-783e-48f0-a4b9-440e269f1217";
oidcIssuerUrl = "https://auth.donsz.nl";
reverseProxy = true;
proxyPrefix = "/oauth2";
reverseProxy = true;
proxyPrefix = "/oauth2";
keyFile = config.sops.secrets.oauth2-proxy.path;
keyFile = config.sops.secrets.oauth2-proxy.path;
loginURL = auth.apiAuthUrl;
redeemURL = auth.tokenUrl;
validateURL = auth.rfc7662TokenIntrospectionUrl;
profileURL = auth.oidcUserInfo;
email.domains = [ "*" ];
scope = "openid profile email";
email.domains = [ "*" ];
cookie = {
domain = "donsz.nl";
refresh = "1h";
secure = true;
};
extraConfig = {
whitelist-domain = [ "*.donsz.nl" ];
};
nginx.domain = "oauth2.donsz.nl";
cookie = {
domain = "donsz.nl";
refresh = "1h";
secure = true;
};
extraConfig = {
whitelist-domain = [ "*.donsz.nl" ];
insecure-oidc-allow-unverified-email = true;
};
nginx.domain = "oauth2.donsz.nl";
};
services.nginx.virtualHosts."oauth2.donsz.nl" = {
forceSSL = true;
http2 = true;

1
fili/services/forgejo.nix
View file

@ -38,6 +38,7 @@ in
extraConfig = ''
client_max_body_size 512M;
'';
locations."/" = {
proxyPass = "http://[::1]:13121";
extraConfig = ''

4
fili/services/media/jackett.nix
View file

@ -11,6 +11,10 @@ _: {
};
};
services.oauth2-proxy.nginx.virtualHosts."jackett.donsz.nl" = {
allowed_groups = [ "torrent" ];
};
services.jackett = {
enable = true;
group = "jellyfin";

17
fili/services/media/overseerr.nix
View file

@ -3,15 +3,20 @@ let
port = 11002;
in
{
config.networking.firewall.allowedTCPPorts = [ port ];
services.nginx.virtualHosts."req.donsz.nl" = {
forceSSL = true;
http2 = true;
enableACME = true;
config.virtualisation.oci-containers.containers = {
locations."/" = {
proxyPass = "http://[::1]:${toString port}";
};
};
virtualisation.oci-containers.containers = {
overseerr = {
image = "mirror.gcr.io/fallenbagel/jellyseerr:develop";
image = "ghcr.io/fallenbagel/jellyseerr:preview-seerr";
environment = {
PORT = "5555";
TZ = "Europe/Amsterdam";
LOG_LEVEL = "debug";
};
extraOptions = [ "--network=host" ];
volumes = [

11
fili/services/media/radarr.nix
View file

@ -1,4 +1,4 @@
{ ... }:
{ pkgs, ... }:
{
services.nginx = {
virtualHosts."radarr.donsz.nl" = {
@ -11,10 +11,19 @@
};
};
};
services.oauth2-proxy.nginx.virtualHosts."radarr.donsz.nl" = {
allowed_groups = [ "torrent" ];
};
services.radarr = {
enable = true;
group = "jellyfin";
user = "jellyfin";
environmentFiles = [
(pkgs.writeText "env" ''
RADARR__AUTH__METHOD="External"
'')
];
};
}

12
fili/services/media/sonarr.nix
View file

@ -1,4 +1,5 @@
_: {
{ pkgs, ... }:
{
services.nginx = {
virtualHosts."sonarr.donsz.nl" = {
forceSSL = true;
@ -10,10 +11,19 @@ _: {
};
};
};
services.oauth2-proxy.nginx.virtualHosts."sonarr.donsz.nl" = {
allowed_groups = [ "torrent" ];
};
services.sonarr = {
enable = true;
group = "jellyfin";
user = "jellyfin";
environmentFiles = [
(pkgs.writeText "env" ''
SONARR__AUTH__METHOD="External"
'')
];
};
}

4
fili/services/media/torrent.nix
View file

@ -78,7 +78,9 @@
};
};
};
services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl" = { };
services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl" = {
allowed_groups = [ "torrent" ];
};
systemd.services.transmission.vpnConfinement = {
enable = true;

55
fili/services/websites/money-is-fckn-gay.nix
View file

@ -1,58 +1,3 @@
# { pkgs, flakes, ... }:
# {
# # sops.secrets.reviewqueue = {
# # sopsFile = ../../../secrets/reviewqueue.env;
# # };
# services.nginx = {
# virtualHosts."api.money.is.fckn.gay" = {
# forceSSL = true;
# http2 = true;
# enableACME = true;
# locations."/" = {
# proxyPass = "http://localhost:11009";
# proxyWebsockets = true;
# };
# };
# virtualHosts."money.is.fckn.gay" = {
# forceSSL = true;
# http2 = true;
# enableACME = true;
# locations."/" = {
# root = flakes.mifg.packages.${pkgs.system}.frontend.override {
# api_base_url = "https://api.money.is.fckn.gay";
# };
# tryFiles = "$uri $uri/ /index.html";
# };
# };
# };
# systemd.services.money = {
# description = "money is fckn gay";
# wantedBy = [ "multi-user.target" ];
# after = [ "network.target" ];
# restartIfChanged = true;
# serviceConfig = {
# ExecStart = "${flakes.mifg.packages.${pkgs.system}.backend}/bin/mifg-backend";
# Restart = "always";
# # EnvironmentFile = "/run/secrets/reviewqueue";
# StateDirectory = "money";
# };
# environment = {
# MIFG_DATABASE_LOCATION = "/var/lib/money/db.sqlite";
# MIFG_FRONTEND_ORIGIN = "https://money.is.fckn.gay";
# MIFG_PORT = "11009";
# };
# };
# }
{
pkgs,
flakes,