migrate media services to pocketid

fili/lib/auth.nix

@@ -1,20 +0,0 @@
-{ baseUrl, clientId }:
-{
-  inherit clientId;
-
-  userAuthUrl = "${baseUrl}/ui/oauth2";
-  apiAuthUrl = "${baseUrl}/oauth2/authorise";
-  tokenUrl = "${baseUrl}/oauth2/token";
-
-  rfc7662TokenIntrospectionUrl = "${baseUrl}/oauth2/token/introspect";
-  rfc7009TokenRevokeUrl = "${baseUrl}/oauth2/token/revoke";
-
-  oauth2Rfc8414Discovery = "${baseUrl}/oauth2/openid/${clientId}/.well-known/oauth-authorization-server";
-
-  oidcIssuerUri = "${baseUrl}/oauth2/openid/${clientId}";
-  oidcDiscovery = "${baseUrl}/oauth2/openid/${clientId}/.well-known/openid-configuration";
-
-  oidcUserInfo = "${baseUrl}/oauth2/openid/${clientId}/userinfo";
-  oidcTokenSigningPubkey = "${baseUrl}/openid/${clientId}/public_key.jwk";
-
-}

fili/services/auth/oauth2-proxy.nix

@@ -1,5 +1,4 @@
 {
-  pkgs,
   config,
   secrets,
   ...
@@ -9,47 +8,35 @@
     sopsFile = "${secrets}/oauth2-proxy.env";
   };
 
-  services.oauth2-proxy =
+  services.oauth2-proxy = {
-    let
+    enable = true;
-      auth = import ../../lib/auth.nix {
-        baseUrl = "https://auth.donsz.nl";
-        clientId = "homeserver";
-      };
-    in
-    {
-      enable = true;
 
-      provider = "oidc";
+    provider = "oidc";
-      clientID = "${auth.clientId}";
+    scope = "openid profile email groups";
-      oidcIssuerUrl = auth.oidcIssuerUri;
+    clientID = "38aa51e2-783e-48f0-a4b9-440e269f1217";
+    oidcIssuerUrl = "https://auth.donsz.nl";
+    reverseProxy = true;
 
-      proxyPrefix = "/oauth2";
+    proxyPrefix = "/oauth2";
-      reverseProxy = true;
 
-      keyFile = config.sops.secrets.oauth2-proxy.path;
+    keyFile = config.sops.secrets.oauth2-proxy.path;
 
-      loginURL = auth.apiAuthUrl;
+    email.domains = [ "*" ];
-      redeemURL = auth.tokenUrl;
-      validateURL = auth.rfc7662TokenIntrospectionUrl;
-      profileURL = auth.oidcUserInfo;
 
-      scope = "openid profile email";
+    cookie = {
-
+      domain = "donsz.nl";
-      email.domains = [ "*" ];
+      refresh = "1h";
-
+      secure = true;
-      cookie = {
-        domain = "donsz.nl";
-        refresh = "1h";
-        secure = true;
-      };
-
-      extraConfig = {
-        whitelist-domain = [ "*.donsz.nl" ];
-      };
-
-      nginx.domain = "oauth2.donsz.nl";
     };
 
+    extraConfig = {
+      whitelist-domain = [ "*.donsz.nl" ];
+      insecure-oidc-allow-unverified-email = true;
+    };
+
+    nginx.domain = "oauth2.donsz.nl";
+  };
+
   services.nginx.virtualHosts."oauth2.donsz.nl" = {
     forceSSL = true;
     http2 = true;

fili/services/forgejo.nix

@@ -38,6 +38,7 @@ in
     extraConfig = ''
       client_max_body_size 512M;
     '';
+
     locations."/" = {
       proxyPass = "http://[::1]:13121";
       extraConfig = ''

fili/services/media/jackett.nix

@@ -11,6 +11,10 @@ _: {
     };
   };
 
+  services.oauth2-proxy.nginx.virtualHosts."jackett.donsz.nl" = {
+    allowed_groups = [ "torrent" ];
+  };
+
   services.jackett = {
     enable = true;
     group = "jellyfin";

fili/services/media/overseerr.nix

@@ -3,15 +3,20 @@ let
   port = 11002;
 in
 {
-  config.networking.firewall.allowedTCPPorts = [ port ];
+  services.nginx.virtualHosts."req.donsz.nl" = {
+    forceSSL = true;
+    http2 = true;
+    enableACME = true;
 
-  config.virtualisation.oci-containers.containers = {
+    locations."/" = {
+      proxyPass = "http://[::1]:${toString port}";
+    };
+  };
+
+  virtualisation.oci-containers.containers = {
     overseerr = {
-      image = "mirror.gcr.io/fallenbagel/jellyseerr:develop";
+      image = "ghcr.io/fallenbagel/jellyseerr:preview-seerr";
       environment = {
-        PORT = "5555";
-        TZ = "Europe/Amsterdam";
-        LOG_LEVEL = "debug";
       };
       extraOptions = [ "--network=host" ];
       volumes = [

fili/services/media/radarr.nix

@@ -1,4 +1,4 @@
-{ ... }:
+{ pkgs, ... }:
 {
   services.nginx = {
     virtualHosts."radarr.donsz.nl" = {
@@ -11,10 +11,19 @@
       };
     };
   };
+  services.oauth2-proxy.nginx.virtualHosts."radarr.donsz.nl" = {
+    allowed_groups = [ "torrent" ];
+  };
 
   services.radarr = {
     enable = true;
     group = "jellyfin";
     user = "jellyfin";
+
+    environmentFiles = [
+      (pkgs.writeText "env" ''
+        RADARR__AUTH__METHOD="External"
+      '')
+    ];
   };
 }

fili/services/media/sonarr.nix

@@ -1,4 +1,5 @@
-_: {
+{ pkgs, ... }:
+{
   services.nginx = {
     virtualHosts."sonarr.donsz.nl" = {
       forceSSL = true;
@@ -10,10 +11,19 @@ _: {
       };
     };
   };
+  services.oauth2-proxy.nginx.virtualHosts."sonarr.donsz.nl" = {
+    allowed_groups = [ "torrent" ];
+  };
 
   services.sonarr = {
     enable = true;
     group = "jellyfin";
     user = "jellyfin";
+
+    environmentFiles = [
+      (pkgs.writeText "env" ''
+        SONARR__AUTH__METHOD="External"
+      '')
+    ];
   };
 }

fili/services/media/torrent.nix

@@ -78,7 +78,9 @@
       };
     };
   };
-  services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl" = { };
+  services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl" = {
+    allowed_groups = [ "torrent" ];
+  };
 
   systemd.services.transmission.vpnConfinement = {
     enable = true;

fili/services/websites/money-is-fckn-gay.nix

@@ -1,58 +1,3 @@
-# { pkgs, flakes, ... }:
-# {
-#   # sops.secrets.reviewqueue = {
-#   # sopsFile = ../../../secrets/reviewqueue.env;
-#   # };
-
-#   services.nginx = {
-#     virtualHosts."api.money.is.fckn.gay" = {
-#       forceSSL = true;
-#       http2 = true;
-#       enableACME = true;
-
-#       locations."/" = {
-#         proxyPass = "http://localhost:11009";
-#         proxyWebsockets = true;
-#       };
-#     };
-#     virtualHosts."money.is.fckn.gay" = {
-#       forceSSL = true;
-#       http2 = true;
-#       enableACME = true;
-
-#       locations."/" = {
-#         root = flakes.mifg.packages.${pkgs.system}.frontend.override {
-#           api_base_url = "https://api.money.is.fckn.gay";
-#         };
-#         tryFiles = "$uri $uri/ /index.html";
-#       };
-#     };
-#   };
-
-#   systemd.services.money = {
-#     description = "money is fckn gay";
-
-#     wantedBy = [ "multi-user.target" ];
-#     after = [ "network.target" ];
-
-#     restartIfChanged = true;
-
-#     serviceConfig = {
-#       ExecStart = "${flakes.mifg.packages.${pkgs.system}.backend}/bin/mifg-backend";
-#       Restart = "always";
-#       # EnvironmentFile = "/run/secrets/reviewqueue";
-#       StateDirectory = "money";
-
-#     };
-
-#     environment = {
-#       MIFG_DATABASE_LOCATION = "/var/lib/money/db.sqlite";
-#       MIFG_FRONTEND_ORIGIN = "https://money.is.fckn.gay";
-#       MIFG_PORT = "11009";
-#     };
-#   };
-# }
-
 {
   pkgs,
   flakes,

flake.lock

@@ -444,11 +444,11 @@
     },
     "nixpkgs_11": {
       "locked": {
-        "lastModified": 1767396863,
+        "lastModified": 1767439050,
-        "narHash": "sha256-/qG+/C6dWiPFo1f8z/g1Q5A0+PiMUB/ICcTSlkMd8OU=",
+        "narHash": "sha256-UHXvixX4PjyzuTtyEU0GAe4W7sIVFBBntCNPHkZTRrA=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "f705fe458bf028c51895eb8737d32ac2a080a355",
+        "rev": "7fe910442588191a2a22848196daebc9f7cc48b7",
         "type": "github"
       },
       "original": {
@@ -696,11 +696,11 @@
         "nixpkgs": "nixpkgs_11"
       },
       "locked": {
-        "lastModified": 1767403261,
+        "lastModified": 1767440370,
-        "narHash": "sha256-4C/M+I9fghBdiRgrnXtzXJPR9HX/+GN3iONmDVU/Unk=",
+        "narHash": "sha256-3jSo/IeyV2/ZsSx2+w/VAFVbIaNudXTALTUR2z6rbwo=",
         "ref": "refs/heads/main",
-        "rev": "4ffbf8389f64612e42bdc65f082a02e0730df5fb",
+        "rev": "0484a0ef06c4be3c647efc3ee0071349494bec49",
-        "revCount": 3,
+        "revCount": 5,
         "type": "git",
         "url": "ssh://forgejo@git.donsz.nl/jana/server-secrets.git"
       },