This commit is contained in:
parent
5f9ef795c0
commit
612b7a13a7
10 changed files with 69 additions and 126 deletions
|
|
@ -1,20 +0,0 @@
|
|||
{ baseUrl, clientId }:
|
||||
{
|
||||
inherit clientId;
|
||||
|
||||
userAuthUrl = "${baseUrl}/ui/oauth2";
|
||||
apiAuthUrl = "${baseUrl}/oauth2/authorise";
|
||||
tokenUrl = "${baseUrl}/oauth2/token";
|
||||
|
||||
rfc7662TokenIntrospectionUrl = "${baseUrl}/oauth2/token/introspect";
|
||||
rfc7009TokenRevokeUrl = "${baseUrl}/oauth2/token/revoke";
|
||||
|
||||
oauth2Rfc8414Discovery = "${baseUrl}/oauth2/openid/${clientId}/.well-known/oauth-authorization-server";
|
||||
|
||||
oidcIssuerUri = "${baseUrl}/oauth2/openid/${clientId}";
|
||||
oidcDiscovery = "${baseUrl}/oauth2/openid/${clientId}/.well-known/openid-configuration";
|
||||
|
||||
oidcUserInfo = "${baseUrl}/oauth2/openid/${clientId}/userinfo";
|
||||
oidcTokenSigningPubkey = "${baseUrl}/openid/${clientId}/public_key.jwk";
|
||||
|
||||
}
|
||||
|
|
@ -1,5 +1,4 @@
|
|||
{
|
||||
pkgs,
|
||||
config,
|
||||
secrets,
|
||||
...
|
||||
|
|
@ -9,32 +8,19 @@
|
|||
sopsFile = "${secrets}/oauth2-proxy.env";
|
||||
};
|
||||
|
||||
services.oauth2-proxy =
|
||||
let
|
||||
auth = import ../../lib/auth.nix {
|
||||
baseUrl = "https://auth.donsz.nl";
|
||||
clientId = "homeserver";
|
||||
};
|
||||
in
|
||||
{
|
||||
services.oauth2-proxy = {
|
||||
enable = true;
|
||||
|
||||
provider = "oidc";
|
||||
clientID = "${auth.clientId}";
|
||||
oidcIssuerUrl = auth.oidcIssuerUri;
|
||||
|
||||
proxyPrefix = "/oauth2";
|
||||
scope = "openid profile email groups";
|
||||
clientID = "38aa51e2-783e-48f0-a4b9-440e269f1217";
|
||||
oidcIssuerUrl = "https://auth.donsz.nl";
|
||||
reverseProxy = true;
|
||||
|
||||
proxyPrefix = "/oauth2";
|
||||
|
||||
keyFile = config.sops.secrets.oauth2-proxy.path;
|
||||
|
||||
loginURL = auth.apiAuthUrl;
|
||||
redeemURL = auth.tokenUrl;
|
||||
validateURL = auth.rfc7662TokenIntrospectionUrl;
|
||||
profileURL = auth.oidcUserInfo;
|
||||
|
||||
scope = "openid profile email";
|
||||
|
||||
email.domains = [ "*" ];
|
||||
|
||||
cookie = {
|
||||
|
|
@ -45,6 +31,7 @@
|
|||
|
||||
extraConfig = {
|
||||
whitelist-domain = [ "*.donsz.nl" ];
|
||||
insecure-oidc-allow-unverified-email = true;
|
||||
};
|
||||
|
||||
nginx.domain = "oauth2.donsz.nl";
|
||||
|
|
|
|||
|
|
@ -38,6 +38,7 @@ in
|
|||
extraConfig = ''
|
||||
client_max_body_size 512M;
|
||||
'';
|
||||
|
||||
locations."/" = {
|
||||
proxyPass = "http://[::1]:13121";
|
||||
extraConfig = ''
|
||||
|
|
|
|||
|
|
@ -11,6 +11,10 @@ _: {
|
|||
};
|
||||
};
|
||||
|
||||
services.oauth2-proxy.nginx.virtualHosts."jackett.donsz.nl" = {
|
||||
allowed_groups = [ "torrent" ];
|
||||
};
|
||||
|
||||
services.jackett = {
|
||||
enable = true;
|
||||
group = "jellyfin";
|
||||
|
|
|
|||
|
|
@ -3,15 +3,20 @@ let
|
|||
port = 11002;
|
||||
in
|
||||
{
|
||||
config.networking.firewall.allowedTCPPorts = [ port ];
|
||||
services.nginx.virtualHosts."req.donsz.nl" = {
|
||||
forceSSL = true;
|
||||
http2 = true;
|
||||
enableACME = true;
|
||||
|
||||
config.virtualisation.oci-containers.containers = {
|
||||
locations."/" = {
|
||||
proxyPass = "http://[::1]:${toString port}";
|
||||
};
|
||||
};
|
||||
|
||||
virtualisation.oci-containers.containers = {
|
||||
overseerr = {
|
||||
image = "mirror.gcr.io/fallenbagel/jellyseerr:develop";
|
||||
image = "ghcr.io/fallenbagel/jellyseerr:preview-seerr";
|
||||
environment = {
|
||||
PORT = "5555";
|
||||
TZ = "Europe/Amsterdam";
|
||||
LOG_LEVEL = "debug";
|
||||
};
|
||||
extraOptions = [ "--network=host" ];
|
||||
volumes = [
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
{ ... }:
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
services.nginx = {
|
||||
virtualHosts."radarr.donsz.nl" = {
|
||||
|
|
@ -11,10 +11,19 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
services.oauth2-proxy.nginx.virtualHosts."radarr.donsz.nl" = {
|
||||
allowed_groups = [ "torrent" ];
|
||||
};
|
||||
|
||||
services.radarr = {
|
||||
enable = true;
|
||||
group = "jellyfin";
|
||||
user = "jellyfin";
|
||||
|
||||
environmentFiles = [
|
||||
(pkgs.writeText "env" ''
|
||||
RADARR__AUTH__METHOD="External"
|
||||
'')
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -1,4 +1,5 @@
|
|||
_: {
|
||||
{ pkgs, ... }:
|
||||
{
|
||||
services.nginx = {
|
||||
virtualHosts."sonarr.donsz.nl" = {
|
||||
forceSSL = true;
|
||||
|
|
@ -10,10 +11,19 @@ _: {
|
|||
};
|
||||
};
|
||||
};
|
||||
services.oauth2-proxy.nginx.virtualHosts."sonarr.donsz.nl" = {
|
||||
allowed_groups = [ "torrent" ];
|
||||
};
|
||||
|
||||
services.sonarr = {
|
||||
enable = true;
|
||||
group = "jellyfin";
|
||||
user = "jellyfin";
|
||||
|
||||
environmentFiles = [
|
||||
(pkgs.writeText "env" ''
|
||||
SONARR__AUTH__METHOD="External"
|
||||
'')
|
||||
];
|
||||
};
|
||||
}
|
||||
|
|
|
|||
|
|
@ -78,7 +78,9 @@
|
|||
};
|
||||
};
|
||||
};
|
||||
services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl" = { };
|
||||
services.oauth2-proxy.nginx.virtualHosts."dl.donsz.nl" = {
|
||||
allowed_groups = [ "torrent" ];
|
||||
};
|
||||
|
||||
systemd.services.transmission.vpnConfinement = {
|
||||
enable = true;
|
||||
|
|
|
|||
|
|
@ -1,58 +1,3 @@
|
|||
# { pkgs, flakes, ... }:
|
||||
# {
|
||||
# # sops.secrets.reviewqueue = {
|
||||
# # sopsFile = ../../../secrets/reviewqueue.env;
|
||||
# # };
|
||||
|
||||
# services.nginx = {
|
||||
# virtualHosts."api.money.is.fckn.gay" = {
|
||||
# forceSSL = true;
|
||||
# http2 = true;
|
||||
# enableACME = true;
|
||||
|
||||
# locations."/" = {
|
||||
# proxyPass = "http://localhost:11009";
|
||||
# proxyWebsockets = true;
|
||||
# };
|
||||
# };
|
||||
# virtualHosts."money.is.fckn.gay" = {
|
||||
# forceSSL = true;
|
||||
# http2 = true;
|
||||
# enableACME = true;
|
||||
|
||||
# locations."/" = {
|
||||
# root = flakes.mifg.packages.${pkgs.system}.frontend.override {
|
||||
# api_base_url = "https://api.money.is.fckn.gay";
|
||||
# };
|
||||
# tryFiles = "$uri $uri/ /index.html";
|
||||
# };
|
||||
# };
|
||||
# };
|
||||
|
||||
# systemd.services.money = {
|
||||
# description = "money is fckn gay";
|
||||
|
||||
# wantedBy = [ "multi-user.target" ];
|
||||
# after = [ "network.target" ];
|
||||
|
||||
# restartIfChanged = true;
|
||||
|
||||
# serviceConfig = {
|
||||
# ExecStart = "${flakes.mifg.packages.${pkgs.system}.backend}/bin/mifg-backend";
|
||||
# Restart = "always";
|
||||
# # EnvironmentFile = "/run/secrets/reviewqueue";
|
||||
# StateDirectory = "money";
|
||||
|
||||
# };
|
||||
|
||||
# environment = {
|
||||
# MIFG_DATABASE_LOCATION = "/var/lib/money/db.sqlite";
|
||||
# MIFG_FRONTEND_ORIGIN = "https://money.is.fckn.gay";
|
||||
# MIFG_PORT = "11009";
|
||||
# };
|
||||
# };
|
||||
# }
|
||||
|
||||
{
|
||||
pkgs,
|
||||
flakes,
|
||||
|
|
|
|||
14
flake.lock
generated
14
flake.lock
generated
|
|
@ -444,11 +444,11 @@
|
|||
},
|
||||
"nixpkgs_11": {
|
||||
"locked": {
|
||||
"lastModified": 1767396863,
|
||||
"narHash": "sha256-/qG+/C6dWiPFo1f8z/g1Q5A0+PiMUB/ICcTSlkMd8OU=",
|
||||
"lastModified": 1767439050,
|
||||
"narHash": "sha256-UHXvixX4PjyzuTtyEU0GAe4W7sIVFBBntCNPHkZTRrA=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "f705fe458bf028c51895eb8737d32ac2a080a355",
|
||||
"rev": "7fe910442588191a2a22848196daebc9f7cc48b7",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
|
|
@ -696,11 +696,11 @@
|
|||
"nixpkgs": "nixpkgs_11"
|
||||
},
|
||||
"locked": {
|
||||
"lastModified": 1767403261,
|
||||
"narHash": "sha256-4C/M+I9fghBdiRgrnXtzXJPR9HX/+GN3iONmDVU/Unk=",
|
||||
"lastModified": 1767440370,
|
||||
"narHash": "sha256-3jSo/IeyV2/ZsSx2+w/VAFVbIaNudXTALTUR2z6rbwo=",
|
||||
"ref": "refs/heads/main",
|
||||
"rev": "4ffbf8389f64612e42bdc65f082a02e0730df5fb",
|
||||
"revCount": 3,
|
||||
"rev": "0484a0ef06c4be3c647efc3ee0071349494bec49",
|
||||
"revCount": 5,
|
||||
"type": "git",
|
||||
"url": "ssh://forgejo@git.donsz.nl/jana/server-secrets.git"
|
||||
},
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue