xeovalyte/nix
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added multiple services

Browse Source
This commit is contained in:
xeovalyte 2024-10-17 19:28:08 +02:00
parent 9a273df98a
commit 4eefcd1933
No known key found for this signature in database
27 changed files with 3083 additions and 81 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
homelab/README.md
View File

@ -3,3 +3,11 @@
# Configure caddy cloudflare
Find instructions on [caddy-dns cloudflare](https://github.com/caddy-dns/cloudflare)
# Services
| Name | Use | Domain | Auth |
| --- | --- | --- | --- |
| Adguard | DNS | https://adguard.timo.bmrs.nl/ | local |
| Caddy | Reverse proxy | - | - |
| Forgejo | Git | https://git.timo.bmrs.nl/ | Openid |
| Ldap | User directory | https://ldap.timo.bmrs.nl/ | - |

1
homelab/authelia/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
keys/

2
homelab/authelia/README.md Normal file
View File

@ -0,0 +1,2 @@
- Follow [This](https://www.authelia.com/configuration/identity-providers/openid-connect/provider/) guide for generating keys
- Store the keys in the /keys directory

2
homelab/authelia/config/.gitignore vendored
View File

@ -1,2 +0,0 @@
db.sqlite3
notifications.txt

158
homelab/authelia/config/configuration.yml
View File

@ -632,9 +632,30 @@ access_control:
rules:
## Rules applied to everyone
- domain: '*.timo.bmrs.nl'
- domain: 'auth.timo.bmrs.nl'
policy: 'bypass'
- domain: 'adguard.timo.bmrs.nl'
policy: 'two_factor'
subject: 'group:adguard'
- domain: 'bitwarden.timo.bmrs.nl'
policy: 'two_factor'
- domain: 'git.timo.bmrs.nl'
policy: 'bypass'
- domain: 'home.timo.bmrs.nl'
policy: 'one_factor'
- domain: 'ldap.timo.bmrs.nl'
policy: 'two_factor'
subject: 'group:admin'
- domain: 'uptime.timo.bmrs.nl'
policy: 'bypass'
## Domain Regex examples. Generally we recommend just using a standard domain.
# - domain_regex: '^(?P<User>\w+)\.example\.com$'
# policy: 'one_factor'
@ -1138,62 +1159,58 @@ notifier:
##
## Identity Providers
##
# identity_providers:
identity_providers:
##
## OpenID Connect (Identity Provider)
##
## It's recommended you read the documentation before configuration of this section:
## https://www.authelia.com/c/oidc
# oidc:
oidc:
## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
# hmac_secret: 'this_is_a_secret_abc123abc123abc'
hmac_secret: $HMAC_SECRET
## The JWK's issuer option configures multiple JSON Web Keys. It's required that at least one of the JWK's
## configured has the RS256 algorithm. For RSA keys (RS or PS) the minimum is a 2048 bit key.
# jwks:
# -
## Key ID embedded into the JWT header for key matching. Must be an alphanumeric string with 7 or less characters.
## This value is automatically generated if not provided. It's recommended to not configure this.
# key_id: 'example'
jwks:
-
## Key ID embedded into the JWT header for key matching. Must be an alphanumeric string with 7 or less characters.
## This value is automatically generated if not provided. It's recommended to not configure this.
# key_id: 'exmple'
## The key algorithm used with this key.
# algorithm: 'RS256'
## The key algorithm used with this key.
algorithm: 'RS256'
## The key use expected with this key. Currently only 'sig' is supported.
# use: 'sig'
## The key use expected with this key. Currently only 'sig' is supported.
use: 'sig'
## Required Private Key in PEM DER form.
# key: |
# -----BEGIN RSA PRIVATE KEY-----
# ...
# -----END RSA PRIVATE KEY-----
## Optional matching certificate chain in PEM DER form that matches the key. All certificates within the chain
## must be valid and current, and from top to bottom each certificate must be signed by the subsequent one.
# certificate_chain: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
## Required Private Key in PEM DER form.
key: |
{{- fileContent "/keys/private.pem" | nindent 10 }}
## Optional matching certificate chain in PEM DER form that matches the key. All certificates within the chain
## must be valid and current, and from top to bottom each certificate must be signed by the subsequent one.
# certificate_chain: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
## Enables additional debug messages.
# enable_client_debug_messages: false
enable_client_debug_messages: false
## SECURITY NOTICE: It's not recommended changing this option and values below 8 are strongly discouraged.
# minimum_parameter_entropy: 8
minimum_parameter_entropy: 8
## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never'
## for security reasons.
# enforce_pkce: 'public_clients_only'
enforce_pkce: 'public_clients_only'
## SECURITY NOTICE: It's not recommended changing this option. We encourage you to read the documentation and fully
## understanding it before enabling this option.
# enable_jwt_access_token_stateless_introspection: false
enable_jwt_access_token_stateless_introspection: false
## The signing algorithm used for signing the discovery and metadata responses. An issuer JWK with a matching
## algorithm must be available when configured. Most clients completely ignore this and it has a performance cost.
@ -1205,68 +1222,68 @@ notifier:
## Authorization Policies which can be utilized by clients. The 'policy_name' is an arbitrary value that you pick
## which is utilized as the value for the 'authorization_policy' on the client.
# authorization_policies:
# policy_name:
# default_policy: 'two_factor'
# rules:
# - policy: 'one_factor'
# subject: 'group:services'
authorization_policies:
forgejo:
default_policy: 'deny'
rules:
- policy: 'two_factor'
subject: 'group:forgejo'
## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this
## syntax the lifespans can be customized per-client.
# lifespans:
lifespans:
## Configures the default/fallback lifespan for given token types. This behaviour applies to all clients and all
## grant types but you can override this behaviour using the custom lifespans.
# access_token: '1 hour'
# authorize_code: '1 minute'
# id_token: '1 hour'
# refresh_token: '90 minutes'
access_token: '1 hour'
authorize_code: '1 minute'
id_token: '1 hour'
refresh_token: '90 minutes'
## Cross-Origin Resource Sharing (CORS) settings.
# cors:
cors:
## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
# endpoints:
# - 'authorization'
# - 'pushed-authorization-request'
# - 'token'
# - 'revocation'
# - 'introspection'
# - 'userinfo'
endpoints:
- 'authorization'
- 'pushed-authorization-request'
- 'token'
- 'revocation'
- 'introspection'
- 'userinfo'
## List of allowed origins.
## Any origin with https is permitted unless this option is configured or the
## allowed_origins_from_client_redirect_uris option is enabled.
# allowed_origins:
# - 'https://example.com'
allowed_origins:
- 'https://timo.bmrs.nl'
## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
## provided they have the scheme http or https and do not have the hostname of localhost.
# allowed_origins_from_client_redirect_uris: false
allowed_origins_from_client_redirect_uris: false
## Clients is a list of known clients and their configuration.
# clients:
# -
clients:
-
## The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a
## configuration.
# client_id: 'myapp'
client_id: '{{ env "CLIENT_ID_FORGEJO" }}'
## The description to show to users when they end up on the consent screen. Defaults to the ID above.
# client_name: 'My Application'
client_name: 'Forgejo'
## The client secret is a shared secret between Authelia and the consumer of this client.
# yamllint disable-line rule:line-length
# client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
client_secret: '{{ env "CLIENT_SECRET_FORGEJO" }}'
## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
## necessary. It is critical to read the documentation for more information.
# sector_identifier_uri: 'https://example.com/sector.json'
## Sets the client to public. This should typically not be set, please see the documentation for usage.
# public: false
public: false
## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
# redirect_uris:
# - 'https://oidc.example.com:8080/oauth2/callback'
redirect_uris:
- 'https://git.timo.bmrs.nl/user/oauth2/Authelia/callback'
## Request URI's specifies a list of valid case-sensitive TLS-secured URIs for this client for use as
## URIs to fetch Request Objects.
@ -1277,11 +1294,10 @@ notifier:
# audience: []
## Scopes this client is allowed to request.
# scopes:
# - 'openid'
# - 'groups'
# - 'email'
# - 'profile'
scopes:
- 'openid'
- 'email'
- 'profile'
## Grant Types configures which grants this client can obtain.
## It's not recommended to define this unless you know what you're doing.
@ -1300,7 +1316,7 @@ notifier:
## The policy to require for this client; one_factor or two_factor. Can also be the key names for the
## authorization policies section.
# authorization_policy: 'two_factor'
authorization_policy: 'forgejo'
## The custom lifespan name to use for this client. This must be configured independent of the client before
## utilization. Custom lifespans are reusable similar to authorization policies.
@ -1326,7 +1342,7 @@ notifier:
## The permitted client authentication method for the Token Endpoint for this client.
## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
## defaults to 'none' per the specifications.
# token_endpoint_auth_method: 'client_secret_basic'
token_endpoint_auth_method: 'client_secret_basic'
## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
## the 'client_secret_jwt' or 'private_key_jwt' token_endpoint_auth_method.
@ -1368,7 +1384,7 @@ notifier:
## The signing algorithm used for User Info responses. An issuer JWK with a matching algorithm must be
## available. Has no effect if userinfo_signing_key_id is configured.
# userinfo_signed_response_alg: 'none'
userinfo_signed_response_alg: 'none'
## The signing key id used for User Info responses. An issuer JWK with a matching key id must be available when
## configured.

11
homelab/authelia/docker-compose.yml
View File

@ -3,15 +3,21 @@ services:
image: authelia/authelia:latest
container_name: authelia
restart: unless-stopped
volumes:
- ./config:/config
depends_on:
- lldap
volumes:
- ./config/configuration.yml:/config/configuration.yml
- ./config/keys:/keys
- data_authelia:/config
environment:
X_AUTHELIA_CONFIG_FILTERS: template
JWT_SECRET: ${AUTHELIA_JWT_SECRET}
SESSION_SECRET: ${AUTHELIA_SESSION_SECRET}
STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ${LLDAP_ADMIN_PASSWORD}
HMAC_SECRET: ${AUTHELIA_HMAC_SECRET}
CLIENT_SECRET_FORGEJO: ${AUTHELIA_CLIENT_SECRET_FORGEJO}
CLIENT_ID_FORGEJO: ${AUTHELIA_CLIENT_ID_FORGEJO}
lldap:
image: lldap/lldap:latest
@ -27,6 +33,7 @@ services:
volumes:
data_lldap:
data_authelia:
networks:
default:

5
homelab/caddy/caddyfiles/Caddyfile
View File

@ -12,5 +12,10 @@ localhost {
resolvers 1.1.1.1
}
forward_auth authelia:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
import routes/*
}

5
homelab/caddy/caddyfiles/routes/adguard
View File

@ -1,9 +1,4 @@
@adguard host adguard.timo.bmrs.nl
handle @adguard {
forward_auth authelia:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
}
reverse_proxy adguardhome:3000
}

4
homelab/caddy/caddyfiles/routes/forgejo Normal file
View File

@ -0,0 +1,4 @@
@forgejo host git.timo.bmrs.nl
handle @forgejo {
reverse_proxy forgejo:3000
}

4
homelab/caddy/caddyfiles/routes/homepage Normal file
View File

@ -0,0 +1,4 @@
@homepage host home.timo.bmrs.nl
handle @homepage {
reverse_proxy homepage:3000
}

4
homelab/caddy/caddyfiles/routes/uptime-kuma Normal file
View File

@ -0,0 +1,4 @@
@uptime-kuma host uptime.timo.bmrs.nl
handle @uptime-kuma {
reverse_proxy uptime-kuma:3001
}

4
homelab/caddy/caddyfiles/routes/vaultwarden Normal file
View File

@ -0,0 +1,4 @@
@vaultwarden host bitwarden.timo.bmrs.nl
handle @vaultwarden {
reverse_proxy vaultwarden:80
}

6
homelab/caddy/docker-compose.yml
View File

@ -16,12 +16,16 @@ services:
environment:
CF_ZONE_TOKEN: ${CF_ZONE_TOKEN}
CF_API_TOKEN: ${CF_API_TOKEN}
networks:
proxy:
aliases:
- auth.timo.bmrs.nl
volumes:
data:
config:
networks:
default:
proxy:
name: proxy
external: true

2755
homelab/forgejo/config/app.ini Normal file
View File

File diff suppressed because it is too large Load Diff

40
homelab/forgejo/docker-compose.yml Normal file
View File

@ -0,0 +1,40 @@
services:
forgejo:
image: codeberg.org/forgejo/forgejo:9
container_name: forgejo
restart: unless-stopped
depends_on:
- db
ports:
- 222:22
volumes:
- data:/data
- ./config/app.ini:/etc/forgejo/app.ini
- /etc/timezone:/etc/timezone:ro
- /etc/localtime:/etc/localtime:ro
environment:
FORGEJO__database__DB_TYPE: postgres
FORGEJO__database__HOST: "db:5432"
FORGEJO__database__NAME: forgejo
FORGEJO__database__USER: forgejo
FORGEJO__database__PASSWD: ${DB_PASSWORD}
db:
image: postgres:14
container_name: forgejo-db
restart: unless-stopped
volumes:
- data_db:/var/lib/postgresql/data
environment:
POSTGRES_USER: forgejo
POSTGRES_PASSWORD: ${DB_PASSWORD}
POSTGES_DB: forgejo
volumes:
data:
data_db:
networks:
default:
name: proxy
external: true

1
homelab/homepage/config/.gitignore vendored Normal file
View File

@ -0,0 +1 @@
logs/

3
homelab/homepage/config/bookmarks.yaml Normal file
View File

@ -0,0 +1,3 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/configs/bookmarks

0
homelab/homepage/config/custom.css Normal file
View File

0
homelab/homepage/config/custom.js Normal file
View File

10
homelab/homepage/config/docker.yaml Normal file
View File

@ -0,0 +1,10 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/configs/docker/
# my-docker:
# host: 127.0.0.1
# port: 2375
docker:
socket: /var/run/docker.sock

2
homelab/homepage/config/kubernetes.yaml Normal file
View File

@ -0,0 +1,2 @@
---
# sample kubernetes config

55
homelab/homepage/config/services.yaml Normal file
View File

@ -0,0 +1,55 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/configs/services
- Primary Services:
- Adguard:
href: https://adguard.timo.bmrs.nl/
description: DNS
icon: adguard-home
server: docker
container: adguardhome
widget:
type: adguard
url: http://adguardhome:3000
username: xeovalyte
password: {{HOMEPAGE_VAR_ADGUARD_PASSWORD}}
- Forgejo:
href: https://git.timo.bmrs.nl/
description: Git
icon: forgejo
server: docker
container: forgejo
- Uptime Kuma:
href: https://uptime.timo.bmrs.nl/
description: Uptime monitoring
icon: uptime-kuma
server: docker
container: uptime-kuma
- Vaultwarden:
href: https://bitwarden.timo.bmrs.nl/
description: Password manager
icon: bitwarden
server: docker
container: vaultwarden
- Backend Services:
- Authelia:
description: SSO
icon: authelia
server: docker
container: authelia
- Caddy:
description: Reverse proxy
icon: caddy
server: docker
container: caddy
- LLDAP:
description: Active directory
server: docker
container: lldap

21
homelab/homepage/config/settings.yaml Normal file
View File

@ -0,0 +1,21 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/configs/settings
providers:
openweathermap: openweathermapapikey
weatherapi: weatherapiapikey
title: Xeovalyte's Dashboard
color: slate
headerStyle: boxedWidgets
layout:
Primary Services:
style: row
columns: 3
Backend Services:
style: row
columns: 4

12
homelab/homepage/config/widgets.yaml Normal file
View File

@ -0,0 +1,12 @@
---
# For configuration options and examples, please see:
# https://gethomepage.dev/configs/service-widgets
- resources:
cpu: true
memory: true
disk: /
- search:
provider: duckduckgo
target: _blank

19
homelab/homepage/docker-compose.yml Normal file
View File

@ -0,0 +1,19 @@
services:
homepage:
image: ghcr.io/gethomepage/homepage:latest
container_name: homepage
restart: unless-stopped
volumes:
- ./config:/app/config
- logs:/app/config/logs
- /run/user/1000/docker.sock:/var/run/docker.sock
environment:
HOMEPAGE_VAR_ADGUARD_PASSWORD: $ADGUARD_PASSWORD
volumes:
logs:
networks:
default:
name: proxy
external: true

15
homelab/uptime-kuma/docker-compose.yml Normal file
View File

@ -0,0 +1,15 @@
services:
uptime-kuma:
image: louislam/uptime-kuma:1
container_name: uptime-kuma
restart: unless-stopped
volumes:
- data:/app/data
volumes:
data:
networks:
default:
name: proxy
external: true

17
homelab/vaultwarden/docker-compose.yml Normal file
View File

@ -0,0 +1,17 @@
services:
vaultwarden:
image: vaultwarden/server:latest
container_name: vaultwarden
restart: unless-stopped
volumes:
- data:/data
environment:
SIGNUPS_ALLOWED: "true"
volumes:
data:
networks:
default:
name: proxy
external: true