Merge branch 'main' of ssh://gitea.xeovalyte.dev:2222/xeovalyte/nix

merge
This commit is contained in:
xeovalyte 2024-11-24 21:01:26 +01:00
commit 9ab12a589f
Signed by: xeovalyte
SSH Key Fingerprint: SHA256:kSQDrQDmKzljJzfGYcd3m9RqHi4h8rSwkZ3sQ9kBURo
16 changed files with 2724 additions and 164 deletions


@ -645,9 +645,18 @@ access_control:
- domain: 'cloud.timo.bmrs.nl' - domain: 'cloud.timo.bmrs.nl'
policy: 'bypass' policy: 'bypass'
- domain: 'dozzle.timo.bmrs.nl'
policy: 'one_factor'
- domain: 'homeassistant.timo.bmrs.nl'
policy: 'bypass'
- domain: 'office.timo.bmrs.nl' - domain: 'office.timo.bmrs.nl'
policy: 'bypass' policy: 'bypass'
- domain: 'paperless.timo.bmrs.nl'
policy: 'bypass'
- domain: 'git.timo.bmrs.nl' - domain: 'git.timo.bmrs.nl'
policy: 'bypass' policy: 'bypass'
@ -658,8 +667,10 @@ access_control:
policy: 'bypass' policy: 'bypass'
- domain: 'ldap.timo.bmrs.nl' - domain: 'ldap.timo.bmrs.nl'
policy: 'two_factor' policy: 'bypass'
subject: 'group:admin'
- domain: 'search.timo.bmrs.nl'
policy: 'bypass'
- domain: 'uptime.timo.bmrs.nl' - domain: 'uptime.timo.bmrs.nl'
policy: 'bypass' policy: 'bypass'
@ -777,7 +788,7 @@ session:
## - The above 'domain' option MUST either: ## - The above 'domain' option MUST either:
## - Match the host portion of this URI. ## - Match the host portion of this URI.
## - Match the suffix of the host portion when prefixed with '.'. ## - Match the suffix of the host portion when prefixed with '.'.
# default_redirection_url: 'https://www.example.com' default_redirection_url: 'https://www.timo.bmrs.nl'
## Sets the Cookie SameSite value. Possible options are none, lax, or strict. ## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
## Please read https://www.authelia.com/c/session#same_site ## Please read https://www.authelia.com/c/session#same_site
@ -1238,6 +1249,12 @@ identity_providers:
- policy: 'two_factor' - policy: 'two_factor'
subject: 'group:forgejo' subject: 'group:forgejo'
paperless:
default_policy: 'deny'
rules:
- policy: 'two_factor'
subject: 'group:paperless'
## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this ## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this
## syntax the lifespans can be customized per-client. ## syntax the lifespans can be customized per-client.
lifespans: lifespans:
@ -1271,173 +1288,33 @@ identity_providers:
## Clients is a list of known clients and their configuration. ## Clients is a list of known clients and their configuration.
clients: clients:
- - client_id: '{{ env "CLIENT_ID_FORGEJO" }}'
## The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a
## configuration.
client_id: '{{ env "CLIENT_ID_FORGEJO" }}'
## The description to show to users when they end up on the consent screen. Defaults to the ID above.
client_name: 'Forgejo' client_name: 'Forgejo'
## The client secret is a shared secret between Authelia and the consumer of this client.
# yamllint disable-line rule:line-length
client_secret: '{{ env "CLIENT_SECRET_FORGEJO" }}' client_secret: '{{ env "CLIENT_SECRET_FORGEJO" }}'
## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
## necessary. It is critical to read the documentation for more information.
# sector_identifier_uri: 'https://example.com/sector.json'
## Sets the client to public. This should typically not be set, please see the documentation for usage.
public: false public: false
## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
redirect_uris: redirect_uris:
- 'https://git.timo.bmrs.nl/user/oauth2/Authelia/callback' - 'https://git.timo.bmrs.nl/user/oauth2/Authelia/callback'
## Request URI's specifies a list of valid case-sensitive TLS-secured URIs for this client for use as
## URIs to fetch Request Objects.
# request_uris:
# - 'https://oidc.example.com:8080/oidc/request-object.jwk'
## Audience this client is allowed to request.
# audience: []
## Scopes this client is allowed to request.
scopes: scopes:
- 'openid' - 'openid'
- 'email' - 'email'
- 'profile' - 'profile'
## Grant Types configures which grants this client can obtain.
## It's not recommended to define this unless you know what you're doing.
# grant_types:
# - 'authorization_code'
## Response Types configures which responses this client can be sent.
## It's not recommended to define this unless you know what you're doing.
# response_types:
# - 'code'
## Response Modes configures which response modes this client supports.
# response_modes:
# - 'form_post'
# - 'query'
## The policy to require for this client; one_factor or two_factor. Can also be the key names for the
## authorization policies section.
authorization_policy: 'forgejo' authorization_policy: 'forgejo'
## The custom lifespan name to use for this client. This must be configured independent of the client before
## utilization. Custom lifespans are reusable similar to authorization policies.
# lifespan: ''
## The consent mode controls how consent is obtained.
# consent_mode: 'auto'
## This value controls the duration a consent on this client remains remembered when the consent mode is
## configured as 'auto' or 'pre-configured' in the duration common syntax.
# pre_configured_consent_duration: '1 week'
## Requires the use of Pushed Authorization Requests for this client when set to true.
# require_pushed_authorization_requests: false
## Enforces the use of PKCE for this client when set to true.
# require_pkce: false
## Enforces the use of PKCE for this client when configured, and enforces the specified challenge method.
## Options are 'plain' and 'S256'.
# pkce_challenge_method: 'S256'
## The permitted client authentication method for the Token Endpoint for this client.
## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
## defaults to 'none' per the specifications.
token_endpoint_auth_method: 'client_secret_basic' token_endpoint_auth_method: 'client_secret_basic'
## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
## the 'client_secret_jwt' or 'private_key_jwt' token_endpoint_auth_method.
# token_endpoint_auth_signing_alg: 'RS256'
## The signing algorithm which must be used for request objects. A client JWK with a matching algorithm must be
## available if configured.
# request_object_signing_alg: 'RS256'
## The signing algorithm used for signing the authorization response. An issuer JWK with a matching algorithm
## must be available when configured. Configuring this value enables the JWT Secured Authorization Response
## Mode (JARM) for this client. JARM is not understood by a majority of clients so you should only configure
## this when you know it's supported.
## Has no effect if authorization_signed_response_key_id is configured.
# authorization_signed_response_alg: 'none'
## The signing key id used for signing the authorization response. An issuer JWK with a matching key id must be
## available when configured. Configuring this value enables the JWT Secured Authorization Response Mode (JARM)
## for this client. JARM is not understood by a majority of clients so you should only configure this when you
## know it's supported.
# authorization_signed_response_key_id: ''
## The signing algorithm used for ID Tokens. An issuer JWK with a matching algorithm must be available when
## configured. Has no effect if id_token_signed_response_key_id is configured.
# id_token_signed_response_alg: 'RS256'
## The signing key id used for ID Tokens. An issuer JWK with a matching key id must be available when
## configured.
# id_token_signed_response_key_id: ''
## The signing algorithm used for Access Tokens. An issuer JWK with a matching algorithm must be available.
## Has no effect if access_token_signed_response_key_id is configured. Values other than 'none' enable RFC9068
## for this client.
# access_token_signed_response_alg: 'none'
## The signing key id used for Access Tokens. An issuer JWK with a matching key id must be available when
## configured. Values other than a blank value enable RFC9068 for this client.
# access_token_signed_response_key_id: ''
## The signing algorithm used for User Info responses. An issuer JWK with a matching algorithm must be
## available. Has no effect if userinfo_signing_key_id is configured.
userinfo_signed_response_alg: 'none' userinfo_signed_response_alg: 'none'
## The signing key id used for User Info responses. An issuer JWK with a matching key id must be available when - client_id: '{{ env "CLIENT_ID_PAPERLESS" }}'
## configured. client_name: 'Forgejo'
# userinfo_signed_response_key_id: '' client_secret: '{{ env "CLIENT_SECRET_PAPERLESS" }}'
public: false
redirect_uris:
- 'https://paperless.timo.bmrs.nl/accounts/oidc/authelia/login/callback/'
scopes:
- 'openid'
- 'email'
- 'profile'
- 'groups'
authorization_policy: 'paperless'
token_endpoint_auth_method: 'client_secret_basic'
userinfo_signed_response_alg: 'none'
## The signing algorithm used for Introspection responses. An issuer JWK with a matching algorithm must be
## available when configured. Has no effect if introspection_signed_response_key_id is configured.
# introspection_signed_response_alg: 'none'
## The signing key id used for Introspection responses. An issuer JWK with a matching key id must be available
## when configured.
# introspection_signed_response_key_id: ''
## Trusted public keys configuration for request object signing for things such as 'private_key_jwt'.
## URL of the HTTPS endpoint which serves the keys. Please note the 'jwks_uri' and the 'jwks' option below
## are mutually exclusive.
# jwks_uri: 'https://app.example.com/jwks.json'
## Trusted public keys configuration for request object signing for things such as 'private_key_jwt'.
## List of JWKs known and registered with this client. It's recommended to use the 'jwks_uri' option if
## available due to key rotation. Please note the 'jwks' and the 'jwks_uri' option above are mutually exclusive.
# jwks:
# -
## Key ID used to match the JWT's to an individual identifier. This option is required if configured.
# key_id: 'example'
## The key algorithm expected with this key.
# algorithm: 'RS256'
## The key use expected with this key. Currently only 'sig' is supported.
# use: 'sig'
## Required Public Key in PEM DER form.
# key: |
# -----BEGIN RSA PUBLIC KEY-----
# ...
# -----END RSA PUBLIC KEY-----
## The matching certificate chain in PEM DER form that matches the key if available.
# certificate_chain: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
... ...
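Review bot: The rule for `ldap.timo.bmrs.nl` in the second hunk changes from `two_factor` with `subject: 'group:admin'` to `bypass`, so Authelia no longer restricts the LDAP admin interface to the admin group and every request reaches lldap's own login directly; if lldap's built-in authentication is considered sufficient that decision deserves a comment on the rule, otherwise keeping the subject line and using `policy: 'one_factor'` or `policy: 'two_factor'` retains the restriction. Separately, the new paperless client in the last hunk copies `client_name: 'Forgejo'` from the Forgejo client; since this name is shown on the consent screen it should read `client_name: 'Paperless'`. The rendering cuts parts of the `access_control` rules list, so rules outside the visible hunks were not reviewed.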


@ -18,6 +18,8 @@ services:
HMAC_SECRET: ${AUTHELIA_HMAC_SECRET} HMAC_SECRET: ${AUTHELIA_HMAC_SECRET}
CLIENT_SECRET_FORGEJO: ${AUTHELIA_CLIENT_SECRET_FORGEJO} CLIENT_SECRET_FORGEJO: ${AUTHELIA_CLIENT_SECRET_FORGEJO}
CLIENT_ID_FORGEJO: ${AUTHELIA_CLIENT_ID_FORGEJO} CLIENT_ID_FORGEJO: ${AUTHELIA_CLIENT_ID_FORGEJO}
CLIENT_SECRET_PAPERLESS: ${AUTHELIA_CLIENT_SECRET_PAPERLESS}
CLIENT_ID_PAPERLESS: ${AUTHELIA_CLIENT_ID_PAPERLESS}
lldap: lldap:
image: lldap/lldap:latest image: lldap/lldap:latest


@ -0,0 +1,9 @@
@dozzle host dozzle.timo.bmrs.nl
handle @dozzle {
forward_auth authelia:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy dozzle:8080
}


@ -0,0 +1,4 @@
@homeassistant host homeassistant.timo.bmrs.nl
handle @homeassistant {
reverse_proxy homeassistant:8123
}


@ -0,0 +1,4 @@
@paperless-ngx host paperless.timo.bmrs.nl
handle @paperless-ngx {
reverse_proxy paperless-ngx:8000
}


@ -0,0 +1,4 @@
@searxng host search.timo.bmrs.nl
handle @searxng {
reverse_proxy searxng:8080
}


@ -0,0 +1,15 @@
services:
dozzle:
image: amir20/dozzle:latest
container_name: dozzle
restart: unless-stopped
volumes:
- /run/user/1000/docker.sock:/var/run/docker.sock:ro
environment:
DOZZLE_ENABLE_ACTIONS: true
DOZZLE_AUTH_PROVIDER: forward-proxy
networks:
default:
external: true
name: proxy
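Review bot: `DOZZLE_ENABLE_ACTIONS: true` is parsed as a YAML boolean rather than the string the container expects; the Compose documentation asks for boolean-looking environment values to be quoted, and some Compose versions reject a bare boolean here outright, so write `DOZZLE_ENABLE_ACTIONS: "true"`. The same applies to `PAPERLESS_DISABLE_REGULAR_LOGIN: true` in the paperless-ngx compose file in this commit. With `DOZZLE_AUTH_PROVIDER: forward-proxy` Dozzle trusts the `Remote-User`/`Remote-Groups` headers on any request reaching port 8080, and because this service is attached only to the shared external `proxy` network, other containers on that network appear able to reach it without passing Caddy's `forward_auth`; combined with actions enabled over the mounted Docker socket (the `:ro` mount flag does not limit what the Docker API accepts over the socket), consider leaving actions disabled or isolating Dozzle on a network shared only with Caddy.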


@ -0,0 +1,15 @@
# Loads default set of integrations. Do not remove.
default_config:
# Load frontend themes from the themes folder
frontend:
themes: !include_dir_merge_named themes
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml
http:
use_x_forwarded_for: true
trusted_proxies:
- 172.18.0.0/24


@ -0,0 +1,17 @@
services:
homeassistant:
image: ghcr.io/home-assistant/home-assistant:stable
container_name: homeassistant
restart: unless-stopped
volumes:
- config:/config
- ./config/configuration.yaml:/config/configuration.yaml
- /etc/localtime:/etc/localtime:ro
volumes:
config:
networks:
default:
name: proxy
external: true


@ -0,0 +1,3 @@
# Paperless NGX
- Create super user: `docker compose exec paperless-ngx python3 manage.py createsuperuser`
- Follow [Paperless wiki](https://www.authelia.com/integration/openid-connect/paperless/) for configuring oauth


@ -0,0 +1,50 @@
services:
paperless-ngx:
image: ghcr.io/paperless-ngx/paperless-ngx:latest
container_name: paperless-ngx
restart: unless-stopped
depends_on:
- broker
- db
volumes:
- data:/usr/src/paperless/data
- media:/usr/src/paperless/media
environment:
PAPERLESS_REDIS: redis://paperless-ngx-broker:6379
PAPERLESS_DBHOST: paperless-ngx-db
PAPERLESS_DBPASS: ${POSTGRES_PASSWORD}
PAPERLESS_URL: https://paperless.timo.bmrs.nl
PAPERLESS_DISABLE_REGULAR_LOGIN: true
PAPERLESS_APPS: allauth.socialaccount.providers.openid_connect
PAPERLESS_SOCIALACCOUNT_PROVIDERS: ${PAPERLESS_SOCIALACCOUNT_PROVIDERS}
broker:
image: docker.io/library/redis:7
container_name: paperless-ngx-broker
restart: unless-stopped
volumes:
- data_redis:/data
db:
image: docker.io/library/postgres:16
container_name: paperless-ngx-db
restart: unless-stopped
volumes:
- data_db:/var/lib/postgresql/data
environment:
POSTGRES_DB: paperless
POSTGRES_USER: paperless
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
volumes:
data:
data_db:
data_redis:
media:
networks:
default:
name: proxy
external: true
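Review bot: No `PAPERLESS_SECRET_KEY` is set on the `paperless-ngx` service although the instance is published at `PAPERLESS_URL: https://paperless.timo.bmrs.nl`; paperless-ngx documents its default secret key as well known and requires changing it on an exposed instance, so add `PAPERLESS_SECRET_KEY: ${PAPERLESS_SECRET_KEY}` next to the other `${...}`-sourced secrets. The `broker` and `db` services also inherit the shared external `proxy` network, so the Redis at `paperless-ngx-broker:6379` (no password is configured anywhere visible here) and the Postgres at `paperless-ngx-db` are reachable from every other container on that network; a second, internal network for the three services, with only `paperless-ngx` additionally on `proxy`, would limit that exposure.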



@ -0,0 +1,54 @@
[uwsgi]
# Who will run the code
uid = searxng
gid = searxng
# Number of workers (usually CPU count)
# default value: %k (= number of CPU core, see Dockerfile)
workers = %k
# Number of threads per worker
# default value: 4 (see Dockerfile)
threads = 4
# The right granted on the created socket
chmod-socket = 666
# Plugin to use and interpreter config
single-interpreter = true
master = true
plugin = python3
lazy-apps = true
enable-threads = 4
# Module to import
module = searx.webapp
# Virtualenv and python path
pythonpath = /usr/local/searxng/
chdir = /usr/local/searxng/searx/
# automatically set processes name to something meaningful
auto-procname = true
# Disable request logging for privacy
disable-logging = true
log-5xx = true
# Set the max size of a request (request-body excluded)
buffer-size = 8192
# No keep alive
# See https://github.com/searx/searx-docker/issues/24
add-header = Connection: close
# Follow SIGTERM convention
# See https://github.com/searxng/searxng/issues/3427
die-on-term
# uwsgi serves the static files
static-map = /static=/usr/local/searxng/searx/static
# expires set to one day
static-expires = /* 86400
static-gzip-all = True
offload-threads = 4


@ -0,0 +1,15 @@
services:
searxng:
image: searxng/searxng
container_name: searxng
restart: unless-stopped
volumes:
- ./config:/etc/searxng
environment:
BASE_URL: "https://search.timo.bmrs.nl/"
SEARXNG_SECRET: "PO8rO5ZW7K67sroemisMS8wpiq5pXEHecvXzGs4CdAgTQIQvAI09m65vFKGVVkZW"
networks:
default:
external: true
name: proxy
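Review bot: `SEARXNG_SECRET` is committed as a literal value in this compose file, unlike the other compose files in this commit which pull secrets in with `${VAR}` substitution; once pushed, the value lives in the repository history and should be treated as disclosed. Change the line to `SEARXNG_SECRET: ${SEARXNG_SECRET}` and generate a fresh value out of band. The Authelia rule for `search.timo.bmrs.nl` in this commit is `bypass` and the Caddy handle has no `forward_auth`, so the instance is reachable unauthenticated; if that is intended, a comment noting that the rate limiter is enabled in the (suppressed) `settings.yml` would make the decision explicit.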


@ -14,19 +14,17 @@
boot.extraModulePackages = [ ]; boot.extraModulePackages = [ ];
fileSystems."/" = fileSystems."/" =
{ device = "/dev/disk/by-uuid/649666ff-db85-4666-86d0-c088732505d6"; { device = "/dev/disk/by-uuid/47301fe6-a7db-4ffd-854a-beddd53b6d99";
fsType = "ext4"; fsType = "ext4";
}; };
fileSystems."/boot" = fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A157-F96E"; { device = "/dev/disk/by-uuid/6A5B-F811";
fsType = "vfat"; fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ]; options = [ "fmask=0077" "dmask=0077" ];
}; };
# swapDevices = swapDevices = [ ];
# [ { device = "/dev/disk/by-uuid/f8c0a59c-7e1a-4eb7-960e-20ba65fec156"; }
# ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's # (the default) this is the recommended approach. When using systemd-networkd it's