Merge branch 'main' of ssh://gitea.xeovalyte.dev:2222/xeovalyte/nix
commit
9ab12a589f
@ -645,9 +645,18 @@ access_control:
|
||||
- domain: 'cloud.timo.bmrs.nl'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: 'dozzle.timo.bmrs.nl'
|
||||
policy: 'one_factor'
|
||||
|
||||
- domain: 'homeassistant.timo.bmrs.nl'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: 'office.timo.bmrs.nl'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: 'paperless.timo.bmrs.nl'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: 'git.timo.bmrs.nl'
|
||||
policy: 'bypass'
|
||||
|
||||
@ -658,8 +667,10 @@ access_control:
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: 'ldap.timo.bmrs.nl'
|
||||
policy: 'two_factor'
|
||||
subject: 'group:admin'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: 'search.timo.bmrs.nl'
|
||||
policy: 'bypass'
|
||||
|
||||
- domain: 'uptime.timo.bmrs.nl'
|
||||
policy: 'bypass'
|
||||
@ -777,7 +788,7 @@ session:
|
||||
## - The above 'domain' option MUST either:
|
||||
## - Match the host portion of this URI.
|
||||
## - Match the suffix of the host portion when prefixed with '.'.
|
||||
# default_redirection_url: 'https://www.example.com'
|
||||
default_redirection_url: 'https://www.timo.bmrs.nl'
|
||||
|
||||
## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
|
||||
## Please read https://www.authelia.com/c/session#same_site
|
||||
@ -1238,6 +1249,12 @@ identity_providers:
|
||||
- policy: 'two_factor'
|
||||
subject: 'group:forgejo'
|
||||
|
||||
paperless:
|
||||
default_policy: 'deny'
|
||||
rules:
|
||||
- policy: 'two_factor'
|
||||
subject: 'group:paperless'
|
||||
|
||||
## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this
|
||||
## syntax the lifespans can be customized per-client.
|
||||
lifespans:
|
||||
@ -1271,173 +1288,33 @@ identity_providers:
|
||||
|
||||
## Clients is a list of known clients and their configuration.
|
||||
clients:
|
||||
-
|
||||
## The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a
|
||||
## configuration.
|
||||
client_id: '{{ env "CLIENT_ID_FORGEJO" }}'
|
||||
|
||||
## The description to show to users when they end up on the consent screen. Defaults to the ID above.
|
||||
- client_id: '{{ env "CLIENT_ID_FORGEJO" }}'
|
||||
client_name: 'Forgejo'
|
||||
|
||||
## The client secret is a shared secret between Authelia and the consumer of this client.
|
||||
# yamllint disable-line rule:line-length
|
||||
client_secret: '{{ env "CLIENT_SECRET_FORGEJO" }}'
|
||||
|
||||
## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
|
||||
## necessary. It is critical to read the documentation for more information.
|
||||
# sector_identifier_uri: 'https://example.com/sector.json'
|
||||
|
||||
## Sets the client to public. This should typically not be set, please see the documentation for usage.
|
||||
public: false
|
||||
|
||||
## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
|
||||
redirect_uris:
|
||||
- 'https://git.timo.bmrs.nl/user/oauth2/Authelia/callback'
|
||||
|
||||
## Request URI's specifies a list of valid case-sensitive TLS-secured URIs for this client for use as
|
||||
## URIs to fetch Request Objects.
|
||||
# request_uris:
|
||||
# - 'https://oidc.example.com:8080/oidc/request-object.jwk'
|
||||
|
||||
## Audience this client is allowed to request.
|
||||
# audience: []
|
||||
|
||||
## Scopes this client is allowed to request.
|
||||
scopes:
|
||||
- 'openid'
|
||||
- 'email'
|
||||
- 'profile'
|
||||
|
||||
## Grant Types configures which grants this client can obtain.
|
||||
## It's not recommended to define this unless you know what you're doing.
|
||||
# grant_types:
|
||||
# - 'authorization_code'
|
||||
|
||||
## Response Types configures which responses this client can be sent.
|
||||
## It's not recommended to define this unless you know what you're doing.
|
||||
# response_types:
|
||||
# - 'code'
|
||||
|
||||
## Response Modes configures which response modes this client supports.
|
||||
# response_modes:
|
||||
# - 'form_post'
|
||||
# - 'query'
|
||||
|
||||
## The policy to require for this client; one_factor or two_factor. Can also be the key names for the
|
||||
## authorization policies section.
|
||||
authorization_policy: 'forgejo'
|
||||
|
||||
## The custom lifespan name to use for this client. This must be configured independent of the client before
|
||||
## utilization. Custom lifespans are reusable similar to authorization policies.
|
||||
# lifespan: ''
|
||||
|
||||
## The consent mode controls how consent is obtained.
|
||||
# consent_mode: 'auto'
|
||||
|
||||
## This value controls the duration a consent on this client remains remembered when the consent mode is
|
||||
## configured as 'auto' or 'pre-configured' in the duration common syntax.
|
||||
# pre_configured_consent_duration: '1 week'
|
||||
|
||||
## Requires the use of Pushed Authorization Requests for this client when set to true.
|
||||
# require_pushed_authorization_requests: false
|
||||
|
||||
## Enforces the use of PKCE for this client when set to true.
|
||||
# require_pkce: false
|
||||
|
||||
## Enforces the use of PKCE for this client when configured, and enforces the specified challenge method.
|
||||
## Options are 'plain' and 'S256'.
|
||||
# pkce_challenge_method: 'S256'
|
||||
|
||||
## The permitted client authentication method for the Token Endpoint for this client.
|
||||
## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
|
||||
## defaults to 'none' per the specifications.
|
||||
token_endpoint_auth_method: 'client_secret_basic'
|
||||
|
||||
## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
|
||||
## the 'client_secret_jwt' or 'private_key_jwt' token_endpoint_auth_method.
|
||||
# token_endpoint_auth_signing_alg: 'RS256'
|
||||
|
||||
## The signing algorithm which must be used for request objects. A client JWK with a matching algorithm must be
|
||||
## available if configured.
|
||||
# request_object_signing_alg: 'RS256'
|
||||
|
||||
## The signing algorithm used for signing the authorization response. An issuer JWK with a matching algorithm
|
||||
## must be available when configured. Configuring this value enables the JWT Secured Authorization Response
|
||||
## Mode (JARM) for this client. JARM is not understood by a majority of clients so you should only configure
|
||||
## this when you know it's supported.
|
||||
## Has no effect if authorization_signed_response_key_id is configured.
|
||||
# authorization_signed_response_alg: 'none'
|
||||
|
||||
## The signing key id used for signing the authorization response. An issuer JWK with a matching key id must be
|
||||
## available when configured. Configuring this value enables the JWT Secured Authorization Response Mode (JARM)
|
||||
## for this client. JARM is not understood by a majority of clients so you should only configure this when you
|
||||
## know it's supported.
|
||||
# authorization_signed_response_key_id: ''
|
||||
|
||||
## The signing algorithm used for ID Tokens. An issuer JWK with a matching algorithm must be available when
|
||||
## configured. Has no effect if id_token_signed_response_key_id is configured.
|
||||
# id_token_signed_response_alg: 'RS256'
|
||||
|
||||
## The signing key id used for ID Tokens. An issuer JWK with a matching key id must be available when
|
||||
## configured.
|
||||
# id_token_signed_response_key_id: ''
|
||||
|
||||
## The signing algorithm used for Access Tokens. An issuer JWK with a matching algorithm must be available.
|
||||
## Has no effect if access_token_signed_response_key_id is configured. Values other than 'none' enable RFC9068
|
||||
## for this client.
|
||||
# access_token_signed_response_alg: 'none'
|
||||
|
||||
## The signing key id used for Access Tokens. An issuer JWK with a matching key id must be available when
|
||||
## configured. Values other than a blank value enable RFC9068 for this client.
|
||||
# access_token_signed_response_key_id: ''
|
||||
|
||||
## The signing algorithm used for User Info responses. An issuer JWK with a matching algorithm must be
|
||||
## available. Has no effect if userinfo_signing_key_id is configured.
|
||||
userinfo_signed_response_alg: 'none'
|
||||
|
||||
## The signing key id used for User Info responses. An issuer JWK with a matching key id must be available when
|
||||
## configured.
|
||||
# userinfo_signed_response_key_id: ''
|
||||
- client_id: '{{ env "CLIENT_ID_PAPERLESS" }}'
|
||||
client_name: 'Forgejo'
|
||||
client_secret: '{{ env "CLIENT_SECRET_PAPERLESS" }}'
|
||||
public: false
|
||||
redirect_uris:
|
||||
- 'https://paperless.timo.bmrs.nl/accounts/oidc/authelia/login/callback/'
|
||||
scopes:
|
||||
- 'openid'
|
||||
- 'email'
|
||||
- 'profile'
|
||||
- 'groups'
|
||||
authorization_policy: 'paperless'
|
||||
token_endpoint_auth_method: 'client_secret_basic'
|
||||
userinfo_signed_response_alg: 'none'
|
||||
|
||||
## The signing algorithm used for Introspection responses. An issuer JWK with a matching algorithm must be
|
||||
## available when configured. Has no effect if introspection_signed_response_key_id is configured.
|
||||
# introspection_signed_response_alg: 'none'
|
||||
|
||||
## The signing key id used for Introspection responses. An issuer JWK with a matching key id must be available
|
||||
## when configured.
|
||||
# introspection_signed_response_key_id: ''
|
||||
|
||||
## Trusted public keys configuration for request object signing for things such as 'private_key_jwt'.
|
||||
## URL of the HTTPS endpoint which serves the keys. Please note the 'jwks_uri' and the 'jwks' option below
|
||||
## are mutually exclusive.
|
||||
# jwks_uri: 'https://app.example.com/jwks.json'
|
||||
|
||||
## Trusted public keys configuration for request object signing for things such as 'private_key_jwt'.
|
||||
## List of JWKs known and registered with this client. It's recommended to use the 'jwks_uri' option if
|
||||
## available due to key rotation. Please note the 'jwks' and the 'jwks_uri' option above are mutually exclusive.
|
||||
# jwks:
|
||||
# -
|
||||
## Key ID used to match the JWT's to an individual identifier. This option is required if configured.
|
||||
# key_id: 'example'
|
||||
|
||||
## The key algorithm expected with this key.
|
||||
# algorithm: 'RS256'
|
||||
|
||||
## The key use expected with this key. Currently only 'sig' is supported.
|
||||
# use: 'sig'
|
||||
|
||||
## Required Public Key in PEM DER form.
|
||||
# key: |
|
||||
# -----BEGIN RSA PUBLIC KEY-----
|
||||
# ...
|
||||
# -----END RSA PUBLIC KEY-----
|
||||
|
||||
## The matching certificate chain in PEM DER form that matches the key if available.
|
||||
# certificate_chain: |
|
||||
# -----BEGIN CERTIFICATE-----
|
||||
# ...
|
||||
# -----END CERTIFICATE-----
|
||||
# -----BEGIN CERTIFICATE-----
|
||||
# ...
|
||||
# -----END CERTIFICATE-----
|
||||
...
|
||||
|
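Review bot: In the ldap.timo.bmrs.nl rule of hunk `@ -658,8 +667,10 @@` the lines `policy: 'two_factor'`, `subject: 'group:admin'` and `policy: 'bypass'` are printed consecutively, and without the diff markers it is not clear whether the second `policy` is the removed old line or survives in the new rule. If both remain in one rule mapping the key is duplicated, which most YAML loaders either reject or resolve last-wins, leaving the LDAP admin UI at `bypass` instead of two-factor; the new side of that rule should contain exactly `policy: 'two_factor'` and `subject: 'group:admin'`. In the last hunk the new paperless client carries `client_name: 'Forgejo'`, a copy-paste leftover that users will see on the consent screen; it should read `client_name: 'Paperless'`. This section's file header lies before the start of the page.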
@ -18,6 +18,8 @@ services:
|
||||
HMAC_SECRET: ${AUTHELIA_HMAC_SECRET}
|
||||
CLIENT_SECRET_FORGEJO: ${AUTHELIA_CLIENT_SECRET_FORGEJO}
|
||||
CLIENT_ID_FORGEJO: ${AUTHELIA_CLIENT_ID_FORGEJO}
|
||||
CLIENT_SECRET_PAPERLESS: ${AUTHELIA_CLIENT_SECRET_PAPERLESS}
|
||||
CLIENT_ID_PAPERLESS: ${AUTHELIA_CLIENT_ID_PAPERLESS}
|
||||
|
||||
lldap:
|
||||
image: lldap/lldap:latest
|
||||
|
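--- /dev/null
+++ b/homelab/caddy/caddyfiles/routes/dozzle
@@ -0,0 +1,9 @@
+@dozzle host dozzle.timo.bmrs.nl
+handle @dozzle {
+	forward_auth authelia:9091 {
+		uri /api/authz/forward-auth
+		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+	}
+
+	reverse_proxy dozzle:8080
+}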
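--- /dev/null
+++ b/homelab/caddy/caddyfiles/routes/homeassistant
@@ -0,0 +1,4 @@
+@homeassistant host homeassistant.timo.bmrs.nl
+handle @homeassistant {
+	reverse_proxy homeassistant:8123
+}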
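--- /dev/null
+++ b/homelab/caddy/caddyfiles/routes/paperless-ngx
@@ -0,0 +1,4 @@
+@paperless-ngx host paperless.timo.bmrs.nl
+handle @paperless-ngx {
+	reverse_proxy paperless-ngx:8000
+}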
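--- /dev/null
+++ b/homelab/caddy/caddyfiles/routes/searxng
@@ -0,0 +1,4 @@
+@searxng host search.timo.bmrs.nl
+handle @searxng {
+	reverse_proxy searxng:8080
+}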
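--- /dev/null
+++ b/homelab/dozzle/docker-compose.yml
@@ -0,0 +1,15 @@
+services:
+  dozzle:
+    image: amir20/dozzle:latest
+    container_name: dozzle
+    restart: unless-stopped
+    volumes:
+      - /run/user/1000/docker.sock:/var/run/docker.sock:ro
+    environment:
+      DOZZLE_ENABLE_ACTIONS: true
+      DOZZLE_AUTH_PROVIDER: forward-proxy
+
+networks:
+  default:
+    external: true
+    name: proxy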
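Review bot: `DOZZLE_ENABLE_ACTIONS: true` is an unquoted YAML boolean inside an `environment` mapping; Compose expects string values there and some versions reject a bool outright, so write `DOZZLE_ENABLE_ACTIONS: "true"`. The bigger concern is that with `DOZZLE_AUTH_PROVIDER: forward-proxy` Dozzle trusts the `Remote-User`/`Remote-Groups` headers that the Caddy route copies in, while this service sits on the shared external `proxy` network with the Docker socket mounted and actions enabled; any other container on that network that reaches `dozzle:8080` directly can supply those headers itself and skip Authelia entirely. Consider attaching Dozzle to a network reachable only from Caddy, and keep the socket mount read-only as it is now.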
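--- /dev/null
+++ b/homelab/homeassistant/config/configuration.yaml
@@ -0,0 +1,15 @@
+# Loads default set of integrations. Do not remove.
+default_config:
+
+# Load frontend themes from the themes folder
+frontend:
+  themes: !include_dir_merge_named themes
+
+automation: !include automations.yaml
+script: !include scripts.yaml
+scene: !include scenes.yaml
+
+http:
+  use_x_forwarded_for: true
+  trusted_proxies:
+    - 172.18.0.0/24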
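Review bot: `trusted_proxies` hard-codes `172.18.0.0/24`, and with `use_x_forwarded_for: true` Home Assistant will believe the `X-Forwarded-For` header from any address in that range. The accompanying compose file attaches the container to the external `proxy` network whose subnet is defined outside this repository, so the value may not even match, and a whole /24 covers every other container on that network rather than just Caddy. Narrow the entry to the proxy's address or a smaller range, and record the provenance above it, e.g. `# subnet of the external 'proxy' docker network; keep in sync with its definition`.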
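--- /dev/null
+++ b/homelab/homeassistant/docker-compose.yml
@@ -0,0 +1,17 @@
+services:
+  homeassistant:
+    image: ghcr.io/home-assistant/home-assistant:stable
+    container_name: homeassistant
+    restart: unless-stopped
+    volumes:
+      - config:/config
+      - ./config/configuration.yaml:/config/configuration.yaml
+      - /etc/localtime:/etc/localtime:ro
+
+volumes:
+  config:
+
+networks:
+  default:
+    name: proxy
+    external: true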
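--- /dev/null
+++ b/homelab/paperless-ngx/README.md
@@ -0,0 +1,3 @@
+# Paperless NGX
+- Create super user: `docker compose exec paperless-ngx python3 manage.py createsuperuser`
+- Follow [Paperless wiki](https://www.authelia.com/integration/openid-connect/paperless/) for configuring oauth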
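--- /dev/null
+++ b/homelab/paperless-ngx/docker-compose.yml
@@ -0,0 +1,50 @@
+services:
+  paperless-ngx:
+    image: ghcr.io/paperless-ngx/paperless-ngx:latest
+    container_name: paperless-ngx
+    restart: unless-stopped
+    depends_on:
+      - broker
+      - db
+    volumes:
+      - data:/usr/src/paperless/data
+      - media:/usr/src/paperless/media
+    environment:
+      PAPERLESS_REDIS: redis://paperless-ngx-broker:6379
+      PAPERLESS_DBHOST: paperless-ngx-db
+      PAPERLESS_DBPASS: ${POSTGRES_PASSWORD}
+      PAPERLESS_URL: https://paperless.timo.bmrs.nl
+
+      PAPERLESS_DISABLE_REGULAR_LOGIN: true
+      PAPERLESS_APPS: allauth.socialaccount.providers.openid_connect
+      PAPERLESS_SOCIALACCOUNT_PROVIDERS: ${PAPERLESS_SOCIALACCOUNT_PROVIDERS}
+
+  broker:
+    image: docker.io/library/redis:7
+    container_name: paperless-ngx-broker
+    restart: unless-stopped
+    volumes:
+      - data_redis:/data
+
+  db:
+    image: docker.io/library/postgres:16
+    container_name: paperless-ngx-db
+    restart: unless-stopped
+    volumes:
+      - data_db:/var/lib/postgresql/data
+    environment:
+      POSTGRES_DB: paperless
+      POSTGRES_USER: paperless
+      POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+
+
+volumes:
+  data:
+  data_db:
+  data_redis:
+  media:
+
+networks:
+  default:
+    name: proxy
+    external: true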
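Review bot: The `broker` (redis:7) and `db` (postgres:16) services inherit the file-level `networks.default` override and so land on the shared external `proxy` network next to every other proxied application; Redis runs without authentication and Postgres is guarded only by `${POSTGRES_PASSWORD}`, so any compromised container on `proxy` can reach `paperless-ngx-broker:6379` and `paperless-ngx-db:5432` directly. Put broker/db traffic on a private `internal: true` network and attach only `paperless-ngx` to `proxy`. `PAPERLESS_DISABLE_REGULAR_LOGIN: true` is also an unquoted boolean in an `environment` mapping; quote it as `"true"` so Compose passes the string through unchanged.
```yaml
services:
  paperless-ngx:
    # … unchanged: image, container_name, restart, depends_on, volumes, environment …
    networks:
      - proxy
      - backend

  broker:
    # … unchanged: image, container_name, restart, volumes …
    networks:
      - backend

  db:
    # … unchanged: image, container_name, restart, volumes, environment …
    networks:
      - backend

# … unchanged: volumes …

networks:
  proxy:
    name: proxy
    external: true
  backend:
    internal: true
```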
2493
homelab/searxng/config/settings.yml
Normal file
File diff suppressed because it is too large
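--- /dev/null
+++ b/homelab/searxng/config/uwsgi.ini
@@ -0,0 +1,54 @@
+[uwsgi]
+# Who will run the code
+uid = searxng
+gid = searxng
+
+# Number of workers (usually CPU count)
+# default value: %k (= number of CPU core, see Dockerfile)
+workers = %k
+
+# Number of threads per worker
+# default value: 4 (see Dockerfile)
+threads = 4
+
+# The right granted on the created socket
+chmod-socket = 666
+
+# Plugin to use and interpreter config
+single-interpreter = true
+master = true
+plugin = python3
+lazy-apps = true
+enable-threads = 4
+
+# Module to import
+module = searx.webapp
+
+# Virtualenv and python path
+pythonpath = /usr/local/searxng/
+chdir = /usr/local/searxng/searx/
+
+# automatically set processes name to something meaningful
+auto-procname = true
+
+# Disable request logging for privacy
+disable-logging = true
+log-5xx = true
+
+# Set the max size of a request (request-body excluded)
+buffer-size = 8192
+
+# No keep alive
+# See https://github.com/searx/searx-docker/issues/24
+add-header = Connection: close
+
+# Follow SIGTERM convention
+# See https://github.com/searxng/searxng/issues/3427
+die-on-term
+
+# uwsgi serves the static files
+static-map = /static=/usr/local/searxng/searx/static
+# expires set to one day
+static-expires = /* 86400
+static-gzip-all = True
+offload-threads = 4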
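--- /dev/null
+++ b/homelab/searxng/docker-compose.yml
@@ -0,0 +1,15 @@
+services:
+  searxng:
+    image: searxng/searxng
+    container_name: searxng
+    restart: unless-stopped
+    volumes:
+      - ./config:/etc/searxng
+    environment:
+      BASE_URL: "https://search.timo.bmrs.nl/"
+      SEARXNG_SECRET: "PO8rO5ZW7K67sroemisMS8wpiq5pXEHecvXzGs4CdAgTQIQvAI09m65vFKGVVkZW"
+
+networks:
+  default:
+    external: true
+    name: proxy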
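Review bot: `SEARXNG_SECRET` is a literal secret committed in this compose file; once it is in git history it has to be treated as disclosed no matter what later commits do. Rotate it and read it from the environment the way the other compose files in this commit already handle their secrets, `SEARXNG_SECRET: ${SEARXNG_SECRET}`, with the value kept in an untracked `.env` file. The `image: searxng/searxng` reference is also untagged, so `docker compose pull` silently follows whatever upstream publishes next; pin a tag or digest so updates are deliberate.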
@ -14,19 +14,17 @@
|
||||
boot.extraModulePackages = [ ];
|
||||
|
||||
fileSystems."/" =
|
||||
{ device = "/dev/disk/by-uuid/649666ff-db85-4666-86d0-c088732505d6";
|
||||
{ device = "/dev/disk/by-uuid/47301fe6-a7db-4ffd-854a-beddd53b6d99";
|
||||
fsType = "ext4";
|
||||
};
|
||||
|
||||
fileSystems."/boot" =
|
||||
{ device = "/dev/disk/by-uuid/A157-F96E";
|
||||
{ device = "/dev/disk/by-uuid/6A5B-F811";
|
||||
fsType = "vfat";
|
||||
options = [ "fmask=0077" "dmask=0077" ];
|
||||
};
|
||||
|
||||
# swapDevices =
|
||||
# [ { device = "/dev/disk/by-uuid/f8c0a59c-7e1a-4eb7-960e-20ba65fec156"; }
|
||||
# ];
|
||||
swapDevices = [ ];
|
||||
|
||||
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
|
||||
# (the default) this is the recommended approach. When using systemd-networkd it's
|
||||
|