xeovalyte/nix
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'main' of ssh://gitea.xeovalyte.dev:2222/xeovalyte/nix

Browse Source 
merge
This commit is contained in:
xeovalyte 2024-11-24 21:01:26 +01:00
commit 9ab12a589f
Signed by: xeovalyte
SSH Key Fingerprint: SHA256:kSQDrQDmKzljJzfGYcd3m9RqHi4h8rSwkZ3sQ9kBURo
16 changed files with 2724 additions and 164 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
homelab/adguard/docker-compose.yml
View File

@ -6,7 +6,7 @@ services:
ports:
- 53:53/tcp
- 53:53/udp
# - 80:3000 # Only use during setup
# - 80:3000 # Only use during setup
volumes:
- work:/opt/adguardhome/work
- conf:/opt/adguardhome/conf

193
homelab/authelia/config/configuration.yml
View File

@ -645,9 +645,18 @@ access_control:
- domain: 'cloud.timo.bmrs.nl'
policy: 'bypass'
- domain: 'dozzle.timo.bmrs.nl'
policy: 'one_factor'
- domain: 'homeassistant.timo.bmrs.nl'
policy: 'bypass'
- domain: 'office.timo.bmrs.nl'
policy: 'bypass'
- domain: 'paperless.timo.bmrs.nl'
policy: 'bypass'
- domain: 'git.timo.bmrs.nl'
policy: 'bypass'
@ -658,8 +667,10 @@ access_control:
policy: 'bypass'
- domain: 'ldap.timo.bmrs.nl'
policy: 'two_factor'
subject: 'group:admin'
policy: 'bypass'
- domain: 'search.timo.bmrs.nl'
policy: 'bypass'
- domain: 'uptime.timo.bmrs.nl'
policy: 'bypass'
@ -777,7 +788,7 @@ session:
## - The above 'domain' option MUST either:
## - Match the host portion of this URI.
## - Match the suffix of the host portion when prefixed with '.'.
# default_redirection_url: 'https://www.example.com'
default_redirection_url: 'https://www.timo.bmrs.nl'
## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
## Please read https://www.authelia.com/c/session#same_site
@ -1238,6 +1249,12 @@ identity_providers:
- policy: 'two_factor'
subject: 'group:forgejo'
paperless:
default_policy: 'deny'
rules:
- policy: 'two_factor'
subject: 'group:paperless'
## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this
## syntax the lifespans can be customized per-client.
lifespans:
@ -1271,173 +1288,33 @@ identity_providers:
## Clients is a list of known clients and their configuration.
clients:
-
## The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a
## configuration.
client_id: '{{ env "CLIENT_ID_FORGEJO" }}'
## The description to show to users when they end up on the consent screen. Defaults to the ID above.
- client_id: '{{ env "CLIENT_ID_FORGEJO" }}'
client_name: 'Forgejo'
## The client secret is a shared secret between Authelia and the consumer of this client.
# yamllint disable-line rule:line-length
client_secret: '{{ env "CLIENT_SECRET_FORGEJO" }}'
## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
## necessary. It is critical to read the documentation for more information.
# sector_identifier_uri: 'https://example.com/sector.json'
## Sets the client to public. This should typically not be set, please see the documentation for usage.
public: false
## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
redirect_uris:
- 'https://git.timo.bmrs.nl/user/oauth2/Authelia/callback'
## Request URI's specifies a list of valid case-sensitive TLS-secured URIs for this client for use as
## URIs to fetch Request Objects.
# request_uris:
# - 'https://oidc.example.com:8080/oidc/request-object.jwk'
## Audience this client is allowed to request.
# audience: []
## Scopes this client is allowed to request.
scopes:
- 'openid'
- 'email'
- 'profile'
## Grant Types configures which grants this client can obtain.
## It's not recommended to define this unless you know what you're doing.
# grant_types:
# - 'authorization_code'
## Response Types configures which responses this client can be sent.
## It's not recommended to define this unless you know what you're doing.
# response_types:
# - 'code'
## Response Modes configures which response modes this client supports.
# response_modes:
# - 'form_post'
# - 'query'
## The policy to require for this client; one_factor or two_factor. Can also be the key names for the
## authorization policies section.
authorization_policy: 'forgejo'
## The custom lifespan name to use for this client. This must be configured independent of the client before
## utilization. Custom lifespans are reusable similar to authorization policies.
# lifespan: ''
## The consent mode controls how consent is obtained.
# consent_mode: 'auto'
## This value controls the duration a consent on this client remains remembered when the consent mode is
## configured as 'auto' or 'pre-configured' in the duration common syntax.
# pre_configured_consent_duration: '1 week'
## Requires the use of Pushed Authorization Requests for this client when set to true.
# require_pushed_authorization_requests: false
## Enforces the use of PKCE for this client when set to true.
# require_pkce: false
## Enforces the use of PKCE for this client when configured, and enforces the specified challenge method.
## Options are 'plain' and 'S256'.
# pkce_challenge_method: 'S256'
## The permitted client authentication method for the Token Endpoint for this client.
## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
## defaults to 'none' per the specifications.
token_endpoint_auth_method: 'client_secret_basic'
## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
## the 'client_secret_jwt' or 'private_key_jwt' token_endpoint_auth_method.
# token_endpoint_auth_signing_alg: 'RS256'
## The signing algorithm which must be used for request objects. A client JWK with a matching algorithm must be
## available if configured.
# request_object_signing_alg: 'RS256'
## The signing algorithm used for signing the authorization response. An issuer JWK with a matching algorithm
## must be available when configured. Configuring this value enables the JWT Secured Authorization Response
## Mode (JARM) for this client. JARM is not understood by a majority of clients so you should only configure
## this when you know it's supported.
## Has no effect if authorization_signed_response_key_id is configured.
# authorization_signed_response_alg: 'none'
## The signing key id used for signing the authorization response. An issuer JWK with a matching key id must be
## available when configured. Configuring this value enables the JWT Secured Authorization Response Mode (JARM)
## for this client. JARM is not understood by a majority of clients so you should only configure this when you
## know it's supported.
# authorization_signed_response_key_id: ''
## The signing algorithm used for ID Tokens. An issuer JWK with a matching algorithm must be available when
## configured. Has no effect if id_token_signed_response_key_id is configured.
# id_token_signed_response_alg: 'RS256'
## The signing key id used for ID Tokens. An issuer JWK with a matching key id must be available when
## configured.
# id_token_signed_response_key_id: ''
## The signing algorithm used for Access Tokens. An issuer JWK with a matching algorithm must be available.
## Has no effect if access_token_signed_response_key_id is configured. Values other than 'none' enable RFC9068
## for this client.
# access_token_signed_response_alg: 'none'
## The signing key id used for Access Tokens. An issuer JWK with a matching key id must be available when
## configured. Values other than a blank value enable RFC9068 for this client.
# access_token_signed_response_key_id: ''
## The signing algorithm used for User Info responses. An issuer JWK with a matching algorithm must be
## available. Has no effect if userinfo_signing_key_id is configured.
userinfo_signed_response_alg: 'none'
## The signing key id used for User Info responses. An issuer JWK with a matching key id must be available when
## configured.
# userinfo_signed_response_key_id: ''
- client_id: '{{ env "CLIENT_ID_PAPERLESS" }}'
client_name: 'Forgejo'
client_secret: '{{ env "CLIENT_SECRET_PAPERLESS" }}'
public: false
redirect_uris:
- 'https://paperless.timo.bmrs.nl/accounts/oidc/authelia/login/callback/'
scopes:
- 'openid'
- 'email'
- 'profile'
- 'groups'
authorization_policy: 'paperless'
token_endpoint_auth_method: 'client_secret_basic'
userinfo_signed_response_alg: 'none'
## The signing algorithm used for Introspection responses. An issuer JWK with a matching algorithm must be
## available when configured. Has no effect if introspection_signed_response_key_id is configured.
# introspection_signed_response_alg: 'none'
## The signing key id used for Introspection responses. An issuer JWK with a matching key id must be available
## when configured.
# introspection_signed_response_key_id: ''
## Trusted public keys configuration for request object signing for things such as 'private_key_jwt'.
## URL of the HTTPS endpoint which serves the keys. Please note the 'jwks_uri' and the 'jwks' option below
## are mutually exclusive.
# jwks_uri: 'https://app.example.com/jwks.json'
## Trusted public keys configuration for request object signing for things such as 'private_key_jwt'.
## List of JWKs known and registered with this client. It's recommended to use the 'jwks_uri' option if
## available due to key rotation. Please note the 'jwks' and the 'jwks_uri' option above are mutually exclusive.
# jwks:
# -
## Key ID used to match the JWT's to an individual identifier. This option is required if configured.
# key_id: 'example'
## The key algorithm expected with this key.
# algorithm: 'RS256'
## The key use expected with this key. Currently only 'sig' is supported.
# use: 'sig'
## Required Public Key in PEM DER form.
# key: |
# -----BEGIN RSA PUBLIC KEY-----
# ...
# -----END RSA PUBLIC KEY-----
## The matching certificate chain in PEM DER form that matches the key if available.
# certificate_chain: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
...

2
homelab/authelia/docker-compose.yml
View File

@ -18,6 +18,8 @@ services:
HMAC_SECRET: ${AUTHELIA_HMAC_SECRET}
CLIENT_SECRET_FORGEJO: ${AUTHELIA_CLIENT_SECRET_FORGEJO}
CLIENT_ID_FORGEJO: ${AUTHELIA_CLIENT_ID_FORGEJO}
CLIENT_SECRET_PAPERLESS: ${AUTHELIA_CLIENT_SECRET_PAPERLESS}
CLIENT_ID_PAPERLESS: ${AUTHELIA_CLIENT_ID_PAPERLESS}
lldap:
image: lldap/lldap:latest

9
homelab/caddy/caddyfiles/routes/dozzle Normal file
View File

@ -0,0 +1,9 @@
@dozzle host dozzle.timo.bmrs.nl
handle @dozzle {
forward_auth authelia:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
reverse_proxy dozzle:8080
}

4
homelab/caddy/caddyfiles/routes/homeassistant Normal file
View File

@ -0,0 +1,4 @@
@homeassistant host homeassistant.timo.bmrs.nl
handle @homeassistant {
reverse_proxy homeassistant:8123
}

4
homelab/caddy/caddyfiles/routes/paperless-ngx Normal file
View File

@ -0,0 +1,4 @@
@paperless-ngx host paperless.timo.bmrs.nl
handle @paperless-ngx {
reverse_proxy paperless-ngx:8000
}

4
homelab/caddy/caddyfiles/routes/searxng Normal file
View File

@ -0,0 +1,4 @@
@searxng host search.timo.bmrs.nl
handle @searxng {
reverse_proxy searxng:8080
}

15
homelab/dozzle/docker-compose.yml Normal file
View File

@ -0,0 +1,15 @@
services:
dozzle:
image: amir20/dozzle:latest
container_name: dozzle
restart: unless-stopped
volumes:
- /run/user/1000/docker.sock:/var/run/docker.sock:ro
environment:
DOZZLE_ENABLE_ACTIONS: true
DOZZLE_AUTH_PROVIDER: forward-proxy
networks:
default:
external: true
name: proxy

15
homelab/homeassistant/config/configuration.yaml Normal file
View File

@ -0,0 +1,15 @@
# Loads default set of integrations. Do not remove.
default_config:
# Load frontend themes from the themes folder
frontend:
themes: !include_dir_merge_named themes
automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml
http:
use_x_forwarded_for: true
trusted_proxies:
- 172.18.0.0/24

17
homelab/homeassistant/docker-compose.yml Normal file
View File

@ -0,0 +1,17 @@
services:
homeassistant:
image: ghcr.io/home-assistant/home-assistant:stable
container_name: homeassistant
restart: unless-stopped
volumes:
- config:/config
- ./config/configuration.yaml:/config/configuration.yaml
- /etc/localtime:/etc/localtime:ro
volumes:
config:
networks:
default:
name: proxy
external: true

3
homelab/paperless-ngx/README.md Normal file
View File

@ -0,0 +1,3 @@
# Paperless NGX
- Create super user: `docker compose exec paperless-ngx python3 manage.py createsuperuser`
- Follow [Paperless wiki](https://www.authelia.com/integration/openid-connect/paperless/) for configuring oauth

50
homelab/paperless-ngx/docker-compose.yml Normal file
View File

@ -0,0 +1,50 @@
services:
paperless-ngx:
image: ghcr.io/paperless-ngx/paperless-ngx:latest
container_name: paperless-ngx
restart: unless-stopped
depends_on:
- broker
- db
volumes:
- data:/usr/src/paperless/data
- media:/usr/src/paperless/media
environment:
PAPERLESS_REDIS: redis://paperless-ngx-broker:6379
PAPERLESS_DBHOST: paperless-ngx-db
PAPERLESS_DBPASS: ${POSTGRES_PASSWORD}
PAPERLESS_URL: https://paperless.timo.bmrs.nl
PAPERLESS_DISABLE_REGULAR_LOGIN: true
PAPERLESS_APPS: allauth.socialaccount.providers.openid_connect
PAPERLESS_SOCIALACCOUNT_PROVIDERS: ${PAPERLESS_SOCIALACCOUNT_PROVIDERS}
broker:
image: docker.io/library/redis:7
container_name: paperless-ngx-broker
restart: unless-stopped
volumes:
- data_redis:/data
db:
image: docker.io/library/postgres:16
container_name: paperless-ngx-db
restart: unless-stopped
volumes:
- data_db:/var/lib/postgresql/data
environment:
POSTGRES_DB: paperless
POSTGRES_USER: paperless
POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
volumes:
data:
data_db:
data_redis:
media:
networks:
default:
name: proxy
external: true

2493
homelab/searxng/config/settings.yml Normal file
View File

File diff suppressed because it is too large Load Diff

54
homelab/searxng/config/uwsgi.ini Normal file
View File

@ -0,0 +1,54 @@
[uwsgi]
# Who will run the code
uid = searxng
gid = searxng
# Number of workers (usually CPU count)
# default value: %k (= number of CPU core, see Dockerfile)
workers = %k
# Number of threads per worker
# default value: 4 (see Dockerfile)
threads = 4
# The right granted on the created socket
chmod-socket = 666
# Plugin to use and interpreter config
single-interpreter = true
master = true
plugin = python3
lazy-apps = true
enable-threads = 4
# Module to import
module = searx.webapp
# Virtualenv and python path
pythonpath = /usr/local/searxng/
chdir = /usr/local/searxng/searx/
# automatically set processes name to something meaningful
auto-procname = true
# Disable request logging for privacy
disable-logging = true
log-5xx = true
# Set the max size of a request (request-body excluded)
buffer-size = 8192
# No keep alive
# See https://github.com/searx/searx-docker/issues/24
add-header = Connection: close
# Follow SIGTERM convention
# See https://github.com/searxng/searxng/issues/3427
die-on-term
# uwsgi serves the static files
static-map = /static=/usr/local/searxng/searx/static
# expires set to one day
static-expires = /* 86400
static-gzip-all = True
offload-threads = 4

15
homelab/searxng/docker-compose.yml Normal file
View File

@ -0,0 +1,15 @@
services:
searxng:
image: searxng/searxng
container_name: searxng
restart: unless-stopped
volumes:
- ./config:/etc/searxng
environment:
BASE_URL: "https://search.timo.bmrs.nl/"
SEARXNG_SECRET: "PO8rO5ZW7K67sroemisMS8wpiq5pXEHecvXzGs4CdAgTQIQvAI09m65vFKGVVkZW"
networks:
default:
external: true
name: proxy

8
hosts/pm01vm01/hardware-configuration.nix
View File

@ -14,19 +14,17 @@
boot.extraModulePackages = [ ];
fileSystems."/" =
{ device = "/dev/disk/by-uuid/649666ff-db85-4666-86d0-c088732505d6";
{ device = "/dev/disk/by-uuid/47301fe6-a7db-4ffd-854a-beddd53b6d99";
fsType = "ext4";
};
fileSystems."/boot" =
{ device = "/dev/disk/by-uuid/A157-F96E";
{ device = "/dev/disk/by-uuid/6A5B-F811";
fsType = "vfat";
options = [ "fmask=0077" "dmask=0077" ];
};
# swapDevices =
# [ { device = "/dev/disk/by-uuid/f8c0a59c-7e1a-4eb7-960e-20ba65fec156"; }
# ];
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's