diff --git a/hosts/ulmo/default.nix b/hosts/ulmo/default.nix
index 3e7eb8b..96f141d 100644
--- a/hosts/ulmo/default.nix
+++ b/hosts/ulmo/default.nix
@@ -2,32 +2,34 @@
 {
 imports = [ ./hardware.nix ];
 
- fileSystems."/var/media" = {
- device = "/dev/disk/by-label/data";
- fsType = "ext4";
- };
-
- modules = {
- networking.ssh.enable = true;
-
- services = {
- auth.enable = true;
- media.enable = true;
- # nextcloud.enable = true;
-
- games = {
- minecraft.enable = true;
- };
+ config = {
+ fileSystems."/var/media" = {
+ device = "/dev/disk/by-label/data";
+ fsType = "ext4";
 };
 
- root = {
- user = {
- full_name = "__ROOT__";
- email = "__ROOT__@${config.networking.hostName}";
+ modules = {
+ networking.ssh.enable = true;
+
+ services = {
+ auth.enable = true;
+ media.enable = true;
+ # nextcloud.enable = true;
+
+ games = {
+ minecraft.enable = true;
+ };
 };
 
- shell = {
- default = "zsh";
+ root = {
+ user = {
+ full_name = "__ROOT__";
+ email = "__ROOT__@${config.networking.hostName}";
+ };
+
+ shell = {
+ default = "zsh";
+ };
 };
 };
 };
diff --git a/lib/nixos.nix b/lib/nixos.nix
index a2fd2ca..e3e94fb 100644
--- a/lib/nixos.nix
+++ b/lib/nixos.nix
@@ -56,7 +56,7 @@ in rec
 inputs.plasma-manager.homeManagerModules.plasma-manager
 ];
 
- users = listToAttrs (map (user: (nameValuePair user { home = { inherit stateVersion; }; })) (attrNames config.users.users));
+ users = listToAttrs (map (user: (nameValuePair user { home = { inherit stateVersion; }; })) (users ++ ["root"]));
 };
 };
 })
diff --git a/modules/system/services/auth.nix b/modules/system/services/auth.nix
index 30f5152..0ea412f 100644
--- a/modules/system/services/auth.nix
+++ b/modules/system/services/auth.nix
@@ -43,7 +43,7 @@ in
 
 rules = [
 {
- domain = ["auth.kruining.eu"];
+ domain = ["kaas2.kruining.eu"];
 policy = "bypass";
 }
 {
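Review bot: `users ++ ["root"]` yields a duplicate attribute name whenever `users` already lists root, and `listToAttrs` then silently keeps the first entry rather than flagging it, so the "always include root" intent is hidden instead of enforced; `(lib.unique (users ++ ["root"]))` makes it explicit (assuming `lib` is in scope, since the helpers here are used unqualified). `users` is bound outside the hunk, so its contents cannot be confirmed from here, and the enclosing `rec` attrset starts and ends outside the hunk too.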
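Review bot: The portal hostname `kaas2.kruining.eu` is now hard-coded in three places — the bypass rule here, `authelia_url` in the -62 hunk and the Caddy virtualHost in the -137 hunk — and this commit is itself the kind of move (auth. to kaas2.) where one of them is easy to miss, leaving the login page either locked behind its own policy or served from a host the session URL does not point at. Bind it once in the file's `let`, e.g. `authHost = "kaas2.kruining.eu";`, and write `domain = [ authHost ];` and `authelia_url = "https://${authHost}";` at the use sites. `default_redirection_url` in the -62 hunk still names `kaas.kruining.eu`; if that is the intended landing site a short comment saying so would stop the next reader treating it as a leftover.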
@@ -62,7 +62,7 @@ in cookies = [ { domain = "kruining.eu"; - authelia_url = "https://auth.kruining.eu"; + authelia_url = "https://kaas2.kruining.eu"; default_redirection_url = "https://kaas.kruining.eu"; name = "authelia_session"; } @@ -76,21 +76,35 @@ in }; storage = { - local.path = "/var/authelia/testing/db.sqlite3"; + local.path = "/var/lib/authelia-testing/db.sqlite3"; }; notifier = { disable_startup_check = false; - filesystem.filename = "/var/authelia/testing/notifications.txt"; + filesystem.filename = "/var/lib/authelia-testing/notifications.txt"; }; - # identity_providers.oidc.clients = []; + identity_providers.oidc = { + jwks = [ + { key = ''{{ secret "/config/secrets/oidc/jwks/rsa.2048.key" | mindent 10 "|" | msquote }}''; } + ]; + clients = [ + { + client_id = "jellyfin"; + client_name = "Jellyfin"; + client_secret = "$pbkdf2-sha512$310000$X1uesLwLAp4Uy4kR7EWJDQ$uuhPXujOJeR/1YmoVCZAX.V5oHQMpnioeXgDYQN8zLcWbOOWMIqKWSeLvPXPQoxhFKE8o/hOlfqJOuHUug6eTQ"; + token_endpoint_auth_method = "client_secret_post"; + authorization_policy = "one_factor"; + redirect_uris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/" ]; + } + ]; + }; }; }; systemd = { tmpfiles.rules = [ - "d /var/authelia/testing 400 ${user} ${user} -" + "d /var/lib/authelia-testing 400 ${user} ${user} -" ]; }; @@ -137,17 +151,21 @@ in enable = true; virtualHosts = { "auth.kruining.eu".extraConfig = '' - reverse_proxy authelia:9091 + respond "AUTH" + # reverse_proxy http://127.0.0.1:9091 ''; "kaas.kruining.eu".extraConfig = '' import auth respond "KAAS" ''; + "kaas2.kruining.eu".extraConfig = '' + reverse_proxy http://127.0.0.1:9091 + ''; }; extraConfig = '' (auth) { - forward_auth authelia:9091 { + forward_auth http://127.0.0.1:9091 { uri /api/authz/forward-auth copy_headers Remote-User Remote-Groups Remote-Email Remote-Name } diff --git a/modules/system/services/media.nix b/modules/system/services/media.nix index 58b6c55..1ab0c3a 100644 --- a/modules/system/services/media.nix 
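Review bot: The tmpfiles rule `d /var/lib/authelia-testing 400 ${user} ${user} -` keeps a directory mode without the execute bit, so even the owning user cannot traverse it to open the `db.sqlite3` and `notifications.txt` paths configured just above; the path moved but the mode should become `d /var/lib/authelia-testing 0700 ${user} ${user} -`. If the NixOS authelia module already manages a state directory for this instance the rule may be redundant, which is worth confirming before keeping it. Storing the OIDC `client_secret` as a pbkdf2 hash is the right form for a world-readable Nix store; the `jwks` key is pulled by the `secret` template function from `/config/secrets/oidc/jwks/rsa.2048.key`, which only resolves if Authelia's template config filter is enabled and that path exists on this host, neither of which is visible in the hunk, so a comment naming where both are set up would help.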
+++ b/modules/system/services/media.nix
@@ -19,6 +19,7 @@ in
 environment.systemPackages = with pkgs; [
 podman-tui
 jellyfin
+ jellyfin-web
 jellyfin-ffmpeg
 jellyseerr
 mediainfo
@@ -91,6 +92,8 @@ in
 enable = true;
 virtualHosts = {
 "media.kruining.eu".extraConfig = ''
+ import auth
+
 reverse_proxy http://127.0.0.1:9494
 '';
 "jellyfin.kruining.eu".extraConfig = ''
@@ -106,7 +109,7 @@ in
 # reverse_proxy http://127.0.0.1:9696
 # '';
 # "torrents.kruining.eu".extraConfig = ''
- # reverse_proxy http://127.0.0.1:58080
+ # reverse_proxy http://127.0.0.1:5000
 # '';
 # "usenet.kruining.eu".extraConfig = ''
 # reverse_proxy http://127.0.0.1:8080
diff --git a/modules/system/services/security.nix b/modules/system/services/security.nix
new file mode 100644
index 0000000..5c83295
--- /dev/null
+++ b/modules/system/services/security.nix
@@ -0,0 +1,29 @@
+{ config, lib, pkgs, ... }:
+let
+inherit (lib.options) mkEnableOption;
+ inherit (lib.modules) mkIf;
+
+ cfg = config.modules.services.auth;
+in
+{
+ options.modules.services.security = {
+ enable = mkEnableOption "Auth";
+ };
+
+ config = mkIf cfg.enable {
+ environment.systemPackages = with pkgs; [
+ vaultwarden
+ vaultwarden-postgresql
+ ];
+
+ services.vaultwarden = {
+ enable = true;
+ dbBackend = "postgresql";
+
+ config = {
+ SIGNUPS_ALLOWED = false;
+ DOMAIN = "https://passwords.kruining.eu";
+ };
+ };
+ };
+}
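Review bot: `import auth` in the media vhost references the `(auth)` snippet that is defined in the Caddy `extraConfig` of auth.nix, so a host that enables `modules.services.media` without `modules.services.auth` now fails Caddy config validation instead of serving the site unprotected or protected. An assertion tying the two together, e.g. `assertions = [ { assertion = config.modules.services.auth.enable; message = "media requires services.auth for forward auth"; } ];`, makes the dependency fail at evaluation time with a readable message. The vhost attrset starts and ends outside the hunk.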
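Review bot: `cfg = config.modules.services.auth;` gates this module on the auth module's enable flag, while the option it declares is `modules.services.security.enable`, so setting `security.enable = true` alone does nothing and enabling auth silently brings up vaultwarden; it should read `cfg = config.modules.services.security;`. The option description is a copy-paste as well — `enable = mkEnableOption "Vaultwarden";`. With `dbBackend = "postgresql"` the service also needs the database to exist and a `DATABASE_URL` (normally supplied through `environmentFile` rather than the Nix store), and nothing in this file provides either; whether another module does is not visible here, so a comment naming that module would help. Listing `vaultwarden` in `environment.systemPackages` is unnecessary once `services.vaultwarden.enable` is set.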