diff --git a/hosts/ds9/authentik.nix b/hosts/ds9/authentik.nix
index fa0b946f..b1f34059 100644
--- a/hosts/ds9/authentik.nix
+++ b/hosts/ds9/authentik.nix
@@ -1,85 +1,90 @@ -{ pkgs, config, lib, inputs, ... }: +{ + pkgs, + config, + lib, + inputs, + ... +}: { imports = [ inputs.quadlet-nix.nixosModules.quadlet ]; ragon.agenix.secrets.ds9AuthentikEnv = { }; ragon.agenix.secrets.ds9AuthentikLdapEnv = { }; - virtualisation.quadlet = - { - containers = { - authentik-server.containerConfig.image = "ghcr.io/goauthentik/server:2025.2.3"; + virtualisation.quadlet = { + containers = { + authentik-server.containerConfig.image = "ghcr.io/goauthentik/server:2025.2.3"; - authentik-server.containerConfig.exec = "server"; - authentik-server.containerConfig.networks = [ - "podman" - "db-net" - "authentik-net" - ]; - authentik-server.containerConfig.volumes = [ - "authentik-media:/media" - "authentik-certs:/certs" - ]; - authentik-server.containerConfig.environments = { - AUTHENTIK_REDIS__HOST = "authentik-redis"; - AUTHENTIK_POSTGRESQL__HOST = "postgres"; - AUTHENTIK_POSTGRESQL__USER = "authentik"; - AUTHENTIK_POSTGRESQL__NAME = "authentik"; + authentik-server.containerConfig.exec = "server"; + authentik-server.containerConfig.networks = [ + "podman" + "db-net" + "authentik-net" + ]; + authentik-server.containerConfig.volumes = [ + "authentik-media:/media" + "authentik-certs:/certs" + ]; + authentik-server.containerConfig.environments = { + AUTHENTIK_REDIS__HOST = "authentik-redis"; + AUTHENTIK_POSTGRESQL__HOST = "postgres"; + AUTHENTIK_POSTGRESQL__USER = "authentik"; + AUTHENTIK_POSTGRESQL__NAME = "authentik"; - }; - authentik-server.serviceConfig.TimeoutStartSec = "60"; - authentik-server.containerConfig.environmentFiles = [ - config.age.secrets.ds9AuthentikEnv.path - ]; - authentik-worker.containerConfig.image = "ghcr.io/goauthentik/server:2025.2.3"; - - authentik-worker.containerConfig.exec = "worker"; - authentik-worker.containerConfig.networks = [ - "podman" - "db-net" - "authentik-net" - ]; - authentik-worker.containerConfig.volumes = [ - "authentik-media:/media" - "authentik-certs:/certs" - ]; - 
authentik-worker.containerConfig.environments = { - AUTHENTIK_REDIS__HOST = "authentik-redis"; - AUTHENTIK_POSTGRESQL__HOST = "postgres"; - AUTHENTIK_POSTGRESQL__USER = "authentik"; - AUTHENTIK_POSTGRESQL__NAME = "authentik"; - - }; - authentik-worker.containerConfig.environmentFiles = [ - config.age.secrets.ds9AuthentikEnv.path - ]; - authentik-worker.serviceConfig.TimeoutStartSec = "60"; - authentik-ldap.containerConfig.image = "ghcr.io/goauthentik/ldap:2025.2.3"; - - authentik-ldap.containerConfig.networks = [ - "podman" - "authentik-net" - ]; - authentik-ldap.containerConfig.environments = { - AUTHENTIK_HOST = "http://authentik-server:9000"; - AUTHENTIK_INSECURE = "true"; - }; - authentik-ldap.containerConfig.environmentFiles = [ - config.age.secrets.ds9AuthentikLdapEnv.path - ]; - authentik-ldap.serviceConfig.TimeoutStartSec = "60"; - authentik-redis.containerConfig.image = "docker.io/library/redis:alpine"; - authentik-redis.containerConfig.networks = [ - "authentik-net" - - ]; - authentik-redis.containerConfig.volumes = [ "authentik-redis:/data" ]; - authentik-redis.serviceConfig.TimeoutStartSec = "60"; }; - networks = { - authentik.networkConfig.ipv6 = true; - authentik.networkConfig.name = "authentik-net"; - authentik.networkConfig.internal = true; + authentik-server.serviceConfig.TimeoutStartSec = "60"; + authentik-server.containerConfig.environmentFiles = [ + config.age.secrets.ds9AuthentikEnv.path + ]; + authentik-worker.containerConfig.image = "ghcr.io/goauthentik/server:2025.2.3"; + + authentik-worker.containerConfig.exec = "worker"; + authentik-worker.containerConfig.networks = [ + "podman" + "db-net" + "authentik-net" + ]; + authentik-worker.containerConfig.volumes = [ + "authentik-media:/media" + "authentik-certs:/certs" + ]; + authentik-worker.containerConfig.environments = { + AUTHENTIK_REDIS__HOST = "authentik-redis"; + AUTHENTIK_POSTGRESQL__HOST = "postgres"; + AUTHENTIK_POSTGRESQL__USER = "authentik"; + AUTHENTIK_POSTGRESQL__NAME = "authentik"; 
+ }; + authentik-worker.containerConfig.environmentFiles = [ + config.age.secrets.ds9AuthentikEnv.path + ]; + authentik-worker.serviceConfig.TimeoutStartSec = "60"; + authentik-ldap.containerConfig.image = "ghcr.io/goauthentik/ldap:2025.2.3"; + + authentik-ldap.containerConfig.networks = [ + "podman" + "authentik-net" + ]; + authentik-ldap.containerConfig.environments = { + AUTHENTIK_HOST = "http://authentik-server:9000"; + AUTHENTIK_INSECURE = "true"; + }; + authentik-ldap.containerConfig.environmentFiles = [ + config.age.secrets.ds9AuthentikLdapEnv.path + ]; + authentik-ldap.serviceConfig.TimeoutStartSec = "60"; + authentik-redis.containerConfig.image = "docker.io/library/redis:alpine"; + authentik-redis.containerConfig.networks = [ + "authentik-net" + + ]; + authentik-redis.containerConfig.volumes = [ "authentik-redis:/data" ]; + authentik-redis.serviceConfig.TimeoutStartSec = "60"; }; + networks = { + authentik.networkConfig.ipv6 = true; + authentik.networkConfig.name = "authentik-net"; + authentik.networkConfig.internal = true; + }; + }; } diff --git a/hosts/ds9/containers.nix b/hosts/ds9/containers.nix index 68859c84..879329f2 100644 --- a/hosts/ds9/containers.nix +++ b/hosts/ds9/containers.nix @@ -61,7 +61,7 @@ in # ]; # }; # postgres - boot.binfmt.emulatedSystems = ["aarch64-linux"]; + boot.binfmt.emulatedSystems = [ "aarch64-linux" ]; ragon.agenix.secrets.ds9PostgresEnv = { }; systemd.services."podman-db-network" = { script = '' 
@@ -367,93 +367,97 @@ in virtualisation.oci-containers.containers.copyparty = { image = "docker.io/copyparty/ac:latest"; extraOptions = [ "--network=podman" ]; - ports = []; - volumes = let copypartyCfg = '' - [global] - xff-src: 10.88.0.1/24 - idp-h-usr: X-Authentik-Username - idp-h-grp: X-Copyparty-Group - e2dsa # enable file indexing and filesystem scanning - e2ts # enable multimedia indexing - ansi # enable colors in log messages - re-maxage: 3600 # rescan every something - hist: /data/media/copyparty/cache - name: the gayest storage in the west - no-robots - shr: /shr - shr-adm: @admin - [/] - /data/media/copyparty/srv - accs: - A: @admin - [/noauth] # accessible without auth public - /data/media/copyparty/srv/noauth - accs: - A: @admin - g: * - [/dump] - /data/media/copyparty/srv/dump - flags: - dedup - accs: - A: @admin - w: * - [/pub] - /data/media/copyparty/srv/pub - flags: - dedup - accs: - A: @admin - rw: * - [/tv] - /data/media/tv - flags: - hist: /data/media/copyparty/hist/tv - accs: - r: * - [/movies] - /data/media/movies - flags: - hist: /data/media/copyparty/hist/movies - accs: - r: * - [/books] - /data/media/books - flags: - hist: /data/media/copyparty/hist/books - accs: - r: * - [/audiobooks] - /data/media/audiobooks - flags: - hist: /data/media/copyparty/hist/audiobooks - accs: - r: * - [/music] - /data/media/music - flags: - hist: /data/media/copyparty/hist/music - accs: - r: * - [/games] - /data/media/games - flags: - hist: /data/media/copyparty/hist/games - accs: - r: * - ''; cpp = pkgs.writeText "copyparty.conf" copypartyCfg; in - [ + ports = [ ]; + volumes = + let + copypartyCfg = '' + [global] + xff-src: 10.88.0.1/24 + idp-h-usr: X-Authentik-Username + idp-h-grp: X-Copyparty-Group + e2dsa # enable file indexing and filesystem scanning + e2ts # enable multimedia indexing + ansi # enable colors in log messages + re-maxage: 3600 # rescan every something + hist: /data/media/copyparty/cache + name: the gayest storage in the west + no-robots + 
shr: /shr + shr-adm: @admin + [/] + /data/media/copyparty/srv + accs: + A: @admin + [/noauth] # accessible without auth public + /data/media/copyparty/srv/noauth + accs: + A: @admin + g: * + [/dump] + /data/media/copyparty/srv/dump + flags: + dedup + accs: + A: @admin + w: * + [/pub] + /data/media/copyparty/srv/pub + flags: + dedup + accs: + A: @admin + rw: * + [/tv] + /data/media/tv + flags: + hist: /data/media/copyparty/hist/tv + accs: + r: * + [/movies] + /data/media/movies + flags: + hist: /data/media/copyparty/hist/movies + accs: + r: * + [/books] + /data/media/books + flags: + hist: /data/media/copyparty/hist/books + accs: + r: * + [/audiobooks] + /data/media/audiobooks + flags: + hist: /data/media/copyparty/hist/audiobooks + accs: + r: * + [/music] + /data/media/music + flags: + hist: /data/media/copyparty/hist/music + accs: + r: * + [/games] + /data/media/games + flags: + hist: /data/media/copyparty/hist/games + accs: + r: * + ''; + cpp = pkgs.writeText "copyparty.conf" copypartyCfg; + in + [ - "/data/media/tv:/data/media/tv:ro" - "/data/media/movies:/data/media/movies:ro" - "/data/media/audiobooks:/data/media/audiobooks:ro" - "/data/media/books:/data/media/books:ro" - "/data/media/games:/data/media/games:ro" - "/data/media/beets:/data/media/music:ro" - "/data/media/copyparty:/data/media/copyparty" - "/data/media/copyparty/cfg:/cfg" - "${cpp}:/cfg/copyparty.conf" - ]; + "/data/media/tv:/data/media/tv:ro" + "/data/media/movies:/data/media/movies:ro" + "/data/media/audiobooks:/data/media/audiobooks:ro" + "/data/media/books:/data/media/books:ro" + "/data/media/games:/data/media/games:ro" + "/data/media/beets:/data/media/music:ro" + "/data/media/copyparty:/data/media/copyparty" + "/data/media/copyparty/cfg:/cfg" + "${cpp}:/cfg/copyparty.conf" + ]; }; } diff --git a/hosts/ds9/default.nix b/hosts/ds9/default.nix index d88c73cf..d7f095ba 100644 --- a/hosts/ds9/default.nix +++ b/hosts/ds9/default.nix 
@@ -219,7 +219,7 @@ in
 }
 @immich host immich.hailsatan.eu
 handle @immich {
- import podmanRedirWithAuth http://immich-server:2283
+ import podmanRedir http://immich-server:2283
 }
 @cd host cd.hailsatan.eu
 handle @cd {
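Review bot: Replacing `podmanRedirWithAuth` with `podmanRedir` on the `handle @immich` block removes whatever authentication gate the `…WithAuth` snippet placed in front of `immich.hailsatan.eu`, so Immich's own login page and API are now reached directly from the internet, and the commit gives no reason for the change. If the motivation is that Immich's mobile clients cannot work behind a forward-auth proxy (a common reason), record it next to the block so the exception is deliberate and visible, e.g. `# no forward-auth here: Immich clients authenticate with their own session/API key`. The definitions of `podmanRedir` and `podmanRedirWithAuth` are outside this hunk, so the difference is inferred from the names only; confirm that `podmanRedir` keeps the same TLS/redirect behaviour and that Immich has OAuth to Authentik or MFA configured now that password login is no longer shielded. The enclosing `let … in` Caddy configuration string starts and ends outside this hunk.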