This commit is contained in:
Lucy Hochkamp 2025-05-01 20:33:54 +02:00
parent e5ba903fe9
commit 1289e626d8
3 changed files with 170 additions and 161 deletions


@ -1,85 +1,90 @@
{ pkgs, config, lib, inputs, ... }: {
pkgs,
config,
lib,
inputs,
...
}:
{ {
imports = [ imports = [
inputs.quadlet-nix.nixosModules.quadlet inputs.quadlet-nix.nixosModules.quadlet
]; ];
ragon.agenix.secrets.ds9AuthentikEnv = { }; ragon.agenix.secrets.ds9AuthentikEnv = { };
ragon.agenix.secrets.ds9AuthentikLdapEnv = { }; ragon.agenix.secrets.ds9AuthentikLdapEnv = { };
virtualisation.quadlet = virtualisation.quadlet = {
{ containers = {
containers = { authentik-server.containerConfig.image = "ghcr.io/goauthentik/server:2025.2.3";
authentik-server.containerConfig.image = "ghcr.io/goauthentik/server:2025.2.3";
authentik-server.containerConfig.exec = "server"; authentik-server.containerConfig.exec = "server";
authentik-server.containerConfig.networks = [ authentik-server.containerConfig.networks = [
"podman" "podman"
"db-net" "db-net"
"authentik-net" "authentik-net"
]; ];
authentik-server.containerConfig.volumes = [ authentik-server.containerConfig.volumes = [
"authentik-media:/media" "authentik-media:/media"
"authentik-certs:/certs" "authentik-certs:/certs"
]; ];
authentik-server.containerConfig.environments = { authentik-server.containerConfig.environments = {
AUTHENTIK_REDIS__HOST = "authentik-redis"; AUTHENTIK_REDIS__HOST = "authentik-redis";
AUTHENTIK_POSTGRESQL__HOST = "postgres"; AUTHENTIK_POSTGRESQL__HOST = "postgres";
AUTHENTIK_POSTGRESQL__USER = "authentik"; AUTHENTIK_POSTGRESQL__USER = "authentik";
AUTHENTIK_POSTGRESQL__NAME = "authentik"; AUTHENTIK_POSTGRESQL__NAME = "authentik";
};
authentik-server.serviceConfig.TimeoutStartSec = "60";
authentik-server.containerConfig.environmentFiles = [
config.age.secrets.ds9AuthentikEnv.path
];
authentik-worker.containerConfig.image = "ghcr.io/goauthentik/server:2025.2.3";
authentik-worker.containerConfig.exec = "worker";
authentik-worker.containerConfig.networks = [
"podman"
"db-net"
"authentik-net"
];
authentik-worker.containerConfig.volumes = [
"authentik-media:/media"
"authentik-certs:/certs"
];
authentik-worker.containerConfig.environments = {
AUTHENTIK_REDIS__HOST = "authentik-redis";
AUTHENTIK_POSTGRESQL__HOST = "postgres";
AUTHENTIK_POSTGRESQL__USER = "authentik";
AUTHENTIK_POSTGRESQL__NAME = "authentik";
};
authentik-worker.containerConfig.environmentFiles = [
config.age.secrets.ds9AuthentikEnv.path
];
authentik-worker.serviceConfig.TimeoutStartSec = "60";
authentik-ldap.containerConfig.image = "ghcr.io/goauthentik/ldap:2025.2.3";
authentik-ldap.containerConfig.networks = [
"podman"
"authentik-net"
];
authentik-ldap.containerConfig.environments = {
AUTHENTIK_HOST = "http://authentik-server:9000";
AUTHENTIK_INSECURE = "true";
};
authentik-ldap.containerConfig.environmentFiles = [
config.age.secrets.ds9AuthentikLdapEnv.path
];
authentik-ldap.serviceConfig.TimeoutStartSec = "60";
authentik-redis.containerConfig.image = "docker.io/library/redis:alpine";
authentik-redis.containerConfig.networks = [
"authentik-net"
];
authentik-redis.containerConfig.volumes = [ "authentik-redis:/data" ];
authentik-redis.serviceConfig.TimeoutStartSec = "60";
}; };
networks = { authentik-server.serviceConfig.TimeoutStartSec = "60";
authentik.networkConfig.ipv6 = true; authentik-server.containerConfig.environmentFiles = [
authentik.networkConfig.name = "authentik-net"; config.age.secrets.ds9AuthentikEnv.path
authentik.networkConfig.internal = true; ];
authentik-worker.containerConfig.image = "ghcr.io/goauthentik/server:2025.2.3";
authentik-worker.containerConfig.exec = "worker";
authentik-worker.containerConfig.networks = [
"podman"
"db-net"
"authentik-net"
];
authentik-worker.containerConfig.volumes = [
"authentik-media:/media"
"authentik-certs:/certs"
];
authentik-worker.containerConfig.environments = {
AUTHENTIK_REDIS__HOST = "authentik-redis";
AUTHENTIK_POSTGRESQL__HOST = "postgres";
AUTHENTIK_POSTGRESQL__USER = "authentik";
AUTHENTIK_POSTGRESQL__NAME = "authentik";
}; };
authentik-worker.containerConfig.environmentFiles = [
config.age.secrets.ds9AuthentikEnv.path
];
authentik-worker.serviceConfig.TimeoutStartSec = "60";
authentik-ldap.containerConfig.image = "ghcr.io/goauthentik/ldap:2025.2.3";
authentik-ldap.containerConfig.networks = [
"podman"
"authentik-net"
];
authentik-ldap.containerConfig.environments = {
AUTHENTIK_HOST = "http://authentik-server:9000";
AUTHENTIK_INSECURE = "true";
};
authentik-ldap.containerConfig.environmentFiles = [
config.age.secrets.ds9AuthentikLdapEnv.path
];
authentik-ldap.serviceConfig.TimeoutStartSec = "60";
authentik-redis.containerConfig.image = "docker.io/library/redis:alpine";
authentik-redis.containerConfig.networks = [
"authentik-net"
];
authentik-redis.containerConfig.volumes = [ "authentik-redis:/data" ];
authentik-redis.serviceConfig.TimeoutStartSec = "60";
}; };
networks = {
authentik.networkConfig.ipv6 = true;
authentik.networkConfig.name = "authentik-net";
authentik.networkConfig.internal = true;
};
};
} }


@ -61,7 +61,7 @@ in
# ]; # ];
# }; # };
# postgres # postgres
boot.binfmt.emulatedSystems = ["aarch64-linux"]; boot.binfmt.emulatedSystems = [ "aarch64-linux" ];
ragon.agenix.secrets.ds9PostgresEnv = { }; ragon.agenix.secrets.ds9PostgresEnv = { };
systemd.services."podman-db-network" = { systemd.services."podman-db-network" = {
script = '' script = ''
@ -367,93 +367,97 @@ in
virtualisation.oci-containers.containers.copyparty = { virtualisation.oci-containers.containers.copyparty = {
image = "docker.io/copyparty/ac:latest"; image = "docker.io/copyparty/ac:latest";
extraOptions = [ "--network=podman" ]; extraOptions = [ "--network=podman" ];
ports = []; ports = [ ];
volumes = let copypartyCfg = '' volumes =
[global] let
xff-src: 10.88.0.1/24 copypartyCfg = ''
idp-h-usr: X-Authentik-Username [global]
idp-h-grp: X-Copyparty-Group xff-src: 10.88.0.1/24
e2dsa # enable file indexing and filesystem scanning idp-h-usr: X-Authentik-Username
e2ts # enable multimedia indexing idp-h-grp: X-Copyparty-Group
ansi # enable colors in log messages e2dsa # enable file indexing and filesystem scanning
re-maxage: 3600 # rescan every something e2ts # enable multimedia indexing
hist: /data/media/copyparty/cache ansi # enable colors in log messages
name: the gayest storage in the west re-maxage: 3600 # rescan every something
no-robots hist: /data/media/copyparty/cache
shr: /shr name: the gayest storage in the west
shr-adm: @admin no-robots
[/] shr: /shr
/data/media/copyparty/srv shr-adm: @admin
accs: [/]
A: @admin /data/media/copyparty/srv
[/noauth] # accessible without auth public accs:
/data/media/copyparty/srv/noauth A: @admin
accs: [/noauth] # accessible without auth public
A: @admin /data/media/copyparty/srv/noauth
g: * accs:
[/dump] A: @admin
/data/media/copyparty/srv/dump g: *
flags: [/dump]
dedup /data/media/copyparty/srv/dump
accs: flags:
A: @admin dedup
w: * accs:
[/pub] A: @admin
/data/media/copyparty/srv/pub w: *
flags: [/pub]
dedup /data/media/copyparty/srv/pub
accs: flags:
A: @admin dedup
rw: * accs:
[/tv] A: @admin
/data/media/tv rw: *
flags: [/tv]
hist: /data/media/copyparty/hist/tv /data/media/tv
accs: flags:
r: * hist: /data/media/copyparty/hist/tv
[/movies] accs:
/data/media/movies r: *
flags: [/movies]
hist: /data/media/copyparty/hist/movies /data/media/movies
accs: flags:
r: * hist: /data/media/copyparty/hist/movies
[/books] accs:
/data/media/books r: *
flags: [/books]
hist: /data/media/copyparty/hist/books /data/media/books
accs: flags:
r: * hist: /data/media/copyparty/hist/books
[/audiobooks] accs:
/data/media/audiobooks r: *
flags: [/audiobooks]
hist: /data/media/copyparty/hist/audiobooks /data/media/audiobooks
accs: flags:
r: * hist: /data/media/copyparty/hist/audiobooks
[/music] accs:
/data/media/music r: *
flags: [/music]
hist: /data/media/copyparty/hist/music /data/media/music
accs: flags:
r: * hist: /data/media/copyparty/hist/music
[/games] accs:
/data/media/games r: *
flags: [/games]
hist: /data/media/copyparty/hist/games /data/media/games
accs: flags:
r: * hist: /data/media/copyparty/hist/games
''; cpp = pkgs.writeText "copyparty.conf" copypartyCfg; in accs:
[ r: *
'';
cpp = pkgs.writeText "copyparty.conf" copypartyCfg;
in
[
"/data/media/tv:/data/media/tv:ro" "/data/media/tv:/data/media/tv:ro"
"/data/media/movies:/data/media/movies:ro" "/data/media/movies:/data/media/movies:ro"
"/data/media/audiobooks:/data/media/audiobooks:ro" "/data/media/audiobooks:/data/media/audiobooks:ro"
"/data/media/books:/data/media/books:ro" "/data/media/books:/data/media/books:ro"
"/data/media/games:/data/media/games:ro" "/data/media/games:/data/media/games:ro"
"/data/media/beets:/data/media/music:ro" "/data/media/beets:/data/media/music:ro"
"/data/media/copyparty:/data/media/copyparty" "/data/media/copyparty:/data/media/copyparty"
"/data/media/copyparty/cfg:/cfg" "/data/media/copyparty/cfg:/cfg"
"${cpp}:/cfg/copyparty.conf" "${cpp}:/cfg/copyparty.conf"
]; ];
}; };
} }


@ -219,7 +219,7 @@ in
} }
@immich host immich.hailsatan.eu @immich host immich.hailsatan.eu
handle @immich { handle @immich {
import podmanRedirWithAuth http://immich-server:2283 import podmanRedir http://immich-server:2283
} }
@cd host cd.hailsatan.eu @cd host cd.hailsatan.eu
handle @cd { handle @cd {
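Review bot: The `handle @immich` block now imports `podmanRedir` instead of `podmanRedirWithAuth`, which (going by the snippet names; their definitions are outside this hunk) drops the reverse-proxy-side authentication gate for immich.hailsatan.eu and leaves the service to enforce its own login on every route it exposes. Nothing in the commit records why, so the next reader cannot tell a deliberate exposure from a slip; a one-line comment above the `import` such as `# immich: served without the forward-auth snippet on purpose — <reason, e.g. client compatibility>` (reason to be filled in by the author) would make the intent reviewable. It is also worth confirming that any unauthenticated paths immich serves are acceptable to expose now that the proxy no longer fronts them, since the other `handle` blocks in this file presumably still use the authenticated variant. The surrounding site block starts and ends outside the hunk.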