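{ config, modulesPath, lib, pkgs, ... }:
# NixOS host "tien": a QEMU-backed VPS fronted by Caddy (public HTTPS), running
# Authelia + lldap for SSO/identity, headscale as tailnet control plane, searx,
# and the tailscale client. Only TCP 80/443 are open to the internet; the
# remaining services are loopback-only or reachable via tailscale0.
{
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
    ./vps-disk-config.nix
  ];

  boot.loader.grub = {
    # no need to set devices, disko will add all devices that have a EF02 partition to the list already
    # devices = [ ];
    efiSupport = true;
    efiInstallAsRemovable = true;
  };

  environment.systemPackages = with pkgs; [
    authelia
    curl
    vim
  ];

  networking.hostName = "tien";
  # do not use DHCP, as dashserv provisions IPs using cloud-init (see service below)
  networking.useDHCP = pkgs.lib.mkForce false;

  networking.firewall = {
    enable = true;
    # Only Caddy is reachable from the internet.
    allowedTCPPorts = [ 80 443 ];
    # NOTE(review): a trusted interface bypasses the firewall entirely, so every
    # tailnet peer can reach ANY port on this host (searx on 8888 and anything
    # else bound to 0.0.0.0 — confirm what else listens there). Keep this only
    # if every tailnet member is fully trusted; otherwise remove it and expose
    # the few needed ports via `interfaces.tailscale0.allowedTCPPorts`.
    trustedInterfaces = [ "tailscale0" ];
  };

  services.authelia.instances.main = {
    enable = true;

    # Secret material. Never build these with pkgs.writeText: the result lands in
    # /nix/store, which is world-readable on the host and may be pushed to a
    # binary cache. Each path below must exist on the host only (sops-nix /
    # agenix or hand-provisioned), be root:root mode 0400, and hold a long random
    # value (e.g. `openssl rand -hex 64`). The module passes them to the service
    # as systemd credentials, so root-only access is sufficient.
    secrets = {
      jwtSecretFile = "/var/lib/authelia-main/secrets/jwt_secret";
      storageEncryptionKeyFile = "/var/lib/authelia-main/secrets/storage_encryption_key";
      sessionSecretFile = "/var/lib/authelia-main/secrets/session_secret";
    };

    # The LDAP bind password is read from a file too: `settings` is rendered into
    # /nix/store and must stay free of secrets. Authelia reads this file itself
    # (not via systemd credentials), so it must be readable by the service user
    # (authelia-main), mode 0400.
    environmentVariables = {
      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = "/var/lib/authelia-main/secrets/ldap_password";
    };

    settings = {
      theme = "auto";
      default_redirection_url = "https://auth.johannes-rothe.de";
      server = {
        # Loopback only; Caddy terminates TLS and proxies to this port.
        host = "127.0.0.1";
        port = 9091;
      };
      log = {
        # "debug" writes request details (usernames, headers) to the journal;
        # run at "info" and raise the level only while troubleshooting.
        level = "info";
        format = "text";
      };
      authentication_backend = {
        #file = {
        #  path = "/var/lib/authelia-main/users_database.yml";
        #};
        password_reset.disable = false;
        refresh_interval = "1m";
        ldap = {
          implementation = "custom";
          # Plaintext LDAP is acceptable here only because lldap runs on this
          # same host and is reached over loopback (see services.lldap). Do not
          # point this at a remote server without start_tls or ldaps://.
          url = "ldap://localhost:3890";
          timeout = "5s";
          start_tls = false;
          base_dn = "dc=accounts,dc=johannes-rothe,dc=de";
          additional_users_dn = "ou=people";
          users_filter = "(&({username_attribute}={input})(objectClass=person))";
          additional_groups_dn = "ou=groups";
          groups_filter = "(member={dn})";
          display_name_attribute = "displayName";
          username_attribute = "uid";
          group_name_attribute = "cn";
          mail_attribute = "mail";
          # "bind_user" should be the username you created for authentication with the "lldap_strict_readonly" permission. It is not recommended to use an actual admin account here.
          # If you are configuring Authelia to change user passwords, then the account used here needs the "lldap_password_manager" permission instead.
          user = "uid=bind_user,ou=people,dc=accounts,dc=johannes-rothe,dc=de";
          # The bind password is supplied through
          # AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE (environmentVariables
          # above); see https://www.authelia.com/docs/configuration/secrets.html
          # password = "...";  # never put it here: settings end up in /nix/store
        };
      };
      access_control = {
        # Fail closed: a host without an explicit rule is refused rather than
        # opened to every LDAP account. Add one rule per protected host.
        default_policy = "deny";
        rules = [
          #{
          #  domain = ["auth.example.com"];
          #  policy = "bypass";
          #}
          #{
          #  domain = ["*.example.com"];
          #  policy = "one_factor";
          #}
        ];
      };
      session = {
        name = "authelia_session";
        expiration = "12h";
        inactivity = "45m";
        remember_me_duration = "1M";
        # Cookie domain. Must be a parent of the portal (auth.johannes-rothe.de)
        # and of every protected host, otherwise the session cookie is never sent
        # back and logins loop. "example.com" was a leftover template value.
        domain = "johannes-rothe.de";
        redis.host = "/run/redis-authelia-main/redis.sock";
      };
      regulation = {
        # Lock an account for 15 minutes after 3 failed attempts within 5 minutes.
        max_retries = 3;
        find_time = "5m";
        ban_time = "15m";
      };
      storage = {
        local = {
          path = "/var/lib/authelia-main/db.sqlite3";
        };
      };
      notifier = {
        disable_startup_check = false;
        # Password-reset / 2FA enrolment links are written to this file instead
        # of being mailed; it is as sensitive as the secrets above.
        filesystem = {
          filename = "/var/lib/authelia-main/notification.txt";
        };
      };
    };
  };

  services.redis.servers.authelia-main = {
    enable = true;
    user = "authelia-main";
    # TCP disabled; only the authelia-main user can open the socket.
    port = 0;
    unixSocket = "/run/redis-authelia-main/redis.sock";
    unixSocketPerm = 600;
  };

  services.headscale = {
    enable = true;
    # Loopback only: clients reach headscale through Caddy at server_url, so
    # there is no reason to expose the plain-HTTP listener on other interfaces.
    address = "127.0.0.1";
    port = 8080;
    settings = {
      dns_config.base_domain = "johannes-rothe.de";
      server_url = "https://headscale.johannes-rothe.de";
    };
  };

  services.caddy = {
    enable = true;
    # Assembled at eval time so the address is not trivially scraped from the repo.
    email = lib.strings.concatStrings [ "mail" "@" "johannes-rothe.de" ];
    virtualHosts = {
      "johannes-rothe.de".extraConfig = ''
        reverse_proxy base:11112
      '';
      "www.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:11112
      '';
      #"accounts.johannes-rothe.de".extraConfig = ''
      #  reverse_proxy localhost:9095
      #'';
      #"auth.johannes-rothe.de".extraConfig = ''
      #  reverse_proxy localhost:9091
      #'';
      "cloud.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:5002
      '';
      "feeds.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:1990
      '';
      "git.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:3001
      '';
      #"headscale.johannes-rothe.de".extraConfig = ''
      #  reverse_proxy localhost:8080
      #'';
      "radicale.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:5232
      '';
    };
  };

  services.cloud-init = {
    enable = true;
    network.enable = true;
    settings = {
      hostname = "tien";
    };
  };

  services.lldap = {
    enable = true;
    # NOTE(review): no admin password / JWT secret is configured for lldap here,
    # so it starts with its built-in defaults — confirm and provision them
    # out-of-store (e.g. via `services.lldap.environmentFile` with
    # LLDAP_LDAP_USER_PASS_FILE / LLDAP_JWT_SECRET_FILE) before exposing the UI.
    settings = {
      http_host = "127.0.0.1";
      http_port = 9095;
      http_url = "https://accounts.johannes-rothe.de";
      # Authelia connects via ldap://localhost:3890, so the LDAP listener need
      # not be reachable from any other interface.
      ldap_host = "127.0.0.1";
      ldap_base_dn = "dc=accounts,dc=johannes-rothe,dc=de";
    };
  };

  services.searx = {
    enable = true;
    redisCreateLocally = true;
    # Holds `SEARX_SECRET_KEY=<long random value>`; keep it off /nix/store,
    # root-owned, mode 0400. The module substitutes @VAR@ placeholders in
    # `settings` from this file at service start.
    environmentFile = "/var/lib/searx/searx.env";
    settings.server = {
      # Bound on all interfaces so it is usable over tailscale0; the firewall
      # keeps 8888 closed to the internet (only 80/443 are allowed).
      bind_address = "0.0.0.0";
      port = 8888;
      # Signs searx's own tokens; a fixed low-entropy value like "localonly"
      # makes them forgeable by anyone who can read this file.
      secret_key = "@SEARX_SECRET_KEY@";
    };
  };

  services.tailscale.enable = true;

  system.stateVersion = "24.05";
}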