plasmagoat/homelab
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

moved mail
Some checks failed
Test / tests (push) Has been cancelled
Details

Browse source
This commit is contained in:
plasmagoat 2025-07-17 00:35:44 +02:00
parent c46903e3a0
commit 032072374b
35 changed files with 511 additions and 324 deletions
Download patch file Download diff file Expand all files Collapse all files

98
machines/auth/authelia.nix
View file

@ -14,21 +14,91 @@ in {
enable = true;
settings = {
theme = "auto";
server = {
buffers = {
read = 16384;
write = 16384;
};
};
authentication_backend.ldap = {
implementation = "lldap";
address = "ldap://localhost:3890";
base_dn = "dc=procopius,dc=dk";
users_filter = "(&({username_attribute}={input})(objectClass=person))";
groups_filter = "(member={dn})";
user = "uid=authelia,ou=people,dc=procopius,dc=dk";
};
definitions = {
network = {
internal = [
"192.168.1.0/24"
];
};
};
access_control = {
default_policy = "deny";
# We want this rule to be low priority so it doesn't override the others
rules = lib.mkAfter [
{
domain = "*.procopius.dk";
domain = [
"proxmox.procopius.dk"
"traefik.procopius.dk"
"prometheus.procopius.dk"
"alertmanager.procopius.dk"
];
policy = "one_factor";
subject = [
["group:server-admin"]
];
}
# bypass /api and /ping
{
domain = ["*.procopius.dk"];
policy = "bypass";
resources = [
"^/api$"
"^/api/"
"^/ping$"
];
}
# media
{
domain = [
"sonarr.procopius.dk"
"radarr.procopius.dk"
"readarr.procopius.dk"
"lidarr.procopius.dk"
"bazarr.procopius.dk"
"prowlarr.procopius.dk"
];
policy = "one_factor";
subject = [
["group:media-admin"]
];
}
# authenticated
{
domain = [
"gatus.procopius.dk"
];
policy = "one_factor";
}
# bypass auth internally
# {
# domain = [
# "gatus.procopius.dk"
# "prometheus.procopius.dk"
# "alertmanager.procopius.dk"
# "sonarr.procopius.dk"
# "radarr.procopius.dk"
# "readarr.procopius.dk"
# "lidarr.procopius.dk"
# "bazarr.procopius.dk"
# "prowlarr.procopius.dk"
# ];
# policy = "bypass";
# networks = [
# "internal"
# ];
# }
];
};
storage.postgres = {
@ -58,8 +128,8 @@ in {
};
notifier.smtp = {
address = "smtp://mail.procopius.dk";
username = "admin@procopius.dk";
sender = "auth@procopius.dk";
username = "authelia@procopius.dk";
sender = "authelia@procopius.dk";
};
log.level = "info";
# identity_providers.oidc = {
@ -97,24 +167,9 @@ in {
environmentVariables = with config.sops; {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
secrets."authelia/lldap_authelia_password".path;
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = secrets."authelia/smtp_authelia_password".path;
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = secrets.smtp-password_authelia.path;
};
};
# caddy = {
# virtualHosts."auth.procopius.cc".extraConfig = ''
# reverse_proxy :9091
# '';
# # A Caddy snippet that can be imported to enable Authelia in front of a service
# # Taken from https://www.authelia.com/integration/proxies/caddy/#subdomain
# extraConfig = ''
# (auth) {
# forward_auth :9091 {
# uri /api/authz/forward-auth
# copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
# }
# }
# '';
# };
};
# Give Authelia access to the Redis socket
@ -142,7 +197,6 @@ in {
"authelia/storage_encryption_key".owner = authelia;
# The password for the `authelia` LLDAP user
"authelia/lldap_authelia_password".owner = authelia;
"authelia/smtp_authelia_password".owner = authelia;
smtp-password_authelia = {
owner = authelia;
key = "service_accounts/authelia/password";

39
machines/auth/bootstrap/default.nix
View file

@ -1,39 +0,0 @@
{
pkgs,
config,
...
}: {
systemd.services.lldap-bootstrap = {
description = "Bootstraps LLDAP users";
requires = ["lldap.service"];
serviceConfig = {
DynamicUser = true;
Type = "oneshot";
ProtectSystem = "strict";
ProtectHome = true;
PrivateUsers = true;
PrivateTmp = true;
LoadCredential = "inadyn.conf:${config.sops.templates."inadyn.conf".path}";
CacheDirectory = "inadyn";
ExecStart = ''
export LLDAP_URL=http://localhost:8080
export LLDAP_ADMIN_USERNAME=admin
export LLDAP_ADMIN_PASSWORD=changeme
export USER_CONFIGS_DIR="$(realpath ./configs/user)"
export GROUP_CONFIGS_DIR="$(realpath ./configs/group)"
export USER_SCHEMAS_DIR="$(realpath ./configs/user-schema)"
export GROUP_SCHEMAS_DIR="$(realpath ./configs/group-schema)"
export LLDAP_SET_PASSWORD_PATH="$(realpath ./lldap_set_password)"
export DO_CLEANUP=false
./bootstrap.sh
${pkgs.inadyn}/bin/inadyn \
--foreground \
--syslog \
--once \
--cache-dir ''${CACHE_DIRECTORY} \
--config ''${CREDENTIALS_DIRECTORY}/inadyn.conf
'';
};
};
}

14
machines/auth/bootstrap/group-configs.nix
View file

@ -1,12 +1,24 @@
{config, ...}: {
{
sops.templates."default-groups.json" = {
content = ''
{
"name": "mail"
}
{
"name": "git-user"
}
{
"name": "git-admin"
}
{
"name": "media-user"
}
{
"name": "media-admin"
}
{
"name": "server-admin"
}
'';
path = "/bootstrap/group-configs/default-groups.json";
owner = "lldap";

1
machines/auth/bootstrap/lldap-bootstrap.nix
View file

@ -7,6 +7,7 @@
cfg = config.services.lldapBootstrap;
in {
imports = [
./service-accounts.nix
./user-configs.nix
./group-configs.nix
];

51
machines/auth/bootstrap/service-accounts.nix Normal file
View file

@ -0,0 +1,51 @@
{config, ...}: {
sops.secrets."service_accounts/authelia/password" = {};
sops.secrets."service_accounts/forgejo/password" = {};
sops.secrets."service_accounts/jellyfin/password" = {};
sops.secrets."service_accounts/mail/password" = {};
sops.templates."service-accounts.json" = {
content = ''
{
"id": "authelia",
"email": "authelia@procopius.dk",
"password": "${config.sops.placeholder."service_accounts/authelia/password"}",
"displayName": "Authelia",
"groups": [
"lldap_password_manager",
"mail"
]
}
{
"id": "forgejo",
"email": "forgejo@procopius.dk",
"password": "${config.sops.placeholder."service_accounts/forgejo/password"}",
"displayName": "Forgejo",
"groups": [
"lldap_password_manager",
"mail"
]
}
{
"id": "jellyfin",
"email": "jellyfin@procopius.dk",
"password": "${config.sops.placeholder."service_accounts/jellyfin/password"}",
"displayName": "Jellyfin",
"groups": [
"lldap_password_manager"
]
}
{
"id": "mail",
"email": "mail@procopius.dk",
"password": "${config.sops.placeholder."service_accounts/mail/password"}",
"displayName": "NixOS Mailserver",
"groups": [
"lldap_password_manager",
"mail"
]
}
'';
path = "/bootstrap/user-configs/service-accounts.json";
owner = "lldap";
};
}

49
machines/auth/bootstrap/user-configs.nix
View file

@ -1,28 +1,47 @@
{config, ...}: {
sops.secrets."service_accounts/authelia/password" = {};
sops.secrets."service_accounts/forgejo/password" = {};
sops.templates."service-accounts.json" = {
{
sops.templates."user-configs.json" = {
content = ''
{
"id": "authelia",
"email": "authelia@procopius.dk",
"password": "${config.sops.placeholder."service_accounts/authelia/password"}",
"displayName": "Authelia",
"id": "plasmagoat",
"email": "david.mikael@proton.me",
"displayName": "David",
"groups": [
"lldap_password_manager"
"media-user",
"media-admin",
"git-user",
"git-admin",
"server-admin"
]
}
{
"id": "forgejo",
"email": "forgejo@procopius.dk",
"password": "${config.sops.placeholder."service_accounts/forgejo/password"}",
"displayName": "Forgejo",
"id": "kurisudanoda",
"email": "iluvmizuki@gmail.com",
"displayName": "Noda",
"groups": [
"lldap_password_manager"
"media-user",
"git-user"
]
}
{
"id": "dannydannydanny",
"email": "powerhouseplayer@gmail.com",
"displayName": "Danny",
"groups": [
"media-user",
"git-user"
]
}
{
"id": "stocksking",
"email": "ethanstocks9@gmail.com",
"displayName": "Ethan",
"groups": [
"media-user",
"git-user"
]
}
'';
path = "/bootstrap/user-configs/service-accounts.json";
path = "/bootstrap/user-configs/user-configs.json";
owner = "lldap";
};
}

19
machines/mail/definition.nix Normal file
View file

@ -0,0 +1,19 @@
{
imports = [
./mailserver.nix
];
networking = {
interfaces.eth0.ipv4.addresses = [
{
address = "192.168.1.25";
prefixLength = 24;
}
];
nameservers = ["192.168.1.53"];
defaultGateway = "192.168.1.1";
};
deployment.targetHost = "192.168.1.25";
system.stateVersion = "25.05";
}

37
machines/mail/mailserver.nix Normal file
View file

@ -0,0 +1,37 @@
{config, ...}: {
sops.secrets."service_accounts/mail/password" = {};
mailserver = {
enable = true;
stateVersion = 3;
fqdn = "mail.procopius.dk";
domains = ["procopius.dk"];
localDnsResolver = false;
ldap = {
enable = true;
uris = [
"ldap://auth.lab:3890"
];
bind = {
dn = "cn=mail,ou=people,dc=procopius,dc=dk";
passwordFile = config.sops.secrets."service_accounts/mail/password".path;
};
postfix = {
filter = "(&(objectClass=person)(memberOf=cn=mail,ou=groups,dc=procopius,dc=dk)(|(mail=%s)(mail-alias=%s)))"; # Will require MR!351 for aliases to work properly
mailAttribute = "mail";
};
dovecot = {
userFilter = "(&(objectClass=person)(memberOf=cn=mail,ou=groups,dc=procopius,dc=dk)(mail=%u))";
passFilter = "(&(objectClass=person)(memberOf=cn=mail,ou=groups,dc=procopius,dc=dk)(mail=%u))";
};
searchBase = "ou=people,dc=procopius,dc=dk";
};
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.
certificateScheme = "acme-nginx";
};
security.acme.acceptTerms = true;
security.acme.defaults.email = "david.mikael@proton.me";
}

4
machines/modules/journal-log.nix
View file

@ -1,7 +1,7 @@
{
lib,
config,
nodes,
# nodes,
# name,
# meta,
...
@ -21,7 +21,7 @@ in {
};
clientUrl = mkOption {
type = types.string;
type = types.str;
default = "http://monitor.lab:3100/loki/api/v1/push";
};

44
machines/monitor/gatus.nix
View file

@ -18,11 +18,51 @@
}
{
name = "sonarr";
url = "https://sonarr.procopius.dk/health";
url = "https://sonarr.procopius.dk/ping";
interval = "5m";
conditions = [
"[STATUS] == 200"
"[BODY] == Healthy"
"[BODY].status == OK"
"[RESPONSE_TIME] < 300"
];
}
{
name = "radarr";
url = "https://radarr.procopius.dk/ping";
interval = "5m";
conditions = [
"[STATUS] == 200"
"[BODY].status == OK"
"[RESPONSE_TIME] < 300"
];
}
{
name = "lidarr";
url = "https://lidarr.procopius.dk/ping";
interval = "5m";
conditions = [
"[STATUS] == 200"
"[BODY].status == OK"
"[RESPONSE_TIME] < 300"
];
}
{
name = "readarr";
url = "https://readarr.procopius.dk/ping";
interval = "5m";
conditions = [
"[STATUS] == 200"
"[BODY].status == OK"
"[RESPONSE_TIME] < 300"
];
}
{
name = "prowlarr";
url = "https://prowlarr.procopius.dk/ping";
interval = "5m";
conditions = [
"[STATUS] == 200"
"[BODY].status == OK"
"[RESPONSE_TIME] < 300"
];
}

8
machines/monitor/grafana.nix
View file

@ -1,10 +1,4 @@
{
config,
pkgs,
modulesPath,
lib,
...
}: {
{config, ...}: {
# Add grafana user to the inlfuxdb2 group (for secret)
users.users.grafana.extraGroups = ["influxdb2"];
services.grafana.enable = true;

6
machines/monitor/influxdb.nix
View file

@ -1,8 +1,4 @@
{
config,
pkgs,
...
}: let
{config, ...}: let
influxdbPassword = config.sops.secrets."influxdb/password".path;
influxdbToken = config.sops.secrets."influxdb/token".path;
in {

8
machines/monitor/prometheus.nix
View file

@ -1,10 +1,4 @@
{
config,
pkgs,
modulesPath,
lib,
...
}: let
{pkgs, ...}: let
monitor_hostname = "monitor.lab";
traefik_hostname = "traefik.lab";
sandbox_hostname = "sandbox.lab";

6
machines/monitor/promtail.nix
View file

@ -1,8 +1,4 @@
{
config,
pkgs,
...
}: let
{config, ...}: let
promtail_port = 9080;
in {
networking.firewall.allowedTCPPorts = [promtail_port];