moved mail

2025-07-17 00:35:44 +02:00 · 2025-07-17 00:35:44 +02:00 · 032072374b
commit 032072374b
parent c46903e3a0
35 changed files with 511 additions and 324 deletions
--- a/nixos/README.md
+++ b/nixos/README.md
@ -1,4 +1,4 @@
-nixos-rebuild switch --flake .#traefik --target-host root@192.168.1.171 --verbose
+nixos-rebuild switch --flake .#traefik --target-host root@traefik.lab --verbose
 nixos-rebuild switch --flake .#proxmox --target-host root@192.168.1.205 --verbose
 nixos-rebuild switch --flake .#sandbox --target-host root@sandbox.lab --verbose
 nixos-rebuild switch --flake .#monitoring --target-host root@monitor.lab --verbose
@ -6,6 +6,7 @@ nixos-rebuild switch --flake .#forgejo --target-host root@forgejo.lab --verbose
 nixos-rebuild switch --flake .#dns --target-host root@192.168.1.140 --verbose
 nixos-rebuild switch --flake .#keycloak --target-host root@keycloak.lab --verbose
 nixos-rebuild switch --flake .#mail --target-host root@mail.lab --verbose
+nixos-rebuild switch --flake .#media --target-host root@media.lab --verbose

 nixos-rebuild switch --flake .#runner01 --target-host root@forgejo-runner-01.lab --verbose

--- a/nixos/configuration.nix
+++ b/nixos/configuration.nix
@ -1,6 +1,10 @@
-{ config, pkgs, modulesPath, lib, ... }:
-
 {
+  config,
+  pkgs,
+  modulesPath,
+  lib,
+  ...
+}: {
  ########################################################################
  # IMPORTS & PROFILE
  #
@ -30,9 +34,8 @@
    services.qemuGuest.enable = lib.mkDefault true;

    # GRUB on the “boot drive”
-    # Both live and template should install a bootloader on /dev/disk/by-label/nixos.
    boot.loader.grub.enable = lib.mkDefault true;
-    boot.loader.grub.devices = [ "nodev" ];
+    boot.loader.grub.devices = ["nodev"];

    # Grow the root partition on first boot
    boot.growPartition = lib.mkDefault true;
@ -53,16 +56,16 @@
    # Root’s SSH authorized_keys (copy your own keys here)
    # Both live & template will install these, so you can ssh in.
    users.users.root.openssh.authorizedKeys.keys = [
-        # ← Replace these with your actual public keys
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCeg/n/vst9KME8byhxX2FhA+FZNQ60W38kkNt45eNzK5zFqBYuwo1nDXVanJSh9unRvB13b+ygpZhrb4sHvkETGWiEioc49MiWr8czEhu6Wpo0vv5MAJkiYvGZUYPdUW52jUzWcYdw8PukG2rowrxL5G0CmsqLwHMPU2FyeCe5aByFI/JZb8R80LoEacgjUiipJcoLWUVgG2koMomHClqGu+16kB8nL5Ja3Kc9lgLfDK7L0A5R8JXhCjrlEsmXbxZmwDKuxvjDAZdE9Sl1VZmMDfWkyrRlenrt01eR3t3Fec6ziRm5ZJk9e2Iu1DPoz+PoHH9aZGVwmlvvnr/gMF3OILxcqb0qx+AYlCCnb6D6pJ9zufhZkKcPRS1Q187F6fz+v2oD1xLZWFHJ92+7ItM0WmbDOHOC29s5EA6wNm3iXZCq86OI3n6T34njDtPqh6Z7Pk2sdK4GBwnFj4KwEWXvdKZKSX1qb2EVlEBE9QI4Gf3eg4SiBu2cAFt3nOSzs8c= asol\\dbs@ALPHA-DBS-P14sG2"
-        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+U3DWOrklcA8n8wdbLBGyli5LsJI3dpL2Zod8mx8eOdC4H127ZT1hzuk2uSmkic4c73BykPyQv8rcqwaRGW94xdMRanKmHYxnbHXo5FBiGrCkNlNNZuahthAGO49c6sUhJMq0eLhYOoFWjtf15sr5Zu7Ug2YTUL3HXB1o9PZ3c9sqYHo2rC/Il1x2j3jNAMKST/qUZYySvdfNJEeQhMbQcdoKJsShcE3oGRL6DFBoV/mjJAJ+wuDhGLDnqi79nQjYfbYja1xKcrKX+D3MfkFxFl6ZIzomR1t75AnZ+09oaWcv1J7ehZ3h9PpDBFNXvzyLwDBMNS+UYcH6SyFjkUbF David@NZXT"
-        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICUP7m8jZJiclZGfSje8CeBYFhX10SrdtjYziuChmj1X plasmagoat@macbook-air"
+      # ← Replace these with your actual public keys
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCeg/n/vst9KME8byhxX2FhA+FZNQ60W38kkNt45eNzK5zFqBYuwo1nDXVanJSh9unRvB13b+ygpZhrb4sHvkETGWiEioc49MiWr8czEhu6Wpo0vv5MAJkiYvGZUYPdUW52jUzWcYdw8PukG2rowrxL5G0CmsqLwHMPU2FyeCe5aByFI/JZb8R80LoEacgjUiipJcoLWUVgG2koMomHClqGu+16kB8nL5Ja3Kc9lgLfDK7L0A5R8JXhCjrlEsmXbxZmwDKuxvjDAZdE9Sl1VZmMDfWkyrRlenrt01eR3t3Fec6ziRm5ZJk9e2Iu1DPoz+PoHH9aZGVwmlvvnr/gMF3OILxcqb0qx+AYlCCnb6D6pJ9zufhZkKcPRS1Q187F6fz+v2oD1xLZWFHJ92+7ItM0WmbDOHOC29s5EA6wNm3iXZCq86OI3n6T34njDtPqh6Z7Pk2sdK4GBwnFj4KwEWXvdKZKSX1qb2EVlEBE9QI4Gf3eg4SiBu2cAFt3nOSzs8c= asol\\dbs@ALPHA-DBS-P14sG2"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+U3DWOrklcA8n8wdbLBGyli5LsJI3dpL2Zod8mx8eOdC4H127ZT1hzuk2uSmkic4c73BykPyQv8rcqwaRGW94xdMRanKmHYxnbHXo5FBiGrCkNlNNZuahthAGO49c6sUhJMq0eLhYOoFWjtf15sr5Zu7Ug2YTUL3HXB1o9PZ3c9sqYHo2rC/Il1x2j3jNAMKST/qUZYySvdfNJEeQhMbQcdoKJsShcE3oGRL6DFBoV/mjJAJ+wuDhGLDnqi79nQjYfbYja1xKcrKX+D3MfkFxFl6ZIzomR1t75AnZ+09oaWcv1J7ehZ3h9PpDBFNXvzyLwDBMNS+UYcH6SyFjkUbF David@NZXT"
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICUP7m8jZJiclZGfSje8CeBYFhX10SrdtjYziuChmj1X plasmagoat@macbook-air"
    ];

    # Default filesystem on
    fileSystems."/" = lib.mkDefault {
      device = "/dev/disk/by-label/nixos";
-      autoResize = true;   # grow on first boot
+      autoResize = true; # grow on first boot
      fsType = "ext4";
    };

@ -72,23 +75,23 @@

    # Default set of packages
    environment.systemPackages = with pkgs; [
-      vim    # emergencies
-      git    # pulling flakes, code
-      curl   # downloading things
-      python3  # for Ansible if needed on live VM
+      vim # emergencies
+      git # pulling flakes, code
+      curl # downloading things
+      python3 # for Ansible if needed on live VM
    ];

    # Nix settings (cache, experimental, gc)
-    nix.settings.trusted-users = [ "root" "@wheel" ];
-    nix.settings.experimental-features = [ "nix-command" "flakes" ];
+    nix.settings.trusted-users = ["root" "@wheel"];
+    nix.settings.experimental-features = ["nix-command" "flakes"];
    nix.extraOptions = ''
-        experimental-features = nix-command flakes
-        keep-outputs = true
-        keep-derivations = true
+      experimental-features = nix-command flakes
+      keep-outputs = true
+      keep-derivations = true
    '';
    nix.gc.automatic = true;
-    nix.gc.dates     = "weekly";
-    nix.gc.options   = "--delete-older-than 7d";
+    nix.gc.dates = "weekly";
+    nix.gc.options = "--delete-older-than 7d";

    # mDNS with avahi to enable .local dns
    services.avahi = {
@ -104,7 +107,7 @@
      ipv6 = false;
    };

-    networking.firewall.allowedUDPPorts = [ 5353 ];
+    networking.firewall.allowedUDPPorts = [5353];

    # State version (set to match the Nixpkgs you’re using)
    system.stateVersion = lib.mkDefault "25.05";
--- a/nixos/hosts/dns/dnsmasq.nix
+++ b/nixos/hosts/dns/dnsmasq.nix
@ -30,6 +30,7 @@
        # Static IPs
        "/dns.lab/192.168.1.53"
        "/traefik.lab/192.168.1.80"
+        "/mail.lab/192.168.1.25"
        # "/proxmox-01.lab/192.168.1.205"
        # "/nas-01.lab/192.168.1.226"

--- a/nixos/hosts/mail/host.nix
+++ b/nixos/hosts/mail/host.nix
@ -1,14 +0,0 @@
-{
-  config,
-  pkgs,
-  modulesPath,
-  lib,
-  ...
-}: {
-  imports = [
-    ../../templates/base.nix
-    ./networking.nix
-    ./sops.nix
-    ./mailserver.nix
-  ];
-}
--- a/nixos/hosts/mail/mailserver.nix
+++ b/nixos/hosts/mail/mailserver.nix
@ -1,39 +0,0 @@
-{
-  config,
-  pkgs,
-  ...
-}: {
-  imports = [
-    (builtins.fetchTarball {
-      # Pick a release version you are interested in and set its hash, e.g.
-      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-25.05/nixos-mailserver-nixos-25.05.tar.gz";
-      # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
-      # release="nixos-25.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
-      sha256 = "0jpp086m839dz6xh6kw5r8iq0cm4nd691zixzy6z11c4z2vf8v85";
-    })
-  ];
-
-  mailserver = {
-    enable = true;
-    fqdn = "mail.procopius.dk";
-    domains = ["procopius.dk"];
-
-    # A list of all login accounts. To create the password hashes, use
-    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
-    loginAccounts = {
-      "admin@procopius.dk" = {
-        hashedPasswordFile = config.sops.secrets.mailserver-admin-pass.path;
-        aliases = [
-          "@procopius.dk"
-          "postmaster@procopius.dk"
-        ];
-      };
-    };
-
-    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
-    # down nginx and opens port 80.
-    certificateScheme = "acme-nginx";
-  };
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "david.mikael@proton.me";
-}
--- a/nixos/hosts/mail/networking.nix
+++ b/nixos/hosts/mail/networking.nix
@ -1,8 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  networking.hostName = "mail";
-}
--- a/nixos/hosts/mail/sops.nix
+++ b/nixos/hosts/mail/sops.nix
@ -1,8 +0,0 @@
-{...}: let
-  mailserverSops = ../../secrets/mailserver/secrets.yml;
-in {
-  sops.secrets.mailserver-admin-pass = {
-    sopsFile = mailserverSops;
-    mode = "0440";
-  };
-}
--- a/nixos/hosts/media/nixarr.nix
+++ b/nixos/hosts/media/nixarr.nix
@ -1,7 +1,9 @@
 {config, ...}: {
-  services.sonarr.settings = {
-    auth.method = "External";
-  };
+  services.sonarr.settings.auth.method = "External";
+  services.radarr.settings.auth.method = "External";
+  services.lidarr.settings.auth.method = "External";
+  services.readarr.settings.auth.method = "External";
+  services.prowlarr.settings.auth.method = "External";

  nixarr = {
    enable = true;
--- a/nixos/hosts/traefik/configuration/auth/routers.nix
+++ b/nixos/hosts/traefik/configuration/auth/routers.nix
@ -13,19 +13,10 @@
    tls.certResolver = "letsencrypt";
  };

-  oauth2proxy = {
-    rule = "Host(`radarr.procopius.dk`) && PathPrefix(`/oauth2/`)";
-    service = "oauth2proxy";
+  lldap = {
+    rule = "Host(`lldap.procopius.dk`)";
+    service = "lldap";
    entryPoints = ["websecure"];
-    middlewares = ["auth-headers"];
-    tls.certResolver = "letsencrypt";
-  };
-
-  oauth2route = {
-    rule = "Host(`oauth.procopius.dk`)";
-    service = "oauth2proxy";
-    entryPoints = ["websecure"];
-    middlewares = ["auth-headers"];
    tls.certResolver = "letsencrypt";
  };
 }
--- a/nixos/hosts/traefik/configuration/auth/services.nix
+++ b/nixos/hosts/traefik/configuration/auth/services.nix
@ -1,6 +1,6 @@
 {
  keycloak.loadBalancer.servers = [{url = "http://keycloak.lab:8080";}];
-  oauth2proxy.loadBalancer.servers = [{url = "http://localhost:4180";}];

  authelia.loadBalancer.servers = [{url = "http://auth.lab:9091";}];
+  lldap.loadBalancer.servers = [{url = "http://auth.lab:17170";}];
 }
--- a/nixos/hosts/traefik/configuration/infra/routers.nix
+++ b/nixos/hosts/traefik/configuration/infra/routers.nix
@ -3,7 +3,7 @@
    rule = "Host(`traefik.procopius.dk`)";
    service = "traefik";
    entryPoints = ["websecure"];
-    middlewares = ["oauth-auth"];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };

@ -25,7 +25,7 @@
    rule = "Host(`proxmox.procopius.dk`)";
    service = "proxmox";
    entryPoints = ["websecure"];
-    middlewares = ["oauth-auth"];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };
  nas = {
--- a/nixos/hosts/traefik/configuration/media-center/routers.nix
+++ b/nixos/hosts/traefik/configuration/media-center/routers.nix
@ -6,14 +6,18 @@
    tls.certResolver = "letsencrypt";
  };

+  jellyseerr = {
+    rule = "Host(`jellyseerr.procopius.dk`)";
+    service = "jellyseerr";
+    entryPoints = ["websecure"];
+    tls.certResolver = "letsencrypt";
+  };
+
  radarr = {
    rule = "Host(`radarr.procopius.dk`)";
    service = "radarr";
    entryPoints = ["websecure"];
-    middlewares = [
-      "oauth-auth"
-      "restrict-admin"
-    ];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };

@ -21,15 +25,39 @@
    rule = "Host(`sonarr.procopius.dk`)";
    service = "sonarr";
    entryPoints = ["websecure"];
-    middlewares = ["oauth-auth"];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };

-  jellyseerr = {
-    rule = "Host(`jellyseerr.procopius.dk`)";
-    service = "jellyseerr";
+  prowlarr = {
+    rule = "Host(`prowlarr.procopius.dk`)";
+    service = "prowlarr";
    entryPoints = ["websecure"];
-    # middlewares = ["oauth-auth"];
+    middlewares = ["authelia"];
+    tls.certResolver = "letsencrypt";
+  };
+
+  bazarr = {
+    rule = "Host(`bazarr.procopius.dk`)";
+    service = "bazarr";
+    entryPoints = ["websecure"];
+    middlewares = ["authelia"];
+    tls.certResolver = "letsencrypt";
+  };
+
+  lidarr = {
+    rule = "Host(`lidarr.procopius.dk`)";
+    service = "lidarr";
+    entryPoints = ["websecure"];
+    middlewares = ["authelia"];
+    tls.certResolver = "letsencrypt";
+  };
+
+  readarr = {
+    rule = "Host(`readarr.procopius.dk`)";
+    service = "readarr";
+    entryPoints = ["websecure"];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };
 }
--- a/nixos/hosts/traefik/configuration/media-center/services.nix
+++ b/nixos/hosts/traefik/configuration/media-center/services.nix
@ -1,6 +1,11 @@
 {
  jellyfin.loadBalancer.servers = [{url = "http://media.lab:8096";}];
+  jellyseerr.loadBalancer.servers = [{url = "http://media.lab:5055";}];
+
  radarr.loadBalancer.servers = [{url = "http://media.lab:7878";}];
  sonarr.loadBalancer.servers = [{url = "http://media.lab:8989";}];
-  jellyseerr.loadBalancer.servers = [{url = "http://media.lab:5055";}];
+  readarr.loadBalancer.servers = [{url = "http://media.lab:8787";}];
+  lidarr.loadBalancer.servers = [{url = "http://media.lab:8686";}];
+  bazarr.loadBalancer.servers = [{url = "http://media.lab:6767";}];
+  prowlarr.loadBalancer.servers = [{url = "http://media.lab:9696";}];
 }
--- a/nixos/hosts/traefik/configuration/middlewares.nix
+++ b/nixos/hosts/traefik/configuration/middlewares.nix
@ -19,25 +19,16 @@ in {
    };
  };

-  oauth-auth = {
+  authelia = {
    forwardAuth = {
-      address = "http://localhost:4180/";
+      address = "http://auth.lab:9091/api/authz/forward-auth";
      trustForwardHeader = true;
      authResponseHeaders = [
-        "Authorization"
-        "X-Auth-Request-Access-Token"
-        "X-Auth-Request-User"
-        "X-Auth-Request-Email"
-        "X-Auth-Request-Preferred-Username" # Recommended
-        "X-Auth-Request-Access-Token" # If you want to pass the token
-        "X-Auth-Request-Groups" # If you configured a mapper in Keycloak to emit groups
+        "Remote-User"
+        "Remote-Groups"
+        "Remote-Email"
+        "Remote-Name"
      ];
    };
  };
-
-  restrict-admin = {
-    forwardAuth = {
-      address = "http://localhost:4180/oauth2/auth?allowed_groups=role:admin";
-    };
-  };
 }
--- a/nixos/hosts/traefik/configuration/monitoring/routers.nix
+++ b/nixos/hosts/traefik/configuration/monitoring/routers.nix
@ -3,7 +3,7 @@
    rule = "Host(`prometheus.procopius.dk`)";
    service = "prometheus";
    entryPoints = ["websecure"];
-    middlewares = ["oauth-auth"];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };
  grafana = {
@ -16,14 +16,14 @@
    rule = "Host(`alertmanager.procopius.dk`)";
    service = "alertmanager";
    entryPoints = ["websecure"];
-    middlewares = ["oauth-auth"];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };
  gatus = {
    rule = "Host(`gatus.procopius.dk`)";
    service = "gatus";
    entryPoints = ["websecure"];
-    middlewares = ["oauth-auth"];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };
  umami = {
--- a/nixos/hosts/traefik/host.nix
+++ b/nixos/hosts/traefik/host.nix
@ -11,6 +11,5 @@
    ./traefik.nix
    ./promtail.nix
    ./sops.nix
-    ./oauth2proxy.nix
  ];
 }
--- a/nixos/hosts/traefik/oauth2proxy.nix
+++ b/nixos/hosts/traefik/oauth2proxy.nix
@ -1,76 +0,0 @@
-# /etc/nixos/configuration.nix
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: let
-  oauth2ProxyKeyFile = config.sops.secrets."oauth2-proxy-env".path;
-in {
-  services.oauth2-proxy = {
-    enable = true;
-    package = pkgs.oauth2-proxy;
-
-    keyFile = oauth2ProxyKeyFile;
-
-    provider = "keycloak-oidc"; # Use "oidc" for standard OIDC providers like Keycloak
-    oidcIssuerUrl = "https://keycloak.procopius.dk/realms/homelab";
-    clientID = "oauth2-proxy"; # Matches the client ID in Keycloak
-
-    # Public URL for oauth2-proxy itself, where Keycloak redirects back to
-    redirectURL = "https://oauth.procopius.dk/oauth2/callback";
-    upstream = ["static://202"];
-    extraConfig = {
-      code-challenge-method = "S256";
-      # email-domain = "*";
-      auth-logging = true;
-      request-logging = true;
-      whitelist-domain = ".procopius.dk";
-      pass-host-header = true;
-      skip-provider-button = true;
-    };
-
-    # Cookie configuration
-    cookie = {
-      name = "_oauth2_proxy_homelab";
-      domain = ".procopius.dk";
-      secure = true;
-      httpOnly = true;
-      expire = "24h";
-      refresh = "1h";
-    };
-
-    # Listen address for oauth2-proxy internally. Traefik will forward to this.
-    httpAddress = "http://127.0.0.1:4180"; # Ensure this port is not blocked by your firewall internally
-
-    # Reverse proxy settings for headers
-    reverseProxy = true; # Set to true because it's behind Traefik
-
-    # Headers to set for the upstream applications after successful authentication
-    setXauthrequest = true; # Set X-Auth-Request-User, X-Auth-Request-Email etc.
-    passBasicAuth = true; # Pass HTTP Basic Auth headers
-    passHostHeader = true; # Pass the original Host header to the upstream
-
-    # Authorization rules for who can access
-    # You can restrict by email domain (allows everyone from that domain)
-    email.domains = ["*"]; # Allows any authenticated user from Keycloak
-    # Or restrict by specific email addresses (if you want tighter control):
-    # email.addresses = allowedOauth2ProxyEmails;
-
-    # Logging
-    requestLogging = true;
-
-    # Optional: If you use specific scopes for Keycloak (e.g., if you want groups claim)
-    # scope = "openid profile email";
-    # If you specifically added a 'groups' claim in Keycloak:
-    scope = "openid profile email";
-
-    # You can add extra command-line flags here if needed, e.g., for debug logging
-    # extraConfig = {
-    #
-    # };
-  };
-
-  # Expose the internal port for oauth2-proxy if needed for debugging or direct access (less common)
-  networking.firewall.allowedTCPPorts = [4180];
-}