moved mail

2025-07-17 00:35:44 +02:00 · 2025-07-17 00:35:44 +02:00 · 032072374b
commit 032072374b
parent c46903e3a0
35 changed files with 511 additions and 324 deletions
--- a/nixos/hosts/dns/dnsmasq.nix
+++ b/nixos/hosts/dns/dnsmasq.nix
@ -30,6 +30,7 @@
        # Static IPs
        "/dns.lab/192.168.1.53"
        "/traefik.lab/192.168.1.80"
+        "/mail.lab/192.168.1.25"
        # "/proxmox-01.lab/192.168.1.205"
        # "/nas-01.lab/192.168.1.226"

--- a/nixos/hosts/mail/host.nix
+++ b/nixos/hosts/mail/host.nix
@ -1,14 +0,0 @@
-{
-  config,
-  pkgs,
-  modulesPath,
-  lib,
-  ...
-}: {
-  imports = [
-    ../../templates/base.nix
-    ./networking.nix
-    ./sops.nix
-    ./mailserver.nix
-  ];
-}
--- a/nixos/hosts/mail/mailserver.nix
+++ b/nixos/hosts/mail/mailserver.nix
@ -1,39 +0,0 @@
-{
-  config,
-  pkgs,
-  ...
-}: {
-  imports = [
-    (builtins.fetchTarball {
-      # Pick a release version you are interested in and set its hash, e.g.
-      url = "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/nixos-25.05/nixos-mailserver-nixos-25.05.tar.gz";
-      # To get the sha256 of the nixos-mailserver tarball, we can use the nix-prefetch-url command:
-      # release="nixos-25.05"; nix-prefetch-url "https://gitlab.com/simple-nixos-mailserver/nixos-mailserver/-/archive/${release}/nixos-mailserver-${release}.tar.gz" --unpack
-      sha256 = "0jpp086m839dz6xh6kw5r8iq0cm4nd691zixzy6z11c4z2vf8v85";
-    })
-  ];
-
-  mailserver = {
-    enable = true;
-    fqdn = "mail.procopius.dk";
-    domains = ["procopius.dk"];
-
-    # A list of all login accounts. To create the password hashes, use
-    # nix-shell -p mkpasswd --run 'mkpasswd -sm bcrypt'
-    loginAccounts = {
-      "admin@procopius.dk" = {
-        hashedPasswordFile = config.sops.secrets.mailserver-admin-pass.path;
-        aliases = [
-          "@procopius.dk"
-          "postmaster@procopius.dk"
-        ];
-      };
-    };
-
-    # Use Let's Encrypt certificates. Note that this needs to set up a stripped
-    # down nginx and opens port 80.
-    certificateScheme = "acme-nginx";
-  };
-  security.acme.acceptTerms = true;
-  security.acme.defaults.email = "david.mikael@proton.me";
-}
--- a/nixos/hosts/mail/networking.nix
+++ b/nixos/hosts/mail/networking.nix
@ -1,8 +0,0 @@
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: {
-  networking.hostName = "mail";
-}
--- a/nixos/hosts/mail/sops.nix
+++ b/nixos/hosts/mail/sops.nix
@ -1,8 +0,0 @@
-{...}: let
-  mailserverSops = ../../secrets/mailserver/secrets.yml;
-in {
-  sops.secrets.mailserver-admin-pass = {
-    sopsFile = mailserverSops;
-    mode = "0440";
-  };
-}
--- a/nixos/hosts/media/nixarr.nix
+++ b/nixos/hosts/media/nixarr.nix
@ -1,7 +1,9 @@
 {config, ...}: {
-  services.sonarr.settings = {
-    auth.method = "External";
-  };
+  services.sonarr.settings.auth.method = "External";
+  services.radarr.settings.auth.method = "External";
+  services.lidarr.settings.auth.method = "External";
+  services.readarr.settings.auth.method = "External";
+  services.prowlarr.settings.auth.method = "External";

  nixarr = {
    enable = true;
--- a/nixos/hosts/traefik/configuration/auth/routers.nix
+++ b/nixos/hosts/traefik/configuration/auth/routers.nix
@ -13,19 +13,10 @@
    tls.certResolver = "letsencrypt";
  };

-  oauth2proxy = {
-    rule = "Host(`radarr.procopius.dk`) && PathPrefix(`/oauth2/`)";
-    service = "oauth2proxy";
+  lldap = {
+    rule = "Host(`lldap.procopius.dk`)";
+    service = "lldap";
    entryPoints = ["websecure"];
-    middlewares = ["auth-headers"];
-    tls.certResolver = "letsencrypt";
-  };
-
-  oauth2route = {
-    rule = "Host(`oauth.procopius.dk`)";
-    service = "oauth2proxy";
-    entryPoints = ["websecure"];
-    middlewares = ["auth-headers"];
    tls.certResolver = "letsencrypt";
  };
 }
--- a/nixos/hosts/traefik/configuration/auth/services.nix
+++ b/nixos/hosts/traefik/configuration/auth/services.nix
@ -1,6 +1,6 @@
 {
  keycloak.loadBalancer.servers = [{url = "http://keycloak.lab:8080";}];
-  oauth2proxy.loadBalancer.servers = [{url = "http://localhost:4180";}];

  authelia.loadBalancer.servers = [{url = "http://auth.lab:9091";}];
+  lldap.loadBalancer.servers = [{url = "http://auth.lab:17170";}];
 }
--- a/nixos/hosts/traefik/configuration/infra/routers.nix
+++ b/nixos/hosts/traefik/configuration/infra/routers.nix
@ -3,7 +3,7 @@
    rule = "Host(`traefik.procopius.dk`)";
    service = "traefik";
    entryPoints = ["websecure"];
-    middlewares = ["oauth-auth"];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };

@ -25,7 +25,7 @@
    rule = "Host(`proxmox.procopius.dk`)";
    service = "proxmox";
    entryPoints = ["websecure"];
-    middlewares = ["oauth-auth"];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };
  nas = {
--- a/nixos/hosts/traefik/configuration/media-center/routers.nix
+++ b/nixos/hosts/traefik/configuration/media-center/routers.nix
@ -6,14 +6,18 @@
    tls.certResolver = "letsencrypt";
  };

+  jellyseerr = {
+    rule = "Host(`jellyseerr.procopius.dk`)";
+    service = "jellyseerr";
+    entryPoints = ["websecure"];
+    tls.certResolver = "letsencrypt";
+  };
+
  radarr = {
    rule = "Host(`radarr.procopius.dk`)";
    service = "radarr";
    entryPoints = ["websecure"];
-    middlewares = [
-      "oauth-auth"
-      "restrict-admin"
-    ];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };

@ -21,15 +25,39 @@
    rule = "Host(`sonarr.procopius.dk`)";
    service = "sonarr";
    entryPoints = ["websecure"];
-    middlewares = ["oauth-auth"];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };

-  jellyseerr = {
-    rule = "Host(`jellyseerr.procopius.dk`)";
-    service = "jellyseerr";
+  prowlarr = {
+    rule = "Host(`prowlarr.procopius.dk`)";
+    service = "prowlarr";
    entryPoints = ["websecure"];
-    # middlewares = ["oauth-auth"];
+    middlewares = ["authelia"];
+    tls.certResolver = "letsencrypt";
+  };
+
+  bazarr = {
+    rule = "Host(`bazarr.procopius.dk`)";
+    service = "bazarr";
+    entryPoints = ["websecure"];
+    middlewares = ["authelia"];
+    tls.certResolver = "letsencrypt";
+  };
+
+  lidarr = {
+    rule = "Host(`lidarr.procopius.dk`)";
+    service = "lidarr";
+    entryPoints = ["websecure"];
+    middlewares = ["authelia"];
+    tls.certResolver = "letsencrypt";
+  };
+
+  readarr = {
+    rule = "Host(`readarr.procopius.dk`)";
+    service = "readarr";
+    entryPoints = ["websecure"];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };
 }
--- a/nixos/hosts/traefik/configuration/media-center/services.nix
+++ b/nixos/hosts/traefik/configuration/media-center/services.nix
@ -1,6 +1,11 @@
 {
  jellyfin.loadBalancer.servers = [{url = "http://media.lab:8096";}];
+  jellyseerr.loadBalancer.servers = [{url = "http://media.lab:5055";}];
+
  radarr.loadBalancer.servers = [{url = "http://media.lab:7878";}];
  sonarr.loadBalancer.servers = [{url = "http://media.lab:8989";}];
-  jellyseerr.loadBalancer.servers = [{url = "http://media.lab:5055";}];
+  readarr.loadBalancer.servers = [{url = "http://media.lab:8787";}];
+  lidarr.loadBalancer.servers = [{url = "http://media.lab:8686";}];
+  bazarr.loadBalancer.servers = [{url = "http://media.lab:6767";}];
+  prowlarr.loadBalancer.servers = [{url = "http://media.lab:9696";}];
 }
--- a/nixos/hosts/traefik/configuration/middlewares.nix
+++ b/nixos/hosts/traefik/configuration/middlewares.nix
@ -19,25 +19,16 @@ in {
    };
  };

-  oauth-auth = {
+  authelia = {
    forwardAuth = {
-      address = "http://localhost:4180/";
+      address = "http://auth.lab:9091/api/authz/forward-auth";
      trustForwardHeader = true;
      authResponseHeaders = [
-        "Authorization"
-        "X-Auth-Request-Access-Token"
-        "X-Auth-Request-User"
-        "X-Auth-Request-Email"
-        "X-Auth-Request-Preferred-Username" # Recommended
-        "X-Auth-Request-Access-Token" # If you want to pass the token
-        "X-Auth-Request-Groups" # If you configured a mapper in Keycloak to emit groups
+        "Remote-User"
+        "Remote-Groups"
+        "Remote-Email"
+        "Remote-Name"
      ];
    };
  };
-
-  restrict-admin = {
-    forwardAuth = {
-      address = "http://localhost:4180/oauth2/auth?allowed_groups=role:admin";
-    };
-  };
 }
--- a/nixos/hosts/traefik/configuration/monitoring/routers.nix
+++ b/nixos/hosts/traefik/configuration/monitoring/routers.nix
@ -3,7 +3,7 @@
    rule = "Host(`prometheus.procopius.dk`)";
    service = "prometheus";
    entryPoints = ["websecure"];
-    middlewares = ["oauth-auth"];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };
  grafana = {
@ -16,14 +16,14 @@
    rule = "Host(`alertmanager.procopius.dk`)";
    service = "alertmanager";
    entryPoints = ["websecure"];
-    middlewares = ["oauth-auth"];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };
  gatus = {
    rule = "Host(`gatus.procopius.dk`)";
    service = "gatus";
    entryPoints = ["websecure"];
-    middlewares = ["oauth-auth"];
+    middlewares = ["authelia"];
    tls.certResolver = "letsencrypt";
  };
  umami = {
--- a/nixos/hosts/traefik/host.nix
+++ b/nixos/hosts/traefik/host.nix
@ -11,6 +11,5 @@
    ./traefik.nix
    ./promtail.nix
    ./sops.nix
-    ./oauth2proxy.nix
  ];
 }
--- a/nixos/hosts/traefik/oauth2proxy.nix
+++ b/nixos/hosts/traefik/oauth2proxy.nix
@ -1,76 +0,0 @@
-# /etc/nixos/configuration.nix
-{
-  config,
-  lib,
-  pkgs,
-  ...
-}: let
-  oauth2ProxyKeyFile = config.sops.secrets."oauth2-proxy-env".path;
-in {
-  services.oauth2-proxy = {
-    enable = true;
-    package = pkgs.oauth2-proxy;
-
-    keyFile = oauth2ProxyKeyFile;
-
-    provider = "keycloak-oidc"; # Use "oidc" for standard OIDC providers like Keycloak
-    oidcIssuerUrl = "https://keycloak.procopius.dk/realms/homelab";
-    clientID = "oauth2-proxy"; # Matches the client ID in Keycloak
-
-    # Public URL for oauth2-proxy itself, where Keycloak redirects back to
-    redirectURL = "https://oauth.procopius.dk/oauth2/callback";
-    upstream = ["static://202"];
-    extraConfig = {
-      code-challenge-method = "S256";
-      # email-domain = "*";
-      auth-logging = true;
-      request-logging = true;
-      whitelist-domain = ".procopius.dk";
-      pass-host-header = true;
-      skip-provider-button = true;
-    };
-
-    # Cookie configuration
-    cookie = {
-      name = "_oauth2_proxy_homelab";
-      domain = ".procopius.dk";
-      secure = true;
-      httpOnly = true;
-      expire = "24h";
-      refresh = "1h";
-    };
-
-    # Listen address for oauth2-proxy internally. Traefik will forward to this.
-    httpAddress = "http://127.0.0.1:4180"; # Ensure this port is not blocked by your firewall internally
-
-    # Reverse proxy settings for headers
-    reverseProxy = true; # Set to true because it's behind Traefik
-
-    # Headers to set for the upstream applications after successful authentication
-    setXauthrequest = true; # Set X-Auth-Request-User, X-Auth-Request-Email etc.
-    passBasicAuth = true; # Pass HTTP Basic Auth headers
-    passHostHeader = true; # Pass the original Host header to the upstream
-
-    # Authorization rules for who can access
-    # You can restrict by email domain (allows everyone from that domain)
-    email.domains = ["*"]; # Allows any authenticated user from Keycloak
-    # Or restrict by specific email addresses (if you want tighter control):
-    # email.addresses = allowedOauth2ProxyEmails;
-
-    # Logging
-    requestLogging = true;
-
-    # Optional: If you use specific scopes for Keycloak (e.g., if you want groups claim)
-    # scope = "openid profile email";
-    # If you specifically added a 'groups' claim in Keycloak:
-    scope = "openid profile email";
-
-    # You can add extra command-line flags here if needed, e.g., for debug logging
-    # extraConfig = {
-    #
-    # };
-  };
-
-  # Expose the internal port for oauth2-proxy if needed for debugging or direct access (less common)
-  networking.firewall.allowedTCPPorts = [4180];
-}