plasmagoat/homelab
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

moved mail
Some checks failed
Test / tests (push) Has been cancelled
Details

Browse source
This commit is contained in:
plasmagoat 2025-07-17 00:35:44 +02:00
parent c46903e3a0
commit 032072374b
35 changed files with 511 additions and 324 deletions
Download patch file Download diff file Expand all files Collapse all files

15
nixos/hosts/traefik/configuration/auth/routers.nix
View file

@ -13,19 +13,10 @@
tls.certResolver = "letsencrypt";
};
oauth2proxy = {
rule = "Host(`radarr.procopius.dk`) && PathPrefix(`/oauth2/`)";
service = "oauth2proxy";
lldap = {
rule = "Host(`lldap.procopius.dk`)";
service = "lldap";
entryPoints = ["websecure"];
middlewares = ["auth-headers"];
tls.certResolver = "letsencrypt";
};
oauth2route = {
rule = "Host(`oauth.procopius.dk`)";
service = "oauth2proxy";
entryPoints = ["websecure"];
middlewares = ["auth-headers"];
tls.certResolver = "letsencrypt";
};
}

2
nixos/hosts/traefik/configuration/auth/services.nix
View file

@ -1,6 +1,6 @@
{
keycloak.loadBalancer.servers = [{url = "http://keycloak.lab:8080";}];
oauth2proxy.loadBalancer.servers = [{url = "http://localhost:4180";}];
authelia.loadBalancer.servers = [{url = "http://auth.lab:9091";}];
lldap.loadBalancer.servers = [{url = "http://auth.lab:17170";}];
}

4
nixos/hosts/traefik/configuration/infra/routers.nix
View file

@ -3,7 +3,7 @@
rule = "Host(`traefik.procopius.dk`)";
service = "traefik";
entryPoints = ["websecure"];
middlewares = ["oauth-auth"];
middlewares = ["authelia"];
tls.certResolver = "letsencrypt";
};
@ -25,7 +25,7 @@
rule = "Host(`proxmox.procopius.dk`)";
service = "proxmox";
entryPoints = ["websecure"];
middlewares = ["oauth-auth"];
middlewares = ["authelia"];
tls.certResolver = "letsencrypt";
};
nas = {

46
nixos/hosts/traefik/configuration/media-center/routers.nix
View file

@ -6,14 +6,18 @@
tls.certResolver = "letsencrypt";
};
jellyseerr = {
rule = "Host(`jellyseerr.procopius.dk`)";
service = "jellyseerr";
entryPoints = ["websecure"];
tls.certResolver = "letsencrypt";
};
radarr = {
rule = "Host(`radarr.procopius.dk`)";
service = "radarr";
entryPoints = ["websecure"];
middlewares = [
"oauth-auth"
"restrict-admin"
];
middlewares = ["authelia"];
tls.certResolver = "letsencrypt";
};
@ -21,15 +25,39 @@
rule = "Host(`sonarr.procopius.dk`)";
service = "sonarr";
entryPoints = ["websecure"];
middlewares = ["oauth-auth"];
middlewares = ["authelia"];
tls.certResolver = "letsencrypt";
};
jellyseerr = {
rule = "Host(`jellyseerr.procopius.dk`)";
service = "jellyseerr";
prowlarr = {
rule = "Host(`prowlarr.procopius.dk`)";
service = "prowlarr";
entryPoints = ["websecure"];
# middlewares = ["oauth-auth"];
middlewares = ["authelia"];
tls.certResolver = "letsencrypt";
};
bazarr = {
rule = "Host(`bazarr.procopius.dk`)";
service = "bazarr";
entryPoints = ["websecure"];
middlewares = ["authelia"];
tls.certResolver = "letsencrypt";
};
lidarr = {
rule = "Host(`lidarr.procopius.dk`)";
service = "lidarr";
entryPoints = ["websecure"];
middlewares = ["authelia"];
tls.certResolver = "letsencrypt";
};
readarr = {
rule = "Host(`readarr.procopius.dk`)";
service = "readarr";
entryPoints = ["websecure"];
middlewares = ["authelia"];
tls.certResolver = "letsencrypt";
};
}

7
nixos/hosts/traefik/configuration/media-center/services.nix
View file

@ -1,6 +1,11 @@
{
jellyfin.loadBalancer.servers = [{url = "http://media.lab:8096";}];
jellyseerr.loadBalancer.servers = [{url = "http://media.lab:5055";}];
radarr.loadBalancer.servers = [{url = "http://media.lab:7878";}];
sonarr.loadBalancer.servers = [{url = "http://media.lab:8989";}];
jellyseerr.loadBalancer.servers = [{url = "http://media.lab:5055";}];
readarr.loadBalancer.servers = [{url = "http://media.lab:8787";}];
lidarr.loadBalancer.servers = [{url = "http://media.lab:8686";}];
bazarr.loadBalancer.servers = [{url = "http://media.lab:6767";}];
prowlarr.loadBalancer.servers = [{url = "http://media.lab:9696";}];
}

21
nixos/hosts/traefik/configuration/middlewares.nix
View file

@ -19,25 +19,16 @@ in {
};
};
oauth-auth = {
authelia = {
forwardAuth = {
address = "http://localhost:4180/";
address = "http://auth.lab:9091/api/authz/forward-auth";
trustForwardHeader = true;
authResponseHeaders = [
"Authorization"
"X-Auth-Request-Access-Token"
"X-Auth-Request-User"
"X-Auth-Request-Email"
"X-Auth-Request-Preferred-Username" # Recommended
"X-Auth-Request-Access-Token" # If you want to pass the token
"X-Auth-Request-Groups" # If you configured a mapper in Keycloak to emit groups
"Remote-User"
"Remote-Groups"
"Remote-Email"
"Remote-Name"
];
};
};
restrict-admin = {
forwardAuth = {
address = "http://localhost:4180/oauth2/auth?allowed_groups=role:admin";
};
};
}

6
nixos/hosts/traefik/configuration/monitoring/routers.nix
View file

@ -3,7 +3,7 @@
rule = "Host(`prometheus.procopius.dk`)";
service = "prometheus";
entryPoints = ["websecure"];
middlewares = ["oauth-auth"];
middlewares = ["authelia"];
tls.certResolver = "letsencrypt";
};
grafana = {
@ -16,14 +16,14 @@
rule = "Host(`alertmanager.procopius.dk`)";
service = "alertmanager";
entryPoints = ["websecure"];
middlewares = ["oauth-auth"];
middlewares = ["authelia"];
tls.certResolver = "letsencrypt";
};
gatus = {
rule = "Host(`gatus.procopius.dk`)";
service = "gatus";
entryPoints = ["websecure"];
middlewares = ["oauth-auth"];
middlewares = ["authelia"];
tls.certResolver = "letsencrypt";
};
umami = {

1
nixos/hosts/traefik/host.nix
View file

@ -11,6 +11,5 @@
./traefik.nix
./promtail.nix
./sops.nix
./oauth2proxy.nix
];
}

76
nixos/hosts/traefik/oauth2proxy.nix
View file

@ -1,76 +0,0 @@
# /etc/nixos/configuration.nix
{
config,
lib,
pkgs,
...
}: let
oauth2ProxyKeyFile = config.sops.secrets."oauth2-proxy-env".path;
in {
services.oauth2-proxy = {
enable = true;
package = pkgs.oauth2-proxy;
keyFile = oauth2ProxyKeyFile;
provider = "keycloak-oidc"; # Use "oidc" for standard OIDC providers like Keycloak
oidcIssuerUrl = "https://keycloak.procopius.dk/realms/homelab";
clientID = "oauth2-proxy"; # Matches the client ID in Keycloak
# Public URL for oauth2-proxy itself, where Keycloak redirects back to
redirectURL = "https://oauth.procopius.dk/oauth2/callback";
upstream = ["static://202"];
extraConfig = {
code-challenge-method = "S256";
# email-domain = "*";
auth-logging = true;
request-logging = true;
whitelist-domain = ".procopius.dk";
pass-host-header = true;
skip-provider-button = true;
};
# Cookie configuration
cookie = {
name = "_oauth2_proxy_homelab";
domain = ".procopius.dk";
secure = true;
httpOnly = true;
expire = "24h";
refresh = "1h";
};
# Listen address for oauth2-proxy internally. Traefik will forward to this.
httpAddress = "http://127.0.0.1:4180"; # Ensure this port is not blocked by your firewall internally
# Reverse proxy settings for headers
reverseProxy = true; # Set to true because it's behind Traefik
# Headers to set for the upstream applications after successful authentication
setXauthrequest = true; # Set X-Auth-Request-User, X-Auth-Request-Email etc.
passBasicAuth = true; # Pass HTTP Basic Auth headers
passHostHeader = true; # Pass the original Host header to the upstream
# Authorization rules for who can access
# You can restrict by email domain (allows everyone from that domain)
email.domains = ["*"]; # Allows any authenticated user from Keycloak
# Or restrict by specific email addresses (if you want tighter control):
# email.addresses = allowedOauth2ProxyEmails;
# Logging
requestLogging = true;
# Optional: If you use specific scopes for Keycloak (e.g., if you want groups claim)
# scope = "openid profile email";
# If you specifically added a 'groups' claim in Keycloak:
scope = "openid profile email";
# You can add extra command-line flags here if needed, e.g., for debug logging
# extraConfig = {
#
# };
};
# Expose the internal port for oauth2-proxy if needed for debugging or direct access (less common)
networking.firewall.allowedTCPPorts = [4180];
}