plasmagoat/homelab
1
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

homelab framework module init (everything is a mess)
Some checks failed
Test / tests (push) Has been cancelled
Details
/ OpenTofu (push) Has been cancelled
Details

Browse source
This commit is contained in:
plasmagoat 2025-07-28 02:05:13 +02:00
parent 0347f4d325
commit bcbcc8b17b
94 changed files with 7289 additions and 436 deletions
Download patch file Download diff file Expand all files Collapse all files

10
machines/_default/configuration.nix
View file

@ -18,11 +18,17 @@
replaceUnknownProfiles = lib.mkDefault true;
buildOnTarget = lib.mkDefault false;
targetHost = lib.mkDefault "${name}.lab";
tags = lib.mkDefault [config.nixpkgs.system name "homelab"];
tags = [config.nixpkgs.system name "homelab"];
keys = {
"age.key" = {
destDir = "/run/keys";
keyFile = "/home/plasmagoat/.config/age/age.key";
};
};
};
sops = {
age.keyFile = "/etc/sops/age.key";
age.keyFile = "/run/keys/age.key";
defaultSopsFile = ../../secrets/secrets.yaml;
};

306
machines/auth/authelia.nix
View file

@ -9,166 +9,164 @@ in {
9091
];
services = {
authelia.instances.procopius = {
enable = true;
settings = {
theme = "auto";
server = {
buffers = {
read = 16384;
write = 16384;
};
services.authelia.instances.procopius = {
enable = true;
settings = {
theme = "auto";
server = {
buffers = {
read = 16384;
write = 16384;
};
authentication_backend.ldap = {
implementation = "lldap";
address = "ldap://localhost:3890";
base_dn = "dc=procopius,dc=dk";
user = "uid=authelia,ou=people,dc=procopius,dc=dk";
};
authentication_backend.ldap = {
implementation = "lldap";
address = "ldap://localhost:3890";
base_dn = "dc=procopius,dc=dk";
user = "uid=authelia,ou=people,dc=procopius,dc=dk";
};
definitions = {
network = {
internal = [
"192.168.1.0/24"
];
};
definitions = {
network = {
internal = [
"192.168.1.0/24"
};
access_control = {
default_policy = "deny";
# We want this rule to be low priority so it doesn't override the others
rules = lib.mkAfter [
{
domain = [
"proxmox.procopius.dk"
"traefik.procopius.dk"
"prometheus.procopius.dk"
"alertmanager.procopius.dk"
];
};
};
access_control = {
default_policy = "deny";
# We want this rule to be low priority so it doesn't override the others
rules = lib.mkAfter [
{
domain = [
"proxmox.procopius.dk"
"traefik.procopius.dk"
"prometheus.procopius.dk"
"alertmanager.procopius.dk"
];
policy = "one_factor";
subject = [
["group:server-admin"]
];
}
# bypass /api and /ping
{
domain = ["*.procopius.dk"];
policy = "bypass";
resources = [
"^/api$"
"^/api/"
"^/ping$"
];
}
# media
{
domain = [
"sonarr.procopius.dk"
"radarr.procopius.dk"
"readarr.procopius.dk"
"lidarr.procopius.dk"
"bazarr.procopius.dk"
"prowlarr.procopius.dk"
];
policy = "one_factor";
subject = [
["group:media-admin"]
];
}
# authenticated
{
domain = [
"gatus.procopius.dk"
];
policy = "one_factor";
}
# bypass auth internally
# {
# domain = [
# "gatus.procopius.dk"
# "prometheus.procopius.dk"
# "alertmanager.procopius.dk"
# "sonarr.procopius.dk"
# "radarr.procopius.dk"
# "readarr.procopius.dk"
# "lidarr.procopius.dk"
# "bazarr.procopius.dk"
# "prowlarr.procopius.dk"
# ];
# policy = "bypass";
# networks = [
# "internal"
# ];
# }
];
};
storage.postgres = {
address = "unix:///run/postgresql";
database = authelia;
username = authelia;
# I'm using peer authentication, so this doesn't actually matter, but Authelia
# complains if I don't have it.
# https://github.com/authelia/authelia/discussions/7646
password = authelia;
};
session = {
redis.host = "/var/run/redis-procopius/redis.sock";
cookies = [
{
domain = "procopius.dk";
authelia_url = "https://authelia.procopius.dk";
# The period of time the user can be inactive for before the session is destroyed
inactivity = "1M";
# The period of time before the cookie expires and the session is destroyed
expiration = "3M";
# The period of time before the cookie expires and the session is destroyed
# when the remember me box is checked
remember_me = "1y";
}
];
};
notifier.smtp = {
address = "smtp://mail.procopius.dk";
username = "authelia@procopius.dk";
sender = "authelia@procopius.dk";
};
log.level = "info";
# identity_providers.oidc = {
# # https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter
# claims_policies = {
# # karakeep.id_token = ["email"];
# };
# cors = {
# endpoints = ["token"];
# allowed_origins_from_client_redirect_uris = true;
# };
# authorization_policies.default = {
# default_policy = "one_factor";
# rules = [
# {
# policy = "deny";
# subject = "group:lldap_strict_readonly";
# }
# ];
# };
# };
# Necessary for Traefik integration
# See https://www.authelia.com/integration/proxies/traefik/#implementation
server.endpoints.authz.forward-auth.implementation = "ForwardAuth";
policy = "one_factor";
subject = [
["group:server-admin"]
];
}
# bypass /api and /ping
{
domain = ["*.procopius.dk"];
policy = "bypass";
resources = [
"^/api$"
"^/api/"
"^/ping$"
];
}
# media
{
domain = [
"sonarr.procopius.dk"
"radarr.procopius.dk"
"readarr.procopius.dk"
"lidarr.procopius.dk"
"bazarr.procopius.dk"
"prowlarr.procopius.dk"
];
policy = "one_factor";
subject = [
["group:media-admin"]
];
}
# authenticated
{
domain = [
"gatus.procopius.dk"
];
policy = "one_factor";
}
# bypass auth internally
# {
# domain = [
# "gatus.procopius.dk"
# "prometheus.procopius.dk"
# "alertmanager.procopius.dk"
# "sonarr.procopius.dk"
# "radarr.procopius.dk"
# "readarr.procopius.dk"
# "lidarr.procopius.dk"
# "bazarr.procopius.dk"
# "prowlarr.procopius.dk"
# ];
# policy = "bypass";
# networks = [
# "internal"
# ];
# }
];
};
# Templates don't work correctly when parsed from Nix, so our OIDC clients are defined here
# settingsFiles = [./oidc_clients.yaml];
secrets = with config.sops; {
jwtSecretFile = secrets."authelia/jwt_secret".path;
# oidcIssuerPrivateKeyFile = secrets."authelia/jwks".path;
# oidcHmacSecretFile = secrets."authelia/hmac_secret".path;
sessionSecretFile = secrets."authelia/session_secret".path;
storageEncryptionKeyFile = secrets."authelia/storage_encryption_key".path;
storage.postgres = {
address = "unix:///run/postgresql";
database = authelia;
username = authelia;
# I'm using peer authentication, so this doesn't actually matter, but Authelia
# complains if I don't have it.
# https://github.com/authelia/authelia/discussions/7646
password = authelia;
};
environmentVariables = with config.sops; {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
secrets."authelia/lldap_authelia_password".path;
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = secrets.smtp-password_authelia.path;
session = {
redis.host = "/var/run/redis-procopius/redis.sock";
cookies = [
{
domain = "procopius.dk";
authelia_url = "https://authelia.procopius.dk";
# The period of time the user can be inactive for before the session is destroyed
inactivity = "1M";
# The period of time before the cookie expires and the session is destroyed
expiration = "3M";
# The period of time before the cookie expires and the session is destroyed
# when the remember me box is checked
remember_me = "1y";
}
];
};
notifier.smtp = {
address = "smtp://mail.procopius.dk";
username = "authelia@procopius.dk";
sender = "authelia@procopius.dk";
};
log.level = "info";
# identity_providers.oidc = {
# # https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter
# claims_policies = {
# # karakeep.id_token = ["email"];
# };
# cors = {
# endpoints = ["token"];
# allowed_origins_from_client_redirect_uris = true;
# };
# authorization_policies.default = {
# default_policy = "one_factor";
# rules = [
# {
# policy = "deny";
# subject = "group:lldap_strict_readonly";
# }
# ];
# };
# };
# Necessary for Traefik integration
# See https://www.authelia.com/integration/proxies/traefik/#implementation
server.endpoints.authz.forward-auth.implementation = "ForwardAuth";
};
# Templates don't work correctly when parsed from Nix, so our OIDC clients are defined here
# settingsFiles = [./oidc_clients.yaml];
secrets = with config.sops; {
jwtSecretFile = secrets."authelia/jwt_secret".path;
# oidcIssuerPrivateKeyFile = secrets."authelia/jwks".path;
# oidcHmacSecretFile = secrets."authelia/hmac_secret".path;
sessionSecretFile = secrets."authelia/session_secret".path;
storageEncryptionKeyFile = secrets."authelia/storage_encryption_key".path;
};
environmentVariables = with config.sops; {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
secrets."authelia/lldap_authelia_password".path;
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = secrets.smtp-password_authelia.path;
};
};

11
machines/auth/bootstrap/service-accounts.nix
View file

@ -3,6 +3,7 @@
sops.secrets."service_accounts/forgejo/password" = {};
sops.secrets."service_accounts/jellyfin/password" = {};
sops.secrets."service_accounts/mail/password" = {};
sops.secrets."service_accounts/ente/password" = {};
sops.templates."service-accounts.json" = {
content = ''
{
@ -44,6 +45,16 @@
"mail"
]
}
{
"id": "ente",
"email": "ente@procopius.dk",
"password": "${config.sops.placeholder."service_accounts/ente/password"}",
"displayName": "ente",
"groups": [
"lldap_password_manager",
"mail"
]
}
'';
path = "/bootstrap/user-configs/service-accounts.json";
owner = "lldap";

1
machines/auth/configuration.nix
View file

@ -4,6 +4,7 @@
./authelia.nix
./postgres.nix
./redis.nix
../modules/pgbackrest.nix
];
deployment.tags = ["authelia" "sso" "ldap" "lldap"];

1
machines/auth/postgres.nix
View file

@ -18,6 +18,7 @@
authentication = lib.mkForce ''
# TYPE DATABASE USER ADDRESS METHOD
local all all trust
host all all 127.0.0.1/32 trust
'';
};
}

1
machines/mail/configuration.nix
View file

@ -2,6 +2,7 @@
imports = [
./mailserver.nix
./networking.nix
./roundcube.nix
inputs.simple-nixos-mailserver.nixosModule
];

17
machines/mail/mailserver.nix
View file

@ -1,10 +1,14 @@
{config, ...}: {
sops.secrets."service_accounts/mail/password" = {};
sops.secrets."cloudflare/dns-api-token" = {};
sops.secrets."cloudflare/zone-api-token" = {};
mailserver = {
enable = true;
stateVersion = 3;
fqdn = "mail.procopius.dk";
domains = ["procopius.dk"];
dmarcReporting.enable = true;
localDnsResolver = false;
ldap = {
enable = true;
@ -28,10 +32,17 @@
searchBase = "ou=people,dc=procopius,dc=dk";
};
# Use Let's Encrypt certificates. Note that this needs to set up a stripped
# down nginx and opens port 80.
certificateScheme = "acme-nginx";
certificateScheme = "acme";
acmeCertificateName = "mail.procopius.dk";
};
security.acme.acceptTerms = true;
security.acme.defaults.email = "david.mikael@proton.me";
security.acme.defaults = {
dnsProvider = "cloudflare";
dnsResolver = "1.1.1.1:53";
credentialFiles = {
"CF_DNS_API_TOKEN_FILE" = config.sops.secrets."cloudflare/dns-api-token".path;
"CF_ZONE_API_TOKEN_FILE" = config.sops.secrets."cloudflare/zone-api-token".path;
};
};
}

22
machines/mail/roundcube.nix Normal file
View file

@ -0,0 +1,22 @@
{
lib,
config,
...
}: {
services.roundcube = {
enable = true;
hostName = "roundcube.procopius.dk";
extraConfig = ''
# starttls needed for authentication, so the fqdn required to match
# the certificate
$config['smtp_host'] = "tls://${config.mailserver.fqdn}";
$config['smtp_user'] = "%u";
$config['smtp_pass'] = "%p";
'';
};
services.nginx.virtualHosts."roundcube.procopius.dk" = {
forceSSL = lib.mkForce false;
enableACME = lib.mkForce false;
};
}

11
machines/modules/README.md Normal file
View file

@ -0,0 +1,11 @@
# Homelab nixos global config
A global module config for my homelab, where we gather:
* Monitoring endpoints (/metrics + port + host)
* Promtail log files
* Reverse proxy configuration
* Postgres backups (pgbackrest)
* Restic backups
* ...?
* LDAP config
* OIDC configs

43
machines/modules/pgbackrest.nix Normal file
View file

@ -0,0 +1,43 @@
{
lib,
config,
name,
# meta,
...
}: {
fileSystems."/mnt/pgdumps" = {
device = "192.168.1.226:/volume1/database_backups/${name}";
fsType = "nfs4";
options = ["x-systemd.automount" "noatime" "_netdev"];
};
services.postgresqlBackup = {
enable = true;
# We trigger this through restic
startAt = [];
# startAt = "*-*-* 01:15:00";
compression = "zstd";
databases = [
"authelia-procopius"
"lldap"
];
};
# services.restic.backups.b2 = {
# environmentFile = config.sops.templates.restic_floofs_env.path;
# repositoryFile = config.sops.secrets.b2_floofs_server_repository.path;
# passwordFile = config.sops.secrets.b2_floofs_server_password.path;
# paths = ["/var/backup/postgresql"];
# initialize = true;
# pruneOpts = [
# "--keep-daily 7"
# "--keep-weekly 3"
# "--keep-monthly 3"
# ];
# timerConfig = {
# OnCalendar = "04:45";
# Persistent = true;
# };
# };
# systemd.services.restic-backups-b2.wants = ["postgresqlBackup.service"];
}

1
machines/photos/configuration.nix
View file

@ -2,6 +2,7 @@
imports = [
outputs.nixosModules.ente
./ente.nix
./minio.nix
];
deployment.tags = ["ente"];

60
machines/photos/ente.nix
View file

@ -1,25 +1,73 @@
{
config,
pkgs,
...
}: {
sops.secrets."ente/minio/root_password".owner = "ente";
sops.secrets."ente/minio/root_user".owner = "ente";
sops.secrets."service_accounts/ente/password".owner = "ente";
environment.systemPackages = with pkgs; [
ente-cli
];
services.ente.api = {
enable = true;
enableLocalDB = true;
domain = "ente-v2.procopius.dk";
domain = "ente-museum.procopius.dk";
settings = {
# apps = {
# accounts = "https://accounts.procopius.dk";
# cast = "https://cast.procopius.dk";
# public-albums = "https://albums.procopius.dk";
# };
smtp = {
host = "mail.procopius.dk";
port = "465";
username = "ente@procopius.dk";
password._secret = config.sops.secrets."service_accounts/ente/password".path;
# The email address from which to send the email. Set this to an email
# address whose credentials you're providing.
email = "ente@procopius.dk";
# Optional override for the sender name in the emails. If specified, it will
# be used for all emails sent by the instance (default is email specific).
sender-name = "ente";
};
internal.admins = [
1580559962386438
];
s3 = {
use_path_style_urls = true;
b2-eu-cen = {
endpoint = "https://ente-minio-api.procopius.dk";
region = "us-east-1";
bucket = "ente";
key._secret = config.sops.secrets."ente/minio/root_user".path;
secret._secret = config.sops.secrets."ente/minio/root_password".path;
};
};
};
};
services.ente.web = {
enable = true;
domains = {
api = "ente-v2.procopius.dk";
accounts = "accounts.procopius.dk";
albums = "albums.procopius.dk";
cast = "cast.procopius.dk";
photos = "photos.procopius.dk";
api = "ente-museum.procopius.dk";
accounts = "ente-accounts.procopius.dk";
albums = "ente-albums.procopius.dk";
cast = "ente-cast.procopius.dk";
photos = "ente-photos.procopius.dk";
auth = "ente-auth.procopius.dk";
};
};
networking.firewall.allowedTCPPorts = [
3000
3001
3002
3003
3004
8080
];
}

31
machines/photos/minio.nix
View file

@ -1,6 +1,35 @@
{
config,
pkgs,
lib,
...
}: {
sops.secrets."ente/minio/root_user" = {};
sops.secrets."ente/minio/root_password" = {};
sops.templates."minio-root-credentials".content = ''
MINIO_ROOT_USER=${config.sops.placeholder."ente/minio/root_user"}
MINIO_ROOT_PASSWORD=${config.sops.placeholder."ente/minio/root_password"}
'';
services.minio = {
enable = true;
rootCredentialsFile = "/etc/nixos/minio-root-credentials";
rootCredentialsFile = config.sops.templates."minio-root-credentials".path;
};
systemd.services.minio = {
environment.MINIO_SERVER_URL = "https://ente-minio-api.procopius.dk";
postStart = ''
# Wait until minio is up
${lib.getExe pkgs.curl} --retry 5 --retry-connrefused --fail --no-progress-meter -o /dev/null "http://localhost:9000/minio/health/live"
# Make sure bucket exists
mkdir -p ${lib.escapeShellArg config.services.minio.dataDir}/ente
'';
};
networking.firewall.allowedTCPPorts = [
9000
9001
];
}

15
machines/sandbox/configuration.nix
View file

@ -1,5 +1,18 @@
{
{outputs, ...}: {
deployment.tags = ["sandbox"];
imports = [
outputs.nixosModules.global-config
];
homelab.global = {
enable = true;
hostname = "sandbox";
domain = "sandbox.local";
environment = "production";
location = "proxmox";
tags = ["sandbox"];
};
system.stateVersion = "25.05";
}