diff --git a/system-config/configuration/homebox/default.nix b/system-config/configuration/homebox/default.nix
index 62bf1d1..4eb2599 100644
--- a/system-config/configuration/homebox/default.nix
+++ b/system-config/configuration/homebox/default.nix
@@ -101,14 +101,11 @@
 networkmanager.enable = true;
 firewall.allowedTCPPorts = [ 22 80 443 ];
 firewall.interfaces."ve-traefik".allowedTCPPorts = [
- 9000
 8080
- 6080
 8123
- 11434
 ];
 hosts = {
- "192.168.100.11" = [ "blunkall.us" "*.blunkall.us" "*.local.blunkall.us" ];
+ "192.168.100.11" = [ "blunkall.us" "*.blunkall.us" ];
 "192.168.100.20" = [ "gitea.blunkall.us" ];
 };
 nftables = {};
diff --git a/system-config/services/containers/authentik-nix/default.nix b/system-config/services/containers/authentik-nix/default.nix
deleted file mode 100644
index ab1c227..0000000
--- a/system-config/services/containers/authentik-nix/default.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ config, lib, ... }: {
-
- options.sysconfig.opts.virtualization.authentik.enable = lib.options.mkOption {
- type = lib.types.bool;
- default = false;
- };
-
- imports = [
- ./docker-compose.nix
- ];
-
- config = lib.mkIf config.sysconfig.opts.virtualization.authentik.enable {
- sops.templates."authentik.env" = {
- content = ''
- POSTGRES_DB=authentik-db
- POSTGRES_USER=authentik-admin
- POSTGRES_PASSWORD=${config.sops.placeholder."authentik/pass"}
- AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"}
- AUTHENTIK_POSTGRESQL__NAME=authentik-db
- AUTHENTIK_POSTGRESQL__USER=authentik-admin
- AUTHENTIK_POSTGRESQL__PASSWORD=${config.sops.placeholder."authentik/pass"}
- '';
-
- path = "/ssd1/Authentik/.env";
- };
- };
-}
diff --git a/system-config/services/containers/authentik-nix/docker-compose.nix b/system-config/services/containers/authentik-nix/docker-compose.nix
deleted file mode 100644
index a7fa514..0000000
--- a/system-config/services/containers/authentik-nix/docker-compose.nix
+++ /dev/null
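Review bot: The surviving `"*.blunkall.us"` element in the `hosts` attribute is inert: `networking.hosts` is rendered into /etc/hosts, and the glibc files resolver does not match wildcard names, so only `blunkall.us` itself is pinned to 192.168.100.11 from this host and every subdomain falls through to ordinary DNS (presumably the public record) unless some other resolver on the box consumes these entries with wildcard support. If the intent is to keep this host's traffic to the Traefik vhosts on the internal path, list the names explicitly, e.g. `"192.168.100.11" = [ "blunkall.us" "www.blunkall.us" ];` plus the other served hostnames, or implement the wildcard in a local DNS resolver rather than /etc/hosts. The removal of 9000 and 6080 from `ve-traefik` matches the authentik and novnc backends being dropped elsewhere in this commit, but 11434 has no counterpart in the diff, so it is worth confirming nothing in the container still expects that port before the firewall change lands.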
@@ -1,235 +0,0 @@ -# Auto-generated using compose2nix v0.3.2-pre. -{ pkgs, lib, ... }: - -{ - # Runtime - virtualisation.docker = { - enable = true; - autoPrune.enable = true; - }; - virtualisation.oci-containers.backend = "docker"; - - # Containers - virtualisation.oci-containers.containers."authentik-postgresql" = { - image = "docker.io/library/postgres:16-alpine"; - - environmentFiles = [ "/ssd1/Authentik/.env" ]; - volumes = [ - "authentik_database:/var/lib/postgresql/data:rw" - ]; - log-driver = "journald"; - extraOptions = [ - "--health-cmd=pg_isready -d \${POSTGRES_DB} -U \${POSTGRES_USER}" - "--health-interval=30s" - "--health-retries=5" - "--health-start-period=20s" - "--health-timeout=5s" - "--network-alias=postgresql" - "--network=authentik_backend" - ]; - }; - systemd.services."docker-authentik-postgresql" = { - serviceConfig = { - Restart = lib.mkOverride 90 "always"; - RestartMaxDelaySec = lib.mkOverride 90 "1m"; - RestartSec = lib.mkOverride 90 "100ms"; - RestartSteps = lib.mkOverride 90 9; - }; - after = [ - "docker-network-authentik_backend.service" - "docker-volume-authentik_database.service" - ]; - requires = [ - "docker-network-authentik_backend.service" - "docker-volume-authentik_database.service" - ]; - partOf = [ - "docker-compose-authentik-root.target" - ]; - wantedBy = [ - "docker-compose-authentik-root.target" - ]; - }; - virtualisation.oci-containers.containers."authentik-redis" = { - image = "docker.io/library/redis:alpine"; - volumes = [ - "authentik_redis:/data:rw" - ]; - cmd = [ "--save" "60" "1" "--loglevel" "warning" ]; - log-driver = "journald"; - extraOptions = [ - "--health-cmd=redis-cli ping | grep PONG" - "--health-interval=30s" - "--health-retries=5" - "--health-start-period=20s" - "--health-timeout=3s" - "--network-alias=redis" - "--network=authentik_backend" - ]; - }; - systemd.services."docker-authentik-redis" = { - serviceConfig = { - Restart = lib.mkOverride 90 "always"; - RestartMaxDelaySec = lib.mkOverride 90 "1m"; - 
RestartSec = lib.mkOverride 90 "100ms"; - RestartSteps = lib.mkOverride 90 9; - }; - after = [ - "docker-network-authentik_backend.service" - "docker-volume-authentik_redis.service" - ]; - requires = [ - "docker-network-authentik_backend.service" - "docker-volume-authentik_redis.service" - ]; - partOf = [ - "docker-compose-authentik-root.target" - ]; - wantedBy = [ - "docker-compose-authentik-root.target" - ]; - }; - virtualisation.oci-containers.containers."authentik-server" = { - image = "ghcr.io/goauthentik/server:2024.10.4"; - environment = { - "AUTHENTIK_ERROR_REPORTING__ENABLED" = "true"; - "AUTHENTIK_REDIS__HOST" = "redis"; - }; - environmentFiles = [ "/ssd1/Authentik/.env" ]; - volumes = [ - "/ssd1/Authentik/custom-templates:/templates:rw" - "/ssd1/Authentik/media:/media:rw" - ]; - ports = [ - "9000:9000/tcp" - "9443:9443/tcp" - ]; - cmd = [ "server" ]; - dependsOn = [ - "authentik-postgresql" - "authentik-redis" - ]; - log-driver = "journald"; - extraOptions = [ - "--network-alias=server" - "--network=authentik_backend" - ]; - }; - systemd.services."docker-authentik-server" = { - serviceConfig = { - Restart = lib.mkOverride 90 "always"; - RestartMaxDelaySec = lib.mkOverride 90 "1m"; - RestartSec = lib.mkOverride 90 "100ms"; - RestartSteps = lib.mkOverride 90 9; - }; - after = [ - "docker-network-authentik_backend.service" - ]; - requires = [ - "docker-network-authentik_backend.service" - ]; - partOf = [ - "docker-compose-authentik-root.target" - ]; - wantedBy = [ - "docker-compose-authentik-root.target" - ]; - }; - virtualisation.oci-containers.containers."authentik-worker" = { - image = "ghcr.io/goauthentik/server:2024.10.4"; - environment = { - "AUTHENTIK_ERROR_REPORTING__ENABLED" = "true"; - "AUTHENTIK_POSTGRESQL__HOST" = "postgresql"; - "AUTHENTIK_REDIS__HOST" = "redis"; - }; - environmentFiles = [ "/ssd1/Authentik/.env" ]; - volumes = [ - "/ssd1/Authentik/certs:/certs:rw" - "/ssd1/Authentik/custom-templates:/templates:rw" - 
"/ssd1/Authentik/media:/media:rw" - "/var/run/podman/podman.sock:/var/run/docker.sock:rw" - ]; - cmd = [ "worker" ]; - dependsOn = [ - "authentik-postgresql" - "authentik-redis" - ]; - user = "root"; - log-driver = "journald"; - extraOptions = [ - "--network-alias=worker" - "--network=authentik_backend" - ]; - }; - systemd.services."docker-authentik-worker" = { - serviceConfig = { - Restart = lib.mkOverride 90 "always"; - RestartMaxDelaySec = lib.mkOverride 90 "1m"; - RestartSec = lib.mkOverride 90 "100ms"; - RestartSteps = lib.mkOverride 90 9; - }; - after = [ - "docker-network-authentik_backend.service" - ]; - requires = [ - "docker-network-authentik_backend.service" - ]; - partOf = [ - "docker-compose-authentik-root.target" - ]; - wantedBy = [ - "docker-compose-authentik-root.target" - ]; - }; - - # Networks - systemd.services."docker-network-authentik_backend" = { - path = [ pkgs.docker ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - ExecStop = "docker network rm -f authentik_backend"; - }; - script = '' - docker network inspect authentik_backend || docker network create authentik_backend - ''; - partOf = [ "docker-compose-authentik-root.target" ]; - wantedBy = [ "docker-compose-authentik-root.target" ]; - }; - - # Volumes - systemd.services."docker-volume-authentik_database" = { - path = [ pkgs.docker ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - docker volume inspect authentik_database || docker volume create authentik_database --driver=local - ''; - partOf = [ "docker-compose-authentik-root.target" ]; - wantedBy = [ "docker-compose-authentik-root.target" ]; - }; - systemd.services."docker-volume-authentik_redis" = { - path = [ pkgs.docker ]; - serviceConfig = { - Type = "oneshot"; - RemainAfterExit = true; - }; - script = '' - docker volume inspect authentik_redis || docker volume create authentik_redis --driver=local - ''; - partOf = [ "docker-compose-authentik-root.target" ]; - wantedBy = [ 
"docker-compose-authentik-root.target" ]; - }; - - # Root service - # When started, this will automatically create all resources and start - # the containers. When stopped, this will teardown all resources. - systemd.targets."docker-compose-authentik-root" = { - unitConfig = { - Description = "Root target generated by compose2nix."; - }; - wantedBy = [ "multi-user.target" ]; - }; -}
diff --git a/system-config/services/containers/authentik/default.nix b/system-config/services/containers/authentik/default.nix
deleted file mode 100644
index 78dbf35..0000000
--- a/system-config/services/containers/authentik/default.nix
+++ /dev/null
@@ -1,34 +0,0 @@
-{ pkgs, config, lib, ... }: {
-
- options.sysconfig.opts.virtualization.authentik.enable = lib.options.mkOption {
- type = lib.types.bool;
- default = false;
- };
-
-
- config = lib.mkIf config.sysconfig.opts.virtualization.authentik.enable {
-
- sops.templates."authentik.env" = {
- content = ''
- POSTGRES_DB=authentik-db
- POSTGRES_USER=authentik-admin
- POSTGRES_PASSWORD=${config.sops.placeholder."authentik/pass"}
- AUTHENTIK_SECRET_KEY=${config.sops.placeholder."authentik/secret_key"}
- '';
-
- path = "/ssd1/Authentik/.env";
- };
-
- systemd.services.launchAuthentik = {
-
- enable = false;
-
- wantedBy = [ "multi-user.target" ];
-
- script = ''
- cd /ssd1/Authentik
- ${pkgs.docker-compose}/bin/docker-compose up
- '';
- };
- };
-}
diff --git a/system-config/services/containers/traefik/default.nix b/system-config/services/containers/traefik/default.nix
index 32e4e92..79b0e6e 100644
--- a/system-config/services/containers/traefik/default.nix
+++ b/system-config/services/containers/traefik/default.nix
@@ -101,21 +101,14 @@
 rule = "Host(`blunkall.us`) || Host(`www.blunkall.us`)";
 service = "homepage";
 tls.certResolver = "cloudflare";
- #middlewares = [ "authentik" ];
 };
- nathan = {
- entryPoints = [ "websecure" ];
- rule = "Host(`nathan.blunkall.us`)";
- service = "homepage";
- tls.certResolver = "cloudflare";
- };
- remote = {
+ /*remote = {
 entryPoints = [ "websecure" ];
 rule = "Host(`remote.blunkall.us`)";
 service = "novnc";
 tls.certResolver = "cloudflare";
 #middlewares = [ "authentik" ];
- };
+ };*/
 /*homeassistant = {
 entryPoints = [ "websecure" ];
 rule = "Host(`hass.blunkall.us`)";
@@ -156,13 +149,13 @@
 "nextcloud_redirectregex"
 ];
 };
- traefik = {
+ /*traefik = {
 entryPoints = [ "websecure" ];
 rule = "Host(`traefik.blunkall.us`)";
 service = "api@internal";
 tls.certResolver = "cloudflare";
 #middlewares = [ "authentik" ];
- };
+ };*/
 /*ntfy = {
 entryPoints = [ "websecure" ];
 rule = "Host(`ntfy.blunkall.us`)";
@@ -204,23 +197,6 @@
 }; middlewares = { - /*authentik.forwardAuth = { - address = "http://192.168.100.10:9000/outpost.goauthentik.io/auth/traefik"; - trustForwardHeader = true; - authResponseHeaders = [ - "X-authentik-username" - "X-authentik-groups" - "X-authentik-email" - "X-authentik-name" - "X-authentik-uid" - "X-authentik-jwt" - "X-authentik-meta-jwks" - "X-authentik-meta-outpost" - "X-authentik-meta-provider" - "X-authentik-meta-app" - "X-authentik-meta-version" - ]; - };*/ nextcloud_redirectregex.redirectregex = { permanent = true;
@@ -243,7 +219,7 @@
 keycloak.loadBalancer.servers = [ { url = "http://192.168.100.22:80"; } ]; - novnc.loadBalancer.servers = [ { url = "http://192.168.100.10:6080"; } ]; + #novnc.loadBalancer.servers = [ { url = "http://192.168.100.10:6080"; } ]; nextcloud.loadBalancer.servers = [ { url = "http://192.168.100.15:80"; } ];
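Review bot: The `nathan` router is deleted outright while `remote` is parked in a `/* */` block, joining the already-commented `homeassistant` and `ntfy` routers, and the second hunk does the same with `traefik`; the routers table is accumulating dead configuration with no indication of which blocks are meant to come back. Since git keeps the history, deleting a router that is no longer served is the cleaner choice; if `remote` is deliberately parked pending the novnc backend (its service is commented out in the last hunk), a one-line reason above the block keeps the two in step, e.g. `# remote router parked together with the novnc service; re-enable both or neither`. The surrounding `routers` attribute set starts and ends outside this hunk.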
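Review bot: In the second hunk (`@@ -156,13 +149,13 @@`) the parked `traefik` router still binds `api@internal` to the public `websecure` entrypoint with its only access control, `#middlewares = [ "authentik" ]`, already commented out, and the third hunk deletes the `authentik.forwardAuth` middleware definition that line referred to; disabling the router is the right outcome, but the block comment leaves a copy-paste-ready config that would expose the Traefik dashboard and API unauthenticated the moment someone un-comments it. Either delete the block or leave a guard comment in its place, e.g. `# traefik dashboard router removed: api@internal must not be reachable on websecure without an auth middleware (the authentik forwardAuth middleware no longer exists)`. The `routers` set this belongs to begins and ends outside the hunk.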