improve security

2026-05-13 09:58:58 -05:00
parent d3eeb70fde
commit 5f7c219838
12 changed files with 12 additions and 186 deletions


@@ -16,12 +16,6 @@
config = {
networking.firewall.interfaces = {
"ve-traefik" = {
allowedTCPPorts = [ hostPort ];
};
};
sops.secrets = {
"authentik/pass" = {};
"authentik/secret_key" = {};
@@ -108,7 +102,7 @@
"/etc/Authentik/data:/data:rw"
];
ports = [
"${builtins.toString hostPort}:9000/tcp"
"127.0.0.1:${builtins.toString hostPort}:9000/tcp"
#"9443:9443/tcp"
];
cmd = [ "server" ];
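Review bot: The `127.0.0.1:` prefix on the published port is what actually restricts access here, not the removed `ve-traefik` firewall rule — ports published by the OCI container backend are normally DNAT'd ahead of the host's INPUT chain, so `networking.firewall` rules do not gate them, while the loopback bind does. That intent should be recorded next to the port so a later edit does not silently re-expose 9000 on every interface, e.g. `# bind to loopback: reachable only through the reverse proxy on this host`. It also assumes the reverse proxy shares the host's network namespace; if Traefik runs in a container with its own network (the old `ve-traefik` interface name suggests one may exist), it cannot reach 127.0.0.1 on the host, so verify the proxy route after deploying. The same loopback-bind change appears in the ollama, pihole and portainer sections.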


@@ -1,120 +1,5 @@
{ ... }: {
flake.nixosModules.gitea = { config, lib, ... }: {
config = {
networking = {
nat.internalInterfaces = [ "ve-gitea" ];
};
sops.secrets = {
"gitea/dbpass" = {};
};
containers.gitea = {
autoStart = true;
privateNetwork = true;
hostAddress = "192.168.100.10";
localAddress = "192.168.100.20";
bindMounts = {
"/etc/gitea/data" = {
hostPath = "/ssd1/Gitea/data";
isReadOnly = false;
};
};
extraFlags = [
"--load-credential=dbpass:${config.sops.secrets."gitea/dbpass".path}"
];
config = {
systemd.services.secrets_setup = {
wantedBy = [ "gitea.service" ];
serviceConfig = {
LoadCredential = [
"dbpass"
];
};
script = ''
cat ''${CREDENTIALS_DIRECTORY}/dbpass > /etc/gitea/dbpass
chown gitea:gitea /etc/gitea/*
'';
};
services.gitea = {
enable = true;
stateDir = "/etc/gitea/data";
dump.enable = false;
appName = "Gitea";
settings = {
server = {
DOMAIN = "gitea.esotericbytes.com";
HTTP_PORT = 3000;
ROOT_URL = "https://gitea.esotericbytes.com/";
};
service = {
DISABLE_REGISTRATION = false;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
REQUIRE_SIGNIN_VIEW = false;
};
oauth2_client = {
ENABLE_AUTO_REGISTRATION = true;
};
session.COOKIE_SECURE = true;
cron = {
ENABLED = true;
RUN_AT_START = true;
};
repository = {
DEFAULT_BRANCH = "master";
};
migrations = {
ALLOWED_DOMAINS = "*";
ALLOW_LOCALNETWORKS = true;
SKIP_TLS_VERIFY = true;
BLOCKED_DOMAINS = "";
};
};
database = {
passwordFile = "/etc/gitea/dbpass";
type = "postgres";
};
};
services.openssh = {
enable = true;
openFirewall = true;
settings = {
PermitRootLogin = lib.mkForce "no";
PasswordAuthentication = false;
KbdInteractiveAuthentication = false;
};
ports = [ 2222 ];
};
networking.firewall.allowedTCPPorts = [ 3000 ];
system.stateVersion = "24.11";
};
};
};
};
flake.nixosModules.gitea-docker = { config, lib, pkgs, ... }: let
subdomain = "gitea";
@@ -175,9 +60,6 @@
"traefik.tcp.services.${name}-ssh.loadbalancer.server.port" = "22";
};
ports = [
];
extraOptions = [
"--ip=192.168.101.25"
];
@@ -207,12 +89,6 @@
"docker-main"
];
labels = {
};
ports = [
];
extraOptions = [
"--ip=192.168.101.26"
];


@@ -48,9 +48,6 @@
"--ip=192.168.101.13"
];
ports = [
];
volumes = [
"vol_home-assistant:/config/"
"/etc/home-assistant/configuration.yaml:/config/configuration.yaml"


@@ -15,8 +15,6 @@
config = {
networking.firewall.allowedUDPPorts = [ 7359 ];
virtualisation.oci-containers.containers.jellyfin = {
image = "jellyfin/jellyfin:10.11.6";
@@ -29,10 +27,6 @@
"docker-main"
];
ports = [
"7359:7359/udp"
];
volumes = [
"vol_jellyfin-config:/config"
"vol_jellyfin-cache:/cache"


@@ -38,9 +38,6 @@
"traefik.http.services.${name}.loadbalancer.server.port" = "5678";
};
ports = [
];
extraOptions = [
"--ip=192.168.101.14"
];


@@ -26,9 +26,6 @@
"docker-main"
];
ports = [
];
volumes = [
"/ssd1/esotericbytes-com/data:/var/www/data"
"/etc/nginx/nginx.conf:/etc/nginx/nginx.conf"


@@ -40,16 +40,6 @@
ollama
];
networking.firewall.interfaces = {
"ve-traefik" = {
allowedTCPPorts = [ hostPort ];
};
"ve-openwebui" = {
allowedTCPPorts = [ hostPort ];
};
};
virtualisation.oci-containers.containers.ollama = {
image = "ollama/ollama:latest";
@@ -63,7 +53,7 @@
];
ports = [
"${builtins.toString hostPort}:11434"
"127.0.0.1:${builtins.toString hostPort}:11434"
];
volumes = [
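Review bot: Binding ollama's 11434 to loopback also removes the path Open WebUI used through the host, because the `ve-openwebui` allowance is dropped in the same hunk; if Open WebUI runs in its own container (the openwebui section appears to place it on the `docker-main` network with no published ports), it can no longer reach `127.0.0.1:<hostPort>` on the host. Verify that it is configured to reach ollama by container name over the shared Docker network, or keep an explicit host-internal path. A comment on the ports line such as `# loopback only; Open WebUI reaches ollama over the docker-main network, not via the host` would record which path is intended. The `volumes = [` list at the end of the hunk continues outside the view.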


@@ -27,10 +27,6 @@
"docker-main"
];
/*ports = [
"${builtins.toString hostPort}:8080"
];*/
volumes = [
"vol_openwebui:/app/backend/data"
];


@@ -32,12 +32,6 @@
mode = "0664";
};
networking.firewall.interfaces = {
"ve-traefik" = {
allowedTCPPorts = [ hostPort ];
};
};
virtualisation.oci-containers.containers.pihole = {
image = "pihole/pihole:latest";
@@ -66,9 +60,9 @@
];
ports = [
"${builtins.toString hostPort}:80"
"127.0.0.1:53:53/tcp"
"127.0.0.1:53:53/udp"
"127.0.0.1:${builtins.toString hostPort}:80"
"127.0.0.1:53:53/tcp"
"127.0.0.1:53:53/udp"
];
volumes = [


@@ -17,12 +17,6 @@
config = {
networking.firewall.interfaces = {
"ve-traefik" = {
allowedTCPPorts = [ hostPort ];
};
};
virtualisation.oci-containers.containers.portainer = {
image = "portainer/portainer-ce:latest";
@@ -48,7 +42,7 @@
ports = [
"127.0.0.1:8000:8000"
"${builtins.toString hostPort}:9000"
"127.0.0.1:${builtins.toString hostPort}:9000"
];
extraOptions = [


@@ -40,9 +40,6 @@
"traefik.http.services.${name}.loadbalancer.server.port" = "8080";
};
ports = [
];
extraOptions = [
"--ip=192.168.101.9"
];


@@ -9,7 +9,7 @@
config = {
networking.firewall.allowedTCPPorts = [ 80 81 443 444 2222 ];
networking.firewall.allowedTCPPorts = [ 80 443 2222 ];
sops.secrets = {
"traefik/cf_email" = {};
@@ -58,11 +58,11 @@
];
ports = [
"80:80"
"81:81"
"443:443"
"444:444"
"2222:2222"
#"80:80"
"80:81"
#"443:443"
"443:444"
"2222:2222"
];
labels = {