archive/server_config
Archived
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: archive:master
Branches Tags
archive:master
archive:trilium
archive:authentik
archive:authelia
..
compare: archive:authelia
Branches Tags
archive:master
archive:trilium
archive:authentik
archive:authelia

5 commits
master ... authelia

Author SHA1 Message Date
Fabian Montero
7d3100c3d3
works? 2024-08-25 02:09:29 -06:00
Fabian Montero
d6f40dd4fd
still wip 2024-08-24 18:50:57 -06:00
Fabian Montero
e8b3f321ed
fix typo 2024-08-24 03:54:20 -06:00
Fabian Montero
12cb13952a
add secrets generation 2024-08-24 03:51:56 -06:00
Fabian Montero
495d54def8
wip: add authelia config 2024-08-24 03:36:28 -06:00
25 changed files with 304 additions and 620 deletions
Download patch file Download diff file Expand all files Collapse all files

1
cdn/factorio_blueprints/nauvis_science.txt
View file

File diff suppressed because one or more lines are too long

1
cdn/factorio_blueprints/red_circuits.txt
View file

File diff suppressed because one or more lines are too long

328
flake.lock generated
View file

@ -3,8 +3,8 @@
"attic": {
"inputs": {
"crane": "crane",
"flake-compat": "flake-compat_2",
"flake-utils": "flake-utils_2",
"flake-compat": "flake-compat",
"flake-utils": "flake-utils",
"nixpkgs": "nixpkgs",
"nixpkgs-stable": "nixpkgs-stable"
},
@ -23,53 +23,10 @@
"type": "github"
}
},
"authentik-nix": {
"inputs": {
"authentik-src": "authentik-src",
"flake-compat": "flake-compat",
"flake-parts": "flake-parts",
"flake-utils": "flake-utils",
"napalm": "napalm",
"nixpkgs": [
"nixpkgs"
],
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1724362025,
"narHash": "sha256-/fzIU/Hjgksy7A4ji09zK6cH7ATQV5rAEYb/wgBw8x8=",
"owner": "nix-community",
"repo": "authentik-nix",
"rev": "39cf62b92149800dd2a436f8b18acd471c9180dd",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "authentik-nix",
"type": "github"
}
},
"authentik-src": {
"flake": false,
"locked": {
"lastModified": 1724339964,
"narHash": "sha256-QwK/auMLCJEHHtyexFnO+adCq/u0fezHQ90fXW9J4c4=",
"owner": "goauthentik",
"repo": "authentik",
"rev": "8a0b31b9227ca33b96c5448f185419f17090ed38",
"type": "github"
},
"original": {
"owner": "goauthentik",
"ref": "version/2024.6.4",
"repo": "authentik",
"type": "github"
}
},
"cachix": {
"inputs": {
"devenv": "devenv",
"flake-compat": "flake-compat_4",
"flake-compat": "flake-compat_3",
"nixpkgs": "nixpkgs_3",
"pre-commit-hooks": "pre-commit-hooks"
},
@ -127,11 +84,11 @@
"complement": {
"flake": false,
"locked": {
"lastModified": 1720637557,
"narHash": "sha256-oZz6nCmFmdJZpC+K1iOG2KkzTI6rlAmndxANPDVU7X0=",
"lastModified": 1722323564,
"narHash": "sha256-6w6/N8walz4Ayc9zu7iySqJRmGFukhkaICLn4dweAcA=",
"owner": "matrix-org",
"repo": "complement",
"rev": "0d14432e010482ea9e13a6f7c47c1533c0c9d62f",
"rev": "6e4426a9e63233f9821a4d2382bfed145244183f",
"type": "github"
},
"original": {
@ -148,8 +105,8 @@
"complement": "complement",
"crane": "crane_2",
"fenix": "fenix",
"flake-compat": "flake-compat_6",
"flake-utils": "flake-utils_4",
"flake-compat": "flake-compat_5",
"flake-utils": "flake-utils_3",
"liburing": "liburing",
"nix-filter": "nix-filter",
"nixpkgs": [
@ -261,7 +218,7 @@
],
"nix": "nix",
"nixpkgs": "nixpkgs_2",
"poetry2nix": "poetry2nix_2",
"poetry2nix": "poetry2nix",
"pre-commit-hooks": [
"conduwuit",
"cachix",
@ -311,11 +268,11 @@
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
@ -343,11 +300,11 @@
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
@ -373,22 +330,6 @@
}
},
"flake-compat_5": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_6": {
"flake": false,
"locked": {
"lastModified": 1696426674,
@ -405,43 +346,7 @@
"type": "github"
}
},
"flake-parts": {
"inputs": {
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
"lastModified": 1722555600,
"narHash": "sha256-XOQkdLafnb/p9ij77byFQjDf5m5QYl9b2REiVClC+x4=",
"owner": "hercules-ci",
"repo": "flake-parts",
"rev": "8471fe90ad337a8074e957b69ca4d0089218391d",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "flake-parts",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"locked": {
"lastModified": 1667395993,
"narHash": "sha256-nuEHfE/LcWyuSWnS8t12N1wc105Qtau+/OdUAjtQ0rA=",
@ -456,9 +361,9 @@
"type": "github"
}
},
"flake-utils_3": {
"flake-utils_2": {
"inputs": {
"systems": "systems_3"
"systems": "systems"
},
"locked": {
"lastModified": 1689068808,
@ -474,9 +379,9 @@
"type": "github"
}
},
"flake-utils_4": {
"flake-utils_3": {
"inputs": {
"systems": "systems_4"
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
@ -493,9 +398,9 @@
"type": "github"
}
},
"flake-utils_5": {
"flake-utils_4": {
"inputs": {
"systems": "systems_5"
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
@ -511,9 +416,9 @@
"type": "github"
}
},
"flake-utils_6": {
"flake-utils_5": {
"inputs": {
"systems": "systems_6"
"systems": "systems_4"
},
"locked": {
"lastModified": 1710146030,
@ -575,15 +480,15 @@
},
"homepage": {
"inputs": {
"flake-utils": "flake-utils_6",
"flake-utils": "flake-utils_5",
"nixpkgs": "nixpkgs_4"
},
"locked": {
"lastModified": 1726714659,
"narHash": "sha256-DCngitzTqzhGjoykt7npvuGxc9aWDgZq3Pn+S6++5EM=",
"lastModified": 1724455559,
"narHash": "sha256-suDqHUBghYgS79MqOOBtxu28MVbiQpbB01JGnvvhN0E=",
"ref": "master",
"rev": "c5ba6530fb371d09faf933a08efb288b037705f8",
"revCount": 21,
"rev": "18b56328eda94579fb4727ba886888f6596f7d0a",
"revCount": 15,
"type": "git",
"url": "https://git.posixlycorrect.com/fabian/homepage.git"
},
@ -595,11 +500,11 @@
},
"impermanence": {
"locked": {
"lastModified": 1724489415,
"narHash": "sha256-ey8vhwY/6XCKoh7fyTn3aIQs7WeYSYtLbYEG87VCzX4=",
"lastModified": 1719091691,
"narHash": "sha256-AxaLX5cBEcGtE02PeGsfscSb/fWMnyS7zMWBXQWDKbE=",
"owner": "nix-community",
"repo": "impermanence",
"rev": "c7f5b394397398c023000cf843986ee2571a1fd7",
"rev": "23c1f06316b67cb5dabdfe2973da3785cfe9c34a",
"type": "github"
},
"original": {
@ -642,34 +547,9 @@
"type": "github"
}
},
"napalm": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"nixpkgs": [
"authentik-nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717929455,
"narHash": "sha256-BiI5xWygriOJuNISnGAeL0KYxrEMnjgpg+7wDskVBhI=",
"owner": "nix-community",
"repo": "napalm",
"rev": "e1babff744cd278b56abe8478008b4a9e23036cf",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "napalm",
"type": "github"
}
},
"nix": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-compat": "flake-compat_2",
"nixpkgs": [
"conduwuit",
"cachix",
@ -712,28 +592,6 @@
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703863825,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-github-actions_2": {
"inputs": {
"nixpkgs": [
"conduwuit",
@ -806,18 +664,6 @@
"type": "github"
}
},
"nixpkgs-lib": {
"locked": {
"lastModified": 1722555339,
"narHash": "sha256-uFf2QeW7eAHlYXuDktm9c25OxOyCoUOQmh5SZ9amE5Q=",
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
},
"original": {
"type": "tarball",
"url": "https://github.com/NixOS/nixpkgs/archive/a5d394176e64ab29c852d03346c1fc9b0b7d33eb.tar.gz"
}
},
"nixpkgs-regression": {
"locked": {
"lastModified": 1643052045,
@ -929,11 +775,11 @@
},
"nixpkgs_5": {
"locked": {
"lastModified": 1725001927,
"narHash": "sha256-eV+63gK0Mp7ygCR0Oy4yIYSNcum2VQwnZamHxYTNi+M=",
"lastModified": 1722221733,
"narHash": "sha256-sga9SrrPb+pQJxG1ttJfMPheZvDOxApFfwXCFO0H9xw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "6e99f2a27d600612004fbd2c3282d614bfee6421",
"rev": "12bf09802d77264e441f48e25459c10c93eada2e",
"type": "github"
},
"original": {
@ -945,36 +791,8 @@
},
"poetry2nix": {
"inputs": {
"flake-utils": [
"authentik-nix",
"flake-utils"
],
"flake-utils": "flake-utils_2",
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"authentik-nix",
"nixpkgs"
],
"systems": "systems_2",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1724208502,
"narHash": "sha256-TCRcEPSfgAw/t7kClmlr23s591N06mQCrhzlAO7cyFw=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "884b66152b0c625b8220b570a31dc7acc36749a3",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"poetry2nix_2": {
"inputs": {
"flake-utils": "flake-utils_3",
"nix-github-actions": "nix-github-actions_2",
"nixpkgs": [
"conduwuit",
"cachix",
@ -1000,7 +818,7 @@
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_5",
"flake-compat": "flake-compat_4",
"gitignore": "gitignore",
"nixpkgs": [
"conduwuit",
@ -1042,9 +860,8 @@
},
"root": {
"inputs": {
"authentik-nix": "authentik-nix",
"conduwuit": "conduwuit",
"flake-utils": "flake-utils_5",
"flake-utils": "flake-utils_4",
"home-manager": "home-manager",
"homepage": "homepage",
"impermanence": "impermanence",
@ -1096,8 +913,9 @@
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
@ -1130,65 +948,13 @@
"type": "github"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"authentik-nix",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1719749022,
"narHash": "sha256-ddPKHcqaKCIFSFc/cvxS14goUhCOAwsM1PbMr0ZtHMg=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "8df5ff62195d4e67e2264df0b7f5e8c9995fd0bd",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"unstable": {
"locked": {
"lastModified": 1725103162,
"narHash": "sha256-Ym04C5+qovuQDYL/rKWSR+WESseQBbNAe5DsXNx5trY=",
"lastModified": 1722185531,
"narHash": "sha256-veKR07psFoJjINLC8RK4DiLniGGMgF3QMlS4tb74S6k=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "12228ff1752d7b7624a54e9c1af4b222b3c1073b",
"rev": "52ec9ac3b12395ad677e8b62106f0b98c1f8569d",
"type": "github"
},
"original": {
@ -1200,11 +966,11 @@
},
"vpsadminos": {
"locked": {
"lastModified": 1725379879,
"narHash": "sha256-RXSlp6OS9BNCio8kKajk4yEpntNc2AyozQeDSQa6f3w=",
"lastModified": 1722101851,
"narHash": "sha256-fM5Z8Qhk9/AbGYJ4VrJilGlFK9btBEF+ROtbYYJZJ1I=",
"owner": "vpsfreecz",
"repo": "vpsadminos",
"rev": "605f2f6c56cb79eb66b2b7d3bec050342d7f43b7",
"rev": "2c8ff8462a6f4aefb7bd2663d6ddbedd9d161f2c",
"type": "github"
},
"original": {

6
flake.nix
View file

@ -26,11 +26,6 @@
url = "github:StarCitizenTools/mediawiki-skins-Citizen/v2.27.0";
flake = false;
};
authentik-nix = {
url = "github:nix-community/authentik-nix";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = flakes @ {
@ -44,7 +39,6 @@
homepage,
conduwuit,
mediawikiSkinCitizen,
authentik-nix,
}: let
system = "x86_64-linux";

0
pki/fabian.ssh → pki/fabian.pub
View file

25
pki/fabian_primary.gpg
View file

@ -1,25 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZHlROBYJKwYBBAHaRw8BAQdAhzA1JCghQ6KoHOuf6JPQhEmchHLVXFVye4I2
pRUOUMO0KkZhYmlhbiBNb250ZXJvIDxmYWJpYW5AcG9zaXhseWNvcnJlY3QuY29t
PoiUBBMWCgA8FiEEeqJ35gSkFzkWu7TpH/rDXheYF08FAmR5UTgCGwMFCQlmAYAE
CwkIBwQVCgkIBRYCAwEAAh4FAheAAAoJEB/6w14XmBdPP2EA/i9ugFxpIFF6oOQs
clMfr+sNj6Il0OUTJK0dqpp4mGorAP0awa6nfhU8T1Ju7UWr6cfSmnL4bM6M/4Z3
D+AF/L5PBokCMwQQAQoAHRYhBOd6gIv5qVXWaO7qZHP6nJy18CSbBQJkeVKDAAoJ
EHP6nJy18CSbzTkP/Reio0ObRrRW+QSw62ZXrUG0mFcNeeoM9amldCToFRyGnSDu
wtZ9nqwLiTJ01VPBOsEZLsl4VonO3rdadqnMTZ3XqKK9VHBl6UNot3DQ8INDAcko
GW1zvEdxNkpMxhtAja0JkcBdG7+zxc2aEGeKfEna2qDXA+xtYw5+pssOWYMip7hm
jQ2NzYMYav2KYRBC7eXTkAIIIJi/l9pR1IwHtY3a0gfbkQymgCyt5wVG6LneYFIR
+ycNVCObwyP8gFASdId0bWnA23rkilc9ZBOCps/cGfDLM+KQ+sLAWBFBQyQeEjcv
tU+pLXncAEvWy/SFmprVSLDQMMooFaEJMZChojGcCkwAPG1twsihqIA3E44Q3/+G
K0gZN57jGMnfvuQiuLuttOMdu27KwEu++t3YUt0P6S4kARpx51zZJ7A2Yj2u22aM
7EL8qq6KTNdNoS7FgwQkrWbokdDZIl0HV+5TeMQfylPqOPhuFK/1A9qztqknBPVY
QUx2t6FZUgH9sT7uD+5gXxyeqmEIFo2i6D8G/4TEPbKtWivJfeOqDEBn4QEY2nvE
zgJLLU5XCv9xPz5rizRCa+h+kg+i4mH6fLCBCCAPXsbAAo0gUlGJvX4slPh7uPOa
T2r7A/7uezResBzP/L/vostlmjO5c8cOl9Wc6D1kRZq17/AjMUgy6+KR3iVnuDgE
ZHlROBIKKwYBBAGXVQEFAQEHQPRbCS2p8xpt3fRxfyRnDOdH9pULY4NtGmZUS0ve
ZGkTAwEIB4h+BBgWCgAmFiEEeqJ35gSkFzkWu7TpH/rDXheYF08FAmR5UTgCGwwF
CQlmAYAACgkQH/rDXheYF0/65AD+LtDeedCYv9zs+1Ia3DvejVZM256WEH+dRH5h
Pm3RzQ8A/2+bXRnfsgGqacj/kKEL3spuos95ngRNRkrQ39nc1koP
=PAxr
-----END PGP PUBLIC KEY BLOCK-----

19
pki/fabian_yubikey.gpg
View file

@ -1,19 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
mDMEZukhMBYJKwYBBAHaRw8BAQdAC/Gy2p7RPFw3k+ROFnKpJvCVqQb+BUYboE2u
CP1kz/C0KkZhYmlhbiBNb250ZXJvIDxmYWJpYW5AcG9zaXhseWNvcnJlY3QuY29t
PoiTBBMWCgA7FiEEcgbY7iR0898Y6odvDsFpH/jBqB8FAmbpITACGwMFCwkIBwIC
IgIGFQoJCAsCBBYCAwECHgcCF4AACgkQDsFpH/jBqB+oGwEAhmegCZJAt8Opv/9+
HBbL51f2035qymHPgkV/SyFM1GEBAOVQY6A5U+NrLNiaQTN5Z7jcfQuBobzk4ksn
RzROhTcAiHUEEBYKAB0WIQR6onfmBKQXORa7tOkf+sNeF5gXTwUCZutnFQAKCRAf
+sNeF5gXT1juAQDsH/lDorfMdWxuP87eV9OP8jQvibuTuZ9n2jUllXsLcQEA5gDJ
05NW5Tw2g9mvlrocWr7N2/PC5UvFct4akwDXtA+4MwRm6SEwFgkrBgEEAdpHDwEB
B0AHSmncE+krtL9ZGe4eq865vjaLiUAVnZQaVObKm11CBYh4BBgWCgAgFiEEcgbY
7iR0898Y6odvDsFpH/jBqB8FAmbpITACGyAACgkQDsFpH/jBqB+hBwD/Y9vAcbPG
CTmZvtgYlZW5Oey5T3hHoANv1THOZwv9G58BALEBZRvDztmYPjRaMyAMonrpc2P0
GPHYLcqCPVbjkaAKuDgEZukhMBIKKwYBBAGXVQEFAQEHQC2+QJcHEJjdZikBYeMj
ks53MjfeawAXU31KtAU60KACAwEIB4h4BBgWCgAgFiEEcgbY7iR0898Y6odvDsFp
H/jBqB8FAmbpITACGwwACgkQDsFpH/jBqB+0TwD+K4IcFstNGLrijlgH2zuQaI+p
8QT8AInjSpGfC4zcMlEBAIVYvdTYw4IXPSQOs0qPyR0nhfGIeoBMeWrAAfoxQ0oB
=wpc0
-----END PGP PUBLIC KEY BLOCK-----

21
pki/gatekeeper_ca.pem Normal file
View file

@ -0,0 +1,21 @@
-----BEGIN CERTIFICATE-----
MIIDijCCAnKgAwIBAgIUQCBAoFSQrYx063PnK3XKiOJSpvQwDQYJKoZIhvcNAQEL
BQAwKzEpMCcGA1UEAwwgcG9zaXhseWNvcnJlY3QuY29tIGdhdGVrZWVwZXIgQ0Ew
HhcNMjQwODAyMDcxNzE4WhcNMzQwNzMxMDcxNzE4WjArMSkwJwYDVQQDDCBwb3Np
eGx5Y29ycmVjdC5jb20gZ2F0ZWtlZXBlciBDQTCCASIwDQYJKoZIhvcNAQEBBQAD
ggEPADCCAQoCggEBAKxjqIpRxIu2yPejUbyMixZACESrbmIGOhhxwUu1ys6aYPOZ
7yQMs5xuJXcgCuD7Oba1eBi+CpLhyvgZlyLrCfxoCzTdAeeXq0EB7YUn8IYEN3dR
e+yds//zkjRzbXAaIbUoAF8XaXgylOSIXLNrh0TTjNscC+TPYvKSbaDhdICOZ1ky
u08w5QdOoi1W8FNJd4LKIKWQZW3dMeNaBbKnt9R4mjL28tE5gP6ZYUvcCIoqYAbE
DSNq29lXsmDzbD914bN5wYoTP3A+k8QG6eYGb10YgaaJ0TBxeLzadVBq7gFylMt3
1LTNmH/v+l73IYfiDV4O3d33cg0VOKqiD48WCnkCAwEAAaOBpTCBojAMBgNVHRME
BTADAQH/MB0GA1UdDgQWBBStVj4YoMTnD+XZ+doBI7Ao17Gg3DBmBgNVHSMEXzBd
gBStVj4YoMTnD+XZ+doBI7Ao17Gg3KEvpC0wKzEpMCcGA1UEAwwgcG9zaXhseWNv
cnJlY3QuY29tIGdhdGVrZWVwZXIgQ0GCFEAgQKBUkK2MdOtz5yt1yojiUqb0MAsG
A1UdDwQEAwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAZgbpPdkhAbrbA7Y63WI2Bo26
tPVCZpsEKiwpyEbDDC+NVrbOit1kQg/j26RuXLDVg19IfXk407FVFVGYVJNE+kXt
KjyKCGyyZUBQRebCN8kzFsCQ/AJSfzNKQhEK68rchSH66mbjtOtItkdVZRnq0pWI
7WXlTIxK8KTcAx2V/ijyalCENUpwRWfM4Qnkqsi82Dx9e8V0TRCLomW7IQok4dre
F6IolUHw9ZuSC10/T8n8+riqWBWEisBGLz79OrdETdHK9A5gpNHRF+sO9JAhVr/t
exBWTEJ33BeI0NX87d0Pneun4nss5FsLst+Ut7Y0F2QF2Iar1iERUalHVIjCtA==
-----END CERTIFICATE-----

2
sys/default.nix
View file

@ -62,7 +62,7 @@ with lib; {
group = "fabian";
shell = pkgs.zsh;
extraGroups = ["users" "wheel" "networkmanager" "dialout" "libvirtd"];
openssh.authorizedKeys.keyFiles = [../pki/fabian.ssh];
openssh.authorizedKeys.keyFiles = [../pki/fabian.pub];
};
groups.fabian.gid = 1000;
};

32
sys/srv/authelia/authelia-authrequest.conf Normal file
View file

@ -0,0 +1,32 @@
## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
auth_request /internal/authelia/authz;
## Save the upstream metadata response headers from Authelia to variables.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
## Inject the metadata response headers from the variables into the request made to the backend.
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Email $email;
proxy_set_header Remote-Name $name;
## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
auth_request_set $redirection_url $upstream_http_location;
## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
error_page 401 =302 $redirection_url;
## Legacy Method: Set $target_url to the original requested URL.
## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module.
# set_escape_uri $target_url $scheme://$http_host$request_uri;
## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
## URL parameter set to $target_url. This requires users update 'auth.posixlycorrect.com/' with their external authelia URL.
# error_page 401 =302 https://auth.posixlycorrect.com/?rd=$target_url;

20
sys/srv/authelia/authelia-location.conf Normal file
View file

@ -0,0 +1,20 @@
## Virtual endpoint created by nginx to forward auth requests.
location /internal/authelia/authz {
## Essential Proxy Configuration
internal;
proxy_pass http://localhost:9091/api/authz/auth-request;
## Headers
## The headers starting with X-* are required.
proxy_set_header X-Original-Method $request_method;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Content-Length "";
proxy_set_header Connection "";
## Basic Proxy Configuration
proxy_pass_request_body off;
## Advanced Proxy Configuration TODO: maybe reducir estos timeouts?
send_timeout 5m;
}

169
sys/srv/authelia/default.nix Normal file
View file

@ -0,0 +1,169 @@
{
lib,
pkgs,
...
}:
with lib; {
options = {
services.nginx.virtualHosts = mkOption {
type = with lib.types;
attrsOf (
submodule
(
{config, ...}: {
options = {
enableAuthelia = mkOption {
default = false;
type = bool;
};
};
config = mkIf config.enableAuthelia {
extraConfig = ''
include ${./authelia-authrequest.conf};
include ${./authelia-location.conf};
'';
};
}
)
);
};
};
config = {
systemd.services.authelia-main.before = ["nginx.service"];
services = {
nginx = {
recommendedProxySettings = true;
recommendedTlsSettings = true;
commonHttpConfig = ''
## Headers
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-Ssl on;
## Basic Proxy Configuration
client_body_buffer_size 128k;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
# proxy_redirect http:// $scheme://;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
## Trusted Proxies Configuration
## Please read the following documentation before configuring this:
## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
# set_real_ip_from 10.0.0.0/8;
# set_real_ip_from 172.16.0.0/12;
# set_real_ip_from 192.168.0.0/16;
# set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
'';
virtualHosts."auth.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
locations = {
"/" = {
proxyPass = "http://localhost:9091"; #TODO: hacer que eso esté en alguna config o en algún let
};
"= /api/verify" = {
proxyPass = "http://localhost:9091";
};
"= /api/authz/" = {
proxyPass = "http://localhost:9091";
};
};
};
};
authelia.instances.main = {
enable = true;
package = pkgs.unstable.authelia;
# config based on https://github.com/authelia/authelia/blob/master/config.template.yml
secrets = {
jwtSecretFile = "/var/trust/authelia-main/jwt-secret";
storageEncryptionKeyFile = "/var/trust/authelia-main/storage-encryption-file";
sessionSecretFile = "/var/trust/authelia-main/session-secret-file";
};
settings = {
theme = "dark";
default_2fa_method = "totp";
server = {
disable_healthcheck = true;
port = 9091;
host = "localhost";
endpoints.authz.auth-request.implementation = "AuthRequest";
};
# tls settings not modified https://github.com/authelia/authelia/blob/master/config.template.yml#L53
log = {
level = "info";
format = "text";
};
telemetry.metrics.enabled = false;
totp = {
disable = false;
issuer = "https://getaegis.app/ or whatever you prefer";
};
webauthn = {
disable = false;
};
duo_api.disable = true;
authentication_backend.file = {
path = "/var/lib/authelia-main/users_database.yml";
password.algorithm = "argon2";
};
password_policy.zxcvbn = {
enabled = true;
min_score = 3;
};
access_control = {
default_policy = "deny";
rules = [
{
domain = "auth.posixlycorrect.com";
policy = "bypass";
}
{
domain = "meet.posixlycorrect.com";
policy = "bypass";
}
];
};
session = {
name = "posixlycorrect_session";
same_site = "lax";
inactivity = "5m";
expiration = "1h";
remember_me = "1M";
cookies = [
{
name = "posixlycorrect_session";
domain = "posixlycorrect.com";
authelia_url = "https://auth.posixlycorrect.com";
default_redirection_url = "https://posixlycorrect.com";
same_site = "lax";
inactivity = "5 minutes";
expiration = "1 hour";
remember_me = "1 month";
}
];
};
regulation = {
max_retries = 3;
find_time = "2 minutes";
ban_time = "5 minutes";
};
storage.local.path = "/var/lib/authelia-main/db.sqlite3";
# TODO: usar smtp
notifier.filesystem = {
filename = "/tmp/trash.txt";
};
};
};
};
};
}

110
sys/srv/authentik.nix
View file

@ -1,110 +0,0 @@
{
lib,
pkgs,
flakes,
...
}:
with lib; {
imports = [flakes.authentik-nix.nixosModules.default];
options = {
services.nginx.virtualHosts = mkOption {
type = with lib.types;
attrsOf (
submodule
(
{config, ...}: {
options = {
enableAuthentik = mkOption {
default = false;
type = bool;
};
locations = mkOption {
type = attrsOf (
submodule {
config = mkIf config.enableAuthentik {
extraConfig = ''
auth_request /outpost.goauthentik.io/auth/nginx;
error_page 401 = @goauthentik_proxy_signin;
auth_request_set $auth_cookie $upstream_http_set_cookie;
add_header Set-Cookie $auth_cookie;
# translate headers from the outposts back to the actual upstream
auth_request_set $authentik_username $upstream_http_x_authentik_username;
auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
auth_request_set $authentik_email $upstream_http_x_authentik_email;
auth_request_set $authentik_name $upstream_http_x_authentik_name;
auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
proxy_set_header X-authentik-username $authentik_username;
proxy_set_header X-authentik-groups $authentik_groups;
proxy_set_header X-authentik-email $authentik_email;
proxy_set_header X-authentik-name $authentik_name;
proxy_set_header X-authentik-uid $authentik_uid;
'';
};
}
);
};
};
config = mkIf config.enableAuthentik {
extraConfig = ''
proxy_buffers 8 16k;
proxy_buffer_size 32k;
location /outpost.goauthentik.io {
proxy_pass http://localhost:9000/outpost.goauthentik.io;
# ensure the host of this vserver matches your external URL you've configured
# in authentik
proxy_set_header Host $host;
proxy_redirect http://localhost:9000 https://auth.posixlycorrect.com;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
add_header Set-Cookie $auth_cookie;
auth_request_set $auth_cookie $upstream_http_set_cookie;
# required for POST requests to work
proxy_pass_request_body off;
proxy_set_header Content-Length "";
}
location @goauthentik_proxy_signin {
internal;
add_header Set-Cookie $auth_cookie;
return 302 /outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
# For domain level, use the below error_page to redirect to your authentik server with the full redirect path
# return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}
'';
};
}
)
);
};
};
config = {
services = {
authentik = {
enable = true;
environmentFile = "/var/trust/authentik/authentik-env";
nginx = {
enable = true;
enableACME = true;
host = "auth.posixlycorrect.com";
};
settings = {
email = {
host = "smtp.fastmail.com";
port = 587;
username = "fabianmontero@fastmail.com";
use_tls = true;
use_ssl = false;
from = "auth@posixlycorrect.com";
};
disable_startup_analytics = true;
avatars = "initials";
};
};
};
};
}

4
sys/srv/bepasty.nix
View file

@ -9,10 +9,6 @@ with lib; {
virtualHosts."send.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:8989";
};

6
sys/srv/default.nix
View file

@ -10,15 +10,13 @@ with lib; {
./net.nix
./mediawiki.nix
./jitsi.nix
# ./matrix.nix currently not being used
./matrix.nix
./forgejo.nix
./vaultwarden.nix
./bepasty.nix
./jellyfin.nix
./msmtp.nix
./kuma.nix
# ./authentik.nix consumes too much RAM and serves no purpose for now
./paperless.nix
./trilium.nix
./authelia
];
}

33
sys/srv/firefly.nix
View file

@ -1,33 +0,0 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."firefly.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
};
};
firefly-iii = {
enable = true;
user = "firefly-iii";
dataDir = "/var/lib/firefly-iii";
enableNginx = true;
virtualHost = "firefly.posixlycorrect.com";
settings = {
SITE_OWNER = "fabian@posixlycorrect.com";
DB_CONNECTION = "sqlite";
APP_ENV = "local";
APP_KEY_FILE = /var/trust/firefly/key_file;
};
};
};
}

5
sys/srv/forgejo.nix
View file

@ -16,10 +16,6 @@ with lib; {
virtualHosts."git.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/".proxyPass = "http://localhost:9170";
};
};
@ -39,7 +35,6 @@ with lib; {
useWizard = false;
settings = {
general.APP_NAME = "posixlycorrect";
ui.DEFAULT_THEME = "forgejo-dark";
server = {
DOMAIN = "git.posixlycorrect.com";
ROOT_URL = "https://git.posixlycorrect.com";

4
sys/srv/jellyfin.nix
View file

@ -9,10 +9,6 @@ with lib; {
virtualHosts."stream.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://localhost:8096";
};

8
sys/srv/jitsi.nix
View file

@ -10,8 +10,12 @@ with lib; {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
ssl_verify_depth 1;
ssl_verify_client on;
ssl_client_certificate ${../../pki/gatekeeper_ca.pem};
if ($ssl_client_verify != "SUCCESS") {
return 403;
}
'';
};
};

4
sys/srv/kuma.nix
View file

@ -9,10 +9,6 @@ with lib; {
virtualHosts."status.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:4456";
};

23
sys/srv/mediawiki.nix
View file

@ -10,10 +10,7 @@ with lib; {
virtualHosts."wiki.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
enableAuthelia = true;
};
};
mediawiki = {
@ -53,24 +50,6 @@ with lib; {
extensions = {
# some extensions are included and can enabled by passing null
VisualEditor = null;
CategoryTree = null;
CiteThisPage = null;
Scribunto = null;
Cite = null;
CodeEditor = null;
Math = null;
MultimediaViewer = null;
PdfHandler = null;
Poem = null;
SecureLinkFixer = null;
WikiEditor = null;
ParserFunctions = null;
TemplateStyles = pkgs.fetchzip {
url = "https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/TemplateStyles/+archive/refs/heads/wmf/1.42.0-wmf.9.tar.gz";
sha256 = "sha256-+EOwkDU8L0qQ4Wo3WDqNug4Pyz/PUhOiHKmNcFJO4G0=";
stripRoot = false;
};
};
};
};

28
sys/srv/net.nix
View file

@ -26,35 +26,17 @@ with lib; {
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
commonHttpConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
logError = "/var/log/nginx/error.log";
clientMaxBodySize = "99M";
virtualHosts = {
"posixlycorrect.com" = {
forceSSL = true;
enableACME = true;
locations = {
"/".root = "${pkgs.local.homepage}";
"~ ^/pki(?:/(.*))?$" = { # https://serverfault.com/a/476368
alias = "${../../pki}/$1";
extraConfig = ''
autoindex on;
autoindex_exact_size on;
autoindex_localtime on;
autoindex_format html;
'';
};
"~ ^/factorio_blueprints(?:/(.*))?$" = { # https://serverfault.com/a/476368
alias = "${../../cdn/factorio_blueprints}/$1";
extraConfig = ''
autoindex on;
autoindex_exact_size on;
autoindex_localtime on;
autoindex_format html;
'';
};
};
root = "${pkgs.local.homepage}";
};
};
};

39
sys/srv/paperless.nix
View file

@ -1,39 +0,0 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."docs.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/" = {
proxyPass = "http://127.0.0.1:28981";
};
};
};
paperless = {
enable = true;
user = "paperless";
passwordFile = "/var/trust/paperless/passwordFile";
openMPThreadingWorkaround = true; # see https://github.com/NixOS/nixpkgs/issues/240591
address = "127.0.0.1";
port = 28981;
settings = {
PAPERLESS_URL = "docs.posixlycorrect.com";
PAPERLESS_OCR_LANGUAGE = "eng+spa";
PAPERLESS_APP_TITLE = "posixlycorrect";
PAPERLESS_OCR_USER_ARGS = {
"invalidate_digital_signatures" = true;
};
};
};
};
}

32
sys/srv/trilium.nix
View file

@ -1,32 +0,0 @@
{
lib,
pkgs,
...
}:
with lib; {
services = {
nginx = {
virtualHosts."notes.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
};
};
trilium-server = {
enable = true;
host = "127.0.0.1";
port = 8458;
noAuthentication = false;
instanceName = "posixlycorrect";
dataDir = "/var/lib/trilium";
nginx = {
enable = true;
hostName = "notes.posixlycorrect.com";
};
};
};
}

4
sys/srv/vaultwarden.nix
View file

@ -9,10 +9,6 @@ with lib; {
virtualHosts."vault.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
proxy_headers_hash_max_size 512;
proxy_headers_hash_bucket_size 128;
'';
locations."/".proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}";
};
};