add priv.yori.cc behind oauth2-proxy
parent
f251a891fb
commit
17c351c5b6
@ -32,6 +32,35 @@
'';
|
'';
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
virtualHosts."priv.yori.cc" = let
|
||||||
|
oauth2Block = ''
|
||||||
|
auth_request /oauth2/auth;
|
||||||
|
error_page 401 = /oauth2/sign_in;
|
||||||
|
|
||||||
|
# pass information via X-User and X-Email headers to backend,
|
||||||
|
# requires running with --set-xauthrequest flag
|
||||||
|
auth_request_set $user $upstream_http_x_auth_request_user;
|
||||||
|
auth_request_set $email $upstream_http_x_auth_request_email;
|
||||||
|
proxy_set_header X-User $user;
|
||||||
|
proxy_set_header X-Email $email;
|
||||||
|
|
||||||
|
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
|
||||||
|
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||||
|
add_header Set-Cookie $auth_cookie;
|
||||||
|
'';
|
||||||
|
in {
|
||||||
|
onlySSL = true;
|
||||||
|
useACMEHost = "wildcard.yori.cc";
|
||||||
|
locations."/".proxyPass = "http://127.0.0.1:4000";
|
||||||
|
locations."/sonarr" = {
|
||||||
|
proxyPass = "http://127.0.0.1:8989";
|
||||||
|
extraConfig = oauth2Block;
|
||||||
|
};
|
||||||
|
locations."/radarr" = {
|
||||||
|
proxyPass = "http://127.0.0.1:7878";
|
||||||
|
extraConfig = oauth2Block;
|
||||||
|
};
|
||||||
|
};
|
||||||
virtualHosts."frumar.yori.cc" = {
|
virtualHosts."frumar.yori.cc" = {
|
||||||
enableACME = lib.mkForce false;
|
enableACME = lib.mkForce false;
|
||||||
inherit (config.security.y-selfsigned) sslCertificate sslCertificateKey;
|
inherit (config.security.y-selfsigned) sslCertificate sslCertificateKey;
|
||||||
|
@ -57,37 +86,11 @@
|
||||||
extraFlags = [ "--web.enable-admin-api" ];
|
extraFlags = [ "--web.enable-admin-api" ];
|
||||||
# victoriametrics
|
# victoriametrics
|
||||||
remoteWrite = [{ url = "http://127.0.0.1:8428/api/v1/write"; }];
|
remoteWrite = [{ url = "http://127.0.0.1:8428/api/v1/write"; }];
|
||||||
scrapeConfigs = [
|
scrapeConfigs = [{
|
||||||
# {
|
job_name = "node";
|
||||||
# job_name = "smartmeter";
|
static_configs = [{ targets = [ "localhost:9100" ]; }];
|
||||||
# # prometheus doesn't support mdns :thinking_face:
|
}];
|
||||||
# static_configs = [{ targets = [ "192.168.178.30" ]; }];
|
|
||||||
# scrape_interval = "10s";
|
|
||||||
# }
|
|
||||||
{
|
|
||||||
job_name = "node";
|
|
||||||
static_configs = [{ targets = [ "localhost:9100" ]; }];
|
|
||||||
# } {
|
|
||||||
# job_name = "unifi";
|
|
||||||
# static_configs = [ { targets = [ "localhost:9130" ]; } ];
|
|
||||||
}
|
|
||||||
# {
|
|
||||||
# job_name = "thermometer";
|
|
||||||
# static_configs = [{ targets = [ "192.168.178.21:8000" ]; }];
|
|
||||||
# }
|
|
||||||
# {
|
|
||||||
# job_name = "esphome";
|
|
||||||
# static_configs = [{ targets = [ "192.168.178.77" ]; }];
|
|
||||||
# }
|
|
||||||
];
|
|
||||||
exporters.node.enable = true;
|
exporters.node.enable = true;
|
||||||
# exporters.unifi = {
|
|
||||||
# enable = true;
|
|
||||||
# unifiAddress = "https://localhost:8443";
|
|
||||||
# unifiInsecure = true;
|
|
||||||
# unifiUsername = "ReadOnlyUser";
|
|
||||||
# unifiPassword = "ReadOnlyPassword";
|
|
||||||
# };
|
|
||||||
};
|
};
|
||||||
services.yorick.paperless = {
|
services.yorick.paperless = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -96,11 +99,11 @@
|
||||||
};
|
};
|
||||||
boot.zfs.requestEncryptionCredentials = false;
|
boot.zfs.requestEncryptionCredentials = false;
|
||||||
networking.firewall = {
|
networking.firewall = {
|
||||||
interfaces.wg-y.allowedTCPPorts = [ 3000 9090 8443 ];
|
interfaces.wg-y.allowedTCPPorts = [ 3000 9090 ]; # grafana and prometheus via pennyworth
|
||||||
# mqtt, wsdd, ??, minecraft
|
# mqtt
|
||||||
allowedTCPPorts = [ 1883 5357 443 25565 ];
|
allowedTCPPorts = [ 1883 ];
|
||||||
# mqtt, wsdd, minecraft
|
# mqtt
|
||||||
allowedUDPPorts = [ 1883 3702 25565 ];
|
allowedUDPPorts = [ 1883 ];
|
||||||
};
|
};
|
||||||
services.rabbitmq = {
|
services.rabbitmq = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
@ -121,13 +124,14 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
age.secrets = {
|
age.secrets = {
|
||||||
grafana.file = ../../../secrets/grafana.env.age;
|
|
||||||
frumar-mail-pass.file = ../../../secrets/frumar-mail-pass.age;
|
|
||||||
acme-transip-key = {
|
acme-transip-key = {
|
||||||
file = ../../../secrets/transip-key.age;
|
file = ../../../secrets/transip-key.age;
|
||||||
mode = "770";
|
mode = "770";
|
||||||
group = "acme";
|
group = "acme";
|
||||||
};
|
};
|
||||||
|
frumar-mail-pass.file = ../../../secrets/frumar-mail-pass.age;
|
||||||
|
grafana.file = ../../../secrets/grafana.env.age;
|
||||||
|
oauth2-proxy.file = ../../../secrets/oauth2-proxy.age;
|
||||||
};
|
};
|
||||||
systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana.path;
|
systemd.services.grafana.serviceConfig.EnvironmentFile = config.age.secrets.grafana.path;
|
||||||
services.zfs.autoScrub = {
|
services.zfs.autoScrub = {
|
||||||
|
@ -169,8 +173,6 @@
|
||||||
python3
|
python3
|
||||||
ranger
|
ranger
|
||||||
jq
|
jq
|
||||||
mcrcon
|
|
||||||
jdk17_headless
|
|
||||||
unzip
|
unzip
|
||||||
];
|
];
|
||||||
security.acme.certs."wildcard.yori.cc" = {
|
security.acme.certs."wildcard.yori.cc" = {
|
||||||
|
@ -210,4 +212,14 @@
|
||||||
ZED_NOTIFY_VERBOSE = true;
|
ZED_NOTIFY_VERBOSE = true;
|
||||||
ZED_SCRUB_AFTER_RESILVER = true;
|
ZED_SCRUB_AFTER_RESILVER = true;
|
||||||
};
|
};
|
||||||
|
services.oauth2_proxy = {
|
||||||
|
enable = true;
|
||||||
|
email.addresses = "yorickvanpelt@gmail.com";
|
||||||
|
redirectURL = "https://priv.yori.cc/oauth2/callback";
|
||||||
|
reverseProxy = true;
|
||||||
|
keyFile = config.age.secrets.oauth2-proxy.path;
|
||||||
|
setXauthrequest = true;
|
||||||
|
nginx.virtualHosts = [ "priv.yori.cc" ];
|
||||||
|
extraConfig.whitelist-domain = ["priv.yori.cc"];
|
||||||
|
};
|
||||||
}
|
}
|
||||||
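Review bot: The root location of the new vhost (`locations."/".proxyPass = "http://127.0.0.1:4000";` in the first hunk) carries no `extraConfig = oauth2Block;`, so within this file only `/sonarr` and `/radarr` are gated by `auth_request`, and because nginx does not inherit `auth_request` across sibling `location` blocks any location added later will be exposed the same way unless it gets the block. If gating of `/` is meant to come from `services.oauth2_proxy.nginx.virtualHosts = [ "priv.yori.cc" ];` in the last hunk, a comment next to the root location such as `# "/" is gated by the oauth2_proxy nginx integration; sub-locations need oauth2Block explicitly` would make the trust boundary explicit; otherwise add `extraConfig = oauth2Block;` there as well. Separately, the firewall hunk drops 443 from `allowedTCPPorts` while the new vhost is `onlySSL = true` and nothing in the diff opens 443 on `wg-y` or any other interface, so reachability of priv.yori.cc presumably relies on a trusted interface configured outside this commit — worth confirming, and if LAN/VPN-only exposure is the intent, a comment on the vhost saying so would help.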
@ -25,13 +25,11 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
group = "plex";
|
group = "plex";
|
||||||
user = "plex";
|
user = "plex";
|
||||||
openFirewall = true;
|
|
||||||
};
|
};
|
||||||
services.radarr = {
|
services.radarr = {
|
||||||
enable = true;
|
enable = true;
|
||||||
group = "plex";
|
group = "plex";
|
||||||
user = "plex";
|
user = "plex";
|
||||||
openFirewall = true;
|
|
||||||
};
|
};
|
||||||
users.users.plex.packages = with pkgs; [
|
users.users.plex.packages = with pkgs; [
|
||||||
ffmpeg
|
ffmpeg
|
||||||
Binary file not shown.
@ -25,4 +25,5 @@ in
|
||||||
"root-user-pass.age".publicKeys = [ yorick blackadder pennyworth frumar smithers jarvis ];
|
"root-user-pass.age".publicKeys = [ yorick blackadder pennyworth frumar smithers jarvis ];
|
||||||
"frumar-mail-pass-hash.age".publicKeys = [ yorick pennyworth ];
|
"frumar-mail-pass-hash.age".publicKeys = [ yorick pennyworth ];
|
||||||
"frumar-mail-pass.age".publicKeys = [ yorick frumar ];
|
"frumar-mail-pass.age".publicKeys = [ yorick frumar ];
|
||||||
|
"oauth2-proxy.age".publicKeys = [ yorick frumar ];
|
||||||
}
|
}
|
||||||