# ----------------------------------------------------------------------
#  HandlerOne - m710q
#
#  Host module for this machine: hardware, disk layout, the shared modules
#  it pulls in, the services it hosts, and the Caddy / caddy-security
#  front door that puts an OIDC login in front of them.
# ----------------------------------------------------------------------
{
  config,
  inputs,
  lib,
  pkgs,
  ...
}:
let
  # Project helper that resolves a repo-relative path against the flake root.
  fromRoot = lib.custom.relativeToRoot;

  # Disk layout: disko driven by the shared btrfs template, parameterised
  # for this box via _module.args.
  diskModules = [
    inputs.disko.nixosModules.disko
    (fromRoot "hosts/common/disks/btrfs-disk.nix")
    {
      _module.args = {
        disk = "/dev/nvme0n1";
        withSwap = true;
        swapSize = "8";
      };
    }
  ];

  # Shared modules (core + optional pieces), quadlets and the hosted services.
  sharedModules = map fromRoot [
    # Required configs
    "hosts/common/core"

    # Optional configs
    "hosts/common/optional/keyd.nix"
    "hosts/common/optional/podman.nix"

    # Quadlets
    "modules/quadlets"
    "modules/quadlets/booklore"

    # Hosted services
    "modules/services/mealie"
    "modules/services/actualbudget"
    "modules/services/frigate"
    "modules/services/homepage"
    "modules/services/mqtt"
    "modules/services/lubelogger"
    "modules/services/trilium"
    "modules/services/fail2ban"
    "modules/services/mesh/client.nix"
    "modules/services/auth-provider"
    "modules/services/paperless"
    "modules/services/matrix"
    "modules/services/freshrss"
    "modules/services/forgejo"
    "modules/services/flamesites"
  ];
in
{
  # lib.flatten collapses the nested lists above into one flat module list.
  imports = lib.flatten [
    # Hardware
    ./hardware-configuration.nix

    # FIXME(TODO): Turn this into its own backup module
    ./backup.nix

    # Disks
    diskModules

    # Misc
    sharedModules
  ];

  nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

  hostSpec.hostName = "HandlerOne";
  hostSpec.persistFolder = "/persist";

  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;

  networking.networkmanager.enable = true;
  networking.enableIPv6 = false;
  # Only the HTTP/HTTPS front door is exposed; the hosted services are
  # reached through Caddy (80 for ACME challenges / redirects, 443 for TLS).
  networking.firewall.allowedTCPPorts = [
    80
    443
  ];

  # OIDC client credentials for caddy-security are kept in sops. The rendered
  # template is handed to Caddy as an environment file (see environmentFile
  # below), so the client secret is referenced as {env.*} in the Caddyfile
  # and never lands in the Nix store as plain text.
  sops.secrets."caddy/oidc/client" = { };
  sops.secrets."caddy/oidc/secret" = { };
  sops.templates."caddyserver-env".content = ''
    POCKETID_CLIENT_ID=${config.sops.placeholder."caddy/oidc/client"}
    POCKETID_CLIENT_SECRET=${config.sops.placeholder."caddy/oidc/secret"}
  '';

  services.caddy = {
    email = "infrastructure@wanderingcrow.net";
    acmeCA = "https://acme-v02.api.letsencrypt.org/directory";

    # caddy-security is compiled in at a pinned tag; the hash pins the
    # resulting build output so the plugin set cannot drift silently.
    package = pkgs.caddy.withPlugins {
      plugins = [ "github.com/greenpau/caddy-security@v1.1.31" ];
      hash = "sha256-65Z20N16/jHOtVb85HLx0z4nHEuG9POEV7D5QXOGYQM=";
    };

    environmentFile = config.sops.templates."caddyserver-env".path;

    # NOTE(review): DEBUG is Caddy's most verbose level and can record
    # request/response details (including cookies and auth headers) in the
    # journal; useful while bringing up the OIDC flow, consider INFO once
    # it is stable.
    logFormat = ''
      level DEBUG
    '';

    # caddy-security wiring:
    #  - generic OIDC provider backed by auth.wanderingcrow.net, credentials
    #    read from the env file above;
    #  - portal "myportal": one-hour tokens, Secure cookie flag kept
    #    ("cookie insecure off");
    #  - policy "frigate": admits only the `frigate` role and forwards the
    #    identity upstream as Remote-User / Remote-Role.
    # NOTE(review): those injected headers are only trustworthy if the
    # upstream is reachable solely through this proxy — confirm in
    # modules/services/frigate.
    globalConfig = ''
      order authenticate before respond
      security {
        oauth identity provider generic {
          delay_start 3
          realm generic
          driver generic
          client_id {env.POCKETID_CLIENT_ID}
          client_secret {env.POCKETID_CLIENT_SECRET}
          scopes openid email profile groups
          base_auth_url https://auth.wanderingcrow.net
          metadata_url https://auth.wanderingcrow.net/.well-known/openid-configuration
        }

        authentication portal myportal {
          crypto default token lifetime 3600
          enable identity provider generic
          cookie insecure off
        }

        authorization policy frigate {
          set auth url /caddy-security/oauth2/generic
          allow roles frigate
          inject headers with claims
          inject header Remote-User from name
          inject header Remote-Role from groups
        }
      }
    '';
  };
}