Jaaj-San/pointfichiers
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: Jaaj-San:36f1a442531a2d6978bea9c30ef2a6411f4bbee7
Branches Tags
Jaaj-San:main
Jaaj-San:feat/ovh-config
Jaaj-San:feat/nix
...
compare: Jaaj-San:927ab2306d90c76fbd45aa28afc171e55cbe303a
Branches Tags
Jaaj-San:main
Jaaj-San:feat/ovh-config
Jaaj-San:feat/nix

14 commits
36f1a44253 ... 927ab2306d

Author SHA1 Message Date
GaspardCulis
927ab2306d fix(services/penpot): Added missing volume for penpot-postgres 2024-10-23 14:05:26 +02:00
GaspardCulis
c522f2aac4 fix(services -> penpot): Fixed onboarding messages not being disabled. 
And re-enabled password logging
 2024-10-23 13:58:36 +02:00
GaspardCulis
97486473bc chore(services/penpot): Disabled onboarding questions and newsletter 2024-10-23 13:46:39 +02:00
GaspardCulis
5fb7082751 fix(penpot): Asset storage backend now assets-fs 
Because S3 backend isn't currently compatible with garage (I guess)
 2024-10-23 13:42:45 +02:00
GaspardCulis
74510601b6 feat(services): Added penpot service and relevant authelia config 2024-10-21 10:48:54 +02:00
GaspardCulis
ab7af0d67b feat(authelia): Configured SMTP notifier 2024-10-18 11:13:14 +02:00
GaspardCulis
0a110d5493 feat(services): Properly configure and enable authelia 2024-10-18 10:53:36 +02:00
GaspardCulis
9376dc8b71 Revert "fix(sops): Changed path_regex for OVHCloud secrets" 
This reverts commit abc5c42aa7.
 2024-10-18 10:28:01 +02:00
GaspardCulis
9fa21dba9c fix(garage): Added new domains 2024-10-12 18:10:49 +02:00
GaspardCulis
b9ef06bfec feat(services): Added back now fixed garage service as default 2024-10-11 22:27:03 +02:00
GaspardCulis
7d223fad78 chore(wireguard): Added new peer for Family desktop 2024-10-11 22:26:23 +02:00
GaspardCulis
c07b6dc58b feat(garage): Add garage bash alias 2024-10-11 20:58:03 +02:00
GaspardCulis
542e43228d fix(garage): Fixed rpc_public_addr value 2024-10-11 20:56:16 +02:00
GaspardCulis
0a9a7d0d02 fix(garage): Fixed rpc secret path 2024-10-11 20:01:22 +02:00
10 changed files with 326 additions and 5 deletions
Show stats Expand all files Collapse all files

2
.sops.yaml
View file

@ -2,7 +2,7 @@ keys:
- &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr - &admin_gaspard age1rgu2e75kt4uztr43y6wj70uz2sj3tr9lz58y4h6rk37alq2vwa5q9v35dr
- &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr - &server_ovh age1th4zyxdg3y5sdza9v3zlezzru7wyqwvk5y0t7jdv97ej3gd6d5hs5mg7cr
creation_rules: creation_rules:
- path_regex: secrets/OVHConfig.yaml - path_regex: secrets/[^/]+\.(yaml|json|env|ini)$
key_groups: key_groups:
- pgp: - pgp:
age: age:

30
secrets/OVHCloud.yaml
View file

@ -1,3 +1,15 @@
authelia:
JWT_SECRET: ENC[AES256_GCM,data:a1LyPNaojDm8JtcCahkYx8TGGjbh2Appz1s5ruZzQs4VOMgtdV7MWl3RMpk=,iv:7y+ZhNYMS8t6Y3YqBJjnESBCK5BPM6Y+BbXMDSUQcc0=,tag:ksoR48cTA2eIg+JEvCXFWw==,type:str]
SESSION_SECRET: ENC[AES256_GCM,data:kr8+BsQhJQRmfhvzlOGBItqiRtHi2BcD9adhsL1N8FURe8sCPoOiNnwT0IM=,iv:97UPC5Woerm+ftrOMJ0HBM8jhF5ea+2H3QZU3a6i+fY=,tag:63N+r/BoBDaWYcEXUtIksw==,type:str]
STORAGE_PASSWORD: ENC[AES256_GCM,data:o+7Bszd/hPOaMMF/NOHVxMTY92hUZrFYu+4gkYkMkAubYiEfsX6kus4oToA=,iv:Q2sl8ZKblupyMO7GY/VCklQWTlHRtSsuVHRC60uwPfc=,tag:QxbpVJXq3HtEzHeFLoVOEw==,type:str]
STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:gGIayEmpkF+uLpsn69DgWcZPzeIV9xgAFBFgEMEKvSCoGx5id1bq/EFM81o=,iv:6SjBuo+/WosohTEWX8QwPqHd2f80ljx+m3WSjiChusU=,tag:pk2mNtGTOpFNcyVO8fFFuQ==,type:str]
SMTP_ADDRESS: ENC[AES256_GCM,data:490uwbjW79yKqFChSo6EzDDwIgk=,iv:HW+VVKjruP5vmJqlYSg9yR1K4R/mMeZipUX9EzTKaKk=,tag:to7dLSW/LF88SjJJaj7f0A==,type:str]
SMTP_USERNAME: ENC[AES256_GCM,data:1/5bB6lUnwdayw==,iv:T7b8i0QvPTOCtZ5/03trKUcpN+vABAfPdSECQLuhlZE=,tag:vvUuKUEK0Rw4JpOnQpMhcg==,type:str]
SMTP_PASSWORD: ENC[AES256_GCM,data:cO2y3TQx/HJpjgseJt9ju9BvjZ2ZLUMf,iv:cWQDU2gtcml4zHlvtINW6k/6CwZtjxkDNWBiMguSijw=,tag:kA3PptaPHszw1FLwA9BTvQ==,type:str]
OIDC_HMAC_SECRET: ENC[AES256_GCM,data:AYVbbPVGqmx+ZOC6Y1xcHYZcz/aoTsv15v7FUL8MCU3+/VuEp0vE6pcxTxc=,iv:Pm/b1mEEgvfTKQr6FXibWAmcZGg9i+sxoqCQ+nD0aVE=,tag:6HaG0g6Rvf2lC9mzWpsHwg==,type:str]
#ENC[AES256_GCM,data:fCLX44MuqhAVHADGxHkVu53bnUSVKRzbUiucasqvu0gLbLOt1UWSyOTGhVUrgdjQC4QtemcqbTsVjBb0cvL7TA7EeYDKLg==,iv:cdhu+Vx/TfyDSsETHAfj3ZJSNRijr6pwW5Ca6uOVGLQ=,tag:2c3m2PmJ8hzU5XDk1eLJrw==,type:comment]
OIDC_JWKS_PRIVATE_KEY: ENC[AES256_GCM,data:jHGumhi77Hr8ZfR8zzNoSfKZvoc5RM35m+IzUybXtQANrT/JXCzWOOYI5cc9nRHJnKLEP80XvSEKzoFspMe1Xl28y1rJacPdx+HbvwEOP3JU+UxBRVjY7ptO/mtDaae7XWEDaEdna1ItqkXiJMkYc+XR0fb/UrD7x/DVNSUGamqTgNIi+oV3QzlVoLd3knVel/ujGaRNd/Dys7G1Ig7mDibH+8z4LTEiNdxJenYHAIFelJeiVWgFNtyT2Uljs9hjCtwJGwl+TmAykzggriTjenlLzmWgYt9kycxkR0hWRDS8zAzLbcloUy9wkNnDrxK9kLtr7G//eDC98UmupvVhDmJaZzgNQOHTVPsF0w7RQ6JRiu6tTbMVQN8g0pH11Zo9A8kJUgCKZWEuh9JbtvG2skrG5OVJVm2Hv0R/FIauypaXM+AXF49D+E0PGP6Os8azk2DDaTBTl8m+7x28VsZMxbwwZtmbPaAVXAyDoCYKa4Ac+LdE1QMv7biiTBOsd4G1iV3nE1b3KO/Jkhb8VS4rxfVbPtU6EOwrBXnZ+0RzK2dJakAkwvLeaUiRnVA8j2o+TKD7n8TPRhuVIfB4ru6LymttzLYveXju7tvN0HHkJL9OoIRFE8i82wSK6s6d1CVrJH1hJtwvZGemuaPRxG/bIJYEtRtsxZO2SPo1F7MLg4XrubaEuNFqJsQAmV2ip3XKsmzIz5yezz0YdgiyYj5i6mXQb4tO5Bmj0OxsmAv/loNHjREwnC5jECT8txKCqkV6V5y5DtLnRR7aZY6X+k84pfGXSi29xupEaU4/NCUM7T5rv8Gl076BSKAQnkwLW3PmtL4g3r/kU0woda0L4RHbgsPT6/kMe7Foxx5UtV4+kaJgA99nXIL2TaYlc9RZlVYOOhTxgT/ZBKdU8lF29sej4nMVQdc1NP2ujq2xG/fffZTHIyPV7W17NbjgRr17STpji1f1PSremU37kpk/hPeaj9F7fnuqNGPuh09EfpnXH3EKzu1gQamfvPNmH0rsglrtxoImaeok41Lrpa7/4CbS03fCwKfNLg7CGdJbUxl9v0hviB3vGj3dJm4DWRW/fAeaJVdxYsIOsRKZT4g32mjOiEcgH2JHOGTD/d64Z0TpvO57bYjBjSMO4oK59/XY8uD1PwqEsiigrAQW9Tww9711NBXlAqDPpgLou6SUrySq/ZnsUeZofpJPAt8VCmZAcGUxVrMTpvCTMkcp7dfrg2yuVqNcQGVtTeHNpX0GBLrlLTocsf7YU5RAoOzHBeT4PVRsKmupuT0zD1S6eBSTgRH7mR2gS5hR5XxbniIfHEXUC2mE6cydsdh7arD3M4mf9UzAoBs6w0pZyO7ztOGX4FaZf5rWE+lizGf2bfvZqXGTRX94h11gSt+VLQqRjb4b8h+ZVhKFwEiVxpFn6GmvuN4lIfK/7xfvwAisCUDAjbNaV5mFfeS7o8l9pclZ+mni86AFgNnMiAJaPKsoClBACabYCRdSxrtAWIsiM9pfQCeHHy6d18dJqLCOBB62IQ4iZJ7YtJF3dV2q6ZKmo9XQwA4YUpj93Qe9b6d7FPtOiBgySlUay5EwDXDteNMcH1hfbTOxMvau5JcePDsDkmH/fzLdBhszCECrsdQBDR+nSCsd8DLyKifyVdHhMd0YJU3oiCpMGIIYlDeLRmBwsXdY88xPhTlItko2bH38581uvPcrp03jXLD0IPPhAYxpjfSJQ33pGX7U0NMQgXH1W1+dqGFpDhX6o7e7lQ/uxXvi/DBz6zoORfSOs+TD0xi4ptkjbHu6xsH9Slrx0JsxyT5yWGBqlYd9QxwsOxbe6X5jZSgxPyRvUdLTGhs6BeZ8UO8/IAZaHQq3WRycnBsA1M0ZJ+HP86Xy9zKg5wCrKzIcoHLfylSBPiChOHvjhJP0C0gt4uSz2f/7hfeJ3JNfNp+yCWZ3VtgzatBkiegjC0V72/HwN9AeaGnoJJ6mC4D5wSoJ7y1bugtFSo9t3wIlA9UjtEPqi/O5C/liG3vCAXluE64J778PSQq1Bm7yztPvo0p460IwXmJ6p635gMVcAlCraBnKTBTwzz+hKIdj+Ok5NBvu0WG/zDXiIWHushIY4XneJC6qryqkBr3HMfYj/OkAkRX/hCbSnsZN8Fc69hyUzryu07up0/q9/R1uYKp6jbAHKONoPfEfip43v0FfP6ncQv9cDcvUE0W/z1TNkNNFDx8nEOtrAu+8fty1fQrj2w==,iv:YGEXMLWOoQ19cbftQU9/4kFNcWIqjnw2GgZIddBwbrc=,tag:og1Avj5ZcYblJWrE2q2Bcg==,type:str]
#ENC[AES256_GCM,data:gIGYsk5h40IBhtmRM4G/yA==,iv:6tdKmKcvTQH7STvVjPIpwmGS2TEzZjX25CBwRIF8fjY=,tag:9pO4w0Zw+5iNkxwWf5VJDw==,type:comment]
caddy: caddy:
ovh_endpoint: ENC[AES256_GCM,data:dTdfKCWE,iv:NnmdUyM9F8ujEIfEEl9WXGLY3zRpIy9BDeqs1frK+R0=,tag:1AblJqi2hKISXBqNdWybqQ==,type:str] ovh_endpoint: ENC[AES256_GCM,data:dTdfKCWE,iv:NnmdUyM9F8ujEIfEEl9WXGLY3zRpIy9BDeqs1frK+R0=,tag:1AblJqi2hKISXBqNdWybqQ==,type:str]
ovh_application_key: ENC[AES256_GCM,data:48HzVrSa35qUSkLO7sbUwg==,iv:QfTRXsfTlgeoJdRJIph39EBbLynRNxH4DkFuuC06IuE=,tag:m8lJPHEEpK24MKUou0MTpw==,type:str] ovh_application_key: ENC[AES256_GCM,data:48HzVrSa35qUSkLO7sbUwg==,iv:QfTRXsfTlgeoJdRJIph39EBbLynRNxH4DkFuuC06IuE=,tag:m8lJPHEEpK24MKUou0MTpw==,type:str]
@ -5,6 +17,20 @@ caddy:
ovh_consumer_key: ENC[AES256_GCM,data:oFLHB7obwz3F59Vt8LRxpKaHBjEaoYCrKLKPoqVHz4M=,iv:rXxR2Nv3YaT2QubZUqIi60RxaHe9ZaIT9hLiogbPVFw=,tag:5m+xXEUbN+a2fHCf+EXf9A==,type:str] ovh_consumer_key: ENC[AES256_GCM,data:oFLHB7obwz3F59Vt8LRxpKaHBjEaoYCrKLKPoqVHz4M=,iv:rXxR2Nv3YaT2QubZUqIi60RxaHe9ZaIT9hLiogbPVFw=,tag:5m+xXEUbN+a2fHCf+EXf9A==,type:str]
garage: garage:
RPC_SECRET: ENC[AES256_GCM,data:OJbIST1mtpqMNk+MKnGFy6+tXjc6aEOMIWnfs8QY9ozpxN2apAN7ZrjAAZc3J7ORUIhUQh8Vjkb1EhxdqGxERA==,iv:NhREhGE0wz3/0sdXUxuDqWaPdjeeQFau2OEVsqpV3F0=,tag:yGYd5txtVQzIOchh2L/XXQ==,type:str] RPC_SECRET: ENC[AES256_GCM,data:OJbIST1mtpqMNk+MKnGFy6+tXjc6aEOMIWnfs8QY9ozpxN2apAN7ZrjAAZc3J7ORUIhUQh8Vjkb1EhxdqGxERA==,iv:NhREhGE0wz3/0sdXUxuDqWaPdjeeQFau2OEVsqpV3F0=,tag:yGYd5txtVQzIOchh2L/XXQ==,type:str]
penpot:
SECRET_KEY: ENC[AES256_GCM,data:Ebeehmby3FBDOaTxwTWg9vKTsB+w8wpa6FdxcvvRTwDR07A0Ljk4WCaPmbPBArbwB14cMSuGeDGBrvNo1x8N+u3FeMMei+TGvgJGssZynxEN7+g5gTg=,iv:ZAa3n7CCyeeeAIv48JpIZmjFiyHiXLFK+Q0Wqf7utFY=,tag:6JZZ53jEM579vYhQG4X2Fw==,type:str]
OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:+GrXq113byY5XqFDE1tF4n5xcrhIjg2KI39xgxY6hEcS3r6KcF6SAFmczoscMFPJccaTv7Pcr7zfzDxGT7zDuNyj324nzvff,iv:onZV3ESU4Kbvp9x9rfXuq17FlhaoE/4ZXIwH4/bOXPc=,tag:I02FFF54NDMyJuicdwy4TA==,type:str]
SMTP_HOST: ENC[AES256_GCM,data:uFrTj1OIjs+48AmcBhsCFdXEakg=,iv:lFcAjJAC3uIc8u5KNhyiH55oBriV3cnsZ9wRXDfNM0I=,tag:1SbyUxXiKmltinkxQS8SPg==,type:str]
SMTP_PORT: ENC[AES256_GCM,data:Lnh0,iv:gCLwzWrk6hMUZjL1RGi51dS2TULtCfYnlpAOJBVBen0=,tag:fv7lwt36JpKhRjXF41Wc8g==,type:str]
SMTP_USERNAME: ENC[AES256_GCM,data:g1NvuwN+tko/mg==,iv:kXUGrBHLmk8GmZPaaiafOqkKMFhcwIh9pAEFPp716QI=,tag:WkVt+jCjfadIcTrjE8QF5A==,type:str]
SMTP_PASSWORD: ENC[AES256_GCM,data:tl7hp0a4l8JLOSQQvJNRwF4DR+83FaKI,iv:vR0KiXjnkyO1pa+fxQ6ALoYN6IMFAk07qmMe5qgRB1E=,tag:/RmJIzgjDEBH9XNMol3IUg==,type:str]
POSTGRES_USER: ENC[AES256_GCM,data:Uk7czFf4,iv:2PGek4z7UJzvs6X4Jq8wx+HkUFYGtq0kVJd5ba3M24E=,tag:QysuNOULNHBPdheBH6CRDA==,type:str]
POSTGRES_PASSWORD: ENC[AES256_GCM,data:S/VKs3mMwgnlpiDLOrvMX0VLNdCseg==,iv:opj0KJq93DWljtnAmktpzAf1l9b9OCvEPAbTC06IEbQ=,tag:DkmgRJ1AodO/sEty3C6mxg==,type:str]
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:1hXif1dLMVHTj7nvqExW6wzFP+1BTwRcqro=,iv:fXqD2fiVQa0DH7z4s70e7ggORppgqoccP+sD6eMQsvw=,tag:g18kahkiT2G9P0SBTB4HfQ==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:n+0cr0tDAUAdOu65YOj+reTzF+EoRFVAZVg5172ZKYnjWBuBYjNgy6QyqqcPvZMkBBtybdUimjDgWD6mVmNDew==,iv:UwgB7PLaCoXN/qAA63u9Q8ERkhRaNRlOpSFqrUBUExg=,tag:ggs1ED4Ryb+4+O+7VG0rTQ==,type:str]
STORAGE_ASSETS_S3_REGION: ENC[AES256_GCM,data:oV4ucbPe,iv:zNsUsftybGcQdryAB+mN9Xb/rVWOLFlVixqRLLz8WIY=,tag:FiiSjLyuK89HK1GEE3BSUA==,type:str]
STORAGE_ASSETS_S3_ENDPOINT: ENC[AES256_GCM,data:mZjvBvNZC28jUYrK8e6HHixC4GU=,iv:mppmZn7nV/gckB3+GonwQQT5U14qg1FyEnQ92pGDSZI=,tag:rAePtPdd6o+EDC0MrAToKw==,type:str]
STORAGE_ASSETS_S3_BUCKET: ENC[AES256_GCM,data:nfcjtCQVWhdT1UUYPw==,iv:mF2Esw1GvWAjkabvDde63bAq4V5pXNhbhqsK1dkg5sg=,tag:uE6qKxKSJzYtHWxPMiK3Lw==,type:str]
shadowsocks: shadowsocks:
password: ENC[AES256_GCM,data:IdAvKXKckwvZUetkYSFTIPxd8nrwm13Ngc3KVDSmiW3AE4Rhmjk2VHjdUyQ=,iv:LVeQcL7XIEQyMTsXpXIROGte2+Z9+7FpemfiwhA0Pw0=,tag:qt+8jgN5UqwMeCV+D3stEQ==,type:str] password: ENC[AES256_GCM,data:IdAvKXKckwvZUetkYSFTIPxd8nrwm13Ngc3KVDSmiW3AE4Rhmjk2VHjdUyQ=,iv:LVeQcL7XIEQyMTsXpXIROGte2+Z9+7FpemfiwhA0Pw0=,tag:qt+8jgN5UqwMeCV+D3stEQ==,type:str]
wireguard: wireguard:
@ -34,8 +60,8 @@ sops:
MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ== y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-10-02T07:32:18Z" lastmodified: "2024-10-21T07:59:44Z"
mac: ENC[AES256_GCM,data:0fwZxJO2LKpwV4+IYbBSyrqcQt4RrqlF/2OM8vP+3B/AI3Ny6LSP851IXdwzIMtMLiGBnvl787sXmZWPcUaizq3XmQR7t9lX/q4WkgVIDZ5JQtmHc4TSYDIxECBAQ5P4V6CNsUw3gjC5X4OSLtSfil/pAXbcMFKdlVLgP4S6wMU=,iv:UlJPlLFx2y/YJQWEDCY4NyqkZuQjNH8yCeELzoa3IoU=,tag:JI1tTnMSnQiWXVZmqb+ykA==,type:str] mac: ENC[AES256_GCM,data:CVwxPgx5y64xr5kHnXCmhUgghwvpa+/ulJjjHVr68EVVQp7phrIOES2oF18WF4+HFFJ64YHI9KbuOz2pTjC+7H1TDBzedtQ1azqHT/ADcnKtAdFALS6M3/CpoS8X+TFeU3P3uLEsUfR8UrPNhxm8dlH6m9A0jQMVW0Fqpsd7s0w=,iv:oVfpo0R0WY8pt8LkQv9LfqqsKcuCZNder+P6QiMyRMw=,tag:lbDls/D0f+QHRrkyaPVbww==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.0 version: 3.9.0

91
services/authelia/configuration.yml Normal file
View file

@ -0,0 +1,91 @@
theme: 'auto'
access_control:
default_policy: deny
rules:
- domain: '*.gasdev.fr'
policy: one_factor
server:
address: 'tcp://:9091/'
endpoints:
authz:
forward-auth:
implementation: 'ForwardAuth'
session:
cookies:
- domain: 'gasdev.fr'
authelia_url: 'https://auth.gasdev.fr'
default_redirection_url: 'https://auth.gasdev.fr/authenticated'
identity_providers:
oidc:
jwks:
- key: {{ secret "/secrets/OIDC_JWKS_PRIVATE_KEY" | mindent 10 "|" | msquote }}
clients:
- client_id: 'penpot'
client_name: 'Penpot'
client_secret: $pbkdf2-sha512$310000$WuYHbHrVI3wMn/tZXwDTMA$WnS0VoR4jLNQnXjJUN46EfnC4QMdpdnNcYsGvSCpkbzguO4of.tCgAeLsfzLgWn9CSGMt20TZOQfc/7IbfwBHg
redirect_uris: 'https://penpot.gasdev.fr/api/auth/oauth/oidc/callback'
token_endpoint_auth_method: 'client_secret_post'
authorization_policy: 'one_factor'
scopes:
- 'email'
- 'openid'
- 'profile'
authentication_backend:
password_reset:
disable: false
file:
path: '/data/users_database.yml'
password:
algorithm: 'argon2'
password_policy:
standard:
enabled: true
min_length: 10
max_length: 128
require_uppercase: true
require_lowercase: true
require_number: true
require_special: true
storage:
local:
path: /data/db.sqlite3
notifier:
smtp:
address: 'smtp.mail.ovh.net'
username: 'postmaster@gasdev.fr'
sender: 'Authelia <authelia@gasdev.fr>'
log:
level: 'info'
format: 'json'
totp:
issuer: 'gasdev.fr'
## https://www.authelia.com/c/totp#algorithm
algorithm: 'SHA1'
## https://www.authelia.com/c/totp#digits
digits: 6
period: 30
## See: https://www.authelia.com/c/totp#input-validation to read
skew: 1
webauthn:
disable: true
duo_api:
disable: true
ntp:
address: 'udp://time.cloudflare.com:123'

38
services/authelia/default.nix Normal file
View file

@ -0,0 +1,38 @@
{...}: {
sops.secrets."authelia/JWT_SECRET".owner = "root";
sops.secrets."authelia/SMTP_PASSWORD".owner = "root";
sops.secrets."authelia/SESSION_SECRET".owner = "root";
sops.secrets."authelia/STORAGE_PASSWORD".owner = "root";
sops.secrets."authelia/STORAGE_ENCRYPTION_KEY".owner = "root";
sops.secrets."authelia/OIDC_HMAC_SECRET".owner = "root";
sops.secrets."authelia/OIDC_JWKS_PRIVATE_KEY".owner = "root";
services.caddy.virtualHosts."auth.gasdev.fr".extraConfig = ''
reverse_proxy http://127.0.0.1:9091
'';
virtualisation.oci-containers.containers = {
authelia = {
image = "docker.io/authelia/authelia:latest";
autoStart = true;
ports = ["127.0.0.1:9091:9091"];
environment = {
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "/secrets/JWT_SECRET";
AUTHELIA_SESSION_SECRET_FILE = "/secrets/SESSION_SECRET";
# AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/secrets/STORAGE_PASSWORD";
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "/secrets/STORAGE_ENCRYPTION_KEY";
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "/secrets/SMTP_PASSWORD";
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = "/secrets/OIDC_HMAC_SECRET";
X_AUTHELIA_CONFIG_FILTERS = "template";
};
volumes = [
"authelia-data:/data"
"/run/secrets/authelia:/secrets"
"/etc/authelia/configuration.yml:/config/configuration.yml"
];
};
};
environment.etc."authelia/configuration.yml".text = builtins.readFile ./configuration.yml;
}

3
services/default.nix
View file

@ -1,5 +1,8 @@
{ {
imports = [ imports = [
./authelia
./garage
./penpot
./shadowsocks ./shadowsocks
./uptime-kuma ./uptime-kuma
./wireguard ./wireguard

12
services/garage/default.nix
View file

@ -2,10 +2,18 @@
{...}: { {...}: {
sops.secrets."garage/RPC_SECRET".owner = "root"; sops.secrets."garage/RPC_SECRET".owner = "root";
services.caddy.virtualHosts."s3.gasdev.fr".extraConfig = ''
reverse_proxy http://127.0.0.1:3900
'';
services.caddy.virtualHosts."*.s3.gasdev.fr".extraConfig = '' services.caddy.virtualHosts."*.s3.gasdev.fr".extraConfig = ''
reverse_proxy http://127.0.0.1:3900 reverse_proxy http://127.0.0.1:3900
''; '';
services.caddy.virtualHosts."s3web.gasdev.fr".extraConfig = ''
reverse_proxy http://127.0.0.1:3900
'';
services.caddy.virtualHosts."*.s3web.gasdev.fr".extraConfig = '' services.caddy.virtualHosts."*.s3web.gasdev.fr".extraConfig = ''
reverse_proxy http://127.0.0.1:3902 reverse_proxy http://127.0.0.1:3902
''; '';
@ -33,4 +41,8 @@
"d /var/lib/garage/meta 0700 root root -" "d /var/lib/garage/meta 0700 root root -"
"d /var/lib/garage/data 0700 root root -" "d /var/lib/garage/data 0700 root root -"
]; ];
programs.bash.shellAliases = {
garage = "podman exec -it garage /garage";
};
} }

4
services/garage/garage.toml
View file

@ -8,8 +8,8 @@ replication_factor = 1
compression_level = 2 compression_level = 2
rpc_bind_addr = "[::]:3901" rpc_bind_addr = "[::]:3901"
rpc_public_addr = "gasdev.fr:3901" rpc_public_addr = "0.0.0.0:3901"
rpc_secret_file = "/run/secrets/garage/rpc_secret" rpc_secret_file = "/run/secrets/garage/RPC_SECRET"
[s3_api] [s3_api]
s3_region = "garage" s3_region = "garage"

27
services/i2p/default.nix Normal file
View file

@ -0,0 +1,27 @@
{...}: {
services.caddy.virtualHosts."console.i2p.gasdev.fr".extraConfig = ''
reverse_proxy http://127.0.0.1:7657
'';
services.caddy.virtualHosts."proxy.i2p.gasdev.fr".extraConfig = ''
reverse_proxy http://127.0.0.1:7657
'';
virtualisation.oci-containers.containers = {
uptime-kuma = {
image = "docker.io/geti2p/i2p";
autoStart = true;
environment = {
JVM_XMX = "256m";
};
ports = [
"4444:4444"
"6668:6668"
"7657:7657"
"54321:12345"
"54321:12345/udp"
];
volumes = ["i2phome:/i2p/.i2p" "i2ptorrents:/i2psnark"];
};
};
}

119
services/penpot/default.nix Normal file
View file

@ -0,0 +1,119 @@
{config, ...}: {
services.caddy.virtualHosts."penpot.gasdev.fr".extraConfig = ''
reverse_proxy http://127.0.0.1:9001
'';
sops.secrets."penpot/SECRET_KEY".owner = "root";
sops.secrets."penpot/OIDC_CLIENT_SECRET".owner = "root";
sops.secrets."penpot/SMTP_HOST".owner = "root";
sops.secrets."penpot/SMTP_PORT".owner = "root";
sops.secrets."penpot/SMTP_USERNAME".owner = "root";
sops.secrets."penpot/SMTP_PASSWORD".owner = "root";
sops.secrets."penpot/POSTGRES_USER".owner = "root";
sops.secrets."penpot/POSTGRES_PASSWORD".owner = "root";
sops.secrets."penpot/AWS_ACCESS_KEY_ID".owner = "root";
sops.secrets."penpot/AWS_SECRET_ACCESS_KEY".owner = "root";
sops.secrets."penpot/STORAGE_ASSETS_S3_REGION".owner = "root";
sops.secrets."penpot/STORAGE_ASSETS_S3_ENDPOINT".owner = "root";
sops.secrets."penpot/STORAGE_ASSETS_S3_BUCKET".owner = "root";
sops.templates."penpot.env" = {
content = ''
PENPOT_SECRET_KEY=${config.sops.placeholder."penpot/SECRET_KEY"}
PENPOT_OIDC_CLIENT_SECRET=${config.sops.placeholder."penpot/OIDC_CLIENT_SECRET"}
# SMTP
PENPOT_SMTP_HOST=${config.sops.placeholder."penpot/SMTP_HOST"}
PENPOT_SMTP_PORT=${config.sops.placeholder."penpot/SMTP_PORT"}
PENPOT_SMTP_USERNAME=${config.sops.placeholder."penpot/SMTP_USERNAME"}
PENPOT_SMTP_PASSWORD=${config.sops.placeholder."penpot/SMTP_PASSWORD"}
# Database
PENPOT_DATABASE_USERNAME=${config.sops.placeholder."penpot/POSTGRES_USER"}
PENPOT_DATABASE_PASSWORD=${config.sops.placeholder."penpot/POSTGRES_PASSWORD"}
POSTGRES_USER=${config.sops.placeholder."penpot/POSTGRES_USER"}
POSTGRES_PASSWORD=${config.sops.placeholder."penpot/POSTGRES_PASSWORD"}
# Storage
AWS_ACCESS_KEY_ID=${config.sops.placeholder."penpot/AWS_ACCESS_KEY_ID"}
AWS_SECRET_ACCESS_KEY=${config.sops.placeholder."penpot/AWS_SECRET_ACCESS_KEY"}
PENPOT_STORAGE_ASSETS_S3_REGION=${config.sops.placeholder."penpot/STORAGE_ASSETS_S3_REGION"}
PENPOT_STORAGE_ASSETS_S3_BUCKET=${config.sops.placeholder."penpot/STORAGE_ASSETS_S3_BUCKET"}
PENPOT_STORAGE_ASSETS_S3_ENDPOINT=${config.sops.placeholder."penpot/STORAGE_ASSETS_S3_ENDPOINT"}
'';
owner = "root";
};
virtualisation.oci-containers.containers = {
penpot-frontend = {
image = "docker.io/penpotapp/frontend:latest";
autoStart = true;
ports = ["127.0.0.1:9001:80"];
volumes = [
"penpot_assets:/opt/data/assets"
];
environment = {
PENPOT_FLAGS = "disable-registration enable-login-with-oidc";
};
dependsOn = [
"penpot-backend"
"penpot-exporter"
];
};
penpot-backend = {
image = "docker.io/penpotapp/backend:latest";
autoStart = true;
volumes = [
"penpot_assets:/opt/data/assets"
];
environment = {
PENPOT_FLAGS = "disable-login-with-password enable-login-with-oidc enable-oidc-registration enable-smtp disable-onboarding-newsletter disable-onboarding-questions";
# Auth
PENPOT_OIDC_CLIENT_ID = "penpot";
PENPOT_OIDC_BASE_URI = "https://auth.gasdev.fr";
PENPOT_PUBLIC_URI = "https://penpot.gasdev.fr";
# DB
PENPOT_DATABASE_URI = "postgresql://penpot-postgres/penpot";
PENPOT_REDIS_URI = "redis://penpot-redis/0";
# Storage
PENPOT_ASSETS_STORAGE_BACKEND = "assets-fs";
# SMTP
PENPOT_SMTP_DEFAULT_FROM = "no-reply@gasdev.fr";
PENPOT_SMTP_DEFAULT_REPLY_TO = "no-reply@gasdev.fr";
PENPOT_SMTP_SSL = "true";
PENPOT_SMTP_TLS = "true";
# Other
PENPOT_TELEMETRY_ENABLED = "false";
};
environmentFiles = [
config.sops.templates."penpot.env".path
];
dependsOn = [
"penpot-postgres"
"penpot-redis"
];
};
penpot-exporter = {
image = "docker.io/penpotapp/exporter:latest";
autoStart = true;
environment = {
PENPOT_PUBLIC_URI = "http://penpot-frontend";
PENPOT_REDIS_URI = "redis://penpot-redis/0";
};
};
penpot-postgres = {
image = "docker.io/postgres:15";
autoStart = true;
volumes = [
"penpot_postgres:/var/lib/postgresql/data"
];
environment = {
POSTGRES_INITDB_ARGS = "--data-checksums";
POSTGRES_DB = "penpot";
};
environmentFiles = [
config.sops.templates."penpot.env".path
];
};
penpot-redis = {
image = "docker.io/redis:7";
autoStart = true;
};
};
}

5
services/wireguard/default.nix
View file

@ -46,6 +46,11 @@
publicKey = "42Vj5VG4bJpOUE7j5UW28IFSmPlV+X3tIA9ne55W0Fo="; publicKey = "42Vj5VG4bJpOUE7j5UW28IFSmPlV+X3tIA9ne55W0Fo=";
allowedIPs = ["10.8.0.42/32"]; allowedIPs = ["10.8.0.42/32"];
} }
{
# Family desktop
publicKey = "cpBhnLD4u5brDZsc2uqXVlelApCIXFdRnfJXJU1WDmM=";
allowedIPs = ["10.8.0.11/32"];
}
]; ];
}; };
}; };