sin_serhao/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: sin_serhao:authelia
Branches Tags
sin_serhao:master sin_serhao:authelia sin_serhao:disk sin_serhao:test-deploy
...
compare: sin_serhao:b5aa64e74abbdcb06ba3560d1e6d965f6b868927
Branches Tags
sin_serhao:master sin_serhao:authelia sin_serhao:disk sin_serhao:test-deploy

1 Commits
authelia ... b5aa64e74a

Author SHA1 Message Date
Sin Ser'hao
b5aa64e74a trilium & authelia setup
Some checks failed
/ perform flake analysis (push) Has been cancelled
Details
/ build hive configuration (push) Failing after 22m46s
Details
2026-01-29 09:45:10 +01:00
8 changed files with 120 additions and 78 deletions
Expand all files Collapse all files

32
flake.lock generated
View File

@@ -49,11 +49,11 @@
"nixpkgs": "nixpkgs_3" "nixpkgs": "nixpkgs_3"
}, },
"locked": { "locked": {
"lastModified": 1768336726, "lastModified": 1769470446,
"narHash": "sha256-Os4qn0S0bv7MauXGz16ozyOYZuMrA2FJuXNjDnr5yps=", "narHash": "sha256-nze0VZ70K2kbDxjE+BBZLD7juOmnZqNYdOhl9aUNGWg=",
"owner": "9001", "owner": "9001",
"repo": "copyparty", "repo": "copyparty",
"rev": "c46cd7f57a8ae3b121866485c91ec078c4dd970e", "rev": "2f57228fd4e62f8cd8e12cb80a3531dc2d4d170a",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -91,11 +91,11 @@
] ]
}, },
"locked": { "locked": {
"lastModified": 1766150702, "lastModified": 1769524058,
"narHash": "sha256-P0kM+5o+DKnB6raXgFEk3azw8Wqg5FL6wyl9jD+G5a4=", "narHash": "sha256-zygdD6X1PcVNR2PsyK4ptzrVEiAdbMqLos7utrMDEWE=",
"owner": "nix-community", "owner": "nix-community",
"repo": "disko", "repo": "disko",
"rev": "916506443ecd0d0b4a0f4cf9d40a3c22ce39b378", "rev": "71a3fc97d80881e91710fe721f1158d3b96ae14d",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -233,11 +233,11 @@
"nixpkgs": "nixpkgs_4" "nixpkgs": "nixpkgs_4"
}, },
"locked": { "locked": {
"lastModified": 1767838769, "lastModified": 1769567010,
"narHash": "sha256-KCLU6SUU80tEBKIVZsBrSjRYX6kn1eVIYI3fEEqOp24=", "narHash": "sha256-R4ESxjCluQQlSIPw4NaRYVvEtvsnKGRwmACcXU1at6g=",
"owner": "Infinidoge", "owner": "Infinidoge",
"repo": "nix-minecraft", "repo": "nix-minecraft",
"rev": "4da21f019f6443f513f16af7f220ba4db1cdfc04", "rev": "1c9c95fea177a4f8430c34dc1f974394e72bca1f",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -311,16 +311,16 @@
}, },
"nixpkgs_5": { "nixpkgs_5": {
"locked": { "locked": {
"lastModified": 1767313136, "lastModified": 1769318308,
"narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=", "narHash": "sha256-Mjx6p96Pkefks3+aA+72lu1xVehb6mv2yTUUqmSet6Q=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d", "rev": "1cd347bf3355fce6c64ab37d3967b4a2cb4b878c",
"type": "github" "type": "github"
}, },
"original": { "original": {
"owner": "NixOS", "owner": "NixOS",
"ref": "nixos-25.05", "ref": "nixos-25.11",
"repo": "nixpkgs", "repo": "nixpkgs",
"type": "github" "type": "github"
} }
@@ -452,11 +452,11 @@
}, },
"unstable": { "unstable": {
"locked": { "locked": {
"lastModified": 1768127708, "lastModified": 1769461804,
"narHash": "sha256-1Sm77VfZh3mU0F5OqKABNLWxOuDeHIlcFjsXeeiPazs=", "narHash": "sha256-msG8SU5WsBUfVVa/9RPLaymvi5bI8edTavbIq3vRlhI=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ffbc9f8cbaacfb331b6017d5a5abb21a492c9a38", "rev": "bfc1b8a4574108ceef22f02bafcf6611380c100d",
"type": "github" "type": "github"
}, },
"original": { "original": {

2
flake.nix
View File

@@ -3,7 +3,7 @@
# Flake inputs # Flake inputs
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05"; nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.11";
unstable.url = "github:NixOS/nixpkgs/nixos-unstable"; unstable.url = "github:NixOS/nixpkgs/nixos-unstable";
colmena.url = "github:zhaofengli/colmena"; colmena.url = "github:zhaofengli/colmena";

4
hosts/sin/configuration.nix
View File

@@ -17,7 +17,7 @@
./secrets.nix ./secrets.nix
./coredns ./coredns
./copyparty.nix ./copyparty.nix
# ./trilium.nix ./trilium.nix
]; ];
boot.initrd.kernelModules = [ "usb_storage" ]; boot.initrd.kernelModules = [ "usb_storage" ];
@@ -44,6 +44,8 @@
3000 # gitea 3000 # gitea
config.services.trilium-server.port
53 53
]; ];

19
hosts/sin/jellyfin.nix
View File

@@ -11,10 +11,9 @@ in
extraPackages = with pkgs; [ extraPackages = with pkgs; [
intel-media-driver intel-media-driver
intel-vaapi-driver intel-vaapi-driver
vaapiVdpau libva-vdpau-driver
intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in) intel-compute-runtime # OpenCL filter support (hardware tonemapping and subtitle burn-in)
vpl-gpu-rt # QSV on 11th gen or newer vpl-gpu-rt # QSV on 11th gen or newer
intel-media-sdk # QSV up to 11th gen
]; ];
}; };
@@ -91,10 +90,18 @@ in
enable = true; enable = true;
openFirewall = true; openFirewall = true;
group = "starr"; group = "starr";
settings = {
authentication.AuthenticationMethod = "external";
authentication.AuthenticationType = "enabled";
};
}; };
prowlarr = { prowlarr = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
settings = {
authentication.AuthenticationMethod = "external";
authentication.AuthenticationType = "enabled";
};
}; };
bazarr = { bazarr = {
enable = true; enable = true;
@@ -103,10 +110,18 @@ in
lidarr = { lidarr = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
settings = {
authentication.AuthenticationMethod = "external";
authentication.AuthenticationType = "enabled";
};
}; };
whisparr = { whisparr = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
settings = {
authentication.AuthenticationMethod = "external";
authentication.AuthenticationType = "enabled";
};
}; };
jellyseerr = { jellyseerr = {

10
hosts/sin/trilium.nix
View File

@@ -1 +1,9 @@
{ ... }: { } { ... }:
{
services.trilium-server = {
enable = true;
port = 12783;
host = "0.0.0.0";
noAuthentication = true;
};
}

8
hosts/thea/authelia.nix
View File

@@ -49,10 +49,10 @@ in
access_control = { access_control = {
default_policy = "deny"; default_policy = "deny";
rules = [ rules = [
{ # {
domain = "radarr.shobu.fr"; # domain = "radarr.shobu.fr";
policy = "bypass"; # policy = "bypass";
} # }
{ {
domain = "*.shobu.fr"; domain = "*.shobu.fr";
policy = "one_factor"; policy = "one_factor";

2
hosts/thea/lib/autheliaSnippets.nix
View File

@@ -2,7 +2,7 @@
{ {
proxy = pkgs.writeText "proxy.conf" '' proxy = pkgs.writeText "proxy.conf" ''
## Headers ## Headers
proxy_set_header Host $host; # proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Host $http_host;

121
hosts/thea/nginx.nix
View File

@@ -1,4 +1,9 @@
{ inputs, pkgs, ... }: {
inputs,
pkgs,
lib,
...
}:
let let
# striped-front = inputs.striped-front; # striped-front = inputs.striped-front;
@@ -18,81 +23,93 @@ in
recommendedProxySettings = true; recommendedProxySettings = true;
recommendedTlsSettings = true; recommendedTlsSettings = true;
typesHashMaxSize = 512;
mapHashMaxSize = 512;
virtualHosts = virtualHosts =
let let
mkStarr = host: port: { mkVHost = host: port: {
"${host}" = { "${host}" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;
locations."/" = { locations."/" = {
proxyPass = "http://${sin-address}:${port}"; proxyPass = "http://${sin-address}:${port}";
};
};
};
mkStarr = host: port: {
"${host}" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
include ${authelia-snippets.authelia-location};
'';
locations."/api" = {
proxyPass = "http://${sin-address}:${port}";
proxyWebsockets = true; proxyWebsockets = true;
extraConfig = '' extraConfig = ''
proxy_ssl_server_name on; proxy_ssl_server_name on;
'';
};
locations."/" = {
proxyPass = "http://${sin-address}:${port}";
proxyWebsockets = true;
extraConfig = ''
include ${authelia-snippets.proxy};
include ${authelia-snippets.authelia-authrequest};
proxy_ssl_server_name on;
proxy_read_timeout 4800s; proxy_read_timeout 4800s;
''; '';
}; };
}; };
}; };
withAuthelia =
vhost: location:
(builtins.mapAttrs (
name: value:
(lib.recursiveUpdate value {
extraConfig = (if value ? extraConfig then value.extraConfig else "") + ''
include ${authelia-snippets.authelia-location};
'';
locations."${location}".extraConfig =
(
if value.locations."${location}" ? extraConfig then
value.locations."${location}".extraConfig
else
""
)
+ ''
include ${authelia-snippets.proxy};
include ${authelia-snippets.authelia-authrequest};
'';
})
) vhost);
withWebsockets =
vhost: location:
(builtins.mapAttrs (
name: value:
(lib.recursiveUpdate value {
locations."${location}".proxyWebsockets = true;
})
) vhost);
in in
( (
mkStarr "jellyfin.shobu.fr" "8096" (withWebsockets (mkVHost "jellyfin.shobu.fr" "8096") "/")
# // mkStarr "radarr.shobu.fr" "7878" // mkStarr "radarr.shobu.fr" "7878"
// mkStarr "sonarr.shobu.fr" "8989" // mkStarr "sonarr.shobu.fr" "8989"
// mkStarr "prowlarr.shobu.fr" "9696" // mkStarr "prowlarr.shobu.fr" "9696"
// mkStarr "bazarr.shobu.fr" "6767" // mkStarr "bazarr.shobu.fr" "6767"
// mkStarr "lidarr.shobu.fr" "8686" // mkStarr "lidarr.shobu.fr" "8686"
// mkStarr "whisparr.shobu.fr" "6969" // mkStarr "whisparr.shobu.fr" "6969"
// mkStarr "jellyseerr.shobu.fr" "5055" // mkVHost "jellyseerr.shobu.fr" "5055"
// mkStarr "transmission.shobu.fr" "9091" // mkVHost "transmission.shobu.fr" "9091"
// mkStarr "zimablade-admin.shobu.fr" "61208" // mkVHost "zimablade-admin.shobu.fr" "61208"
// (withWebsockets (withAuthelia (mkVHost "trilium.shobu.fr" "12783") "/") "/")
// { // {
"radarr.shobu.fr" = {
enableACME = true;
forceSSL = true;
extraConfig = ''
include ${authelia-snippets.authelia-location};
error_log /var/log/nginx/debug_radarr.log debug;
'';
locations."/" = {
proxyPass = "http://${sin-address}:7878";
proxyWebsockets = true;
extraConfig = ''
include ${authelia-snippets.proxy};
include ${authelia-snippets.authelia-authrequest};
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
# From https://gist.github.com/R0GGER/916183fca41f02df1471a6f455e5869f
# HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
add_header Strict-Transport-Security "max-age=63072000; preload" always;
add_header Referrer-Policy strict-origin-when-cross-origin;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Frame-Options SAMEORIGIN;
add_header Content-Security-Policy upgrade-insecure-requests;
add_header Permissions-Policy interest-cohort=();
add_header Expect-CT 'enforce; max-age=604800';
more_set_headers 'Server: Proxy';
more_clear_headers 'X-Powered-By';
proxy_ssl_server_name on;
'';
};
locations."/api" = {
proxyPass = "http://${sin-address}:7878";
proxyWebsockets = true;
extraConfig = ''
proxy_ssl_server_name on;
'';
};
};
"shobu.fr" = { "shobu.fr" = {
enableACME = true; enableACME = true;
forceSSL = true; forceSSL = true;