mirror of
https://github.com/Swarsel/.dotfiles.git
synced 2025-12-06 09:07:21 +01:00
feat: add firefly-iii to winters
This commit is contained in:
Leon Schwarzäugl
parent
2386303317
commit
3efa748383
GPG key ID:
26A54C31F2A4FD84
12 changed files with 817 additions and 373 deletions
|
|
@ -1,28 +1,29 @@
|
|||
{ lib, ... }:
|
||||
{
|
||||
options.swarselsystems = {
|
||||
withHomeManager = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
};
|
||||
isSwap = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
};
|
||||
swapSize = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "8G";
|
||||
};
|
||||
rootDisk = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "";
|
||||
};
|
||||
isCrypted = lib.mkEnableOption "uses full disk encryption";
|
||||
initialSetup = lib.mkEnableOption "initial setup (no sops keys available)";
|
||||
|
||||
isImpermanence = lib.mkEnableOption "use impermanence on this system";
|
||||
isSecureBoot = lib.mkEnableOption "use secure boot on this system";
|
||||
options = {
|
||||
swarselsystems = {
|
||||
withHomeManager = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
};
|
||||
isSwap = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
};
|
||||
swapSize = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "8G";
|
||||
};
|
||||
rootDisk = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "";
|
||||
};
|
||||
isCrypted = lib.mkEnableOption "uses full disk encryption";
|
||||
initialSetup = lib.mkEnableOption "initial setup (no sops keys available)";
|
||||
|
||||
isImpermanence = lib.mkEnableOption "use impermanence on this system";
|
||||
isSecureBoot = lib.mkEnableOption "use secure boot on this system";
|
||||
};
|
||||
globals = lib.mkOption {
|
||||
default = { };
|
||||
type = lib.types.submodule {
|
||||
|
|
@ -46,9 +47,14 @@
|
|||
description = "My main domain.";
|
||||
};
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
};
|
||||
# _globalsDefs = lib.mkOption {
|
||||
# type = lib.types.unspecified;
|
||||
# default = options.globals.definitions;
|
||||
# readOnly = true;
|
||||
# internal = true;
|
||||
# };
|
||||
};
|
||||
}
|
||||
|
|
|
|||
106
modules/nixos/server/firefly-iii.nix
Normal file
106
modules/nixos/server/firefly-iii.nix
Normal file
|
|
@ -0,0 +1,106 @@
|
|||
{ lib, config, ... }:
|
||||
let
|
||||
cfg = config.services.firefly-iii;
|
||||
fireflyDomain = "stonks.swarsel.win";
|
||||
fireflyUser = "firefly-iii";
|
||||
in
|
||||
{
|
||||
options.swarselsystems.modules.server.firefly = lib.mkEnableOption "enable firefly-iii on server";
|
||||
config = lib.mkIf config.swarselsystems.modules.server.firefly {
|
||||
|
||||
users.users.firefly-iii = {
|
||||
group = "nginx";
|
||||
isSystemUser = true;
|
||||
};
|
||||
|
||||
sops = {
|
||||
secrets = {
|
||||
"firefly-iii-app-key" = { owner = fireflyUser; group = "nginx"; mode = "0440"; };
|
||||
};
|
||||
};
|
||||
|
||||
services = {
|
||||
firefly-iii = {
|
||||
enable = true;
|
||||
user = fireflyUser;
|
||||
group = if cfg.enableNginx then "nginx" else fireflyUser;
|
||||
dataDir = "/Vault/data/firefly-iii";
|
||||
settings = {
|
||||
TZ = config.repo.secrets.common.location.timezone;
|
||||
APP_URL = "https://${fireflyDomain}";
|
||||
APP_KEY_FILE = config.sops.secrets.firefly-iii-app-key.path;
|
||||
APP_ENV = "local";
|
||||
DB_CONNECTION = "sqlite";
|
||||
# AUTHENTICATION_GUARD = "remote_user_guard";
|
||||
# AUTHENTICATION_GUARD_HEADER = "X-User";
|
||||
# AUTHENTICATION_GUARD_EMAIL = "X-Email";
|
||||
};
|
||||
enableNginx = true;
|
||||
virtualHost = fireflyDomain;
|
||||
};
|
||||
|
||||
nginx = {
|
||||
virtualHosts = {
|
||||
"${fireflyDomain}" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
acmeRoot = null;
|
||||
# main config is automatically added by nixos firefly config.
|
||||
# hence, only provide certificate
|
||||
locations = {
|
||||
"/" = {
|
||||
extraConfig = ''
|
||||
auth_request /oauth2/auth;
|
||||
error_page 401 = /oauth2/sign_in;
|
||||
|
||||
# pass information via X-User and X-Email headers to backend,
|
||||
# requires running with --set-xauthrequest flag (done by NixOS)
|
||||
auth_request_set $user $upstream_http_x_auth_request_user;
|
||||
auth_request_set $email $upstream_http_x_auth_request_email;
|
||||
proxy_set_header X-User $user;
|
||||
proxy_set_header X-Email $email;
|
||||
|
||||
# if you enabled --pass-access-token, this will pass the token to the backend
|
||||
auth_request_set $token $upstream_http_x_auth_request_access_token;
|
||||
proxy_set_header X-Access-Token $token;
|
||||
|
||||
# if you enabled --cookie-refresh, this is needed for it to work with auth_request
|
||||
auth_request_set $auth_cookie $upstream_http_set_cookie;
|
||||
add_header Set-Cookie $auth_cookie;
|
||||
'';
|
||||
};
|
||||
"/oauth2/" = {
|
||||
proxyPass = "http://oauth2-proxy";
|
||||
extraConfig = ''
|
||||
|
||||
proxy_set_header X-Scheme $scheme;
|
||||
proxy_set_header X-Auth-Request-Redirect $scheme://$host$request_uri;
|
||||
'';
|
||||
};
|
||||
"= /oauth2/auth" = {
|
||||
proxyPass = "http://oauth2-proxy/oauth2/auth";
|
||||
extraConfig = ''
|
||||
internal;
|
||||
|
||||
proxy_set_header X-Scheme $scheme;
|
||||
# nginx auth_request includes headers but not body
|
||||
proxy_set_header Content-Length "";
|
||||
proxy_pass_request_body off;
|
||||
'';
|
||||
};
|
||||
"/api" = {
|
||||
extraConfig = ''
|
||||
index index.php;
|
||||
try_files $uri $uri/ /index.php?$query_string;
|
||||
add_header Access-Control-Allow-Methods 'GET, POST, HEAD, OPTIONS';
|
||||
proxy_set_header X-User "";
|
||||
proxy_set_header X-Email "";
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -82,6 +82,7 @@ in
|
|||
"nextcloud.admins" = { };
|
||||
"navidrome.access" = { };
|
||||
"freshrss.access" = { };
|
||||
"firefly.access" = { };
|
||||
};
|
||||
persons = {
|
||||
swarsel = {
|
||||
|
|
@ -96,6 +97,7 @@ in
|
|||
"nextcloud.access"
|
||||
"freshrss.access"
|
||||
"navidrome.access"
|
||||
"firefly.access"
|
||||
];
|
||||
displayName = "Swarsel";
|
||||
};
|
||||
|
|
@ -208,21 +210,31 @@ in
|
|||
originUrl = "https://${oauth2ProxyDomain}/oauth2/callback";
|
||||
originLanding = "https://${oauth2ProxyDomain}/";
|
||||
basicSecretFile = config.sops.secrets.kanidm-oauth2-proxy.path;
|
||||
scopeMaps."freshrss.access" = [
|
||||
"openid"
|
||||
"email"
|
||||
"profile"
|
||||
];
|
||||
scopeMaps."navidrome.access" = [
|
||||
"openid"
|
||||
"email"
|
||||
"profile"
|
||||
];
|
||||
scopeMaps = {
|
||||
"freshrss.access" = [
|
||||
"openid"
|
||||
"email"
|
||||
"profile"
|
||||
];
|
||||
"navidrome.access" = [
|
||||
"openid"
|
||||
"email"
|
||||
"profile"
|
||||
];
|
||||
"firefly.access" = [
|
||||
"openid"
|
||||
"email"
|
||||
"profile"
|
||||
];
|
||||
};
|
||||
preferShortUsername = true;
|
||||
claimMaps.groups = {
|
||||
joinType = "array";
|
||||
valuesByGroup."freshrss.access" = [ "ttrss_access" ];
|
||||
valuesByGroup."navidrome.access" = [ "navidrome_access" ];
|
||||
valuesByGroup = {
|
||||
"freshrss.access" = [ "ttrss_access" ];
|
||||
"navidrome.access" = [ "navidrome_access" ];
|
||||
"firefly.access" = [ "firefly_access" ];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
|
|
|
|||
|
|
@ -65,11 +65,15 @@
|
|||
|
||||
gotenberg = {
|
||||
enable = true;
|
||||
package = pkgs.stable.gotenberg;
|
||||
port = 3002;
|
||||
bindIP = "127.0.0.1";
|
||||
timeout = "600s";
|
||||
chromium.package = pkgs.stable.chromium;
|
||||
};
|
||||
};
|
||||
|
||||
|
||||
# Add secret to PAPERLESS_SOCIALACCOUNT_PROVIDERS
|
||||
systemd.services.paperless-web.script = lib.mkBefore ''
|
||||
oidcSecret=$(< ${config.sops.secrets.kanidm-paperless-client.path})
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue