
chore: unexpose actual from internet; update immich

This commit is contained in:
oddlama 2025-04-08 22:17:22 +02:00
parent ba66772cb1
commit fdfae01dac
No known key found for this signature in database
GPG key ID: 14EFE510775FE39A
17 changed files with 81 additions and 60 deletions

flake.lock generated

@ -1185,14 +1185,15 @@
"inputs": {
"nixpkgs": [
"nixpkgs"
]
],
"treefmt-nix": "treefmt-nix_3"
},
"locked": {
"lastModified": 1743855359,
"narHash": "sha256-h8eshPR5JNZJRoOZAh1L0fvXdojfCn9m4TtdP2VvwYY=",
"lastModified": 1744136669,
"narHash": "sha256-033f44gmj3aTN4as/dX8O0qMnhA497eM1OABprp9fcM=",
"owner": "oddlama",
"repo": "home-manager",
"rev": "eaa4471a98f764bb5e93f5a29c37d534c5b63135",
"rev": "c1f5072d3fad49b96894182ea43115ea73873668",
"type": "github"
},
"original": {
@ -1210,7 +1211,7 @@
"nixpkgs"
],
"pre-commit-hooks": "pre-commit-hooks_3",
"treefmt-nix": "treefmt-nix_3"
"treefmt-nix": "treefmt-nix_4"
},
"locked": {
"lastModified": 1740386689,
@ -1710,7 +1711,7 @@
"stylix",
"nixpkgs"
],
"treefmt-nix": "treefmt-nix_4"
"treefmt-nix": "treefmt-nix_5"
},
"locked": {
"lastModified": 1741693509,
@ -2092,7 +2093,7 @@
"nixvim": "nixvim",
"pre-commit-hooks": "pre-commit-hooks_6",
"stylix": "stylix",
"treefmt-nix": "treefmt-nix_5",
"treefmt-nix": "treefmt-nix_6",
"whisper-overlay": "whisper-overlay",
"wired-notify": "wired-notify"
}
@ -2535,6 +2536,27 @@
}
},
"treefmt-nix_3": {
"inputs": {
"nixpkgs": [
"home-manager",
"nixpkgs"
]
},
"locked": {
"lastModified": 1743748085,
"narHash": "sha256-uhjnlaVTWo5iD3LXics1rp9gaKgDRQj6660+gbUU3cE=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "815e4121d6a5d504c0f96e5be2dd7f871e4fd99d",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix_4": {
"inputs": {
"nixpkgs": [
"idmail",
@ -2555,7 +2577,7 @@
"type": "github"
}
},
"treefmt-nix_4": {
"treefmt-nix_5": {
"inputs": {
"nixpkgs": [
"stylix",
@ -2577,7 +2599,7 @@
"type": "github"
}
},
"treefmt-nix_5": {
"treefmt-nix_6": {
"inputs": {
"nixpkgs": [
"nixpkgs"


@ -12,6 +12,7 @@ let
# FIXME: new entry here? make new firezone gateway on ward entry too.
homeDomains = [
globals.services.grafana.domain
globals.services.actual.domain
globals.services.immich.domain
globals.services.influxdb.domain
globals.services.loki.domain


@ -8,12 +8,12 @@
}:
let
actualDomain = "finance.${globals.domains.me}";
client_id = "actual";
# client_id = "actual";
in
{
wireguard.proxy-sentinel = {
client.via = "sentinel";
firewallRuleForNode.sentinel.allowedTCPPorts = [ config.services.actual.settings.port ];
wireguard.proxy-home = {
client.via = "ward";
firewallRuleForNode.ward-web-proxy.allowedTCPPorts = [ config.services.actual.settings.port ];
};
# Mirror the original oauth2 secret
@ -30,7 +30,7 @@ in
services.actual = {
enable = true;
settings.trustedProxies = [ nodes.sentinel.config.wireguard.proxy-sentinel.ipv4 ];
settings.trustedProxies = [ nodes.ward-web-proxy.config.wireguard.proxy-home.ipv4 ];
};
# NOTE: state: to enable openid, we need to call their enable-openid script once
@ -46,27 +46,30 @@ in
serviceConfig.LoadCredential = [
"oauth2-client-secret:${config.age.secrets.actual-oauth2-client-secret.path}"
];
environment = {
ACTUAL_OPENID_ENFORCE = "true";
ACTUAL_TOKEN_EXPIRATION = "openid-provider";
ACTUAL_OPENID_DISCOVERY_URL = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
ACTUAL_OPENID_CLIENT_ID = client_id;
ACTUAL_OPENID_SERVER_HOSTNAME = "https://${actualDomain}";
};
# NOTE: openid is disabled for now. too experimental, many rough edges.
# only admins can use sync, every admin can open anyones finances. not good enough yet.
# environment = {
# ACTUAL_OPENID_ENFORCE = "true";
# ACTUAL_TOKEN_EXPIRATION = "openid-provider";
#
# ACTUAL_OPENID_DISCOVERY_URL = "https://${globals.services.kanidm.domain}/oauth2/openid/${client_id}/.well-known/openid-configuration";
# ACTUAL_OPENID_CLIENT_ID = client_id;
# ACTUAL_OPENID_SERVER_HOSTNAME = "https://${actualDomain}";
# };
};
globals.services.actual.domain = actualDomain;
globals.monitoring.http.actual = {
url = "https://${actualDomain}/";
expectedBodyRegex = "Actual";
network = "internet";
};
# FIXME: monitor from internal network
# globals.monitoring.http.actual = {
# url = "https://${actualDomain}/";
# expectedBodyRegex = "Actual";
# network = "local-${config.node.name}";
# };
nodes.sentinel = {
nodes.ward-web-proxy = {
services.nginx = {
upstreams.actual = {
servers."${config.wireguard.proxy-sentinel.ipv4}:${toString config.services.actual.settings.port}" =
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.actual.settings.port}" =
{ };
extraConfig = ''
zone actual 64k;
@ -80,11 +83,6 @@ in
virtualHosts.${actualDomain} = {
forceSSL = true;
useACMEWildcardHost = true;
# oauth2 = {
# enable = true;
# allowedGroups = ["access_openwebui"];
# X-Email = "\${upstream_http_x_auth_request_preferred_username}@${globals.domains.personal}";
# };
extraConfig = ''
client_max_body_size 256M;
'';
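Review bot: With `ACTUAL_OPENID_ENFORCE` and the other `ACTUAL_OPENID_*` settings commented out, and the vhost's `oauth2` forward-auth block deleted rather than enabled, nothing on the `finance.*` path checks a Kanidm identity any more — access now rests on being able to reach ward-web-proxy plus whatever password Actual itself holds. If the ward-web-proxy nginx module offers the same `oauth2` option the removed block used on sentinel, it would be worth switching it on with a dedicated group instead of dropping it, e.g. `oauth2 = { enable = true; allowedGroups = [ "access_actual" ]; };` (the removed block still named `access_openwebui`, which looks copy-pasted). The NOTE above the systemd unit says the openid login method was switched on by a one-off script that persists in Actual's state, and removing the environment does not obviously undo that, so confirm the stored login method was reset or the login may be left pointing at a now-unconfigured provider. The unit also still loads `oauth2-client-secret` via `LoadCredential` although nothing reads it now; either drop it or annotate it, e.g. `# still provisioned for the (currently disabled) OpenID setup below`. The `virtualHosts.${actualDomain}` block continues past the end of the hunk.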


@ -107,7 +107,7 @@ let
processedConfigFile = "/run/agenix/immich.config.json";
version = "v1.121.0";
version = "v1.131.3";
environment = {
DB_DATABASE_NAME = "immich";
DB_HOSTNAME = ipImmichPostgres;


@ -27,6 +27,7 @@ in
};
globals.services.paperless.domain = paperlessDomain;
# FIXME: also monitor from internal network
globals.monitoring.http.paperless = {
url = "https://${paperlessDomain}";
expectedBodyRegex = "Paperless-ngx";


@ -13,6 +13,7 @@ let
# FIXME: new entry here? make new firezone entry too.
homeDomains = [
globals.services.grafana.domain
globals.services.actual.domain
globals.services.immich.domain
globals.services.influxdb.domain
globals.services.loki.domain


@ -112,6 +112,7 @@ in
# FIXME: new entry here? make new firezone entry too.
# FIXME: new entry here? make new firezone gateway on ward entry too.
globals.services.grafana.domain
globals.services.actual.domain
globals.services.immich.domain
globals.services.influxdb.domain
globals.services.loki.domain
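Review bot: The `homeDomains` list is now hand-extended in three separate files on this page, and the two stacked FIXME lines above the new entry already warn that it must also be mirrored into the firezone entries; a domain that lands in one copy but not another is routed inconsistently (served on one path, unreachable or wrongly proxied on another) with no evaluation-time error to catch it. Unless these lists intentionally differ, it would be safer to define them once (e.g. a `globals.homeDomains` attribute) and reference that from each consumer, so adding a service is a single edit that cannot drift. The enclosing `let` block starts before this hunk.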


@ -14,7 +14,7 @@ rustPlatform.buildRustPackage {
hash = "sha256-cIrHSzdzFqfArE2bqWPm+CULuQU/KajkRN+i0b+seD0=";
};
cargoHash = "sha256-ZKY1UVxeMSQaPZecBCIleZSFMRAPP6Vv0uRcnSNUOY0=";
cargoHash = "sha256-lGeOwszMkVGJZT7V8b3COPgKNFo+jW/zDf4D3OoF5uY=";
meta = {
description = "mDNS packet relayer";
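Review bot: `cargoHash` changes while the `src` hash directly above it does not, so the vendored dependency closure (or the way it is vendored) changed with no corresponding source change — exactly the kind of silent dependency drift a supply-chain reviewer wants explained rather than inferred. If this is the nixpkgs move from `fetchCargoTarball` to `fetchCargoVendor` (which re-hashes the same lockfile), a one-line comment would save the next reader an audit, e.g. `# cargoHash re-computed after nixpkgs' fetchCargoVendor switch; src/Cargo.lock unchanged`; if it is not, the new vendored set should be diffed against the old one before it is trusted. The package definition starts before this hunk.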


@ -1,8 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 yV7lcA IFccz3iClZKyPf7EdDWd2MzhrVBKhag9IDWc7XUI5Hc
uatqP7QQJnA5mQP9tsHQFaKEHeoDGLgY2kWJpnal674
-> 7jdci-grease c[y2 alscP1
H2uNfINe/FUPjgudAkD33U2rIb5+L1KoQ0A5lr5iGYfPPCdscexXunFJY48qSn03
WpMBYikmzds
--- uugJJPzxMZwJCWH97I/MTlu9WzD4ZQPYDAMXwE989OY
Œ4ïfI€@ɺxöØû½-³mç©|Q,×ûë·ÓjA*q¶úü2÷Îo®6o9Gj�¥a‡'}yªç×aþwç 1k�Μù�7K��


@ -1,9 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 11F4Ig gNdfKSW0SI5OHV3WV8Z2gMaIyvpEpKtgEynkBPXO2SU
Atd1AyDvRmX1106aMzZhx9GJEd17nYu9pJiM5/kI3Do
-> ;-grease j+0
cIGZ9KVirP5q/dCKsUjPBzkUXTw+Yo+i8UJ69ndD49smdN2BxmzouELydH5Bva9i
anw8o8lTvqVvso3PDBrgZy7iFcgTJWto
--- jilcU1phIjP8JI2AUkhQbc5Smot9XoJ8t9mGsGtznx0
幃牝�.シ@キ乕テ8MネE]ニッェ+マ�1m鋻<ウ豁ァ排q`セ濮s�アW{@�
�゚゚アH`}ソ)QKーf�狢t_


@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 11F4Ig xNoQ1/f/e3Jv57Npi3I58y7Z/RvK6l3V7Vo5H81d4FA
3/Fb14I4nNObYCbPUNZZdWfa6/+ZaSTAB24NTjLPy8U
-> %>-grease
itFTJfCmI/7Rt9rvPeKLsrbDUR64w390pprq98A2y8gM
--- AbhEcUA9Qn1KwfouM6bRE9xHWaUKesHHrLc5L3bgS0U
éöAQó?-{1o�Ł��yM–î«ßôŠ(zŰţIÔÄ(Ü?ýlĐ`śřěGG�Ó‡K9Ú8‡¶mwwťěJv§ňƧ¨ü;řJ_G6G˘Ű


@ -0,0 +1,9 @@
age-encryption.org/v1
-> X25519 m/lJB1n45szFplLVtd7CizaSs3m4xr1NGQTxGNYBXX8
sp56h1uLUCDgyOUz/Ba6Edwe71vfpsiqBQvWsM8yI3E
-> piv-p256 xqSe8Q A3Q6Y91CnrW68eandaYeDBpnK33TTOPJOlHyI6wqGxM0
yOZWxa//Eh/tUxHg9+iMOqh7GOuvxRl57cu/Nva17GE
-> @Y(s^-grease N<4U+cLN *td}fYU
koZVXtJoC5E1pg4Biu/JXA
--- 2hY0WinieNwxX7Dq+oXZsvvZCw/h5iXYD5yZyAjg5H0
!¬/‘¹GÔDs3Ö#šöá›Iö»2-ÝEV¢Ô~5ú8ԓ⽜¸ç?Ï�ññÒ>'�èQ±ÀºX9”.fÍ;ER&BÁL<þ1P"F


@ -0,0 +1 @@
9YnBjTSiag6gR5sRKZFJF+/0c4I66tFkPpDIaIR/O1w=


@ -0,0 +1,11 @@
age-encryption.org/v1
-> X25519 Kh+mCGnB5K1NSQ2AlTw91USyZWH1Gxb0zUQ3eGMF9GQ
wguTpicJa0QM8Ftjwdxwz6pWRIKwqE8Va7K/K9b5KGk
-> piv-p256 xqSe8Q AiRTipj4vdFFX4bd73UqnWMK7/ksXVhXX9OGOGJ7MDB8
d4Wh+KdH4vwCmRDIA+RIIplqjOCPB2F/vY607lDQTO8
-> `#f-grease fRA|\bQ `!=
1jGPsD2U0TjNwpTnMR3HxDKQvcXhE4Zw4EkYWu8KTIYuDfEAhtkUpkTAqFhbrf59
aleNrJsH7U8Ct5jNFhu9urYIVnG2oOORNz6FDyZEDF6XqHmNeNqi1ygGCkdqDY3Q
--- sMGofu1JYEzirvzT4SuRQjXqOwXxRlmSmzBa3okchAg
ËüO©Zƒ¼Fhª¶bWkur RÖ€¹¦\ÜŠ:"{Øk£àS7»‚ÃÀVe/pîÃjÇ7ža)âsê|Oê{6j­d´S3vÌ,�¨]Ub