forked from mirrors_public/oddlama_nix-config
feat: switch from actual -> firefly-iii
This commit is contained in:
parent
4adf28a442
commit
ced72fb7bb
34 changed files with 193 additions and 128 deletions
|
@ -13,7 +13,7 @@ let
|
|||
# FIXME: new entry here? make new firezone entry too.
|
||||
homeDomains = [
|
||||
globals.services.grafana.domain
|
||||
globals.services.actual.domain
|
||||
globals.services.firefly.domain
|
||||
globals.services.immich.domain
|
||||
globals.services.influxdb.domain
|
||||
globals.services.loki.domain
|
||||
|
@ -135,6 +135,7 @@ in
|
|||
lib.mkIf (!minimal) (
|
||||
{ }
|
||||
// mkMicrovm "adguardhome"
|
||||
// mkMicrovm "firefly"
|
||||
// mkMicrovm "forgejo"
|
||||
// mkMicrovm "kanidm"
|
||||
// mkMicrovm "radicale"
|
||||
|
|
|
@ -112,7 +112,7 @@ in
|
|||
# FIXME: new entry here? make new firezone entry too.
|
||||
# FIXME: new entry here? make new firezone gateway on ward entry too.
|
||||
globals.services.grafana.domain
|
||||
globals.services.actual.domain
|
||||
globals.services.firefly.domain
|
||||
globals.services.immich.domain
|
||||
globals.services.influxdb.domain
|
||||
globals.services.loki.domain
|
||||
|
|
87
hosts/ward/guests/firefly.nix
Normal file
87
hosts/ward/guests/firefly.nix
Normal file
|
@ -0,0 +1,87 @@
|
|||
{
|
||||
config,
|
||||
globals,
|
||||
nodes,
|
||||
...
|
||||
}:
|
||||
let
|
||||
fireflyDomain = "firefly.${globals.domains.me}";
|
||||
wardWebProxyCfg = nodes.ward-web-proxy.config;
|
||||
in
|
||||
{
|
||||
wireguard.proxy-home = {
|
||||
client.via = "ward";
|
||||
firewallRuleForNode.sausebiene.allowedTCPPorts = [ config.services.firefly.port ];
|
||||
};
|
||||
|
||||
globals.services.firefly.domain = fireflyDomain;
|
||||
globals.monitoring.http.firefly = {
|
||||
url = "https://${fireflyDomain}";
|
||||
expectedBodyRegex = "Firefly-III";
|
||||
network = "home-lan.vlans.services";
|
||||
};
|
||||
|
||||
age.secrets.firefly-app-key = {
|
||||
generator.script = _: ''
|
||||
echo "base64:$(head -c 32 /dev/urandom | base64)"
|
||||
'';
|
||||
owner = "firefly-iii";
|
||||
};
|
||||
|
||||
environment.persistence."/persist".directories = [
|
||||
{
|
||||
directory = "/var/lib/firefly-iii";
|
||||
user = "firefly-iii";
|
||||
}
|
||||
];
|
||||
|
||||
i18n.supportedLocales = [ "all" ];
|
||||
services.firefly-iii = {
|
||||
enable = true;
|
||||
enableNginx = true;
|
||||
virtualHost = globals.services.firefly.domain;
|
||||
settings = {
|
||||
APP_URL = "https://${globals.services.firefly.domain}";
|
||||
TZ = "Europe/Berlin";
|
||||
TRUSTED_PROXIES = wardWebProxyCfg.wireguard.proxy-home.ipv4;
|
||||
SITE_OWNER = "admin@${globals.domains.me}";
|
||||
APP_KEY_FILE = config.age.secrets.firefly-app-key.path;
|
||||
AUTHENTICATION_GUARD = "remote_user_guard";
|
||||
AUTHENTICATION_GUARD_HEADER = "X-User";
|
||||
AUTHENTICATION_GUARD_EMAIL = "X-Email";
|
||||
};
|
||||
};
|
||||
|
||||
nodes.ward-web-proxy = {
|
||||
services.nginx = {
|
||||
upstreams.firefly = {
|
||||
servers."${config.wireguard.proxy-home.ipv4}:${toString config.services.firefly.settings.server.http_port}" =
|
||||
{ };
|
||||
extraConfig = ''
|
||||
zone firefly 64k;
|
||||
keepalive 2;
|
||||
'';
|
||||
monitoring = {
|
||||
enable = true;
|
||||
expectedBodyRegex = "Firefly";
|
||||
};
|
||||
};
|
||||
virtualHosts.${fireflyDomain} = {
|
||||
forceSSL = true;
|
||||
useACMEWildcardHost = true;
|
||||
locations."/" = {
|
||||
proxyPass = "http://firefly";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
extraConfig = ''
|
||||
allow ${globals.net.home-lan.vlans.home.cidrv4};
|
||||
allow ${globals.net.home-lan.vlans.home.cidrv6};
|
||||
# Firezone traffic
|
||||
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv4};
|
||||
allow ${globals.net.home-lan.vlans.services.hosts.ward.ipv6};
|
||||
deny all;
|
||||
'';
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
|
@ -35,7 +35,6 @@ in
|
|||
age.secrets.kanidm-admin-password = mkRandomSecret;
|
||||
age.secrets.kanidm-idm-admin-password = mkRandomSecret;
|
||||
|
||||
age.secrets.kanidm-oauth2-actual = mkRandomSecret;
|
||||
age.secrets.kanidm-oauth2-forgejo = mkRandomSecret;
|
||||
age.secrets.kanidm-oauth2-grafana = mkRandomSecret;
|
||||
age.secrets.kanidm-oauth2-immich = mkRandomSecret;
|
||||
|
@ -137,23 +136,6 @@ in
|
|||
];
|
||||
};
|
||||
|
||||
# Actual
|
||||
groups."actual.access" = { };
|
||||
systems.oauth2.actual = {
|
||||
displayName = "Actual Budget";
|
||||
originUrl = "https://${globals.services.actual.domain}/openid/callback";
|
||||
originLanding = "https://${globals.services.actual.domain}/";
|
||||
basicSecretFile = config.age.secrets.kanidm-oauth2-actual.path;
|
||||
preferShortUsername = true;
|
||||
# XXX: RS256 is used instead of ES256 so additionally we need legacy crypto
|
||||
enableLegacyCrypto = true;
|
||||
scopeMaps."actual.access" = [
|
||||
"openid"
|
||||
"email"
|
||||
"profile"
|
||||
];
|
||||
};
|
||||
|
||||
# Firezone
|
||||
groups."firezone.access" = { };
|
||||
systems.oauth2.firezone = {
|
||||
|
|
1
hosts/ward/secrets/firefly/host.pub
Normal file
1
hosts/ward/secrets/firefly/host.pub
Normal file
|
@ -0,0 +1 @@
|
|||
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDI93VlzePCcQnAF3MmgcvfJPhWrLmT+9uWCzgVl3YV+
|
Loading…
Add table
Add a link
Reference in a new issue