diff --git a/configurations/host/flamaster/configuration.nix b/configurations/host/flamaster/configuration.nix
index 960d955..a8c39ac 100644
--- a/configurations/host/flamaster/configuration.nix
+++ b/configurations/host/flamaster/configuration.nix
@@ -164,29 +164,28 @@ # Or disable the firewall altogether.
 networking.firewall.enable = true;
- networking.networkmanager.extraConfig = lib.mkDefault ''
- [connectivity]
- uri=http://nmcheck.gnome.org/check_network_status.txt
- '';
+ networking.networkmanager.settings = {
+ connectivity = { uri = lib.mkDefault "http://nmcheck.gnome.org/check_network_status.txt"; };
+ };
- # This value determines the NixOS release from which the default
- # settings for stateful data, like file locations and database versions
- # on your system were taken. It‘s perfectly fine and recommended to leave
- # this value at the release version of the first install of this system.
- # Before changing this value read the documentation for this option
- # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
- system.stateVersion = "23.05"; # Did you read the comment?
+ # This value determines the NixOS release from which the default
+ # settings for stateful data, like file locations and database versions
+ # on your system were taken. It‘s perfectly fine and recommended to leave
+ # this value at the release version of the first install of this system.
+ # Before changing this value read the documentation for this option
+ # (e.g. man configuration.nix or on https://nixos.org/nixos/options.html).
+ system.stateVersion = "23.05"; # Did you read the comment?
- programs.neovim.enable = true;
- programs.neovim.vimAlias = true;
- programs.neovim.viAlias = true;
+ programs.neovim.enable = true;
+ programs.neovim.vimAlias = true;
+ programs.neovim.viAlias = true;
- services.flatpak.enable = true;
- xdg.portal.enable = true;
+ services.flatpak.enable = true;
+ xdg.portal.enable = true;
- virtualisation.podman.enable = true;
- virtualisation.podman.dockerCompat = true;
- virtualisation.podman.enableNvidia = true;
- virtualisation.podman.dockerSocket.enable = true;
-}
+ virtualisation.podman.enable = true;
+ virtualisation.podman.dockerCompat = true;
+ virtualisation.podman.enableNvidia = true;
+ virtualisation.podman.dockerSocket.enable = true;
+ }
diff --git a/configurations/host/waffentrager/secrets/secrets.yaml b/configurations/host/waffentrager/secrets/secrets.yaml
index 8f96598..a90af4f 100644
--- a/configurations/host/waffentrager/secrets/secrets.yaml
+++ b/configurations/host/waffentrager/secrets/secrets.yaml
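Review bot: The new `connectivity.uri` line keeps the NetworkManager connectivity check on plain `http://`, and nothing in the hunk says that this is deliberate; the check is normally kept on HTTP so captive portals can intercept it, but the reply is unauthenticated, so a later reader may either "fix" it to HTTPS (breaking portal detection) or treat the result as trustworthy. A one-line comment above it, `# plain http on purpose: captive-portal detection relies on an interceptable request`, would settle both. The rest of the hunk is re-indentation of otherwise unchanged options; keeping whitespace-only moves in their own commit would leave the `extraConfig` → `settings` migration reviewable on its own.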
@@ -2,6 +2,9 @@ wireguard: ENC[AES256_GCM,data:QLngCAtEa6wfRRrZwywbARhsS1oGj9+hGTlC1QV6xnRmlZLor
 nextcloud-adminpass: ENC[AES256_GCM,data:5vohRPEcJJ8gIRro38O73ufSYYEp1DXpBgjCPdPnMcg=,iv:STh3k5wUwx3AfSDTPCXhuXbPb3d+Vi1cAaQN2a9eW1w=,tag:Ef/Z2Idvl6575Jvs2GDJ8A==,type:str]
 jwt: ENC[AES256_GCM,data:1Qn7DaBZr8vEa8VZiv2BpwePPOBYRTdHEiDv0asUbvhCtfHvhG4mX5/plyRPlQok6FLEjEzKZTEdnvyyOtFEgA==,iv:kqfHkEr0jkKAro9gQup6CeopQnjfMGhEqbVL81wnDgc=,tag:gP/WACy5cOzzmQOh1v8wsQ==,type:str]
 lldap-database: ENC[AES256_GCM,data:rNLS4WwvqRd3TFWDXaf8UmDTRsHZNPPS,iv:URV4Oz4ik2vHb03+Zh7ND+AbozSmoXpxENpvad4yvRI=,tag:6TbuMCnHwtTaG5mMWVN/mQ==,type:str]
+authelia-storagekey: ENC[AES256_GCM,data:T5b5QWf6vlGHniuUic0tEFSJNNWaFbvi3emZOWEQz0AhNqDpxJZqO57KdjZ02NVMoxHN54c0ChWlHRCoAj234A==,iv:Rch5RQ0oblTTWXz0it7zZuYQNYhYMa0MsorAx9N4GV0=,tag:+GlwGnPXLukzDnW6BUf6Hg==,type:str]
+authelia-database: ENC[AES256_GCM,data:XZYk4clzLaMb3/plELOnEoy4bwu/YSQg,iv:TGDKjLdcdmwEI12XDDNGHTgYnJxB+vV6RaomKU+jwpY=,tag:c/p7X4tzPWWiLvAL7DJmYg==,type:str]
+ldap-master: ENC[AES256_GCM,data:jiinK8xzuKiTwB9k44okgj+sWWEgbeay,iv:Slvci3EBylIbP/I6NFIJTd3eitxVApXrORtnXY48eGg=,tag:OwaVYBNxNbQyIHrqOcUGhg==,type:str]
 elements: ENC[AES256_GCM,data:Kh6ueReXpj9h5yQ3P0qY8X1ow4RRZD9zyXZLS6DUIIVuthgqgu9dPzBc7ojnz6nXoYTHt1I2LJJKLOGQYZC+iVxXOk+QADJMPwY4NCyeZ3prgvYMghlD,iv:WFA/UQ0XDFjpbgaDEacrBxkteLitXv3CJP54ANVSJHM=,tag:M+tTpTR0alvQxvUiP2MWlA==,type:str]
 users:
 materus: ENC[AES256_GCM,data:MhPrMJ4/0oxEsFZDUKcYb3WMUWLI2ZbRTgnh1fQZG1Ly2J781jcUWtA8vVAdMBedNfWky0mDq5+KEQ/2fJNGU4IkTBvLdAqnWw==,iv:Dpl+M+x1weNIVkEsf3I/uXpG0SM6bDz+d9w7AYwn/MY=,tag:yGc1D2ODp6Te/QAztOj7yA==,type:str]
@@ -20,8 +23,8 @@ sops:
 eFN4VVdUMkVjcTVWNFdLM0xtbExLdncK6LYUufWzIcd2jFyEeZDypo0xkJQ4z91F
 ULyGxJLLWl6/inYXtxHNdxIIPfwW+5yppBAbXaOgvABi1E7tf1JZcA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-07-13T16:21:39Z"
- mac: ENC[AES256_GCM,data:vVFnPSbCbekww0RVyGdztiUZT/A0VeH+eap3JD96tut7SNJddM2YMVDFYjZROR0qrNEnEFpBNrRZCDJXzBj6qvujDaaSRSjksehyipVKRo3JvHzwj6jqCwAgAJoFYFqKvM/b9Cz88ujKpMW6cm0RKNcf56sITOi06UWtZSGdbxg=,iv:SlFXlEEbgBVIIuhjpR/Eleae34k46Ah3SSsf9fY66NU=,tag:QDqV/vXdhDAPYTTK3x3YTA==,type:str]
+ lastmodified: "2024-07-21T22:14:08Z"
+ mac: ENC[AES256_GCM,data:DKI+SljQTH+5T7wtIfYRzNK+W5qQoxQ7E/6b9S7cptAsccdZhupWmVzHlwUlk5MFm92r0Qy3A6B/qV8Dashf6ABmjfnDuysvPoI5O45xE0Qs3TEyPKAbPV07FVi6lDHInEOznNAr6vhEN1Bhveg+ByyVeo+C5C5b+U7Qvx5KESM=,iv:B6xX7/u1ZHOPbEheFSpDeaRey3SP9bZMnDARc5xvzRM=,tag:nux6gkIfodj/4JedkBXWkQ==,type:str]
 pgp:
 - created_at: "2024-03-21T18:15:00Z"
 enc: |-
diff --git a/configurations/host/waffentrager/services/auth/authelia.nix b/configurations/host/waffentrager/services/auth/authelia.nix
new file mode 100644
index 0000000..a461cd7
--- /dev/null
+++ b/configurations/host/waffentrager/services/auth/authelia.nix
@@ -0,0 +1,80 @@
+{ config, pkgs, lib, materusArg, ... }:
+{
+ options.waffentragerService.auth.authelia.enable = materusArg.pkgs.lib.mkBoolOpt false "Enable authelia";
+ config =
+ let
+ cfg = config.waffentragerService.auth.authelia;
+ port = 9091;
+ in
+ lib.mkIf cfg.enable {
+ sops.secrets."authelia-storagekey" = { owner = "authelia"; };
+ sops.secrets."authelia-database" = { owner = "authelia"; };
+ sops.secrets."ldap-master" = { owner = "authelia"; };
+ users.users.authelia = {
+ group = "lldap";
+ isSystemUser = true;
+ };
+ services.authelia.instances.main = {
+ enable = true;
+ user = "authelia";
+ environmentVariables = {
+ AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.sops.secrets."ldap-master".path;
+ AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = config.sops.secrets."authelia-database".path;
+ };
+ secrets = {
+ jwtSecretFile = config.sops.secrets.jwt.path;
+ storageEncryptionKeyFile = config.sops.secrets."authelia-storagekey".path;
+ };
+ settings = {
+ access_control = {
+ default_policy = "one_factor";
+ };
+ authentication_backend = {
+ ldap.url = "ldap://127.0.0.1:3890";
+ ldap.implementation = "custom";
+ ldap.base_dn = config.services.lldap.settings.ldap_base_dn;
+ ldap.user = "CN=master,ou=people,DC=podkos,DC=pl";
+ ldap.additional_users_dn = "OU=people";
+ ldap.users_filter = "(&({username_attribute}={input})(objectClass=person))";
+ ldap.additional_groups_dn = "OU=groups";
+ ldap.groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
+ };
+ storage = {
+ postgres.host = "/var/run/postgresql";
+ postgres.port = "5432";
+ postgres.database = "authelia";
+ postgres.username = "authelia";
+
+ };
+ notifier = {
+ disable_startup_check = false;
+ filesystem.filename = "/tmp/test_notification.txt";
+ };
+ session = {
+ name = "materus-session";
+ domain = "materus.pl";
+ };
+
+ default_redirection_url = "https://materus.pl";
+ server.port = port;
+ };
+ };
+ services.nginx.virtualHosts."gatekeeper.materus.pl" = {
+ forceSSL = true;
+ http3 = true;
+ sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+ sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+ sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString port}";
+ extraConfig = ''
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ '';
+ };
+ };
+ };
+}
diff --git a/configurations/host/waffentrager/services/auth/default.nix b/configurations/host/waffentrager/services/auth/default.nix
index 9bfab8a..2892b8c 100644
--- a/configurations/host/waffentrager/services/auth/default.nix
+++ b/configurations/host/waffentrager/services/auth/default.nix
@@ -3,9 +3,11 @@ imports = [
 ./lldap.nix
+ ./authelia.nix
 ];
 config = {
 waffentragerService.auth.lldap.enable = true;
+ waffentragerService.auth.authelia.enable = true;
 };
 }
diff --git a/configurations/host/waffentrager/services/auth/lldap.nix b/configurations/host/waffentrager/services/auth/lldap.nix
index cb40448..2da6095 100644
--- a/configurations/host/waffentrager/services/auth/lldap.nix
+++ b/configurations/host/waffentrager/services/auth/lldap.nix
@@ -45,7 +45,7 @@ group = "lldap";
 isSystemUser = true;
 };
- sops.secrets.jwt = { owner = "lldap"; group = "lldap"; };
+ sops.secrets.jwt = { owner = "lldap"; group = "lldap"; mode = "0440"; };
 sops.secrets."lldap-database" = { owner = "lldap"; group = "lldap"; };
 services.lldap.enable = true;
 services.lldap.environmentFile = config.sops.templates."lldap.env".path;
@@ -60,6 +60,8 @@ services.lldap.settings = {
 ldap_base_dn = "dc=podkos,dc=pl";
+
+ ldap_host = "127.0.0.1";
 http_url = "https://mamba.podkos.pl";
 ldap_user_dn = "master";
 ldap_user_email = "materus@podkos.pl";
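Review bot: The `notifier.filesystem.filename = "/tmp/test_notification.txt"` line sends Authelia's identity-verification and password-reset links to a file in `/tmp`: unless the unit runs with PrivateTmp (in which case the notifications are simply unreachable), any local account that can read that file can complete a password reset for any LDAP user, and the `test_` name suggests this is a bring-up leftover rather than a production choice; move it to a path only the `authelia` user can read, or switch to the SMTP notifier, before the portal is reachable on `gatekeeper.materus.pl`. Separately, `ldap.user = "CN=master,ou=people,DC=podkos,DC=pl"` binds with the same `master` account that lldap.nix configures as `ldap_user_dn`, i.e. the directory administrator, while Authelia only needs to search users and groups; a dedicated bind user in lldap's read-only group (`lldap_strict_readonly`) would keep a compromise of the portal from becoming a compromise of the directory. `server.port = port` with no `server.host`/`server.address` pinned to `127.0.0.1` presumably leaves the instance listening on every interface (the Authelia default, depending on version) even though nginx only proxies to loopback, so bind it explicitly.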
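Review bot: Widening `sops.secrets.jwt` to `mode = "0440"` makes what is presumably lldap's JWT signing secret (it is owned by `lldap` and fed through the `lldap.env` template) readable by every member of group `lldap`, and authelia.nix in this commit both adds the `authelia` user to that group and points `jwtSecretFile` at the same file, so one signing key is now shared by two services that mint different tokens; if either side leaks it, tokens for both can be forged, and the group membership also grants Authelia anything else later made group-readable under `lldap`. Mint a separate `authelia-jwt` entry in secrets.yaml, reference it from `jwtSecretFile`, and leave `jwt` at the sops-nix default `0400` so the `group = "lldap"` coupling can go away. If the mode must stay, say who the second reader is on this line: `# group-readable on purpose: shared with authelia, see authelia.nix`.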
diff --git a/configurations/host/waffentrager/services/nextcloud.nix b/configurations/host/waffentrager/services/nextcloud.nix
index 72ef817..05d91fa 100644
--- a/configurations/host/waffentrager/services/nextcloud.nix
+++ b/configurations/host/waffentrager/services/nextcloud.nix
@@ -25,11 +25,11 @@ package = pkgs.nextcloud29;
 hostName = "waffentrager.materus.pl";
 home = config.waffentragerService.elements.nextcloudDir;
- config.adminuser = "master";
+ config.adminuser = "nextcloud-master";
 config.adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
 config.dbtype = "pgsql";
 extraAppsEnable = true;
- maxUploadSize = "4G";
+ maxUploadSize = "8G";
 https = true;
 enableImagemagick = true;
 configureRedis = true;
diff --git a/configurations/host/waffentrager/services/samba.nix b/configurations/host/waffentrager/services/samba.nix
index 5041e03..69a12e0 100644
--- a/configurations/host/waffentrager/services/samba.nix
+++ b/configurations/host/waffentrager/services/samba.nix
@@ -35,6 +35,9 @@ hosts deny = 0.0.0.0/0
 guest account = nobody
 map to guest = bad user
+ mangled names = no
+ dos charset = CP850
+ unix charset = UTF-8
 '';
 shares = {
 materus = {
@@ -42,10 +45,10 @@ browseable = "yes";
 "read only" = "no";
 "guest ok" = "no";
- "create mask" = "0644";
- "directory mask" = "0755";
+ "create mask" = "0770";
+ "directory mask" = "0770";
 "force user" = "materus";
- "force group" = "users";
+ "force group" = "nextcloud";
 };
 };
 };
diff --git a/configurations/host/waffentrager/services/syncthing.nix b/configurations/host/waffentrager/services/syncthing.nix
index 986a2a9..3381b29 100644
--- a/configurations/host/waffentrager/services/syncthing.nix
+++ b/configurations/host/waffentrager/services/syncthing.nix
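Review bot: Changing `config.adminuser` from `master` to `nextcloud-master` only takes effect on a fresh install: the NixOS module hands the admin user and `adminpassFile` to the one-time `occ maintenance:install`, so on an instance that is already set up this line presumably leaves the existing `master` admin in place and creates nothing. If the goal is to rename the admin account, that has to be done inside Nextcloud (create `nextcloud-master`, grant admin, disable or remove `master`), and a short comment on this line saying which situation applies would stop the next reader from taking the declared name as authoritative. `maxUploadSize = "8G"` is fine as is.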
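Review bot: `"create mask" = "0770"` on the `materus` share lets regular files written over SMB carry execute bits, which group `nextcloud` does not need in order to read or write them; `"create mask" = "0660"` for files, keeping `"directory mask" = "0770"`, gives the same group access without turning uploaded documents into executables. Together with `"force group" = "nextcloud"`, every file written through this share is now group-writable by the Nextcloud service account, which is presumably intended for a directory both services serve, so a comment above `force group` such as `# also served by Nextcloud: group rw so the nextcloud user can manage these files` would make the deliberate widening from `users` obvious. Note that `hosts deny = 0.0.0.0/0` in the first hunk is a global whose `hosts allow` counterpart is outside this diff, so the share's reachability cannot be judged from here.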
@@ -7,9 +7,7 @@ cfg = config.waffentragerService.syncthing;
 in
 lib.mkIf cfg.enable {
- waffentragerService.elements.enable = true;
-
- networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
+ waffentragerService.elements.enable = true; networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port];
 networking.firewall.allowedUDPPorts = [ 22000 21027 ];
 systemd.services.syncthing = {
 partOf = [ "elements-mount.service" ];
@@ -20,6 +18,7 @@ syncthing = {
 enable = true;
 user = "materus";
+ group = "nextcloud";
 dataDir = "${config.waffentragerService.elements.path}/storage/materus";
 configDir = "${config.waffentragerService.elements.path}/storage/materus/Inne/Config/Syncthing/waffentrager/";
 };
diff --git a/extraFiles/scripts/convert_images.sh b/extraFiles/scripts/convert_images.sh
index 9fdcb4d..78cc4ac 100755
--- a/extraFiles/scripts/convert_images.sh
+++ b/extraFiles/scripts/convert_images.sh
@@ -7,6 +7,12 @@ if ! command -v convert &> /dev/null; then $CONVERT "$@"; else convert "$@"; fi
 }
+function max16 {
+ while [ `jobs | wc -l` -ge 16 ]
+ do
+ sleep 2
+ done
+}
 change_to_webp() {
 f="$1"
@@ -31,7 +37,7 @@ pushd $XDG_PICTURES_DIR
 for f in `find "." \( -name "*.png" -type f -o -name "*.jpg" -type f -o -name "*.jpeg" -type f -o -name "*.avif" -type f \) \
 -a -not \( -path "./Inne/Special/*" -o -path "./Inne/Emojis/*" -o -path "./Inne/MCSkins/*" -o -path "./Avatar/*" -o -path "./Inne/GIF/*" \)`; do
- change_to_webp "$f" &
+ max16; change_to_webp "$f" &
 done
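Review bot: The new side collapses two unrelated bindings onto one line, `waffentragerService.elements.enable = true; networking.firewall.allowedTCPPorts = [...]`, which looks like an accidental join (the old side had them on separate lines with a blank between) and hides the firewall rule from anyone reading or grepping line by line. Restore them as two lines: `waffentragerService.elements.enable = true;` followed by `networking.firewall.allowedTCPPorts = [ 22000 config.services.syncthing.relay.statusPort config.services.syncthing.relay.port ];`. Since that rule opens the relay ports on every interface, a trailing comment naming their roles (`# 22000 sync, relay status + listen`) would help the next firewall review.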
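Review bot: `max16` counts every entry `jobs` prints, and without `-r` that can include jobs that have exited but not yet been reported, so the throttle may sit on dead jobs for a further 2 s per poll; counting running jobs and blocking until one finishes is both tighter and simpler: `while [ "$(jobs -rp | wc -l)" -ge 16 ]; do wait -n; done`. `wait -n` needs bash ≥ 4.3 and the shebang is outside this hunk, so confirm the interpreter before switching; the backtick substitution and the unquoted test operand on the `while` line are also what `shellcheck` would flag, and `$(...)` with quotes fixes both. A one-line comment above the function, `# block until fewer than 16 background conversions are running`, would document the intent.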