
No commits in common. "d039cc313130d564c9b001580c9dac00c02bb604" and "1c6643d4c2cfae1346f1b8bf3a7f4a07a4fb091c" have entirely different histories.

5 changed files with 17 additions and 50 deletions


@ -84,16 +84,16 @@
} }
]; ];
}; };
# template = nixpkgs.lib.nixosSystem { template = nixpkgs.lib.nixosSystem {
# inherit system; inherit system;
# modules = [ modules = [
# agenix.nixosModules.default agenix.nixosModules.default
# "${inputs.self}/systems/minimalVMConfig.nix" "${inputs.self}/systems/minimalVMConfig.nix"
# { {
# networking.hostName = "nixos"; networking.hostName = "nixos";
# } }
# ]; ];
# }; };
jellyfin = nixpkgs.lib.nixosSystem { jellyfin = nixpkgs.lib.nixosSystem {
inherit system; inherit system;
modules = [ modules = [


@ -11,7 +11,6 @@ in
{ {
"secrets/initialPassword.age".publicKeys = users ++ systems; "secrets/initialPassword.age".publicKeys = users ++ systems;
"services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ]; "services/grafana/secrets/grafana-db.age".publicKeys = [ tbarnouin grafana ];
"services/grafana/secrets/grafana-oauth_secret.age".publicKeys = [ tbarnouin grafana ];
"services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ]; "services/grafana/secrets/kuma-token.age".publicKeys = [ tbarnouin grafana ];
"services/onlyoffice/secrets/office-dbpass.age".publicKeys = [ tbarnouin onlyoffice ]; "services/onlyoffice/secrets/office-dbpass.age".publicKeys = [ tbarnouin onlyoffice ];
"services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [ tbarnouin onlyoffice ]; "services/onlyoffice/secrets/office-jwtpass.age".publicKeys = [ tbarnouin onlyoffice ];


@ -19,17 +19,11 @@ in
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
age.secrets ={ age.secrets.grafana-db = {
grafana-db = { file = ./secrets/grafana-db.age;
file = ./secrets/grafana-db.age; owner = "grafana";
owner = "grafana";
};
grafana-oauth_secret = {
file = ./secrets/grafana-oauth_secret.age;
owner = "grafana";
};
kuma-token.file = ./secrets/kuma-token.age;
}; };
age.secrets.kuma-token.file = ./secrets/kuma-token.age;
services.rsyslogd = { services.rsyslogd = {
enable = true; enable = true;
extraConfig = '' extraConfig = ''
@ -43,10 +37,10 @@ in
module(load="imtcp") module(load="imtcp")
input(type="imtcp" port="514" ruleset="remote") input(type="imtcp" port="514" ruleset="remote")
''; '';
}; };
services.influxdb2 = { services.influxdb2 = {
enable = true; enable = true;
}; };
services.grafana = { services.grafana = {
enable = true; enable = true;
settings = { settings = {
@ -65,19 +59,6 @@ in
user = "grafana"; user = "grafana";
password = "\$__file{${config.age.secrets.grafana-db.path}}"; password = "\$__file{${config.age.secrets.grafana-db.path}}";
}; };
"auth.generic_oauth" = {
enabled = "true";
name = "authentik";
allow_sign_up = "true";
client_id = "9HV82G8F92Jcbw4nP8eppMcPpLcAw5uYpejfReLy";
client_secret = "\$__file{${config.age.secrets.grafana-oauth_secret.path}}";
scopes = "openid email profile";
auth_url = "https://authentik.le43.eu/application/o/authorize/";
token_url = "https://authentik.le43.eu/application/o/token/";
api_url = "https://authentik.le43.eu/application/o/userinfo/";
role_attribute_path = "contains(groups, 'admin') && 'Admin' || contains(groups, 'admin') && 'Editor' || 'Viewer';role_attribute_strict = false";
allow_assign_grafana_admin = "true";
};
}; };
}; };
services.prometheus = { services.prometheus = {
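Review bot: With the `"auth.generic_oauth"` block gone from `services.grafana.settings`, sign-in falls back to Grafana's built-in login, and nothing in the lines shown sets the admin credential. If it is not set elsewhere in the module, I would add `security.admin_password = "\$__file{${config.age.secrets.<placeholder-secret-name>.path}}";` next to the database password, so the instance does not come up with the default admin account. Separately, deleting `grafana-oauth_secret.age` does not retire the client secret itself; if that file was ever pushed, the client should be rotated or disabled on the authentik side. The `services.grafana` block starts and ends outside these hunks, so this is based only on the visible lines.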


@ -1,13 +0,0 @@
-----BEGIN AGE ENCRYPTED FILE-----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-----END AGE ENCRYPTED FILE-----


@ -61,7 +61,7 @@ in
# Enable CSP for your services. # Enable CSP for your services.
#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
add_header Content-Security-Policy "frame-ancestors self *.le43.eu; upgrade-insecure-requests; frame-src 'self' http://office.le43.eu;"; add_header Content-Security-Policy "frame-ancestors self cloud.le43.eu office.le43.eu; upgrade-insecure-requests; frame-src 'self' http://office.le43.eu;";
# Minimize information leaked to other domains # Minimize information leaked to other domains