diff --git a/home/apps/zed.nix b/home/apps/zed.nix index 52d153a3..2f5fb4ab 100644 --- a/home/apps/zed.nix +++ b/home/apps/zed.nix @@ -7,9 +7,9 @@ pkgs.zed-editor ]; - zed-editor = { - enable = true; - }; + # zed-editor = { + # enable = true; + # }; # xdg.configFile = { # "zed/keymaps.json" = ''''; # "zed/settings.json".source = ''''; diff --git a/home/services/hyprland.nix b/home/services/hyprland.nix index 1b5625b6..7c6f4fd4 100644 --- a/home/services/hyprland.nix +++ b/home/services/hyprland.nix @@ -52,7 +52,6 @@ settings = { source = "${pkgs.catppuccinThemes.hyprland}/themes/mocha.conf"; - "render:explicit_sync" = true; "render:cm_fs_passthrough" = 1; monitor = [ "${device.monitors.primary}, 2560x1440@360, 0x0, 1, transform, 0, bitdepth, 10, cm, hdr, sdrbrightness, 1.1, sdrsaturation, 1.2" diff --git a/home/services/swaync.nix b/home/services/swaync.nix index 1b5c3a25..c6e3198f 100644 --- a/home/services/swaync.nix +++ b/home/services/swaync.nix @@ -3,14 +3,14 @@ enable = device.is "ryu"; settings = { notification-inline-replies = true; - cssPriority = "user"; + # cssPriority = "user"; }; }; - xdg.configFile = { - "swaync/style.css".text = '' - .floating-notifications { - background: rgba(0, 0, 0, 0.0); - } - ''; - }; + # xdg.configFile = { + # "swaync/style.css".text = '' + # .floating-notifications { + # background: rgba(0, 0, 0, 0.0); + # } + # ''; + # }; } diff --git a/justfile b/justfile index dc3b4b6a..c68c268b 100644 --- a/justfile +++ b/justfile @@ -25,3 +25,8 @@ home: nvim: nix run .#neovim + + +[linux] +rollback: + sudo nixos-rebuild switch --rollback --flake . diff --git a/nixos/mirai/services/authelia.nix b/nixos/mirai/services/authelia.nix index 669b8c0e..81cefff5 100644 --- a/nixos/mirai/services/authelia.nix +++ b/nixos/mirai/services/authelia.nix 
@@ -7,8 +7,9 @@ "authelia/servers/darksailor/storageEncryptionSecret".owner = user; "authelia/servers/darksailor/sessionSecret".owner = user; "authelia/users/servius".owner = user; - "authelia/oidc/immich".owner = user; + "lldap/users/authelia".owner = user; users.owner = user; + "authelia/oidc/jwks".owner = user; }; }; services = { @@ -18,44 +19,22 @@ settings = { authentication_backend = { password_reset.disable = false; - file = { - path = "/run/secrets/users"; + password_change.disable = false; + # file = { + # path = "/run/secrets/users"; + # }; + ldap = { + address = "ldap://localhost:389"; + timeout = "5s"; + # start_tls = false; + base_dn = "dc=darksailor,dc=dev"; + user = "cn=authelia,ou=people,dc=darksailor,dc=dev"; + users_filter = "(&({username_attribute}={input})(objectClass=person))"; + groups_filter = "(&(member={dn})(objectClass=groupOfNames))"; + additional_users_dn = "OU=people"; + additional_groups_dn = "OU=groups"; }; }; - # identity_providers = { - # oidc = { - # clients = [ - # { - # client_id = "immich"; - # client_name = "immich"; - # client_secret = ''{{ fileContent "${config.sops.secrets."authelia/oidc/immich".path}" }}''; - # public = false; - # authorization_policy = "two_factor"; - # require_pkce = false; - # pkce_challenge_method = ""; - # redirect_uris = [ - # "https://photos.darksailor.dev/auth/login" - # "https://photos.darksailor.dev/user-settings" - # "app.immich:///oauth-callback" - # ]; - # scopes = [ - # "openid" - # "profile" - # "email" - # ]; - # response_types = [ - # "code" - # ]; - # grant_types = [ - # "authorization_code" - # ]; - # access_token_signed_response_alg = "none"; - # userinfo_signed_response_alg = "none"; - # token_endpoint_auth_method = "client_secret_post"; - # } - # ]; - # }; - # }; session = { cookies = [ { 
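Review bot: In the `@@ -18,44 +19,22 @@` hunk the LDAP backend talks to `ldap://localhost:389` in the clear with `start_tls` left commented out, so the service-account bind and the user password checks cross the loopback unencrypted; that is an acceptable trade-off only while LLDAP runs on this same host and its listener is not reachable from other interfaces, and it deserves a comment such as `# plaintext LDAP: loopback only — LLDAP runs on this host, keep its ldap_host bound to localhost`. The dead `# file = { ... }` block and `# start_tls = false;` should be deleted rather than kept as comments, since git history already preserves the old file backend. `password_change.disable = false` only works if `cn=authelia` is allowed to modify passwords on the LLDAP side; that permission is configured outside this diff and is worth confirming.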
@@ -91,6 +70,11 @@ jwtSecretFile = config.sops.secrets."authelia/servers/darksailor/jwtSecret".path; storageEncryptionKeyFile = config.sops.secrets."authelia/servers/darksailor/storageEncryptionSecret".path; sessionSecretFile = config.sops.secrets."authelia/servers/darksailor/sessionSecret".path; + oidcHmacSecretFile = config.sops.secrets."authelia/servers/darksailor/sessionSecret".path; + oidcIssuerPrivateKeyFile = config.sops.secrets."authelia/oidc/jwks".path; + }; + environmentVariables = { + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.sops.secrets."lldap/users/authelia".path; }; }; }; diff --git a/nixos/mirai/services/homepage.nix b/nixos/mirai/services/homepage.nix index ca5ae6bf..79477ccf 100644 --- a/nixos/mirai/services/homepage.nix +++ b/nixos/mirai/services/homepage.nix @@ -1,4 +1,4 @@ -{...}: { +{config, ...}: { services = { homepage-dashboard = { enable = true; @@ -107,6 +107,13 @@ href = "https://llama.darksailor.dev"; }; } + { + "Immich" = { + icon = "immich.png"; + description = "Immich: Self-hosted Photo and Video Backup"; + href = "https://photos.darksailor.dev"; + }; + } ]; } ]; @@ -163,8 +170,22 @@ uri /api/authz/forward-auth copy_headers Remote-User Remote-Groups Remote-Email Remote-Name } - reverse_proxy localhost:8082 + reverse_proxy localhost:${builtins.toString config.services.homepage-dashboard.listenPort} ''; }; + authelia = { + instances.darksailor = { + settings = { + access_control = { + rules = [ + { + domain = "dashboard.darksailor.dev"; + policy = "one_factor"; + } + ]; + }; + }; + }; + }; }; } diff --git a/nixos/mirai/services/immich.nix b/nixos/mirai/services/immich.nix index a6b0b7e7..5c4f885e 100644 --- a/nixos/mirai/services/immich.nix +++ b/nixos/mirai/services/immich.nix 
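Review bot: `oidcHmacSecretFile` points at the same file as `sessionSecretFile` (`authelia/servers/darksailor/sessionSecret`) instead of an independent secret; Authelia uses the HMAC secret to sign OIDC tokens and the session secret for cookie protection, so sharing one value means a compromise or rotation of either affects both. Generate a dedicated secret (e.g. a new `…/oidcHmacSecret` entry in secrets.yaml with its own `.owner = user;` line) and use it here: `oidcHmacSecretFile = config.sops.secrets."authelia/servers/darksailor/oidcHmacSecret".path;` (name is a proposal, pick any distinct key). The enclosing `secrets` attribute set starts outside this hunk.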
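Review bot: In the homepage.nix `@@ -163,8 +170,22 @@` hunk the backend port is now derived from `config.services.homepage-dashboard.listenPort`, but the `forward_auth localhost:5555` target on the preceding context line stays hard-coded; if the Authelia listen port is configurable it should be derived the same way, otherwise a comment `# 5555 = authelia-darksailor listen port` keeps the two in step. The new `access_control.rules` entry is one of several appended to the same list from different modules (llama.nix adds another in this commit); Authelia evaluates rules first-match in list order and nothing in these files fixes that order explicitly, which is harmless while every rule is a distinct domain with `one_factor`, but a comment on the list (or `lib.mkOrder`) is warranted before a broader or stricter rule is ever added.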
@@ -1,5 +1,78 @@ -{...}: { +{config, ...}: { + sops = { + secrets."authelia/oidc/immich/client_id" = { + owner = config.systemd.services.authelia-darksailor.serviceConfig.User; + mode = "0440"; + }; + secrets."authelia/oidc/immich/client_secret" = { + owner = config.systemd.services.authelia-darksailor.serviceConfig.User; + mode = "0440"; + }; + templates = { + "OAUTH_CLIENT.env" = { + content = '' + OAUTH_CLIENT_ID=${config.sops.placeholder."authelia/oidc/immich/client_id"} + OAUTH_CLIENT_SECRET=${config.sops.placeholder."authelia/oidc/immich/client_secret"} + ''; + mode = "0400"; + owner = config.services.immich.user; + }; + }; + }; + users.users.immich.extraGroups = [config.systemd.services.authelia-darksailor.serviceConfig.Group]; services.immich = { - enable = false; + enable = true; + mediaLocation = "/media/photos/immich"; + settings = { + oauth = { + enabled = true; + autoLaunch = true; + autoRegister = true; + buttonText = "Login with Authelia"; + clientId = "immich"; + scope = "openid email profile"; + issuerUrl = "https://auth.darksailor.dev/.well-known/openid-configuration"; + }; + passwordLogin = { + enabled = false; + }; + }; + secretsFile = config.sops.templates."OAUTH_CLIENT.env".path; + }; + services.caddy = { + virtualHosts."photos.darksailor.dev".extraConfig = '' + reverse_proxy localhost:${builtins.toString config.services.immich.port} + ''; + }; + services.authelia = { + instances.darksailor = { + settings = { + identity_providers = { + oidc = { + clients = [ + { + client_name = "immich"; + client_id = ''{{- fileContent "${config.sops.secrets."authelia/oidc/immich/client_id".path}" }}''; + client_secret = ''{{- fileContent "${config.sops.secrets."authelia/oidc/immich/client_secret".path}" }}''; + public = false; + authorization_policy = "one_factor"; + require_pkce = false; + redirect_uris = [ + "https://photos.darksailor.dev/auth/login" + "https://photos.darksailor.dev/user-settings" + "app.immich:///oauth-callback" + ]; + scopes = ["openid" 
"profile" "email"]; + response_types = ["code"]; + grant_types = ["authorization_code"]; + access_token_signed_response_alg = "none"; + userinfo_signed_response_alg = "none"; + token_endpoint_auth_method = "client_secret_post"; + } + ]; + }; + }; + }; + }; }; } diff --git a/nixos/mirai/services/llama.nix b/nixos/mirai/services/llama.nix index dbf3a895..28305d99 100644 --- a/nixos/mirai/services/llama.nix +++ b/nixos/mirai/services/llama.nix @@ -43,13 +43,13 @@ }; caddy = { - # virtualHosts."llama.darksailor.dev".extraConfig = '' - # forward_auth localhost:5555 { - # uri /api/authz/forward-auth - # copy_headers Remote-User Remote-Groups Remote-Email Remote-Name - # } - # reverse_proxy localhost:7070 - # ''; + virtualHosts."llama.darksailor.dev".extraConfig = '' + forward_auth localhost:5555 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } + reverse_proxy localhost:${builtins.toString config.services.open-webui.port} + ''; virtualHosts."ollama.darksailor.dev".extraConfig = '' @apikey { header Authorization "Bearer {env.LLAMA_API_KEY}" @@ -61,12 +61,26 @@ Access-Control-Allow-Origin * -Authorization "Bearer {env.LLAMA_API_KEY}" # Remove the header after validation } - reverse_proxy localhost:11434 + reverse_proxy localhost:${builtins.toString config.services.ollama.port} } respond "Unauthorized" 403 ''; }; + authelia = { + instances.darksailor = { + settings = { + access_control = { + rules = [ + { + domain = "llama.darksailor.dev"; + policy = "one_factor"; + } + ]; + }; + }; + }; + }; }; systemd.services.caddy = { serviceConfig = { diff --git a/nixos/mirai/services/lldap.nix b/nixos/mirai/services/lldap.nix index e302de41..3f6e78fd 100644 --- a/nixos/mirai/services/lldap.nix +++ b/nixos/mirai/services/lldap.nix 
@@ -6,23 +6,24 @@ services.lldap = { enable = true; settings = { - # ldap_user_dn = "admin"; + ldap_user_dn = "admin"; ldap_base_dn = "dc=darksailor,dc=dev"; - # ldap_user_email = "admin@darksailor.dev"; - # http_host = "127.0.0.1"; + ldap_user_email = "admin@darksailor.dev"; + http_host = "127.0.0.1"; http_port = 5090; ldap_port = 389; - # ldap_host = "::"; - environment = { - LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt".path; - LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/seed".path; - # LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin".path; - LLDAP_LDAP_USER_PASS = "foobar123"; - }; + ldap_host = "::"; + # environment = { + # }; + environmentFile = '' + LLDAP_LDAP_USER_PASS_FILE = ${config.sops.secrets."lldap/admin".path}; + LLDAP_JWT_SECRET_FILE = ${config.sops.secrets."lldap/jwt".path}; + LLDAP_KEY_SEED_FILE = ${config.sops.secrets."lldap/seed".path}; + ''; }; }; services.caddy = { - virtualHosts."console.darksailor.dev".extraConfig = '' + virtualHosts."ldap.darksailor.dev".extraConfig = '' reverse_proxy localhost:5090 ''; }; @@ -34,15 +35,12 @@ }; users.groups.lldap = {}; - # systemd.services.sops-install-secrets = { - # after = ["lldap.service"]; - # }; - systemd.services.lldap = { - # wants = ["sops-install-secrets.service"]; serviceConfig = { AmbientCapabilities = "CAP_NET_BIND_SERVICE"; DynamicUser = lib.mkForce false; + User = "lldap"; + Group = "lldap"; }; }; sops = { diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index a71bcc6e..0c01294b 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
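Review bot: In the `@@ -6,23 +6,24 @@` hunk `ldap_host = "::"` makes LLDAP accept plaintext LDAP on every interface (on a dual-stack host typically IPv4 as well), while its only consumer in this commit is Authelia on `ldap://localhost:389`; bind it to loopback as the HTTP console already is, `ldap_host = "127.0.0.1";`, so service-account and user passwords never leave the host. `environmentFile` is assigned a multi-line string; if this is the NixOS `services.lldap.environmentFile` option it expects a path to a systemd EnvironmentFile, and `KEY = value;` is not EnvironmentFile syntax either (the trailing `;` would end up in the path), so the three `_FILE` variables belong back in the `environment` attribute set and the `# environment = { # };` stub can go. Since the previous `LLDAP_LDAP_USER_PASS = "foobar123"` value sat in the repository and the Nix store, the admin credential in `lldap/admin` should be treated as exposed and rotated.
```nix
settings = {
  # … unchanged: ldap_user_dn, ldap_base_dn, ldap_user_email, http_host, http_port, ldap_port …
  ldap_host = "127.0.0.1";
  environment = {
    LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin".path;
    LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt".path;
    LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/seed".path;
  };
};
```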
@@ -26,11 +26,16 @@ authelia: storageEncryptionSecret: ENC[AES256_GCM,data:cJx0HpsAXqqt4cSQduh4NUVb+czQCkMnSn35HNtLDzqoAMAZOxnNCNsd9Rpq0VySyZc4TzSiN+9tPLj1,iv:r1w4hYKWn/Guwuk13Fg831r5bUm02PJw/IoNDTMbdOg=,tag:5vMdpJ6fTT4YvT/5gGy94Q==,type:str] sessionSecret: ENC[AES256_GCM,data:50h5JbQneCjEdTO34T6zDNzXSeeyV1MyuS034gZgwddg8Z/KAGMDWQ==,iv:SsD8YmzXzF2KhRg76tjNRyjpOZsD/jP6M8PgNCuSlcg=,tag:dfW1m6UUubD6Go1HS5yoLw==,type:str] oidc: - immich: ENC[AES256_GCM,data:p11v+4I07FSW/pYk4l5fBlOQ2YczU0eoOvyLq/V62hY=,iv:NuHdsdLL+krQR2BZtMOcZL2zTHYjzoXbvKZLDWe36io=,tag:E8dkaQpSf+pzW18M+lqFGw==,type:str] + immich: + client_id: ENC[AES256_GCM,data:LpB+nR7SGI2EV4YK0VptF5zJ6Ai/LDfikUpoAnFWnT8krMOQ/voqjS6jhqaFz9IKhtPQL9TNZOONr5JjkDZR7sI63Ohv4Lnx,iv:J96CL8EHHj88YbQW7rdQK9C6MxXaHnMt+mgL3iL5Heg=,tag:aXD/HdWXO/e6aKGnay0W+g==,type:str] + client_secret: ENC[AES256_GCM,data:mZ9bxeuKEYtZRRncsXBRgFeu0exO+VN9MRXFEF/KQxrDHnGkiFGQH8/wbeHnqIO8Xpmhd5PJEz5Q29rNKJE6hsomVFHASYe6w/JCaxP24Qu2nQH60YBYsk0vfVgB8QyfpbIN1lDeW+3F8YZLa1IJuxt1Cpg9cgMtaZ4AZh4cGgBxSDE=,iv:QErPIwOTBs3UJMRDTyLpNFc8unucQKzLl6WbSuJ97fY=,tag:NRQYmn6GfIMPAUKyI7QxMQ==,type:str] + jwks: 
ENC[AES256_GCM,data:1efhdlYmiD/y4kzK0hFfLAmY6rXK0hvZez/tu1cb2hfUhIM/DzNNthKQjH8Cu2TlZwDQpUIrCO7Tr0BbkiREC+VNK4vYgi+GWswnG7VCZS40xRAZhSArNO2uQ4dpf/KAHRSSJa3i7gGOqSG/Pnrl3TRhzkhkfWSRk+7koPWKpYJOKLem+ZLN75yssCsEbYIOHjcXyizNHt6SE2ylqqCjyWnlhlnRQStYaFPWAAABcm96MkSThSyRd6hTAifC/aZiM1IMlLw7wJJk01uwjJytlxBxDiFrdr4Grg0PzOsOAocex9Siw5fzcr7dFpVBoaS7e7nD/sccGSyEysw/t+wvkMou1Ewr5U2Pnew8lPjSrEiiGxuPwmK9kHxD3L6cADxF6xs4bn+Iqa/yy9FWbtGZfBYOxJiRvXgxBPiO7CH4tJyVIbnLfi8K/zCJC9u5vO+WFXiVIzXxAPVUL7VKQQZGxV7989LMdcjzck+B1zFHVQz25siwbpu0FxMxiJsVtBxu1U+QBRfQrwLacX2NAJvqYNZxr+9l43Fh0x8dS5CBheVEy39sXge9jLyS7kIW0FfvgJaHuLL2/GhDGsvfi7zFPOc8Thg+8LP58L8wzPT+LvVoidq/j3K2Ct6udn9JsOnbZT3Gs1RiY+E77H09GbdwIrP0sGVi4ZJe++w+sKNjyzLzceEYGkfa1EiMQhYPHzqUAwqtgmJZo9tY+2jOBJb9ZU+Kj0xtqZsjFpHaGWsRj8XGkPrAFEh6Z6/Ak9/BpYaapPeAO3Wa6tzNVlTCtaX786nSTjfGC7v9O4Uz8XQr0HV3A7wj36Fw3dqERZFKea7BJbiiAiEZtnOsbWVqQXpIUVfCvPhfwuFcOU/ClyM1fGyZXaCIeB62Tkqa+ZlqRQgzzf3bSFUK0PgxE3Ny5pIPzNEINqse+6DeFuF91uY1dLQB4Vizyzv1H+X/OecO9K8kECM1wUy3Fbbyh4tYYxt4VvqFQZ1o4A7Jd04WCIf3hdAHmwvOQW+/8dfnyLa8kqTcQYeI3jfjtRvD6TaZl21K9kFY2VJAexdno9bbozDOus1Ep92ublwonVjfvzbyDURHGF6Cw2OL7xcbHQIMz/ZmkVHMra49NHgWlI6X0slgYDxKKDszHhZ9SHkEXF8pJf+uogbwSwz1glRkEdn1oprbs8GsFoc7HGVvSHRgOWKHwvhZD2tMiSE4cEFZ9/2nSPISQMNGuS7wgnVkalKPW+gF1EWVXczanzKsrpcDtpMdFufMRVusaJBV5Jw62I++cx1AMW2dRTseQyWLchRWtOba6dd9gbNzGi39+njHClHIEUxaxXzxIQLhSgCA9loXRc26ZA6DpwHQR+gtH2OybeFEiH390YoSfFeZuU+f0E2awMdpiEsBL/AniUcboDaBEaDQYpwUawNL+II7rmSn4rTJM64n5z3B88U/vAQh9BQFhf7SDKb05n/ArCibkdy3gbo8rTVH1gGbmW53DTxzuW+AEpFcuueiP3yz1vGzEwKSX+LMkCwFwk6Y/VcqHXW+PdZ88SFUr5WELGPkZxT3AvmduBCifE0KDzKWrN3yy1xwEQDGrYiqeHqeqHpEuk/KpxeAwepqWayGMq6iT4BWUBojNo6quoXkPPodSsotbBFLjyRHoDGm0NZSbgluOUyERrN6M+ELdHqQjeNTS046KB6QnG5s+uTA+uxyonvmPCPBgFAd0q0qfq4T/SISHrPe13Y7nHnATxoMBszvIfKznqFthTBsc3V9C5+g/kcOzcEQpAC6baGe+eq23m/Go3uDa7O84Euxhj9C5NBcidvgmYmRZuY6l2ehnxf1oGoGwHBJEaYEuCk7sc3Wac6u2OvqCIKPxRdi2tUiZ9FwCGLqd8qcLEPtsSaBNk2CVlK9ZkgPzSYH794qpNQDWkyv5SJ4V9zy2LL+s9MHtHNQu6QxALZ8c0GfQetTI5ArkC3cBz/3mRdDMy9k7HpO7b6USoxq
GAZ+H4kzJhus9QwjaqJnnB+fJI5O2ek5TVLY9RWXo+W2pCBDjt925BVoChkvkUEg4GtvR+8/yChgYEgYWUPqRV4vMEwQiRoaJamL/E+lRaUx+c0f9ga8+k0JdfxfzoIPUA3/rBGcfO8Y12RF8Ool4hreP409KjdPP0PeeOVKg58MPYNO5O0BdT62nyL+fSvJkw7uPGcOwtOtcxjcBsNhoFv0twrCp8S3cLX45GTNaTw+JHcxsTzG9ibL3bFtVkAAiZHZGMisEjTSGElSGIDk+MoPt68hq4BRioab,iv:gGKyTUigpnqg3Fgd76INrESRT27hJRzYQ3xk8heNkWk=,tag:fVc8rg1Or63X/14neG+8Cw==,type:str] lldap: jwt: ENC[AES256_GCM,data:61dwC1ElOOGaf0CmalzXZnxImEyufKjUUWcNaEcOuv3TEODhQyHK7g==,iv:CVEJVuaCc2gDmSYWHS3fPL8FjbvblF6IladAzGoGb0o=,tag:OMm/OdKjliHjsGqJripLbg==,type:str] seed: ENC[AES256_GCM,data:zMBZP4GeGkQ4chC9eQ4tG8vTqbxZj4iQMKCj0WQd1qOWVTibpk6VylnFz5ugmeMR,iv:5ZFf/r683AHVlpp7iN9B6nY1b8tD/JSCxRN4vXT1cRM=,tag:MmeGpK9d2GFP3etr9Ouvkg==,type:str] admin: ENC[AES256_GCM,data:6eLFuyt9hBzoAGfaDLi9cwxFj/yq20BDCSzbHzakZLo=,iv:qjczQ/hswAzVVS7gCUapzqhRx1dAE7FhRUvtovlMuY0=,tag:aMBFJy+USOd5Vy2QKjoD6Q==,type:str] + users: + authelia: ENC[AES256_GCM,data:6zddaWEBqJqfLaSzeANlSfldpw==,iv:jx3P9FThq7+LbwX0LpNK7qll3RJ5ibNfdDybS+KZG6U=,tag:RHNPLdbpkPy2aAcibljxAg==,type:str] builder: mirai: cache: @@ -55,7 +60,7 @@ sops: VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-28T11:23:30Z" - mac: ENC[AES256_GCM,data:lAaVNBji1kslL5pCYBABP3X8n1AFQ1ocFgPCRmlipLPt9dVVwzKDokI75xWztOTVU/ydkz/AQjHkeunPc0bl3lhukrpLAulpQLFTV/+zy2ku3nStCrpx93bmjO0KWb9GvjidITVOvr4WzOZUSsq45Im4gJgpFXDyCXg/8HsY6K0=,iv:vh7GdrwU+T4AkZS7uWljagA11itG1QEs2JdwSqbqmtc=,tag:VpCVyr4TxWYCWfssXz4QyQ==,type:str] + lastmodified: "2025-07-28T22:24:11Z" + mac: ENC[AES256_GCM,data:k7nnnBg4/5i0JdRXIvQK/zM9Xm6Ex14UTu9ZjZntal6IJuccNvMvbNLIDa4+cnjVjwaOHAXCzmCP5xQZ2R5k7b8EJ853lahMYy4ORbg0Ve5nCIZOVc0A43CfErPz4SdK+NMALP7s7z5aeb1grJ6U3RBRBTrKib//1oo5u44ozNw=,iv:6UiMxysglG0CeSUWXAPlL7qjXR876JS4yUGwBqlwcyU=,tag:mCFw+UU+7SOjw1k+A6jAqQ==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2