feat(neovim): enable on tako device

feat(authelia): configure port and reverse proxy
feat(lldap): force password reset and update settings
fix(nixos): remove root from trusted users on ryu and tako
fix(immich): disable auto launch and enable password login
refactor(tako): enable authelia, immich, and lldap services
chore(secrets): update lldap seed and metadata timestamps
uttarayan21
2025-11-27 20:51:34 +05:30
parent f9970ce3af
commit a9616c8564
10 changed files with 26 additions and 21 deletions


@@ -6,7 +6,7 @@
... ...
}: { }: {
stylix.targets.nixvim.enable = false; stylix.targets.nixvim.enable = false;
programs = lib.optionalAttrs (device.is "ryu" || device.is "kuro" || device.is "mirai") { programs = lib.optionalAttrs (device.is "ryu" || device.is "kuro" || device.is "mirai" || device.is "tako") {
nixvim = nixvim =
{ {
enable = true; enable = true;


@@ -42,7 +42,7 @@
cores = 8; cores = 8;
auto-optimise-store = true; auto-optimise-store = true;
extra-experimental-features = "nix-command flakes auto-allocate-uids"; extra-experimental-features = "nix-command flakes auto-allocate-uids";
trusted-users = ["root" device.user "remotebuilder"]; trusted-users = [device.user "remotebuilder"];
trusted-substituters = [ trusted-substituters = [
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
"https://nixos-raspberrypi.cachix.org" "https://nixos-raspberrypi.cachix.org"
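Review bot: Dropping "root" from trusted-users buys little on its own, because root can write the store directly and does not need daemon trust; the entries that remain, `device.user` and "remotebuilder", are the actual trust boundary, and a trusted daemon user can override substituters and sandbox settings and import unsigned paths, which is root-equivalent on this host. If the interactive user only needs to build and switch, consider keeping just "remotebuilder" here and relying on signed caches, or document why the user must stay trusted with a comment such as `# device.user is daemon-trusted: can set substituters/sandbox and import unsigned paths`. The enclosing nix.settings attrset starts and ends outside the hunk.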


@@ -43,7 +43,7 @@
cores = 24; cores = 24;
auto-optimise-store = true; auto-optimise-store = true;
extra-experimental-features = "nix-command flakes auto-allocate-uids"; extra-experimental-features = "nix-command flakes auto-allocate-uids";
trusted-users = ["root" device.user]; trusted-users = [device.user];
trusted-substituters = [ trusted-substituters = [
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
"https://nixos-raspberrypi.cachix.org" "https://nixos-raspberrypi.cachix.org"
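Review bot: The same caveat applies as on the other hosts: with "root" gone, `device.user` is now the only trusted daemon user, and that status lets it change substituters, disable the sandbox and add unsigned store paths, so the list is still effectively root-equivalent for that account. It is worth a one-line comment stating that this is intended, e.g. `# trusted-users can import unsigned paths; keep this list minimal`, so the next edit does not add more entries casually. The enclosing nix.settings attrset continues outside the hunk.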


@@ -42,7 +42,7 @@
cores = 8; cores = 8;
auto-optimise-store = true; auto-optimise-store = true;
extra-experimental-features = "nix-command flakes auto-allocate-uids"; extra-experimental-features = "nix-command flakes auto-allocate-uids";
trusted-users = ["root" device.user "remotebuilder"]; trusted-users = [device.user "remotebuilder"];
trusted-substituters = [ trusted-substituters = [
"https://nix-community.cachix.org" "https://nix-community.cachix.org"
"https://nixos-raspberrypi.cachix.org" "https://nixos-raspberrypi.cachix.org"
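Review bot: "remotebuilder" staying in trusted-users is needed for remote builds to push unsigned outputs, but it also means whichever host holds that account's SSH key can feed arbitrary store paths to this machine; the commit does not say how that key is protected. A short comment above the line, `# remotebuilder must be trusted to receive unsigned build outputs over SSH`, would record the reason, and the substituters list below should stay paired with trusted-public-keys (not visible in this hunk) so cache trust is key-based rather than URL-based. The enclosing nix.settings attrset starts and ends outside the hunk.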


@@ -1,4 +1,6 @@
{config, ...}: { {config, ...}: let
port = 5555;
in {
sops = { sops = {
secrets = let secrets = let
user = config.systemd.services.authelia-darksailor.serviceConfig.User; user = config.systemd.services.authelia-darksailor.serviceConfig.User;
@@ -71,7 +73,7 @@
theme = "dark"; theme = "dark";
notifier.filesystem.filename = "/var/lib/authelia-darksailor/authelia-notifier.log"; notifier.filesystem.filename = "/var/lib/authelia-darksailor/authelia-notifier.log";
server = { server = {
address = "0.0.0.0:5555"; address = "0.0.0.0:${toString port}";
endpoints.authz = { endpoints.authz = {
forward-auth = { forward-auth = {
implementation = "ForwardAuth"; implementation = "ForwardAuth";
@@ -96,7 +98,7 @@
}; };
caddy = { caddy = {
virtualHosts."auth.darksailor.dev".extraConfig = '' virtualHosts."auth.darksailor.dev".extraConfig = ''
reverse_proxy localhost:5555 { reverse_proxy localhost:${toString port} {
# header_up Host {http.request.header.X-Forwarded-Host} # header_up Host {http.request.header.X-Forwarded-Host}
# header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host} # header_up X-Forwarded-Host {http.request.header.X-Forwarded-Host}
# header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto} # header_up X-Forwarded-Proto {http.request.header.X-Forwarded-Proto}
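Review bot: The port is now a single binding, but the listener is still `0.0.0.0`, while the only visible consumer is Caddy's `reverse_proxy localhost:${toString port}`; Authelia therefore also answers directly on every interface, bypassing the TLS termination and any headers Caddy adds. Unless something off-host talks to it, bind to loopback: `address = "tcp://127.0.0.1:${toString port}/";` if this Authelia version accepts the URL form, otherwise `"127.0.0.1:${toString port}"`. Either way a comment such as `# loopback only; Caddy terminates TLS and proxies to this port` makes the intent explicit. The server and caddy attrsets both continue outside the hunk.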


@@ -1,6 +1,5 @@
{...}: { {...}: {
imports = [ imports = [
# ./caddy.nix
# ./excalidraw.nix # ./excalidraw.nix
# ./fail2ban.nix # ./fail2ban.nix
# ./flaresolverr.nix # ./flaresolverr.nix
@@ -17,9 +16,10 @@
# ./headscale.nix # ./headscale.nix
# ./shitpost.nix # ./shitpost.nix
./atuin.nix ./atuin.nix
# ./immich.nix ./caddy.nix
# ./lldap.nix ./authelia.nix
# ./authelia.nix ./immich.nix
./lldap.nix
./openssh.nix ./openssh.nix
./tailscale.nix ./tailscale.nix
]; ];
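Review bot: With caddy, authelia, immich and lldap all switched on in one step, `./fail2ban.nix` is still commented out, so the newly exposed login surfaces have no host-level rate limiting beyond whatever Authelia's own regulation provides. If fail2ban is intentionally deferred, say so next to the import, e.g. `# ./fail2ban.nix  # TODO: enable once authelia log format is confirmed`, so the gap is visible rather than implicit.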


@@ -26,14 +26,14 @@
"clientId": "${config.sops.placeholder."authelia/oidc/immich/client_id"}", "clientId": "${config.sops.placeholder."authelia/oidc/immich/client_id"}",
"clientSecret": "${config.sops.placeholder."authelia/oidc/immich/client_secret"}", "clientSecret": "${config.sops.placeholder."authelia/oidc/immich/client_secret"}",
"enabled": true, "enabled": true,
"autoLaunch": true, "autoLaunch": false,
"autoRegister": true, "autoRegister": true,
"buttonText": "Login with Authelia", "buttonText": "Login with Authelia",
"scope": "openid email profile", "scope": "openid email profile",
"issuerUrl": "https://auth.darksailor.dev" "issuerUrl": "https://auth.darksailor.dev"
}, },
"passwordLogin" : { "passwordLogin" : {
"enabled": false "enabled": true
}, },
"server": { "server": {
"externalDomain": "https://photos.darksailor.dev" "externalDomain": "https://photos.darksailor.dev"
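Review bot: Setting `"passwordLogin".enabled` to true opens a second authentication path that Authelia's policies (MFA, access rules) do not cover, and it stays open after the OIDC flow is working unless someone remembers to flip it back; `autoRegister: true` alongside it also means OIDC-created and local accounts now coexist. If this is a recovery measure for the lldap password reset in the same commit, mark it as such with a comment in the surrounding Nix, e.g. `# passwordLogin re-enabled temporarily for recovery; disable once OIDC login via Authelia is verified`, and confirm local admin accounts have strong passwords in the meantime. The enclosing template string starts and ends outside the hunk.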


@@ -6,6 +6,7 @@
services.lldap = { services.lldap = {
enable = true; enable = true;
settings = { settings = {
force_ldap_user_pass_reset = "always";
ldap_user_dn = "admin"; ldap_user_dn = "admin";
ldap_base_dn = "dc=darksailor,dc=dev"; ldap_base_dn = "dc=darksailor,dc=dev";
ldap_user_email = "admin@darksailor.dev"; ldap_user_email = "admin@darksailor.dev";
@@ -14,10 +15,12 @@
ldap_port = 389; ldap_port = 389;
ldap_host = "::"; ldap_host = "::";
ldap_user_pass_file = config.sops.secrets."lldap/admin".path; ldap_user_pass_file = config.sops.secrets."lldap/admin".path;
environmentFile = '' jwt_secret_file = "${config.sops.secrets."lldap/jwt".path}";
LLDAP_JWT_SECRET_FILE = ${config.sops.secrets."lldap/jwt".path}; };
LLDAP_KEY_SEED_FILE = ${config.sops.secrets."lldap/seed".path}; environment = {
''; LLDAP_JWT_SECRET_FILE = "${config.sops.secrets."lldap/jwt".path}";
# LLDAP_FORCE_UPDATE_PRIVATE_KEY = "true";
# LLDAP_KEY_SEED_FILE = "${config.sops.secrets."lldap/seed".path}";
}; };
}; };
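Review bot: `LLDAP_KEY_SEED_FILE` is now commented out while the `lldap/seed` sops secret is rotated in the same commit, so the new seed is never read; lldap will presumably fall back to a generated private key in its data directory, and if the service previously derived its key from the old seed, existing users' stored password hashes may no longer verify — `force_ldap_user_pass_reset = "always"` only recovers the admin account. Either re-enable the seed (`LLDAP_KEY_SEED_FILE = "${config.sops.secrets."lldap/seed".path};`) together with `LLDAP_FORCE_UPDATE_PRIVATE_KEY` for a one-time migration, or drop the unused secret and add `# key seed intentionally unset: private key lives in /var/lib/lldap` so the dead config is not misread. Also `jwt_secret_file` is set twice, in `settings` and again as `LLDAP_JWT_SECRET_FILE` in `environment`; keep one so a future rotation cannot leave them disagreeing. The services.lldap attrset begins outside the hunk.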
users.users.lldap = { users.users.lldap = {


@@ -41,8 +41,8 @@
distributedBuilds = true; distributedBuilds = true;
buildMachines = [ buildMachines = [
../../builders/tako.nix ../../builders/tako.nix
../../builders/mirai.nix
../../builders/shiro.nix ../../builders/shiro.nix
../../builders/tsuba.nix
]; ];
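Review bot: Adding `mirai` and `tsuba` to buildMachines means this host will accept whatever those builders return as the output of a derivation, without a signature check, so each new builder is a full trust relationship; their sshKey and protocol settings live in the imported files and are not visible here. A brief comment above the list, `# every builder here is trusted to produce unsigned store paths; add only hosts you control`, would make that explicit for the next person extending it. The enclosing nix attrset continues outside the hunk.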
}; };
users.users.${device.user} = { users.users.${device.user} = {


@@ -49,7 +49,7 @@ authelia:
jwks: ENC[AES256_GCM,data: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,iv:gGKyTUigpnqg3Fgd76INrESRT27hJRzYQ3xk8heNkWk=,tag:fVc8rg1Or63X/14neG+8Cw==,type:str] jwks: ENC[AES256_GCM,data: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,iv:gGKyTUigpnqg3Fgd76INrESRT27hJRzYQ3xk8heNkWk=,tag:fVc8rg1Or63X/14neG+8Cw==,type:str]
lldap: lldap:
jwt: ENC[AES256_GCM,data:61dwC1ElOOGaf0CmalzXZnxImEyufKjUUWcNaEcOuv3TEODhQyHK7g==,iv:CVEJVuaCc2gDmSYWHS3fPL8FjbvblF6IladAzGoGb0o=,tag:OMm/OdKjliHjsGqJripLbg==,type:str] jwt: ENC[AES256_GCM,data:61dwC1ElOOGaf0CmalzXZnxImEyufKjUUWcNaEcOuv3TEODhQyHK7g==,iv:CVEJVuaCc2gDmSYWHS3fPL8FjbvblF6IladAzGoGb0o=,tag:OMm/OdKjliHjsGqJripLbg==,type:str]
seed: ENC[AES256_GCM,data:zMBZP4GeGkQ4chC9eQ4tG8vTqbxZj4iQMKCj0WQd1qOWVTibpk6VylnFz5ugmeMR,iv:5ZFf/r683AHVlpp7iN9B6nY1b8tD/JSCxRN4vXT1cRM=,tag:MmeGpK9d2GFP3etr9Ouvkg==,type:str] seed: ENC[AES256_GCM,data:jJPutPkhFVFxLbbQNZznHHiilP/cN2r+/vT4ArQVRQSqPMnkkwgc3LNk4sUTrT9V,iv:LD1IJ1CgtDfYf1gSyyaU+hir0InuDEq0u7ppMmwGJRY=,tag:cK4l4Evr7V9WEUEL7V9jtQ==,type:str]
admin: ENC[AES256_GCM,data:6eLFuyt9hBzoAGfaDLi9cwxFj/yq20BDCSzbHzakZLo=,iv:qjczQ/hswAzVVS7gCUapzqhRx1dAE7FhRUvtovlMuY0=,tag:aMBFJy+USOd5Vy2QKjoD6Q==,type:str] admin: ENC[AES256_GCM,data:6eLFuyt9hBzoAGfaDLi9cwxFj/yq20BDCSzbHzakZLo=,iv:qjczQ/hswAzVVS7gCUapzqhRx1dAE7FhRUvtovlMuY0=,tag:aMBFJy+USOd5Vy2QKjoD6Q==,type:str]
users: users:
authelia: ENC[AES256_GCM,data:6zddaWEBqJqfLaSzeANlSfldpw==,iv:jx3P9FThq7+LbwX0LpNK7qll3RJ5ibNfdDybS+KZG6U=,tag:RHNPLdbpkPy2aAcibljxAg==,type:str] authelia: ENC[AES256_GCM,data:6zddaWEBqJqfLaSzeANlSfldpw==,iv:jx3P9FThq7+LbwX0LpNK7qll3RJ5ibNfdDybS+KZG6U=,tag:RHNPLdbpkPy2aAcibljxAg==,type:str]
@@ -82,7 +82,7 @@ sops:
VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q== ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-11-22T15:13:49Z" lastmodified: "2025-11-27T13:28:41Z"
mac: ENC[AES256_GCM,data:n8nE2sZE/uIoyQEeZpB1gYztlCZzZYziJcZE55rK73zdKl/3a7qOISMErBBsI/1d2vYx/Ju7aQjyTfnxsNEEIyZB4DMghxSmvubGTUA/cdLY5l2Y9mgMxq4gjpyNGDzEpScGhxhBoDJJvju3FWnsAig6gPJ1AC4nnol4mY+xUwg=,iv:XQ1PAUBXce/B6EteWTpwcBp1btEsvrEzoz5I4LEwk1g=,tag:dLthWuQyhJNOHC9shGXB9w==,type:str] mac: ENC[AES256_GCM,data:KVdCTn6EXEAnj76kUL0d5eaYQJUc1HdfWTlwF+vku5wo2f9aJA2s6uyKXmhhx0e6q8muu10gMVObZzgae0vYZBOhO7GSxlLU9gCi4PaQo2Vz5mC75liCt3geoO9PTShZmLGaEPeuA9DFt/t3ggC2yqXij6uwz0SifvCuKM2QNzw=,iv:FSAa/eJBRDcxY+RLPy9O2PxLDibzRJrLh6+CtQNFtaQ=,tag:iNDr5XvpTJS8pNt9vZgOFw==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.11.0 version: 3.11.0