diff --git a/nixos/mirai/services/authelia.nix b/nixos/mirai/services/authelia.nix
index a876b0bc..b18ffb4e 100644
--- a/nixos/mirai/services/authelia.nix
+++ b/nixos/mirai/services/authelia.nix
@@ -20,13 +20,9 @@
 authentication_backend = {
 password_reset.disable = false;
 password_change.disable = false;
- # file = {
- # path = "/run/secrets/users";
- # };
 ldap = {
 address = "ldap://localhost:389";
 timeout = "5s";
- # start_tls = false;
 base_dn = "dc=darksailor,dc=dev";
 user = "cn=authelia,ou=people,dc=darksailor,dc=dev";
 users_filter = "(&({username_attribute}={input})(objectClass=person))";
@@ -46,6 +42,32 @@
 };
 access_control = {
 default_policy = "one_factor";
+ rules = let
+ bypass_api = domain: [
+ {
+ domain = domain;
+ policy = "one_factor";
+ }
+ {
+ domain = domain;
+ policy = "bypass";
+ resources = [
+ "^/api([/?].*)?$"
+ ];
+ }
+ ];
+ in
+ (bypass_api "sonarr.tsuba.darksailor.dev")
+ ++ (bypass_api "radarr.tsuba.darksailor.dev")
+ ++ (bypass_api "lidarr.tsuba.darksailor.dev")
+ ++ (bypass_api "bazarr.tsuba.darksailor.dev")
+ ++ (bypass_api "prowlarr.tsuba.darksailor.dev")
+ ++ [
+ {
+ domain = "llama.ryu.darksailor.dev";
+ policy = "one_factor";
+ }
+ ];
 };
 storage = {
 local = {
diff --git a/nixos/ryu/ryu.nix b/nixos/ryu/ryu.nix
index 2697687e..fcca3152 100644
--- a/nixos/ryu/ryu.nix
+++ b/nixos/ryu/ryu.nix
@@ -24,10 +24,10 @@
 ];
 };
 nvidia = {
+ open = false;
 modesetting.enable = true;
 powerManagement.enable = true;
 powerManagement.finegrained = false;
- open = false;
 nvidiaSettings = true;
 package = config.boot.kernelPackages.nvidiaPackages.beta;
 };
diff --git a/nixos/ryu/services/caddy.nix b/nixos/ryu/services/caddy.nix
new file mode 100644
index 00000000..71203e63
--- /dev/null
+++ b/nixos/ryu/services/caddy.nix
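Review bot: In `bypass_api` the catch-all `policy = "one_factor"` rule for a domain is listed before the `policy = "bypass"` rule for `^/api([/?].*)?$` on the same domain; Authelia evaluates rules in order and applies the first match, so the bypass entry is shadowed and API calls to the *arr hosts still get one_factor. Swapping the two list elements so the bypass rule comes first gives the intended behaviour, and a comment such as `# specific rules first: Authelia applies the first matching rule` on the `rules = let` line would keep the order from being reshuffled later. That same comment should state that `/api` on those hosts is then served without Authelia checks, presumably relying on each application's own API-key handling, since that is a deliberate reduction in coverage a later reader will want to see spelled out.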
@@ -0,0 +1,38 @@
+{
+ config,
+ pkgs,
+ ...
+ }: {
+ sops = {
+ secrets."hetzner/api_key".owner = config.services.caddy.user;
+ templates = {
+ "HETZNER_API_KEY.env".content = ''
+ HETZNER_API_KEY=${config.sops.placeholder."hetzner/api_key"}
+ '';
+ };
+ };
+ services = {
+ caddy = {
+ enable = true;
+ extraConfig = ''
+ (hetzner) {
+ tls {
+ propagation_timeout -1
+ propagation_delay 120s
+ dns hetzner {env.HETZNER_API_KEY}
+ resolvers 1.1.1.1
+ }
+ }
+ '';
+ package = pkgs.caddy.withPlugins {
+ plugins = ["github.com/caddy-dns/hetzner@v1.0.0"];
+ hash = "sha256-9ea0CfOHG7JhejB73HjfXQpnonn+ZRBqLNz1fFRkcDQ=";
+ };
+ };
+ };
+ systemd.services.caddy = {
+ serviceConfig = {
+ EnvironmentFile = config.sops.templates."HETZNER_API_KEY.env".path;
+ };
+ };
+ }
diff --git a/nixos/ryu/services/default.nix b/nixos/ryu/services/default.nix
index 350040f4..c5604848 100644
--- a/nixos/ryu/services/default.nix
+++ b/nixos/ryu/services/default.nix
@@ -1,10 +1,10 @@
 {...}: {
 imports = [
- # ./ollama.nix
 # ./rsyncd.nix
 # ./sunshine.nix
 # ./zerotier.nix
 # ./dnscrypt.nix
+ ./ollama.nix
 ./tailscale.nix
 ./samba.nix
 ./mullvad.nix
@@ -14,7 +14,4 @@
 ./minecraft.nix
 ./fwupd.nix
 ];
- services = {
- # hardware.openrgb.enable = true;
- };
 }
diff --git a/nixos/ryu/services/ollama.nix b/nixos/ryu/services/ollama.nix
index daa00aa4..7e787c5f 100644
--- a/nixos/ryu/services/ollama.nix
+++ b/nixos/ryu/services/ollama.nix
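Review bot: `secrets."hetzner/api_key".owner = config.services.caddy.user` makes the raw sops secret file readable by the caddy user, yet nothing in this file reads that path — the key reaches Caddy only through the rendered `HETZNER_API_KEY.env` template, which systemd loads via `EnvironmentFile` before the service drops to its user, so the raw file does not need to be caddy-owned. Unless another module reads the secret directly, dropping the `.owner` line keeps the raw key root-only with the template as the single consumer; the template's own owner/mode defaults in sops-nix are worth confirming so the rendered file is not more readable than intended. Since the `(hetzner)` snippet is imported by several virtual hosts in this commit, a header comment such as `# Shared TLS snippet (DNS-01 via Hetzner); use with 'import hetzner' in a virtualHost` plus one line explaining why `propagation_timeout -1` disables the propagation check in favour of a fixed `propagation_delay 120s` would help the next reader.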
@@ -1,19 +1,55 @@
-{pkgs, ...}: {
+{
+ pkgs,
+ lib,
+ config,
+ ...
+ }: {
 services = {
 ollama = {
- enable = false;
+ enable = true;
 host = "127.0.0.1";
 loadModels = ["deepseek-r1:7b" "deepseek-r1:14b"];
 port = 11434;
 acceleration = "cuda";
+ environmentVariables = {
+ OLLAMA_LLM_LIBRARY = "cuda";
+ LD_LIBRARY_PATH = "run/opengl-driver/lib";
+ };
 };
 open-webui = {
- enable = false;
+ enable = true;
 environment = {
 OLLAMA_BASE_URL = "http://127.0.0.1:11434";
 WEBUI_AUTH = "False";
 ENABLE_LOGIN_FORM = "False";
 };
 };
+ caddy = {
+ virtualHosts."llama.ryu.darksailor.dev".extraConfig = ''
+ import hetzner
+ forward_auth mirai:5555 {
+ uri /api/authz/forward-auth
+ copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+ }
+ reverse_proxy localhost:${builtins.toString config.services.open-webui.port}
+ '';
+ virtualHosts."ollama.ryu.darksailor.dev".extraConfig = ''
+ import hetzner
+ @apikey {
+ header Authorization "Bearer {env.LLAMA_API_KEY}"
+ }
+
+ handle @apikey {
+ header {
+ # Set response headers or proxy to a different service if API key is valid
+ Access-Control-Allow-Origin *
+ -Authorization "Bearer {env.LLAMA_API_KEY}" # Remove the header after validation
+ }
+ reverse_proxy localhost:${builtins.toString config.services.ollama.port}
+ }
+
+ respond "Unauthorized" 403
+ '';
+ };
 };
 }
diff --git a/nixos/tsuba/services/default.nix b/nixos/tsuba/services/default.nix
index 478d2795..bdae9c9f 100644
--- a/nixos/tsuba/services/default.nix
+++ b/nixos/tsuba/services/default.nix
@@ -8,6 +8,7 @@
 ./deluge.nix
 ./homeassistant.nix
 ./flaresolverr.nix
+ ./caddy.nix
 # ./dnscrypt.nix
 # ./resolved.nix
 # ./blocky.nix
diff --git a/nixos/tsuba/services/jellyfin.nix b/nixos/tsuba/services/jellyfin.nix
index bd8eb891..bd41a72f 100644
--- a/nixos/tsuba/services/jellyfin.nix
+++ b/nixos/tsuba/services/jellyfin.nix
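Review bot: `LD_LIBRARY_PATH = "run/opengl-driver/lib";` in `environmentVariables` is missing the leading slash, so it is a path relative to the service's working directory rather than NixOS's `/run/opengl-driver/lib`; it should read `LD_LIBRARY_PATH = "/run/opengl-driver/lib";`. In the `ollama.ryu.darksailor.dev` host, `header { -Authorization ... }` inside `handle @apikey` acts on the response, so despite the `# Remove the header after validation` comment the bearer token is still forwarded to the upstream `reverse_proxy`; stripping it from the request needs `request_header -Authorization` instead. `{env.LLAMA_API_KEY}` is not provisioned anywhere in this commit (caddy.nix only exports `HETZNER_API_KEY`), so unless it is defined elsewhere the matcher compares against an empty value and every request falls through to the 403 — the sops template pattern already used for the Hetzner key would fit here. `lib` is added to the module arguments but is not used anywhere in the hunk.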
@@ -8,6 +8,9 @@
 enable = true;
 package = unstablePkgs.jellyseerr;
 };
+ jellyfin = {
+ enable = true;
+ };
 caddy = {
 virtualHosts."jellyseerr.tsuba.darksailor.dev".extraConfig = ''
 import hetzner