Added SSO to Vaultwarden & NGX

This commit is contained in:
2026-05-15 14:49:13 +02:00
parent ebcb37773a
commit c12da16d00
11 changed files with 111 additions and 161 deletions
+20 -20
@@ -2,6 +2,7 @@
pkgs,
inputs,
lib,
config,
primaryUser,
isServer,
...
@@ -25,6 +26,10 @@
nix = {
settings = {
trusted-users = [
"root"
primaryUser
];
experimental-features = [
"nix-command"
"flakes"
@@ -37,11 +42,13 @@
"https://cache.nixos.org"
"https://hyprland.cachix.org"
"https://nix-community.cachix.org"
"https://cyper-cache.cachix.org"
];
trusted-public-keys = [
"cache.nixos.org-1:6NCHdD59X431o0gWypbMrAURkbJ16ZPMQFGspcDShjY="
"hyprland.cachix.org-1:a7pgxzMz7+chwVL3/pzj6jIBMioiJM7ypFP8PwtkuGc="
"nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
"cyper-cache.cachix.org-1:pOpeWFEjGHg9XvqRg+DQpYnGRQNp+z+QEF8Ev2mbSoM="
];
};
gc = {
@@ -117,32 +124,25 @@
port = 9002;
};
alloy = {
enable = true;
extraFlags = [ "--stability.level=public-preview" ];
configPath = pkgs.writeText "config.alloy" ''
loki.write "default" {
endpoint {
url = "http://192.168.2.2:3100/loki/api/v1/push"
}
}
loki.source.journal "journal" {
forward_to = [loki.write.default.receiver]
labels = {
job = "systemd-journal",
host = sys.env("HOSTNAME"),
}
}
'';
};
gnome = lib.mkIf (!isServer) {
tinysparql.enable = true;
localsearch.enable = true;
};
};
sops.secrets.cachix_auth_token = { };
systemd.services.cachix-push = {
description = "Push new store paths to Cachix";
after = [ "multi-user.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${pkgs.bash}/bin/bash -c 'CACHIX_AUTH_TOKEN=$(cat ${config.sops.secrets.cachix_auth_token.path}) ${pkgs.nix}/bin/nix path-info --recursive /run/current-system | CACHIX_AUTH_TOKEN=$(cat ${config.sops.secrets.cachix_auth_token.path}) ${pkgs.cachix}/bin/cachix push cyper-cache'";
};
};
networking.firewall.allowedTCPPorts = [
9002
3100
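Review bot: `primaryUser` appears in `nix.settings.trusted-users` (hunk `@@ -25,6 +26,10 @@`), and a trusted user can hand the daemon arbitrary substituters, signing keys and sandbox options, which is in practice root-equivalent on the host; the hunk's four added lines fit the `trusted-users` block exactly, but the rendering drops the markers, so treat that as inferred. If the entry is needed, record why with a comment such as `# trusted-users is root-equivalent; only needed for remote builds / ad-hoc substituters`, and check whether `allowed-users` plus the caches already pinned in `substituters` is enough. Separately, the `cachix-push` unit publishes the whole closure of `/run/current-system`, so every generated file in the store — including the `config.alloy` text with the internal Loki address — ends up in the cache; if `cyper-cache` is public, a note on the unit stating that nothing secret may ever be placed in the store would make that constraint explicit. The `services.alloy` block and the enclosing attribute set begin outside the hunks shown.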
+12
@@ -0,0 +1,12 @@
{ pkgs, oidcwarden-src, ... }:
pkgs.vaultwarden.overrideAttrs (old: {
pname = "oidcwarden";
src = oidcwarden-src;
cargoDeps = pkgs.rustPlatform.importCargoLock {
lockFile = "${oidcwarden-src}/Cargo.lock";
};
postInstall = (old.postInstall or "") + ''
mv $out/bin/oidcwarden $out/bin/vaultwarden
'';
})
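Review bot: The override swaps `pname` and `src` but inherits `version` from `pkgs.vaultwarden`, so the resulting package reports the nixpkgs Vaultwarden version while shipping a different code base, which misleads vulnerability tracking and anyone reading the store path. Set it from the input, e.g. `version = oidcwarden-src.shortRev or "unknown";` (valid if the flake input is a git source; a pinned tag string is the alternative), and add a header comment naming which upstream Vaultwarden release the fork tracks. `importCargoLock` without `outputHashes` fails at build time when `Cargo.lock` contains git-sourced crates; whether it does is not visible on this page. The `mv` in `postInstall` exists to satisfy the NixOS module's `bin/vaultwarden` expectation and deserves a one-line comment saying so.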
+2 -3
@@ -12,12 +12,11 @@ in
resolved.enable = false;
adguardhome = {
enable = true;
mutableSettings = true;
mutableSettings = false;
allowDHCP = true;
port = adguardPort;
settings = {
http.address = "0.0.0.0:${toString adguardPort}";
users = [
{
name = "DerGrumpf";
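Review bot: Flipping `mutableSettings` to `false` makes the `settings` attribute the only source of truth, so the `users` entry beginning at `name = "DerGrumpf"` presumably carries its password hash in this file, and everything in `settings` is written to the world-readable Nix store (and, given the `cachix-push` unit in the first file, possibly to a binary cache). If the hash is a literal — it sits just outside the hunk — consider keeping it out of the store, e.g. by rendering it into the AdGuard config from a sops secret at activation time, and add `# settings are fully declarative: changes made in the web UI are overwritten on rebuild` beside `mutableSettings = false;` so the behaviour change is recorded. The `http.address = "0.0.0.0:…"` line is unchanged context but means the admin UI listens on every interface, which the firewall section should be checked against. The `adguardhome` block and the `users` list continue past the hunk.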
-117
@@ -1,117 +0,0 @@
{
pkgs,
...
}:
let
domain = "jitsi.cyperpunk.de";
in
{
nixpkgs.config.permittedInsecurePackages = [
"jitsi-meet-1.0.8792"
];
services.jitsi-meet = {
enable = true;
hostName = domain;
config = {
enableWelcomePage = true;
prejoinPageEnabled = true;
enableInsecureRoomNameWarning = true;
disableAudioLevels = false;
enableLayerSuspension = true;
p2p.enabled = true;
analytics.disabled = true;
};
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
DEFAULT_REMOTE_DISPLAY_NAME = "Meeting @ Virtual";
TOOLBAR_BUTTONS = [
"microphone"
"camera"
"desktop"
"fullscreen"
"fodeviceselection"
"hangup"
"profile"
"chat"
"recording"
"livestreaming"
"etherpad"
"sharedvideo"
"settings"
"raisehand"
"videoquality"
"filmstrip"
"invite"
"feedback"
"stats"
"shortcuts"
"tileview"
"select-background"
"mute-everyone"
"security"
];
};
# Enable Jibri for recording/livestreaming support
jibri = {
enable = true;
};
# Enable Jigasi for SIP/telephony support (optional, comment out if not needed)
# jigasi.enable = true;
nginx.enable = true;
prosody.enable = true;
};
# Jitsi Videobridge — handles the actual media routing
services.jitsi-videobridge = {
enable = true;
openFirewall = true;
config = {
videobridge = {
ice.udp.port = 10000;
apis.rest.enabled = true;
};
};
};
networking.firewall = {
allowedTCPPorts = [
5222 # XMPP client (Prosody)
5269 # XMPP federation (Prosody)
];
allowedUDPPorts = [
10000 # Jitsi Videobridge RTP media
];
allowedUDPPortRanges = [
{
from = 49152;
to = 65535;
} # WebRTC ephemeral ports
];
};
# Prosody needs this for XMPP
networking.extraHosts = ''
127.0.0.1 ${domain}
127.0.0.1 auth.${domain}
127.0.0.1 focus.${domain}
127.0.0.1 jitsi-videobridge.${domain}
'';
# Jibri requires Chromium for recording
environment.systemPackages = with pkgs; [
chromium
ffmpeg
];
# ALSA loopback device — required by Jibri for audio capture during recording
boot.kernelModules = [ "snd-aloop" ];
}
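--- a/<path not shown on page>
+++ b/<path not shown on page>
@@ -56,7 +56,19 @@ in
 };
 "search.cyperpunk.de" = mkProxy 11080;
 "file.cyperpunk.de" = mkProxy 10000;
-"ngx.cyperpunk.de" = mkWsProxy 28101;
+"ngx.cyperpunk.de" = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+proxyPass = "http://${upstream}:28101";
+proxyWebsockets = true;
+extraConfig = ''
+sub_filter '</head>' '<link rel="stylesheet" type="text/css" href="https://theme-park.dev/css/base/paperless-ngx/catppuccin-mocha.css"></head>';
+sub_filter_once on;
+proxy_set_header Accept-Encoding "";
+'';
+};
+};
 "vault.cyperpunk.de" = mkWsProxy 8222;
 "calvin.cyperpunk.de" = mkWsProxy 15006;
 "auth.cyperpunk.de" = mkHttpsProxy 8444;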
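Review bot: The `sub_filter` line injects a stylesheet fetched at runtime from `theme-park.dev` into every HTML page of the authenticated Paperless-ngx UI, with no pinning and no `integrity` attribute, so a compromise or domain takeover of that host changes how the document UI renders, and CSS alone can leak page content via attribute selectors. Prefer serving the file from this vhost — fetch it into the store with `pkgs.fetchurl` and point `href` at a local path — or at minimum add `# third-party CSS injected into authenticated pages; self-host or pin before relying on it`. The `proxy_set_header Accept-Encoding "";` line exists so `sub_filter` sees uncompressed bodies and merits a one-line why-comment. The vhost sits inside a larger attribute set whose boundaries lie outside the hunk.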
+17 -5
@@ -1,9 +1,15 @@
{ config, ... }:
{
sops.secrets.paperless_admin = {
owner = "paperless";
sops.secrets = {
paperless_admin = {
owner = "paperless";
};
paperless_oidc_secret = {
owner = "paperless";
};
};
services.paperless = {
enable = true;
address = "0.0.0.0";
@@ -23,6 +29,7 @@
];
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_CONSUMER_POLLING = 60;
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
};
exporter = {
@@ -41,9 +48,14 @@
"d /storage/backup/paperless 0775 root users -"
];
services.paperless-scheduler = {
after = [ "systemd-tmpfiles-setup.service" ];
requires = [ "systemd-tmpfiles-setup.service" ];
services = {
paperless-scheduler = {
after = [ "systemd-tmpfiles-setup.service" ];
requires = [ "systemd-tmpfiles-setup.service" ];
};
paperless-web = {
serviceConfig.EnvironmentFiles = [ config.sops.secrets.paperless_oidc_secret.path ];
};
};
};
networking.firewall.allowedTCPPorts = [ 28101 ];
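Review bot: Adding the `openid_connect` allauth provider through `PAPERLESS_APPS` (second hunk) enables social login, and with paperless-ngx's default any identity the IdP asserts for this client may create a fresh account, since `PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS` defaults to enabled; if account creation is meant to be controlled at the IdP, say so next to the line, otherwise set that option explicitly. The provider definition with client id and secret is presumably inside the `paperless_oidc_secret` env file, which the third hunk attaches only to `paperless-web`; that is sufficient for login but worth noting inline, e.g. `# OIDC provider config lives in the sops env file; only the web frontend needs it`. The `services.paperless` and `systemd.services` attribute sets continue outside the hunks.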
+19 -11
@@ -1,36 +1,44 @@
{
config,
pkgs,
lib,
inputs,
...
}:
let
address = config.systemd.network.networks."10-ethernet".networkConfig.Address;
ip = builtins.elemAt (lib.splitString "/" address) 0;
port = 8222;
oidcwarden = import ../packages/oidcwarden.nix {
inherit pkgs;
oidcwarden-src = inputs.oidcwarden;
};
in
{
sops.secrets.vaultwarden_env = {
owner = "vaultwarden";
group = "vaultwarden";
};
services.vaultwarden = {
enable = true;
environmentFile = config.sops.secrets.vaultwarden_admin_token.path;
package = oidcwarden;
environmentFile = config.sops.secrets.vaultwarden_env.path;
backupDir = "/var/local/vaultwarden/backup";
config = {
DOMAIN = "https://vault.cyperpunk.de"; # "http://${ip}:${toString port}";
DOMAIN = "https://vault.cyperpunk.de";
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = port;
ROCKET_LOG = "critical";
SIGNUPS_ALLOWED = true;
SIGNUPS_ALLOWED = false;
WEBSOCKET_ENABLED = true;
SSO_ENABLED = true;
SSO_ONLY = false;
SSO_AUTHORITY = "https://auth.cyperpunk.de/oauth2/openid/vaultwarden";
SSO_SCOPES = "openid profile email";
SSO_PKCE = false;
};
};
sops.secrets.vaultwarden_admin_token = {
owner = "vaultwarden";
group = "vaultwarden";
};
networking.firewall.allowedTCPPorts = [ port ];
systemd = {