DerGrumpf/cyper-nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added SSO to Vaultwarden & NGX

Browse Source
This commit is contained in:
DerGrumpf
2026-05-15 14:49:13 +02:00
parent ebcb37773a
commit c12da16d00
11 changed files with 111 additions and 161 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nixos/roles/adguard.nix
+2 -3
View File
@@ -12,12 +12,11 @@ in
resolved.enable = false;
adguardhome = {
enable = true;
mutableSettings = true;
mutableSettings = false;
allowDHCP = true;
port = adguardPort;
settings = {
http.address = "0.0.0.0:${toString adguardPort}";
users = [
{
name = "DerGrumpf";
nixos/roles/jitsi.nix
-117
View File
@@ -1,117 +0,0 @@
{
pkgs,
...
}:
let
domain = "jitsi.cyperpunk.de";
in
{
nixpkgs.config.permittedInsecurePackages = [
"jitsi-meet-1.0.8792"
];
services.jitsi-meet = {
enable = true;
hostName = domain;
config = {
enableWelcomePage = true;
prejoinPageEnabled = true;
enableInsecureRoomNameWarning = true;
disableAudioLevels = false;
enableLayerSuspension = true;
p2p.enabled = true;
analytics.disabled = true;
};
interfaceConfig = {
SHOW_JITSI_WATERMARK = false;
SHOW_WATERMARK_FOR_GUESTS = false;
DEFAULT_REMOTE_DISPLAY_NAME = "Meeting @ Virtual";
TOOLBAR_BUTTONS = [
"microphone"
"camera"
"desktop"
"fullscreen"
"fodeviceselection"
"hangup"
"profile"
"chat"
"recording"
"livestreaming"
"etherpad"
"sharedvideo"
"settings"
"raisehand"
"videoquality"
"filmstrip"
"invite"
"feedback"
"stats"
"shortcuts"
"tileview"
"select-background"
"mute-everyone"
"security"
];
};
# Enable Jibri for recording/livestreaming support
jibri = {
enable = true;
};
# Enable Jigasi for SIP/telephony support (optional, comment out if not needed)
# jigasi.enable = true;
nginx.enable = true;
prosody.enable = true;
};
# Jitsi Videobridge — handles the actual media routing
services.jitsi-videobridge = {
enable = true;
openFirewall = true;
config = {
videobridge = {
ice.udp.port = 10000;
apis.rest.enabled = true;
};
};
};
networking.firewall = {
allowedTCPPorts = [
5222 # XMPP client (Prosody)
5269 # XMPP federation (Prosody)
];
allowedUDPPorts = [
10000 # Jitsi Videobridge RTP media
];
allowedUDPPortRanges = [
{
from = 49152;
to = 65535;
} # WebRTC ephemeral ports
];
};
# Prosody needs this for XMPP
networking.extraHosts = ''
127.0.0.1 ${domain}
127.0.0.1 auth.${domain}
127.0.0.1 focus.${domain}
127.0.0.1 jitsi-videobridge.${domain}
'';
# Jibri requires Chromium for recording
environment.systemPackages = with pkgs; [
chromium
ffmpeg
];
# ALSA loopback device — required by Jibri for audio capture during recording
boot.kernelModules = [ "snd-aloop" ];
}
nixos/roles/nginx.nix
+13 -1
View File
@@ -56,7 +56,19 @@ in
};
"search.cyperpunk.de" = mkProxy 11080;
"file.cyperpunk.de" = mkProxy 10000;
"ngx.cyperpunk.de" = mkWsProxy 28101;
"ngx.cyperpunk.de" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://${upstream}:28101";
proxyWebsockets = true;
extraConfig = ''
sub_filter '</head>' '<link rel="stylesheet" type="text/css" href="https://theme-park.dev/css/base/paperless-ngx/catppuccin-mocha.css"></head>';
sub_filter_once on;
proxy_set_header Accept-Encoding "";
'';
};
};
"vault.cyperpunk.de" = mkWsProxy 8222;
"calvin.cyperpunk.de" = mkWsProxy 15006;
"auth.cyperpunk.de" = mkHttpsProxy 8444;
nixos/roles/paperless-ngx.nix
+17 -5
View File
@@ -1,9 +1,15 @@
{ config, ... }:
{
sops.secrets.paperless_admin = {
owner = "paperless";
sops.secrets = {
paperless_admin = {
owner = "paperless";
};
paperless_oidc_secret = {
owner = "paperless";
};
};
services.paperless = {
enable = true;
address = "0.0.0.0";
@@ -23,6 +29,7 @@
];
PAPERLESS_OCR_LANGUAGE = "deu+eng";
PAPERLESS_CONSUMER_POLLING = 60;
PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
};
exporter = {
@@ -41,9 +48,14 @@
"d /storage/backup/paperless 0775 root users -"
];
services.paperless-scheduler = {
after = [ "systemd-tmpfiles-setup.service" ];
requires = [ "systemd-tmpfiles-setup.service" ];
services = {
paperless-scheduler = {
after = [ "systemd-tmpfiles-setup.service" ];
requires = [ "systemd-tmpfiles-setup.service" ];
};
paperless-web = {
serviceConfig.EnvironmentFiles = [ config.sops.secrets.paperless_oidc_secret.path ];
};
};
};
networking.firewall.allowedTCPPorts = [ 28101 ];
nixos/roles/vaultwarden.nix
+19 -11
View File
@@ -1,36 +1,44 @@
{
config,
pkgs,
lib,
inputs,
...
}:
let
address = config.systemd.network.networks."10-ethernet".networkConfig.Address;
ip = builtins.elemAt (lib.splitString "/" address) 0;
port = 8222;
oidcwarden = import ../packages/oidcwarden.nix {
inherit pkgs;
oidcwarden-src = inputs.oidcwarden;
};
in
{
sops.secrets.vaultwarden_env = {
owner = "vaultwarden";
group = "vaultwarden";
};
services.vaultwarden = {
enable = true;
environmentFile = config.sops.secrets.vaultwarden_admin_token.path;
package = oidcwarden;
environmentFile = config.sops.secrets.vaultwarden_env.path;
backupDir = "/var/local/vaultwarden/backup";
config = {
DOMAIN = "https://vault.cyperpunk.de"; # "http://${ip}:${toString port}";
DOMAIN = "https://vault.cyperpunk.de";
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = port;
ROCKET_LOG = "critical";
SIGNUPS_ALLOWED = true;
SIGNUPS_ALLOWED = false;
WEBSOCKET_ENABLED = true;
SSO_ENABLED = true;
SSO_ONLY = false;
SSO_AUTHORITY = "https://auth.cyperpunk.de/oauth2/openid/vaultwarden";
SSO_SCOPES = "openid profile email";
SSO_PKCE = false;
};
};
sops.secrets.vaultwarden_admin_token = {
owner = "vaultwarden";
group = "vaultwarden";
};
networking.firewall.allowedTCPPorts = [ port ];
systemd = {