From 6d5ae474c6513d3dec748fbd1752dd5a04d5baf1 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 02:00:12 -0600 Subject: [PATCH 01/28] keycloak init --- TODO.md | 39 ++++++++++++++++++++++++++++++++ modules/servers/keycloak.nix | 44 ++++++++++++++++++++++++++++++++++++ modules/servers/postgres.nix | 1 + 3 files changed, 84 insertions(+) create mode 100644 TODO.md create mode 100644 modules/servers/keycloak.nix diff --git a/TODO.md b/TODO.md new file mode 100644 index 0000000..53b93d4 --- /dev/null +++ b/TODO.md @@ -0,0 +1,39 @@ +# Keycloak SSO Rollout (Server) + +## Compatible services to cover (assume up-to-date versions) +- Gitea (OAuth2/OIDC) +- Nextcloud (Social Login app) +- Paperless-ngx (OIDC) +- Mealie (OIDC v1+) +- Jellyfin (OIDC plugin) +- Kavita (OIDC-capable builds) +- Readeck (OIDC-capable builds) +- Audiobookshelf (OIDC-capable builds) +- Matrix Synapse – intentionally excluded (see below) but natively OIDC if needed + +## Explicit exclusions (no SSO for now) +- Syncplay +- Matrix/Synapse +- Arr stack (sonarr, radarr, lidarr, prowlarr, bazarr) +- qbittorrent +- sabnzbd +- metube +- multi-scrobbler +- microbin +- ryot +- maloja +- plex +- atticd + +## Phased rollout plan +1) Base identity + - Add Keycloak deployment/module and realm/client defaults. +2) Gateway/proxy auth + - Add oauth2-proxy (Keycloak provider) + nginx auth_request for non-OIDC apps (e.g., homepage-dashboard, stash). +3) Native OIDC wiring + - Configure native OIDC services (Gitea, Nextcloud, Paperless, Mealie, Jellyfin/Kavita/Readeck/Audiobookshelf) with Keycloak clients. +4) Per-service rollout + - Enable per app in priority order; document client IDs/secrets and callback URLs. +5) Verification + - Smoke-test login flows and cache any needed public keys/metadata. + diff --git a/modules/servers/keycloak.nix b/modules/servers/keycloak.nix new file mode 100644 index 0000000..33cfe85 --- /dev/null +++ b/modules/servers/keycloak.nix 
@@ -0,0 +1,44 @@ +{ + lib, + config, + inputs, + ... +}: +let + setup = import ../factories/mkserver.nix { inherit lib config; }; + cfg = config.my.servers.keycloak; +in +{ + options.my.servers.keycloak = setup.mkOptions "keycloak" "auth" 8090; + config = lib.mkIf (cfg.enable && config.my.secureHost) { + sops.secrets."keycloak/admin_password" = { + sopsFile = ../../secrets/secrets.yaml; + owner = "keycloak"; + group = "keycloak"; + }; + services.keycloak = { + inherit (cfg) enable; + database = { + type = "postgresql"; + host = config.my.postgresSocket; + username = "keycloak"; + database = "keycloak"; + }; + initialAdmin = { + user = "admin"; + passwordFile = config.sops.secrets."keycloak/admin_password".path; + }; + settings = { + hostname = cfg.host; + "hostname-strict" = true; + "hostname-strict-https" = false; + "http-enabled" = true; + "http-port" = cfg.port; + "proxy" = "edge"; + "frontend-url" = cfg.url; + }; + }; + services.nginx.virtualHosts.${cfg.host} = + lib.mkIf (cfg.enableProxy && config.my.enableProxy) (inputs.self.lib.proxyReverseFix cfg); + }; +} \ No newline at end of file diff --git a/modules/servers/postgres.nix b/modules/servers/postgres.nix index 4978528..188ea56 100644 --- a/modules/servers/postgres.nix +++ b/modules/servers/postgres.nix @@ -40,6 +40,7 @@ let "sonarqube" "gitea" "atticd" + "keycloak" ]; in { From 92492b6323006e413db9ad26167fd942f18d50a0 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 02:04:17 -0600 Subject: [PATCH 02/28] Update Keycloak database configuration to use 'databaseName' instead of 'database' --- modules/servers/keycloak.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/servers/keycloak.nix b/modules/servers/keycloak.nix index 33cfe85..ecfb0da 100644 --- a/modules/servers/keycloak.nix +++ b/modules/servers/keycloak.nix 
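Review bot: `"proxy" = "edge"` together with `"http-enabled" = true` makes Keycloak accept X-Forwarded-For/-Proto/-Host from whoever reaches the plain-HTTP listener on port 8090, so that port must be reachable only from nginx; nothing in this module restricts it, and neither the later `proxy-headers = "xforwarded"` (patch 08) nor `http-host = cfg.ip` (patch 11), which binds to the LAN address rather than loopback, closes that gap. If nginx runs on the same host, `http-host = "127.0.0.1"` (or a firewall rule that limits the port to the proxy) keeps other LAN clients from talking to Keycloak directly with spoofed forwarding headers; recent Keycloak releases also provide `proxy-trusted-addresses` to pin which sources may set them, which is worth checking against the deployed version. `"hostname-strict-https" = false` is consistent with TLS terminating at nginx, but deserves a one-line comment saying so, e.g. `# TLS terminates at nginx; Keycloak only ever sees plain HTTP from the proxy`.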
@@ -22,7 +22,7 @@ in type = "postgresql"; host = config.my.postgresSocket; username = "keycloak"; - database = "keycloak"; + databaseName = "keycloak"; }; initialAdmin = { user = "admin"; From 2cd3afe2b32594248131ea1580b1f5651755d366 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 02:06:28 -0600 Subject: [PATCH 03/28] Rename Keycloak database configuration key from 'databaseName' to 'name' --- modules/servers/keycloak.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/servers/keycloak.nix b/modules/servers/keycloak.nix index ecfb0da..b172128 100644 --- a/modules/servers/keycloak.nix +++ b/modules/servers/keycloak.nix @@ -22,7 +22,7 @@ in type = "postgresql"; host = config.my.postgresSocket; username = "keycloak"; - databaseName = "keycloak"; + name = "keycloak"; }; initialAdmin = { user = "admin"; From 303cd2db36e4917b034f727cef923fe304a78f2c Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 02:12:06 -0600 Subject: [PATCH 04/28] Add SOPS secrets for Keycloak database password and update configuration --- modules/servers/keycloak.nix | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) diff --git a/modules/servers/keycloak.nix b/modules/servers/keycloak.nix index b172128..2aab379 100644 --- a/modules/servers/keycloak.nix +++ b/modules/servers/keycloak.nix @@ -16,17 +16,20 @@ in owner = "keycloak"; group = "keycloak"; }; + sops.secrets."keycloak/db_password" = { + sopsFile = ../../secrets/secrets.yaml; + owner = "keycloak"; + group = "keycloak"; + }; services.keycloak = { inherit (cfg) enable; database = { type = "postgresql"; - host = config.my.postgresSocket; + host = "localhost"; + createLocally = false; username = "keycloak"; name = "keycloak"; - }; - initialAdmin = { - user = "admin"; - passwordFile = config.sops.secrets."keycloak/admin_password".path; + passwordFile = config.sops.secrets."keycloak/db_password".path; }; settings = { hostname = cfg.host; 
@@ -35,7 +38,11 @@ in "http-enabled" = true; "http-port" = cfg.port; "proxy" = "edge"; - "frontend-url" = cfg.url; + }; + }; + systemd.services.keycloak = { + serviceConfig = { + EnvironmentFile = config.sops.secrets."keycloak/admin_password".path; }; }; services.nginx.virtualHosts.${cfg.host} = From 4d788d90ca2383e4c1551914771bcf4062909705 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 02:29:25 -0600 Subject: [PATCH 05/28] linting --- config/overlay.nix | 2 +- config/users.nix | 3 +-- modules/servers/qbittorrent.nix | 4 ---- modules/services/sound.nix | 1 - 4 files changed, 2 insertions(+), 8 deletions(-) diff --git a/config/overlay.nix b/config/overlay.nix index dea5260..e8da2f2 100644 --- a/config/overlay.nix +++ b/config/overlay.nix @@ -38,7 +38,7 @@ _final: prev: { waybar = prev.waybar.overrideAttrs (old: { mesonFlags = old.mesonFlags ++ [ "-Dexperimental=true" ]; }); - qbittorrent = prev.qbittorrent.overrideAttrs (old: rec { + qbittorrent = prev.qbittorrent.overrideAttrs (_old: rec { version = "5.1.3"; src = prev.fetchFromGitHub { owner = "qbittorrent"; diff --git a/config/users.nix b/config/users.nix index 873e143..c73aa80 100644 --- a/config/users.nix +++ b/config/users.nix @@ -1,5 +1,4 @@ -{ ... }: -{ +_: { users.users = { sonarr = { uid = 274; diff --git a/modules/servers/qbittorrent.nix b/modules/servers/qbittorrent.nix index fa9d0c6..87b9393 100644 --- a/modules/servers/qbittorrent.nix +++ b/modules/servers/qbittorrent.nix @@ -7,10 +7,6 @@ }: let inherit (inputs) qbit_manage; - pkgsU = import inputs.nixpkgs-unstable { - system = "x86_64-linux"; - config.allowUnfree = true; - }; vuetorrent = pkgs.fetchzip { url = "https://github.com/VueTorrent/VueTorrent/releases/download/v2.31.0/vuetorrent.zip"; sha256 = "sha256-kVDnDoCoJlY2Ew71lEMeE67kNOrKTJEMqNj2OfP01qw="; diff --git a/modules/services/sound.nix b/modules/services/sound.nix index a562251..a391b93 100644 --- a/modules/services/sound.nix +++ b/modules/services/sound.nix 
@@ -1,7 +1,6 @@ { config, lib, - inputs, ... }: { From e714a8d184b7602555a886cf96c43c59331ef9d0 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 02:29:34 -0600 Subject: [PATCH 06/28] Update Keycloak configuration to use new secrets file and adjust environment variable references --- modules/servers/keycloak.nix | 33 ++++++++++++++------------------- secrets/env.yaml | 5 +++-- secrets/secrets.yaml | 7 ++++--- 3 files changed, 21 insertions(+), 24 deletions(-) diff --git a/modules/servers/keycloak.nix b/modules/servers/keycloak.nix index 2aab379..1a74a2f 100644 --- a/modules/servers/keycloak.nix +++ b/modules/servers/keycloak.nix @@ -11,12 +11,12 @@ in { options.my.servers.keycloak = setup.mkOptions "keycloak" "auth" 8090; config = lib.mkIf (cfg.enable && config.my.secureHost) { - sops.secrets."keycloak/admin_password" = { - sopsFile = ../../secrets/secrets.yaml; + sops.secrets.keycloak = { + sopsFile = ../../secrets/env.yaml; owner = "keycloak"; group = "keycloak"; }; - sops.secrets."keycloak/db_password" = { + sops.secrets.postgres-password = { sopsFile = ../../secrets/secrets.yaml; owner = "keycloak"; group = "keycloak"; 
@@ -31,21 +31,16 @@ in name = "keycloak"; passwordFile = config.sops.secrets."keycloak/db_password".path; }; - settings = { - hostname = cfg.host; - "hostname-strict" = true; - "hostname-strict-https" = false; - "http-enabled" = true; - "http-port" = cfg.port; - "proxy" = "edge"; - }; + settings.hostname = cfg.host; + "hostname-strict" = true; + "hostname-strict-https" = false; + "http-enabled" = true; + "http-port" = cfg.port; + "proxy" = "edge"; }; - systemd.services.keycloak = { - serviceConfig = { - EnvironmentFile = config.sops.secrets."keycloak/admin_password".path; - }; - }; - services.nginx.virtualHosts.${cfg.host} = - lib.mkIf (cfg.enableProxy && config.my.enableProxy) (inputs.self.lib.proxyReverseFix cfg); + systemd.services.keycloak.serviceConfig.EnvironmentFile = config.sops.secrets.keycloak.path; + services.nginx.virtualHosts.${cfg.host} = lib.mkIf (cfg.enableProxy && config.my.enableProxy) ( + inputs.self.lib.proxyReverseFix cfg + ); }; -} \ No newline at end of file +} diff --git a/secrets/env.yaml b/secrets/env.yaml index 131252b..3467917 100644 --- a/secrets/env.yaml +++ b/secrets/env.yaml 
@@ -11,6 +11,7 @@ cloudflare-api: ENC[AES256_GCM,data:iNUMlY8rz5yHVitpK4HGaFSK7j+c8Pm7rOQMOQGmSJ3a synapse: ENC[AES256_GCM,data:IR0pFwQBEM4O8mzzYXrPe2FjulSUGuitzLDLms2uovr6gEU82mCkRO/UCQOybNm03iOQeXX0Whz739kpYSGSInEyx69BNG/etH+bMu+GbYeMdrTEyXHSa7kcH4Ug,iv:Vn2ILYXnCj+Op/E2kWoxV+2ZtlxYJxO6XK3Ql41KW6w=,tag:9wogJFLlmfM5PRgPdwFlcw==,type:str] readeck: ENC[AES256_GCM,data:TsIkHLji37dDHQRt78SquBhoSREHDgvgbc6+M1k2MLrgMGJ/Ejfy5AZXCIp/Qj5sXDzKP4j6Y6xFvGLswCqe02XjqGCpX13gZVCFPuKr8Nq051Xg,iv:Rc/pjYP+Vd/DvLCYsfJjDrnAlAiUlZOcNeeYzE6O3UY=,tag:OvR+CXMmrUFbsrHvduhnjA==,type:str] lidarr-mb-gap: ENC[AES256_GCM,data:bNzD9Nf9BWAPkm0Yk0J4MJbmo908QX9VsD+40Rngnfec9nzH4vZ2DrelxRllgT1kgnXMQzvoSgNhBwkDN4fgX73hz1FjkytTwahlO0wcY6R+tw4aokh0QYy0TVx5pZ4u1FEQOAp3IMgBsP8HOqaL/NEsEo3yb0K9iC3AfFihkLDJmVh26Pg=,iv:go0qS7/BcfcAMPkAdGWCoL61gNqBG5lWDev++y9DJ/I=,tag:LgtEyTZH8NfhfrKTcAigZw==,type:str] +keycloak: ENC[AES256_GCM,data:BmwZxuJaOB8F7zmBNAf42lkw36s5TepimtdyT2xjdGVyuHgRHbTZqeVen7/0II39qrJjko4agZJgToIZ1uhaC/gpGSoHZlib3rJozPCqmBc42nO6SOtpIO8=,iv:kPModK85937/liNk6iLIRiQ/G5yB7S7h24ZzPb8A1zo=,tag:lWvDQAHVRiBz8XZUoADKvw==,type:str] sops: age: - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 
@@ -49,7 +50,7 @@ sops: QXRUYWtGcWZCVW11U3VYRktuUjlCbDgKsTK4WhUza/JuoDTU3uATa6fq/8eYzxtb 9BUK1ddzx9Mghea9XBMS17YGtGmW800OsLBomb3SINnOFvejcnKf8Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-11-11T23:18:34Z" - mac: ENC[AES256_GCM,data:i3U364pjZB5Y61Wf7ETbXhNWyfH1gw0oyPcNyT+nCIJmePh8JWiP9hnHmZfLS1BKkI2powQdezbz9R0XDvU7g2SkV8EsWmn/h3rFwbopUZbeRQ2SCoX7LGFez74l1oTPQjL8zWJVdrUtfAFgbZKSEWuz7rsDieKBVhIJwWaeePY=,iv:N4z+X3eD6jH+zQfY24qec+U6wkfhLGPm4MzY8T2Km/A=,tag:yluW5YSKMZ4Kk+wcXbkj8Q==,type:str] + lastmodified: "2025-12-10T08:26:05Z" + mac: ENC[AES256_GCM,data:rUc4vtnyqK7U6Zvx+BCVMT6yqhCBBsKY/Cfp13XzPzKqa/8sRI7PSEUBY+RSH0t2ShCUep+dWu0ghgFq9L2olJkwuOQ3MHPyIRw3ldwbuYwoRiCtvTkyvtZMaJouy/QrD+mHBr8a6UZRIl/6gnIxcqktzXUeKbCtJcSFj5ScHIg=,iv:j/mtZ3RJwMilVF5AFFUjo4Jm5IDlRIzZx1MdjOE+4gc=,tag:w4Niu71q3Lutu32VdFruHw==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index d1437bc..00e76b8 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -14,6 +14,7 @@ stash: unpackerr: sonarr-api: ENC[AES256_GCM,data:74/aSs7Q2tcDh9hPGm88h2hIneOcJ+P9HaCqoeuL6FQ=,iv:1AOpCii7ED1EyOFNCzvgRp5tR2ic1U6oRi7yg0hUcLk=,tag:k1miUivDQPxRgBWhXi9f+w==,type:str] radarr-api: ENC[AES256_GCM,data:bZiJNk/ewREIBss+z4daVwL1UyI4rt8GxVmC/bpTNvc=,iv:li2kMzOgdWtLLr4l244P082Z0jwDB2aEC6iRYt3o/HY=,tag:mi9SY/pT2qTIzR/ngp8bGg==,type:str] +postgres-password: ENC[AES256_GCM,data:V0g4T1cLUFnTN94zZZR83/KVJFUDGEWVEn6nyijnver4QCELUFkNr99s9g==,iv:1ymHA0JaVC2/aHdg4TmJmuKOG8JGZRRvynrgQIGdTss=,tag:xsCVpc+HBaNeswYvzo0PaA==,type:str] sops: age: - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 
@@ -52,7 +53,7 @@ sops: RmRyZldlMjUwMEdUUEpDS2JSa2tDTTAKp/pT+0cNnCuKVL+Z0fEMiw1PL9PB/nSM QWVTo0Mt8Y6X0Xt0EAi9G5AYxADZ/mmEWPxB7RFgVAiMKtor5Gy1zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-10-02T20:02:38Z" - mac: ENC[AES256_GCM,data:DnbkeF+evVTMhYTg3OU528cRQ+jBiUl7Q7JZxyGRL6USjB2OdIRxqnnCH8L36K2hSAIkKQ/kojyJs+8Pgkx5uD/qsCbGlNT9pSBU1qPdSBxqJsVPxHZmkuf/QxGtE4pgV/50xJMrVyzAetWPZuxcYVfWAPszxDZcR5XDuD+Yjk4=,iv:i2Vt6nv6etIgaaoxsbVlxEnIhIx4adOQZFeyGM/4Saw=,tag:jugPmHU78lap7Hy7RJd9pg==,type:str] + lastmodified: "2025-12-10T08:27:18Z" + mac: ENC[AES256_GCM,data:Q9mdmt8HI+yzOu3IiEbxtZ7jg/2+6EHtHyRAJndrlwKCbTM59Nqza3YJ5+EpOrQw+ydYhiG2gXZ8qU/f70s0XdDUlpo/EgOkYoLDCgqFQ8TQu7R7Fwjv9Lw27IomGyCtTouWLfIQC1lZV1I1Df61P8HiPzUmV3pEr87o7qD0f/w=,iv:Cst3qxD65ijqmB+ftLNdpRGmRjSjqW7MrSskd33Ght8=,tag:+zgclBJw/PYTQYzPMAFQUA==,type:str] unencrypted_suffix: _unencrypted - version: 3.10.2 + version: 3.11.0 From 52891939612a89b98196cd77ee1076ba109872e5 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 02:31:31 -0600 Subject: [PATCH 07/28] Add Keycloak to enabled services and refactor configuration settings structure --- hosts/server/toggles.nix | 1 + modules/servers/keycloak.nix | 14 ++++++++------ 2 files changed, 9 insertions(+), 6 deletions(-) diff --git a/hosts/server/toggles.nix b/hosts/server/toggles.nix index 5ebea53..6698e8b 100644 --- a/hosts/server/toggles.nix +++ b/hosts/server/toggles.nix @@ -76,6 +76,7 @@ in "mealie" "metube" "atticd" + "keycloak" ] // enableList mkEnabledIp [ "audiobookshelf" diff --git a/modules/servers/keycloak.nix b/modules/servers/keycloak.nix index 1a74a2f..70a4758 100644 --- a/modules/servers/keycloak.nix +++ b/modules/servers/keycloak.nix 
@@ -31,12 +31,14 @@ in name = "keycloak"; passwordFile = config.sops.secrets."keycloak/db_password".path; }; - settings.hostname = cfg.host; - "hostname-strict" = true; - "hostname-strict-https" = false; - "http-enabled" = true; - "http-port" = cfg.port; - "proxy" = "edge"; + settings = { + hostname = cfg.host; + hostname-strict = true; + hostname-strict-https = false; + http-enabled = true; + http-port = cfg.port; + proxy = "edge"; + }; }; systemd.services.keycloak.serviceConfig.EnvironmentFile = config.sops.secrets.keycloak.path; services.nginx.virtualHosts.${cfg.host} = lib.mkIf (cfg.enableProxy && config.my.enableProxy) ( From ba41e8f8044996ad55325ee4d667c554b71be819 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 02:33:31 -0600 Subject: [PATCH 08/28] Update Keycloak configuration to use new password secret and modify proxy settings --- modules/servers/keycloak.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/servers/keycloak.nix b/modules/servers/keycloak.nix index 70a4758..8f4af18 100644 --- a/modules/servers/keycloak.nix +++ b/modules/servers/keycloak.nix @@ -29,7 +29,7 @@ in createLocally = false; username = "keycloak"; name = "keycloak"; - passwordFile = config.sops.secrets."keycloak/db_password".path; + passwordFile = config.sops.secrets.postgres-password.path; }; settings = { hostname = cfg.host; @@ -37,7 +37,7 @@ in hostname-strict-https = false; http-enabled = true; http-port = cfg.port; - proxy = "edge"; + proxy-headers = "xforwarded"; }; }; systemd.services.keycloak.serviceConfig.EnvironmentFile = config.sops.secrets.keycloak.path; From 616db8006e4a9e703b93eac30262f776f162d71a Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 02:37:55 -0600 Subject: [PATCH 09/28] Refactor Keycloak configuration to include restart units and streamline secret management --- modules/servers/keycloak.nix | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) 
diff --git a/modules/servers/keycloak.nix b/modules/servers/keycloak.nix index 8f4af18..735442e 100644 --- a/modules/servers/keycloak.nix +++ b/modules/servers/keycloak.nix @@ -13,14 +13,9 @@ in config = lib.mkIf (cfg.enable && config.my.secureHost) { sops.secrets.keycloak = { sopsFile = ../../secrets/env.yaml; - owner = "keycloak"; - group = "keycloak"; - }; - sops.secrets.postgres-password = { - sopsFile = ../../secrets/secrets.yaml; - owner = "keycloak"; - group = "keycloak"; + restartUnits = [ "keycloak.service" ]; }; + sops.secrets.postgres-password.sopsFile = ../../secrets/secrets.yaml; services.keycloak = { inherit (cfg) enable; database = { From b912aa82fa180967a95bfd13034bd44d4aa5f6ab Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 02:41:10 -0600 Subject: [PATCH 10/28] Update Keycloak configuration to ensure proper handling of SOPS secrets and maintain consistency in secret file references --- modules/servers/keycloak.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/servers/keycloak.nix b/modules/servers/keycloak.nix index 735442e..b7ea960 100644 --- a/modules/servers/keycloak.nix +++ b/modules/servers/keycloak.nix @@ -11,11 +11,11 @@ in { options.my.servers.keycloak = setup.mkOptions "keycloak" "auth" 8090; config = lib.mkIf (cfg.enable && config.my.secureHost) { + sops.secrets.postgres-password.sopsFile = ../../secrets/secrets.yaml; sops.secrets.keycloak = { sopsFile = ../../secrets/env.yaml; restartUnits = [ "keycloak.service" ]; }; - sops.secrets.postgres-password.sopsFile = ../../secrets/secrets.yaml; services.keycloak = { inherit (cfg) enable; database = { From 3f40666ebfd462195f2185ef66c47b4e61e35ea4 Mon Sep 17 00:00:00 2001 
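Review bot: `sops.secrets.postgres-password.sopsFile = ../../secrets/secrets.yaml;` drops the `owner`/`group` the earlier declaration had and carries no `restartUnits`, so a rotated database password will not restart keycloak.service the way the `keycloak` env secret now does. Whether the resulting root-owned 0400 file is still readable at start-up depends on how the NixOS keycloak module consumes `database.passwordFile` (loaded as a systemd credential it is fine; read as the keycloak user it fails), so please verify on the deployed nixpkgs. Suggest `sops.secrets.postgres-password = { sopsFile = ../../secrets/secrets.yaml; restartUnits = [ "keycloak.service" ]; };`.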
From: Danilo Reyes Date: Wed, 10 Dec 2025 02:51:58 -0600 Subject: [PATCH 11/28] Add Keycloak to the enabled services list and update its configuration to include the HTTP host setting --- hosts/server/toggles.nix | 2 +- modules/servers/keycloak.nix | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/hosts/server/toggles.nix b/hosts/server/toggles.nix index 6698e8b..048320a 100644 --- a/hosts/server/toggles.nix +++ b/hosts/server/toggles.nix @@ -76,11 +76,11 @@ in "mealie" "metube" "atticd" - "keycloak" ] // enableList mkEnabledIp [ "audiobookshelf" "vaultwarden" "readeck" + "keycloak" ]; } diff --git a/modules/servers/keycloak.nix b/modules/servers/keycloak.nix index b7ea960..c7e3e5c 100644 --- a/modules/servers/keycloak.nix +++ b/modules/servers/keycloak.nix @@ -32,6 +32,7 @@ in hostname-strict-https = false; http-enabled = true; http-port = cfg.port; + http-host = cfg.ip; proxy-headers = "xforwarded"; }; }; From bd26dc247bd9d76542b0221ecd5a5c1d3065d9ae Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 04:03:05 -0600 Subject: [PATCH 12/28] oauth --- hosts/server/toggles.nix | 1 + modules/servers/oauth2-proxy.nix | 51 ++++++++++++++++++++++++++++++++ secrets/env.yaml | 5 ++-- 3 files changed, 55 insertions(+), 2 deletions(-) create mode 100644 modules/servers/oauth2-proxy.nix diff --git a/hosts/server/toggles.nix b/hosts/server/toggles.nix index 048320a..1c6a32e 100644 --- a/hosts/server/toggles.nix +++ b/hosts/server/toggles.nix @@ -82,5 +82,6 @@ in "vaultwarden" "readeck" "keycloak" + "oauth2-proxy" ]; } diff --git a/modules/servers/oauth2-proxy.nix b/modules/servers/oauth2-proxy.nix new file mode 100644 index 0000000..c231bd0 --- /dev/null +++ b/modules/servers/oauth2-proxy.nix 
@@ -0,0 +1,51 @@
+{
+ lib,
+ config,
+ ...
+}:
+let
+ setup = import ../factories/mkserver.nix { inherit lib config; };
+ cfg = config.my.servers.oauth2-proxy;
+in
+{
+ options.my.servers.oauth2-proxy = setup.mkOptions "oauth2-proxy" "auth-proxy" 4180;
+ config = lib.mkIf (cfg.enable && config.my.secureHost) {
+ sops.secrets.oauth2-proxy = {
+ sopsFile = ../../secrets/env.yaml;
+ restartUnits = [ "oauth2-proxy.service" ];
+ };
+ services.oauth2-proxy = {
+ inherit (cfg) enable;
+ provider = "keycloak-oidc";
+ clientID = "oauth2-proxy";
+ keyFile = config.sops.secrets.oauth2-proxy.path;
+ oidcIssuerUrl = "https://auth.lebubu.org/realms/homelab";
+ redirectURL = "https://auth-proxy.lebubu.org/oauth2/callback";
+ httpAddress = "${cfg.ip}:${toString cfg.port}";
+ email.domains = [ "*" ];
+ cookie = {
+ name = "_oauth2_proxy";
+ secure = true;
+ expire = "168h";
+ refresh = "1h";
+ domain = ".lebubu.org";
+ };
+ extraConfig = {
+ skip-auth-routes = [
+ "^/ping$"
+ ];
+ set-xauthrequest = true;
+ pass-access-token = true;
+ pass-user-headers = true;
+ request-logging = true;
+ auth-logging = true;
+ session-store-type = "cookie";
+ skip-provider-button = true;
+ };
+ };
+ systemd.services.oauth2-proxy = {
+ after = [ "network-online.target" ];
+ wants = [ "network-online.target" ];
+ };
+ };
+}
diff --git a/secrets/env.yaml b/secrets/env.yaml
index 3467917..08558be 100644
--- a/secrets/env.yaml
+++ b/secrets/env.yaml
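Review bot: `email.domains = [ "*" ];` makes any account that exists in the Keycloak realm sufficient to pass the gateway, so authorization for every auth_request-protected app (the TODO names homepage-dashboard and stash) collapses to "can log in to Keycloak"; with `provider = "keycloak-oidc"` this can be narrowed with `allowed-role` / `allowed-group` entries in `extraConfig`, keyed on roles or groups Keycloak puts in the token. `set-xauthrequest = true` and `pass-user-headers = true` are only safe if the upstream apps cannot be reached except through the nginx vhost that injects the X-Auth-Request-* headers, because a client that reaches an app directly can send those headers itself — the nginx side of that is not in this series, so a comment here stating that assumption would help. With `session-store-type = "cookie"` and `pass-access-token = true` the Keycloak access token also lives inside the (encrypted) cookie, so the 168h expiry deserves a note such as `# session incl. access token lives in the cookie; refresh="1h" roughly bounds how long a revoked Keycloak session stays usable here`.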
@@ -12,6 +12,7 @@ synapse: ENC[AES256_GCM,data:IR0pFwQBEM4O8mzzYXrPe2FjulSUGuitzLDLms2uovr6gEU82mC readeck: ENC[AES256_GCM,data:TsIkHLji37dDHQRt78SquBhoSREHDgvgbc6+M1k2MLrgMGJ/Ejfy5AZXCIp/Qj5sXDzKP4j6Y6xFvGLswCqe02XjqGCpX13gZVCFPuKr8Nq051Xg,iv:Rc/pjYP+Vd/DvLCYsfJjDrnAlAiUlZOcNeeYzE6O3UY=,tag:OvR+CXMmrUFbsrHvduhnjA==,type:str] lidarr-mb-gap: ENC[AES256_GCM,data:bNzD9Nf9BWAPkm0Yk0J4MJbmo908QX9VsD+40Rngnfec9nzH4vZ2DrelxRllgT1kgnXMQzvoSgNhBwkDN4fgX73hz1FjkytTwahlO0wcY6R+tw4aokh0QYy0TVx5pZ4u1FEQOAp3IMgBsP8HOqaL/NEsEo3yb0K9iC3AfFihkLDJmVh26Pg=,iv:go0qS7/BcfcAMPkAdGWCoL61gNqBG5lWDev++y9DJ/I=,tag:LgtEyTZH8NfhfrKTcAigZw==,type:str] keycloak: ENC[AES256_GCM,data:BmwZxuJaOB8F7zmBNAf42lkw36s5TepimtdyT2xjdGVyuHgRHbTZqeVen7/0II39qrJjko4agZJgToIZ1uhaC/gpGSoHZlib3rJozPCqmBc42nO6SOtpIO8=,iv:kPModK85937/liNk6iLIRiQ/G5yB7S7h24ZzPb8A1zo=,tag:lWvDQAHVRiBz8XZUoADKvw==,type:str] +oauth2-proxy: ENC[AES256_GCM,data:IjHaomHQbt8PYWen6mcL9NWRlbTwv0ozk2ggiCsmWwT77U/D8n8JzlaBxJ5d50aqn4U0P+nNr6tQnBj/,iv:EbqmMUEZeprgCojN6h+uPWXsrUsd59HHsiOz8KwOIRU=,tag:3ke0SYGjvxKT1p7Na2pxvg==,type:str] sops: age: - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 
@@ -50,7 +51,7 @@ sops: QXRUYWtGcWZCVW11U3VYRktuUjlCbDgKsTK4WhUza/JuoDTU3uATa6fq/8eYzxtb 9BUK1ddzx9Mghea9XBMS17YGtGmW800OsLBomb3SINnOFvejcnKf8Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-10T08:26:05Z" - mac: ENC[AES256_GCM,data:rUc4vtnyqK7U6Zvx+BCVMT6yqhCBBsKY/Cfp13XzPzKqa/8sRI7PSEUBY+RSH0t2ShCUep+dWu0ghgFq9L2olJkwuOQ3MHPyIRw3ldwbuYwoRiCtvTkyvtZMaJouy/QrD+mHBr8a6UZRIl/6gnIxcqktzXUeKbCtJcSFj5ScHIg=,iv:j/mtZ3RJwMilVF5AFFUjo4Jm5IDlRIzZx1MdjOE+4gc=,tag:w4Niu71q3Lutu32VdFruHw==,type:str] + lastmodified: "2025-12-10T10:02:01Z" + mac: ENC[AES256_GCM,data:AAxT/ujy2OoQhZfqS/Dv6YMOWE3uSE9m0zy6fxRSSsN1A9muzNkUVtUWUUdmTC0galwth62s07IU91fHGv+y75MZ76TQMFUXvhkaQp3I4p9I0eDalQfrDaEjqnSKgTJ9jdjzGPAdnG0ZNZQESIQllMUzD5JRGIEiN7gmZo5BGLQ=,iv:BHQOJyaGPp4Hu1EV4bgIJzhLlGOqfWrH6+GI0eZ4Vpc=,tag:yKP1JPAb/z/I9uIMeB0KvA==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From dfe8ce2e4ba2e20fca103aa0261c54e5d0f36831 Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 04:06:35 -0600 Subject: [PATCH 13/28] duh, wrong secret --- secrets/env.yaml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/secrets/env.yaml b/secrets/env.yaml index 08558be..628556b 100644 --- a/secrets/env.yaml +++ b/secrets/env.yaml 
@@ -12,7 +12,7 @@ synapse: ENC[AES256_GCM,data:IR0pFwQBEM4O8mzzYXrPe2FjulSUGuitzLDLms2uovr6gEU82mC readeck: ENC[AES256_GCM,data:TsIkHLji37dDHQRt78SquBhoSREHDgvgbc6+M1k2MLrgMGJ/Ejfy5AZXCIp/Qj5sXDzKP4j6Y6xFvGLswCqe02XjqGCpX13gZVCFPuKr8Nq051Xg,iv:Rc/pjYP+Vd/DvLCYsfJjDrnAlAiUlZOcNeeYzE6O3UY=,tag:OvR+CXMmrUFbsrHvduhnjA==,type:str] lidarr-mb-gap: ENC[AES256_GCM,data:bNzD9Nf9BWAPkm0Yk0J4MJbmo908QX9VsD+40Rngnfec9nzH4vZ2DrelxRllgT1kgnXMQzvoSgNhBwkDN4fgX73hz1FjkytTwahlO0wcY6R+tw4aokh0QYy0TVx5pZ4u1FEQOAp3IMgBsP8HOqaL/NEsEo3yb0K9iC3AfFihkLDJmVh26Pg=,iv:go0qS7/BcfcAMPkAdGWCoL61gNqBG5lWDev++y9DJ/I=,tag:LgtEyTZH8NfhfrKTcAigZw==,type:str] keycloak: ENC[AES256_GCM,data:BmwZxuJaOB8F7zmBNAf42lkw36s5TepimtdyT2xjdGVyuHgRHbTZqeVen7/0II39qrJjko4agZJgToIZ1uhaC/gpGSoHZlib3rJozPCqmBc42nO6SOtpIO8=,iv:kPModK85937/liNk6iLIRiQ/G5yB7S7h24ZzPb8A1zo=,tag:lWvDQAHVRiBz8XZUoADKvw==,type:str] -oauth2-proxy: ENC[AES256_GCM,data:IjHaomHQbt8PYWen6mcL9NWRlbTwv0ozk2ggiCsmWwT77U/D8n8JzlaBxJ5d50aqn4U0P+nNr6tQnBj/,iv:EbqmMUEZeprgCojN6h+uPWXsrUsd59HHsiOz8KwOIRU=,tag:3ke0SYGjvxKT1p7Na2pxvg==,type:str] +oauth2-proxy: ENC[AES256_GCM,data:MnAMX4adm8joZGaxZhgMDGf/15U2tk3dE/0dHFwETIi4JdpNvG/PUHTWGmXJrUnRrFxdZaOtGUzAMF47,iv:eEoo0YM+wt2/pCcONHM9YPRj/q4fC9OQZr+ckRsmhjY=,tag:AevxpvvRt13T5w5xwzay5w==,type:str] sops: age: - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 
@@ -51,7 +51,7 @@ sops: QXRUYWtGcWZCVW11U3VYRktuUjlCbDgKsTK4WhUza/JuoDTU3uATa6fq/8eYzxtb 9BUK1ddzx9Mghea9XBMS17YGtGmW800OsLBomb3SINnOFvejcnKf8Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-10T10:02:01Z" - mac: ENC[AES256_GCM,data:AAxT/ujy2OoQhZfqS/Dv6YMOWE3uSE9m0zy6fxRSSsN1A9muzNkUVtUWUUdmTC0galwth62s07IU91fHGv+y75MZ76TQMFUXvhkaQp3I4p9I0eDalQfrDaEjqnSKgTJ9jdjzGPAdnG0ZNZQESIQllMUzD5JRGIEiN7gmZo5BGLQ=,iv:BHQOJyaGPp4Hu1EV4bgIJzhLlGOqfWrH6+GI0eZ4Vpc=,tag:yKP1JPAb/z/I9uIMeB0KvA==,type:str] + lastmodified: "2025-12-10T10:06:23Z" + mac: ENC[AES256_GCM,data:gyDuKTL+gL6L3F6EcUmUyTaDie6+DEre8ByiEgDKzNZsJh0+oz6tyNFxUHA0dgfHOmlRJ7Ffih/obMgA1JhKCaDu3v2DOHFd1IvQ1WDrGTzjY+QNCNJsaKNJR1eoCY34GLTVYnaLzJxikT9HnhIBDp69V16QbKQ2Y9jPh218VMY=,iv:XEleenWQq7fVJGpPvP6ABeIU0FJ3n8dJ4br1VfcrSUM=,tag:vx+rSaBioOz0zLXU/iTlpg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 8f04f99c852451122065d64ac36c5dad64bc12fb Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 04:14:51 -0600 Subject: [PATCH 14/28] Refactor oauth2-proxy configuration to change 'skip-auth-routes' to 'skip-auth-route' for improved clarity --- modules/servers/oauth2-proxy.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/modules/servers/oauth2-proxy.nix b/modules/servers/oauth2-proxy.nix index c231bd0..9dba2d0 100644 --- a/modules/servers/oauth2-proxy.nix +++ b/modules/servers/oauth2-proxy.nix @@ -31,9 +31,7 @@ in domain = ".lebubu.org"; }; extraConfig = { - skip-auth-routes = [ - "^/ping$" - ]; + skip-auth-route = [ "^/ping$" ]; set-xauthrequest = true; pass-access-token = true; pass-user-headers = true; From b5a5d429105b0bc1f7264f98011a2db05f86c90e Mon Sep 17 00:00:00 2001 
From: Danilo Reyes Date: Wed, 10 Dec 2025 04:25:47 -0600 Subject: [PATCH 15/28] Add oauth2-proxy cookie secret to configuration and update secrets.yaml for enhanced security management --- modules/servers/oauth2-proxy.nix | 5 +++++ secrets/secrets.yaml | 5 +++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/modules/servers/oauth2-proxy.nix b/modules/servers/oauth2-proxy.nix index 9dba2d0..4c6d5c5 100644 --- a/modules/servers/oauth2-proxy.nix +++ b/modules/servers/oauth2-proxy.nix @@ -14,6 +14,10 @@ in sopsFile = ../../secrets/env.yaml; restartUnits = [ "oauth2-proxy.service" ]; }; + sops.secrets.oauth2-proxy-cookie = { + sopsFile = ../../secrets/secrets.yaml; + restartUnits = [ "oauth2-proxy.service" ]; + }; services.oauth2-proxy = { inherit (cfg) enable; provider = "keycloak-oidc"; @@ -29,6 +33,7 @@ in expire = "168h"; refresh = "1h"; domain = ".lebubu.org"; + secret = config.sops.secrets.oauth2-proxy-cookie.path; }; extraConfig = { skip-auth-route = [ "^/ping$" ]; diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index 00e76b8..e5c2704 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml @@ -15,6 +15,7 @@ unpackerr: sonarr-api: ENC[AES256_GCM,data:74/aSs7Q2tcDh9hPGm88h2hIneOcJ+P9HaCqoeuL6FQ=,iv:1AOpCii7ED1EyOFNCzvgRp5tR2ic1U6oRi7yg0hUcLk=,tag:k1miUivDQPxRgBWhXi9f+w==,type:str] radarr-api: ENC[AES256_GCM,data:bZiJNk/ewREIBss+z4daVwL1UyI4rt8GxVmC/bpTNvc=,iv:li2kMzOgdWtLLr4l244P082Z0jwDB2aEC6iRYt3o/HY=,tag:mi9SY/pT2qTIzR/ngp8bGg==,type:str] postgres-password: ENC[AES256_GCM,data:V0g4T1cLUFnTN94zZZR83/KVJFUDGEWVEn6nyijnver4QCELUFkNr99s9g==,iv:1ymHA0JaVC2/aHdg4TmJmuKOG8JGZRRvynrgQIGdTss=,tag:xsCVpc+HBaNeswYvzo0PaA==,type:str] +oauth2-proxy-cookie: ENC[AES256_GCM,data:eWEgnIGcdq1aRXWokmVO9DDb+t2oAxNCwFeyOUITzHQ=,iv:x5CROKQ5arUMESWQsroC15xbtMA6/HvnArhBiGwAx6k=,tag:U5yYk1ztExZsou7gVvA8Og==,type:str] sops: age: - recipient: age1lufn6t35gs4wgevyr2gud4eec7lvkn7pgnnv4tja64ww3hef7gqq8fas37 
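Review bot: `secret = config.sops.secrets.oauth2-proxy-cookie.path;` hands `services.oauth2-proxy.cookie.secret` a file path, but as far as I know that option takes the secret value itself (it becomes the `--cookie-secret` argument), so the effective cookie signing/encryption key would be the literal path string — a predictable value that also ends up in the world-readable unit file in the Nix store. With sops-nix's default secret layout that path happens to be exactly 32 characters, so oauth2-proxy may start without any complaint about key length, which makes the mistake easy to miss. Since `keyFile` already loads an environment file, the safer shape is to put `OAUTH2_PROXY_COOKIE_SECRET=<value>` into that env secret and drop both `cookie.secret` and the new `sops.secrets.oauth2-proxy-cookie` entry; please confirm the option type on the deployed nixpkgs before relying on this.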
@@ -53,7 +54,7 @@ sops: RmRyZldlMjUwMEdUUEpDS2JSa2tDTTAKp/pT+0cNnCuKVL+Z0fEMiw1PL9PB/nSM QWVTo0Mt8Y6X0Xt0EAi9G5AYxADZ/mmEWPxB7RFgVAiMKtor5Gy1zw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-10T08:27:18Z" - mac: ENC[AES256_GCM,data:Q9mdmt8HI+yzOu3IiEbxtZ7jg/2+6EHtHyRAJndrlwKCbTM59Nqza3YJ5+EpOrQw+ydYhiG2gXZ8qU/f70s0XdDUlpo/EgOkYoLDCgqFQ8TQu7R7Fwjv9Lw27IomGyCtTouWLfIQC1lZV1I1Df61P8HiPzUmV3pEr87o7qD0f/w=,iv:Cst3qxD65ijqmB+ftLNdpRGmRjSjqW7MrSskd33Ght8=,tag:+zgclBJw/PYTQYzPMAFQUA==,type:str] + lastmodified: "2025-12-10T10:25:19Z" + mac: ENC[AES256_GCM,data:nltQOPjhpJ0+xPBpA8SZOxbV9HeahxS7xG6I+sdYHhNxPsjYnpyTlIf281NdnRaefcGbtcsXDBo3sDeiOjL6zfknQ88nMEyR0tFNXAjb0K1aPAtDfwoZR69hftWafJi9RWNCEFg0W3L/CSLPCB57Xqr3NSKtDeftCBcJ1kYpXmQ=,iv:loSoBoLIId6TNxh5PHrmYO9tVaF/HIJpE4U7fMphqCQ=,tag:WWZ3Fq5dB3eRK4jhKWUGNg==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0 From 7ab8789799719852e374e22f2849fe54bb4c1cad Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 04:38:27 -0600 Subject: [PATCH 16/28] Remove systemd service configuration for oauth2-proxy to streamline service management --- modules/servers/oauth2-proxy.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/modules/servers/oauth2-proxy.nix b/modules/servers/oauth2-proxy.nix index 4c6d5c5..33c8511 100644 --- a/modules/servers/oauth2-proxy.nix +++ b/modules/servers/oauth2-proxy.nix @@ -46,9 +46,5 @@ in skip-provider-button = true; }; }; - systemd.services.oauth2-proxy = { - after = [ "network-online.target" ]; - wants = [ "network-online.target" ]; - }; }; } From 451359dc4d87885f8f41ed14f37b10fb704706af Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 04:40:01 -0600 Subject: [PATCH 17/28] Add code-challenge-method to oauth2-proxy configuration for enhanced security compliance --- modules/servers/oauth2-proxy.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/modules/servers/oauth2-proxy.nix b/modules/servers/oauth2-proxy.nix index 33c8511..21b33c6 100644 
--- a/modules/servers/oauth2-proxy.nix +++ b/modules/servers/oauth2-proxy.nix @@ -44,6 +44,7 @@ in auth-logging = true; session-store-type = "cookie"; skip-provider-button = true; + code-challenge-method = "S256"; }; }; }; From b864c98786eb61e61ce11c64ba0dfdd16c34b4aa Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 04:49:35 -0600 Subject: [PATCH 18/28] Update oauth2-proxy configuration to use dynamic Keycloak URL and enhance redirect settings --- modules/servers/oauth2-proxy.nix | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/modules/servers/oauth2-proxy.nix b/modules/servers/oauth2-proxy.nix index 21b33c6..3933401 100644 --- a/modules/servers/oauth2-proxy.nix +++ b/modules/servers/oauth2-proxy.nix @@ -23,8 +23,7 @@ in provider = "keycloak-oidc"; clientID = "oauth2-proxy"; keyFile = config.sops.secrets.oauth2-proxy.path; - oidcIssuerUrl = "https://auth.lebubu.org/realms/homelab"; - redirectURL = "https://auth-proxy.lebubu.org/oauth2/callback"; + oidcIssuerUrl = "${config.my.servers.keycloak.url}/realms/homelab"; httpAddress = "${cfg.ip}:${toString cfg.port}"; email.domains = [ "*" ]; cookie = { @@ -45,6 +44,8 @@ in session-store-type = "cookie"; skip-provider-button = true; code-challenge-method = "S256"; + redirect-url = "${cfg.url}/oauth2/callback"; + whitelist-domain = [ ".lebubu.org" ]; }; }; }; From 8c55d42ba29880639487b43f1373169eacc02d7d Mon Sep 17 00:00:00 2001 From: Danilo Reyes Date: Wed, 10 Dec 2025 05:04:03 -0600 Subject: [PATCH 19/28] Remove redirect-url from oauth2-proxy configuration to simplify callback handling --- modules/servers/oauth2-proxy.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/modules/servers/oauth2-proxy.nix b/modules/servers/oauth2-proxy.nix index 3933401..1cf8b77 100644 --- a/modules/servers/oauth2-proxy.nix +++ b/modules/servers/oauth2-proxy.nix 
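Review bot: Replacing the typed `redirectURL` option with a `redirect-url` entry under `extraConfig` (removed again in the next commit) leaves oauth2-proxy to derive the callback URL from the incoming request, and behind nginx that is only correct if it trusts the proxy's X-Forwarded-Host/-Proto — `reverseProxy = true;` (the module's `reverse-proxy` flag) does not appear anywhere in this series as far as it shows, and enabling it has the same "only the proxy may reach `httpAddress`" requirement already raised for Keycloak. `whitelist-domain = [ ".lebubu.org" ];` deliberately lets `rd=` redirects land on any subdomain, which is the intended shape for a shared gateway but deserves a comment such as `# any *.lebubu.org host may be a post-login redirect target; keep this list this narrow`. Deriving `oidcIssuerUrl` from `config.my.servers.keycloak.url` is an improvement, since the issuer is now tied to the same option that drives Keycloak's `hostname`.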
@@ -44,7 +44,6 @@ in
 session-store-type = "cookie";
 skip-provider-button = true;
 code-challenge-method = "S256";
- redirect-url = "${cfg.url}/oauth2/callback";
 whitelist-domain = [ ".lebubu.org" ];
 };
 };
From 016b181d1b0af19904227a0c6266e9bf30ac956d Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Wed, 10 Dec 2025 11:31:16 -0600
Subject: [PATCH 20/28] disable gitea registration
---
modules/servers/gitea.nix | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/modules/servers/gitea.nix b/modules/servers/gitea.nix
index d69c8a3..86f3981 100644
--- a/modules/servers/gitea.nix
+++ b/modules/servers/gitea.nix
@@ -30,6 +30,10 @@ in
 FROM = config.my.smtpemail;
 SENDMAIL_PATH = "${pkgs.msmtp}/bin/msmtp";
 };
+ service = {
+ DISABLE_REGISTRATION = true;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
+ };
 };
 database = {
 socket = config.my.postgresSocket;
From 1ade9dd65ad397cd894d91c1f92a44035cf33860 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Wed, 10 Dec 2025 12:09:49 -0600
Subject: [PATCH 21/28] paperless test
---
modules/servers/paperless.nix | 1 +
1 file changed, 1 insertion(+)
diff --git a/modules/servers/paperless.nix b/modules/servers/paperless.nix
index 5763677..c1cb657 100644
--- a/modules/servers/paperless.nix
+++ b/modules/servers/paperless.nix
@@ -16,6 +16,7 @@ in
 PAPERLESS_DBNAME = "paperless";
 PAPERLESS_DBHOST = config.my.postgresSocket;
 PAPERLESS_TIME_ZONE = config.my.timeZone;
+ PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
 PAPERLESS_CONSUMER_IGNORE_PATTERN = builtins.toJSON [
 ".DS_STORE/*"
 "desktop.ini"
From e279e3811fb1ccbc9c7d816354b2625b04fe63e6 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Wed, 10 Dec 2025 12:43:28 -0600
Subject: [PATCH 22/28] paperless > http
---
modules/servers/paperless.nix | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/modules/servers/paperless.nix b/modules/servers/paperless.nix
index c1cb657..b737658 100644
--- a/modules/servers/paperless.nix
+++ b/modules/servers/paperless.nix
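Review bot: `DISABLE_REGISTRATION = true` and `ALLOW_ONLY_EXTERNAL_REGISTRATION = true` in the new `service` section of the gitea.nix hunk pull in opposite directions: as I read Gitea's documentation, `DISABLE_REGISTRATION` means only an administrator can create accounts, which may also stop the account creation on first OIDC login that this series is building toward (whether it does seems to depend on `[oauth2_client] ENABLE_AUTO_REGISTRATION`, which is not visible here), whereas `ALLOW_ONLY_EXTERNAL_REGISTRATION` on its own already expresses "no local signup, identity provider only". If SSO-provisioned accounts are the goal, `DISABLE_REGISTRATION = false;` with `ALLOW_ONLY_EXTERNAL_REGISTRATION = true;` is the documented combination; if admin-created accounts are the goal, the second key is redundant and a comment should say which policy is intended. Worth confirming against the deployed Gitea version before relying on it.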
@@ -1,17 +1,20 @@
 { lib, config, ... }:
 let
 cfg = config.my.servers.paperless;
+ port = config.services.paperless.port;
 in
 {
 options.my.servers.paperless.enable = lib.mkEnableOption "Paperless-ngx document management system";
 config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) {
- networking.firewall.allowedTCPPorts = [ config.services.paperless.port ];
+ networking.firewall.allowedTCPPorts = [ port ];
 services.paperless = {
 inherit (cfg) enable;
- address = "0.0.0.0";
+ address = config.my.ips.server;
 consumptionDirIsPublic = true;
 consumptionDir = "/srv/pool/scans/";
 settings = {
+ PAPERLESS_ACCOUNT_DEFAULT_HTTP_PROTOCOL = "http";
+ PAPERLESS_URL = "http://${config.my.ips.server}:${builtins.toString port}";
 PAPERLESS_DBENGINE = "postgress";
 PAPERLESS_DBNAME = "paperless";
 PAPERLESS_DBHOST = config.my.postgresSocket;
From b00459e26e5bc47b16250a558562bcd2a86fdc97 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Wed, 10 Dec 2025 13:08:08 -0600
Subject: [PATCH 23/28] paperless signon social
---
modules/servers/paperless.nix | 3 +++
1 file changed, 3 insertions(+)
diff --git a/modules/servers/paperless.nix b/modules/servers/paperless.nix
index b737658..7d9fe4b 100644
--- a/modules/servers/paperless.nix
+++ b/modules/servers/paperless.nix
@@ -20,6 +20,9 @@ in
 PAPERLESS_DBHOST = config.my.postgresSocket;
 PAPERLESS_TIME_ZONE = config.my.timeZone;
 PAPERLESS_APPS = "allauth.socialaccount.providers.openid_connect";
+ PAPERLESS_ACCOUNT_ALLOW_SIGNUPS = false;
+ PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS = true;
+ PAPERLESS_SOCIAL_AUTO_SIGNUP = true;
 PAPERLESS_CONSUMER_IGNORE_PATTERN = builtins.toJSON [
 ".DS_STORE/*"
 "desktop.ini"
From 6cf501ab6263d8c97f652ffbad337d1479acf398 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Wed, 10 Dec 2025 13:51:54 -0600
Subject: [PATCH 24/28] mealie keycloak init
---
modules/servers/mealie.nix | 8 ++++++++
secrets/env.yaml | 6 +++---
2 files changed, 11 insertions(+), 3 deletions(-)
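Review bot: `PAPERLESS_URL = "http://${config.my.ips.server}:${builtins.toString port}"` together with `PAPERLESS_ACCOUNT_DEFAULT_HTTP_PROTOCOL = "http"` makes Paperless advertise itself, and build its OIDC callback URL, over plain HTTP on the server's LAN address, so the authorization code returned by Keycloak and the session cookie that follows it travel unencrypted between browser and server. Paperless also derives its allowed hosts and trusted origins from `PAPERLESS_URL`, so if the instance is ever reached through an HTTPS reverse proxy under a hostname, form posts and the OIDC redirect will be rejected for that origin — I cannot see from this hunk whether such a proxy exists for paperless. If direct LAN access without TLS is the deliberate deployment model, say so above the two new settings, e.g. `# reached directly on the LAN IP, no TLS in front: allauth must emit http:// callback URLs`, so the weaker transport is a recorded decision rather than an accident.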
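Review bot: `PAPERLESS_SOCIAL_AUTO_SIGNUP = true` combined with `PAPERLESS_SOCIALACCOUNT_ALLOW_SIGNUPS = true` in the second paperless.nix hunk means a Paperless account is created silently for every identity Keycloak is willing to authenticate for this client, so authorization now lives entirely in the Keycloak client and realm configuration and nothing in this file limits who gets in. If auto-signup matches an incoming identity to an existing local account by e-mail, the identity provider has to be the party guaranteeing that e-mails are verified and unique, which Keycloak enforces per realm only when configured to — I cannot confirm that from here. A comment such as `# any realm user admitted to the Keycloak client gets an account on first login; restrict access in Keycloak, not here` would make that trust boundary explicit to the next reader.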
diff --git a/modules/servers/mealie.nix b/modules/servers/mealie.nix
index eef34ef..fc01ab0 100644
--- a/modules/servers/mealie.nix
+++ b/modules/servers/mealie.nix
@@ -25,6 +25,14 @@ in
 WEB_CONCURRENCY = "1";
 SMTP_HOST = "smtp.gmail.com";
 SMTP_PORT = "587";
+ OIDC_AUTH_ENABLED = true;
+ OIDC_SIGNUP_ENABLED = true;
+ OIDC_CLIENT_ID = "mealie";
+ OIDC_ADMIN_GROUP = "admins";
+ OIDC_AUTO_REDIRECT = true;
+ OIDC_USER_CLAIM = "email";
+ OIDC_PROVIDER_NAME = "Keycloak";
+
 };
 credentialsFile = config.sops.secrets.mealie.path;
 };
diff --git a/secrets/env.yaml b/secrets/env.yaml
index 628556b..b7d0d03 100644
--- a/secrets/env.yaml
+++ b/secrets/env.yaml
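Review bot: The new OIDC block sets the client ID, admin group and user claim but neither the provider's configuration URL nor the client secret, so a reader has to guess that they live in the sops-managed `credentialsFile` referenced two lines below; a one-line comment such as `# OIDC_CONFIGURATION_URL and OIDC_CLIENT_SECRET are supplied via credentialsFile (sops)` would close that gap. `OIDC_USER_CLAIM = "email"` also means existing Mealie users are matched to incoming identities by e-mail address, which is only safe when the realm guarantees verified, unique e-mails — worth confirming on the Keycloak side. The `settings` attribute set these lines belong to starts before the hunk.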
@@ -2,7 +2,7 @@ gitea: ENC[AES256_GCM,data:8o+U4qFdyIhCPNlYyflQIuLHsQHtbT6G/a0OyCUeg9DtIeABXNVFh shiori: ENC[AES256_GCM,data:tV7+1GusZvcli8dM86xOD71dc2mzcyfQwMeTh//LDb0=,iv:ED9wR6QjQgwd9Ll/UC5FK3CyYK3b0RniC/D6Y0nGEOI=,tag:X/aopMc2vhnRW2iTphFflQ==,type:str] flame: ENC[AES256_GCM,data:XsYRsA2xs+juWje2Od2Yl2xIvU0OS8xMrtwtcK/0NyyRrg==,iv:FR8lHsNQNCaOy4P+7BsIjNCz+H38i5RlwLYQ4fpB2+w=,tag:61EV7H04pcr1bSX4nSvlpw==,type:str] ryot: ENC[AES256_GCM,data:VMWf3VqcUdyJu2Ygd3XmoqGNWY/W/VJ4213ej0FrA95kAoX+S+j0+4a4B65NtW9UheDSxD1swTXebyenJCIN/tEZwH2wj9I12akNNvSDpt/LG3d1/BZ62cvLCb5n9vyE/vcXgJVfPUqmc67pYDWLpEV/vkKjpqwNH4Y8vnapVo1ytIgsjkTuBb7VFbnRPvYs6J1M0rnaTtkVhOBoRxv+Xg3pWYCgFEXdM/Pg/WKqdHpyh+tJqR74Z91Mwv6G56ZYEDQmAp+Cn+Kk2zZ+t44UAu1SQOgYXPLep+4/PgWw/vQMuyN7GNNP6TrsX3g+ONtJtkdmGu6ArcfbRAky4vM14DxlQP4xSjYSu+FDWGJL/J4TMw6IVDuw/TDVNpMrhBmZdPujYLUW1c6GCCEchBknNfw/Wt+NyTjOzCmZLVw760jY05Fa9kcW2kz+P0iAGTviY7yJZWDctP6PrVNtG1cXc4noJqV/uJ9sQmuGWCiTzaCIIZEhwRKnvjpvZNisKPhx4tctZMWm8l9gKO/TJC/SHMIhvEazmH4v0AzCiRUzdTfnWQZGTNenDrCUetztPh/UUJbLZjhFBH3QR26w/3I5oNpUzUDhfDhcEYtfWuB7ckbkXT8nyYMfe0OR16yJTfQCdnIPBhAUi1g1ZV3jFg+OhYWxk73lPiqC1ADRNh01L1k90PMMWtLXXm6aQ28cB+iQTvvgKbDrr76U8bXoZUyEl30waOQ2HT6nDG61OBUtQHTu6/cFhfhrnU6poAD/k+L7SyqcBoMYAZJN6Us1y3SKhV/3mXVKjRwSl5XZSW+ZpcRe/Cg4bonxFBYsZyY3VjK0LC4Cj8ijh4LpYWrGWtVmWOt/gg7UQPTd81A=,iv:Oa2pvfDpfPr3pqeAg2kYIzjf8KUK9ckMfbVymM78FyE=,tag:XyjYEvWo46BliYXdDH8QrQ==,type:str] -mealie: ENC[AES256_GCM,data:RjKqDs70lWhGN0LXPp3feQfW/WtfJlR6vX++0hwGtqcA3iepEh2Ab/36YRKbsVRBkglp0u18MusTmP0LSHUpzgCn/c/5ZzzRLGL83K3aQRlg8JtdTvzvEnLQSdE=,iv:GEfa8LwpOhkqWtLk0I5F14zkHcnFjVhVaHeLSFlDkN4=,tag:lkGcFn91hVxraMHCKF7rXQ==,type:str] +mealie: 
ENC[AES256_GCM,data:JmubDEnMp/djzsO6AQOyJkTKZYAUbTMoeIKGQ423MZfGbMVld0vmVSR0C1l8J4VFhW3HLGsoDdg4yRHpckgyqrN+VVFPovsDUZS71VnTNSP02CuJCjmqt4p6VGnB2wBlPKHx51VwFiVO3Q3WbwGivE3XjqQaF7mZuQOAuNjNOW7qinh062/d78uzU3c4s5eD8HBiq+3Q2O+Mj5CUW+PA580ikxur+/tGusE5TniqX8A56Fo8McTU/2w7YoA6f5UaFTHDdmDTwF7mhhxd/70k0hoeb8iQkIapvPFVME6osBHlF43wDhRS+OAFb0ZuMumf1g==,iv:Ynpbqb7Np5SPBCqVuIh9rxeE5nVIoNZNddvllrPOXZs=,tag:u/P1kaEEnfkHHj2Sul0Bww==,type:str] maloja: ENC[AES256_GCM,data:yCwokfD4I1Boy2NOhOTLA3dWgUVOdSzWKIEdYC0klvYu41IGcM8bM65uYFmiOtk+jHgt6j3kO/pBBlC4w/iTElphTqFyFRGdBN4fNRntAhMzqOszBZII,iv:Vf9hfNwSTBkh2cXV7Y2fv4NA8kng2M1i7BtTXJvy4u4=,tag:KLc8sP6N2/Pp/9069E3aPQ==,type:str] multi-scrobbler: ENC[AES256_GCM,data:ce3dd0PKm6eyD2AqWmw+8iex/tBHgMhG8ASoOMkT3c9k6kiZabpTTFTkcouMO+s42P+qjWQAUJcJlDdYVYJZbAqw8nnxLrtYmKoBknSbbWijlR//CpgfwuuAWIyGQAGVPliuxz+lR+1cf/G2mXM+FJIfp8Sliak3v/nGg3ry0bdjbOLVoBM4rS90Jrq98ZuBrjlFVhcJTKkEHtgDv8N56wWbPL/r3cTlS9MoEu2ulCSLvfu/snr8HqJ5yssAGQ==,iv:jOJulX6o3t+W6DrD6sU7amDH7JQP/JFGBI9IM8m/sXU=,tag:jFZoLpYFXj+xplbypf3nvw==,type:str] vaultwarden: ENC[AES256_GCM,data:NituIOyGrYALEkuwKT0RRS1gvi3wjC6ZSAfUIejfi8xoePE6vSNztJTGsRSIh4sJnRrQIiDuKTmRKZDM6AtX/oEBsNW8MVq+lWAq/vtcO7fuTriySEungmpXhQwRZD6NsXE+9283P3s6RshpA4iipmENiW2v2/uxkIXxtTguUxfX0psWYtF6mx5/hpaoNZ523OB69m6veAxD6Pmnj+pTOAORGXHldoNrxNc35WBDdndjAZICyO873tbs22VJOWD9a66BNxtfwIPYoFkuPO6QG3nnFfyPSQ==,iv:rmDJbrP+NQ5HGdRCWSYfymP8dU9WJdMEhAg80eupgeY=,tag:kdNzgWjgeqaTCjqUCc4uWw==,type:str] 
@@ -51,7 +51,7 @@ sops:
 QXRUYWtGcWZCVW11U3VYRktuUjlCbDgKsTK4WhUza/JuoDTU3uATa6fq/8eYzxtb
 9BUK1ddzx9Mghea9XBMS17YGtGmW800OsLBomb3SINnOFvejcnKf8Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-12-10T10:06:23Z"
- mac: ENC[AES256_GCM,data:gyDuKTL+gL6L3F6EcUmUyTaDie6+DEre8ByiEgDKzNZsJh0+oz6tyNFxUHA0dgfHOmlRJ7Ffih/obMgA1JhKCaDu3v2DOHFd1IvQ1WDrGTzjY+QNCNJsaKNJR1eoCY34GLTVYnaLzJxikT9HnhIBDp69V16QbKQ2Y9jPh218VMY=,iv:XEleenWQq7fVJGpPvP6ABeIU0FJ3n8dJ4br1VfcrSUM=,tag:vx+rSaBioOz0zLXU/iTlpg==,type:str]
+ lastmodified: "2025-12-10T19:51:43Z"
+ mac: ENC[AES256_GCM,data:2U3Q6V1RL4xqPQbTvAZ76J/q8buGZTlZpSx5Alj2C1txarbHgeEkoHCmnkK6c3KQPD1qoBwuAhLd1z3FOTujmQERW+ptStShj03dNX+qW+hTHKrhJ6VKDuN5euOa1MkABO2LT1ylHNLahOlht5wYLP8JPoNyLuBtAAsZ1bZwHtY=,iv:BW+JF27xdbWpjcje2Px5XSLtjMp2zvtTl7q/+ihFxIE=,tag:LjRx1DCafMh9JPuPVkOGYQ==,type:str]
 unencrypted_suffix: _unencrypted
 version: 3.11.0
From 41850af033e6174349e7fb96f8e0ca272ca3103a Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Wed, 10 Dec 2025 18:08:04 -0600
Subject: [PATCH 25/28] uhh
---
modules/servers/mealie.nix | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/modules/servers/mealie.nix b/modules/servers/mealie.nix
index fc01ab0..472aa65 100644
--- a/modules/servers/mealie.nix
+++ b/modules/servers/mealie.nix
@@ -31,8 +31,7 @@ in
 OIDC_ADMIN_GROUP = "admins";
 OIDC_AUTO_REDIRECT = true;
 OIDC_USER_CLAIM = "email";
- OIDC_PROVIDER_NAME = "Keycloak";
-
+ OIDC_PROVIDER_NAME = "keycloak";
 };
 credentialsFile = config.sops.secrets.mealie.path;
 };
From 7846f5a8229f344e78f74c4efa1b1b3bdba932ab Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Wed, 10 Dec 2025 18:29:41 -0600
Subject: [PATCH 26/28] hmhmm?
---
modules/servers/mealie.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/servers/mealie.nix b/modules/servers/mealie.nix
index 472aa65..af8f1ec 100644
--- a/modules/servers/mealie.nix
+++ b/modules/servers/mealie.nix
@@ -28,7 +28,7 @@ in
 OIDC_AUTH_ENABLED = true;
 OIDC_SIGNUP_ENABLED = true;
 OIDC_CLIENT_ID = "mealie";
- OIDC_ADMIN_GROUP = "admins";
+ OIDC_ADMIN_GROUP = "/admins";
 OIDC_AUTO_REDIRECT = true;
 OIDC_USER_CLAIM = "email";
 OIDC_PROVIDER_NAME = "keycloak";
From 75520f3b86d38e6547e0ec045b5483152f724e7a Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Wed, 10 Dec 2025 18:38:08 -0600
Subject: [PATCH 27/28] mealie configs
---
modules/servers/mealie.nix | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/modules/servers/mealie.nix b/modules/servers/mealie.nix
index af8f1ec..698a340 100644
--- a/modules/servers/mealie.nix
+++ b/modules/servers/mealie.nix
@@ -17,8 +17,8 @@ in
 TZ = config.my.timeZone;
 DEFAULT_GROUP = "Home";
 BASE_URL = cfg.url;
- API_DOCS = "false";
- ALLOW_SIGNUP = "false";
+ API_DOCS = true;
+ ALLOW_SIGNUP = false;
 DB_ENGINE = "postgres";
 POSTGRES_URL_OVERRIDE = "postgresql://${cfg.name}:@/${cfg.name}?host=${config.my.postgresSocket}";
 MAX_WORKERS = "1";
@@ -29,9 +29,9 @@ in
 OIDC_SIGNUP_ENABLED = true;
 OIDC_CLIENT_ID = "mealie";
 OIDC_ADMIN_GROUP = "/admins";
- OIDC_AUTO_REDIRECT = true;
 OIDC_USER_CLAIM = "email";
 OIDC_PROVIDER_NAME = "keycloak";
+ OIDC_SIGNING_ALGORITHM = "RS256";
 };
 credentialsFile = config.sops.secrets.mealie.path;
 };
From 3325d8b931a2479e9857708340dc472ce097d044 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Wed, 10 Dec 2025 18:45:57 -0600
Subject: [PATCH 28/28] bools to string
---
modules/servers/mealie.nix | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/modules/servers/mealie.nix b/modules/servers/mealie.nix
index 698a340..e040273 100644
--- a/modules/servers/mealie.nix
+++ b/modules/servers/mealie.nix
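Review bot: The first hunk of PATCH 27 (`@@ -17,8 +17,8 @@`) flips `API_DOCS` from `"false"` to enabled while the commit message says only "mealie configs"; that exposes Mealie's interactive OpenAPI documentation on an instance that is being wired to SSO, which is a deliberate surface-area decision that belongs in the message or in a comment, or should be reverted if it was left over from debugging the OIDC flow. If it is intentional, `API_DOCS = true; # OpenAPI UI exposed on purpose: <reason>` keeps the next reader from undoing it. The surrounding `settings` set starts before the hunk.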
@@ -17,16 +17,16 @@ in
 TZ = config.my.timeZone;
 DEFAULT_GROUP = "Home";
 BASE_URL = cfg.url;
- API_DOCS = true;
- ALLOW_SIGNUP = false;
+ API_DOCS = "true";
+ ALLOW_SIGNUP = "false";
 DB_ENGINE = "postgres";
 POSTGRES_URL_OVERRIDE = "postgresql://${cfg.name}:@/${cfg.name}?host=${config.my.postgresSocket}";
 MAX_WORKERS = "1";
 WEB_CONCURRENCY = "1";
 SMTP_HOST = "smtp.gmail.com";
 SMTP_PORT = "587";
- OIDC_AUTH_ENABLED = true;
- OIDC_SIGNUP_ENABLED = true;
+ OIDC_AUTH_ENABLED = "true";
+ OIDC_SIGNUP_ENABLED = "true";
 OIDC_CLIENT_ID = "mealie";
 OIDC_ADMIN_GROUP = "/admins";
 OIDC_USER_CLAIM = "email";
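Review bot: Nothing in the file says why `"true"`/`"false"` are spelled as strings in this hunk, so the next cleanup is likely to turn them back into Nix booleans exactly as happened between the two preceding commits; a comment on the `settings` set, e.g. `# rendered as environment variables: booleans must be the strings "true"/"false"`, pins the reason down (I am inferring the environment-variable rendering from the variable names, not from anything visible here). Note also that after this commit `ALLOW_SIGNUP = "false"` closes local registration while `OIDC_SIGNUP_ENABLED = "true"` still provisions an account for any realm user the Keycloak client admits, so who can use Mealie is now decided on the Keycloak side and that is worth a line in the same comment. The `settings` set continues past the end of the hunk.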