Merge branch 'main' of ssh://git.ghoscht.com:2222/ghoscht/nix-config

Revert "Make navidrome home-network-only again"
This reverts commit b21b9b774d.
2024-08-23 09:39:15 +02:00 · 2024-08-19 20:56:20 +02:00 · 2024-08-19 20:55:51 +02:00
5 changed files with 34 additions and 2 deletions
--- a/hosts/franz/arion/infrastructure/arion-compose.nix
+++ b/hosts/franz/arion/infrastructure/arion-compose.nix
@ -38,7 +38,7 @@
      };
      volumes = [
        "/home/ghoscht/.docker/infrastructure/traefik_config/traefik.yml:/traefik.yml:ro"
-        "/home/ghoscht/.docker/infrastructure/traefik_data/config.yml:/config.yml:ro"
+        "/home/ghoscht/.docker/infrastructure/traefik_config/conf:/conf:ro"
        "/storage/dataset/docker/infrastructure/traefik_data/acme.json:/acme.json"
        "/var/run/docker.sock:/var/run/docker.sock:ro"
        "traefik-logs:/var/log/traefik"
--- a/hosts/franz/arion/infrastructure/default.nix
+++ b/hosts/franz/arion/infrastructure/default.nix
@ -96,7 +96,8 @@ in {
          exposedByDefault: false
          network: dmz
        file:
-          filename: /config.yml
+          watch: true
+          directory: /conf/
      certificatesResolvers:
        letsencrypt:
          acme:
--- a/hosts/franz/arion/media/arion-compose.nix
+++ b/hosts/franz/arion/media/arion-compose.nix
@ -59,6 +59,13 @@
        "traefik.http.routers.navidrome.tls" = "true";
        "traefik.http.routers.navidrome.tls.certresolver" = "letsencrypt";

+        "traefik.http.services.navidrome-external.loadbalancer.server.port" = "4533";
+        "traefik.http.routers.navidrome-external.service" = "navidrome-external";
+        "traefik.http.routers.navidrome-external.rule" = "Host(`music.ghoscht.com`)";
+        "traefik.http.routers.navidrome-external.entrypoints" = "websecure-external";
+        "traefik.http.routers.navidrome-external.tls" = "true";
+        "traefik.http.routers.navidrome-external.tls.certresolver" = "letsencrypt";
+
        "diun.enable" = "true";
        "diun.watch_repo" = "true";
        "diun.sort_tags" = "semver";
@ -112,6 +119,7 @@
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.transmission.tls" = "true";
        "traefik.http.routers.transmission.tls.certresolver" = "letsencrypt";
+        "traefik.http.routers.transmission.middlewares" = "authentik@file";
      };
      volumes = [
        "/storage/dataset/docker/media/transmission_data:/config"
@ -155,6 +163,7 @@
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.prowlarr.tls" = "true";
        "traefik.http.routers.prowlarr.tls.certresolver" = "letsencrypt";
+        "traefik.http.routers.prowlarr.middlewares" = "authentik@file";

        "diun.enable" = "true";
        "diun.watch_repo" = "true";
@ -185,6 +194,7 @@
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.sonarr.tls" = "true";
        "traefik.http.routers.sonarr.tls.certresolver" = "letsencrypt";
+        "traefik.http.routers.sonarr.middlewares" = "authentik@file";

        "diun.enable" = "true";
        "diun.watch_repo" = "true";
@ -217,6 +227,7 @@
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.radarr.tls" = "true";
        "traefik.http.routers.radarr.tls.certresolver" = "letsencrypt";
+        "traefik.http.routers.radarr.middlewares" = "authentik@file";

        "diun.enable" = "true";
        "diun.watch_repo" = "true";
@ -250,6 +261,7 @@
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.lidarr.tls" = "true";
        "traefik.http.routers.lidarr.tls.certresolver" = "letsencrypt";
+        "traefik.http.routers.lidarr.middlewares" = "authentik@file";
      };
      volumes = [
        "/storage/dataset/docker/media/lidarr_data:/config"
@ -280,6 +292,7 @@
        "traefik.docker.network" = "dmz";
        "traefik.http.routers.bazarr.tls" = "true";
        "traefik.http.routers.bazarr.tls.certresolver" = "letsencrypt";
+        "traefik.http.routers.bazarr.middlewares" = "authentik@file";
      };
      volumes = [
        "/storage/dataset/docker/media/bazarr_data:/config"
--- a/rsc/docker/franz/infrastructure/traefik_config/conf/crowdsec.yml
+++ b/rsc/docker/franz/infrastructure/traefik_config/conf/crowdsec.yml
--- a/rsc/docker/franz/infrastructure/traefik_config/conf/headers.yml
+++ b/rsc/docker/franz/infrastructure/traefik_config/conf/headers.yml
@ -0,0 +1,18 @@
+http:
+  middlewares:
+    authentik:
+      forwardAuth:
+        address: http://authentik:9000/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-groups
+          - X-authentik-email
+          - X-authentik-name
+          - X-authentik-uid
+          - X-authentik-jwt
+          - X-authentik-meta-jwks
+          - X-authentik-meta-outpost
+          - X-authentik-meta-provider
+          - X-authentik-meta-app
+          - X-authentik-meta-version
Author	SHA1	Message	Date
GHOSCHT	9b46f6e9e9	Merge branch 'main' of ssh://git.ghoscht.com:2222/ghoscht/nix-config	2024-08-23 09:39:15 +02:00
GHOSCHT	ad901449e1	Revert "Make navidrome home-network-only again" This reverts commit `b21b9b774d`.	2024-08-19 20:56:20 +02:00
GHOSCHT	756536a2ee	Arion: Add authentik integration with non-oidc services	2024-08-19 20:55:51 +02:00