diff --git a/config/matrix-synapse.nix b/config/matrix-synapse.nix
index 7bc2a00..d60e516 100644
--- a/config/matrix-synapse.nix
+++ b/config/matrix-synapse.nix
@@ -98,7 +98,7 @@ in
 idp_id = "authentik";
 idp_name = "authentik";
 discover = true;
- issuer = "https://${auth_host}/application/o/chat/";
+ issuer = "https://${auth_host}/application/o/matrix/";
 client_id = sec.oidc_client_id;
 client_secret = sec.oidc_client_secret;
 scopes = [
diff --git a/config/papers-paperless.nix b/config/papers-paperless.nix
index 66b1f09..65dd60d 100644
--- a/config/papers-paperless.nix
+++ b/config/papers-paperless.nix
@@ -7,10 +7,11 @@
 {
 services.paperless = {
 enable = true;
+ address = "0.0.0.0";
 configureTika = true;
+ consumptionDirIsPublic = true;
 domain = tools.build_hostname "papers";
 environmentFile = config.age.secrets.papers-environment-file.path;
 passwordFile = config.age.secrets.papers-password-file.path;
- port = 80;
 };
 }
diff --git a/containers/music.nix b/containers/music.nix
index cdddfbc..00d6c28 100644
--- a/containers/music.nix
+++ b/containers/music.nix
@@ -23,16 +23,19 @@ in
 enable = true;
 providers = [
 "builtin"
- "builtin_player"
+ # "builtin_player"
 "chromecast"
 "deezer"
 "dlna"
+ "fanarttv"
 "filesystem_local"
 "filesystem_smb"
 "hass"
 "hass_players"
 "jellyfin"
- "player_group"
+ #"player_group"
+ "sendspin"
+ "universal_group"
 "ytmusic"
 "squeezelite"
 ];
diff --git a/containers/papers.nix b/containers/papers.nix
index 9a4d5bb..8b10554 100644
--- a/containers/papers.nix
+++ b/containers/papers.nix
@@ -7,7 +7,7 @@ in
 container = {
 cores = 1;
 memory = 512;
- disk = "6G";
+ disk = "10G";
 swap = 512;
 };
 db = {
@@ -15,7 +15,7 @@ in
 password = db_pass.papers;
 };
 system = {
- port = 80; # open in firewall + expose on proxy
+ port = 28981;
 importConfig = [
 ../config/papers-paperless.nix
 ];
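Review bot: The new issuer path `/application/o/matrix/` is only correct while the authentik application slug stays `matrix`, and nothing on the issuer line records that coupling, so a later slug change in modules/containers-terraform-authentik.nix would break OIDC discovery at runtime with no hint here. Add `# last path segment must equal authentik_application.matrix.slug (modules/containers-terraform-authentik.nix)` above the issuer line. The enclosing OIDC provider block starts and ends outside the hunk.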
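Review bot: `address = "0.0.0.0"` binds the paperless web UI on every interface of the container, so it answers to anything that can route to the container rather than only to the authentik proxy; if proxy-only access is intended, confirm the container firewall admits 28981 from the proxy host alone and note that on the line. `consumptionDirIsPublic = true` makes the consumption directory writable by every local account, so any process inside the container can feed documents into paperless — a one-line comment saying why that is wanted would help the next reader. Dropping `port = 80;` leaves the module default, which containers/papers.nix now mirrors with `port = 28981`; a comment such as `# port left at module default (28981); containers/papers.nix must match` keeps the two from drifting apart.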
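Review bot: `# "builtin_player"` and `#"player_group"` leave commented-out entries in the providers list instead of removing them, and the two use different spacing, so a reader cannot tell whether they are temporarily disabled or superseded by the new `sendspin`/`universal_group` entries. Either delete the two lines or annotate them in one consistent style, e.g. `# "builtin_player"  # disabled: REASON-HERE`. The providers list is fully inside the hunk; the enclosing attribute set is not.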
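Review bot: The removed comment was the only record that `system.port` is opened in the container firewall and exposed on the proxy; with `port = 28981;` that context is gone, and the next hunk of this file turns on `auth = true`, which presumably puts the UI behind the authentik proxy overlay. If the port really is opened in the firewall for the private LAN, the paperless backend stays reachable directly on 28981 and the overlay can be bypassed; confirm the rule is limited to the proxy host. Keep a short note on the line, e.g. `port = 28981; # paperless default; firewall should admit only the proxy`. The `system` attribute set continues past the hunk.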
@@ -24,7 +24,7 @@ in
 enable = true;
 metricsEnable = true;
 };
- private = true; # available only on private lan
- auth = false; # true; # auth overlay
+ private = true;
+ auth = true;
 };
 }
diff --git a/modules/containers-terraform-authentik.nix b/modules/containers-terraform-authentik.nix
index 4377737..7326193 100644
--- a/modules/containers-terraform-authentik.nix
+++ b/modules/containers-terraform-authentik.nix
@@ -6,6 +6,7 @@
 }:
 let
 cfg = config.my-lxc;
+ sec = import ../config/_matrix_secrets.nix;
 in
 {
 authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
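Review bot: `sec = import ../config/_matrix_secrets.nix;` pulls the OAuth2 client secret into Nix evaluation, and the second hunk of this file writes `sec.oidc_client_secret` into the generated terraform configuration; if that rendered config is built as a derivation it lands in the world-readable Nix store, and the value ends up in terraform state either way. The rest of the repository uses agenix for secrets (`config.age.secrets.*` in config/papers-paperless.nix), so the safer route is to hand the secret to terraform at apply time (a variable read from the decrypted file) instead of interpolating it at eval time; at minimum record the exposure with `# NOTE: evaluated at build time — secret appears in generated terraform config and state`. The `let` block is complete within the hunk; the attribute set that follows continues beyond it.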
@@ -20,31 +21,47 @@ in
 }
 ) cfg
 );
+ authentik_application =
+ lib.filterAttrs (_: v: v != { }) (
+ lib.mapAttrs (
+ containerName: def:
+ lib.optionalAttrs (def.auth) {
+ name = containerName;
+ slug = containerName;
+ protocol_provider = "\${resource.authentik_provider_proxy.${containerName}.id}";
+ }
+ ) cfg
+ )
+ // {
+ matrix = {
+ name = "matrix";
+ slug = "matrix";
+ protocol_provider = "\${resource.authentik_provider_oauth2.matrix.id}";
- # dns_provider = {
- # name = "dns";
- # authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
- # invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
- # external_host = "https://dns.plg.m0rel.eu/";
- # mode = "forward_single";
- # };
- authentik_application = lib.filterAttrs (_: v: v != { }) (
- lib.mapAttrs (
- containerName: def:
- lib.optionalAttrs (def.auth) {
- name = containerName;
- slug = containerName;
- protocol_provider = "\${resource.authentik_provider_proxy.${containerName}.id}";
- }
- ) cfg
- );
- authentik_outpost_provider_attachment = lib.filterAttrs (_: v: v != { }) (
- lib.mapAttrs (
- containerName: def:
- lib.optionalAttrs (def.auth) {
+ };
+ };
+ authentik_outpost_provider_attachment =
+ lib.filterAttrs (_: v: v != { }) (
+ lib.mapAttrs (
+ containerName: def:
+ lib.optionalAttrs (def.auth) {
+ outpost = "\${data.authentik_outpost.embedded.id}";
+ protocol_provider = "\${authentik_provider_proxy.${containerName}.id}";
+ }
+ ) cfg
+ )
+ // {
+ matrix = {
 outpost = "\${data.authentik_outpost.embedded.id}";
- protocol_provider = "\${authentik_provider_proxy.${containerName}.id}";
- }
- ) cfg
- );
+ protocol_provider = "\${authentik_provider_oauth2.matrix.id}";
+ };
+ };
+
+ authentik_provider_oauth2.matrix = {
+ name = "matrix";
+ authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
+ invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
+ client_id = sec.oidc_client_id;
+ client_secret = sec.oidc_client_secret;
+ };
 }
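Review bot: The `matrix` entry added to `authentik_outpost_provider_attachment` attaches an OAuth2 provider to the embedded outpost, but outposts serve proxy-style providers and an OIDC client does not need one, so this entry is probably redundant and may be rejected on apply — confirm, and drop it if so. As far as the hunk shows, `authentik_provider_oauth2.matrix` does not pin the authorization-code redirect to the synapse callback; if the provider resource supports restricting redirect URIs, set it to that callback so codes cannot be delivered elsewhere. The `protocol_provider` references also mix `\${resource.authentik_provider_proxy...}` in the application with `\${authentik_provider_proxy...}` in the attachment; both resolve, but one form would be easier to grep. The enclosing attribute set opens before the hunk.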