
remove caddy security

+24 -58
+1 -53
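--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@@ -3,46 +3,8 @@
   services.caddy = {
     enable = true;
     enableReload = true;
-    package = pkgs.caddy.withPlugins {
-      plugins = [ "github.com/greenpau/caddy-security@v1.1.50" ];
-      hash = "";
-    };
-    environmentFile = config.sops.templates."caddy.env".path;
     globalConfig = ''
       grace_period 1m
-      order authenticate before respond
-      order authorize before basicauth
-
-      security {
-        oauth identity provider homeassistant {
-          delay_start 3
-          realm homeassistant
-          driver generic
-          client_id {$HOMEASSISTANT_OIDC_CLIENT_ID}
-          client_secret {$HOMEASSISTANT_OIDC_CLIENT_SECRET}
-          scopes openid email profile
-          base_auth_url https://id.goo.garden
-          metadata_url https://id.goo.garden/.well-known/openid-configuration
-        }
-
-        authentication portal homeassistant_portal {
-          crypto default token lifetime 3600
-          enable identity provider homeassistant
-          cookie domain goo.garden
-          cookie insecure off
-          transform user {
-            match realm homeassistant
-            action add role authp/user
-          }
-        }
-
-        authorization policy homeassistant_policy {
-          set auth url https://home.goo.garden/auth/homeassistant
-          allow roles authp/user
-          validate bearer header
-          inject headers with claims
-        }
-      }
     '';
     logDir = "/mnt/nas/logs/caddy";
     virtualHosts = {
@@ -99,13 +61,7 @@
         reverse_proxy rk1-node-2:8000
       '';
       "home.goo.garden".extraConfig = ''
-        route /auth/* {
-          authenticate with homeassistant_portal
-        }
-        route {
-          authorize with homeassistant_policy
-          reverse_proxy rk1-node-2:8123
-        }
+        reverse_proxy rk1-node-2:8123
       '';
       "probe.outerwilds.space".extraConfig = ''
         reverse_proxy localhost:${config.services.uptime-kuma.settings.PORT}
@@ -118,14 +74,6 @@
     group = config.services.caddy.group;
     reloadServices = [ "caddy" ];
   };
-
-  sops.templates."caddy.env".content = ''
-    HOMEASSISTANT_OIDC_CLIENT_ID=${config.sops.placeholder.homeassistant-oidc-client-id}
-    HOMEASSISTANT_OIDC_CLIENT_SECRET=${config.sops.placeholder.homeassistant-oidc-client-secret}
-  '';
-
-  sops.secrets.homeassistant-oidc-client-id = { };
-  sops.secrets.homeassistant-oidc-client-secret = { };
 
   systemd.services.caddy = {
     after = [ "mnt-nas.mount" ];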
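Review bot: With the `authenticate` and `authorize` routes gone, the new `home.goo.garden` block is a bare `reverse_proxy rk1-node-2:8123`, so Home Assistant's own login is now the only gate on that hostname and nothing in the hunk records that this is deliberate. A comment above the new line, `# no edge auth here: login is handled by Home Assistant itself (http.yaml in modules/home-assistant.nix tells it to trust this proxy)`, would make the decision visible to the next reader. Since that trusted-proxy setup lets Home Assistant see real client addresses, its own login-attempt throttling (`ip_ban_enabled` / `login_attempts_threshold` in the same `http:` block) is the natural replacement for the removed portal and worth enabling alongside this change. If the module head still declares `pkgs`, it is presumably unused now that `package = pkgs.caddy.withPlugins` is gone; the head is outside the hunk so that cannot be confirmed here.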
+19 -3
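--- a/modules/home-assistant.nix
+++ b/modules/home-assistant.nix
@@ -1,4 +1,19 @@
-{ config, ... }:
+{
+  config,
+  pkgs,
+  hosts,
+  ...
+}:
+let
+  # add `http: !include http.yaml` to configuration.yaml
+  httpConfig = (pkgs.formats.yaml { }).generate "http.yaml" {
+    use_x_forwarded_for = true;
+    trusted_proxies = [
+      hosts.cm4-node-1.ipv4
+      hosts.cm4-node-1.ipv6
+    ];
+  };
+in
 {
   virtualisation.oci-containers = {
     backend = "podman";
@@ -7,6 +22,7 @@
       volumes = [
         "/var/lib/homeassistant:/config"
         "/run/dbus:/run/dbus:ro"
+        "${httpConfig}:/config/http.yaml:ro"
       ];
       extraOptions = [
         "--network=host"
@@ -25,7 +41,7 @@
       acl = [ "topic readwrite #" ];
       users.zigbee2mqtt = {
         acl = [ "readwrite #" ];
-        hashedPasswordFile = config.sops.secrets.zigbee2mqtt-mosquitto-hashedpassword.path;
+        hashedPasswordFile = config.sops.secrets.zigbee2mqtt-mosquitto-password-hashed.path;
       };
     }
   ];
@@ -47,7 +63,7 @@
   };
 
   sops.secrets.zigbee2mqtt-mosquitto-password = { };
-  sops.secrets.zigbee2mqtt-mosquitto-hashedpassword = { };
+  sops.secrets.zigbee2mqtt-mosquitto-password-hashed = { };
 
   networking.firewall.allowedTCPPorts = [
     8123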
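Review bot: The generated `http.yaml` is mounted into `/config`, but it only takes effect if `configuration.yaml` actually contains `http: !include http.yaml`, which the comment in the first hunk leaves as a manual step that nothing in the module checks. Without that include, Home Assistant keeps treating requests that arrive through Caddy as coming from an untrusted proxy and rejects them, and now that the Caddy portal is gone this becomes the user-facing failure; consider extending the comment to state that consequence so a fresh host is not left half-configured. `trusted_proxies` is pinned to `hosts.cm4-node-1.ipv4` and `.ipv6`, which I take to be the Caddy host; if Caddy reaches rk1-node-2 from any other address (a second interface, a container bridge), its forwarded headers would be ignored, so that pairing is worth confirming on the deployed host.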
+4 -2
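--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -12,6 +12,8 @@
 kitchenowl-oidc-client-secret: ENC[AES256_GCM,data:rAaxP7OZoQ/soElu10BYnI7L1Fze3AwXkZE1geZ87jE=,iv:nZpHxJZPRndNpAJVrB6YsKPS1SgovfcFIZ9XtP+8dEY=,tag:N6ew5wyFhZChIf5yBV/bVQ==,type:str]
 immich-db-password: ENC[AES256_GCM,data:fnhbOlPlidS0mPV/ehJbauutyDgzycTseHNfR33/MUQl6bE8bZ8aWRpRbqHtUy1UfxjJfoeJF5C+IcJTGYXRdA==,iv:faUyWBEy73G5GOrtI+NUODLzyV10ISOIZ+JJLGPv8zA=,tag:jqhVAo+JYYuFdqi7Zpn89A==,type:str]
 immich-oidc-client-secret: ENC[AES256_GCM,data:5HyB9XWsN6QLdWvnxfNI2WO5snbj4oRl78fW++R40Zk=,iv:5Oo46wCTkFCy4859rLLCISgC77dv0beEhTQ8s2gUmKA=,tag:X7qULtRuSFhCutb67Z+fgg==,type:str]
+zigbee2mqtt-mosquitto-password: ENC[AES256_GCM,data:dXD9+mMETKdf9huDlYgzogeyKfqOzT07ydWcSI9VKyCclYQzBIxTgm72E/GEhhFWLEHAgxoOAjjWQejPflvHbA==,iv:82elJgcRYHup1rESG5nAQlfTEmKXlK/6gUOQqjpPOdg=,tag:nBUym60JWWTMlAGhCQGVyw==,type:str]
+zigbee2mqtt-mosquitto-password-hashed: ENC[AES256_GCM,data:/jaOxL6CuAY6gyAD1sgb5Vp+jDAPkUbie2YcknEVMvIGR0di7RgVPhgUctzzyF9sicxZrid3b9iwWe9Q1c77GU45eKUtQfrWfqUnIf434g5bhuRJxsCzQ+u0SuyLbsQOUzTRZR/uCIovGY64suPYTQ==,iv:P0mmkdmnR66l9a748qsLIZaChsSbxzICTN+TJwOy5xw=,tag:rZtfK8eSrdFnb6yAfNfwHA==,type:str]
 backup-repository: ENC[AES256_GCM,data:v6tUjTwVsym8i52jcapjSRXPIjX2xNFY+bZRkHnVsp4AebcksHzHEDX6N4BF3OuQ2KepOfHngMn61Mk=,iv:HPV+8aCPpvFnytja6RUA7hJdtz2BMI1zsH01w1J9r2w=,tag:znMIFmrcsKTIq2TowhAV0w==,type:str]
 backup-identity: ENC[AES256_GCM,data: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,iv:YpRoGlD8YFxZ+RChb6T4Eh665AMTTeTJXRFR0xa7l3k=,tag:FWOVonF+SYbbgQoopa2lhA==,type:str]
 sops:
@@ -61,7 +63,7 @@
             ajA5bDZCY1BnblVYRGQ1QTE2S2I4M2cKSIGmFBP6sqiiM+cvTMQuZHit9fN5Vffk
             1pWz8xSen/tqoywqipRf3LqzFb2K7Bx15vwazHbm6LJJa+ZQaruVMg==
             -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2026-03-24T10:27:04Z"
-  mac: ENC[AES256_GCM,data:2hUNdVeqyR1pZ9lHdegPT6BlNMDJkh+egV2BHD4WlqIYnlOiExO+hN0eFt/yFGpEp0+HKuc7EBpizTInhA8Fyp/PlLW3f2mMex9LLUAiWnwAJkjJSeB78QDfy8DRqNmkAPRBAYhixF1iukHcG6Svh3mF2IHCnwgWd/O7ysWmeyg=,iv:pTBopn+EKULEieYxI2aNWyhCbQyCrUi9XMqDxrtdjq0=,tag:KFTUoR8GIY9FcX7LQa2szw==,type:str]
+  lastmodified: "2026-03-24T16:07:14Z"
+  mac: ENC[AES256_GCM,data:Vi4nG2qoP+BxCmdPYfE2UhieRuks/HtJcjZW8RxpKHdR+2TGcd6wMSWBvWcbA6eEgnckpYdU9Si/SDncfLl5VTx2k6EcoM5cbke9V5rz8+C4tNBOB0b8aOa8YRcF5U8oLAqhA/Xg54ltdHqjlo5JFZgbN7+XLeQvMNJm3CD8zmA=,iv:2i1bh/93Bw+CuSFsic5IxdqcHmF/HEmrj+KcAgkilns=,tag:MbmWiHrZbSj3g39WoCTwKQ==,type:str]
   unencrypted_suffix: _unencrypted
   version: 3.12.2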
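Review bot: This hunk only adds the two zigbee2mqtt keys, while the caddy.nix part of the same commit drops the `sops.secrets.homeassistant-oidc-client-id` and `-client-secret` declarations; if matching `homeassistant-oidc-client-*` entries exist elsewhere in this file (none are visible in the hunk) they are now unreferenced and should be removed here in a follow-up. The OIDC client registered at the identity provider for the removed portal can be retired at the same time, so a credential that nothing uses any more does not stay valid.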