add tasks md with caddy security

+94 -4
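--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 keys/
 nixos.*
+CLAUDE.md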
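--- a/hosts/cm4-node-2.nix
+++ b/hosts/cm4-node-2.nix
@@ -4,7 +4,14 @@
     ../hardware/cm4
     ../modules/common.nix
     ../modules/mumble.nix
+    ../modules/tasks-md.nix
   ];
 
   system.stateVersion = "23.11";
+
+  virtualisation.podman = {
+    enable = true;
+    dockerCompat = true;
+    defaultNetwork.settings.dns_enabled = true;
+  };
 }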
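Review bot: `dockerCompat = true;` in the new `virtualisation.podman` block does not appear to be needed by anything this commit adds: modules/tasks-md.nix declares `backend = "podman"` for oci-containers, so the podman systemd units are used directly and the docker-compatible alias/socket would only widen what is installed and exposed on cm4-node-2. Unless another tool on this host relies on a `docker` binary, I would drop that line (or add a comment naming the consumer) so the host keeps the smaller surface. The other two settings look consistent with running the tasks-md container from that module.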
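--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@@ -1,10 +1,50 @@
-{ config, pkgs, ... }:
+{ config, pkgs-stable, ... }:
 {
   services.caddy = {
     enable = true;
     enableReload = true;
+    package = pkgs-stable.caddy.withPlugins {
+      plugins = [ "github.com/greenpau/caddy-security@v1.1.50" ];
+      hash = "sha256-8iTRB1sHWPwqNY3ds7NqWCJ5tkvWSRN474yeWXtBmgM=";
+    };
+    environmentFile = config.sops.templates."caddy.env".path;
     globalConfig = ''
       grace_period 1m
+
+      order authenticate before respond
+      order authorize before basicauth
+
+      security {
+        oauth identity provider tasks {
+          delay_start 3
+          realm tasks
+          driver generic
+          client_id {$TASKS_OIDC_CLIENT_ID}
+          client_secret {$TASKS_OIDC_CLIENT_SECRET}
+          scopes openid email profile
+          base_auth_url https://id.goo.garden
+          metadata_url https://id.goo.garden/.well-known/openid-configuration
+        }
+
+        authentication portal tasks_portal {
+          crypto default token lifetime 3600
+          enable identity provider tasks
+          cookie domain goo.garden
+          cookie insecure off
+          trust login redirect uri domain suffix goo.garden path prefix /
+          transform user {
+            match realm tasks
+            action add role authp/user
+          }
+        }
+
+        authorization policy tasks_policy {
+          set auth url https://tasks.goo.garden/oauth2/tasks
+          allow roles authp/user
+          validate bearer header
+          inject headers with claims
+        }
+      }
     '';
     logDir = "/mnt/nas/logs/caddy";
     virtualHosts = {
@@ -60,6 +100,15 @@
     "audiobooks.goo.garden".extraConfig = ''
       reverse_proxy rk1-node-2:8000
     '';
+    "tasks.goo.garden".extraConfig = ''
+      route /oauth2/* {
+        authenticate with tasks_portal
+      }
+      route {
+        authorize with tasks_policy
+        reverse_proxy cm4-node-2:8080
+      }
+    '';
     "home.goo.garden".extraConfig = ''
       reverse_proxy rk1-node-2:8123
     '';
@@ -74,6 +123,14 @@
     group = config.services.caddy.group;
     reloadServices = [ "caddy" ];
   };
+
+  sops.templates."caddy.env".content = ''
+    TASKS_OIDC_CLIENT_ID=${config.sops.placeholder.tasks-oidc-client-id}
+    TASKS_OIDC_CLIENT_SECRET=${config.sops.placeholder.tasks-oidc-client-secret}
+  '';
+
+  sops.secrets.tasks-oidc-client-id = { };
+  sops.secrets.tasks-oidc-client-secret = { };
 
   systemd.services.caddy = {
     after = [ "mnt-nas.mount" ];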
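Review bot: The portal in the first hunk is scoped wider than its only consumer: `cookie domain goo.garden` sends the tasks_portal session cookie to every goo.garden virtual host proxied from this file (audiobooks, home, and the rest), and `trust login redirect uri domain suffix goo.garden path prefix /` accepts any goo.garden host as a post-login redirect target, while the only host that uses the portal is tasks.goo.garden (`set auth url https://tasks.goo.garden/oauth2/tasks` and the new "tasks.goo.garden" virtual host). Since the portal and the protected app live on the same host, I would narrow both, `cookie domain tasks.goo.garden` and `trust login redirect uri domain suffix tasks.goo.garden path prefix /`, or add a comment stating why the whole parent domain must be trusted. A short comment above the `security {` block naming which virtual hosts are expected to reference tasks_portal/tasks_policy would also help the next person who adds a service here. The `services.caddy` attrset and the `virtualHosts` set both continue outside these hunks.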
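--- a/modules/home-assistant.nix
+++ b/modules/home-assistant.nix
@@ -60,7 +60,7 @@
       user = "zigbee2mqtt";
       password = "!${config.sops.secrets.zigbee2mqtt-mosquitto-password.path} password";
     };
-    serial.port = "/dev/ttyUSB0";
+    serial.port = "/dev/ttyACM0";
     frontend.port = 8124;
   };
 };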
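--- a/modules/tasks-md.nix
+++ b/modules/tasks-md.nix
@@ -0,0 +1,23 @@
+{ ... }:
+{
+  virtualisation.oci-containers = {
+    backend = "podman";
+    containers = {
+      tasks-md = {
+        image = "baldissaramatheus/tasks.md:latest";
+        ports = [ "8080:8080" ];
+        volumes = [
+          "/mnt/nas/data/tasks-md/tasks:/tasks"
+          "/mnt/nas/data/tasks-md/config:/config"
+        ];
+      };
+    };
+  };
+
+  systemd.services.podman-tasks-md = {
+    after = [ "mnt-nas.mount" ];
+    requires = [ "mnt-nas.mount" ];
+  };
+
+  networking.firewall.allowedTCPPorts = [ 8080 ];
+}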
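Review bot: `networking.firewall.allowedTCPPorts = [ 8080 ];` opens the container port to every host that can reach cm4-node-2, so the OIDC gate configured in modules/caddy.nix (`authorize with tasks_policy` in front of `reverse_proxy cm4-node-2:8080`) only protects the tasks.goo.garden path; a client on the same network can talk to port 8080 directly and skip it. Since the Caddy host is the only intended client, I would replace the blanket allow with a source-restricted rule, e.g. `networking.firewall.extraCommands = "iptables -A nixos-fw -p tcp --dport 8080 -s <CADDY_HOST_IP> -j nixos-fw-accept";` (placeholder address), or scope it with `networking.firewall.interfaces.<iface>.allowedTCPPorts` if the Caddy host sits on a dedicated interface. Separately, `image = "baldissaramatheus/tasks.md:latest";` floats with every pull; pinning a release tag or digest keeps the deployed image reproducible and reviewable. A one-line comment above the firewall rule stating that port 8080 is meant to be reached only through Caddy would document the intent either way.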
+4 -2
secrets/secrets.yaml
··· 13 13 immich-oidc-client-secret: ENC[AES256_GCM,data:5HyB9XWsN6QLdWvnxfNI2WO5snbj4oRl78fW++R40Zk=,iv:5Oo46wCTkFCy4859rLLCISgC77dv0beEhTQ8s2gUmKA=,tag:X7qULtRuSFhCutb67Z+fgg==,type:str] 14 14 zigbee2mqtt-mosquitto-password: ENC[AES256_GCM,data:dXD9+mMETKdf9huDlYgzogeyKfqOzT07ydWcSI9VKyCclYQzBIxTgm72E/GEhhFWLEHAgxoOAjjWQejPflvHbA==,iv:82elJgcRYHup1rESG5nAQlfTEmKXlK/6gUOQqjpPOdg=,tag:nBUym60JWWTMlAGhCQGVyw==,type:str] 15 15 zigbee2mqtt-mosquitto-password-hashed: ENC[AES256_GCM,data:/jaOxL6CuAY6gyAD1sgb5Vp+jDAPkUbie2YcknEVMvIGR0di7RgVPhgUctzzyF9sicxZrid3b9iwWe9Q1c77GU45eKUtQfrWfqUnIf434g5bhuRJxsCzQ+u0SuyLbsQOUzTRZR/uCIovGY64suPYTQ==,iv:P0mmkdmnR66l9a748qsLIZaChsSbxzICTN+TJwOy5xw=,tag:rZtfK8eSrdFnb6yAfNfwHA==,type:str] 16 + tasks-oidc-client-id: ENC[AES256_GCM,data:J0qy+sxD2d9Cfoi2PCoFARj4es42FJf08sve8VJzQKQCCLCa,iv:fmhUF8tFATwfrqE8Uj0AbrJgy/j6G0k6iB/lOt4eXGE=,tag:mlIO0sn8oVBVfTEHkghNAg==,type:str] 17 + tasks-oidc-client-secret: ENC[AES256_GCM,data:uX/G+TdE2nAeQ5jbd6YUkdwigxxJMVQODlpgL330hhk=,iv:72sKHzrij9BOSYfh9TEHxS899CulH6pNzTmCMegZEac=,tag:fa5r9UV7clsbXxpC/AfTIg==,type:str] 16 18 backup-repository: ENC[AES256_GCM,data:v6tUjTwVsym8i52jcapjSRXPIjX2xNFY+bZRkHnVsp4AebcksHzHEDX6N4BF3OuQ2KepOfHngMn61Mk=,iv:HPV+8aCPpvFnytja6RUA7hJdtz2BMI1zsH01w1J9r2w=,tag:znMIFmrcsKTIq2TowhAV0w==,type:str] 17 19 backup-identity: ENC[AES256_GCM,data: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,iv:YpRoGlD8YFxZ+RChb6T4Eh665AMTTeTJXRFR0xa7l3k=,tag:FWOVonF+SYbbgQoopa2lhA==,type:str] 18 20 sops: ··· 62 64 ajA5bDZCY1BnblVYRGQ1QTE2S2I4M2cKSIGmFBP6sqiiM+cvTMQuZHit9fN5Vffk 63 65 1pWz8xSen/tqoywqipRf3LqzFb2K7Bx15vwazHbm6LJJa+ZQaruVMg== 64 66 -----END AGE ENCRYPTED FILE----- 65 - lastmodified: "2026-03-24T22:16:27Z" 66 - mac: 
ENC[AES256_GCM,data:nDb+jCMETbVmW5BWRuxGYRqbcci8pmFf6MKfFnAfA623vlEqTPH4zj7M/E5dHv6vruvk9UBQdUG2IPokhRIBGya+JrHJVLrcwN57gs2PqUcV4I2B9vLcXdDeyhzjciw53KryZXmyD0+jc5DJnbp7IMr7X7dv1d2KjHx/nSMpdoc=,iv:IJw2IDxkGv2WEFNcQtpNnP0m6hubkwXopvV8USx8q9E=,tag:5uxXxmL4BXsrGFU0esa/tg==,type:str] 67 + lastmodified: "2026-03-25T00:05:05Z" 68 + mac: ENC[AES256_GCM,data:b0cSfykJxWsjkwQLTGcrV7fdHDzZurAbDO/zodZRQ3quqnEN1bbJHpzbZHzgu3RSoI8Ei+zYlLwKKz0eLMYG7Glpv1oUafveGAbTvZeDdVZPjqoD3pr0doIkxHVX+wGBo0J6MDI6BTPQTjcb/7RHyhO40DVIfHA1UnXJFrxQKfo=,iv:iXNeUS0STaihxgVpJpHsiR4Hkgn6q40RKtqh6mjriO8=,tag:YUjbTy1pUjg8k2djcIKG8A==,type:str] 67 69 unencrypted_suffix: _unencrypted 68 70 version: 3.12.2