diff --git a/configuration/default.nix b/configuration/default.nix
index 3c572e0..0377e9c 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -13,7 +13,6 @@
"${modulesPath}/profiles/minimal.nix"
(import ../modules)
- ./services/auth
./services/backups.nix
./services/battery-manager.nix
./services/conduit
@@ -22,7 +21,6 @@
./services/gitea.nix
./services/immich.nix
./services/metrics
- ./services/minecraft.nix
./services/nextcloud.nix
./services/webserver.nix
./services/wireguard.nix
@@ -65,6 +63,8 @@
8448
# starbound
21025
+ # Minecraft
+ 25565
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
@@ -73,6 +73,9 @@
];
allowedUDPPorts = [
+ # More minecraft
+ 25565
+
config.services.coturn.listening-port
config.services.coturn.tls-listening-port
config.services.coturn.alt-listening-port
diff --git a/configuration/services/auth/authelia.nix b/configuration/services/auth/authelia.nix
deleted file mode 100644
index e9043c0..0000000
--- a/configuration/services/auth/authelia.nix
+++ /dev/null
@@ -1,93 +0,0 @@
-{ config, ... }:
-{
- systemd.services.authelia-tlaternet.after = [ config.systemd.services.lldap-provisioning.name ];
-
- services = {
- authelia.instances.tlaternet = {
- enable = true;
-
- environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
- config.sops.secrets."authelia/lldap-password".path;
-
- settings = {
- authentication_backend.ldap =
- let
- cfglldap = config.services.lldap.settings;
- in
- {
- # TODO(tlater): Enable when authelia has a webhook notifier:
- # https://github.com/authelia/authelia/issues/7695
- password_reset.disable = true;
- refresh_interval = "1m";
- address = "ldap://${cfglldap.ldap_host}:${toString cfglldap.ldap_port}";
- implementation = "lldap";
- base_dn = cfglldap.ldap_base_dn;
- user = "cn=authelia,ou=people,${cfglldap.ldap_base_dn}";
- };
-
- password_policy.zxcvbn.enabled = true;
-
- telemetry.metrics.enabled = true;
-
- access_control = {
- default_policy = "deny";
- rules = [
- {
- domain = "*.${config.services.nginx.domain}";
- policy = "one_factor";
- }
- ];
- };
- notifier.filesystem.filename = "/var/lib/authelia-tlaternet/notification.txt";
-
- session = {
- cookies = [
- {
- domain = "${config.services.nginx.domain}";
- authelia_url = "https://auth.${config.services.nginx.domain}";
- }
- ];
- redis.host = config.services.redis.servers.authelia.unixSocket;
- };
-
- storage = {
- postgres = {
- address = "/var/run/postgresql";
- username = config.services.authelia.instances.tlaternet.user;
- database = config.services.authelia.instances.tlaternet.user;
- };
- };
-
- # Auth options
- default_2fa_method = "totp";
- totp.issuer = "tlater.net";
- webauthn = {
- display_name = "tlater.net";
- enable_passkey_login = true;
-
- attestation_conveyance_preference = "direct";
- filtering.prohibit_backup_eligibility = true;
- metadata = {
- enabled = true;
- validate_trust_anchor = true;
- validate_entry = true;
- validate_status = true;
- validate_entry_permit_zero_aaguid = false;
- };
- };
- duo_api.disable = true;
- };
-
- secrets = {
- storageEncryptionKeyFile = config.sops.secrets."authelia/storage-encryption-key".path;
- jwtSecretFile = config.sops.secrets."authelia/jwt-secret".path;
- sessionSecretFile = config.sops.secrets."authelia/session-secret".path;
- };
- };
-
- redis.servers.authelia = {
- enable = true;
- user = config.services.authelia.instances.tlaternet.user;
- };
- };
-}
diff --git a/configuration/services/auth/default.nix b/configuration/services/auth/default.nix
deleted file mode 100644
index bbfa1b6..0000000
--- a/configuration/services/auth/default.nix
+++ /dev/null
@@ -1,6 +0,0 @@
-{
- imports = [
- ./authelia.nix
- ./lldap.nix
- ];
-}
diff --git a/configuration/services/auth/lldap-provisioning.nu b/configuration/services/auth/lldap-provisioning.nu
deleted file mode 100644
index a2f93f0..0000000
--- a/configuration/services/auth/lldap-provisioning.nu
+++ /dev/null
@@ -1,44 +0,0 @@
-#!/usr/bin/env nushell
-
-let groups = [{
-
-}]
-
-let users = [
-
-]
-
-let settings = open $env.LLDAP_CONFIG
-let url = (
- 'http://' |
- $in + ($settings | get http_host | default '127.0.0.1') |
- $in + ':' |
- $in + ($settings | get http_port | default '17170' | into string))
-let user = $settings | get ldap_user_dn | default admin
-let pass = open $env.LLDAP_LDAP_USER_PASS_FILE
-
-let token = { username: $user, password: $pass } | to json | http post $'($url)/auth/simple/login' | get token
-
-def query [operation: string, query: string, variables: list<string>] {
- let body = {
- query: $query,
- operationName: $operation,
- variables: $variables
- }
-
- let res = $body | to json | http post --headers [Authorization $'Bearer ($token)'] $'($url)/api/graphql'
-
- if ("errors" in $res) {
- let msg = "GraphQL query to LLDAP failed:\n" + ($res.errors | each {|e| $'- ($e)' | str join (char newline)})
-
- error make {
- msg: $msg,
- label: {
- text: "Query defined here",
- span: (metadata $query).span
- }
- }
- } else {
- $res.data
- }
-}
diff --git a/configuration/services/auth/lldap.nix b/configuration/services/auth/lldap.nix
deleted file mode 100644
index 250a395..0000000
--- a/configuration/services/auth/lldap.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-{
- lib,
- pkgs,
- config,
- ...
-}:
-{
- services = {
- lldap = {
- enable = true;
- settings = {
- ldap_base_dn = "dc=tlater,dc=net";
- database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
- ldap_host = "127.0.0.1";
-
- http_host = "127.0.0.1";
- http_url = "https://lldap.${config.services.nginx.domain}";
-
- force_ldap_user_pass_reset = "always";
-
- smtp_options.enable_password_reset = false;
-
- environment = {
- LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
- LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
- LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
- };
- };
- };
-
- nginx.virtualHosts = {
- "lldap.${config.services.nginx.domain}" = {
- useACMEHost = "tlater.net";
- forceSSL = true;
- enableHSTS = true;
-
- locations."/".proxyPass =
- "http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
- };
- };
- };
-
- systemd.services.lldap.after = [ config.systemd.services.postgresql.name ];
-
- systemd.services.lldap-provisioning = {
- requisite = [ config.systemd.services.lldap.name ];
- wantedBy = [ config.systemd.services.lldap.name ];
- after = [ config.systemd.services.lldap.name ];
-
- path = [
- pkgs.nushell
- pkgs.lldap-cli
- ];
-
- script = "exec nu ${./lldap-provisioning.nu}";
-
- environment = {
- LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
- # LLDAP_CONFIG = ((pkgs.formats.toml { }).generate config.services.lldap.settings).outPath;
- };
-
- serviceConfig.Type = "oneshot";
- };
-}
diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix
index e362c49..f37b8b0 100644
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@@ -9,10 +9,6 @@ in
extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ];
scrapeConfigs = {
- authelia = {
- targets = [ "127.0.0.1:9959" ];
- };
-
forgejo = {
targets = [ "127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}" ];
extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
diff --git a/configuration/services/minecraft.nix b/configuration/services/minecraft.nix
deleted file mode 100644
index 0477f44..0000000
--- a/configuration/services/minecraft.nix
+++ /dev/null
@@ -1,83 +0,0 @@
-{
- pkgs,
- lib,
- config,
- ...
-}:
-{
- services.minecraft-server = {
- enable = true;
- eula = true;
- # jvmOpts are set using a file for forge
- # jvmOpts = "-Xmx8G -Xms8G";
- openFirewall = true;
-
- declarative = true;
-
- whitelist = {
- tlater = "140d177a-966f-41b8-a4c0-e305babd291b";
- romino25 = "59cd1648-14a4-4bcf-8f5a-2e1bde678f2c";
- lasi25 = "0ab6e3d1-544a-47e7-8538-2e6c248e49a4";
- };
-
- serverProperties = {
- allow-flight = true;
- difficulty = "hard";
- motd = "tlater.net";
- spawn-protection = 1;
- white-list = true;
- enable-query = true;
- enable-status = true;
-
- # Allows the server to write chunks without hogging the main
- # thread...
- sync-chunk-writes = false;
- # Disables chat reporting, because we don't need any of that
- # drama on a lil' friends-only server.
- enforce-secure-profile = false;
- };
-
- package = pkgs.writeShellApplication {
- name = "minecraft-server";
- runtimeInputs = with pkgs; [ jdk17_headless ];
-
- text = ''
- exec /var/lib/minecraft/run.sh $@
- '';
- };
- };
-
- systemd.services.minecraft-server = {
- path = with pkgs; [ jdk17_headless ];
-
- # Since we read from our own HTTP server, we need to wait for it
- # to be up
- after = [ "nginx.service" ];
-
- serviceConfig = {
- # Use packwiz to install mods
- ExecStartPre = [
- "${pkgs.jdk17_headless}/bin/java -jar ${config.services.minecraft-server.dataDir}/packwiz-installer-bootstrap.jar -g -s server 'https://minecraft.${config.services.nginx.domain}/cobblemon-pack/pack.toml'"
- ];
- # Forge requires some bonus JVM options, which they include in a
- # little `run.sh` script
- ExecStart = lib.mkForce "${config.services.minecraft-server.dataDir}/run.sh --nogui";
- };
- };
-
- systemd.tmpfiles.settings."10-minecraft" = {
- "/srv/minecraft".d = {
- user = "nginx";
- group = "minecraft";
- mode = "0775";
- };
- };
-
- services.nginx.virtualHosts."minecraft.${config.services.nginx.domain}" = {
- forceSSL = true;
- useACMEHost = "tlater.net";
- enableHSTS = true;
-
- root = "/srv/minecraft";
- };
-}
diff --git a/configuration/services/postgres.nix b/configuration/services/postgres.nix
index 9ac9ff3..85a6843 100644
--- a/configuration/services/postgres.nix
+++ b/configuration/services/postgres.nix
@@ -1,4 +1,4 @@
-{ config, pkgs, ... }:
+{ pkgs, ... }:
{
services.postgresql = {
package = pkgs.postgresql_14;
@@ -17,18 +17,10 @@
# that operation needs to be performed manually on the system as
# well.
ensureUsers = [
- {
- name = config.services.authelia.instances.tlaternet.user;
- ensureDBOwnership = true;
- }
{
name = "grafana";
ensureDBOwnership = true;
}
- {
- name = "lldap";
- ensureDBOwnership = true;
- }
{
name = "nextcloud";
ensureDBOwnership = true;
@@ -36,9 +28,7 @@
];
ensureDatabases = [
- config.services.authelia.instances.tlaternet.user
"grafana"
- "lldap"
"nextcloud"
];
};
diff --git a/configuration/sops.nix b/configuration/sops.nix
index cb16026..0337438 100644
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@@ -3,24 +3,6 @@
defaultSopsFile = ../keys/production.yaml;
secrets = {
- "authelia/storage-encryption-key" = {
- owner = "authelia-tlaternet";
- group = "authelia-tlaternet";
- };
- "authelia/jwt-secret" = {
- owner = "authelia-tlaternet";
- group = "authelia-tlaternet";
- };
- "authelia/session-secret" = {
- owner = "authelia-tlaternet";
- group = "authelia-tlaternet";
- };
- "authelia/lldap-password" = {
- owner = "authelia-tlaternet";
- group = "lldap";
- mode = "0440";
- };
-
"battery-manager/email" = { };
"battery-manager/password" = { };
@@ -46,10 +28,6 @@
"heisenbridge/as-token" = { };
"heisenbridge/hs-token" = { };
- # lldap
- "lldap/admin-password" = { };
- "lldap/key" = { };
-
# Matrix-hookshot
"matrix-hookshot/as-token" = { };
"matrix-hookshot/hs-token" = { };
diff --git a/keys/staging.yaml b/keys/staging.yaml
index 8ba5f45..876d60e 100644
--- a/keys/staging.yaml
+++ b/keys/staging.yaml
@@ -1,8 +1,3 @@
-authelia:
- storage-encryption-key: ENC[AES256_GCM,data:iMV4DGwvOOq+DZao+Jrc3i15HOPFXHv3m6dzrAb7n8zV8bdLz5c4MCpq61hQy/UfoXsRYJUxwCcj3B70JQn2Ngq6P9ik9U1ZfYrwUWIENSd/iG8CBfdasKqxEijS2F23Lj1rbB4ppTWD9lWqRoKOEaXDL9Rqn02tiLbR3OewOpwiwbzv0PkVlC6yUV+yS3Jx,iv:1V2cwoV4kG3i9e9dv7PWPCNoFPIgYiZ2m3A8Agf3Jpc=,tag:AiFLpQ7nqwx9xZ71sbCn2g==,type:str]
- jwt-secret: ENC[AES256_GCM,data:QA64lfervZk=,iv:MtyCZrbGzX+oKTBPW9R+n/r8TaFkK0xSwjn/qUT6ntQ=,tag:z/XnDGiLDkJ0xPVveeR2cA==,type:str]
- session-secret: ENC[AES256_GCM,data:lYk4FOO4sQM=,iv:z05n1zPt1ONNqN6sgITUTu+GSe6xev4cYm8c4xzp/Mg=,tag:TRQAbxjvaoo/tnLxO43KKg==,type:str]
- lldap-password: ENC[AES256_GCM,data:cafjSRCUXAg=,iv:vZM/6efEhWjjTKNnDuS+Kj2i/eOkn20vT2JmtcHGcSU=,tag:P1GscnNwMoWCMMDbMVMPqA==,type:str]
porkbun:
api-key: ENC[AES256_GCM,data:A5J1sqwq6hs=,iv:77Mar3IX7mq7z7x6s9sSeGNVYc1Wv78HptJElEC7z3Q=,tag:eM/EF9TxKu+zcbJ1SYXiuA==,type:str]
secret-api-key: ENC[AES256_GCM,data:8Xv+jWYaWMI=,iv:li4tdY0pch5lksftMmfMVS729caAwfaacoztaQ49az0=,tag:KhfElBGzVH4ByFPfuQsdhw==,type:str]
@@ -14,9 +9,6 @@ forgejo:
grafana:
adminPassword: ENC[AES256_GCM,data:dYfaxUpQpzA=,iv:j5wSem8C5+V4c5qRzXQJhsU7/FOtpvrnaEyFBmW6zJ4=,tag:oc8n3TkEbjF2gjuOobZuLA==,type:str]
secretKey: ENC[AES256_GCM,data:Atruvh2MsNY=,iv:y2MaCUCEzGIydHp6G0DJHfk289S1is0twKm2oUYwDhM=,tag:nAWeg+YqaYqk6k22oBkAhQ==,type:str]
-lldap:
- admin-password: ENC[AES256_GCM,data:s18N1fvXtzE=,iv:FGXF5+PwDZrQIJylx+pkjY4SO0mmfiGUPZeFAINmGnY=,tag:rpPSFdWzCHhyp4ITddRekg==,type:str]
- key: ENC[AES256_GCM,data:spbrfjm4Ozhu6XAPxN1cuQ==,iv:QEDCGfl75aP0T68nbWmqkPem46FHrs8nj7zVkWYcHt4=,tag:P4p3rC5I2KqPm733wbTp9g==,type:str]
nextcloud:
tlater: ENC[AES256_GCM,data:91kDcO4hpng=,iv:ayuILRmRru4ZxTCur9H2xHuLjkDzwPdS/4lEog/tesU=,tag:qYhJxnNDcCwUM7xe7Tlcjw==,type:str]
steam:
@@ -40,8 +32,13 @@ turn:
#ENC[AES256_GCM,data:bxhKzU5Tzezl749CDu8e8kxa7ahGuZFaPa9K3kxuD+4sg5Hi3apgDlC0n8oK0DeiK4Ks7+9Cyw==,iv:T/zVJUpNAv1rR0a9+6SDTG08ws2A1hFBs5Ia3TpT0uk=,tag:uGXb1VryM+lIJ8r0I5durA==,type:comment]
ssl-cert: ENC[AES256_GCM,data:xHUr14CjKslgbGh/n5jYSOuCw9JRxS6YXE4fxS+aJzFcNeSeGNqoipPeuJupZGBnQP/FCqohiHY=,iv:/OEsVqRshGL9NIvntMC42EPZSNL0u6EfhtUBqgV7qog=,tag:4pxtNjuvy/ibm6nDtKdSkw==,type:str]
sops:
- lastmodified: "2025-05-26T19:48:08Z"
- mac: ENC[AES256_GCM,data:dIuIJlkz6yUKt1MrOgwQTYm8DzwldN4o2E0B89p8c0WeCxgHwWVMtIHt8QsrIet9X7aHDx97/S67XzYEGSXI/9Btc+GCEFNcoVsgZzXy+d7r3io2gQxNrQ6yJwJvStW+ZeWPujg5nJ6NNfhcweLFdquwNwNJ4DC1sGvCl5/m/QY=,iv:n5f8urvZVLfIp46nysSJh3ngx+H8qxLuycmDZVYDOCk=,tag:5ccJtPdIRZmFXDVO1V6y3w==,type:str]
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2025-02-07T17:43:24Z"
+ mac: ENC[AES256_GCM,data:akmD/bfgeTyFzW1quvM16cdj0fC6+CbJ8WyX9173H11yKGxvE1USQYcErpl1SHOx9Jk8LVb7f+MsUm2fjQF1MEq6xaWI74jem12lZ9CGXFaTL7e87JvfbK7pV+aKpxSBBNFyJgbYm30ibdUwxwKmNVfPb1e0HT9qwenvoV7RobM=,iv:mKqOW0ULXL711uczUbRf9NPo6uPTQoS/IbR46S+JID4=,tag:vE6NYzYLbQHDImov1XGTcg==,type:str]
pgp:
- created_at: "2025-01-21T17:55:30Z"
enc: |-
@@ -79,4 +76,4 @@ sops:
-----END PGP MESSAGE-----
fp: 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc
unencrypted_suffix: _unencrypted
- version: 3.10.2
+ version: 3.9.2