feat(homelab): implement SSO

hosts/homelab/arr.nix

@@ -12,18 +12,15 @@
     locations."/" = {
       proxyPass = "http://localhost:${toString port}";
     };
-    basicAuthFile = "${config.age.secrets.arr-basic-auth.path}";
+    locations."/api" = {
+      proxyPass = "http://localhost:${toString port}";
+      extraConfig = ''
+        auth_request off;
+      '';
+    };
   };
 in {
   # for linux ISOs
-  age.secrets = {
-    arr-basic-auth = {
-      rekeyFile = ../../secrets/hosts/homelab/basic-auth.age;
-      owner = config.services.nginx.user;
-      inherit (config.services.nginx) group;
-    };
-  };
-
   users.groups."${group}" = {
     members = [username];
   };
@@ -33,19 +30,37 @@ in {
   };
 
   services = {
+    oauth2-proxy.nginx.virtualHosts = {
+      "radarr.nickolaj.com".allowed_groups = ["arr"];
+      "sonarr.nickolaj.com".allowed_groups = ["arr"];
+      "prowlarr.nickolaj.com".allowed_groups = ["arr"];
+      "sabnzbd.nickolaj.com".allowed_groups = ["arr"];
+      "bazarr.nickolaj.com".allowed_groups = ["arr"];
+    };
     nginx.virtualHosts = {
       "radarr.nickolaj.com" = mkVirtualHost 7878;
       "sonarr.nickolaj.com" = mkVirtualHost 8989;
       "prowlarr.nickolaj.com" = mkVirtualHost 9696;
       "sabnzbd.nickolaj.com" = mkVirtualHost 8080;
+      "bazarr.nickolaj.com" = mkVirtualHost config.services.bazarr.listenPort;
     };
 
-    restic.backups.homelab.paths = [
-      "/var/lib/radarr"
-      "/var/lib/sonarr"
-      "/var/lib/prowlarr"
-      "/var/lib/sabnzbd"
-    ];
+    restic.backups.homelab = {
+      paths = [
+        "/var/lib/radarr"
+        "/var/lib/sonarr"
+        "/var/lib/prowlarr"
+        "/var/lib/sabnzbd"
+        "/var/lib/bazarr"
+      ];
+      exclude = [
+        # arrs logs and media cover
+        "/var/lib/*/.config/*/logs/"
+        "/var/lib/*/.config/*/MediaCover/"
+        "/var/lib/sabnzbd/Downloads/"
+        "/var/lib/sabnzbd/logs/"
+      ];
+    };
 
     sabnzbd = {
       inherit user group;
@@ -59,6 +74,10 @@ in {
       inherit user group;
       enable = true;
     };
+    bazarr = {
+      inherit user group;
+      enable = true;
+    };
     prowlarr.enable = true;
   };
 }

hosts/homelab/flame.nix

@@ -2,7 +2,10 @@ _: let
   dataDir = "/var/lib/flame";
   domain = "flame.nickolaj.com";
 in {
-  services.restic.backups.homelab.paths = [dataDir];
+  services.restic.backups.homelab = {
+    paths = [dataDir];
+    exclude = ["/var/lib/flame/db_backups"];
+  };
 
   services.nginx.virtualHosts."${domain}" = {
     enableACME = true;

hosts/homelab/home-assistant.nix

@@ -14,11 +14,6 @@ in {
       owner = "zigbee2mqtt";
       group = "zigbee2mqtt";
     };
-    z2m-basic-auth = {
-      rekeyFile = ../../secrets/hosts/homelab/basic-auth.age;
-      owner = config.services.nginx.user;
-      inherit (config.services.nginx) group;
-    };
     mosquitto-zigbee2mqtt.rekeyFile = ../../secrets/hosts/homelab/mosquitto-zigbee2mqtt.age;
     mosquitto-sas.rekeyFile = ../../secrets/hosts/homelab/mosquitto-sas.age;
     mosquitto-ha.rekeyFile = ../../secrets/hosts/homelab/mosquitto-ha.age;
@@ -29,11 +24,17 @@ in {
   ];
 
   services = {
-    restic.backups.homelab.paths = [
-      config.services.zigbee2mqtt.dataDir
-      config.services.home-assistant.configDir
-    ];
+    restic.backups.homelab = {
+      paths = [
+        config.services.zigbee2mqtt.dataDir
+        config.services.home-assistant.configDir
+      ];
+      exclude = [
+        "/var/lib/zigbee2mqtt/log/"
+      ];
+    };
 
+    oauth2-proxy.nginx.virtualHosts."zigbee.nickolaj.com".allowed_groups = ["iot-admin"];
     nginx.virtualHosts = {
       "zigbee.nickolaj.com" = {
         enableACME = true;
@@ -42,7 +43,6 @@ in {
           proxyPass = "http://localhost:${toString zigbee2mqttPort}";
           proxyWebsockets = true;
         };
-        basicAuthFile = "${config.age.secrets.z2m-basic-auth.path}";
       };
       "ha.nickolaj.com" = {
         enableACME = true;

hosts/homelab/netdata.nix

@@ -1,13 +0,0 @@
-{
-  config,
-  pkgsUnstable,
-  ...
-}: {
-  age.secrets.netdata-claim-token.rekeyFile = ../../secrets/netdata-claim-token.age;
-
-  services.netdata = {
-    enable = true;
-    package = pkgsUnstable.netdataCloud;
-    claimTokenFile = "${config.age.secrets.netdata-claim-token.path}";
-  };
-}

hosts/homelab/nextcloud.nix

@@ -27,6 +27,9 @@
         adminpassFile = "${config.age.secrets.nextcloud-admin-pass.path}";
         dbtype = "pgsql";
       };
+      extraApps = {
+        inherit (config.services.nextcloud.package.packages.apps) sociallogin;
+      };
     };
   };
 }

hosts/homelab/nginx.nix

@@ -3,7 +3,11 @@ _: {
 
   services.nginx = {
     enable = true;
+    recommendedTlsSettings = true;
+    recommendedOptimisation = true;
     recommendedProxySettings = true;
+    recommendedGzipSettings = true;
+    recommendedBrotliSettings = true;
   };
   security.acme = {
     acceptTerms = true;

hosts/homelab/postgres.nix

@@ -5,4 +5,4 @@
     postgresql.enable = true;
     postgresqlBackup.enable = true;
   };
-}
+}

hosts/homelab/prometheus.nix

@@ -0,0 +1,52 @@
+{
+  config,
+  hostname,
+  ...
+}: let
+  mkScrapeConfig = name: {
+    job_name = name;
+    static_configs = [
+      {
+        labels = {
+          instance = hostname;
+        };
+
+        targets = [
+          "${toString config.services.prometheus.exporters.${name}.listenAddress}:${toString config.services.prometheus.exporters.${name}.port}"
+        ];
+      }
+    ];
+  };
+in {
+  age.secrets.grafana-cloud-prometheus-api-key = {
+    rekeyFile = ../../secrets/grafana-cloud-prometheus.age;
+    owner = "prometheus";
+    group = "prometheus";
+  };
+
+  services.prometheus = {
+    enable = true;
+    enableAgentMode = true;
+    globalConfig.scrape_interval = "1m";
+    remoteWrite = [
+      {
+        url = "https://prometheus-prod-01-eu-west-0.grafana.net/api/prom/push";
+        basic_auth = {
+          username = "432120";
+          password_file = "${config.age.secrets.grafana-cloud-prometheus-api-key.path}";
+        };
+      }
+    ];
+
+    scrapeConfigs = [
+      (mkScrapeConfig "node")
+    ];
+
+    exporters.node = {
+      enable = true;
+      extraFlags = [
+        "--web.disable-exporter-metrics"
+      ];
+    };
+  };
+}

hosts/homelab/sso.nix

@@ -0,0 +1,105 @@
+{config, pkgsUnstable, ...}: let
+  port = 9190;
+  rootDomain = "nickolaj.com";
+  zitadelDomain = "sso.${rootDomain}";
+  oathproxyDomain = "oauth2-proxy.${rootDomain}";
+in {
+  age.secrets.zitadel-master = {
+    rekeyFile = ../../secrets/hosts/homelab/zitadel-master.age;
+    owner = config.services.zitadel.user;
+  };
+  age.secrets.oauth2-proxy = {
+    rekeyFile = ../../secrets/hosts/homelab/oauth2-proxy-keyfile.age;
+    owner = "oauth2-proxy";
+  };
+
+  services.nginx.virtualHosts."${zitadelDomain}" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString port}";
+      extraConfig = ''
+        grpc_pass grpc://127.0.0.1:${toString port};
+        grpc_set_header Host $host:$server_port;
+      '';
+    };
+  };
+  services.nginx.virtualHosts."${oathproxyDomain}" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyWebsockets = true;
+      proxyPass = "http://127.0.0.1:4180";
+    };
+  };
+
+  services.postgresql = {
+    ensureDatabases = ["zitadel"];
+    ensureUsers = [
+      {
+        name = "zitadel";
+        ensureDBOwnership = true;
+        ensureClauses.login = true;
+        ensureClauses.superuser = true;
+      }
+    ];
+  };
+
+  services.zitadel = {
+    enable = true;
+    package = pkgsUnstable.zitadel;
+    masterKeyFile = config.age.secrets.zitadel-master.path;
+    settings = {
+      Port = port;
+      Database.postgres = {
+        Host = "/var/run/postgresql/";
+        Port = 5432;
+        Database = "zitadel";
+        User = {
+          Username = "zitadel";
+          SSL.Mode = "disable";
+        };
+        Admin = {
+          Username = "zitadel";
+          SSL.Mode = "disable";
+          ExistingDatabase = "zitadel";
+        };
+      };
+      ExternalDomain = zitadelDomain;
+      ExternalPort = 443;
+      ExternalSecure = true;
+    };
+    steps.FirstInstance = {
+      InstanceName = "Fireproof Auth";
+      Org = {
+        Name = "Fireproof Auth";
+        Human = {
+          UserName = "nickolaj1177@gmail.com";
+          FirstName = "Nickolaj";
+          LastName = "Jepsen";
+          Email.Verified = true;
+          Password = "Password1!";
+          PasswordChangeRequired = true;
+        };
+      };
+      LoginPolicy.AllowRegister = false;
+    };
+  };
+
+  services.oauth2-proxy = {
+    enable = true;
+    package = pkgsUnstable.oauth2-proxy;
+    provider = "oidc";
+    reverseProxy = true;
+    redirectURL = "https://${oathproxyDomain}/oauth2/callback";
+    validateURL = "https://${zitadelDomain}/oauth2/";
+    oidcIssuerUrl = "https://${zitadelDomain}:443";
+    keyFile = config.age.secrets.oauth2-proxy.path;
+    nginx.domain = oathproxyDomain;
+    email.domains = ["*"];
+    extraConfig = {
+      whitelist-domain = ".${rootDomain}";
+      cookie-domain = ".${rootDomain}";
+    };
+  };
+}

hosts/homelab/vaultwarden.nix

@@ -11,7 +11,13 @@ in {
         ROCKET_PORT = 8222;
       };
     };
-    restic.backups.homelab.paths = ["/var/lib/vaultwarden"];
+    restic.backups.homelab = {
+      paths = ["/var/lib/vaultwarden"];
+      exclude = [
+        "/var/lib/vaultwarden/icon_cache"
+        "/var/lib/vaultwarden/tmp"
+      ];
+    };
 
     nginx.virtualHosts."${domain}" = {
       enableACME = true;