Add docs for all roles

main
kalle 2025-02-16 13:48:43 +01:00
parent 52c9b74f27
commit f96fdf7efd
6 changed files with 165 additions and 9 deletions

46
docs/roles/authentik.md Normal file

@ -0,0 +1,46 @@
# Authentik role
SSO server
## Notes
- Requires the podman and postgres roles to be enabled on the same host.
- The server will be mostly unconfigured.
## Options
### `authentik.domain`
The domain used by authentik.
## Secrets
### `authentik/db_pass`
The password for the authentik postgres database. This should be the same as
`postgres/authentik` on the same host.
### `authentik/secret_key`
The secret key used by authentik. This value can not be changed without data
loss and has to be kept secret at all times.
### `authentik/email_host`
The SMTP host for email. This is not necessarily secret, but here to keep all
email settings collocated.
Example: `mail.example.com`
### `authentik/email_port`
The SMTP port for email. This is not necessarily secret, but here to keep all
email settings collocated. **Make sure to quote this value!**
Example: `587`
### `authentik/email_from`
The from address used by authentik. This is not necessarily secret, but here to keep all
email settings collocated.
Example: `git@example.com`
### `authentik/email_username`
The user used by authentik to authenticate to the SMTP server.
Example: `git@example.com`
### `authentik/email_password`
The password used by authentik to authenticate to the SMTP server.
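Review bot: `authentik/email_from` and `authentik/email_username` reuse the example `git@example.com` from the forgejo page, which reads as a copy-paste slip on the authentik page; use an authentik-specific address such as `authentik@example.com`. The `authentik/db_pass` entry says the value "should be the same as `postgres/authentik`" but not what happens when it is not: since the postgres page states that database user passwords are reset from `postgres/$DB_NAME` on every service restart, a diverging `authentik/db_pass` leaves authentik unable to connect, and the entry should say that the postgres secret is the one that is enforced. Minor: "collocated" should be "colocated" in the `email_host` and `email_port` entries.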


@ -1,13 +1,47 @@
# Forgejo role
Git server
By default the forgejo server is installed without any users and without an
## Notes
- Requires the postgres role to be enabled on the same host.
- By default the forgejo server is installed without any users and without an
external authentication provider. To create the first (admin) user ssh into the
host and run
```bash
forgejo-cli admin user create --username $username --email $email --admin
```
After this, you can log in with this new user and set up SSO through the
[admin panel](https://$DOMAIN/admin/auths). After this is set up (and verified)
you can change the initial user to use the new authentication source in the
host and run `forgejo-cli admin user create --username $username --email $email --admin`
- To set up SSO go to the [admin panel](https://$DOMAIN/admin/auths).
- To change the initial user to use the new authentication source, go to the
[admin panel](https://$DOMAIN/admin/users).
## Options
### `forgejo.domain`
The domain used by forgejo.
## Secrets
### `forgejo/db_pass`
The password for the forgejo postgres database. This should be the same as
`postgres/forgejo` on the same host.
### `forgejo/email_host`
The SMTP host for email. This is not necessarily secret, but here to keep all
email settings collocated.
Example: `mail.example.com`
### `forgejo/email_port`
The SMTP port for email. This is not necessarily secret, but here to keep all
email settings collocated. **Make sure to quote this value!**
Example: `587`
### `forgejo/email_from`
The from address used by forgejo. This is not necessarily secret, but here to keep all
email settings collocated.
Example: `git@example.com`
### `forgejo/email_username`
The user used by forgejo to authenticate to the SMTP server.
Example: `git@example.com`
### `forgejo/email_password`
The password used by forgejo to authenticate to the SMTP server.
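Review bot: the rewritten Notes drop the old text's "After this is set up (and verified)" qualifier between the SSO bullet (`https://$DOMAIN/admin/auths`) and the bullet that switches the initial user to the new authentication source (`https://$DOMAIN/admin/users`). Keep it: moving the only admin account over to an authentication source that has not been confirmed to work can lock the administrator out of the instance. The inlined `forgejo-cli admin user create --username $username --email $email --admin` command also does not show how the initial user's password is set; a sentence on where that password comes from would save the reader a trip to the CLI help. Minor: "collocated" should be "colocated" in the `email_host` and `email_port` entries.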

24
docs/roles/podman.md Normal file

@ -0,0 +1,24 @@
# Podman role
Allows the server to run podman/docker containers. Required for some services.
## Options
### `podman.containers`
A set with all the same options as `virtualisation.oci-containers.containers`
with the addition of a `imageMetadata` option on each container which can be
used instead of the `image` option to cache an exact image into the nix store
at build time.
Example:
```nix
{
"example-container" = {
imageMetadata = {
imageName = "ghcr.io/goauthentik/server";
imageDigest = "sha256:7464a70c0d84df0816858106116a3306a80359b4300aa656c3a5ab790a38c229"; # 2024.12.3
sha256 = "fadbb55b7ae1d84d7322538101e933caa021582e5120828040c3883a18b1b3d5";
};
# Other container options
};
}
```
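Review bot: "a `imageMetadata` option" should read "an `imageMetadata` option". More importantly, the text should state what each `imageMetadata` field does: `imageDigest` is what actually pins the image (the `# 2024.12.3` comment is informational only and is not checked), and `sha256` is the hash of the fetched image as stored in the nix store, so a reader knows which value to update when bumping the container and how to obtain the new hash (for instance with `nix-prefetch-docker`). Without that, the example invites copying the tag comment while leaving the digest stale, or vice versa.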

14
docs/roles/postgres.md Normal file

@ -0,0 +1,14 @@
# Postgres role
PostgreSQL database server.
## Notes
- Database user passwords are updated on every service restart through a script.
## Options
### `postgres.databases`
A list of all databases to be created. Each database also gets a user by the
same name with a password in the secret `postgres/$DB_NAME`.
## Secrets
### `postgres/$DB_NAME`
The password for the user corresponding to the database $DB_NAME.
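Review bot: the Notes bullet "Database user passwords are updated on every service restart through a script" should spell out the consequence for operators: the secret `postgres/$DB_NAME` is the only place a password can be changed, and any password altered directly in the database is overwritten on the next restart. The `postgres.databases` entry should also say whether a database that is removed from the list is dropped or left in place, since that decides whether an accidental edit to the list destroys data.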

8
docs/roles/sonarr.md Normal file

@ -0,0 +1,8 @@
# Sonarr role
## Notes
- The server is completely unconfigured.
## Options
### `sonarr.domain`
The domain used by sonarr.
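Review bot: "The server is completely unconfigured" should say what that means for a fresh host reachable under `sonarr.domain`: whether an initial setup or authentication step is expected before the UI is exposed, in the way the authentik and forgejo pages describe their first-user setup. As written, the page lists no Secrets section and no first-login step, so a reader cannot tell whether that is by design or an omission.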

30
docs/roles/traefik.md Normal file

@ -0,0 +1,30 @@
# Traefik role
Reverse proxy for HTTP traffic.
## Notes
- Adds the `infra` tag to hosts that use it.
- Routes are collected from all hosts in the entire configuration automatically.
- To acquire wildcard certificates for a domain, its DNS must be at the
cloudflare user specified in the secrets.
## Options
### `traefik.wildcardDomains`
A list of all domains to acquire wildcard certificates for.
## Secrets
### `traefik/acmeEmail`
Email given to Let's Encrypt for notification emails.
Example: `email@example.com`
### `traefik/CLOUDFLARE_EMAIL`
Email used to authenticate to CloudFlare to set DNS for wildcard domain
certificate challenge.
Example: `email@example.com`
### `traefik/CLOUDFLARE_DNS_API_TOKEN`
API key used to authenticate to CloudFlare to set DNS for wildcard domain
certificate challenge.
Example: AVeryLongAPIKeyHere
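Review bot: `traefik/CLOUDFLARE_DNS_API_TOKEN` is named as a token but described as an "API key"; the two are not interchangeable, so say which one is expected, and if it is a scoped API token, document the minimum permission it needs (DNS edit on the zones listed in `traefik.wildcardDomains`) so that a leaked secret cannot do more than alter those zones. Also clarify whether `traefik/CLOUDFLARE_EMAIL` is still required with a scoped token. Formatting: the example `AVeryLongAPIKeyHere` lacks the backticks used by every other Example line, and "CloudFlare" should be spelled "Cloudflare".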