Add docs for all roles

main
kalle 2025-02-16 13:48:43 +01:00
parent 52c9b74f27
commit f96fdf7efd
6 changed files with 165 additions and 9 deletions

46
docs/roles/authentik.md Normal file
View File

@ -0,0 +1,46 @@
# Authentik role
SSO server
## Notes
- Requires the podman and postgres roles to be enabled on the same host.
- The server will be mostly unconfigured.
## Options
### `authentik.domain`
The domain used by authentik.
## Secrets
### `authentik/db_pass`
The password for the authentik postgres database. This should be the same as
`postgres/authentik` on the same host.
### `authentik/secret_key`
The secret key used by authentik. This value can not be changed without data
loss and has to be kept secret at all times.
### `authentik/email_host`
The SMTP host for email. This is not necessarily secret, but here to keep all
email settings collocated.
Example: `mail.example.com`
### `authentik/email_port`
The SMTP port for email. This is not necessarily secret, but here to keep all
email settings collocated. **Make sure to quote this value!**
Example: `587`
### `authentik/email_from`
The from address used by authentik. This is not necessarily secret, but here to keep all
email settings collocated.
Example: `git@example.com`
### `authentik/email_username`
The user used by authentik to authenticate to the SMTP server.
Example: `git@example.com`
### `authentik/email_password`
The password used by authentik to authenticate to the SMTP server.
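Review bot: `authentik/db_pass` is documented as having to equal `postgres/authentik` on the same host, so one password lives in two secrets and nothing on this page checks that they agree; the postgres role rewrites the database password from its own secret on every restart, so a mismatch breaks authentik's database login silently. Either have the role read `postgres/authentik` directly or state that a change to one secret must be mirrored in the other before the next restart. `authentik/secret_key` says the value cannot be changed without data loss but not how to generate it; give the expected format and length so an operator does not pick a short or reused value. Minor: the `authentik/email_from` and `authentik/email_username` examples are `git@example.com`, copied from the forgejo doc; a sender such as `authentik@example.com` would read less confusingly.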

View File

@ -1,13 +1,47 @@
# Forgejo role # Forgejo role
Git server
By default the forgejo server is installed without any users and without an ## Notes
- Requires the postgres role to be enabled on the same host.
- By default the forgejo server is installed without any users and without an
external authentication provider. To create the first (admin) user ssh into the external authentication provider. To create the first (admin) user ssh into the
host and run host and run `forgejo-cli admin user create --username $username --email $email --admin`
```bash - To set up SSO go to the [admin panel](https://$DOMAIN/admin/auths).
forgejo-cli admin user create --username $username --email $email --admin - To change the initial user to use the new authentication source, go to the
```
After this, you can log in with this new user and set up SSO through the
[admin panel](https://$DOMAIN/admin/auths). After this is set up (and verified)
you can change the initial user to use the new authentication source in the
[admin panel](https://$DOMAIN/admin/users). [admin panel](https://$DOMAIN/admin/users).
## Options
### `forgejo.domain`
The domain used by forgejo.
## Secrets
### `forgejo/db_pass`
The password for the forgejo postgres database. This should be the same as
`postgres/forgejo` on the same host.
### `forgejo/email_host`
The SMTP host for email. This is not necessarily secret, but here to keep all
email settings collocated.
Example: `mail.example.com`
### `forgejo/email_port`
The SMTP port for email. This is not necessarily secret, but here to keep all
email settings collocated. **Make sure to quote this value!**
Example: `587`
### `forgejo/email_from`
The from address used by forgejo. This is not necessarily secret, but here to keep all
email settings collocated.
Example: `git@example.com`
### `forgejo/email_username`
The user used by forgejo to authenticate to the SMTP server.
Example: `git@example.com`
### `forgejo/email_password`
The password used by forgejo to authenticate to the SMTP server.
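Review bot: the rewritten bullets drop the ordering the old text had, "After this is set up (and verified) you can change the initial user to use the new authentication source"; switching the only admin account to an SSO source before a login through that source has been verified can lock you out of the instance, so keep that caveat in the "To change the initial user" bullet. The quoted `forgejo-cli admin user create --username $username --email $email --admin` also sets no password; say how the first credential is supplied (a `--password` or `--random-password` flag), otherwise the reader ends up with an admin user they cannot log in as. As in the authentik doc, `forgejo/db_pass` has to be kept equal to `postgres/forgejo` by hand; worth stating that a mismatch is not detected.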

24
docs/roles/podman.md Normal file
View File

@ -0,0 +1,24 @@
# Podman role
Allows the server to run podman/docker containers. Required for some services.
## Options
### `podman.containers`
A set with all the same options as `virtualisation.oci-containers.containers`
with the addition of a `imageMetadata` option on each container which can be
used instead of the `image` option to cache an exact image into the nix store
at build time.
Example:
```nix
{
"example-container" = {
imageMetadata = {
imageName = "ghcr.io/goauthentik/server";
imageDigest = "sha256:7464a70c0d84df0816858106116a3306a80359b4300aa656c3a5ab790a38c229"; # 2024.12.3
sha256 = "fadbb55b7ae1d84d7322538101e933caa021582e5120828040c3883a18b1b3d5";
};
# Other container options
};
}
```
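Review bot: the `imageMetadata` description does not say how to obtain `sha256` (the hash of the fetched image as it lands in the nix store, which is not the registry `imageDigest`) or what happens when both `image` and `imageMetadata` are set on the same container; document the hash workflow and the precedence. The `# 2024.12.3` comment next to the digest is the only link between the pinned digest and a release, and nothing verifies it, so note that the digest is what is pinned and the version comment must be kept in sync by hand when the digest is bumped.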

14
docs/roles/postgres.md Normal file
View File

@ -0,0 +1,14 @@
# Postgres role
PostgreSQL database server.
## Notes
- Database user passwords are updated on every service restart through a script.
## Options
### `postgres.databases`
A list of all databases to be created. Each database also gets a user by the
same name with a password in the secret `postgres/$DB_NAME`.
## Secrets
### `postgres/$DB_NAME`
The password for the user corresponding to the database $DB_NAME.
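Review bot: "Database user passwords are updated on every service restart through a script" implies that rotating `postgres/$DB_NAME` takes effect only after a restart and that every consumer (the authentik and forgejo roles each carry their own copy of the same value in `*/db_pass`) has to be updated in the same step; spell both out, since the page otherwise reads as if the secret alone drives the password. The doc also says nothing about what privileges the per-database user gets; state whether it is limited to its own database so the least-privilege expectation is explicit.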

8
docs/roles/sonarr.md Normal file
View File

@ -0,0 +1,8 @@
# Sonarr role
## Notes
- The server is completely unconfigured.
## Options
### `sonarr.domain`
The domain used by sonarr.
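Review bot: `sonarr.domain` together with "The server is completely unconfigured" leaves unstated whether the service is reachable through the reverse proxy at that domain before any authentication has been set up; since the traefik role collects routes from all hosts and holds a wildcard certificate, an unconfigured Sonarr would be publicly reachable, so say what the initial authentication state is and how the route is exposed.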

30
docs/roles/traefik.md Normal file
View File

@ -0,0 +1,30 @@
# Traefik role
Reverse proxy for HTTP traffic.
## Notes
- Adds the `infra` tag to hosts that use it.
- Routes are collected from all hosts in the entire configuration automatically.
- To acquire wildcard certificates for a domain, its DNS must be at the
cloudflare user specified in the secrets.
## Options
### `traefik.wildcardDomains`
A list of all domains to acquire wildcard certificates for.
## Secrets
### `traefik/acmeEmail`
Email given to Let's Encrypt for notification emails.
Example: `email@example.com`
### `traefik/CLOUDFLARE_EMAIL`
Email used to authenticate to CloudFlare to set DNS for wildcard domain
certificate challenge.
Example: `email@example.com`
### `traefik/CLOUDFLARE_DNS_API_TOKEN`
API key used to authenticate to CloudFlare to set DNS for wildcard domain
certificate challenge.
Example: AVeryLongAPIKeyHere
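Review bot: `traefik/CLOUDFLARE_DNS_API_TOKEN` is described as an "API key" while its name says token; Cloudflare's global API key and a scoped API token are different credentials (only the key is used together with `CLOUDFLARE_EMAIL`), so say which one the role expects and recommend a token scoped to DNS edit on the wildcard zones only, since whatever is stored here can rewrite DNS for every zone it covers. Put the example `AVeryLongAPIKeyHere` in backticks like the other examples, and clarify what "its DNS must be at the cloudflare user specified in the secrets" means for a token: the zone has to belong to the account the token was issued for.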