README.md

@@ -29,10 +29,21 @@ The nix based configuration for my home lab.
 
 - confgi.nix    # Global configuration options
 ```
+
+## Roles
+
+### Traefik
+HTTP reverse proxy.
+
+### Authentik
+SSO for almost everything running.
+
+
 ## TODO:
 
 ### Services
 **For sure**:
+- Forgejo: Git server
 - FreshRSS: RSS server/reader
 - Gramps: Family tree
 - hoarder: Bookmark manager

docs/roles/authentik.md

@@ -1,46 +0,0 @@
-# Authentik role
-SSO server
-
-## Notes 
-- Requires the podman and postgres roles to be enabled on the same host.
-- The server will be mostly unconfigured.
-
-## Options
-### `authentik.domain`
-The domain used by authentik.
-
-## Secrets
-### `authentik/db_pass`
-The password for the authentik postgres database. This should be the same as 
-`postgres/authentik` on the same host.
-
-### `authentik/secret_key`
-The secret key used by authentik. This value can not be changed without data
-loss and has to be kept secret at all times.
-
-### `authentik/email_host`
-The SMTP host for email. This is not necessarily secret, but here to keep all 
-email settings collocated.
-
-Example: `mail.example.com`
-
-### `authentik/email_port`
-The SMTP port for email. This is not necessarily secret, but here to keep all 
-email settings collocated. **Make sure to quote this value!**
-
-Example: `587`
-
-### `authentik/email_from`
-The from address used by authentik. This is not necessarily secret, but here to keep all 
-email settings collocated.
-
-Example: `git@example.com`
-
-### `authentik/email_username`
-The user used by authentik to authenticate to the SMTP server.
-
-Example: `git@example.com`
-
-### `authentik/email_password`
-The password used by authentik to authenticate to the SMTP server.
-

docs/roles/forgejo.md

@@ -1,47 +1,13 @@
 # Forgejo role
-Git server
 
-## Notes 
+By default the forgejo server is installed without any users and without an
-- Requires the postgres role to be enabled on the same host.
-- By default the forgejo server is installed without any users and without an
 external authentication provider. To create the first (admin) user ssh into the
-host and run `forgejo-cli admin user create --username $username --email $email --admin`
+host and run 
-- To set up SSO go to the [admin panel](https://$DOMAIN/admin/auths).
+```bash
-- To change the initial user to use the new authentication source, go to the
+forgejo-cli admin user create --username $username --email $email --admin
+```
+
+After this, you can log in with this new user and set up SSO through the
+[admin panel](https://$DOMAIN/admin/auths). After this is set up (and verified)
+you can change the initial user to use the new authentication source in the
 [admin panel](https://$DOMAIN/admin/users).
-
-## Options
-### `forgejo.domain`
-The domain used by forgejo.
-
-## Secrets
-### `forgejo/db_pass`
-The password for the forgejo postgres database. This should be the same as 
-`postgres/forgejo` on the same host.
-
-### `forgejo/email_host`
-The SMTP host for email. This is not necessarily secret, but here to keep all 
-email settings collocated.
-
-Example: `mail.example.com`
-
-### `forgejo/email_port`
-The SMTP port for email. This is not necessarily secret, but here to keep all 
-email settings collocated. **Make sure to quote this value!**
-
-Example: `587`
-
-### `forgejo/email_from`
-The from address used by forgejo. This is not necessarily secret, but here to keep all 
-email settings collocated.
-
-Example: `git@example.com`
-
-### `forgejo/email_username`
-The user used by forgejo to authenticate to the SMTP server.
-
-Example: `git@example.com`
-
-### `forgejo/email_password`
-The password used by forgejo to authenticate to the SMTP server.
-

docs/roles/podman.md

@@ -1,24 +0,0 @@
-# Podman role
-Allows the server to run podman/docker containers. Required for some services.
-
-## Options
-### `podman.containers`
-A set with all the same options as `virtualisation.oci-containers.containers`
-with the addition of a `imageMetadata` option on each container which can be
-used instead of the `image` option to cache an exact image into the nix store
-at build time.
-
-Example:
-```nix
-{
-  "example-container" = {
-    imageMetadata = {
-      imageName = "ghcr.io/goauthentik/server";
-      imageDigest = "sha256:7464a70c0d84df0816858106116a3306a80359b4300aa656c3a5ab790a38c229"; # 2024.12.3
-      sha256 = "fadbb55b7ae1d84d7322538101e933caa021582e5120828040c3883a18b1b3d5";
-    };
-    # Other container options
-  };
-}
-```
-

docs/roles/postgres.md

@@ -1,14 +0,0 @@
-# Postgres role
-PostgreSQL database server.
-
-## Notes
-- Database user passwords are updated on every service restart through a script.
-
-## Options
-### `postgres.databases`
-A list of all databases to be created. Each database also gets a user by the
-same name with a password in the secret `postgres/$DB_NAME`.
-
-## Secrets
-### `postgres/$DB_NAME`
-The password for the user corresponding to the database $DB_NAME.

docs/roles/sonarr.md

@@ -1,8 +0,0 @@
-# Sonarr role
-
-## Notes
-- The server is completely unconfigured.
-
-## Options
-### `sonarr.domain`
-The domain used by sonarr.

docs/roles/traefik.md

@@ -1,30 +0,0 @@
-# Traefik role
-Reverse proxy for HTTP traffic.
-
-## Notes
-- Adds the `infra` tag to hosts that use it.
-- Routes are collected from all hosts in the entire configuration automatically.
-- To acquire wildcard certificates for a domain, its DNS must be at the
-cloudflare user specified in the secrets.
-
-## Options
-### `traefik.wildcardDomains`
-A list of all domains to acquire wildcard certificates for.
-
-## Secrets
-### `traefik/acmeEmail`
-Email given to Let's Encrypt for notification emails.
-
-Example: `email@example.com`
-
-### `traefik/CLOUDFLARE_EMAIL`
-Email used to authenticate to CloudFlare to set DNS for wildcard domain 
-certificate challenge.
-
-Example: `email@example.com`
-
-### `traefik/CLOUDFLARE_DNS_API_TOKEN`
-API key used to authenticate to CloudFlare to set DNS for wildcard domain
-certificate challenge.
-
-Example: AVeryLongAPIKeyHere