From 3a4ab22009a63d35c7e2d83834b9e22cfbd85793 Mon Sep 17 00:00:00 2001
From: blake
Date: Thu, 9 Oct 2025 14:02:02 -0500
Subject: [PATCH] readding vaultwarden and jellyfin

---
 modules/homelab/services/jellyfin/default.nix | 34 +++---
 .../homelab/services/vaultwarden/default.nix | 115 ++++++++++++++++++
 .../services/vaultwarden/default_temp.nix | 108 ----------------
 3 files changed, 130 insertions(+), 127 deletions(-)
 create mode 100644 modules/homelab/services/vaultwarden/default.nix
 delete mode 100644 modules/homelab/services/vaultwarden/default_temp.nix

diff --git a/modules/homelab/services/jellyfin/default.nix b/modules/homelab/services/jellyfin/default.nix
index b816f17..47ae9bf 100644
--- a/modules/homelab/services/jellyfin/default.nix
+++ b/modules/homelab/services/jellyfin/default.nix
@@ -1,7 +1,7 @@
 { pkgs, config, lib, ... }:
 
 let
- service = "";
+ service = "jellyfin";
 cfg = config.modules.services.${service};
 sec = config.sops.secrets;
 homelab = config.modules.homelab;
@@ -13,12 +13,12 @@ in
 # set port options
 port = lib.mkOption {
 type = lib.types.int;
- default = ;
+ default = 7100;
 description = "set port for ${service} (default: ${toString cfg.port}";
 };
 url = lib.mkOption {
 type = lib.types.str;
- default = "${service}.${homelab.base_domain}";
+ default = "media.${homelab.base_domain}";
 description = "set domain for ${service}";
 };
 data_dir = lib.mkOption {
@@ -51,7 +51,7 @@ in
 home = cfg.data_dir;
 createHome = true;
 group = "${service}";
- extraGroups = [ "media" ];
+ extraGroups = [ "media" "video" "render" ];
 };
 
 # enable the ${service} service
@@ -61,16 +61,11 @@ in
 user = "${service}";
 group = "${service}";
 dataDir = cfg.data_dir;
- settings = {
- server.port = cfg.port;
- };
 };
 
 # override umask to make permissions work out
 systemd.services.${service}.serviceConfig = {
 UMask = lib.mkForce "0007";
-# User = "${service}";
-# Group = "${service}";
 };
 
 # # open firewall
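Review bot: Removing `settings.server.port = cfg.port;` in the fourth hunk decouples the `port` option from what Jellyfin actually listens on, so the new `default = 7100;` in the second hunk appears to be a value nothing binds (Jellyfin falls back to its built-in 8096, which is exactly what the internal vhost in the next hunk hard-codes), while the external vhost still proxies to `127.0.0.1:${toString cfg.port}` and would be refused. If `settings` was dropped because the module in use has no such option, the consistent fix is `default = 8096;` on the port option and `proxyPass = "http://127.0.0.1:${toString cfg.port}";` in both vhosts, so a single value controls listener and proxy. Worth noting too that `openFirewall = true;` on the service (context just above this hunk) publishes the listener directly on the host, bypassing the TLS-terminating nginx entries, so it can be `false` if only proxied access is intended. The `services.${service}` attribute set that this hunk edits opens before the hunk.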
@@ -78,6 +73,16 @@ in
 
 # internal reverse proxy entry
 services.nginx.virtualHosts."${cfg.url}" = {
+ forceSSL = true;
+ sslCertificate = sec."ssl_blakedheld_crt".path;
+ sslCertificateKey = sec."ssl_blakedheld_key".path;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:8096";
+ #proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ };
+ };
+ # external reverse proxy entry
+ services.nginx.virtualHosts."media.blakedheld.xyz" = {
 forceSSL = true;
 sslCertificate = sec."ssl_blakedheld_crt".path;
 sslCertificateKey = sec."ssl_blakedheld_key".path;
@@ -85,16 +90,7 @@ in
 proxyPass = "http://127.0.0.1:${toString cfg.port}";
 };
 };
-# # external reverse proxy entry
-# services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
-# forceSSL = true;
-# sslCertificate = sec."ssl_blakedheld_crt".path;
-# sslCertificateKey = sec."ssl_blakedheld_key".path;
-# locations."/" = {
-# proxyPass = "http://127.0.0.1:${toString cfg.port}";
-# };
-# };
-#
+
 # sops.secrets = {
 # "${service}_" = {
 # owner = "${service}";
diff --git a/modules/homelab/services/vaultwarden/default.nix b/modules/homelab/services/vaultwarden/default.nix
new file mode 100644
index 0000000..2639152
--- /dev/null
+++ b/modules/homelab/services/vaultwarden/default.nix
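Review bot: The two vhosts in the first hunk can collide: `cfg.url` now defaults to `media.${homelab.base_domain}` and the added external entry is the literal `media.blakedheld.xyz`, so if base_domain evaluates to blakedheld.xyz both definitions target the same `services.nginx.virtualHosts` attribute and the differing `proxyPass` values (8096 in the internal entry, `cfg.port` in the external one, which continues past this hunk) would surface as a conflicting-definition error rather than two servers. Keying a single entry on `cfg.url` and listing any additional hostname in its `serverAliases` avoids the duplication and keeps one proxy target to maintain. The commented-out `#proxyPass = "http://127.0.0.1:${toString cfg.port}";` line is better deleted than kept as dead configuration next to the live value.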
@@ -0,0 +1,115 @@
+{ pkgs, config, lib, ... }:
+
+let
+ service = "vaultwarden";
+ cfg = config.modules.services.${service};
+ sec = config.sops.secrets;
+ homelab = config.modules.homelab;
+in
+{
+ options.modules.services.${service} = {
+ enable = lib.mkEnableOption "enables ${service}";
+
+ # set port options
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 7701;
+ description = "set port for ${service} (default: ${toString cfg.port}";
+ };
+ url = lib.mkOption {
+ type = lib.types.str;
+ default = "pass.${homelab.base_domain}";
+ description = "set domain for ${service}";
+ };
+ data_dir = lib.mkOption {
+ type = lib.types.str;
+ default = "/var/lib/${service}";
+ description = "set data directory for ${service}";
+ };
+ ids = lib.mkOption {
+ type = lib.types.int;
+ default = cfg.port;
+ description = "set uid and pid of ${service} user (matches port by default)";
+ };
+ backup = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "enable backups for ${service}";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ # declare ${service} group
+ users.groups.${service} = { gid = lib.mkForce cfg.ids; };
+
+ # declare ${service} user
+ users.users.${service} = {
+ description = "${service} server user";
+ uid = lib.mkForce cfg.ids;
+ isSystemUser = true;
+ home = cfg.data_dir;
+ createHome = true;
+ group = "${service}";
+ extraGroups = [];
+ };
+
+ # enable the vaultwarden service
+ services.vaultwarden = {
+ enable = true;
+ config = {
+ DOMAIN = domain;
+ ROCKET_ADDRESS = "0.0.0.0";
+ ROCKET_PORT = cfg.port;
+ SIGNUPS_ALLOWED = true;
+# ADMIN_TOKEN = "yuh";
+ ADMIN_TOKEN = "${toString config.sops.secrets."vaultwarden_admin_token".path}";
+ EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "fido2-vault-credentials,autofill-overlay,autofill-v2,inline-menu-positioning-improvements,ssh-key-vault-item";
+ # The following flags are available:
+ # - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
+ # - "autofill-v2": Use the new autofill implementation.
+ # - "browser-fileless-import": Directly import credentials from other providers without a file.
+ # - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
+ # - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
+ # - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
+ # - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
+ # - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
+ };
+ };
+
+ # override umask to make permissions work out
+ systemd.services.vaultwarden.serviceConfig = { UMask = lib.mkForce "0007"; };
+
+ # open firewall
+ networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+ # internal reverse proxy entry
+ services.nginx.virtualHosts."${cfg.url}" = {
+ forceSSL = true;
+ sslCertificate = sec."ssl_blakedheld_crt".path;
+ sslCertificateKey = sec."ssl_blakedheld_key".path;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ };
+ };
+ # external reverse proxy entry
+ services.nginx.virtualHosts."pass.blakedheld.xyz" = {
+ forceSSL = true;
+ sslCertificate = sec."ssl_blakedheld_crt".path;
+ sslCertificateKey = sec."ssl_blakedheld_key".path;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ };
+ };
+
+ sops.secrets = {
+ "${service}_admin_token" = {
+ owner = "${service}";
+ group = "${service}";
+ };
+ };
+
+ # add to backups
+ modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
+ };
+}
diff --git a/modules/homelab/services/vaultwarden/default_temp.nix b/modules/homelab/services/vaultwarden/default_temp.nix
deleted file mode 100644
index b816f17..0000000
--- a/modules/homelab/services/vaultwarden/default_temp.nix
+++ /dev/null
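Review bot: `DOMAIN = domain;` references a name that is bound nowhere in this file (the `let` defines only service, cfg, sec and homelab, and `domain` is not a function argument), so the module will fail to evaluate; `DOMAIN = "https://${cfg.url}";` is the intended value. `ADMIN_TOKEN` is also set to the sops secret's path string rather than its contents, and since `services.vaultwarden.config` is rendered into an environment file in the Nix store, any value placed there is world-readable anyway; the module's `environmentFile` option is the right channel for the token, with the secret file holding a line of the form `ADMIN_TOKEN=<value>`. `ROCKET_ADDRESS = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [ cfg.port ];` exposes the plaintext listener on every interface even though both nginx vhosts proxy to 127.0.0.1, so the firewall line can be dropped and the bind address narrowed to loopback. Finally, `SIGNUPS_ALLOWED = true` on an instance published as `pass.blakedheld.xyz` lets anyone create accounts; set it to `false` once the owner's account exists.
```nix
 services.vaultwarden = {
 enable = true;
 # secrets are read from this file at start-up instead of being rendered into the store;
 # the sops secret must contain a line of the form ADMIN_TOKEN=<token value>
 environmentFile = sec."${service}_admin_token".path;
 config = {
 DOMAIN = "https://${cfg.url}";
 # loopback only: both nginx vhosts below proxy to 127.0.0.1
 ROCKET_ADDRESS = "127.0.0.1";
 ROCKET_PORT = cfg.port;
 SIGNUPS_ALLOWED = false;
 # … unchanged: EXPERIMENTAL_CLIENT_FEATURE_FLAGS and the flag comments …
 };
 };
 # … unchanged: umask override …
 # (the networking.firewall.allowedTCPPorts line is removed; nothing off-host needs the raw port)
```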
@@ -1,108 +0,0 @@
-{ pkgs, config, lib, ... }:
-
-let
- service = "";
- cfg = config.modules.services.${service};
- sec = config.sops.secrets;
- homelab = config.modules.homelab;
-in
-{
- options.modules.services.${service} = {
- enable = lib.mkEnableOption "enables ${service}";
-
- # set port options
- port = lib.mkOption {
- type = lib.types.int;
- default = ;
- description = "set port for ${service} (default: ${toString cfg.port}";
- };
- url = lib.mkOption {
- type = lib.types.str;
- default = "${service}.${homelab.base_domain}";
- description = "set domain for ${service}";
- };
- data_dir = lib.mkOption {
- type = lib.types.str;
- default = "/var/lib/${service}";
- description = "set data directory for ${service}";
- };
- ids = lib.mkOption {
- type = lib.types.int;
- default = cfg.port;
- description = "set uid and pid of ${service} user (matches port by default)";
- };
- backup = lib.mkOption {
- type = lib.types.bool;
- default = true;
- description = "enable backups for ${service}";
- };
- };
-
- config = lib.mkIf cfg.enable {
-
- # declare ${service} group
- users.groups.${service} = { gid = lib.mkForce cfg.ids; };
-
- # declare ${service} user
- users.users.${service} = {
- description = "${service} server user";
- uid = lib.mkForce cfg.ids;
- isSystemUser = true;
- home = cfg.data_dir;
- createHome = true;
- group = "${service}";
- extraGroups = [ "media" ];
- };
-
- # enable the ${service} service
- services.${service} = {
- enable = true;
- openFirewall = true;
- user = "${service}";
- group = "${service}";
- dataDir = cfg.data_dir;
- settings = {
- server.port = cfg.port;
- };
- };
-
- # override umask to make permissions work out
- systemd.services.${service}.serviceConfig = {
- UMask = lib.mkForce "0007";
-# User = "${service}";
-# Group = "${service}";
- };
-
-# # open firewall
-# networking.firewall.allowedTCPPorts = [ cfg.port ];
-
- # internal reverse proxy entry
- services.nginx.virtualHosts."${cfg.url}" = {
- forceSSL = true;
- sslCertificate = sec."ssl_blakedheld_crt".path;
- sslCertificateKey = sec."ssl_blakedheld_key".path;
- locations."/" = {
- proxyPass = "http://127.0.0.1:${toString cfg.port}";
- };
- };
-# # external reverse proxy entry
-# services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
-# forceSSL = true;
-# sslCertificate = sec."ssl_blakedheld_crt".path;
-# sslCertificateKey = sec."ssl_blakedheld_key".path;
-# locations."/" = {
-# proxyPass = "http://127.0.0.1:${toString cfg.port}";
-# };
-# };
-#
-# sops.secrets = {
-# "${service}_" = {
-# owner = "${service}";
-# group = "${service}";
-# };
-# };
-
- # add to backups
- modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
- };
-}