readding vaultwarden and jellyfin

2025-10-09 14:02:02 -05:00
parent 9f1730a5dd
commit 3a4ab22009
3 changed files with 130 additions and 127 deletions


@@ -1,7 +1,7 @@
{ pkgs, config, lib, ... }: { pkgs, config, lib, ... }:
let let
service = ""; service = "jellyfin";
cfg = config.modules.services.${service}; cfg = config.modules.services.${service};
sec = config.sops.secrets; sec = config.sops.secrets;
homelab = config.modules.homelab; homelab = config.modules.homelab;
@@ -13,12 +13,12 @@ in
# set port options # set port options
port = lib.mkOption { port = lib.mkOption {
type = lib.types.int; type = lib.types.int;
default = <port>; default = 7100;
description = "set port for ${service} (default: ${toString cfg.port}"; description = "set port for ${service} (default: ${toString cfg.port}";
}; };
url = lib.mkOption { url = lib.mkOption {
type = lib.types.str; type = lib.types.str;
default = "${service}.${homelab.base_domain}"; default = "media.${homelab.base_domain}";
description = "set domain for ${service}"; description = "set domain for ${service}";
}; };
data_dir = lib.mkOption { data_dir = lib.mkOption {
@@ -51,7 +51,7 @@ in
home = cfg.data_dir; home = cfg.data_dir;
createHome = true; createHome = true;
group = "${service}"; group = "${service}";
extraGroups = [ "media" ]; extraGroups = [ "media" "video" "render" ];
}; };
# enable the ${service} service # enable the ${service} service
@@ -61,16 +61,11 @@ in
user = "${service}"; user = "${service}";
group = "${service}"; group = "${service}";
dataDir = cfg.data_dir; dataDir = cfg.data_dir;
settings = {
server.port = cfg.port;
};
}; };
# override umask to make permissions work out # override umask to make permissions work out
systemd.services.${service}.serviceConfig = { systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007"; UMask = lib.mkForce "0007";
# User = "${service}";
# Group = "${service}";
}; };
# # open firewall # # open firewall
@@ -78,6 +73,16 @@ in
# internal reverse proxy entry # internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = { services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:8096";
#proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# external reverse proxy entry
services.nginx.virtualHosts."media.blakedheld.xyz" = {
forceSSL = true; forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path; sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path; sslCertificateKey = sec."ssl_blakedheld_key".path;
@@ -85,16 +90,7 @@ in
proxyPass = "http://127.0.0.1:${toString cfg.port}"; proxyPass = "http://127.0.0.1:${toString cfg.port}";
}; };
}; };
# # external reverse proxy entry
# services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
# forceSSL = true;
# sslCertificate = sec."ssl_blakedheld_crt".path;
# sslCertificateKey = sec."ssl_blakedheld_key".path;
# locations."/" = {
# proxyPass = "http://127.0.0.1:${toString cfg.port}";
# };
# };
#
# sops.secrets = { # sops.secrets = {
# "${service}_" = { # "${service}_" = {
# owner = "${service}"; # owner = "${service}";
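Review bot: The two nginx entries for jellyfin now disagree on the backend: the internal vhost hard-codes `proxyPass = "http://127.0.0.1:8096";` while the external `media.blakedheld.xyz` vhost still uses `${toString cfg.port}`, i.e. 7100, and the `settings.server.port = cfg.port` lines that used to bind the listener to that port were removed, so at most one of the two vhosts can reach the service. If jellyfin is left on its default 8096 (which the commented-out line next to the hard-coded value suggests), the simplest consistent fix is `default = 8096;` on the `port` option and `proxyPass = "http://127.0.0.1:${toString cfg.port}";` in both vhosts, which also keeps the `ids` uid/gid derived from a port that is actually in use. Either way the option description "set port for jellyfin" should say that the value only selects the proxy target and uid/gid, since nothing here configures jellyfin's own listener anymore. The enclosing `config = lib.mkIf cfg.enable { … }` block starts and ends outside this hunk.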


@@ -0,0 +1,115 @@
{ pkgs, config, lib, ... }:
let
service = "vaultwarden";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7701;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "pass.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = "${service}";
extraGroups = [];
};
# enable the vaultwarden service
services.vaultwarden = {
enable = true;
config = {
DOMAIN = domain;
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = cfg.port;
SIGNUPS_ALLOWED = true;
# ADMIN_TOKEN = "yuh";
ADMIN_TOKEN = "${toString config.sops.secrets."vaultwarden_admin_token".path}";
EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "fido2-vault-credentials,autofill-overlay,autofill-v2,inline-menu-positioning-improvements,ssh-key-vault-item";
# The following flags are available:
# - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
# - "autofill-v2": Use the new autofill implementation.
# - "browser-fileless-import": Directly import credentials from other providers without a file.
# - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
# - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
# - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
# - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
# - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
};
};
# override umask to make permissions work out
systemd.services.vaultwarden.serviceConfig = { UMask = lib.mkForce "0007"; };
# open firewall
networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# external reverse proxy entry
services.nginx.virtualHosts."pass.blakedheld.xyz" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
sops.secrets = {
"${service}_admin_token" = {
owner = "${service}";
group = "${service}";
};
};
# add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
};
}
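Review bot: `ADMIN_TOKEN = "${toString config.sops.secrets."vaultwarden_admin_token".path}"` sets the admin token to the secret's file path string (something like `/run/secrets/vaultwarden_admin_token`), not to the secret's contents, so the admin panel is protected by a predictable path; and since values under `services.vaultwarden.config` are rendered into an environment file that presumably lands in the world-readable Nix store, a real token placed there would leak as well — the sops secret should instead be a `ADMIN_TOKEN=…` line (ideally an argon2 PHC hash, as vaultwarden supports) passed through the module's `environmentFile` option. `DOMAIN = domain;` references a name that is not bound in the `let` (only `service`, `cfg`, `sec`, `homelab` are), so evaluation fails as written; `DOMAIN = "https://${cfg.url}";` is what the two vhosts imply. `ROCKET_ADDRESS = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [ cfg.port ]` publishes the plaintext HTTP listener on every interface, bypassing the TLS-only nginx front that proxies to `127.0.0.1` anyway, so bind to loopback and drop the firewall entry. Finally `SIGNUPS_ALLOWED = true` on a vhost that is also published as `pass.blakedheld.xyz` lets anyone on the internet register a vault; set it to `false` and invite users from the admin panel (or use `SIGNUPS_DOMAINS_WHITELIST`).
```nix
    services.vaultwarden = {
      enable = true;
      # the sops secret holds "ADMIN_TOKEN=<argon2 hash>"; it never goes into the store-visible config attrset
      environmentFile = sec."${service}_admin_token".path;
      config = {
        DOMAIN = "https://${cfg.url}";
        ROCKET_ADDRESS = "127.0.0.1";  # only nginx talks to this listener
        ROCKET_PORT = cfg.port;
        SIGNUPS_ALLOWED = false;       # public vhost: invite users via the admin panel instead
        # … unchanged: EXPERIMENTAL_CLIENT_FEATURE_FLAGS and flag comments …
      };
    };
    # … unchanged: umask override …
    # firewall entry removed: nothing outside the host needs the raw port
```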


@@ -1,108 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = <port>;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = "${service}";
extraGroups = [ "media" ];
};
# enable the ${service} service
services.${service} = {
enable = true;
openFirewall = true;
user = "${service}";
group = "${service}";
dataDir = cfg.data_dir;
settings = {
server.port = cfg.port;
};
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
# User = "${service}";
# Group = "${service}";
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${cfg.url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# # external reverse proxy entry
# services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
# forceSSL = true;
# sslCertificate = sec."ssl_blakedheld_crt".path;
# sslCertificateKey = sec."ssl_blakedheld_key".path;
# locations."/" = {
# proxyPass = "http://127.0.0.1:${toString cfg.port}";
# };
# };
#
# sops.secrets = {
# "${service}_" = {
# owner = "${service}";
# group = "${service}";
# };
# };
# add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
};
}