diff --git a/modules/homelab/services/bak/gitea/default.nix b/modules/homelab/services/bak/gitea/default.nix
new file mode 100644
index 0000000..8ba502d
--- /dev/null
+++ b/modules/homelab/services/bak/gitea/default.nix
@@ -0,0 +1,111 @@ +{ pkgs, config, lib, ... }: + +let + cfg = config.modules.services.gitea; + ids = 2703; + default_port = 3000; + data_dir = "/var/lib/gitea"; +in +{ + options.modules.services.gitea = { + enable = lib.mkEnableOption "enables gitea"; + + # set port options + port = lib.mkOption { + type = lib.types.int; + default = 7703; + description = "set port for gitea (default: ${toString default_port}"; + }; + + # set ssh port + ssh_port = lib.mkOption { + type = lib.types.int; + default = 7567; + description = "set port for gitea (default: 2222"; + }; + + backup = lib.mkOption { + type = lib.types.bool; + default = true; + description = "enable backups for gitea"; + }; + }; + + config = lib.mkIf cfg.enable { + + # declare gitea group + users.groups.gitea = { gid = ids; }; + + # declare gitea user + users.users.gitea = { + description = lib.mkForce "gitea server user"; + uid = ids; + isSystemUser = true; + shell = pkgs.bash; + home = "/var/lib/gitea"; + createHome = true; + group = "gitea"; + extraGroups = []; + }; + + # enable the gitea service + services.gitea = { + enable = true; + user = "gitea"; + group = "gitea"; + stateDir = data_dir; + appName = "gitea"; + settings = { + server = { + DOMAIN = "git.blakedheld.xyz"; + HTTP_PORT = cfg.port; + SSH_PORT = cfg.ssh_port; + START_SSH_SERVER = true; + ENABLE_PUSH_CREATE_USER = true; + + }; + }; + database = { + passwordFile = "${toString config.sops.secrets."gitea_database_password".path}"; + }; + }; + + # override umask to make permissions work out + systemd.services.gitea.serviceConfig = { UMask = lib.mkForce "0007"; }; + + # open firewall + networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ]; + + # internal reverse proxy entry + services.nginx.virtualHosts."git.snowbelle.lan" = { + enableACME = false; + forceSSL = true; + sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path; + sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path; + locations."/" = { + proxyPass = 
"http://127.0.0.1:${toString cfg.port}"; + }; + }; + # external reverse proxy entry + services.nginx.virtualHosts."git.blakedheld.xyz" = { + enableACME = true; + forceSSL = true; +# sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path; +# sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; + + sops.secrets = { + "gitea_database_password" = { + owner = "gitea"; + group = "gitea"; +# neededForUsers = true; + }; + }; + + # add to backups + modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ]; + }; +} diff --git a/modules/homelab/services/bak/jellyfin/default.nix b/modules/homelab/services/bak/jellyfin/default.nix new file mode 100644 index 0000000..0e6b54b --- /dev/null +++ b/modules/homelab/services/bak/jellyfin/default.nix 
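Review bot: `networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ]` opens the plaintext HTTP port on every interface even though nginx already terminates TLS and proxies to `127.0.0.1`, and `settings.server` sets no `HTTP_ADDR`, so gitea presumably listens on all addresses (gitea's default; confirm). Bind it locally and open only the SSH port: `HTTP_ADDR = "127.0.0.1";` in `settings.server` and `networking.firewall.allowedTCPPorts = [ cfg.ssh_port ];`. The option descriptions are also misleading: `port` says `(default: ${toString default_port}` (unclosed paren, and 3000 while the actual default is 7703) and `ssh_port` says `"set port for gitea (default: 2222"` while its default is 7567; the same unclosed-paren copy appears in the jellyfin, qbittorrent, vaultwarden and default_temp hunks. With `START_SSH_SERVER = true` the built-in SSH server is used, so `shell = pkgs.bash` on the service account looks unnecessary — verify before dropping it.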
@@ -0,0 +1,82 @@ +{ pkgs, config, lib, ... }: + +let + cfg = config.modules.services.jellyfin; + ids = 701; + default_port = 8096; + data_dir = "/var/lib/jellyfin"; +in +{ + options.modules.services.jellyfin = { + enable = lib.mkEnableOption "enables jellyfin"; + + # set port options + port = lib.mkOption { + type = lib.types.int; + default = 7101; + description = "set port for jellyfin (default: ${toString default_port}"; + }; + + backup = lib.mkOption { + type = lib.types.bool; + default = true; + }; + }; + + config = lib.mkIf cfg.enable { + + # declare jellyfin group + users.groups.jellyfin = { gid = ids; }; + + # declare jellyfin user + users.users.jellyfin = { + description = "jellyfin media server user"; + uid = ids; + isSystemUser = true; + home = data_dir; + createHome = true; + group = "jellyfin"; + extraGroups = [ "media" "video" "render" ]; + }; + + # enable the jellyfin service + services.jellyfin = { + enable = true; + openFirewall = true; # Opens 8096/8920 automatically + user = "jellyfin"; # Default: jellyfin + group = "jellyfin"; # Default: jellyfin + dataDir = "/var/lib/jellyfin"; # Config + metadata storage + }; + + # override umask to make permissions work out + systemd.services.jellyfin.serviceConfig = { UMask = lib.mkForce "0007"; }; + + # open firewall +# networking.firewall.allowedTCPPorts = [ cfg.port ]; + + # internal reverse proxy entry + services.nginx.virtualHosts."jellyfin.snowbelle.lan" = { + enableACME = false; + forceSSL = true; + sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path; + sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; + + # external reverse proxy entry + services.nginx.virtualHosts."media.blakedheld.xyz" = { + enableACME = false; + forceSSL = true; + sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path; + sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path; + locations."/" = { + 
proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; + + # add to backups + modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ]; + }; +} diff --git a/modules/homelab/services/bak/nginx-proxy/default.nix b/modules/homelab/services/bak/nginx-proxy/default.nix new file mode 100644 index 0000000..86ce2b1 --- /dev/null +++ b/modules/homelab/services/bak/nginx-proxy/default.nix @@ -0,0 +1,39 @@ +{ pkgs, config, lib, ... }: + +let + cfg = config.modules.homelab.nginx-proxy; +in +{ + options.modules.homelab.nginx-proxy = { + enable = lib.mkEnableOption "enables nginx-proxy"; + }; + + config = lib.mkIf cfg.enable { + # enable nginx proxy manager + services.nginx = { + enable = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + }; + # enable acme for auto ssl certs with lets encrypt + security.acme = { + acceptTerms = true; + defaults.email = "me@blakedheld.xyz"; + }; + + # nginx secrets + sops.secrets = { + "ssl_blakedheld_crt" = { + restartUnits = [ "nginx.service" ]; + owner = "nginx"; + group = "nginx"; +# neededForUsers = true; + }; + "ssl_blakedheld_key" = { + owner = "nginx"; + group = "nginx"; +# neededForUsers = true; + }; + }; + }; +} diff --git a/modules/homelab/services/bak/qbittorrent/default.nix b/modules/homelab/services/bak/qbittorrent/default.nix new file mode 100644 index 0000000..373e945 --- /dev/null +++ b/modules/homelab/services/bak/qbittorrent/default.nix 
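Review bot: Both reverse-proxy entries point at `http://127.0.0.1:${toString cfg.port}` (7101 by default), but nothing in the hunk makes jellyfin listen on `cfg.port`: `services.jellyfin` sets no port and the inline comment says `openFirewall` opens 8096/8920, so unless the port is changed elsewhere the proxies target a port jellyfin is not listening on while 8096 stays exposed directly on all interfaces. Either configure jellyfin's HTTP port to `cfg.port` or proxy to 8096, and drop `openFirewall = true` so that only nginx reaches the service. Minor: `dataDir = "/var/lib/jellyfin"` duplicates the `data_dir` binding (`dataDir = data_dir;`), and the `backup` option has no `description` unlike the sibling modules.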
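Review bot: `ssl_blakedheld_key` lacks the `restartUnits = [ "nginx.service" ]` that `ssl_blakedheld_crt` carries, so a rotation that touches only the key file is never picked up until something else restarts nginx. Add `restartUnits = [ "nginx.service" ];` to the key entry so both halves of the pair behave the same. The two secrets are owned by `nginx` yet referenced from the vhost entries in every other hunk; that works because nginx is the only reader, and a one-line comment such as `# referenced by every services.nginx.virtualHosts entry; nginx is the sole reader` would spare the next maintainer from re-deriving it.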
@@ -0,0 +1,102 @@ +{ pkgs, config, lib, ... }: + +let + cfg = config.modules.services.qbittorrent; + default_port = 8080; + data_dir = "/var/lib/qBittorrent"; + ids = 2003; + vpn_inf = "enp89s0.69"; # vpn interfacve +in +{ + options.modules.services.qbittorrent = { + enable = lib.mkEnableOption "enables qbittorrent"; + + # set port options + port = lib.mkOption { + type = lib.types.int; + default = 7103; + description = "set port for qbittorrent (default: ${toString default_port}"; + }; + + backup = lib.mkOption { + type = lib.types.bool; + default = true; + description = "enable backups for qbittorrent"; + }; + }; + + config = lib.mkIf cfg.enable { + + # declare qbittorrent group + users.groups.qbittorrent = { gid = ids; }; + + # declare qbittorrent user + users.users.qbittorrent = { + description = "qbittorrent server user"; + uid = ids; + isSystemUser = true; + home = data_dir; + createHome = true; + group = "qbittorrent"; + extraGroups = [ "media" ]; + }; + + # enable the qbittorrent service + services.qbittorrent = { + enable = true; + openFirewall = true; + user = "qbittorrent"; + group = "qbittorrent"; + profileDir = data_dir; + webuiPort = cfg.port; +# torrentingPort = cfg.port; + }; + + # override umask to make permissions work out + systemd.services.qbittorrent = { + serviceConfig = { + UMask = lib.mkForce "0007"; + }; + }; + + networking.firewall.extraCommands = '' + iptables -F QBIT + iptables -X QBIT + iptables -N QBIT + iptables -A OUTPUT -m owner --uid-owner ${toString ids} -j QBIT + iptables -A QBIT -o ${vpn_inf} -j ACCEPT + iptables -A QBIT -p udp --dport 53 -o ${vpn_inf} -j ACCEPT + iptables -A QBIT -p tcp --dport 53 -o ${vpn_inf} -j ACCEPT + iptables -A QBIT -p tcp -d 127.0.0.1 --dport ${toString cfg.port} -j ACCEPT + iptables -A QBIT -p tcp -o enp89s0 -d 10.0.0.0/8 --dport ${toString cfg.port} -j ACCEPT + iptables -A QBIT -j DROP + ''; + + + +# ------------------------------------------------------------------------------ +# # add systemd 
service to VPN network namespace +# vpnConfinement = { +# enable = true; +# vpnNamespace = "wgmex"; +# }; +# ------------------------------------------------------------------------------ + +# # open firewall +# networking.firewall.allowedTCPPorts = [ cfg.port ]; + + # internal reverse proxy entry + services.nginx.virtualHosts."qbit.snowbelle.lan" = { + enableACME = false; + forceSSL = true; + sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path; + sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; + + # add to backups + modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ]; + }; +} diff --git a/modules/homelab/services/bak/vaultwarden/default.nix b/modules/homelab/services/bak/vaultwarden/default.nix new file mode 100644 index 0000000..131a07b --- /dev/null +++ b/modules/homelab/services/bak/vaultwarden/default.nix 
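Review bot: The `extraCommands` kill switch is IPv4-only: no `ip6tables` counterpart exists, so any IPv6 traffic from uid `${toString ids}` bypasses the `-o ${vpn_inf}` restriction entirely unless IPv6 is disabled on the host. The block is also not idempotent: `iptables -F QBIT` / `-X QBIT` fail on the first start when the chain does not exist yet, and the `-A OUTPUT ... -j QBIT` jump is appended on every firewall reload without a matching `-D`, so duplicates accumulate. As far as I can tell the `-d 127.0.0.1 --dport ${toString cfg.port}` and `-d 10.0.0.0/8 --dport` rules match outbound connections *to* the web UI port, whereas the web UI's own replies leave with source port `cfg.port`, so they fall through to the final `DROP` — confirm against a live connection through nginx. The rewrite below makes the block re-runnable, accepts loopback and LAN replies by source port, and drops IPv6 for the uid rather than leaking it; `extraStopCommands` should remove the jump rule and chain symmetrically.
```nix
networking.firewall.extraCommands = ''
  # re-runnable: the chain may not exist on first start and the jump must not be duplicated on reload
  iptables -D OUTPUT -m owner --uid-owner ${toString ids} -j QBIT 2>/dev/null || true
  iptables -F QBIT 2>/dev/null || true
  iptables -X QBIT 2>/dev/null || true
  iptables -N QBIT
  iptables -A OUTPUT -m owner --uid-owner ${toString ids} -j QBIT
  # replies to nginx on loopback
  iptables -A QBIT -o lo -j ACCEPT
  iptables -A QBIT -o ${vpn_inf} -j ACCEPT
  # … unchanged: DNS-over-VPN rules …
  # web UI replies to the LAN leave with SOURCE port cfg.port
  iptables -A QBIT -p tcp -o enp89s0 -d 10.0.0.0/8 --sport ${toString cfg.port} -j ACCEPT
  iptables -A QBIT -j DROP
  # no IPv6 VPN route is configured, so block IPv6 for this uid instead of leaking it
  ip6tables -D OUTPUT -m owner --uid-owner ${toString ids} -j DROP 2>/dev/null || true
  ip6tables -A OUTPUT -m owner --uid-owner ${toString ids} -j DROP
'';
```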
@@ -0,0 +1,105 @@ +{ pkgs, config, lib, ... }: + +let + cfg = config.modules.services.vaultwarden; + ids = 2771; + default_port = 8000; + data_dir = "/var/lib/vaultwarden"; + domain = https://pass.blakedheld.xyz; +in +{ + options.modules.services.vaultwarden = { + enable = lib.mkEnableOption "enables vaultwarden"; + + # set port options + port = lib.mkOption { + type = lib.types.int; + default = 7701; + description = "set port for vaultwarden (default: ${toString default_port}"; + }; + + backup = lib.mkOption { + type = lib.types.bool; + default = true; + description = "enable backups for vaultwarden"; + }; + }; + + config = lib.mkIf cfg.enable { + + # declare vaultwarden group + users.groups.vaultwarden = { gid = ids; }; + + # declare vaultwarden user + users.users.vaultwarden = { + description = "vaultwarden server user"; + uid = ids; + isSystemUser = true; + home = "/var/lib/vaultwarden"; + createHome = true; + group = "vaultwarden"; + extraGroups = [ "media" ]; + }; + + # enable the vaultwarden service + services.vaultwarden = { + enable = true; + config = { + DOMAIN = domain; + ROCKET_ADDRESS = "0.0.0.0"; + ROCKET_PORT = cfg.port; + SIGNUPS_ALLOWED = true; +# ADMIN_TOKEN = "yuh"; + ADMIN_TOKEN = "${toString config.sops.secrets."vaultwarden_admin_token".path}"; + EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "fido2-vault-credentials,autofill-overlay,autofill-v2,inline-menu-positioning-improvements,ssh-key-vault-item"; + # The following flags are available: + # - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials. + # - "autofill-v2": Use the new autofill implementation. + # - "browser-fileless-import": Directly import credentials from other providers without a file. + # - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension) + # - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor. 
+ # - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension. + # - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0) + # - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0) + }; + }; + + # override umask to make permissions work out + systemd.services.vaultwarden.serviceConfig = { UMask = lib.mkForce "0007"; }; + +# # open firewall +# networking.firewall.allowedTCPPorts = [ cfg.port ]; + + # internal reverse proxy entry + services.nginx.virtualHosts."pass.snowbelle.lan" = { + enableACME = false; + forceSSL = true; + sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path; + sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; + # external reverse proxy entry + services.nginx.virtualHosts."pass.blakedheld.xyz" = { + enableACME = false; + forceSSL = true; + sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path; + sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; + + sops.secrets = { + "vaultwarden_admin_token" = { + owner = "vaultwarden"; + group = "vaultwarden"; + path = "/home/blake/.nix/.keyring/vaultwarden_admin_token"; + }; + }; + + # add to backups + modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ]; + }; +} diff --git a/modules/homelab/services/jellyfin/default_temp.nix b/modules/homelab/services/jellyfin/default_temp.nix new file mode 100644 index 0000000..b816f17 --- /dev/null +++ b/modules/homelab/services/jellyfin/default_temp.nix 
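Review bot: `ADMIN_TOKEN = "${toString config.sops.secrets."vaultwarden_admin_token".path}"` assigns the secret's *path*, not its contents, so the admin token of an internet-facing instance (`pass.blakedheld.xyz`) becomes the constant string `/home/blake/.nix/.keyring/vaultwarden_admin_token`, and as far as I know the module renders `config` into an environment file in the world-readable Nix store. Drop the line from `config` and load the secret with `services.vaultwarden.environmentFile = config.sops.secrets."vaultwarden_admin_token".path;`, with the sops-managed file holding `ADMIN_TOKEN=<argon2-hash-placeholder>` in dotenv form. In the same block, `SIGNUPS_ALLOWED = true` lets anyone who reaches the public vhost create an account, and `ROCKET_ADDRESS = "0.0.0.0"` listens on all interfaces although both vhosts proxy to `127.0.0.1`; set `SIGNUPS_ALLOWED = false` (use invitations or a signup domain whitelist) and `ROCKET_ADDRESS = "127.0.0.1"`. `extraGroups = [ "media" ]` gives a password manager access to the media group for no visible reason; use `[]`. `domain = https://pass.blakedheld.xyz;` relies on the deprecated unquoted URL literal — quote it.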
@@ -0,0 +1,108 @@ +{ pkgs, config, lib, ... }: + +let + service = ""; + cfg = config.modules.services.${service}; + sec = config.sops.secrets; + homelab = config.modules.homelab; +in +{ + options.modules.services.${service} = { + enable = lib.mkEnableOption "enables ${service}"; + + # set port options + port = lib.mkOption { + type = lib.types.int; + default = ; + description = "set port for ${service} (default: ${toString cfg.port}"; + }; + url = lib.mkOption { + type = lib.types.str; + default = "${service}.${homelab.base_domain}"; + description = "set domain for ${service}"; + }; + data_dir = lib.mkOption { + type = lib.types.str; + default = "/var/lib/${service}"; + description = "set data directory for ${service}"; + }; + ids = lib.mkOption { + type = lib.types.int; + default = cfg.port; + description = "set uid and pid of ${service} user (matches port by default)"; + }; + backup = lib.mkOption { + type = lib.types.bool; + default = true; + description = "enable backups for ${service}"; + }; + }; + + config = lib.mkIf cfg.enable { + + # declare ${service} group + users.groups.${service} = { gid = lib.mkForce cfg.ids; }; + + # declare ${service} user + users.users.${service} = { + description = "${service} server user"; + uid = lib.mkForce cfg.ids; + isSystemUser = true; + home = cfg.data_dir; + createHome = true; + group = "${service}"; + extraGroups = [ "media" ]; + }; + + # enable the ${service} service + services.${service} = { + enable = true; + openFirewall = true; + user = "${service}"; + group = "${service}"; + dataDir = cfg.data_dir; + settings = { + server.port = cfg.port; + }; + }; + + # override umask to make permissions work out + systemd.services.${service}.serviceConfig = { + UMask = lib.mkForce "0007"; +# User = "${service}"; +# Group = "${service}"; + }; + +# # open firewall +# networking.firewall.allowedTCPPorts = [ cfg.port ]; + + # internal reverse proxy entry + services.nginx.virtualHosts."${cfg.url}" = { + forceSSL = true; + sslCertificate 
= sec."ssl_blakedheld_crt".path; + sslCertificateKey = sec."ssl_blakedheld_key".path; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; +# # external reverse proxy entry +# services.nginx.virtualHosts."${service}.blakedheld.xyz" = { +# forceSSL = true; +# sslCertificate = sec."ssl_blakedheld_crt".path; +# sslCertificateKey = sec."ssl_blakedheld_key".path; +# locations."/" = { +# proxyPass = "http://127.0.0.1:${toString cfg.port}"; +# }; +# }; +# +# sops.secrets = { +# "${service}_" = { +# owner = "${service}"; +# group = "${service}"; +# }; +# }; + + # add to backups + modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ]; + }; +} diff --git a/modules/homelab/services/qbittorrent/default_temp.nix b/modules/homelab/services/qbittorrent/default_temp.nix new file mode 100644 index 0000000..b816f17 --- /dev/null +++ b/modules/homelab/services/qbittorrent/default_temp.nix 
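Review bot: `default = ;` in the `port` option is not valid Nix and `service = ""` leaves every `${service}` interpolation empty, so this file fails to parse if it is ever imported; the qbittorrent and vaultwarden `default_temp.nix` hunks are byte-identical (same blob `b816f17`) and share the defect. If these are meant as a template rather than a module, keep a single copy outside the module tree or give it a non-`.nix` suffix so an auto-import glob cannot pick it up. `description = "set port for ${service} (default: ${toString cfg.port}"` reads the option's own config value from inside its declaration, which presumably recurses when the option docs are evaluated — use a literal there and close the paren. `extraGroups = [ "media" ]` grants every service generated from this template the media group by default; make it an option defaulting to `[]`.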
@@ -0,0 +1,108 @@ +{ pkgs, config, lib, ... }: + +let + service = ""; + cfg = config.modules.services.${service}; + sec = config.sops.secrets; + homelab = config.modules.homelab; +in +{ + options.modules.services.${service} = { + enable = lib.mkEnableOption "enables ${service}"; + + # set port options + port = lib.mkOption { + type = lib.types.int; + default = ; + description = "set port for ${service} (default: ${toString cfg.port}"; + }; + url = lib.mkOption { + type = lib.types.str; + default = "${service}.${homelab.base_domain}"; + description = "set domain for ${service}"; + }; + data_dir = lib.mkOption { + type = lib.types.str; + default = "/var/lib/${service}"; + description = "set data directory for ${service}"; + }; + ids = lib.mkOption { + type = lib.types.int; + default = cfg.port; + description = "set uid and pid of ${service} user (matches port by default)"; + }; + backup = lib.mkOption { + type = lib.types.bool; + default = true; + description = "enable backups for ${service}"; + }; + }; + + config = lib.mkIf cfg.enable { + + # declare ${service} group + users.groups.${service} = { gid = lib.mkForce cfg.ids; }; + + # declare ${service} user + users.users.${service} = { + description = "${service} server user"; + uid = lib.mkForce cfg.ids; + isSystemUser = true; + home = cfg.data_dir; + createHome = true; + group = "${service}"; + extraGroups = [ "media" ]; + }; + + # enable the ${service} service + services.${service} = { + enable = true; + openFirewall = true; + user = "${service}"; + group = "${service}"; + dataDir = cfg.data_dir; + settings = { + server.port = cfg.port; + }; + }; + + # override umask to make permissions work out + systemd.services.${service}.serviceConfig = { + UMask = lib.mkForce "0007"; +# User = "${service}"; +# Group = "${service}"; + }; + +# # open firewall +# networking.firewall.allowedTCPPorts = [ cfg.port ]; + + # internal reverse proxy entry + services.nginx.virtualHosts."${cfg.url}" = { + forceSSL = true; + sslCertificate 
= sec."ssl_blakedheld_crt".path; + sslCertificateKey = sec."ssl_blakedheld_key".path; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; +# # external reverse proxy entry +# services.nginx.virtualHosts."${service}.blakedheld.xyz" = { +# forceSSL = true; +# sslCertificate = sec."ssl_blakedheld_crt".path; +# sslCertificateKey = sec."ssl_blakedheld_key".path; +# locations."/" = { +# proxyPass = "http://127.0.0.1:${toString cfg.port}"; +# }; +# }; +# +# sops.secrets = { +# "${service}_" = { +# owner = "${service}"; +# group = "${service}"; +# }; +# }; + + # add to backups + modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ]; + }; +} diff --git a/modules/homelab/services/vaultwarden/default_temp.nix b/modules/homelab/services/vaultwarden/default_temp.nix new file mode 100644 index 0000000..b816f17 --- /dev/null +++ b/modules/homelab/services/vaultwarden/default_temp.nix 
@@ -0,0 +1,108 @@ +{ pkgs, config, lib, ... }: + +let + service = ""; + cfg = config.modules.services.${service}; + sec = config.sops.secrets; + homelab = config.modules.homelab; +in +{ + options.modules.services.${service} = { + enable = lib.mkEnableOption "enables ${service}"; + + # set port options + port = lib.mkOption { + type = lib.types.int; + default = ; + description = "set port for ${service} (default: ${toString cfg.port}"; + }; + url = lib.mkOption { + type = lib.types.str; + default = "${service}.${homelab.base_domain}"; + description = "set domain for ${service}"; + }; + data_dir = lib.mkOption { + type = lib.types.str; + default = "/var/lib/${service}"; + description = "set data directory for ${service}"; + }; + ids = lib.mkOption { + type = lib.types.int; + default = cfg.port; + description = "set uid and pid of ${service} user (matches port by default)"; + }; + backup = lib.mkOption { + type = lib.types.bool; + default = true; + description = "enable backups for ${service}"; + }; + }; + + config = lib.mkIf cfg.enable { + + # declare ${service} group + users.groups.${service} = { gid = lib.mkForce cfg.ids; }; + + # declare ${service} user + users.users.${service} = { + description = "${service} server user"; + uid = lib.mkForce cfg.ids; + isSystemUser = true; + home = cfg.data_dir; + createHome = true; + group = "${service}"; + extraGroups = [ "media" ]; + }; + + # enable the ${service} service + services.${service} = { + enable = true; + openFirewall = true; + user = "${service}"; + group = "${service}"; + dataDir = cfg.data_dir; + settings = { + server.port = cfg.port; + }; + }; + + # override umask to make permissions work out + systemd.services.${service}.serviceConfig = { + UMask = lib.mkForce "0007"; +# User = "${service}"; +# Group = "${service}"; + }; + +# # open firewall +# networking.firewall.allowedTCPPorts = [ cfg.port ]; + + # internal reverse proxy entry + services.nginx.virtualHosts."${cfg.url}" = { + forceSSL = true; + sslCertificate 
= sec."ssl_blakedheld_crt".path; + sslCertificateKey = sec."ssl_blakedheld_key".path; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; +# # external reverse proxy entry +# services.nginx.virtualHosts."${service}.blakedheld.xyz" = { +# forceSSL = true; +# sslCertificate = sec."ssl_blakedheld_crt".path; +# sslCertificateKey = sec."ssl_blakedheld_key".path; +# locations."/" = { +# proxyPass = "http://127.0.0.1:${toString cfg.port}"; +# }; +# }; +# +# sops.secrets = { +# "${service}_" = { +# owner = "${service}"; +# group = "${service}"; +# }; +# }; + + # add to backups + modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ]; + }; +}