diff --git a/flake.nix b/flake.nix
index bcd5cf4..2266d55 100644
--- a/flake.nix
+++ b/flake.nix
@@ -1,6 +1,6 @@
 # flake for blakes nixos config
 # define new devices in outputs
-# generation: 152 current 2025-10-09 12:19:53 25.05.20251006.20c4598 6.12.50 *
+# generation: 153 current 2025-10-09 12:27:20 25.05.20251006.20c4598 6.12.50 *
 {
   description = "blakes nix config";
   inputs = {
diff --git a/hosts/snowbelle/configuration.nix b/hosts/snowbelle/configuration.nix
index 9aa4f3a..e48541b 100644
--- a/hosts/snowbelle/configuration.nix
+++ b/hosts/snowbelle/configuration.nix
@@ -32,7 +32,7 @@
   services = {
     #jellyfin.enable = true;
     #vaultwarden.enable = true;
-    #gitea.enable = true;
+    gitea.enable = true;
     #qbittorrent.enable = true;
     prowlarr.enable = true;
     flaresolverr.enable = true;
diff --git a/modules/homelab/services/gitea/default.nix b/modules/homelab/services/gitea/default.nix
index 8ba502d..5e4ee20 100644
--- a/modules/homelab/services/gitea/default.nix
+++ b/modules/homelab/services/gitea/default.nix
@@ -1,59 +1,71 @@
 { pkgs, config, lib, ... }:
 let
-  cfg = config.modules.services.gitea;
-  ids = 2703;
-  default_port = 3000;
-  data_dir = "/var/lib/gitea";
+  service = "gitea";
+  cfg = config.modules.services.${service};
+  sec = config.sops.secrets;
+  homelab = config.modules.homelab;
 in
 {
-  options.modules.services.gitea = {
-    enable = lib.mkEnableOption "enables gitea";
+  options.modules.services.${service} = {
+    enable = lib.mkEnableOption "enables ${service}";
     # set port options
     port = lib.mkOption {
       type = lib.types.int;
       default = 7703;
-      description = "set port for gitea (default: ${toString default_port}";
+      description = "set port for ${service} (default: ${toString cfg.port}";
     };
-
-    # set ssh port
     ssh_port = lib.mkOption {
       type = lib.types.int;
       default = 7567;
-      description = "set port for gitea (default: 2222";
+      description = "set port for ${service} (default: ${toString cfg.port}";
+    };
+    url = lib.mkOption {
+      type = lib.types.str;
+      default = "${service}.${homelab.base_domain}";
+      description = "set domain for ${service}";
+    };
+    data_dir = lib.mkOption {
+      type = lib.types.str;
+      default = "/var/lib/${service}";
+      description = "set data directory for ${service}";
+    };
+    ids = lib.mkOption {
+      type = lib.types.int;
+      default = cfg.port;
+      description = "set uid and pid of ${service} user (matches port by default)";
     };
-
     backup = lib.mkOption {
       type = lib.types.bool;
       default = true;
-      description = "enable backups for gitea";
+      description = "enable backups for ${service}";
     };
   };
   config = lib.mkIf cfg.enable {
-    # declare gitea group
-    users.groups.gitea = { gid = ids; };
+    # declare ${service} group
+    users.groups.${service} = { gid = lib.mkForce cfg.ids; };
-    # declare gitea user
-    users.users.gitea = {
-      description = lib.mkForce "gitea server user";
-      uid = ids;
+    # declare ${service} user
+    users.users.${service} = {
+      description = "${service} server user";
+      uid = lib.mkForce cfg.ids;
       isSystemUser = true;
-      shell = pkgs.bash;
-      home = "/var/lib/gitea";
+      shell = pkgs.bash;
+      home = cfg.data_dir;
       createHome = true;
-      group = "gitea";
+      group = "${service}";
       extraGroups = [];
     };
-    # enable the gitea service
+    # declare the gitea service
     services.gitea = {
       enable = true;
       user = "gitea";
       group = "gitea";
-      stateDir = data_dir;
+      stateDir = cfg.data_dir;
       appName = "gitea";
       settings = {
         server = {
@@ -69,43 +81,41 @@ in
         passwordFile = "${toString config.sops.secrets."gitea_database_password".path}";
       };
     };
-
+    # override umask to make permissions work out
-    systemd.services.gitea.serviceConfig = { UMask = lib.mkForce "0007"; };
+    systemd.services.${service}.serviceConfig = {
+      UMask = lib.mkForce "0007";
+    };
     # open firewall
     networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ];
     # internal reverse proxy entry
-    services.nginx.virtualHosts."git.snowbelle.lan" = {
-      enableACME = false;
+    services.nginx.virtualHosts."${cfg.url}" = {
       forceSSL = true;
-      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
-      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+      sslCertificate = sec."ssl_blakedheld_crt".path;
+      sslCertificateKey = sec."ssl_blakedheld_key".path;
       locations."/" = {
         proxyPass = "http://127.0.0.1:${toString cfg.port}";
       };
     };
     # external reverse proxy entry
     services.nginx.virtualHosts."git.blakedheld.xyz" = {
-      enableACME = true;
+      useACME = true;
       forceSSL = true;
-#      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
-#      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
       locations."/" = {
         proxyPass = "http://127.0.0.1:${toString cfg.port}";
       };
     };
     sops.secrets = {
-      "gitea_database_password" = {
-        owner = "gitea";
-        group = "gitea";
-#        neededForUsers = true;
+      "${service}_database_password" = {
+        owner = "${service}";
+        group = "${service}";
       };
     };
     # add to backups
-    modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
+    modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
   };
 }
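Review bot: The `ssh_port` description in the new options block is a copy of `port`'s: it reports `cfg.port` instead of the SSH port, and both descriptions are missing the closing parenthesis; `description = "set port for ${service} (default: ${toString cfg.ssh_port})";` is what was meant. Interpolating `cfg.*` into a description also shows the configured value rather than the default, so a literal (or `defaultText`) would be clearer. Separately, the `ids` option defaults to `cfg.port`, so the effective uid/gid moves from the removed literal 2703 to 7703 and `mkForce` overrides whatever the upstream gitea module assigns; anything already under `/var/lib/gitea` and the sops-owned database-password secret will be owned by the old id until re-owned, so a comment on the option such as `# changing ids on an existing host requires re-owning data_dir and the sops secret` would save the next person a failed start. Its description also says "uid and pid" where "uid and gid" is meant. The `{ pkgs, config, lib, ... }:` function this hunk opens continues into the next hunk.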
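Review bot: `useACME = true;` on the `git.blakedheld.xyz` vhost does not look like a `services.nginx.virtualHosts` option; the upstream module defines `enableACME` (which the removed line used) and `useACMEHost`, so I would expect evaluation to stop with an unknown-option error, and if it somehow did not, the result is a `forceSSL` host with no certificate configured — restore `enableACME = true;`. Unrelated to the rename, the context line `networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ];` still exposes Gitea's plain-HTTP port on every interface, bypassing the TLS proxy entries directly below it; if only nginx and SSH are meant to be reachable, `[ cfg.ssh_port ]` is enough. The enclosing `config = lib.mkIf cfg.enable { ... }` block starts in the previous hunk.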
diff --git a/modules/homelab/services/jellyfin/default.nix b/modules/homelab/services/jellyfin/default.nix
deleted file mode 100644
index 0e6b54b..0000000
--- a/modules/homelab/services/jellyfin/default.nix
+++ /dev/null
@@ -1,82 +0,0 @@
-{ pkgs, config, lib, ... }:
-
-let
-  cfg = config.modules.services.jellyfin;
-  ids = 701;
-  default_port = 8096;
-  data_dir = "/var/lib/jellyfin";
-in
-{
-  options.modules.services.jellyfin = {
-    enable = lib.mkEnableOption "enables jellyfin";
-
-    # set port options
-    port = lib.mkOption {
-      type = lib.types.int;
-      default = 7101;
-      description = "set port for jellyfin (default: ${toString default_port}";
-    };
-
-    backup = lib.mkOption {
-      type = lib.types.bool;
-      default = true;
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-
-    # declare jellyfin group
-    users.groups.jellyfin = { gid = ids; };
-
-    # declare jellyfin user
-    users.users.jellyfin = {
-      description = "jellyfin media server user";
-      uid = ids;
-      isSystemUser = true;
-      home = data_dir;
-      createHome = true;
-      group = "jellyfin";
-      extraGroups = [ "media" "video" "render" ];
-    };
-
-    # enable the jellyfin service
-    services.jellyfin = {
-      enable = true;
-      openFirewall = true; # Opens 8096/8920 automatically
-      user = "jellyfin"; # Default: jellyfin
-      group = "jellyfin"; # Default: jellyfin
-      dataDir = "/var/lib/jellyfin"; # Config + metadata storage
-    };
-
-    # override umask to make permissions work out
-    systemd.services.jellyfin.serviceConfig = { UMask = lib.mkForce "0007"; };
-
-    # open firewall
-#    networking.firewall.allowedTCPPorts = [ cfg.port ];
-
-    # internal reverse proxy entry
-    services.nginx.virtualHosts."jellyfin.snowbelle.lan" = {
-      enableACME = false;
-      forceSSL = true;
-      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
-      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString cfg.port}";
-      };
-    };
-
-    # external reverse proxy entry
-    services.nginx.virtualHosts."media.blakedheld.xyz" = {
-      enableACME = false;
-      forceSSL = true;
-      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
-      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString cfg.port}";
-      };
-    };
-
-    # add to backups
-    modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
-  };
-}
diff --git a/modules/homelab/services/qbittorrent/default.nix b/modules/homelab/services/qbittorrent/default.nix
deleted file mode 100644
index 373e945..0000000
--- a/modules/homelab/services/qbittorrent/default.nix
+++ /dev/null
@@ -1,102 +0,0 @@
-{ pkgs, config, lib, ... }:
-
-let
-  cfg = config.modules.services.qbittorrent;
-  default_port = 8080;
-  data_dir = "/var/lib/qBittorrent";
-  ids = 2003;
-  vpn_inf = "enp89s0.69"; # vpn interfacve
-in
-{
-  options.modules.services.qbittorrent = {
-    enable = lib.mkEnableOption "enables qbittorrent";
-
-    # set port options
-    port = lib.mkOption {
-      type = lib.types.int;
-      default = 7103;
-      description = "set port for qbittorrent (default: ${toString default_port}";
-    };
-
-    backup = lib.mkOption {
-      type = lib.types.bool;
-      default = true;
-      description = "enable backups for qbittorrent";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-
-    # declare qbittorrent group
-    users.groups.qbittorrent = { gid = ids; };
-
-    # declare qbittorrent user
-    users.users.qbittorrent = {
-      description = "qbittorrent server user";
-      uid = ids;
-      isSystemUser = true;
-      home = data_dir;
-      createHome = true;
-      group = "qbittorrent";
-      extraGroups = [ "media" ];
-    };
-
-    # enable the qbittorrent service
-    services.qbittorrent = {
-      enable = true;
-      openFirewall = true;
-      user = "qbittorrent";
-      group = "qbittorrent";
-      profileDir = data_dir;
-      webuiPort = cfg.port;
-#      torrentingPort = cfg.port;
-    };
-
-    # override umask to make permissions work out
-    systemd.services.qbittorrent = {
-      serviceConfig = {
-        UMask = lib.mkForce "0007";
-      };
-    };
-
-    networking.firewall.extraCommands = ''
-      iptables -F QBIT
-      iptables -X QBIT
-      iptables -N QBIT
-      iptables -A OUTPUT -m owner --uid-owner ${toString ids} -j QBIT
-      iptables -A QBIT -o ${vpn_inf} -j ACCEPT
-      iptables -A QBIT -p udp --dport 53 -o ${vpn_inf} -j ACCEPT
-      iptables -A QBIT -p tcp --dport 53 -o ${vpn_inf} -j ACCEPT
-      iptables -A QBIT -p tcp -d 127.0.0.1 --dport ${toString cfg.port} -j ACCEPT
-      iptables -A QBIT -p tcp -o enp89s0 -d 10.0.0.0/8 --dport ${toString cfg.port} -j ACCEPT
-      iptables -A QBIT -j DROP
-    '';
-
-
-
-# ------------------------------------------------------------------------------
-#    # add systemd service to VPN network namespace
-#    vpnConfinement = {
-#      enable = true;
-#      vpnNamespace = "wgmex";
-#    };
-# ------------------------------------------------------------------------------
-
-#    # open firewall
-#    networking.firewall.allowedTCPPorts = [ cfg.port ];
-
-    # internal reverse proxy entry
-    services.nginx.virtualHosts."qbit.snowbelle.lan" = {
-      enableACME = false;
-      forceSSL = true;
-      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
-      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString cfg.port}";
-      };
-    };
-
-    # add to backups
-    modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
-  };
-}
diff --git a/modules/homelab/services/vaultwarden/default.nix b/modules/homelab/services/vaultwarden/default.nix
deleted file mode 100644
index 131a07b..0000000
--- a/modules/homelab/services/vaultwarden/default.nix
+++ /dev/null
@@ -1,105 +0,0 @@
-{ pkgs, config, lib, ... }:
-
-let
-  cfg = config.modules.services.vaultwarden;
-  ids = 2771;
-  default_port = 8000;
-  data_dir = "/var/lib/vaultwarden";
-  domain = https://pass.blakedheld.xyz;
-in
-{
-  options.modules.services.vaultwarden = {
-    enable = lib.mkEnableOption "enables vaultwarden";
-
-    # set port options
-    port = lib.mkOption {
-      type = lib.types.int;
-      default = 7701;
-      description = "set port for vaultwarden (default: ${toString default_port}";
-    };
-
-    backup = lib.mkOption {
-      type = lib.types.bool;
-      default = true;
-      description = "enable backups for vaultwarden";
-    };
-  };
-
-  config = lib.mkIf cfg.enable {
-
-    # declare vaultwarden group
-    users.groups.vaultwarden = { gid = ids; };
-
-    # declare vaultwarden user
-    users.users.vaultwarden = {
-      description = "vaultwarden server user";
-      uid = ids;
-      isSystemUser = true;
-      home = "/var/lib/vaultwarden";
-      createHome = true;
-      group = "vaultwarden";
-      extraGroups = [ "media" ];
-    };
-
-    # enable the vaultwarden service
-    services.vaultwarden = {
-      enable = true;
-      config = {
-        DOMAIN = domain;
-        ROCKET_ADDRESS = "0.0.0.0";
-        ROCKET_PORT = cfg.port;
-        SIGNUPS_ALLOWED = true;
-#        ADMIN_TOKEN = "yuh";
-        ADMIN_TOKEN = "${toString config.sops.secrets."vaultwarden_admin_token".path}";
-        EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "fido2-vault-credentials,autofill-overlay,autofill-v2,inline-menu-positioning-improvements,ssh-key-vault-item";
-        # The following flags are available:
-        # - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
-        # - "autofill-v2": Use the new autofill implementation.
-        # - "browser-fileless-import": Directly import credentials from other providers without a file.
-        # - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
-        # - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
-        # - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
-        # - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
-        # - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
-      };
-    };
-
-    # override umask to make permissions work out
-    systemd.services.vaultwarden.serviceConfig = { UMask = lib.mkForce "0007"; };
-
-#    # open firewall
-#    networking.firewall.allowedTCPPorts = [ cfg.port ];
-
-    # internal reverse proxy entry
-    services.nginx.virtualHosts."pass.snowbelle.lan" = {
-      enableACME = false;
-      forceSSL = true;
-      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
-      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString cfg.port}";
-      };
-    };
-    # external reverse proxy entry
-    services.nginx.virtualHosts."pass.blakedheld.xyz" = {
-      enableACME = false;
-      forceSSL = true;
-      sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
-      sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
-      locations."/" = {
-        proxyPass = "http://127.0.0.1:${toString cfg.port}";
-      };
-    };
-
-    sops.secrets = {
-      "vaultwarden_admin_token" = {
-        owner = "vaultwarden";
-        group = "vaultwarden";
-        path = "/home/blake/.nix/.keyring/vaultwarden_admin_token";
-      };
-    };
-
-    # add to backups
-    modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
-  };
-}