blake/nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

153 current 2025-10-09 12:27:20 25.05.20251006.20c4598 6.12.50 *

Browse Source
This commit is contained in:
blake
2025-10-09 12:36:24 -05:00
parent 126754154d
commit 7bd74aea43
6 changed files with 49 additions and 328 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
flake.nix
View File

@@ -1,6 +1,6 @@
# flake for blakes nixos config # flake for blakes nixos config
# define new devices in outputs # define new devices in outputs
# generation: 152 current 2025-10-09 12:19:53 25.05.20251006.20c4598 6.12.50 * # generation: 153 current 2025-10-09 12:27:20 25.05.20251006.20c4598 6.12.50 *
{ {
description = "blakes nix config"; description = "blakes nix config";
inputs = { inputs = {

2
hosts/snowbelle/configuration.nix
View File

@@ -32,7 +32,7 @@
services = { services = {
#jellyfin.enable = true; #jellyfin.enable = true;
#vaultwarden.enable = true; #vaultwarden.enable = true;
#gitea.enable = true; gitea.enable = true;
#qbittorrent.enable = true; #qbittorrent.enable = true;
prowlarr.enable = true; prowlarr.enable = true;
flaresolverr.enable = true; flaresolverr.enable = true;

84
modules/homelab/services/gitea/default.nix
View File

@@ -1,59 +1,71 @@
{ pkgs, config, lib, ... }: { pkgs, config, lib, ... }:
let let
cfg = config.modules.services.gitea; service = "gitea";
ids = 2703; cfg = config.modules.services.${service};
default_port = 3000; sec = config.sops.secrets;
data_dir = "/var/lib/gitea"; homelab = config.modules.homelab;
in in
{ {
options.modules.services.gitea = { options.modules.services.${service} = {
enable = lib.mkEnableOption "enables gitea"; enable = lib.mkEnableOption "enables ${service}";
# set port options # set port options
port = lib.mkOption { port = lib.mkOption {
type = lib.types.int; type = lib.types.int;
default = 7703; default = 7703;
description = "set port for gitea (default: ${toString default_port}"; description = "set port for ${service} (default: ${toString cfg.port}";
}; };
# set ssh port
ssh_port = lib.mkOption { ssh_port = lib.mkOption {
type = lib.types.int; type = lib.types.int;
default = 7567; default = 7567;
description = "set port for gitea (default: 2222"; description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
}; };
backup = lib.mkOption { backup = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = true; default = true;
description = "enable backups for gitea"; description = "enable backups for ${service}";
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# declare gitea group # declare ${service} group
users.groups.gitea = { gid = ids; }; users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare gitea user # declare ${service} user
users.users.gitea = { users.users.${service} = {
description = lib.mkForce "gitea server user"; description = "${service} server user";
uid = ids; uid = lib.mkForce cfg.ids;
isSystemUser = true; isSystemUser = true;
shell = pkgs.bash; shell = pkgs.bash;
home = "/var/lib/gitea"; home = cfg.data_dir;
createHome = true; createHome = true;
group = "gitea"; group = "${service}";
extraGroups = []; extraGroups = [];
}; };
# enable the gitea service # declare the gitea service
services.gitea = { services.gitea = {
enable = true; enable = true;
user = "gitea"; user = "gitea";
group = "gitea"; group = "gitea";
stateDir = data_dir; stateDir = cfg.data_dir;
appName = "gitea"; appName = "gitea";
settings = { settings = {
server = { server = {
@@ -69,43 +81,41 @@ in
passwordFile = "${toString config.sops.secrets."gitea_database_password".path}"; passwordFile = "${toString config.sops.secrets."gitea_database_password".path}";
}; };
}; };
# override umask to make permissions work out # override umask to make permissions work out
systemd.services.gitea.serviceConfig = { UMask = lib.mkForce "0007"; }; systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
};
# open firewall # open firewall
networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ]; networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ];
# internal reverse proxy entry # internal reverse proxy entry
services.nginx.virtualHosts."git.snowbelle.lan" = { services.nginx.virtualHosts."${cfg.url}" = {
enableACME = false;
forceSSL = true; forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path; sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path; sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}"; proxyPass = "http://127.0.0.1:${toString cfg.port}";
}; };
}; };
# external reverse proxy entry # external reverse proxy entry
services.nginx.virtualHosts."git.blakedheld.xyz" = { services.nginx.virtualHosts."git.blakedheld.xyz" = {
enableACME = true; useACME = true;
forceSSL = true; forceSSL = true;
# sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
# sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}"; proxyPass = "http://127.0.0.1:${toString cfg.port}";
}; };
}; };
sops.secrets = { sops.secrets = {
"gitea_database_password" = { "${service}_database_password" = {
owner = "gitea"; owner = "${service}";
group = "gitea"; group = "${service}";
# neededForUsers = true;
}; };
}; };
# add to backups # add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ]; modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
}; };
} }

82
modules/homelab/services/jellyfin/default.nix
View File

@@ -1,82 +0,0 @@
{ pkgs, config, lib, ... }:
let
cfg = config.modules.services.jellyfin;
ids = 701;
default_port = 8096;
data_dir = "/var/lib/jellyfin";
in
{
options.modules.services.jellyfin = {
enable = lib.mkEnableOption "enables jellyfin";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7101;
description = "set port for jellyfin (default: ${toString default_port}";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
};
};
config = lib.mkIf cfg.enable {
# declare jellyfin group
users.groups.jellyfin = { gid = ids; };
# declare jellyfin user
users.users.jellyfin = {
description = "jellyfin media server user";
uid = ids;
isSystemUser = true;
home = data_dir;
createHome = true;
group = "jellyfin";
extraGroups = [ "media" "video" "render" ];
};
# enable the jellyfin service
services.jellyfin = {
enable = true;
openFirewall = true; # Opens 8096/8920 automatically
user = "jellyfin"; # Default: jellyfin
group = "jellyfin"; # Default: jellyfin
dataDir = "/var/lib/jellyfin"; # Config + metadata storage
};
# override umask to make permissions work out
systemd.services.jellyfin.serviceConfig = { UMask = lib.mkForce "0007"; };
# open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."jellyfin.snowbelle.lan" = {
enableACME = false;
forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# external reverse proxy entry
services.nginx.virtualHosts."media.blakedheld.xyz" = {
enableACME = false;
forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
};
}

102
modules/homelab/services/qbittorrent/default.nix
View File

@@ -1,102 +0,0 @@
{ pkgs, config, lib, ... }:
let
cfg = config.modules.services.qbittorrent;
default_port = 8080;
data_dir = "/var/lib/qBittorrent";
ids = 2003;
vpn_inf = "enp89s0.69"; # vpn interfacve
in
{
options.modules.services.qbittorrent = {
enable = lib.mkEnableOption "enables qbittorrent";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7103;
description = "set port for qbittorrent (default: ${toString default_port}";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for qbittorrent";
};
};
config = lib.mkIf cfg.enable {
# declare qbittorrent group
users.groups.qbittorrent = { gid = ids; };
# declare qbittorrent user
users.users.qbittorrent = {
description = "qbittorrent server user";
uid = ids;
isSystemUser = true;
home = data_dir;
createHome = true;
group = "qbittorrent";
extraGroups = [ "media" ];
};
# enable the qbittorrent service
services.qbittorrent = {
enable = true;
openFirewall = true;
user = "qbittorrent";
group = "qbittorrent";
profileDir = data_dir;
webuiPort = cfg.port;
# torrentingPort = cfg.port;
};
# override umask to make permissions work out
systemd.services.qbittorrent = {
serviceConfig = {
UMask = lib.mkForce "0007";
};
};
networking.firewall.extraCommands = ''
iptables -F QBIT
iptables -X QBIT
iptables -N QBIT
iptables -A OUTPUT -m owner --uid-owner ${toString ids} -j QBIT
iptables -A QBIT -o ${vpn_inf} -j ACCEPT
iptables -A QBIT -p udp --dport 53 -o ${vpn_inf} -j ACCEPT
iptables -A QBIT -p tcp --dport 53 -o ${vpn_inf} -j ACCEPT
iptables -A QBIT -p tcp -d 127.0.0.1 --dport ${toString cfg.port} -j ACCEPT
iptables -A QBIT -p tcp -o enp89s0 -d 10.0.0.0/8 --dport ${toString cfg.port} -j ACCEPT
iptables -A QBIT -j DROP
'';
# ------------------------------------------------------------------------------
# # add systemd service to VPN network namespace
# vpnConfinement = {
# enable = true;
# vpnNamespace = "wgmex";
# };
# ------------------------------------------------------------------------------
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."qbit.snowbelle.lan" = {
enableACME = false;
forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
};
}

105
modules/homelab/services/vaultwarden/default.nix
View File

@@ -1,105 +0,0 @@
{ pkgs, config, lib, ... }:
let
cfg = config.modules.services.vaultwarden;
ids = 2771;
default_port = 8000;
data_dir = "/var/lib/vaultwarden";
domain = https://pass.blakedheld.xyz;
in
{
options.modules.services.vaultwarden = {
enable = lib.mkEnableOption "enables vaultwarden";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7701;
description = "set port for vaultwarden (default: ${toString default_port}";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for vaultwarden";
};
};
config = lib.mkIf cfg.enable {
# declare vaultwarden group
users.groups.vaultwarden = { gid = ids; };
# declare vaultwarden user
users.users.vaultwarden = {
description = "vaultwarden server user";
uid = ids;
isSystemUser = true;
home = "/var/lib/vaultwarden";
createHome = true;
group = "vaultwarden";
extraGroups = [ "media" ];
};
# enable the vaultwarden service
services.vaultwarden = {
enable = true;
config = {
DOMAIN = domain;
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = cfg.port;
SIGNUPS_ALLOWED = true;
# ADMIN_TOKEN = "yuh";
ADMIN_TOKEN = "${toString config.sops.secrets."vaultwarden_admin_token".path}";
EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "fido2-vault-credentials,autofill-overlay,autofill-v2,inline-menu-positioning-improvements,ssh-key-vault-item";
# The following flags are available:
# - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
# - "autofill-v2": Use the new autofill implementation.
# - "browser-fileless-import": Directly import credentials from other providers without a file.
# - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
# - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
# - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
# - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
# - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
};
};
# override umask to make permissions work out
systemd.services.vaultwarden.serviceConfig = { UMask = lib.mkForce "0007"; };
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."pass.snowbelle.lan" = {
enableACME = false;
forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# external reverse proxy entry
services.nginx.virtualHosts."pass.blakedheld.xyz" = {
enableACME = false;
forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
sops.secrets = {
"vaultwarden_admin_token" = {
owner = "vaultwarden";
group = "vaultwarden";
path = "/home/blake/.nix/.keyring/vaultwarden_admin_token";
};
};
# add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
};
}