diff --git a/hosts/snowbelle/configuration.nix b/hosts/snowbelle/configuration.nix index 3a310a4..77eb2e6 100644 --- a/hosts/snowbelle/configuration.nix +++ b/hosts/snowbelle/configuration.nix @@ -34,10 +34,10 @@ vaultwarden.enable = true; gitea.enable = true; qbittorrent.enable = true; - prowlarr.enable = true; - flaresolverr.enable = true; - bazarr.enable = true; - radarr.enable = true; + #prowlarr.enable = true; + #flaresolverr.enable = true; + #bazarr.enable = true; + #radarr.enable = true; sonarr.enable = true; }; }; @@ -45,7 +45,6 @@ # configure users & groups users = { blake.enable = true; # main user, home manager - groups.media = { gid = 700; }; # user for share permissions with mediastack defaultUserShell = pkgs.zsh; # the goat }; diff --git a/modules/homelab/default.nix b/modules/homelab/default.nix index edf3d40..c9afb81 100644 --- a/modules/homelab/default.nix +++ b/modules/homelab/default.nix 
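Review bot: The second hunk drops `groups.media = { gid = 700; }` from the host, but its replacement in modules/homelab/default.nix is created only under `lib.mkIf cfg.enable`, and nothing in this file sets `modules.homelab.enable`. The sonarr module that stays imported (and the copies under arr.bak) still place their service user in `extraGroups = [ "media" ]`, so on this host the group will be missing unless the homelab module is enabled elsewhere. Either keep this line until that module is switched on, or add `modules.homelab.enable = true;` in the same change. The `users = { … }` block continues outside the hunk.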
@@ -1,17 +1,48 @@ { pkgs, config, lib, ... }: + +let + cfg = config.modules.homelab; +in { + options.modules.homelab = { + enable = lib.mkEnableOption "enable homelab services and configuration" + media_user = lib.mkOption = { + default = "media"; + type = lib.types.str; + description = "user for media file permissions"; + }; + media_group = lib.mkOption = { + default = "media"; + type = lib.types.str; + description = "group for media file permissions"; + }; + tz = lib.mkOption = { + default = "America/Chicago"; + type = lib.types.str; + description = "set timezone"; + }; + base_domain = lib.mkOption = { + default = "snowbelle.lan"; + type = lib.types.str; + description = "base domain used for reverse proxy"; + }; + }; + imports = [ - ./zfs.nix - ./smb.nix - ./nfs.nix - ./nginx-proxy.nix - ./services/default.nix + ./services ]; - modules.homelab.zfs.enable = lib.mkDefault false; - modules.homelab.smb.enable = lib.mkDefault false; - modules.homelab.nfs.enable = lib.mkDefault false; - modules.homelab.nginx-proxy.enable = lib.mkDefault false; - + config = lib.mkIf cfg.enable { + users = { + groups.${cfg.group} = { + gid = 700; + }; + users.${cfg.user} = { + uid = 700; + isSystemUser = true; + group = cfg.group; + }; + }; +} } diff --git a/modules/homelab/services/arr.bak/bazarr/default.nix b/modules/homelab/services/arr.bak/bazarr/default.nix new file mode 100644 index 0000000..d93c3db --- /dev/null +++ b/modules/homelab/services/arr.bak/bazarr/default.nix 
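Review bot: The new `options.modules.homelab` block does not parse: `lib.mkOption = { … }` is an attribute assignment rather than a call (it must be `lib.mkOption { … };`), the `enable = lib.mkEnableOption "…"` line lacks its `;`, and the `config = lib.mkIf cfg.enable { … }` attribute has no `;` before the file's closing `}`. The `config` body also reads `cfg.group` and `cfg.user`, which are never declared — the options added just above are `media_group` and `media_user` — so even once it parses it fails on a missing attribute. The corrected shape of the option and config sections is below; `media_group`, `tz` and `base_domain` follow the same `lib.mkOption { … };` form as `media_user`.
```nix
  options.modules.homelab = {
    enable = lib.mkEnableOption "enable homelab services and configuration";
    media_user = lib.mkOption {
      default = "media";
      type = lib.types.str;
      description = "user for media file permissions";
    };
    # … unchanged: media_group, tz, base_domain declared the same way …
  };
  # … unchanged: imports …
  config = lib.mkIf cfg.enable {
    users = {
      groups.${cfg.media_group} = {
        gid = 700;
      };
      users.${cfg.media_user} = {
        uid = 700;
        isSystemUser = true;
        group = cfg.media_group;
      };
    };
  };
```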
@@ -0,0 +1,74 @@
+{ pkgs, config, lib, ... }:
+
+let
+ cfg = config.modules.services.bazarr;
+ ids = 2706;
+ default_port = 6767;
+ data_dir = "/var/lib/bazarr";
+in
+{
+ options.modules.services.bazarr = {
+ enable = lib.mkEnableOption "enables bazarr";
+
+ # set port options
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 7106;
+ description = "set port for bazarr (default: ${toString default_port}";
+ };
+
+ backup = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "enable backups for bazarr";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ # declare bazarr group
+ users.groups.bazarr = { gid = ids; };
+
+ # declare bazarr user
+ users.users.bazarr = {
+ description = "bazarr server user";
+ uid = ids;
+ isSystemUser = true;
+ home = "/var/lib/bazarr";
+ createHome = false;
+ group = "bazarr";
+ extraGroups = [ "media" ];
+ };
+
+ # enable the bazarr service
+ services.bazarr = {
+ enable = true;
+ openFirewall = true;
+ user = "bazarr";
+ group = "bazarr";
+ listenPort = cfg.port;
+ };
+
+ # override systemd service
+ systemd.services.bazarr.serviceConfig = {
+ UMask = lib.mkForce "0007";
+ };
+
+# # open firewall
+# networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+ # internal reverse proxy entry
+ services.nginx.virtualHosts."bazarr.snowbelle.lan" = {
+ enableACME = false;
+ forceSSL = true;
+ sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+ sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ };
+ };
+
+ # add to backups
+ modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
+ };
+}
diff --git a/modules/homelab/services/arr.bak/flaresolverr/default.nix b/modules/homelab/services/arr.bak/flaresolverr/default.nix
new file mode 100644
index 0000000..eebbe1c
--- /dev/null
+++ b/modules/homelab/services/arr.bak/flaresolverr/default.nix
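Review bot: `openFirewall = true` in `services.bazarr` exposes the plain-HTTP listen port to the network, while the nginx virtual host below is the TLS front end that proxies to `127.0.0.1`; the commented-out `networking.firewall.allowedTCPPorts` lines suggest the raw port was not meant to be reachable directly, so `openFirewall = false;` (the nixpkgs default) leaves nginx as the only path in. The `port` option's description has an unclosed parenthesis and reports `default_port` (6767) while the option actually defaults to 7106; `description = "set port for bazarr (default: ${toString default_port})";` fixes the string, and the two numbers should be reconciled deliberately. The same three issues appear in the flaresolverr, prowlarr and radarr files added in this commit and in the sonarr `default_temp.nix`. These copies live under `arr.bak/` and are not imported by modules/homelab/services/default.nix, so they are dormant for now.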
@@ -0,0 +1,68 @@
+{ pkgs, config, lib, ... }:
+
+let
+ cfg = config.modules.services.flaresolverr;
+ ids = 2008;
+ default_port = 8189;
+in
+{
+ options.modules.services.flaresolverr = {
+ enable = lib.mkEnableOption "enables flaresolverr";
+
+ # set port options
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 7105;
+ description = "set port for flaresolverr (default: ${toString default_port}";
+ };
+
+ backup = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "enable backups for flaresolverr";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ # declare flaresolverr group
+ users.groups.flaresolverr = { gid = ids; };
+
+ # declare flaresolverr user
+ users.users.flaresolverr = {
+ description = "flaresolverr server user";
+ uid = ids;
+ isSystemUser = true;
+ createHome = false;
+ group = "flaresolverr";
+ extraGroups = [];
+ };
+
+ # enable the flaresolverr service
+ services.flaresolverr = {
+ enable = true;
+ openFirewall = true;
+ port = cfg.port;
+ };
+
+ # override umask to make permissions work out
+ systemd.services.flaresolverr.serviceConfig = {
+ User = "flaresolverr";
+ Group = "flaresolverr";
+ };
+
+# # open firewall
+# networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+ # internal reverse proxy entry
+ services.nginx.virtualHosts."flaresolverr.snowbelle.lan" = {
+ enableACME = false;
+ forceSSL = true;
+ sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+ sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ };
+ };
+ };
+}
diff --git a/modules/homelab/services/arr.bak/prowlarr/default.nix b/modules/homelab/services/arr.bak/prowlarr/default.nix
new file mode 100644
index 0000000..4cd2f27
--- /dev/null
+++ b/modules/homelab/services/arr.bak/prowlarr/default.nix
@@ -0,0 +1,76 @@
+{ pkgs, config, lib, ... }:
+
+let
+ cfg = config.modules.services.prowlarr;
+ ids = 2004;
+ default_port = 9696;
+ data_dir = "/var/lib/private";
+in
+{
+ options.modules.services.prowlarr = {
+ enable = lib.mkEnableOption "enables prowlarr";
+
+ # set port options
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 7104;
+ description = "set port for prowlarr (default: ${toString default_port}";
+ };
+
+ backup = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "enable backups for prowlarr";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ # declare prowlarr group
+ users.groups.prowlarr = { gid = ids; };
+
+ # declare prowlarr user
+ users.users.prowlarr = {
+ description = "prowlarr server user";
+ uid = ids;
+ isSystemUser = true;
+ home = "/var/lib/prowlarr";
+ createHome = true;
+ group = "prowlarr";
+ extraGroups = [ "media" ];
+ };
+
+ # enable the prowlarr service
+ services.prowlarr = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ server.port = cfg.port;
+ };
+ };
+
+ # override umask to make permissions work out
+ systemd.services.prowlarr.serviceConfig = {
+ UMask = lib.mkForce "0007";
+ User = "prowlarr";
+ Group = "prowlarr";
+ };
+
+# # open firewall
+# networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+ # internal reverse proxy entry
+ services.nginx.virtualHosts."prowlarr.snowbelle.lan" = {
+ enableACME = false;
+ forceSSL = true;
+ sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+ sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ };
+ };
+
+ # add to backups
+ modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
+ };
+}
diff --git a/modules/homelab/services/arr.bak/radarr/default.nix b/modules/homelab/services/arr.bak/radarr/default.nix
new file mode 100644
index 0000000..b91a418
--- /dev/null
+++ b/modules/homelab/services/arr.bak/radarr/default.nix
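Review bot: `data_dir = "/var/lib/private"` makes the backup path the whole systemd DynamicUser state root rather than prowlarr's own directory, so `modules.system.backups.paths` would sweep up every other dynamic-user service's state (databases, API keys) along with prowlarr's. Point it at the service directory instead: `data_dir = "/var/lib/private/prowlarr";` if the service keeps DynamicUser, or `/var/lib/prowlarr` to match the `home` set for the user above. The explicit `User`/`Group` overrides in `serviceConfig` and `createHome = true` on `/var/lib/prowlarr` suggest the latter was intended — confirm which directory the nixpkgs `services.prowlarr` module actually writes to before picking.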
@@ -0,0 +1,75 @@
+{ pkgs, config, lib, ... }:
+
+let
+ cfg = config.modules.services.radarr;
+ ids = lib.mkForce 2006;
+ default_port = 7878;
+ data_dir = "/var/lib/radarr";
+in
+{
+ options.modules.services.radarr = {
+ enable = lib.mkEnableOption "enables radarr";
+
+ # set port options
+ port = lib.mkOption {
+ type = lib.types.int;
+ default = 7108;
+ description = "set port for radarr (default: ${toString default_port}";
+ };
+
+ backup = lib.mkOption {
+ type = lib.types.bool;
+ default = true;
+ description = "enable backups for radarr";
+ };
+ };
+
+ config = lib.mkIf cfg.enable {
+
+ # declare radarr group
+ users.groups.radarr = { gid = ids; };
+
+ # declare radarr user
+ users.users.radarr = {
+ description = "radarr server user";
+ uid = ids;
+ isSystemUser = true;
+ home = "/var/lib/radarr";
+ createHome = true;
+ group = "radarr";
+ extraGroups = [ "media" ];
+ };
+
+ # enable the radarr service
+ services.radarr = {
+ enable = true;
+ openFirewall = true;
+ user = "radarr";
+ group = "radarr";
+ dataDir = data_dir;
+ settings = {
+ server.port = cfg.port;
+ };
+ };
+
+ # override umask to make permissions work out
+ systemd.services.radarr.serviceConfig = { UMask = lib.mkForce "0007"; };
+
+# # open firewall
+# networking.firewall.allowedTCPPorts = [ cfg.port ];
+
+ # internal reverse proxy entry
+ services.nginx.virtualHosts."radarr.snowbelle.lan" = {
+ enableACME = false;
+ forceSSL = true;
+ sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
+ sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString cfg.port}";
+ };
+ };
+
+ # add to backups
+ modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
+ };
+}
diff --git a/modules/homelab/services/arr/sonarr/default.nix b/modules/homelab/services/arr.bak/sonarr/default.nix similarity index 100% rename from modules/homelab/services/arr/sonarr/default.nix rename to modules/homelab/services/arr.bak/sonarr/default.nix diff --git a/modules/homelab/services/arr/sonarr/default_temp.nix b/modules/homelab/services/arr/sonarr/default_temp.nix new file mode 100644 index 0000000..51fe1c1 --- /dev/null +++ b/modules/homelab/services/arr/sonarr/default_temp.nix 
@@ -0,0 +1,90 @@ +{ pkgs, config, lib, ... }: + +let + service = "sonarr"; + cfg = config.modules.services.${service}; + sec = config.sops.secrets; + homelab = config.homelab; +in +{ + options.modules.services.${service} = { + enable = lib.mkEnableOption "enables ${service}"; + + # set port options + port = lib.mkOption { + type = lib.types.int; + default = 7107; + description = "set port for ${service} (default: ${toString default_port}"; + }; + url = lib.mkOption { + type = lib.types.str; + default = "${service}.${homelab.basedomain}"; + description = "set domain for ${service} reverse proxy entry"; + }; + data_dir = lib.mkOption { + type = lib.types.str; + default = "/var/lib/${service}"; + description = "set data directory for ${service}"; + }; + ids = lib.mkOption { + type = lib.types.int; + default = ${port}; + description = "set uid and pid of ${service} user (matches port by default)"; + }; + backup = lib.mkOption { + type = lib.types.bool; + default = true; + description = "enable backups for ${service}"; + }; + }; + + config = lib.mkIf cfg.enable { + + # declare ${service} group + users.groups.${service} = { gid = cfg.ids; }; + + # declare ${service} user + users.users.${service} = { + description = "${service} server user"; + uid = cfg.ids; + isSystemUser = true; + home = cfg.data_dir; + createHome = true; + group = "${service}"; + extraGroups = [ "media" ]; + }; + + # enable the ${service} service + services.${service} = { + enable = true; + openFirewall = true; + user = "${service}"; + group = "${service}"; + dataDir = cfg.data_dir; + settings = { + server.port = cfg.port; + }; + }; + + # override umask to make permissions work out + systemd.services.${service}.serviceConfig = { + UMask = lib.mkForce "0007"; + }; + +# # open firewall +# networking.firewall.allowedTCPPorts = [ cfg.port ]; + + # internal reverse proxy entry + services.nginx.virtualHosts."${url}" = { + forceSSL = true; + sslCertificate = sec."ssl_blakedheld_crt".path; + sslCertificateKey 
= sec."ssl_blakedheld_key".path; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString cfg.port}"; + }; + }; + + # add to backups + modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ]; + }; +} diff --git a/modules/homelab/services/default.nix b/modules/homelab/services/default.nix index 7b9b078..4d8cde1 100644 --- a/modules/homelab/services/default.nix +++ b/modules/homelab/services/default.nix @@ -4,25 +4,15 @@ { imports = [ - ./jellyfin/default.nix - ./vaultwarden/default.nix - ./gitea/default.nix - ./qbittorrent/default.nix - ./arr/prowlarr/default.nix - ./arr/flaresolverr/default.nix - ./arr/bazarr/default.nix - ./arr/sonarr/default.nix - ./arr/radarr/default.nix +# ./jellyfin +# ./vaultwarden +# ./gitea +# ./qbittorrent +# ./arr/prowlarr +# ./arr/flaresolverr +# ./arr/bazarr + ./arr/sonarr +# ./arr/radarr ]; - - modules.services.jellyfin.enable = lib.mkDefault false; - modules.services.vaultwarden.enable = lib.mkDefault false; - modules.services.gitea.enable = lib.mkDefault false; - modules.services.qbittorrent.enable = lib.mkDefault false; - modules.services.prowlarr.enable = lib.mkDefault false; - modules.services.flaresolverr.enable = lib.mkDefault false; - modules.services.bazarr.enable = lib.mkDefault false; - modules.services.sonarr.enable = lib.mkDefault false; - modules.services.radarr.enable = lib.mkDefault false; } diff --git a/modules/homelab/services/default_temp.nix b/modules/homelab/services/default_temp.nix index 3040285..168c0a7 100644 --- a/modules/homelab/services/default_temp.nix +++ b/modules/homelab/services/default_temp.nix 
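Review bot: `default = ${port};` in the `ids` option is not valid Nix outside a string, and the `port` description interpolates `default_port`, which this file's `let` never binds, so the sonarr module fails to parse and then to evaluate before any option is read. Three more names are off: `homelab = config.homelab` should be `config.modules.homelab` and the option declared there is `base_domain`, not `basedomain`; `virtualHosts."${url}"` refers to a `url` that is not in scope and needs `cfg.url`; and the description's parenthesis is unclosed. The `ids` default should reference the sibling option as `cfg.port` rather than `${port}`. The template in modules/homelab/services/default_temp.nix carries the same `${port}`, `config.homelab`, `${url}` and description defects.
```nix
let
  service = "sonarr";
  cfg = config.modules.services.${service};
  sec = config.sops.secrets;
  homelab = config.modules.homelab;
  default_port = 8989; # upstream sonarr default, shown in the port description
in
    # … unchanged: enable …
    port = lib.mkOption {
      type = lib.types.int;
      default = 7107;
      description = "set port for ${service} (default: ${toString default_port})";
    };
    url = lib.mkOption {
      type = lib.types.str;
      default = "${service}.${homelab.base_domain}";
      description = "set domain for ${service} reverse proxy entry";
    };
    # … unchanged: data_dir …
    ids = lib.mkOption {
      type = lib.types.int;
      default = cfg.port;
      description = "set uid and pid of ${service} user (matches port by default)";
    };
    # … unchanged: backup, users, services, systemd …
    services.nginx.virtualHosts.${cfg.url} = {
```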
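Review bot: `imports = [ ./arr/sonarr ];` resolves to `./arr/sonarr/default.nix`, but this commit renames that file to `arr.bak/sonarr/default.nix` and adds only `arr/sonarr/default_temp.nix`, so the directory has no `default.nix` and evaluation fails at the import. Either rename `default_temp.nix` back to `default.nix` or import it explicitly: `./arr/sonarr/default_temp.nix`. Commenting out the jellyfin, vaultwarden, gitea and qbittorrent imports also removes their `modules.services.*.enable` option declarations, while hosts/snowbelle/configuration.nix in this same commit still sets `vaultwarden.enable = true`, `gitea.enable = true` and `qbittorrent.enable = true` (presumably under `modules.services`), which the module system will reject as undefined options.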
@@ -1,96 +1,108 @@ { pkgs, config, lib, ... }: let - cfg = config.modules.services.; - ids = ; - default_port = ; - data_dir = "/var/lib/"; + service = ""; + cfg = config.modules.services.${service}; + sec = config.sops.secrets; + homelab = config.homelab; in { - options.modules.services. = { - enable = lib.mkEnableOption "enables "; + options.modules.services.${service} = { + enable = lib.mkEnableOption "enables ${service}"; # set port options port = lib.mkOption { type = lib.types.int; default = ; - description = "set port for (default: ${toString default_port}"; + description = "set port for ${service} (default: ${toString default_port}"; + }; + url = lib.mkOption { + type = lib.types.str; + default = "${service}.${homelab.basedomain}"; + description = "set domain for ${service}"; + }; + data_dir = lib.mkOption { + type = lib.types.str; + default = "/var/lib/${service}"; + description = "set data directory for ${service}"; + }; + ids = lib.mkOption { + type = lib.types.int; + default = ${port}; + description = "set uid and pid of ${service} user (matches port by default)"; }; - backup = lib.mkOption { type = lib.types.bool; default = true; - description = "enable backups for "; + description = "enable backups for ${service}"; }; }; config = lib.mkIf cfg.enable { - # declare group - users.groups. = { gid = ids; }; + # declare ${service} group + users.groups.${service} = { gid = cfg.ids; }; - # declare user - users.users. = { - description = " server user"; - uid = ids; + # declare ${service} user + users.users.${service} = { + description = "${service} server user"; + uid = cfg.ids; isSystemUser = true; - home = "/var/lib/"; + home = cfg.data_dir; createHome = true; - group = ""; + group = "${service}"; extraGroups = [ "media" ]; }; - # enable the service - services. 
= { + # enable the ${service} service + services.${service} = { enable = true; openFirewall = true; - user = ""; - group = ""; - dataDir = data_dir; + user = "${service}"; + group = "${service}"; + dataDir = cfg.data_dir; settings = { server.port = cfg.port; }; }; # override umask to make permissions work out - systemd.services..serviceConfig = { + systemd.services.${service}.serviceConfig = { UMask = lib.mkForce "0007"; -# User = ""; -# Group = ""; +# User = "${service}"; +# Group = "${service}"; }; # # open firewall # networking.firewall.allowedTCPPorts = [ cfg.port ]; # internal reverse proxy entry - services.nginx.virtualHosts.".snowbelle.lan" = { - enableACME = false; + services.nginx.virtualHosts."${url}" = { forceSSL = true; - sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path; - sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path; + sslCertificate = sec."ssl_blakedheld_crt".path; + sslCertificateKey = sec."ssl_blakedheld_key".path; locations."/" = { proxyPass = "http://127.0.0.1:${toString cfg.port}"; }; }; # # external reverse proxy entry -# services.nginx.virtualHosts.".blakedheld.xyz" = { -# enableACME = false; +# services.nginx.virtualHosts."${service}.blakedheld.xyz" = { # forceSSL = true; -# sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path; -# sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path; +# sslCertificate = sec."ssl_blakedheld_crt".path; +# sslCertificateKey = sec."ssl_blakedheld_key".path; # locations."/" = { # proxyPass = "http://127.0.0.1:${toString cfg.port}"; # }; # }; sops.secrets = { - "_" = { - owner = ""; - group = ""; + "${service}_" = { + owner = "${service}"; + group = "${service}"; }; }; # add to backups - modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ]; + modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ]; }; }