blake/nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

big restructure, wrappers

Browse Source
This commit is contained in:
blake
2025-10-09 11:36:06 -05:00
parent 15b31a51ec
commit 8194729e4e
10 changed files with 486 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

51
modules/homelab/default.nix
View File

@@ -1,17 +1,48 @@
{ pkgs, config, lib, ... }:
let
cfg = config.modules.homelab;
in
{
options.modules.homelab = {
enable = lib.mkEnableOption "enable homelab services and configuration"
media_user = lib.mkOption = {
default = "media";
type = lib.types.str;
description = "user for media file permissions";
};
media_group = lib.mkOption = {
default = "media";
type = lib.types.str;
description = "group for media file permissions";
};
tz = lib.mkOption = {
default = "America/Chicago";
type = lib.types.str;
description = "set timezone";
};
base_domain = lib.mkOption = {
default = "snowbelle.lan";
type = lib.types.str;
description = "base domain used for reverse proxy";
};
};
imports = [
./zfs.nix
./smb.nix
./nfs.nix
./nginx-proxy.nix
./services/default.nix
./services
];
modules.homelab.zfs.enable = lib.mkDefault false;
modules.homelab.smb.enable = lib.mkDefault false;
modules.homelab.nfs.enable = lib.mkDefault false;
modules.homelab.nginx-proxy.enable = lib.mkDefault false;
config = lib.mkIf cfg.enable {
users = {
groups.${cfg.group} = {
gid = 700;
};
users.${cfg.user} = {
uid = 700;
isSystemUser = true;
group = cfg.group;
};
};
}
}

74
modules/homelab/services/arr.bak/bazarr/default.nix Normal file
View File

@@ -0,0 +1,74 @@
{ pkgs, config, lib, ... }:
let
cfg = config.modules.services.bazarr;
ids = 2706;
default_port = 6767;
data_dir = "/var/lib/bazarr";
in
{
options.modules.services.bazarr = {
enable = lib.mkEnableOption "enables bazarr";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7106;
description = "set port for bazarr (default: ${toString default_port}";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for bazarr";
};
};
config = lib.mkIf cfg.enable {
# declare bazarr group
users.groups.bazarr = { gid = ids; };
# declare bazarr user
users.users.bazarr = {
description = "bazarr server user";
uid = ids;
isSystemUser = true;
home = "/var/lib/bazarr";
createHome = false;
group = "bazarr";
extraGroups = [ "media" ];
};
# enable the bazarr service
services.bazarr = {
enable = true;
openFirewall = true;
user = "bazarr";
group = "bazarr";
listenPort = cfg.port;
};
# override systemd service
systemd.services.bazarr.serviceConfig = {
UMask = lib.mkForce "0007";
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."bazarr.snowbelle.lan" = {
enableACME = false;
forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
};
}

68
modules/homelab/services/arr.bak/flaresolverr/default.nix Normal file
View File

@@ -0,0 +1,68 @@
{ pkgs, config, lib, ... }:
let
cfg = config.modules.services.flaresolverr;
ids = 2008;
default_port = 8189;
in
{
options.modules.services.flaresolverr = {
enable = lib.mkEnableOption "enables flaresolverr";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7105;
description = "set port for flaresolverr (default: ${toString default_port}";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for flaresolverr";
};
};
config = lib.mkIf cfg.enable {
# declare flaresolverr group
users.groups.flaresolverr = { gid = ids; };
# declare flaresolverr user
users.users.flaresolverr = {
description = "flaresolverr server user";
uid = ids;
isSystemUser = true;
createHome = false;
group = "flaresolverr";
extraGroups = [];
};
# enable the flaresolverr service
services.flaresolverr = {
enable = true;
openFirewall = true;
port = cfg.port;
};
# override umask to make permissions work out
systemd.services.flaresolverr.serviceConfig = {
User = "flaresolverr";
Group = "flaresolverr";
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."flaresolverr.snowbelle.lan" = {
enableACME = false;
forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
};
}

76
modules/homelab/services/arr.bak/prowlarr/default.nix Normal file
View File

@@ -0,0 +1,76 @@
{ pkgs, config, lib, ... }:
let
cfg = config.modules.services.prowlarr;
ids = 2004;
default_port = 9696;
data_dir = "/var/lib/private";
in
{
options.modules.services.prowlarr = {
enable = lib.mkEnableOption "enables prowlarr";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7104;
description = "set port for prowlarr (default: ${toString default_port}";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for prowlarr";
};
};
config = lib.mkIf cfg.enable {
# declare prowlarr group
users.groups.prowlarr = { gid = ids; };
# declare prowlarr user
users.users.prowlarr = {
description = "prowlarr server user";
uid = ids;
isSystemUser = true;
home = "/var/lib/prowlarr";
createHome = true;
group = "prowlarr";
extraGroups = [ "media" ];
};
# enable the prowlarr service
services.prowlarr = {
enable = true;
openFirewall = true;
settings = {
server.port = cfg.port;
};
};
# override umask to make permissions work out
systemd.services.prowlarr.serviceConfig = {
UMask = lib.mkForce "0007";
User = "prowlarr";
Group = "prowlarr";
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."prowlarr.snowbelle.lan" = {
enableACME = false;
forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
};
}

75
modules/homelab/services/arr.bak/radarr/default.nix Normal file
View File

@@ -0,0 +1,75 @@
{ pkgs, config, lib, ... }:
let
cfg = config.modules.services.radarr;
ids = lib.mkForce 2006;
default_port = 7878;
data_dir = "/var/lib/radarr";
in
{
options.modules.services.radarr = {
enable = lib.mkEnableOption "enables radarr";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7108;
description = "set port for radarr (default: ${toString default_port}";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for radarr";
};
};
config = lib.mkIf cfg.enable {
# declare radarr group
users.groups.radarr = { gid = ids; };
# declare radarr user
users.users.radarr = {
description = "radarr server user";
uid = ids;
isSystemUser = true;
home = "/var/lib/radarr";
createHome = true;
group = "radarr";
extraGroups = [ "media" ];
};
# enable the radarr service
services.radarr = {
enable = true;
openFirewall = true;
user = "radarr";
group = "radarr";
dataDir = data_dir;
settings = {
server.port = cfg.port;
};
};
# override umask to make permissions work out
systemd.services.radarr.serviceConfig = { UMask = lib.mkForce "0007"; };
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."radarr.snowbelle.lan" = {
enableACME = false;
forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
};
}

0
modules/homelab/services/arr/sonarr/default.nix → modules/homelab/services/arr.bak/sonarr/default.nix
View File

90
modules/homelab/services/arr/sonarr/default_temp.nix Normal file
View File

@@ -0,0 +1,90 @@
{ pkgs, config, lib, ... }:
let
service = "sonarr";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7107;
description = "set port for ${service} (default: ${toString default_port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${homelab.basedomain}";
description = "set domain for ${service} reverse proxy entry";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = ${port};
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = "${service}";
extraGroups = [ "media" ];
};
# enable the ${service} service
services.${service} = {
enable = true;
openFirewall = true;
user = "${service}";
group = "${service}";
dataDir = cfg.data_dir;
settings = {
server.port = cfg.port;
};
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
};
}

28
modules/homelab/services/default.nix
View File

@@ -4,25 +4,15 @@
{
imports = [
./jellyfin/default.nix
./vaultwarden/default.nix
./gitea/default.nix
./qbittorrent/default.nix
./arr/prowlarr/default.nix
./arr/flaresolverr/default.nix
./arr/bazarr/default.nix
./arr/sonarr/default.nix
./arr/radarr/default.nix
# ./jellyfin
# ./vaultwarden
# ./gitea
# ./qbittorrent
# ./arr/prowlarr
# ./arr/flaresolverr
# ./arr/bazarr
./arr/sonarr
# ./arr/radarr
];
modules.services.jellyfin.enable = lib.mkDefault false;
modules.services.vaultwarden.enable = lib.mkDefault false;
modules.services.gitea.enable = lib.mkDefault false;
modules.services.qbittorrent.enable = lib.mkDefault false;
modules.services.prowlarr.enable = lib.mkDefault false;
modules.services.flaresolverr.enable = lib.mkDefault false;
modules.services.bazarr.enable = lib.mkDefault false;
modules.services.sonarr.enable = lib.mkDefault false;
modules.services.radarr.enable = lib.mkDefault false;
}

86
modules/homelab/services/default_temp.nix
View File

@@ -1,96 +1,108 @@
{ pkgs, config, lib, ... }:
let
cfg = config.modules.services.<service_name>;
ids = <gid_and_uid_number>;
default_port = <port_number>;
data_dir = "/var/lib/<service_name>";
service = "";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.homelab;
in
{
options.modules.services.<service_name> = {
enable = lib.mkEnableOption "enables <service_name>";
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = <port>;
description = "set port for <service_name> (default: ${toString default_port}";
description = "set port for ${service} (default: ${toString default_port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${homelab.basedomain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = ${port};
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for <service_name>";
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare <service_name> group
users.groups.<service_name> = { gid = ids; };
# declare ${service} group
users.groups.${service} = { gid = cfg.ids; };
# declare <service_name> user
users.users.<service_name> = {
description = "<service_name> server user";
uid = ids;
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = cfg.ids;
isSystemUser = true;
home = "/var/lib/<service_name>";
home = cfg.data_dir;
createHome = true;
group = "<service_name>";
group = "${service}";
extraGroups = [ "media" ];
};
# enable the <service_name> service
services.<service_name> = {
# enable the ${service} service
services.${service} = {
enable = true;
openFirewall = true;
user = "<service_name>";
group = "<service_name>";
dataDir = data_dir;
user = "${service}";
group = "${service}";
dataDir = cfg.data_dir;
settings = {
server.port = cfg.port;
};
};
# override umask to make permissions work out
systemd.services.<service_name>.serviceConfig = {
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
# User = "<service_name>";
# Group = "<service_name>";
# User = "${service}";
# Group = "${service}";
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."<service_name>.snowbelle.lan" = {
enableACME = false;
services.nginx.virtualHosts."${url}" = {
forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# # external reverse proxy entry
# services.nginx.virtualHosts."<service_name>.blakedheld.xyz" = {
# enableACME = false;
# services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
# forceSSL = true;
# sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
# sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
# sslCertificate = sec."ssl_blakedheld_crt".path;
# sslCertificateKey = sec."ssl_blakedheld_key".path;
# locations."/" = {
# proxyPass = "http://127.0.0.1:${toString cfg.port}";
# };
# };
sops.secrets = {
"<service_name>_" = {
owner = "<service_name>";
group = "<service_name>";
"${service}_" = {
owner = "${service}";
group = "${service}";
};
};
# add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
};
}