blake/nix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

big restructure, wrappers

Browse Source
This commit is contained in:
blake
2025-10-09 11:36:06 -05:00
parent 15b31a51ec
commit 8194729e4e
10 changed files with 486 additions and 71 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
hosts/snowbelle/configuration.nix
View File

@@ -34,10 +34,10 @@
vaultwarden.enable = true; vaultwarden.enable = true;
gitea.enable = true; gitea.enable = true;
qbittorrent.enable = true; qbittorrent.enable = true;
prowlarr.enable = true; #prowlarr.enable = true;
flaresolverr.enable = true; #flaresolverr.enable = true;
bazarr.enable = true; #bazarr.enable = true;
radarr.enable = true; #radarr.enable = true;
sonarr.enable = true; sonarr.enable = true;
}; };
}; };
@@ -45,7 +45,6 @@
# configure users & groups # configure users & groups
users = { users = {
blake.enable = true; # main user, home manager blake.enable = true; # main user, home manager
groups.media = { gid = 700; }; # user for share permissions with mediastack
defaultUserShell = pkgs.zsh; # the goat defaultUserShell = pkgs.zsh; # the goat
}; };

51
modules/homelab/default.nix
View File

@@ -1,17 +1,48 @@
{ pkgs, config, lib, ... }: { pkgs, config, lib, ... }:
let
cfg = config.modules.homelab;
in
{ {
options.modules.homelab = {
enable = lib.mkEnableOption "enable homelab services and configuration"
media_user = lib.mkOption = {
default = "media";
type = lib.types.str;
description = "user for media file permissions";
};
media_group = lib.mkOption = {
default = "media";
type = lib.types.str;
description = "group for media file permissions";
};
tz = lib.mkOption = {
default = "America/Chicago";
type = lib.types.str;
description = "set timezone";
};
base_domain = lib.mkOption = {
default = "snowbelle.lan";
type = lib.types.str;
description = "base domain used for reverse proxy";
};
};
imports = [ imports = [
./zfs.nix ./services
./smb.nix
./nfs.nix
./nginx-proxy.nix
./services/default.nix
]; ];
modules.homelab.zfs.enable = lib.mkDefault false; config = lib.mkIf cfg.enable {
modules.homelab.smb.enable = lib.mkDefault false; users = {
modules.homelab.nfs.enable = lib.mkDefault false; groups.${cfg.group} = {
modules.homelab.nginx-proxy.enable = lib.mkDefault false; gid = 700;
};
users.${cfg.user} = {
uid = 700;
isSystemUser = true;
group = cfg.group;
};
};
}
} }

74
modules/homelab/services/arr.bak/bazarr/default.nix Normal file
View File

@@ -0,0 +1,74 @@
{ pkgs, config, lib, ... }:
let
cfg = config.modules.services.bazarr;
ids = 2706;
default_port = 6767;
data_dir = "/var/lib/bazarr";
in
{
options.modules.services.bazarr = {
enable = lib.mkEnableOption "enables bazarr";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7106;
description = "set port for bazarr (default: ${toString default_port}";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for bazarr";
};
};
config = lib.mkIf cfg.enable {
# declare bazarr group
users.groups.bazarr = { gid = ids; };
# declare bazarr user
users.users.bazarr = {
description = "bazarr server user";
uid = ids;
isSystemUser = true;
home = "/var/lib/bazarr";
createHome = false;
group = "bazarr";
extraGroups = [ "media" ];
};
# enable the bazarr service
services.bazarr = {
enable = true;
openFirewall = true;
user = "bazarr";
group = "bazarr";
listenPort = cfg.port;
};
# override systemd service
systemd.services.bazarr.serviceConfig = {
UMask = lib.mkForce "0007";
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."bazarr.snowbelle.lan" = {
enableACME = false;
forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
};
}

68
modules/homelab/services/arr.bak/flaresolverr/default.nix Normal file
View File

@@ -0,0 +1,68 @@
{ pkgs, config, lib, ... }:
let
cfg = config.modules.services.flaresolverr;
ids = 2008;
default_port = 8189;
in
{
options.modules.services.flaresolverr = {
enable = lib.mkEnableOption "enables flaresolverr";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7105;
description = "set port for flaresolverr (default: ${toString default_port}";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for flaresolverr";
};
};
config = lib.mkIf cfg.enable {
# declare flaresolverr group
users.groups.flaresolverr = { gid = ids; };
# declare flaresolverr user
users.users.flaresolverr = {
description = "flaresolverr server user";
uid = ids;
isSystemUser = true;
createHome = false;
group = "flaresolverr";
extraGroups = [];
};
# enable the flaresolverr service
services.flaresolverr = {
enable = true;
openFirewall = true;
port = cfg.port;
};
# override umask to make permissions work out
systemd.services.flaresolverr.serviceConfig = {
User = "flaresolverr";
Group = "flaresolverr";
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."flaresolverr.snowbelle.lan" = {
enableACME = false;
forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
};
}

76
modules/homelab/services/arr.bak/prowlarr/default.nix Normal file
View File

@@ -0,0 +1,76 @@
{ pkgs, config, lib, ... }:
let
cfg = config.modules.services.prowlarr;
ids = 2004;
default_port = 9696;
data_dir = "/var/lib/private";
in
{
options.modules.services.prowlarr = {
enable = lib.mkEnableOption "enables prowlarr";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7104;
description = "set port for prowlarr (default: ${toString default_port}";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for prowlarr";
};
};
config = lib.mkIf cfg.enable {
# declare prowlarr group
users.groups.prowlarr = { gid = ids; };
# declare prowlarr user
users.users.prowlarr = {
description = "prowlarr server user";
uid = ids;
isSystemUser = true;
home = "/var/lib/prowlarr";
createHome = true;
group = "prowlarr";
extraGroups = [ "media" ];
};
# enable the prowlarr service
services.prowlarr = {
enable = true;
openFirewall = true;
settings = {
server.port = cfg.port;
};
};
# override umask to make permissions work out
systemd.services.prowlarr.serviceConfig = {
UMask = lib.mkForce "0007";
User = "prowlarr";
Group = "prowlarr";
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."prowlarr.snowbelle.lan" = {
enableACME = false;
forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
};
}

75
modules/homelab/services/arr.bak/radarr/default.nix Normal file
View File

@@ -0,0 +1,75 @@
{ pkgs, config, lib, ... }:
let
cfg = config.modules.services.radarr;
ids = lib.mkForce 2006;
default_port = 7878;
data_dir = "/var/lib/radarr";
in
{
options.modules.services.radarr = {
enable = lib.mkEnableOption "enables radarr";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7108;
description = "set port for radarr (default: ${toString default_port}";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for radarr";
};
};
config = lib.mkIf cfg.enable {
# declare radarr group
users.groups.radarr = { gid = ids; };
# declare radarr user
users.users.radarr = {
description = "radarr server user";
uid = ids;
isSystemUser = true;
home = "/var/lib/radarr";
createHome = true;
group = "radarr";
extraGroups = [ "media" ];
};
# enable the radarr service
services.radarr = {
enable = true;
openFirewall = true;
user = "radarr";
group = "radarr";
dataDir = data_dir;
settings = {
server.port = cfg.port;
};
};
# override umask to make permissions work out
systemd.services.radarr.serviceConfig = { UMask = lib.mkForce "0007"; };
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."radarr.snowbelle.lan" = {
enableACME = false;
forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
};
}

0
modules/homelab/services/arr/sonarr/default.nix → modules/homelab/services/arr.bak/sonarr/default.nix
View File

90
modules/homelab/services/arr/sonarr/default_temp.nix Normal file
View File

@@ -0,0 +1,90 @@
{ pkgs, config, lib, ... }:
let
service = "sonarr";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7107;
description = "set port for ${service} (default: ${toString default_port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${homelab.basedomain}";
description = "set domain for ${service} reverse proxy entry";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = ${port};
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = "${service}";
extraGroups = [ "media" ];
};
# enable the ${service} service
services.${service} = {
enable = true;
openFirewall = true;
user = "${service}";
group = "${service}";
dataDir = cfg.data_dir;
settings = {
server.port = cfg.port;
};
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry
services.nginx.virtualHosts."${url}" = {
forceSSL = true;
sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}";
};
};
# add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
};
}

28
modules/homelab/services/default.nix
View File

@@ -4,25 +4,15 @@
{ {
imports = [ imports = [
./jellyfin/default.nix # ./jellyfin
./vaultwarden/default.nix # ./vaultwarden
./gitea/default.nix # ./gitea
./qbittorrent/default.nix # ./qbittorrent
./arr/prowlarr/default.nix # ./arr/prowlarr
./arr/flaresolverr/default.nix # ./arr/flaresolverr
./arr/bazarr/default.nix # ./arr/bazarr
./arr/sonarr/default.nix ./arr/sonarr
./arr/radarr/default.nix # ./arr/radarr
]; ];
modules.services.jellyfin.enable = lib.mkDefault false;
modules.services.vaultwarden.enable = lib.mkDefault false;
modules.services.gitea.enable = lib.mkDefault false;
modules.services.qbittorrent.enable = lib.mkDefault false;
modules.services.prowlarr.enable = lib.mkDefault false;
modules.services.flaresolverr.enable = lib.mkDefault false;
modules.services.bazarr.enable = lib.mkDefault false;
modules.services.sonarr.enable = lib.mkDefault false;
modules.services.radarr.enable = lib.mkDefault false;
} }

86
modules/homelab/services/default_temp.nix
View File

@@ -1,96 +1,108 @@
{ pkgs, config, lib, ... }: { pkgs, config, lib, ... }:
let let
cfg = config.modules.services.<service_name>; service = "";
ids = <gid_and_uid_number>; cfg = config.modules.services.${service};
default_port = <port_number>; sec = config.sops.secrets;
data_dir = "/var/lib/<service_name>"; homelab = config.homelab;
in in
{ {
options.modules.services.<service_name> = { options.modules.services.${service} = {
enable = lib.mkEnableOption "enables <service_name>"; enable = lib.mkEnableOption "enables ${service}";
# set port options # set port options
port = lib.mkOption { port = lib.mkOption {
type = lib.types.int; type = lib.types.int;
default = <port>; default = <port>;
description = "set port for <service_name> (default: ${toString default_port}"; description = "set port for ${service} (default: ${toString default_port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${homelab.basedomain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = ${port};
description = "set uid and pid of ${service} user (matches port by default)";
}; };
backup = lib.mkOption { backup = lib.mkOption {
type = lib.types.bool; type = lib.types.bool;
default = true; default = true;
description = "enable backups for <service_name>"; description = "enable backups for ${service}";
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable {
# declare <service_name> group # declare ${service} group
users.groups.<service_name> = { gid = ids; }; users.groups.${service} = { gid = cfg.ids; };
# declare <service_name> user # declare ${service} user
users.users.<service_name> = { users.users.${service} = {
description = "<service_name> server user"; description = "${service} server user";
uid = ids; uid = cfg.ids;
isSystemUser = true; isSystemUser = true;
home = "/var/lib/<service_name>"; home = cfg.data_dir;
createHome = true; createHome = true;
group = "<service_name>"; group = "${service}";
extraGroups = [ "media" ]; extraGroups = [ "media" ];
}; };
# enable the <service_name> service # enable the ${service} service
services.<service_name> = { services.${service} = {
enable = true; enable = true;
openFirewall = true; openFirewall = true;
user = "<service_name>"; user = "${service}";
group = "<service_name>"; group = "${service}";
dataDir = data_dir; dataDir = cfg.data_dir;
settings = { settings = {
server.port = cfg.port; server.port = cfg.port;
}; };
}; };
# override umask to make permissions work out # override umask to make permissions work out
systemd.services.<service_name>.serviceConfig = { systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007"; UMask = lib.mkForce "0007";
# User = "<service_name>"; # User = "${service}";
# Group = "<service_name>"; # Group = "${service}";
}; };
# # open firewall # # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ]; # networking.firewall.allowedTCPPorts = [ cfg.port ];
# internal reverse proxy entry # internal reverse proxy entry
services.nginx.virtualHosts."<service_name>.snowbelle.lan" = { services.nginx.virtualHosts."${url}" = {
enableACME = false;
forceSSL = true; forceSSL = true;
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path; sslCertificate = sec."ssl_blakedheld_crt".path;
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path; sslCertificateKey = sec."ssl_blakedheld_key".path;
locations."/" = { locations."/" = {
proxyPass = "http://127.0.0.1:${toString cfg.port}"; proxyPass = "http://127.0.0.1:${toString cfg.port}";
}; };
}; };
# # external reverse proxy entry # # external reverse proxy entry
# services.nginx.virtualHosts."<service_name>.blakedheld.xyz" = { # services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
# enableACME = false;
# forceSSL = true; # forceSSL = true;
# sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path; # sslCertificate = sec."ssl_blakedheld_crt".path;
# sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path; # sslCertificateKey = sec."ssl_blakedheld_key".path;
# locations."/" = { # locations."/" = {
# proxyPass = "http://127.0.0.1:${toString cfg.port}"; # proxyPass = "http://127.0.0.1:${toString cfg.port}";
# }; # };
# }; # };
sops.secrets = { sops.secrets = {
"<service_name>_" = { "${service}_" = {
owner = "<service_name>"; owner = "${service}";
group = "<service_name>"; group = "${service}";
}; };
}; };
# add to backups # add to backups
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ]; modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
}; };
} }