big restructure, getting there; prayers for the rebuild

2025-10-13 21:29:04 -05:00
parent 9128bf3d66
commit c02dafd0d1
26 changed files with 82 additions and 63 deletions


@@ -1,95 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "bazarr";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7105;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = service;
extraGroups = [ "media" ];
};
# enable the ${service} service
services.${service} = {
enable = true;
openFirewall = true;
user = service;
group = service;
listenPort = cfg.port;
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy 127.0.0.1:${toString cfg.port}
'';
};
# add to glance
modules.services.glance.links.mediastack = [{
title = service;
url = "https://${cfg.url}";
error-url = "http://${homelab.host_ip}:${toString cfg.port}";
check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${service}"; }];
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};
}


@@ -1,78 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "flaresolverr";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7120;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
group = service;
};
# enable the ${service} service
services.${service} = {
enable = true;
openFirewall = true;
port = cfg.port;
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
User = service;
Group = service;
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy 127.0.0.1:${toString cfg.port}
'';
};
};
}


@@ -1,97 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "prowlarr";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7104;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = service;
extraGroups = [ "media" ];
};
# enable the ${service} service
services.${service} = {
enable = true;
openFirewall = true;
settings = {
server.port = cfg.port;
};
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
User = service;
Group = service;
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy 127.0.0.1:${toString cfg.port}
'';
};
# add to glance
modules.services.glance.links.mediastack = [{
title = service;
url = "https://${cfg.url}";
error-url = "http://${homelab.host_ip}:${toString cfg.port}";
check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${service}"; }];
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};
}


@@ -1,100 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "radarr";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7107;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = service;
extraGroups = [ "media" ];
};
# enable the ${service} service
services.${service} = {
enable = true;
openFirewall = true;
user = service;
group = service;
dataDir = cfg.data_dir;
settings = {
server.port = cfg.port;
};
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
# User = service;
# Group = service;
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy 127.0.0.1:${toString cfg.port}
'';
};
# add to glance
modules.services.glance.links.mediastack = [{
title = service;
url = "https://${cfg.url}";
error-url = "http://${homelab.host_ip}:${toString cfg.port}";
check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${service}"; }];
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};
}


@@ -1,98 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "sonarr";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7106;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${homelab.base_domain}";
description = "set domain for ${service} reverse proxy entry";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = service;
extraGroups = [ "media" ];
};
# enable the ${service} service
services.${service} = {
enable = true;
openFirewall = true;
user = service;
group = service;
dataDir = cfg.data_dir;
settings = {
server.port = cfg.port;
};
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy 127.0.0.1:${toString cfg.port}
'';
};
# add to glance
modules.services.glance.links.mediastack = [{
title = service;
url = "https://${cfg.url}";
error-url = "http://${homelab.host_ip}:${toString cfg.port}";
check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${service}"; }];
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};
}


@@ -1,101 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "audiobookshelf";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7101;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "abs.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
# home = cfg.data_dir;
createHome = true;
group = service;
extraGroups = [ "media" ];
};
# enable the ${service} service
services.${service} = {
enable = true;
openFirewall = true;
user = service;
group = service;
# dataDir = cfg.data_dir;
host = "0.0.0.0";
port = cfg.port;
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
# User = service;
# Group = service;
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
serverAliases = [ "abs.${homelab.public_domain}" ];
extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy 127.0.0.1:${toString cfg.port} {
}
'';
};
# add to glance public service
modules.services.glance.links.mediastack = [{
title = service;
url = "https://abs.${homelab.public_domain}";
error-url = "http://${homelab.host_ip}:${toString cfg.port}";
check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${service}"; }];
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};
}


@@ -1,98 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "caddy";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = {};
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = service;
extraGroups = [];
};
# enable the ${service} service
services.${service} = {
enable = true;
user = service;
group = service;
dataDir = cfg.data_dir;
email = "me@blakedheld.xyz";
globalConfig = ''
auto_https ignore_loaded_certs
'';
virtualHosts."key.${homelab.public_domain}" = {
extraConfig = ''
root * /var/www/keys
file_server
'';
};
};
# enable acme for auto ssl certs with lets encrypt
security.acme = {
acceptTerms = true;
defaults.email = "me@blakedheld.xyz";
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
};
# open firewall
networking.firewall.allowedTCPPorts = [ 80 443 ];
sops.secrets = {
"ssl_blakedheld_crt" = {
owner = "caddy";
group = "caddy";
path = "/etc/ssl/blakedheld.xyz.crt";
};
"ssl_blakedheld_key" = {
owner = "caddy";
group = "caddy";
path = "/etc/ssl/blakedheld.xyz.key";
};
"klefki_pub.asc" = {
owner = "caddy";
group = "caddy";
path = "/var/www/keys/klefki_pub.asc";
};
};
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};
}


@@ -5,34 +5,8 @@
# services show up in glance in reverse import order lmao
imports = [
./home/zigbee2mqtt
./vaultwarden
./gitea
./home/homeassistant
./immich
./arr/bazarr
./arr/prowlarr
./arr/radarr
./qbittorrent
./arr/sonarr
./yacreader
./audiobookshelf
./jellyfin
./caddy
./arr/flaresolverr
./home/mosquitto
./uptime-kuma
./glance
];
# add to udr to glance
modules.services.glance.links.system = [{
title = "bebe";
url = "https://bebe.lan";
error-url = "https://10.10.0.1";
check-url = "https://10.10.0.1";
icon = "di:unifi";
allow-insecure = true; }];


@@ -1,125 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "gitea";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7703;
description = "set port for ${service} (default: ${toString cfg.port}";
};
ssh_port = lib.mkOption {
type = lib.types.int;
default = 7567;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "git.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = lib.mkForce "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
shell = pkgs.bash;
home = cfg.data_dir;
createHome = true;
group = service;
extraGroups = [];
};
# declare the gitea service
services.gitea = {
enable = true;
user = "gitea";
group = "gitea";
stateDir = cfg.data_dir;
appName = "gitea";
settings = {
server = {
ROOT_URL = "https://git.blakedheld.xyz";
DOMAIN = "git.blakedheld.xyz";
HTTP_PORT = cfg.port;
SSH_PORT = cfg.ssh_port;
START_SSH_SERVER = true;
ENABLE_PUSH_CREATE_USER = true;
};
};
database = {
passwordFile = "${toString config.sops.secrets."gitea_database_password".path}";
};
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
};
# open firewall
networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ];
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
serverAliases = [ "git.${homelab.public_domain}" ];
extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy localhost:${toString cfg.port} {
}
'';
};
# add to glance
modules.services.glance.links.services = [{
title = service;
url = "https://git.${homelab.public_domain}";
error-url = "http://${homelab.host_ip}:${toString cfg.port}";
check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${service}"; }];
# manage secrets with sops
sops.secrets = {
"${service}_database_password" = {
owner = service;
group = service;
};
};
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};
}


@@ -1,297 +0,0 @@
{
pkgs,
config,
lib,
...
}:
/*
this is a wrapper module for glance that allows you to
to pass monitor entries in with nix, all declaratively!
| <8yy> |
V V
# add to glance
modules.services.glance.links.mediastack = [{
title = service;
url = "https://${cfg.url}";
error-url = "http://${homelab.host_ip}:${toString cfg.port}";
check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${service}";
allow-insecure = true; }];
*/
let
service = "glance";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
uptimekuma_url = "localhost:7901";
uptimekuma_page = "glance";
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7700;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
links = {
services = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
default = [ ];
description = "list of links for ${service}";
};
mediastack = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
default = [ ];
description = "list of links for ${service}";
};
system = lib.mkOption {
type = lib.types.listOf lib.types.attrs;
default = [ ];
description = "list of links for ${service}";
};
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = {
gid = lib.mkForce cfg.ids;
};
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = service;
extraGroups = [ ];
};
services.${service} = {
enable = true;
openFirewall = true;
settings = {
server = {
host = "0.0.0.0";
port = cfg.port;
assets-path = "${cfg.data_dir}/assets";
};
# theme = {custom-css-file = "/assets/user.css";};
auth = {
secret-key = "+mYVAc1uO85hUUz5Ij6Lpelv1RqiLlneYqZD5Jv45buoF2+LZtIt2okRrbFCppiRQbqXkGoRMtSI0bROg4uFUw==";
users = {
blake = {
password-hash = "$2a$10$RwPCkcto35DCp4vNTDpH6.G3TpecPJ/zUL1jI93uzr.lg6v233Sie";
};
};
};
branding = {
logo-url = "/assets/icons/snowbelle.png";
favicon-url = "/assets/icons/favicon.ico";
};
pages = [
{
name = "snowbelle";
hide-desktop-navigation = true;
columns = [
{
size = "small";
widgets = [
{
type = "calendar";
first-day-of-week = "monday";
}
{
type = "server-stats";
servers = [
{
type = "local";
name = "snowbelle";
}
];
}
{
type = "clock";
hour-format = "24h";
timezones = [
{
timezone = "America/Chicago";
label = "HTX";
}
{
timezone = "America/Denver";
label = "AF";
}
];
}
{
type = "twitch-channels";
channels = [
"mang0"
"SaltSSBM"
"thewaffle77"
"ironmouse"
"linustech"
];
}
];
}
{
size = "full";
widgets = [
{
type = "search";
autofocus = true;
search-engine = "https://www.ecosia.org/search?q={QUERY}";
new-tab = true;
bangs = [
{
title = "YouTube";
shortcut = "!y";
url = "https://www.youtube.com/results?search_query={QUERY}";
}
{
title = "Google";
shortcut = "!g";
url = "https://www.google.com/search?q={QUERY}";
}
{
title = "Github";
shortcut = "!gh";
url = "https://github.com/search?q={QUERY}&type=repositories";
}
];
}
{
type = "monitor";
cache = "1m";
title = "services";
sites = cfg.links.services;
}
{
type = "monitor";
cache = "1m";
title = "mediastack";
sites = cfg.links.mediastack;
}
{
type = "monitor";
cache = "1m";
title = "system";
sites = cfg.links.system;
}
{
type = "custom-api";
title = "recpro";
url = "https://api.mcstatus.io/v2/status/java/mc.recoil.pro";
cache = "5s";
template = "<div style=\"display:flex; align-items:center; gap:12px;\">\n <div style=\"width:40px; height:40px; flex-shrink:0; border-radius:4px; display:flex; justify-content:center; align-items:center; overflow:hidden;\">\n {{ if .JSON.Bool \"online\" }}\n <img src=\"{{ .JSON.String \"icon\" | safeURL }}\" width=\"64\" height=\"64\" style=\"object-fit:contain;\">\n {{ else }}\n <svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 20 20\" fill=\"currentColor\" style=\"width:32px; height:32px; opacity:0.5;\">\n <path fill-rule=\"evenodd\" d=\"M1 5.25A2.25 2.25 0 0 1 3.25 3h13.5A2.25 2.25 0 0 1 19 5.25v9.5A2.25 2.25 0 0 1 16.75 17H3.25A2.25 2.25 0 0 1 1 14.75v-9.5Zm1.5 5.81v3.69c0 .414.336.75.75.75h13.5a.75.75 0 0 0 .75-.75v-2.69l-2.22-2.219a.75.75 0 0 0-1.06 0l-1.91 1.909.47.47a.75.75 0 1 1-1.06 1.06L6.53 8.091a.75.75 0 0 0-1.06 0l-2.97 2.97ZM12 7a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z\" clip-rule=\"evenodd\" />\n </svg>\n {{ end }}\n </div>\n\n <div style=\"flex-grow:1; min-width:0;\">\n <a class=\"size-h4 block text-truncate color-highlight\">\n {{ .JSON.String \"host\" }}\n {{ if .JSON.Bool \"online\" }}\n <span\n style=\"width: 8px; height: 8px; border-radius: 50%; background-color: var(--color-positive); display: inline-block; vertical-align: middle;\"\n data-popover-type=\"text\"\n data-popover-text=\"Online\"\n ></span>\n {{ else }}\n <span\n style=\"width: 8px; height: 8px; border-radius: 50%; background-color: var(--color-negative); display: inline-block; vertical-align: middle;\"\n data-popover-type=\"text\"\n data-popover-text=\"Offline\"\n ></span>\n {{ end }}\n </a>\n\n <ul class=\"list-horizontal-text\">\n <li>\n {{ if .JSON.Bool \"online\" }}\n <span>{{ .JSON.String \"version.name_clean\" }}</span>\n {{ else }}\n <span>Offline</span>\n {{ end }}\n </li>\n {{ if .JSON.Bool \"online\" }}\n <li data-popover-type=\"html\">\n <div data-popover-html>\n {{ range .JSON.Array \"players.list\" }}{{ .String \"name_clean\" }}<br>{{ end }}\n </div>\n <p 
style=\"display:inline-flex;align-items:center;\">\n <svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 24 24\" fill=\"currentColor\" class=\"size-6\" style=\"height:1em;vertical-align:middle;margin-right:0.5em;\">\n <path fill-rule=\"evenodd\" d=\"M7.5 6a4.5 4.5 0 1 1 9 0 4.5 4.5 0 0 1-9 0ZM3.751 20.105a8.25 8.25 0 0 1 16.498 0 .75.75 0 0 1-.437.695A18.683 18.683 0 0 1 12 22.5c-2.786 0-5.433-.608-7.812-1.7a.75.75 0 0 1-.437-.695Z\" clip-rule=\"evenodd\" />\n </svg>\n {{ .JSON.Int \"players.online\" | formatNumber }}/{{ .JSON.Int \"players.max\" | formatNumber }} players\n </p>\n </li>\n {{ else }}\n <li>\n <p style=\"display:inline-flex;align-items:center;\">\n <svg xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 24 24\" fill=\"currentColor\" class=\"size-6\" style=\"height:1em;vertical-align:middle;margin-right:0.5em;opacity:0.5;\">\n <path fill-rule=\"evenodd\" d=\"M7.5 6a4.5 4.5 0 1 1 9 0 4.5 4.5 0 0 1-9 0ZM3.751 20.105a8.25 8.25 0 0 1 16.498 0 .75.75 0 0 1-.437.695A18.683 18.683 0 0 1 12 22.5c-2.786 0-5.433-.608-7.812-1.7a.75.75 0 0 1-.437-.695Z\" clip-rule=\"evenodd\" />\n </svg>\n 0 players\n </p>\n </li>\n {{ end }}\n </ul>\n </div>\n</div>";
}
];
}
{
size = "small";
widgets = [
{
type = "weather";
location = "Pearland, Texas, United States";
units = "imperial";
hour-format = "24h";
}
{
type = "markets";
markets = [
{
symbol = "SPY";
name = "S&P 500";
}
{
symbol = "XMR-USD";
name = "Monero";
}
{
symbol = "NVDA";
name = "NVIDIA";
}
{
symbol = "AAPL";
name = "Apple";
}
{
symbol = "MSFT";
name = "Microsoft";
}
];
}
{
type = "releases";
cache = "1d";
repositories = [
"glanceapp/glance"
"go-gitea/gitea"
"immich-app/immich"
"syncthing/syncthing"
];
}
];
}
];
}
];
};
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
User = service;
Group = service;
};
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
# serverAliases = [ "${homelab.public_domain}" ];
extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy 127.0.0.1:${toString cfg.port}
'';
};
# add to backups
modules.system.backups.baks = {
${service} = {
paths = [ cfg.data_dir ];
};
};
};
}


@@ -1,157 +0,0 @@
{ pkgs, config, lib, inputs, ... }:
let
nixservice = "home-assistant";
service = "hass";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7704;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = service;
extraGroups = [];
};
# still suss as fuck bro man fuck
virtualisation.oci-containers.containers = {
hass = {
image = "homeassistant/home-assistant:stable";
autoStart = true;
extraOptions = [
"--pull=newer"
"--network=host"
];
volumes = [
"${cfg.data_dir}:/config"
];
# ports = [
# "0.0.0.0:7704:8123"
# "0.0.0.0:4141:4141"
# ];
environment = {
TZ = homelab.tz;
PUID = toString config.users.users.${service}.uid;
PGID = toString config.users.groups.${service}.gid;
};
};
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
};
# open firewall
networking.firewall.allowedTCPPorts = [ cfg.port 8123 ];
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
serverAliases = [ "${service}.${homelab.public_domain}" ];
extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy 127.0.0.1:${toString cfg.port}
'';
};
# add to glance
modules.services.glance.links.services = [{
title = "home assistant";
url = "https://hass.${homelab.public_domain}";
error-url = "http://${homelab.host_ip}:${toString cfg.port}";
check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${nixservice}"; }];
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};
}
# here lies my tough, and I mean fucking tough, swing at
# getting this to work bare metal, ggs ill see you again
# - didnt take long
# --------------------------------------------------------------------------------
# # enable the ${service} service
# services.${nixservice} = {
# enable = true;
# package = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.home-assistant;
# extraComponents = [
# # required for onboarding
# "analytics"
# "google_translate"
# "met"
# "radio_browser"
# "shopping_list"
# "isal"
# "default_config"
# "mqtt"
# ];
# extraPackages = python3Packages: with python3Packages; [
# psycopg2
# universal-silabs-flasher
# getmac
# zha
# ha-silabs-firmware-client
# paho-mqtt
# aiomqtt
# aiounifi
# ibeacon-ble
# ];
# # imperative config
# config = null;
# lovelaceConfig = null;
# configDir = cfg.data_dir;
# # declartive poggers!
## config = {
## # Includes dependencies for a basic setup
## default_config = {};
## };
# };


@@ -1,95 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "mosquitto";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 1883;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "${service}.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = lib.mkForce "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = service;
extraGroups = [];
};
# enable the ${service} service
services.mosquitto.enable = true;
services.mosquitto.listeners = [
{
port = 1883;
address = "0.0.0.0";
users.zigbee = {
acl = [ "readwrite #" ];
hashedPassword = "$7$101$140powz2MtsRawFT$ydndjal9wCAywIWtUEAh/IusdfDFvnHMupTFjdS7Ad/EjsEIbJgHrLY9waCe4Z3142XieuxMrXUDjMTp2qwyiw==";
};
# use with no auth
# settings.allow_anonymous = true;
# acl = [ "pattern readwrite #" ];
# omitPasswordAuth = true;
}
];
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
User = service;
Group = service;
};
# open firewall
networking.firewall.allowedTCPPorts = [ cfg.port ];
sops.secrets = {
"${service}_hashed_passwd" = {
owner = service;
group = service;
};
};
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};
}


@@ -1,126 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "zigbee2mqtt";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7705;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "z2m.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = service;
extraGroups = [];
};
# enable the ${service} service
services.${service} = {
enable = true;
dataDir = cfg.data_dir;
settings = {
mqtt = {
base_topic = "zigbee2mqtt";
client_id = "zigbee2mqtt";
server = "mqtt://localhost:1883";
user = "!/run/secrets/mosquitto_passwd.yaml user";
password = "!/run/secrets/mosquitto_passwd.yaml password";
keepalive = 20;
};
serial = {
port = "/dev/serial/by-id/usb-Itead_Sonoff_Zigbee_3.0_USB_Dongle_Plus_V2_4a4e75d63653ef1198d728e0174bec31-if00-port0";
adapter = "ember";
};
advanced = {
channel = 11;
};
frontend = {
enabled = true;
port = cfg.port;
};
homeassistant = {
enabled = true;
};
};
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
User = service;
Group = service;
};
# # open firewall
networking.firewall.allowedTCPPorts = [ cfg.port ];
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
serverAliases = [ "z2m.${homelab.public_domain}" ];
extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy 127.0.0.1:${toString cfg.port}
'';
};
# add to glance
modules.services.glance.links.services = [{
title = service;
url = "https://${cfg.url}";
error-url = "http://${homelab.host_ip}:${toString cfg.port}";
check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${service}"; }];
sops.secrets = {
"mosquitto_passwd.yaml" = {
owner = service;
group = service;
};
};
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};
}


@@ -1,100 +0,0 @@
{ pkgs, config, lib, inputs, ... }:
let
service = "immich";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7702;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "photos.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = service;
extraGroups = [ "video" "render" ];
};
# enable the ${service} service
services.${service} = {
enable = true;
package = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.immich;
openFirewall = true;
user = service;
group = service;
mediaLocation = cfg.data_dir;
host = "0.0.0.0";
port = cfg.port;
settings.server.externalDomain = "https://pics.blakedheld.xyz";
};
# override umask to make permissions work out
# systemd.services."${toString service}-server".serviceConfig = {
# UMask = lib.mkForce "0007";
# };
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
serverAliases = [ "photos.${homelab.public_domain}" ];
extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy 127.0.0.1:${toString cfg.port}
'';
};
# add to glance
modules.services.glance.links.services = [{
title = service;
url = "https://photos.${homelab.public_domain}";
error-url = "http://${homelab.host_ip}:${toString cfg.port}";
check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${service}"; }];
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir "/var/lib/redis-immich" ]; };
};
};
}


@@ -1,96 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "jellyfin";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7100;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "media.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = service;
extraGroups = [ "media" "video" "render" ];
};
# enable the ${service} service
services.${service} = {
enable = true;
openFirewall = true;
user = service;
group = service;
dataDir = cfg.data_dir;
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
serverAliases = [ "media.${homelab.public_domain}" ];
extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy 127.0.0.1:${toString cfg.port}
'';
};
# add to glance
modules.services.glance.links.mediastack = [{
title = service;
url = "https://media.${homelab.public_domain}";
error-url = "http://${homelab.host_ip}:${toString cfg.port}";
check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${service}"; }];
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};
}


@@ -1,134 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "qbittorrent";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7103;
description = "set port for ${service} (default: ${toString cfg.port}";
};
# torrenting_port = lib.mkOption {
# type = lib.types.int;
# default = ;
# description = "set port for ${service} (default: ${toString cfg.port}";
# };
url = lib.mkOption {
type = lib.types.str;
default = "qbit.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
vpn_inf = lib.mkOption {
type = lib.types.str;
default = "enp89s0.69";
description = "set the interface qbittorrent will be bound to (used to route through vpn)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# ensure media dirs existence
systemd.tmpfiles.rules = [
"d /holocron/media/downloads 2775 qbittorrent media -"
];
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = "media";
};
# enable the qbittorrent service
services.${service} = {
enable = true;
openFirewall = true;
user = service;
group = lib.mkForce "media"; # override for permissions
profileDir = cfg.data_dir;
webuiPort = cfg.port;
# torrentingPort = cfg.torrenting_port;
};
# override umask to make permissions work out
systemd.services.${service} = {
serviceConfig = {
UMask = lib.mkForce "0007";
};
};
# bind to network interface but allow local access to webui
networking.firewall.extraCommands = ''
iptables -F QBIT 2>/dev/null || true
iptables -X QBIT 2>/dev/null || true
iptables -N QBIT
iptables -A OUTPUT -m owner --uid-owner ${toString cfg.ids} -j QBIT
iptables -A QBIT -o ${cfg.vpn_inf} -j ACCEPT
iptables -A QBIT -p udp --dport 53 -o ${cfg.vpn_inf} -j ACCEPT
iptables -A QBIT -p tcp --dport 53 -o ${cfg.vpn_inf} -j ACCEPT
iptables -A QBIT -o lo -j ACCEPT
iptables -A QBIT -p tcp -d 127.0.0.1 --dport ${toString cfg.port} -j ACCEPT
iptables -A QBIT -p tcp -o enp89s0 -d 10.0.0.0/8 --dport ${toString cfg.port} -j ACCEPT
iptables -A QBIT -j DROP
'';
# boilerplate for if you ever want to try to get this working again
# ------------------------------------------------------------------------------
# # add systemd service to VPN network namespace
# vpnConfinement = {
# enable = true;
# vpnNamespace = "wgmex";
# };
# ------------------------------------------------------------------------------
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy 127.0.0.1:${toString cfg.port}
'';
};
# add to glance
modules.services.glance.links.mediastack = [{
title = service;
url = "https://${cfg.url}";
error-url = "http://${homelab.host_ip}:${toString cfg.port}";
check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${service}"; }];
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};
}


@@ -1,96 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "uptime-kuma";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7901;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "up.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = "${service}";
extraGroups = [];
};
# enable the ${service} service
services.${service} = {
enable = true;
settings =
{
PORT = toString cfg.port;
HOST = "0.0.0.0";
};
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = {
UMask = lib.mkForce "0007";
};
# # open firewall
# networking.firewall.allowedTCPPorts = [ cfg.port ];
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy 127.0.0.1:${toString cfg.port}
'';
};
# add to glance
modules.services.glance.links.system = [{
title = service;
url = "https://${cfg.url}";
error-url = "http://${homelab.host_ip}:${toString cfg.port}";
check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${service}"; }];
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};
}


@@ -1,116 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "vaultwarden";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
domain = "https://pass.blakedheld.xyz";
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7701;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "pass.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = service;
extraGroups = [];
};
# enable the vaultwarden service
services.${service} = {
enable = true;
config = {
DOMAIN = domain;
ROCKET_ADDRESS = "0.0.0.0";
ROCKET_PORT = cfg.port;
SIGNUPS_ALLOWED = true;
# ADMIN_TOKEN = "yuh";
ADMIN_TOKEN = "${toString config.sops.secrets."vaultwarden_admin_token".path}";
EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "fido2-vault-credentials,autofill-overlay,autofill-v2,inline-menu-positioning-improvements,ssh-key-vault-item";
# The following flags are available:
# - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
# - "autofill-v2": Use the new autofill implementation.
# - "browser-fileless-import": Directly import credentials from other providers without a file.
# - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
# - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
# - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
# - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
# - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
};
};
# override umask to make permissions work out
systemd.services.${service}.serviceConfig = { UMask = lib.mkForce "0007"; };
# open firewall
networking.firewall.allowedTCPPorts = [ cfg.port ];
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
serverAliases = [ "pass.${homelab.public_domain}" ];
extraConfig = ''
tls /etc/ssl/blakedheld.xyz.crt /etc/ssl/blakedheld.xyz.key
reverse_proxy 127.0.0.1:${toString cfg.port}
'';
};
# add to glance
modules.services.glance.links.services = [{
title = service;
url = "https://pass.${homelab.public_domain}";
error-url = "http://${homelab.host_ip}:${toString cfg.port}";
check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:${service}"; }];
sops.secrets = {
"${service}_admin_token" = {
owner = "${service}";
group = "${service}";
};
};
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};
}


@@ -1,105 +0,0 @@
{ pkgs, config, lib, ... }:
let
service = "yacreader";
cfg = config.modules.services.${service};
sec = config.sops.secrets;
homelab = config.modules.homelab;
in
{
options.modules.services.${service} = {
enable = lib.mkEnableOption "enables ${service}";
# set port options
port = lib.mkOption {
type = lib.types.int;
default = 7102;
description = "set port for ${service} (default: ${toString cfg.port}";
};
url = lib.mkOption {
type = lib.types.str;
default = "manga.${homelab.base_domain}";
description = "set domain for ${service}";
};
data_dir = lib.mkOption {
type = lib.types.str;
default = "/var/lib/${service}";
description = "set data directory for ${service}";
};
ids = lib.mkOption {
type = lib.types.int;
default = cfg.port;
description = "set uid and pid of ${service} user (matches port by default)";
};
backup = lib.mkOption {
type = lib.types.bool;
default = true;
description = "enable backups for ${service}";
};
};
config = lib.mkIf cfg.enable {
# install the binary
environment.systemPackages = with pkgs; [ yacreader ];
# declare ${service} group
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
# declare ${service} user
users.users.${service} = {
description = "${service} server user";
uid = lib.mkForce cfg.ids;
isSystemUser = true;
home = cfg.data_dir;
createHome = true;
group = service;
extraGroups = [ "media" ];
};
# enable the ${service} service
systemd.services.${service} = {
description = "${service} library server";
wantedBy = [ "multi-user.target" ];
after = [ "network.target" ];
serviceConfig = {
UMask = lib.mkForce "0007";
User = service;
Group = service;
Restart = "always";
RestartSec = "5s";
Type = "simple";
ExecStart = "${pkgs.yacreader}/bin/YACReaderLibraryServer start --port ${toString cfg.port}";
WorkingDirectory = "/var/lib/yacreader";
TimeoutStopSec = "20s";
};
};
# open firewall
networking.firewall.allowedTCPPorts = [ cfg.port ];
# add to caddy for reverse proxy
services.caddy.virtualHosts."${cfg.url}" = {
extraConfig = ''
tls ${sec."ssl_blakedheld_crt".path} ${sec."ssl_blakedheld_key".path}
reverse_proxy 127.0.0.1:${toString cfg.port} {
}
'';
};
# add to glance local service
modules.services.glance.links.mediastack = [{
title = service;
url = "https://${cfg.url}";
error-url = "http://${homelab.host_ip}:${toString cfg.port}";
check-url = "http://${homelab.host_ip}:${toString cfg.port}";
icon = "di:yac-reader"; }];
# add to backups
modules.system.backups.baks = {
${service} = { paths = [ cfg.data_dir ]; };
};
};
}