Compare commits
17 Commits
85ddb74e49
...
ec96339443
| Author | SHA1 | Date | |
|---|---|---|---|
| ec96339443 | |||
| 4beb89228c | |||
| ddf196a04d | |||
| 535b2da2e6 | |||
| 6684472736 | |||
| 435d2154b8 | |||
| 7bd74aea43 | |||
| 126754154d | |||
| 044deffeef | |||
| 9336907744 | |||
| e9108dd43e | |||
| 2ee69f3526 | |||
| 76fdb30757 | |||
| 869dc4832d | |||
| 72beee30c3 | |||
| 68840fe56f | |||
| 283761bd0e |
@@ -1,6 +1,6 @@
|
||||
# flake for blakes nixos config
|
||||
# define new devices in outputs
|
||||
# generation: 150 current 2025-10-09 11:52:30 25.05.20251006.20c4598 6.12.50 *
|
||||
# generation: 154 current 2025-10-09 12:40:25 25.05.20251006.20c4598 6.12.50 *
|
||||
{
|
||||
description = "blakes nix config";
|
||||
inputs = {
|
||||
|
||||
@@ -30,14 +30,14 @@
|
||||
nginx-proxy.enable = true;
|
||||
};
|
||||
services = {
|
||||
jellyfin.enable = true;
|
||||
vaultwarden.enable = true;
|
||||
#jellyfin.enable = true;
|
||||
#vaultwarden.enable = true;
|
||||
gitea.enable = true;
|
||||
qbittorrent.enable = true;
|
||||
#prowlarr.enable = true;
|
||||
#flaresolverr.enable = true;
|
||||
#bazarr.enable = true;
|
||||
#radarr.enable = true;
|
||||
#qbittorrent.enable = true;
|
||||
prowlarr.enable = true;
|
||||
flaresolverr.enable = true;
|
||||
bazarr.enable = true;
|
||||
radarr.enable = true;
|
||||
sonarr.enable = true;
|
||||
};
|
||||
};
|
||||
|
||||
@@ -1,74 +0,0 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.modules.services.bazarr;
|
||||
ids = 2706;
|
||||
default_port = 6767;
|
||||
data_dir = "/var/lib/bazarr";
|
||||
in
|
||||
{
|
||||
options.modules.services.bazarr = {
|
||||
enable = lib.mkEnableOption "enables bazarr";
|
||||
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 7106;
|
||||
description = "set port for bazarr (default: ${toString default_port}";
|
||||
};
|
||||
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "enable backups for bazarr";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# declare bazarr group
|
||||
users.groups.bazarr = { gid = ids; };
|
||||
|
||||
# declare bazarr user
|
||||
users.users.bazarr = {
|
||||
description = "bazarr server user";
|
||||
uid = ids;
|
||||
isSystemUser = true;
|
||||
home = "/var/lib/bazarr";
|
||||
createHome = false;
|
||||
group = "bazarr";
|
||||
extraGroups = [ "media" ];
|
||||
};
|
||||
|
||||
# enable the bazarr service
|
||||
services.bazarr = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
user = "bazarr";
|
||||
group = "bazarr";
|
||||
listenPort = cfg.port;
|
||||
};
|
||||
|
||||
# override systemd service
|
||||
systemd.services.bazarr.serviceConfig = {
|
||||
UMask = lib.mkForce "0007";
|
||||
};
|
||||
|
||||
# # open firewall
|
||||
# networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
|
||||
# internal reverse proxy entry
|
||||
services.nginx.virtualHosts."bazarr.snowbelle.lan" = {
|
||||
enableACME = false;
|
||||
forceSSL = true;
|
||||
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
|
||||
};
|
||||
}
|
||||
@@ -1,68 +0,0 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.modules.services.flaresolverr;
|
||||
ids = 2008;
|
||||
default_port = 8189;
|
||||
in
|
||||
{
|
||||
options.modules.services.flaresolverr = {
|
||||
enable = lib.mkEnableOption "enables flaresolverr";
|
||||
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 7105;
|
||||
description = "set port for flaresolverr (default: ${toString default_port}";
|
||||
};
|
||||
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "enable backups for flaresolverr";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# declare flaresolverr group
|
||||
users.groups.flaresolverr = { gid = ids; };
|
||||
|
||||
# declare flaresolverr user
|
||||
users.users.flaresolverr = {
|
||||
description = "flaresolverr server user";
|
||||
uid = ids;
|
||||
isSystemUser = true;
|
||||
createHome = false;
|
||||
group = "flaresolverr";
|
||||
extraGroups = [];
|
||||
};
|
||||
|
||||
# enable the flaresolverr service
|
||||
services.flaresolverr = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
port = cfg.port;
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.flaresolverr.serviceConfig = {
|
||||
User = "flaresolverr";
|
||||
Group = "flaresolverr";
|
||||
};
|
||||
|
||||
# # open firewall
|
||||
# networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
|
||||
# internal reverse proxy entry
|
||||
services.nginx.virtualHosts."flaresolverr.snowbelle.lan" = {
|
||||
enableACME = false;
|
||||
forceSSL = true;
|
||||
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -1,76 +0,0 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.modules.services.prowlarr;
|
||||
ids = 2004;
|
||||
default_port = 9696;
|
||||
data_dir = "/var/lib/private";
|
||||
in
|
||||
{
|
||||
options.modules.services.prowlarr = {
|
||||
enable = lib.mkEnableOption "enables prowlarr";
|
||||
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 7104;
|
||||
description = "set port for prowlarr (default: ${toString default_port}";
|
||||
};
|
||||
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "enable backups for prowlarr";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# declare prowlarr group
|
||||
users.groups.prowlarr = { gid = ids; };
|
||||
|
||||
# declare prowlarr user
|
||||
users.users.prowlarr = {
|
||||
description = "prowlarr server user";
|
||||
uid = ids;
|
||||
isSystemUser = true;
|
||||
home = "/var/lib/prowlarr";
|
||||
createHome = true;
|
||||
group = "prowlarr";
|
||||
extraGroups = [ "media" ];
|
||||
};
|
||||
|
||||
# enable the prowlarr service
|
||||
services.prowlarr = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
settings = {
|
||||
server.port = cfg.port;
|
||||
};
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.prowlarr.serviceConfig = {
|
||||
UMask = lib.mkForce "0007";
|
||||
User = "prowlarr";
|
||||
Group = "prowlarr";
|
||||
};
|
||||
|
||||
# # open firewall
|
||||
# networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
|
||||
# internal reverse proxy entry
|
||||
services.nginx.virtualHosts."prowlarr.snowbelle.lan" = {
|
||||
enableACME = false;
|
||||
forceSSL = true;
|
||||
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
|
||||
};
|
||||
}
|
||||
@@ -1,75 +0,0 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.modules.services.radarr;
|
||||
ids = lib.mkForce 2006;
|
||||
default_port = 7878;
|
||||
data_dir = "/var/lib/radarr";
|
||||
in
|
||||
{
|
||||
options.modules.services.radarr = {
|
||||
enable = lib.mkEnableOption "enables radarr";
|
||||
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 7108;
|
||||
description = "set port for radarr (default: ${toString default_port}";
|
||||
};
|
||||
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "enable backups for radarr";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# declare radarr group
|
||||
users.groups.radarr = { gid = ids; };
|
||||
|
||||
# declare radarr user
|
||||
users.users.radarr = {
|
||||
description = "radarr server user";
|
||||
uid = ids;
|
||||
isSystemUser = true;
|
||||
home = "/var/lib/radarr";
|
||||
createHome = true;
|
||||
group = "radarr";
|
||||
extraGroups = [ "media" ];
|
||||
};
|
||||
|
||||
# enable the radarr service
|
||||
services.radarr = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
user = "radarr";
|
||||
group = "radarr";
|
||||
dataDir = data_dir;
|
||||
settings = {
|
||||
server.port = cfg.port;
|
||||
};
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.radarr.serviceConfig = { UMask = lib.mkForce "0007"; };
|
||||
|
||||
# # open firewall
|
||||
# networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
|
||||
# internal reverse proxy entry
|
||||
services.nginx.virtualHosts."radarr.snowbelle.lan" = {
|
||||
enableACME = false;
|
||||
forceSSL = true;
|
||||
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
|
||||
};
|
||||
}
|
||||
@@ -1,74 +0,0 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.modules.services.sonarr;
|
||||
ids = lib.mkForce 2005;
|
||||
default_port = 8989;
|
||||
data_dir = "/var/lib/sonarr";
|
||||
in
|
||||
{
|
||||
options.modules.services.sonarr = {
|
||||
enable = lib.mkEnableOption "enables sonarr";
|
||||
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 7107;
|
||||
description = "set port for sonarr (${toString default_port})";
|
||||
};
|
||||
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
};
|
||||
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# declare sonarr group
|
||||
users.groups.sonarr = { gid = ids; };
|
||||
|
||||
# declare sonarr user
|
||||
users.users.sonarr = {
|
||||
description = "sonarr server user";
|
||||
uid = ids;
|
||||
isSystemUser = true;
|
||||
home = "/var/lib/sonarr";
|
||||
createHome = true;
|
||||
group = "sonarr";
|
||||
extraGroups = [ "media" ];
|
||||
};
|
||||
|
||||
# enable the sonarr service
|
||||
services.sonarr = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
user = "sonarr";
|
||||
group = "sonarr";
|
||||
dataDir = data_dir;
|
||||
settings = {
|
||||
server.port = cfg.port; # default: 8989
|
||||
};
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.sonarr.serviceConfig = { UMask = lib.mkForce "0007"; };
|
||||
|
||||
# open firewall
|
||||
#networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
|
||||
# reverse proxy entryo
|
||||
services.nginx.virtualHosts."sonarr.snowbelle.lan" = {
|
||||
enableACME = false;
|
||||
forceSSL = true;
|
||||
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
|
||||
};
|
||||
}
|
||||
@@ -1,56 +1,70 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.modules.services.bazarr;
|
||||
ids = 2706;
|
||||
default_port = 6767;
|
||||
data_dir = "/var/lib/bazarr";
|
||||
service = "bazarr";
|
||||
cfg = config.modules.services.${service};
|
||||
sec = config.sops.secrets;
|
||||
homelab = config.modules.homelab;
|
||||
in
|
||||
{
|
||||
options.modules.services.bazarr = {
|
||||
enable = lib.mkEnableOption "enables bazarr";
|
||||
options.modules.services.${service} = {
|
||||
enable = lib.mkEnableOption "enables ${service}";
|
||||
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 7106;
|
||||
description = "set port for bazarr (default: ${toString default_port}";
|
||||
default = 7105;
|
||||
description = "set port for ${service} (default: ${toString cfg.port}";
|
||||
};
|
||||
url = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "${service}.${homelab.base_domain}";
|
||||
description = "set domain for ${service}";
|
||||
};
|
||||
data_dir = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/lib/${service}";
|
||||
description = "set data directory for ${service}";
|
||||
};
|
||||
ids = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = cfg.port;
|
||||
description = "set uid and pid of ${service} user (matches port by default)";
|
||||
};
|
||||
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "enable backups for bazarr";
|
||||
description = "enable backups for ${service}";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# declare bazarr group
|
||||
users.groups.bazarr = { gid = ids; };
|
||||
# declare ${service} group
|
||||
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
|
||||
|
||||
# declare bazarr user
|
||||
users.users.bazarr = {
|
||||
description = "bazarr server user";
|
||||
uid = ids;
|
||||
# declare ${service} user
|
||||
users.users.${service} = {
|
||||
description = "${service} server user";
|
||||
uid = lib.mkForce cfg.ids;
|
||||
isSystemUser = true;
|
||||
home = "/var/lib/bazarr";
|
||||
createHome = false;
|
||||
group = "bazarr";
|
||||
home = cfg.data_dir;
|
||||
createHome = true;
|
||||
group = "${service}";
|
||||
extraGroups = [ "media" ];
|
||||
};
|
||||
|
||||
# enable the bazarr service
|
||||
services.bazarr = {
|
||||
# enable the ${service} service
|
||||
services.${service} = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
user = "bazarr";
|
||||
group = "bazarr";
|
||||
user = "${service}";
|
||||
group = "${service}";
|
||||
listenPort = cfg.port;
|
||||
};
|
||||
|
||||
# override systemd service
|
||||
systemd.services.bazarr.serviceConfig = {
|
||||
# override umask to make permissions work out
|
||||
systemd.services.${service}.serviceConfig = {
|
||||
UMask = lib.mkForce "0007";
|
||||
};
|
||||
|
||||
@@ -58,17 +72,16 @@ in
|
||||
# networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
|
||||
# internal reverse proxy entry
|
||||
services.nginx.virtualHosts."bazarr.snowbelle.lan" = {
|
||||
enableACME = false;
|
||||
services.nginx.virtualHosts."${cfg.url}" = {
|
||||
forceSSL = true;
|
||||
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
|
||||
sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
|
||||
};
|
||||
}
|
||||
|
||||
@@ -1,65 +1,77 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.modules.services.flaresolverr;
|
||||
ids = 2008;
|
||||
default_port = 8189;
|
||||
service = "flaresolverr";
|
||||
cfg = config.modules.services.${service};
|
||||
sec = config.sops.secrets;
|
||||
homelab = config.modules.homelab;
|
||||
in
|
||||
{
|
||||
options.modules.services.flaresolverr = {
|
||||
enable = lib.mkEnableOption "enables flaresolverr";
|
||||
options.modules.services.${service} = {
|
||||
enable = lib.mkEnableOption "enables ${service}";
|
||||
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 7105;
|
||||
description = "set port for flaresolverr (default: ${toString default_port}";
|
||||
default = 7120;
|
||||
description = "set port for ${service} (default: ${toString cfg.port}";
|
||||
};
|
||||
url = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "${service}.${homelab.base_domain}";
|
||||
description = "set domain for ${service}";
|
||||
};
|
||||
data_dir = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/lib/${service}";
|
||||
description = "set data directory for ${service}";
|
||||
};
|
||||
ids = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = cfg.port;
|
||||
description = "set uid and pid of ${service} user (matches port by default)";
|
||||
};
|
||||
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "enable backups for flaresolverr";
|
||||
description = "enable backups for ${service}";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# declare flaresolverr group
|
||||
users.groups.flaresolverr = { gid = ids; };
|
||||
# declare ${service} group
|
||||
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
|
||||
|
||||
# declare flaresolverr user
|
||||
users.users.flaresolverr = {
|
||||
description = "flaresolverr server user";
|
||||
uid = ids;
|
||||
# declare ${service} user
|
||||
users.users.${service} = {
|
||||
description = "${service} server user";
|
||||
uid = lib.mkForce cfg.ids;
|
||||
isSystemUser = true;
|
||||
createHome = false;
|
||||
group = "flaresolverr";
|
||||
extraGroups = [];
|
||||
group = "${service}";
|
||||
};
|
||||
|
||||
# enable the flaresolverr service
|
||||
services.flaresolverr = {
|
||||
# enable the ${service} service
|
||||
services.${service} = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
port = cfg.port;
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.flaresolverr.serviceConfig = {
|
||||
User = "flaresolverr";
|
||||
Group = "flaresolverr";
|
||||
};
|
||||
systemd.services.${service}.serviceConfig = {
|
||||
User = "${service}";
|
||||
Group = "${service}";
|
||||
};
|
||||
|
||||
# # open firewall
|
||||
# networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
|
||||
# internal reverse proxy entry
|
||||
services.nginx.virtualHosts."flaresolverr.snowbelle.lan" = {
|
||||
enableACME = false;
|
||||
services.nginx.virtualHosts."${cfg.url}" = {
|
||||
forceSSL = true;
|
||||
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
|
||||
sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
|
||||
@@ -1,47 +1,61 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.modules.services.prowlarr;
|
||||
ids = 2004;
|
||||
default_port = 9696;
|
||||
data_dir = "/var/lib/private";
|
||||
service = "prowlarr";
|
||||
cfg = config.modules.services.${service};
|
||||
sec = config.sops.secrets;
|
||||
homelab = config.modules.homelab;
|
||||
in
|
||||
{
|
||||
options.modules.services.prowlarr = {
|
||||
enable = lib.mkEnableOption "enables prowlarr";
|
||||
options.modules.services.${service} = {
|
||||
enable = lib.mkEnableOption "enables ${service}";
|
||||
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 7104;
|
||||
description = "set port for prowlarr (default: ${toString default_port}";
|
||||
description = "set port for ${service} (default: ${toString cfg.port}";
|
||||
};
|
||||
url = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "${service}.${homelab.base_domain}";
|
||||
description = "set domain for ${service}";
|
||||
};
|
||||
data_dir = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/lib/${service}";
|
||||
description = "set data directory for ${service}";
|
||||
};
|
||||
ids = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = cfg.port;
|
||||
description = "set uid and pid of ${service} user (matches port by default)";
|
||||
};
|
||||
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "enable backups for prowlarr";
|
||||
description = "enable backups for ${service}";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# declare prowlarr group
|
||||
users.groups.prowlarr = { gid = ids; };
|
||||
# declare ${service} group
|
||||
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
|
||||
|
||||
# declare prowlarr user
|
||||
users.users.prowlarr = {
|
||||
description = "prowlarr server user";
|
||||
uid = ids;
|
||||
# declare ${service} user
|
||||
users.users.${service} = {
|
||||
description = "${service} server user";
|
||||
uid = lib.mkForce cfg.ids;
|
||||
isSystemUser = true;
|
||||
home = "/var/lib/prowlarr";
|
||||
home = cfg.data_dir;
|
||||
createHome = true;
|
||||
group = "prowlarr";
|
||||
group = "${service}";
|
||||
extraGroups = [ "media" ];
|
||||
};
|
||||
|
||||
# enable the prowlarr service
|
||||
services.prowlarr = {
|
||||
# enable the ${service} service
|
||||
services.${service} = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
settings = {
|
||||
@@ -50,27 +64,26 @@ in
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.prowlarr.serviceConfig = {
|
||||
systemd.services.${service}.serviceConfig = {
|
||||
UMask = lib.mkForce "0007";
|
||||
User = "prowlarr";
|
||||
Group = "prowlarr";
|
||||
User = "${service}";
|
||||
Group = "${service}";
|
||||
};
|
||||
|
||||
# # open firewall
|
||||
# networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
|
||||
# internal reverse proxy entry
|
||||
services.nginx.virtualHosts."prowlarr.snowbelle.lan" = {
|
||||
enableACME = false;
|
||||
services.nginx.virtualHosts."${cfg.url}" = {
|
||||
forceSSL = true;
|
||||
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
|
||||
sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
|
||||
};
|
||||
}
|
||||
|
||||
@@ -1,75 +1,92 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.modules.services.radarr;
|
||||
ids = lib.mkForce 2006;
|
||||
default_port = 7878;
|
||||
data_dir = "/var/lib/radarr";
|
||||
service = "radarr";
|
||||
cfg = config.modules.services.${service};
|
||||
sec = config.sops.secrets;
|
||||
homelab = config.modules.homelab;
|
||||
in
|
||||
{
|
||||
options.modules.services.radarr = {
|
||||
enable = lib.mkEnableOption "enables radarr";
|
||||
options.modules.services.${service} = {
|
||||
enable = lib.mkEnableOption "enables ${service}";
|
||||
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 7108;
|
||||
description = "set port for radarr (default: ${toString default_port}";
|
||||
default = 7107;
|
||||
description = "set port for ${service} (default: ${toString cfg.port}";
|
||||
};
|
||||
url = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "${service}.${homelab.base_domain}";
|
||||
description = "set domain for ${service}";
|
||||
};
|
||||
data_dir = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/lib/${service}";
|
||||
description = "set data directory for ${service}";
|
||||
};
|
||||
ids = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = cfg.port;
|
||||
description = "set uid and pid of ${service} user (matches port by default)";
|
||||
};
|
||||
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "enable backups for radarr";
|
||||
description = "enable backups for ${service}";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# declare radarr group
|
||||
users.groups.radarr = { gid = ids; };
|
||||
# declare ${service} group
|
||||
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
|
||||
|
||||
# declare radarr user
|
||||
users.users.radarr = {
|
||||
description = "radarr server user";
|
||||
uid = ids;
|
||||
# declare ${service} user
|
||||
users.users.${service} = {
|
||||
description = "${service} server user";
|
||||
uid = lib.mkForce cfg.ids;
|
||||
isSystemUser = true;
|
||||
home = "/var/lib/radarr";
|
||||
home = cfg.data_dir;
|
||||
createHome = true;
|
||||
group = "radarr";
|
||||
group = "${service}";
|
||||
extraGroups = [ "media" ];
|
||||
};
|
||||
|
||||
# enable the radarr service
|
||||
services.radarr = {
|
||||
# enable the ${service} service
|
||||
services.${service} = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
user = "radarr";
|
||||
group = "radarr";
|
||||
dataDir = data_dir;
|
||||
user = "${service}";
|
||||
group = "${service}";
|
||||
dataDir = cfg.data_dir;
|
||||
settings = {
|
||||
server.port = cfg.port;
|
||||
};
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.radarr.serviceConfig = { UMask = lib.mkForce "0007"; };
|
||||
systemd.services.${service}.serviceConfig = {
|
||||
UMask = lib.mkForce "0007";
|
||||
# User = "${service}";
|
||||
# Group = "${service}";
|
||||
};
|
||||
|
||||
# # open firewall
|
||||
# networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
|
||||
# internal reverse proxy entry
|
||||
services.nginx.virtualHosts."radarr.snowbelle.lan" = {
|
||||
enableACME = false;
|
||||
services.nginx.virtualHosts."${cfg.url}" = {
|
||||
forceSSL = true;
|
||||
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
|
||||
sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
|
||||
};
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
|
||||
};
|
||||
}
|
||||
|
||||
@@ -13,7 +13,7 @@ in
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 7107;
|
||||
default = 7106;
|
||||
description = "set port for ${service} (default: ${toString cfg.port}";
|
||||
};
|
||||
url = lib.mkOption {
|
||||
|
||||
111
modules/homelab/services/bak/gitea/default.nix
Normal file
111
modules/homelab/services/bak/gitea/default.nix
Normal file
@@ -0,0 +1,111 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.modules.services.gitea;
|
||||
ids = 2703;
|
||||
default_port = 3000;
|
||||
data_dir = "/var/lib/gitea";
|
||||
in
|
||||
{
|
||||
options.modules.services.gitea = {
|
||||
enable = lib.mkEnableOption "enables gitea";
|
||||
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 7703;
|
||||
description = "set port for gitea (default: ${toString default_port}";
|
||||
};
|
||||
|
||||
# set ssh port
|
||||
ssh_port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 7567;
|
||||
description = "set port for gitea (default: 2222";
|
||||
};
|
||||
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "enable backups for gitea";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# declare gitea group
|
||||
users.groups.gitea = { gid = ids; };
|
||||
|
||||
# declare gitea user
|
||||
users.users.gitea = {
|
||||
description = lib.mkForce "gitea server user";
|
||||
uid = ids;
|
||||
isSystemUser = true;
|
||||
shell = pkgs.bash;
|
||||
home = "/var/lib/gitea";
|
||||
createHome = true;
|
||||
group = "gitea";
|
||||
extraGroups = [];
|
||||
};
|
||||
|
||||
# enable the gitea service
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
user = "gitea";
|
||||
group = "gitea";
|
||||
stateDir = data_dir;
|
||||
appName = "gitea";
|
||||
settings = {
|
||||
server = {
|
||||
DOMAIN = "git.blakedheld.xyz";
|
||||
HTTP_PORT = cfg.port;
|
||||
SSH_PORT = cfg.ssh_port;
|
||||
START_SSH_SERVER = true;
|
||||
ENABLE_PUSH_CREATE_USER = true;
|
||||
|
||||
};
|
||||
};
|
||||
database = {
|
||||
passwordFile = "${toString config.sops.secrets."gitea_database_password".path}";
|
||||
};
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.gitea.serviceConfig = { UMask = lib.mkForce "0007"; };
|
||||
|
||||
# open firewall
|
||||
networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ];
|
||||
|
||||
# internal reverse proxy entry
|
||||
services.nginx.virtualHosts."git.snowbelle.lan" = {
|
||||
enableACME = false;
|
||||
forceSSL = true;
|
||||
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
# external reverse proxy entry
|
||||
services.nginx.virtualHosts."git.blakedheld.xyz" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
# sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
|
||||
# sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
"gitea_database_password" = {
|
||||
owner = "gitea";
|
||||
group = "gitea";
|
||||
# neededForUsers = true;
|
||||
};
|
||||
};
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
|
||||
};
|
||||
}
|
||||
39
modules/homelab/services/bak/nginx-proxy/default.nix
Normal file
39
modules/homelab/services/bak/nginx-proxy/default.nix
Normal file
@@ -0,0 +1,39 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.modules.homelab.nginx-proxy;
|
||||
in
|
||||
{
|
||||
options.modules.homelab.nginx-proxy = {
|
||||
enable = lib.mkEnableOption "enables nginx-proxy";
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
# enable nginx proxy manager
|
||||
services.nginx = {
|
||||
enable = true;
|
||||
recommendedProxySettings = true;
|
||||
recommendedTlsSettings = true;
|
||||
};
|
||||
# enable acme for auto ssl certs with lets encrypt
|
||||
security.acme = {
|
||||
acceptTerms = true;
|
||||
defaults.email = "me@blakedheld.xyz";
|
||||
};
|
||||
|
||||
# nginx secrets
|
||||
sops.secrets = {
|
||||
"ssl_blakedheld_crt" = {
|
||||
restartUnits = [ "nginx.service" ];
|
||||
owner = "nginx";
|
||||
group = "nginx";
|
||||
# neededForUsers = true;
|
||||
};
|
||||
"ssl_blakedheld_key" = {
|
||||
owner = "nginx";
|
||||
group = "nginx";
|
||||
# neededForUsers = true;
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
@@ -4,16 +4,16 @@
|
||||
{
|
||||
|
||||
imports = [
|
||||
./jellyfin
|
||||
./vaultwarden
|
||||
# ./jellyfin
|
||||
# ./vaultwarden
|
||||
./gitea
|
||||
./qbittorrent
|
||||
# ./qbittorrent
|
||||
./nginx-proxy
|
||||
# ./arr/prowlarr
|
||||
# ./arr/flaresolverr
|
||||
# ./arr/bazarr
|
||||
./arr/prowlarr
|
||||
./arr/flaresolverr
|
||||
./arr/bazarr
|
||||
./arr/sonarr
|
||||
# ./arr/radarr
|
||||
./arr/radarr
|
||||
];
|
||||
|
||||
}
|
||||
|
||||
@@ -77,7 +77,7 @@ in
|
||||
# networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
|
||||
# internal reverse proxy entry
|
||||
services.nginx.virtualHosts."${url}" = {
|
||||
services.nginx.virtualHosts."${cfg.url}" = {
|
||||
forceSSL = true;
|
||||
sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
@@ -94,13 +94,13 @@ in
|
||||
# proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
# };
|
||||
# };
|
||||
|
||||
sops.secrets = {
|
||||
"${service}_" = {
|
||||
owner = "${service}";
|
||||
group = "${service}";
|
||||
};
|
||||
};
|
||||
#
|
||||
# sops.secrets = {
|
||||
# "${service}_" = {
|
||||
# owner = "${service}";
|
||||
# group = "${service}";
|
||||
# };
|
||||
# };
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
|
||||
|
||||
@@ -1,59 +1,71 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
cfg = config.modules.services.gitea;
|
||||
ids = 2703;
|
||||
default_port = 3000;
|
||||
data_dir = "/var/lib/gitea";
|
||||
service = "gitea";
|
||||
cfg = config.modules.services.${service};
|
||||
sec = config.sops.secrets;
|
||||
homelab = config.modules.homelab;
|
||||
in
|
||||
{
|
||||
options.modules.services.gitea = {
|
||||
enable = lib.mkEnableOption "enables gitea";
|
||||
options.modules.services.${service} = {
|
||||
enable = lib.mkEnableOption "enables ${service}";
|
||||
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 7703;
|
||||
description = "set port for gitea (default: ${toString default_port}";
|
||||
description = "set port for ${service} (default: ${toString cfg.port}";
|
||||
};
|
||||
|
||||
# set ssh port
|
||||
ssh_port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 7567;
|
||||
description = "set port for gitea (default: 2222";
|
||||
description = "set port for ${service} (default: ${toString cfg.port}";
|
||||
};
|
||||
url = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "${service}.${homelab.base_domain}";
|
||||
description = "set domain for ${service}";
|
||||
};
|
||||
data_dir = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/lib/${service}";
|
||||
description = "set data directory for ${service}";
|
||||
};
|
||||
ids = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = cfg.port;
|
||||
description = "set uid and pid of ${service} user (matches port by default)";
|
||||
};
|
||||
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "enable backups for gitea";
|
||||
description = "enable backups for ${service}";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# declare gitea group
|
||||
users.groups.gitea = { gid = ids; };
|
||||
# declare ${service} group
|
||||
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
|
||||
|
||||
# declare gitea user
|
||||
users.users.gitea = {
|
||||
description = lib.mkForce "gitea server user";
|
||||
uid = ids;
|
||||
# declare ${service} user
|
||||
users.users.${service} = {
|
||||
description = lib.mkForce "${service} server user";
|
||||
uid = lib.mkForce cfg.ids;
|
||||
isSystemUser = true;
|
||||
shell = pkgs.bash;
|
||||
home = "/var/lib/gitea";
|
||||
home = cfg.data_dir;
|
||||
createHome = true;
|
||||
group = "gitea";
|
||||
group = "${service}";
|
||||
extraGroups = [];
|
||||
};
|
||||
|
||||
# enable the gitea service
|
||||
# declare the gitea service
|
||||
services.gitea = {
|
||||
enable = true;
|
||||
user = "gitea";
|
||||
group = "gitea";
|
||||
stateDir = data_dir;
|
||||
stateDir = cfg.data_dir;
|
||||
appName = "gitea";
|
||||
settings = {
|
||||
server = {
|
||||
@@ -71,17 +83,18 @@ in
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.gitea.serviceConfig = { UMask = lib.mkForce "0007"; };
|
||||
systemd.services.${service}.serviceConfig = {
|
||||
UMask = lib.mkForce "0007";
|
||||
};
|
||||
|
||||
# open firewall
|
||||
networking.firewall.allowedTCPPorts = [ cfg.port cfg.ssh_port ];
|
||||
|
||||
# internal reverse proxy entry
|
||||
services.nginx.virtualHosts."git.snowbelle.lan" = {
|
||||
enableACME = false;
|
||||
services.nginx.virtualHosts."${cfg.url}" = {
|
||||
forceSSL = true;
|
||||
sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
|
||||
sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
@@ -90,22 +103,19 @@ in
|
||||
services.nginx.virtualHosts."git.blakedheld.xyz" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
# sslCertificate = config.sops.secrets."ssl_blakedheld_crt".path;
|
||||
# sslCertificateKey = config.sops.secrets."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
"gitea_database_password" = {
|
||||
owner = "gitea";
|
||||
group = "gitea";
|
||||
# neededForUsers = true;
|
||||
"${service}_database_password" = {
|
||||
owner = "${service}";
|
||||
group = "${service}";
|
||||
};
|
||||
};
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ data_dir ];
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
|
||||
};
|
||||
}
|
||||
|
||||
108
modules/homelab/services/jellyfin/default_temp.nix
Normal file
108
modules/homelab/services/jellyfin/default_temp.nix
Normal file
@@ -0,0 +1,108 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
service = "";
|
||||
cfg = config.modules.services.${service};
|
||||
sec = config.sops.secrets;
|
||||
homelab = config.modules.homelab;
|
||||
in
|
||||
{
|
||||
options.modules.services.${service} = {
|
||||
enable = lib.mkEnableOption "enables ${service}";
|
||||
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = <port>;
|
||||
description = "set port for ${service} (default: ${toString cfg.port}";
|
||||
};
|
||||
url = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "${service}.${homelab.base_domain}";
|
||||
description = "set domain for ${service}";
|
||||
};
|
||||
data_dir = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/lib/${service}";
|
||||
description = "set data directory for ${service}";
|
||||
};
|
||||
ids = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = cfg.port;
|
||||
description = "set uid and pid of ${service} user (matches port by default)";
|
||||
};
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "enable backups for ${service}";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# declare ${service} group
|
||||
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
|
||||
|
||||
# declare ${service} user
|
||||
users.users.${service} = {
|
||||
description = "${service} server user";
|
||||
uid = lib.mkForce cfg.ids;
|
||||
isSystemUser = true;
|
||||
home = cfg.data_dir;
|
||||
createHome = true;
|
||||
group = "${service}";
|
||||
extraGroups = [ "media" ];
|
||||
};
|
||||
|
||||
# enable the ${service} service
|
||||
services.${service} = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
user = "${service}";
|
||||
group = "${service}";
|
||||
dataDir = cfg.data_dir;
|
||||
settings = {
|
||||
server.port = cfg.port;
|
||||
};
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.${service}.serviceConfig = {
|
||||
UMask = lib.mkForce "0007";
|
||||
# User = "${service}";
|
||||
# Group = "${service}";
|
||||
};
|
||||
|
||||
# # open firewall
|
||||
# networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
|
||||
# internal reverse proxy entry
|
||||
services.nginx.virtualHosts."${cfg.url}" = {
|
||||
forceSSL = true;
|
||||
sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
# # external reverse proxy entry
|
||||
# services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
|
||||
# forceSSL = true;
|
||||
# sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
# sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
# locations."/" = {
|
||||
# proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
# };
|
||||
# };
|
||||
#
|
||||
# sops.secrets = {
|
||||
# "${service}_" = {
|
||||
# owner = "${service}";
|
||||
# group = "${service}";
|
||||
# };
|
||||
# };
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
|
||||
};
|
||||
}
|
||||
108
modules/homelab/services/qbittorrent/default_temp.nix
Normal file
108
modules/homelab/services/qbittorrent/default_temp.nix
Normal file
@@ -0,0 +1,108 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
service = "";
|
||||
cfg = config.modules.services.${service};
|
||||
sec = config.sops.secrets;
|
||||
homelab = config.modules.homelab;
|
||||
in
|
||||
{
|
||||
options.modules.services.${service} = {
|
||||
enable = lib.mkEnableOption "enables ${service}";
|
||||
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = <port>;
|
||||
description = "set port for ${service} (default: ${toString cfg.port}";
|
||||
};
|
||||
url = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "${service}.${homelab.base_domain}";
|
||||
description = "set domain for ${service}";
|
||||
};
|
||||
data_dir = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/lib/${service}";
|
||||
description = "set data directory for ${service}";
|
||||
};
|
||||
ids = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = cfg.port;
|
||||
description = "set uid and pid of ${service} user (matches port by default)";
|
||||
};
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "enable backups for ${service}";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# declare ${service} group
|
||||
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
|
||||
|
||||
# declare ${service} user
|
||||
users.users.${service} = {
|
||||
description = "${service} server user";
|
||||
uid = lib.mkForce cfg.ids;
|
||||
isSystemUser = true;
|
||||
home = cfg.data_dir;
|
||||
createHome = true;
|
||||
group = "${service}";
|
||||
extraGroups = [ "media" ];
|
||||
};
|
||||
|
||||
# enable the ${service} service
|
||||
services.${service} = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
user = "${service}";
|
||||
group = "${service}";
|
||||
dataDir = cfg.data_dir;
|
||||
settings = {
|
||||
server.port = cfg.port;
|
||||
};
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.${service}.serviceConfig = {
|
||||
UMask = lib.mkForce "0007";
|
||||
# User = "${service}";
|
||||
# Group = "${service}";
|
||||
};
|
||||
|
||||
# # open firewall
|
||||
# networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
|
||||
# internal reverse proxy entry
|
||||
services.nginx.virtualHosts."${cfg.url}" = {
|
||||
forceSSL = true;
|
||||
sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
# # external reverse proxy entry
|
||||
# services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
|
||||
# forceSSL = true;
|
||||
# sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
# sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
# locations."/" = {
|
||||
# proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
# };
|
||||
# };
|
||||
#
|
||||
# sops.secrets = {
|
||||
# "${service}_" = {
|
||||
# owner = "${service}";
|
||||
# group = "${service}";
|
||||
# };
|
||||
# };
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
|
||||
};
|
||||
}
|
||||
108
modules/homelab/services/vaultwarden/default_temp.nix
Normal file
108
modules/homelab/services/vaultwarden/default_temp.nix
Normal file
@@ -0,0 +1,108 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
service = "";
|
||||
cfg = config.modules.services.${service};
|
||||
sec = config.sops.secrets;
|
||||
homelab = config.modules.homelab;
|
||||
in
|
||||
{
|
||||
options.modules.services.${service} = {
|
||||
enable = lib.mkEnableOption "enables ${service}";
|
||||
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = <port>;
|
||||
description = "set port for ${service} (default: ${toString cfg.port}";
|
||||
};
|
||||
url = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "${service}.${homelab.base_domain}";
|
||||
description = "set domain for ${service}";
|
||||
};
|
||||
data_dir = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/lib/${service}";
|
||||
description = "set data directory for ${service}";
|
||||
};
|
||||
ids = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = cfg.port;
|
||||
description = "set uid and pid of ${service} user (matches port by default)";
|
||||
};
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "enable backups for ${service}";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# declare ${service} group
|
||||
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
|
||||
|
||||
# declare ${service} user
|
||||
users.users.${service} = {
|
||||
description = "${service} server user";
|
||||
uid = lib.mkForce cfg.ids;
|
||||
isSystemUser = true;
|
||||
home = cfg.data_dir;
|
||||
createHome = true;
|
||||
group = "${service}";
|
||||
extraGroups = [ "media" ];
|
||||
};
|
||||
|
||||
# enable the ${service} service
|
||||
services.${service} = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
user = "${service}";
|
||||
group = "${service}";
|
||||
dataDir = cfg.data_dir;
|
||||
settings = {
|
||||
server.port = cfg.port;
|
||||
};
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.${service}.serviceConfig = {
|
||||
UMask = lib.mkForce "0007";
|
||||
# User = "${service}";
|
||||
# Group = "${service}";
|
||||
};
|
||||
|
||||
# # open firewall
|
||||
# networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
|
||||
# internal reverse proxy entry
|
||||
services.nginx.virtualHosts."${cfg.url}" = {
|
||||
forceSSL = true;
|
||||
sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
# # external reverse proxy entry
|
||||
# services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
|
||||
# forceSSL = true;
|
||||
# sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
# sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
# locations."/" = {
|
||||
# proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
# };
|
||||
# };
|
||||
#
|
||||
# sops.secrets = {
|
||||
# "${service}_" = {
|
||||
# owner = "${service}";
|
||||
# group = "${service}";
|
||||
# };
|
||||
# };
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
|
||||
};
|
||||
}
|
||||
Reference in New Issue
Block a user