Compare commits
61 Commits
ec96339443
...
c88c55382a
| Author | SHA1 | Date | |
|---|---|---|---|
| c88c55382a | |||
| f8ba2be4e2 | |||
| 5dfd513dd5 | |||
| 65e26b3382 | |||
| a2b9384aae | |||
| 74be4d6aa9 | |||
| 72378c32de | |||
| 48a974704d | |||
| cfc2da01c0 | |||
| ad1c563e58 | |||
| 273041dc47 | |||
| 0249e1f179 | |||
| 61b00d67ce | |||
| 3ced3bf721 | |||
| f8acb7a8fa | |||
| 21d9ad81ed | |||
| 1c14281085 | |||
| 7b04b51ffe | |||
| d34f6d7c59 | |||
| 1fba26488a | |||
| 022d3a114a | |||
| 0865d55f0d | |||
| 58081e287b | |||
| 36ecc17e3a | |||
| c18cf9c0b0 | |||
| 87dfbbd5fd | |||
| ac0ca63602 | |||
| 7dea0549ec | |||
| efe3bd6e6e | |||
| 0a8c221c88 | |||
| 3f5ea5ec60 | |||
| ccd8a38c55 | |||
| 85eb79f294 | |||
| c969fadac0 | |||
| d351104648 | |||
| dca35ff368 | |||
| c1505fb290 | |||
| 4497d024b9 | |||
| 0b2d03baf3 | |||
| 0792ce8bf7 | |||
| 18e5fc8681 | |||
| 3a4ab22009 | |||
| 9f1730a5dd | |||
| 3b11460a2e | |||
| 093311d157 | |||
| 79ca881f88 | |||
| 333cf18828 | |||
| 5620b8a688 | |||
| 5f2d400642 | |||
| e61972afa4 | |||
| d73e9ef57c | |||
| 06c0419866 | |||
| 3d9f9a6fc0 | |||
| 85994de789 | |||
| a226bf6ba0 | |||
| ff994f015a | |||
| cf1a599cb6 | |||
| 9f63cc937c | |||
| a8cfb72124 | |||
| afbda269a0 | |||
| c37de52f10 |
16
flake.lock
generated
16
flake.lock
generated
@@ -36,10 +36,26 @@
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"nixpkgs-unstable": {
|
||||
"locked": {
|
||||
"lastModified": 1759831965,
|
||||
"narHash": "sha256-vgPm2xjOmKdZ0xKA6yLXPJpjOtQPHfaZDRtH+47XEBo=",
|
||||
"owner": "NixOS",
|
||||
"repo": "nixpkgs",
|
||||
"rev": "c9b6fb798541223bbb396d287d16f43520250518",
|
||||
"type": "github"
|
||||
},
|
||||
"original": {
|
||||
"id": "nixpkgs",
|
||||
"ref": "nixos-unstable",
|
||||
"type": "indirect"
|
||||
}
|
||||
},
|
||||
"root": {
|
||||
"inputs": {
|
||||
"home-manager": "home-manager",
|
||||
"nixpkgs": "nixpkgs",
|
||||
"nixpkgs-unstable": "nixpkgs-unstable",
|
||||
"sops-nix": "sops-nix",
|
||||
"vpn-confinement": "vpn-confinement"
|
||||
}
|
||||
|
||||
23
flake.nix
23
flake.nix
@@ -1,10 +1,11 @@
|
||||
# flake for blakes nixos config
|
||||
# define new devices in outputs
|
||||
# generation: 154 current 2025-10-09 12:40:25 25.05.20251006.20c4598 6.12.50 *
|
||||
# generation: 178 current 2025-10-09 16:19:44 25.05.20251006.20c4598 6.12.50 *
|
||||
{
|
||||
description = "blakes nix config";
|
||||
inputs = {
|
||||
nixpkgs.url = "nixpkgs/nixos-25.05";
|
||||
nixpkgs-unstable.url = "nixpkgs/nixos-unstable";
|
||||
home-manager = {
|
||||
url = "github:nix-community/home-manager/release-25.05";
|
||||
inputs.nixpkgs.follows = "nixpkgs";
|
||||
@@ -17,29 +18,35 @@
|
||||
url = "github:Maroka-chan/VPN-Confinement";
|
||||
};
|
||||
};
|
||||
outputs = { self, nixpkgs, home-manager, vpn-confinement, ... }@inputs:
|
||||
outputs = { self, nixpkgs, nixpkgs-unstable, ... }@inputs:
|
||||
let
|
||||
system = "x86_64-linux";
|
||||
pkgs = nixpkgs.legacyPackages.${system};
|
||||
systems = {
|
||||
x86_64 = "x86_64-linux";
|
||||
arm64 = "aarch64-linux";
|
||||
darwin = "aarch64-darwin";
|
||||
};
|
||||
stable_pkgs = builtins.mapAttrs (k: v: import nixpkgs { system = v; }) systems;
|
||||
unstable_pkgs = builtins.mapAttrs (k: v: import nixpkgs-unstable { system = v; }) systems;
|
||||
in
|
||||
{
|
||||
nixosConfigurations = {
|
||||
snowbelle = nixpkgs.lib.nixosSystem {
|
||||
specialArgs = { inherit inputs; };
|
||||
system = systems.x86_64;
|
||||
specialArgs = { inherit inputs stable_pkgs unstable_pkgs; };
|
||||
modules = [
|
||||
./hosts/snowbelle/configuration.nix
|
||||
inputs.home-manager.nixosModules.default
|
||||
vpn-confinement.nixosModules.default
|
||||
inputs.vpn-confinement.nixosModules.default
|
||||
];
|
||||
};
|
||||
vaniville = nixpkgs.lib.nixosSystem {
|
||||
specialArgs = { inherit inputs; };
|
||||
system = systems.x86_64;
|
||||
specialArgs = { inherit inputs stable_pkgs unstable_pkgs; };
|
||||
modules = [
|
||||
./hosts/vaniville/configuration.nix
|
||||
inputs.home-manager.nixosModules.default
|
||||
];
|
||||
};
|
||||
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -1,5 +1,9 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
{ config, lib, stable_pkgs, unstable_pkgs, ... }:
|
||||
|
||||
let
|
||||
pkgs = stable_pkgs.x86_64;
|
||||
unstable = unstable_pkgs.x86_64;
|
||||
in
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
@@ -24,16 +28,18 @@
|
||||
nvidia.enable = true;
|
||||
};
|
||||
homelab = {
|
||||
enable = true;
|
||||
zfs.enable = true;
|
||||
smb.enable = true;
|
||||
nfs.enable = true;
|
||||
nginx-proxy.enable = true;
|
||||
};
|
||||
services = {
|
||||
#jellyfin.enable = true;
|
||||
#vaultwarden.enable = true;
|
||||
jellyfin.enable = true;
|
||||
vaultwarden.enable = true;
|
||||
gitea.enable = true;
|
||||
#qbittorrent.enable = true;
|
||||
qbittorrent.enable = true;
|
||||
immich.enable = true;
|
||||
prowlarr.enable = true;
|
||||
flaresolverr.enable = true;
|
||||
bazarr.enable = true;
|
||||
@@ -99,6 +105,7 @@
|
||||
tree
|
||||
vim
|
||||
lf
|
||||
tmux
|
||||
btop
|
||||
neofetch
|
||||
usbutils
|
||||
@@ -136,10 +143,10 @@
|
||||
7102 # srv - yacreader
|
||||
7103 # srv - qbittorrent
|
||||
7104 # srv - prowlarr
|
||||
7105 # srv - flaresolverr
|
||||
7106 # srv - bazarr
|
||||
7107 # srv - sonarr
|
||||
7108 # srv - radarr
|
||||
7105 # srv - bazarr
|
||||
7106 # srv - sonarr
|
||||
7107 # srv - radarr
|
||||
7120 # srv - flaresolverr
|
||||
5701 # srv - archivebox
|
||||
7502 # srv - kiwix
|
||||
7567 # srv - gitea ssh
|
||||
|
||||
@@ -1,5 +1,9 @@
|
||||
{ config, lib, pkgs, ... }:
|
||||
{ config, lib, stable_pkgs, unstable_pkgs, ... }:
|
||||
|
||||
let
|
||||
pkgs = stable_pkgs.x86_64;
|
||||
unstable = unstable_pkgs.x86_64;
|
||||
in
|
||||
{
|
||||
imports =
|
||||
[ # Include the results of the hardware scan.
|
||||
|
||||
@@ -38,13 +38,13 @@ in
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
users = {
|
||||
groups.${cfg.group} = {
|
||||
groups.${cfg.media_group} = {
|
||||
gid = 700;
|
||||
};
|
||||
users.${cfg.user} = {
|
||||
users.${cfg.media_user} = {
|
||||
uid = 700;
|
||||
isSystemUser = true;
|
||||
group = cfg.group;
|
||||
group = cfg.media_group;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -4,10 +4,11 @@
|
||||
{
|
||||
|
||||
imports = [
|
||||
# ./jellyfin
|
||||
# ./vaultwarden
|
||||
./jellyfin
|
||||
./vaultwarden
|
||||
./gitea
|
||||
# ./qbittorrent
|
||||
./qbittorrent
|
||||
./immich
|
||||
./nginx-proxy
|
||||
./arr/prowlarr
|
||||
./arr/flaresolverr
|
||||
|
||||
@@ -23,7 +23,7 @@ in
|
||||
};
|
||||
url = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "${service}.${homelab.base_domain}";
|
||||
default = "git.${homelab.base_domain}";
|
||||
description = "set domain for ${service}";
|
||||
};
|
||||
data_dir = lib.mkOption {
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
{ pkgs, config, lib, inputs, ... }:
|
||||
|
||||
let
|
||||
service = "";
|
||||
service = "immich";
|
||||
cfg = config.modules.services.${service};
|
||||
sec = config.sops.secrets;
|
||||
homelab = config.modules.homelab;
|
||||
@@ -13,7 +13,7 @@ in
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = <port>;
|
||||
default = 7702;
|
||||
description = "set port for ${service} (default: ${toString cfg.port}";
|
||||
};
|
||||
url = lib.mkOption {
|
||||
@@ -51,27 +51,26 @@ in
|
||||
home = cfg.data_dir;
|
||||
createHome = true;
|
||||
group = "${service}";
|
||||
extraGroups = [ "media" ];
|
||||
extraGroups = [ "video" "render" ];
|
||||
};
|
||||
|
||||
# enable the ${service} service
|
||||
services.${service} = {
|
||||
enable = true;
|
||||
package = inputs.nixpkgs-unstable.legacyPackages.${pkgs.system}.immich;
|
||||
openFirewall = true;
|
||||
user = "${service}";
|
||||
group = "${service}";
|
||||
dataDir = cfg.data_dir;
|
||||
settings = {
|
||||
server.port = cfg.port;
|
||||
};
|
||||
mediaLocation = cfg.data_dir;
|
||||
host = "0.0.0.0";
|
||||
port = cfg.port;
|
||||
settings.server.externalDomain = "https://pics.blakedheld.xyz";
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.${service}.serviceConfig = {
|
||||
UMask = lib.mkForce "0007";
|
||||
# User = "${service}";
|
||||
# Group = "${service}";
|
||||
};
|
||||
# systemd.services."${toString service}-server".serviceConfig = {
|
||||
# UMask = lib.mkForce "0007";
|
||||
# };
|
||||
|
||||
# # open firewall
|
||||
# networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
@@ -83,26 +82,21 @@ in
|
||||
sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
# external reverse proxy entry
|
||||
services.nginx.virtualHosts."pics.blakedheld.xyz" = {
|
||||
forceSSL = true;
|
||||
sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
proxyWebsockets = true;
|
||||
};
|
||||
};
|
||||
# # external reverse proxy entry
|
||||
# services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
|
||||
# forceSSL = true;
|
||||
# sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
# sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
# locations."/" = {
|
||||
# proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
# };
|
||||
# };
|
||||
#
|
||||
# sops.secrets = {
|
||||
# "${service}_" = {
|
||||
# owner = "${service}";
|
||||
# group = "${service}";
|
||||
# };
|
||||
# };
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir "/var/lib/redis-immich" ];
|
||||
};
|
||||
}
|
||||
@@ -1,7 +1,7 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
service = "";
|
||||
service = "jellyfin";
|
||||
cfg = config.modules.services.${service};
|
||||
sec = config.sops.secrets;
|
||||
homelab = config.modules.homelab;
|
||||
@@ -13,12 +13,12 @@ in
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = <port>;
|
||||
default = 7100;
|
||||
description = "set port for ${service} (default: ${toString cfg.port}";
|
||||
};
|
||||
url = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "${service}.${homelab.base_domain}";
|
||||
default = "media.${homelab.base_domain}";
|
||||
description = "set domain for ${service}";
|
||||
};
|
||||
data_dir = lib.mkOption {
|
||||
@@ -51,7 +51,7 @@ in
|
||||
home = cfg.data_dir;
|
||||
createHome = true;
|
||||
group = "${service}";
|
||||
extraGroups = [ "media" ];
|
||||
extraGroups = [ "media" "video" "render" ];
|
||||
};
|
||||
|
||||
# enable the ${service} service
|
||||
@@ -61,16 +61,11 @@ in
|
||||
user = "${service}";
|
||||
group = "${service}";
|
||||
dataDir = cfg.data_dir;
|
||||
settings = {
|
||||
server.port = cfg.port;
|
||||
};
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.${service}.serviceConfig = {
|
||||
UMask = lib.mkForce "0007";
|
||||
# User = "${service}";
|
||||
# Group = "${service}";
|
||||
};
|
||||
|
||||
# # open firewall
|
||||
@@ -85,16 +80,16 @@ in
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
# # external reverse proxy entry
|
||||
# services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
|
||||
# forceSSL = true;
|
||||
# sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
# sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
# locations."/" = {
|
||||
# proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
# };
|
||||
# };
|
||||
#
|
||||
# external reverse proxy entry
|
||||
services.nginx.virtualHosts."media.blakedheld.xyz" = {
|
||||
forceSSL = true;
|
||||
sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
|
||||
# sops.secrets = {
|
||||
# "${service}_" = {
|
||||
# owner = "${service}";
|
||||
@@ -1,7 +1,7 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
service = "";
|
||||
service = "qbittorrent";
|
||||
cfg = config.modules.services.${service};
|
||||
sec = config.sops.secrets;
|
||||
homelab = config.modules.homelab;
|
||||
@@ -13,12 +13,17 @@ in
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = <port>;
|
||||
default = 7103;
|
||||
description = "set port for ${service} (default: ${toString cfg.port}";
|
||||
};
|
||||
# torrenting_port = lib.mkOption {
|
||||
# type = lib.types.int;
|
||||
# default = ;
|
||||
# description = "set port for ${service} (default: ${toString cfg.port}";
|
||||
# };
|
||||
url = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "${service}.${homelab.base_domain}";
|
||||
default = "qbit.${homelab.base_domain}";
|
||||
description = "set domain for ${service}";
|
||||
};
|
||||
data_dir = lib.mkOption {
|
||||
@@ -31,6 +36,11 @@ in
|
||||
default = cfg.port;
|
||||
description = "set uid and pid of ${service} user (matches port by default)";
|
||||
};
|
||||
vpn_inf = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "enp89s0.69";
|
||||
description = "set the interface qbittorrent will be bound to (used to route through vpn)";
|
||||
};
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
@@ -54,24 +64,47 @@ in
|
||||
extraGroups = [ "media" ];
|
||||
};
|
||||
|
||||
# enable the ${service} service
|
||||
# enable the qbittorrent service
|
||||
services.${service} = {
|
||||
enable = true;
|
||||
openFirewall = true;
|
||||
user = "${service}";
|
||||
group = "${service}";
|
||||
dataDir = cfg.data_dir;
|
||||
settings = {
|
||||
server.port = cfg.port;
|
||||
};
|
||||
profileDir = cfg.data_dir;
|
||||
webuiPort = cfg.port;
|
||||
# torrentingPort = cfg.torrenting_port;
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.${service}.serviceConfig = {
|
||||
systemd.services.${service} = {
|
||||
serviceConfig = {
|
||||
UMask = lib.mkForce "0007";
|
||||
# User = "${service}";
|
||||
# Group = "${service}";
|
||||
};
|
||||
};
|
||||
|
||||
# bind to network interface but allow local access to webui
|
||||
networking.firewall.extraCommands = ''
|
||||
iptables -F QBIT 2>/dev/null || true
|
||||
iptables -X QBIT 2>/dev/null || true
|
||||
iptables -N QBIT
|
||||
iptables -A OUTPUT -m owner --uid-owner ${toString cfg.ids} -j QBIT
|
||||
iptables -A QBIT -o ${cfg.vpn_inf} -j ACCEPT
|
||||
iptables -A QBIT -p udp --dport 53 -o ${cfg.vpn_inf} -j ACCEPT
|
||||
iptables -A QBIT -p tcp --dport 53 -o ${cfg.vpn_inf} -j ACCEPT
|
||||
iptables -A QBIT -o lo -j ACCEPT
|
||||
iptables -A QBIT -p tcp -d 127.0.0.1 --dport ${toString cfg.port} -j ACCEPT
|
||||
iptables -A QBIT -p tcp -o enp89s0 -d 10.0.0.0/8 --dport ${toString cfg.port} -j ACCEPT
|
||||
iptables -A QBIT -j DROP
|
||||
'';
|
||||
|
||||
# boilerplate for if you ever want to try to get this working again
|
||||
# ------------------------------------------------------------------------------
|
||||
# # add systemd service to VPN network namespace
|
||||
# vpnConfinement = {
|
||||
# enable = true;
|
||||
# vpnNamespace = "wgmex";
|
||||
# };
|
||||
# ------------------------------------------------------------------------------
|
||||
|
||||
# # open firewall
|
||||
# networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
@@ -85,22 +118,6 @@ in
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
# # external reverse proxy entry
|
||||
# services.nginx.virtualHosts."${service}.blakedheld.xyz" = {
|
||||
# forceSSL = true;
|
||||
# sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
# sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
# locations."/" = {
|
||||
# proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
# };
|
||||
# };
|
||||
#
|
||||
# sops.secrets = {
|
||||
# "${service}_" = {
|
||||
# owner = "${service}";
|
||||
# group = "${service}";
|
||||
# };
|
||||
# };
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
|
||||
116
modules/homelab/services/vaultwarden/default.nix
Normal file
116
modules/homelab/services/vaultwarden/default.nix
Normal file
@@ -0,0 +1,116 @@
|
||||
{ pkgs, config, lib, ... }:
|
||||
|
||||
let
|
||||
service = "vaultwarden";
|
||||
cfg = config.modules.services.${service};
|
||||
sec = config.sops.secrets;
|
||||
homelab = config.modules.homelab;
|
||||
domain = "https://pass.blakedheld.xyz";
|
||||
in
|
||||
{
|
||||
options.modules.services.${service} = {
|
||||
enable = lib.mkEnableOption "enables ${service}";
|
||||
|
||||
# set port options
|
||||
port = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = 7701;
|
||||
description = "set port for ${service} (default: ${toString cfg.port}";
|
||||
};
|
||||
url = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "pass.${homelab.base_domain}";
|
||||
description = "set domain for ${service}";
|
||||
};
|
||||
data_dir = lib.mkOption {
|
||||
type = lib.types.str;
|
||||
default = "/var/lib/${service}";
|
||||
description = "set data directory for ${service}";
|
||||
};
|
||||
ids = lib.mkOption {
|
||||
type = lib.types.int;
|
||||
default = cfg.port;
|
||||
description = "set uid and pid of ${service} user (matches port by default)";
|
||||
};
|
||||
backup = lib.mkOption {
|
||||
type = lib.types.bool;
|
||||
default = true;
|
||||
description = "enable backups for ${service}";
|
||||
};
|
||||
};
|
||||
|
||||
config = lib.mkIf cfg.enable {
|
||||
|
||||
# declare ${service} group
|
||||
users.groups.${service} = { gid = lib.mkForce cfg.ids; };
|
||||
|
||||
# declare ${service} user
|
||||
users.users.${service} = {
|
||||
description = "${service} server user";
|
||||
uid = lib.mkForce cfg.ids;
|
||||
isSystemUser = true;
|
||||
home = cfg.data_dir;
|
||||
createHome = true;
|
||||
group = "${service}";
|
||||
extraGroups = [];
|
||||
};
|
||||
|
||||
# enable the vaultwarden service
|
||||
services.${service} = {
|
||||
enable = true;
|
||||
config = {
|
||||
DOMAIN = domain;
|
||||
ROCKET_ADDRESS = "0.0.0.0";
|
||||
ROCKET_PORT = cfg.port;
|
||||
SIGNUPS_ALLOWED = true;
|
||||
# ADMIN_TOKEN = "yuh";
|
||||
ADMIN_TOKEN = "${toString config.sops.secrets."vaultwarden_admin_token".path}";
|
||||
EXPERIMENTAL_CLIENT_FEATURE_FLAGS = "fido2-vault-credentials,autofill-overlay,autofill-v2,inline-menu-positioning-improvements,ssh-key-vault-item";
|
||||
# The following flags are available:
|
||||
# - "autofill-overlay": Add an overlay menu to form fields for quick access to credentials.
|
||||
# - "autofill-v2": Use the new autofill implementation.
|
||||
# - "browser-fileless-import": Directly import credentials from other providers without a file.
|
||||
# - "extension-refresh": Temporarily enable the new extension design until general availability (should be used with the beta Chrome extension)
|
||||
# - "fido2-vault-credentials": Enable the use of FIDO2 security keys as second factor.
|
||||
# - "inline-menu-positioning-improvements": Enable the use of inline menu password generator and identity suggestions in the browser extension.
|
||||
# - "ssh-key-vault-item": Enable the creation and use of SSH key vault items. (Needs clients >=2024.12.0)
|
||||
# - "ssh-agent": Enable SSH agent support on Desktop. (Needs desktop >=2024.12.0)
|
||||
};
|
||||
};
|
||||
|
||||
# override umask to make permissions work out
|
||||
systemd.services.${service}.serviceConfig = { UMask = lib.mkForce "0007"; };
|
||||
|
||||
# open firewall
|
||||
networking.firewall.allowedTCPPorts = [ cfg.port ];
|
||||
|
||||
# internal reverse proxy entry
|
||||
services.nginx.virtualHosts."${cfg.url}" = {
|
||||
forceSSL = true;
|
||||
sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
# external reverse proxy entry
|
||||
services.nginx.virtualHosts."pass.blakedheld.xyz" = {
|
||||
forceSSL = true;
|
||||
sslCertificate = sec."ssl_blakedheld_crt".path;
|
||||
sslCertificateKey = sec."ssl_blakedheld_key".path;
|
||||
locations."/" = {
|
||||
proxyPass = "http://127.0.0.1:${toString cfg.port}";
|
||||
};
|
||||
};
|
||||
|
||||
sops.secrets = {
|
||||
"${service}_admin_token" = {
|
||||
owner = "${service}";
|
||||
group = "${service}";
|
||||
};
|
||||
};
|
||||
|
||||
# add to backups
|
||||
modules.system.backups.paths = lib.mkIf cfg.backup [ cfg.data_dir ];
|
||||
};
|
||||
}
|
||||
Reference in New Issue
Block a user