diff --git a/cosmic.nix b/cosmic.nix index d60a04f..c30600e 100644 --- a/cosmic.nix +++ b/cosmic.nix @@ -10,14 +10,11 @@ enable = true; style = "adwaita"; }; - users.users.jawz.packages = ( - with pkgs; - [ - # ffmpegthumbnailer # generate thumbnails - adw-gtk3 # theme legacy applications - papirus-icon-theme # icon theme - # libgda # for pano shell extension - # gradience # theme customizer, allows you to modify adw-gtk3 themes - ] - ); + users.users.jawz.packages = with pkgs; [ + # ffmpegthumbnailer # generate thumbnails + adw-gtk3 # theme legacy applications + papirus-icon-theme # icon theme + # libgda # for pano shell extension + # gradience # theme customizer, allows you to modify adw-gtk3 themes + ]; } diff --git a/flake.nix b/flake.nix index eb33694..4882668 100644 --- a/flake.nix +++ b/flake.nix @@ -53,7 +53,7 @@ ./hosts/${name}/configuration.nix sops-nix.nixosModules.sops ( - { ... }: + _: { nixpkgs.overlays = overlays; } diff --git a/hosts/miniserver/configuration.nix b/hosts/miniserver/configuration.nix index b9803e6..87c482b 100644 --- a/hosts/miniserver/configuration.nix +++ b/hosts/miniserver/configuration.nix @@ -3,7 +3,6 @@ imports = [ ./hardware-configuration.nix ../../base.nix - ./temp-nginx.nix ]; my = { emacs.enable = true; 
@@ -41,36 +40,95 @@ jellyfin = { enable = false; enableCron = false; + enableProxy = true; }; nextcloud = { enable = true; enableCron = true; + enableProxy = true; }; adguardhome.enable = false; - audiobookshelf.enable = true; - bazarr.enable = false; - collabora.enable = true; - flame.enable = true; - flameSecret.enable = true; + audiobookshelf = { + enable = true; + enableProxy = true; + }; + bazarr = { + enable = false; + enableProxy = true; + }; + collabora = { + enable = true; + enableProxy = true; + }; + flame = { + enable = true; + enableProxy = true; + }; + flameSecret = { + enable = true; + enableProxy = true; + }; go-vod.enable = false; - homepage.enable = true; - kavita.enable = false; - lidarr.enable = false; - maloja.enable = true; - mealie.enable = true; - metube.enable = false; - microbin.enable = true; - multi-scrobbler.enable = true; + homepage = { + enable = true; + enableProxy = true; + }; + kavita = { + enable = false; + enableProxy = true; + }; + lidarr = { + enable = false; + enableProxy = true; + }; + maloja = { + enable = true; + enableProxy = true; + }; + mealie = { + enable = true; + enableProxy = true; + }; + metube = { + enable = false; + enableProxy = false; + }; + microbin = { + enable = true; + enableProxy = true; + }; + multi-scrobbler = { + enable = true; + enableProxy = true; + }; paperless.enable = true; postgres.enable = true; - prowlarr.enable = false; + prowlarr = { + enable = false; + enableProxy = true; + }; qbittorrent.enable = true; unpackerr.enable = false; - radarr.enable = false; - ryot.enable = true; - shiori.enable = true; - sonarr.enable = false; - vaultwarden.enable = true; + radarr = { + enable = false; + enableProxy = true; + }; + ryot = { + enable = true; + enableProxy = true; + }; + shiori = { + enable = true; + enableProxy = true; + }; + sonarr = { + enable = false; + enableProxy = true; + }; + vaultwarden = { + enable = true; + enableProxy = true; + }; firefly-iii.enable = false; }; }; 
diff --git a/hosts/miniserver/temp-nginx.nix b/hosts/miniserver/temp-nginx.nix deleted file mode 100644 index b4bbc18..0000000 --- a/hosts/miniserver/temp-nginx.nix +++ /dev/null 
@@ -1,139 +0,0 @@ -{ config, ... }: -let - proxy = locations: { - inherit locations; - forceSSL = true; - enableACME = true; - http2 = true; - }; - proxyReverse = - port: - proxy { - "/" = { - proxyPass = "http://192.168.1.69:${toString port}"; - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - - proxy_redirect http://192.168.1.69:${toString port}/ https://your_domain.com/; - ''; - }; - }; - proxyReverseArr = - port: - proxyReverse port - // { - extraConfig = '' - proxy_set_header X-Forwarded-Host $host; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $http_connection; - proxy_redirect off; - proxy_http_version 1.1; - ''; - }; -in -{ - services = { - nginx = { - appendHttpConfig = '' - # JELLYFIN - proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=1d max_size=35000m; - proxy_cache_path /var/cache/nginx/jellyfin levels=1:2 keys_zone=jellyfin:100m max_size=15g inactive=1d use_temp_path=off; - map $request_uri $h264Level { ~(h264-level=)(.+?)& $2; } - map $request_uri $h264Profile { ~(h264-profile=)(.+?)& $2; } - ''; - virtualHosts = { - "series.${config.my.domain}" = proxyReverse 8989 // { }; - "movies.${config.my.domain}" = proxyReverseArr 7878 // { }; - "indexer.${config.my.domain}" = proxyReverseArr 9696 // { }; - "music.${config.my.domain}" = proxyReverseArr 8686 // { }; - "subs.${config.my.domain}" = proxyReverse config.services.bazarr.listenPort // { }; - "library.${config.my.domain}" = proxyReverse config.services.kavita.port // { }; - # "vnfx2cojmt7dwzcfmi73.${config.my.domain}" = proxyReverse 9091 // { }; - # "HSoeJdGRd2Orj0n31UGI.${config.my.domain}" = proxyReverse 3399 // { }; - # "hjL9GS7edDQVranqV5V4.${config.my.domain}" = proxyReverse 9999 // { }; - "flix.${config.my.domain}" = { - forceSSL = true; - enableACME = true; - http2 = 
true; - serverAliases = [ "flix.rotehaare.art" ]; - extraConfig = '' - # use a variable to store the upstream proxy - # in this example we are using a hostname which is resolved via DNS - # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address - resolver 192.168.1.69 valid=30; - - location = / { - return 302 http://$host/web/; - #return 302 https://$host/web/; - } - - location = /web/ { - # Proxy main Jellyfin traffic - proxy_pass http://192.168.1.69:8096/web/index.html; - proxy_set_header Host $host; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $scheme; - proxy_set_header X-Forwarded-Protocol $scheme; - proxy_set_header X-Forwarded-Host $http_host; - } - ''; - locations = { - "/" = { - proxyPass = "http://192.168.1.69:8096"; - proxyWebsockets = true; - }; - "/socket" = { - proxyPass = "http://192.168.1.69:8096"; - extraConfig = '' - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection "upgrade"; - ''; - }; - "~ /Items/(.*)/Images" = { - proxyPass = "http://192.168.1.69:8096"; - extraConfig = '' - proxy_cache jellyfin; - proxy_cache_revalidate on; - proxy_cache_lock on; - ''; - }; - "~* ^/Videos/(.*)/(?!live)" = { - proxyPass = "http://192.168.1.69:8096"; - extraConfig = '' - # Set size of a slice (this amount will be always requested from the backend by nginx) - # Higher value means more latency, lower more overhead - # This size is independent of the size clients/browsers can request - # slice 2m; - - proxy_cache jellyfin-videos; - proxy_cache_valid 200 206 301 302 30d; - proxy_ignore_headers Expires Cache-Control Set-Cookie X-Accel-Expires; - proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504; - proxy_connect_timeout 15s; - proxy_http_version 1.1; - proxy_set_header Connection ""; - # Transmit slice range to the backend - 
proxy_set_header Range 2m; - - # This saves bandwidth between the proxy and jellyfin, as a file is only downloaded one time instead of multiple times when multiple clients want to at the same time - # The first client will trigger the download, the other clients will have to wait until the slice is cached - # Esp. practical during SyncPlay - proxy_cache_lock on; - proxy_cache_lock_age 60s; - - proxy_cache_key "jellyvideo$uri?MediaSourceId=$arg_MediaSourceId&VideoCodec=$arg_VideoCodec&AudioCodec=$arg_AudioCodec&AudioStreamIndex=$arg_AudioStreamIndex&VideoBitrate=$arg_VideoBitrate&AudioBitrate=$arg_AudioBitrate&SubtitleMethod=$arg_SubtitleMethod&TranscodingMaxAudioChannels=$arg_TranscodingMaxAudioChannels&RequireAvc=$arg_RequireAvc&SegmentContainer=$arg_SegmentContainer&MinSegments=$arg_MinSegments&BreakOnNonKeyFrames=$arg_BreakOnNonKeyFrames&h264-profile=$h264Profile&h264-level=$h264Level&slicerange=2m"; - - # add_header X-Cache-Status $upstream_cache_status; # This is only for debugging cache - ''; - }; - }; - }; - }; - }; - }; -} diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix index 02eeab3..b4d7117 100644 --- a/hosts/server/configuration.nix +++ b/hosts/server/configuration.nix @@ -43,14 +43,6 @@ let ports = [ 2049 # idk - 8989 # sonarr - 7878 # radarr - 8686 # lidarr - 9696 # prowlarr - 8096 # jellyfin - 6767 # bazarr - 5000 # kavita - 3399 # sabnzbd 9999 # stash ]; in diff --git a/modules/dev/nix.nix b/modules/dev/nix.nix index 32b6e1d..8a4a7e6 100644 --- a/modules/dev/nix.nix +++ b/modules/dev/nix.nix @@ -8,10 +8,10 @@ options.my.dev.nix.enable = lib.mkEnableOption "enable"; config = lib.mkIf config.my.dev.nix.enable { users.users.jawz.packages = with pkgs; [ - nixfmt-rfc-style # linting + nixfmt-rfc-style # formating cachix # why spend time compiling? nixd # language server - nil # another lsp + statix # linter ]; }; } diff --git a/modules/scripts/update-dns.nix b/modules/scripts/update-dns.nix index 3b54328..87987f3 100644 
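Review bot: Dropping the sonarr/radarr/lidarr/prowlarr/jellyfin/bazarr/kavita/sabnzbd ports from this list makes the `server` host's firewall depend entirely on the per-module rule `networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]` added elsewhere in this commit, and `isLocal` is defined in `servers/setup.nix`, which is not in the diff. If `isLocal` means "this service runs on the evaluating host", the condition is inverted for `server` and the reverse proxy on miniserver loses reachability to all of these ports; if it means "runs on the main server", it holds on both hosts, so it is worth evaluating `nixosConfigurations.server.config.networking.firewall.allowedTCPPorts` after the change before relying on it. While here, `2049 # idk` keeps NFS open with a comment admitting nobody knows the consumer; either document it or close it. The `ports` let-binding this hunk edits continues outside the hunk.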
--- a/modules/scripts/update-dns.nix +++ b/modules/scripts/update-dns.nix @@ -17,7 +17,7 @@ }; }; services.cloudflare-dyndns = { - enable = config.my.scripts.update-dns.enable; + inherit (config.my.scripts.update-dns) enable; ipv4 = true; ipv6 = false; proxied = false; diff --git a/modules/servers.nix b/modules/servers.nix index 2135444..5f36e0e 100644 --- a/modules/servers.nix +++ b/modules/servers.nix @@ -5,28 +5,43 @@ ... }: let - setup = import ./servers/base.nix { inherit lib config; }; + setup = import ./servers/setup.nix { inherit lib config; }; proxy = locations: { inherit locations; forceSSL = true; enableACME = true; http2 = true; }; - proxyReverse = port: proxy { "/".proxyPass = "http://${config.my.localhost}:${toString port}/"; }; + proxyReverse = + host: port: + let + useLocalhost = host == config.networking.hostName; + proxyTarget = if useLocalhost then config.my.localhost else config.my.ips."${host}"; + in + proxy { "/".proxyPass = "http://${proxyTarget}:${toString port}/"; }; proxyReverseArr = - port: - proxyReverse port - // { - extraConfig = '' - proxy_set_header Host $host; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + host: port: + let + useLocalhost = host == config.networking.hostName; + headers = '' proxy_set_header X-Forwarded-Host $host; - proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_redirect off; proxy_http_version 1.1; ''; + localHeaders = '' + proxy_set_header Host $host; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + ''; + in + proxyReverse host port + // { + extraConfig = '' + ${if useLocalhost then localHeaders else ""} + ${headers} + ''; }; enableContainers = lib.any (opt: opt) [ config.my.servers.collabora.enable 
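Review bot: `proxyReverseArr` emits `Host`, `X-Forwarded-For` and `X-Forwarded-Proto` only when `useLocalhost` is true, so a remote upstream such as `config.my.ips.server` is proxied with no client address or scheme information and with `Host` set by nginx to the upstream IP:port. Because this `extraConfig` lands in the server block, its `proxy_set_header` directives replace any inherited from the http level (nginx does not merge them), so a global `recommendedProxySettings`, if it is enabled somewhere, would not fill the gap either. Nothing about locality justifies dropping the forwarded headers; I would emit both sets unconditionally, `extraConfig = localHeaders + headers;`, and delete `useLocalhost` from this helper. Note also that both helpers build `http://` upstream URLs, so when the target is another host the traffic, including session cookies and API keys, crosses the LAN in cleartext after TLS termination; that deserves a comment on `proxyReverse` or TLS on the upstream. The `let` block this hunk edits continues past the hunk.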
@@ -36,6 +51,7 @@ let config.my.servers.maloja.enable config.my.servers.multi-scrobbler.enable config.my.servers.flame.enable + config.my.servers.flameSecret.enable config.my.servers.metube.enable config.my.servers.go-vod.enable ]; @@ -43,7 +59,7 @@ in { imports = [ ./servers/adguardhome.nix - ./servers/paperless.nix + (import ./servers/paperless.nix { inherit lib config; }) ./servers/postgres.nix (import ./servers/audiobookshelf.nix { inherit @@ -53,14 +69,28 @@ in setup ; }) - (import ./servers/bazarr.nix { inherit lib config proxyReverse; }) - (import ./servers/flame.nix { inherit lib config proxyReverse; }) + (import ./servers/bazarr.nix { + inherit + lib + config + proxyReverse + setup + ; + }) + (import ./servers/flame.nix { + inherit + lib + config + proxyReverse + setup + ; + }) (import ./servers/homepage.nix { inherit lib config - pkgs proxyReverse + setup ; }) (import ./servers/jellyfin.nix { @@ -75,11 +105,18 @@ in inherit lib config - pkgs proxyReverse + setup + ; + }) + (import ./servers/lidarr.nix { + inherit + lib + config + proxyReverseArr + setup ; }) - (import ./servers/lidarr.nix { inherit lib config proxyReverseArr; }) (import ./servers/maloja.nix { inherit lib @@ -88,9 +125,30 @@ in setup ; }) - (import ./servers/mealie.nix { inherit lib config proxyReverse; }) - (import ./servers/metube.nix { inherit lib config proxyReverse; }) - (import ./servers/microbin.nix { inherit lib config proxyReverse; }) + (import ./servers/mealie.nix { + inherit + lib + config + proxyReverse + setup + ; + }) + (import ./servers/metube.nix { + inherit + lib + config + proxyReverse + setup + ; + }) + (import ./servers/microbin.nix { + inherit + lib + config + proxyReverse + setup + ; + }) (import ./servers/multi-scrobbler.nix { inherit lib 
@@ -99,27 +157,63 @@ in setup ; }) - (import ./servers/nextcloud.nix { inherit lib config pkgs; }) - (import ./servers/prowlarr.nix { inherit lib config proxyReverseArr; }) - (import ./servers/qbittorrent.nix { inherit lib config pkgs; }) - (import ./servers/sabnzbd.nix { inherit lib config pkgs; }) - (import ./servers/radarr.nix { inherit lib config proxyReverseArr; }) - (import ./servers/ryot.nix { inherit lib config proxyReverse; }) - (import ./servers/shiori.nix { + (import ./servers/nextcloud.nix { inherit lib config pkgs - proxyReverse + setup + ; + }) + (import ./servers/prowlarr.nix { + inherit + lib + config + proxyReverseArr + setup + ; + }) + (import ./servers/qbittorrent.nix { inherit lib config pkgs; }) + (import ./servers/sabnzbd.nix { inherit lib config; }) + (import ./servers/radarr.nix { + inherit + lib + config + proxyReverseArr + setup + ; + }) + (import ./servers/ryot.nix { + inherit + lib + config + proxyReverse + setup + ; + }) + (import ./servers/shiori.nix { + inherit + lib + config + proxyReverse + setup + ; + }) + (import ./servers/sonarr.nix { + inherit + lib + config + proxyReverse + setup ; }) - (import ./servers/sonarr.nix { inherit lib config proxyReverse; }) (import ./servers/vaultwarden.nix { inherit lib config pkgs proxyReverse + setup ; }) (import ./servers/firefly-iii.nix { inherit lib config; }) @@ -135,10 +229,19 @@ in default = "servidos.lat"; description = "The domain name."; }; - miniserver-ip = lib.mkOption { + ips = lib.mkOption { + type = lib.types.attrsOf lib.types.str; + default = { + server = "192.168.1.69"; + miniserver = "192.168.1.100"; + workstation = "192.168.1.64"; + }; + description = "Set of IP's for all my computers."; + }; + mainServer = lib.mkOption { type = lib.types.str; - default = "192.168.1.100"; - description = "The miniserver ip."; + default = "miniserver"; + description = "The hostname of the main server."; }; postgresSocket = lib.mkOption { type = lib.types.str; 
@@ -165,6 +268,11 @@ in default = "CaptainJawZ@protonmail.com"; description = "localhost smtp email"; }; + timeZone = lib.mkOption { + type = lib.types.str; + default = "America/Mexico_City"; + description = "Timezone"; + }; enableContainers = lib.mkEnableOption "enable"; enableProxy = lib.mkEnableOption "enable"; }; 
@@ -182,31 +290,88 @@ in enableCron = lib.mkDefault false; }; adguardhome.enable = lib.mkDefault false; - audiobookshelf.enable = lib.mkDefault false; - bazarr.enable = lib.mkDefault false; - collabora.enable = lib.mkDefault false; - flame.enable = lib.mkDefault false; - flameSecret.enable = lib.mkDefault false; + audiobookshelf = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; + bazarr = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; + collabora = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; + flame = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; + flameSecret = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; go-vod.enable = lib.mkDefault false; - homepage.enable = lib.mkDefault false; - kavita.enable = lib.mkDefault false; - lidarr.enable = lib.mkDefault false; - maloja.enable = lib.mkDefault false; - mealie.enable = lib.mkDefault false; - metube.enable = lib.mkDefault false; - microbin.enable = lib.mkDefault false; - multi-scrobbler.enable = lib.mkDefault false; + homepage = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; + kavita = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; + lidarr = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; + maloja = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; + mealie = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; + metube = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; + microbin = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; + multi-scrobbler = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; paperless.enable = lib.mkDefault false; postgres.enable = lib.mkDefault false; - prowlarr.enable = lib.mkDefault false; + prowlarr = { + enable = lib.mkDefault 
false; + enableProxy = lib.mkDefault false; + }; sabnzbd.enable = lib.mkDefault false; qbittorrent.enable = lib.mkDefault false; unpackerr.enable = lib.mkDefault false; - radarr.enable = lib.mkDefault false; - ryot.enable = lib.mkDefault false; - shiori.enable = lib.mkDefault false; - sonarr.enable = lib.mkDefault false; - vaultwarden.enable = lib.mkDefault false; + radarr = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; + ryot = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; + shiori = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; + sonarr = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; + vaultwarden = { + enable = lib.mkDefault false; + enableProxy = lib.mkDefault false; + }; firefly-iii.enable = lib.mkDefault false; }; }; @@ -242,7 +407,6 @@ in ]; in { - enable = true; allowedTCPPorts = ports; allowedUDPPorts = ports; }; diff --git a/modules/servers/audiobookshelf.nix b/modules/servers/audiobookshelf.nix index 6c7c913..9eee25c 100644 --- a/modules/servers/audiobookshelf.nix +++ b/modules/servers/audiobookshelf.nix @@ -10,14 +10,15 @@ let in { options.my.servers.audiobookshelf = setup.mkOptions "audiobookshelf" "audiobooks" 5687; - config = lib.mkIf config.my.servers.audiobookshelf.enable { + config = { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; services = { - audiobookshelf = { + audiobookshelf = lib.mkIf cfg.enable { + inherit (cfg) port; enable = true; group = "piracy"; - port = cfg.port; }; - nginx.virtualHosts."${cfg.host}" = proxy { + nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy (proxy { "/" = { proxyPass = cfg.local; extraConfig = '' 
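Review bot: `networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]` is no longer under `cfg.enable`, so every host that imports this module opens port 5687 whenever `!cfg.isLocal` holds, including hosts that run neither the service nor the proxy; the same pattern is repeated in the bazarr, flame, homepage, jellyfin, kavita, lidarr and maloja modules of this commit. `isLocal` comes from `servers/setup.nix`, which is outside the diff, so I cannot tell which host the condition is meant to select, but whatever it selects the port should only be open where something listens on it: `networking.firewall.allowedTCPPorts = lib.mkIf (cfg.enable && !cfg.isLocal) [ cfg.port ];`. The enclosing `config` attribute set continues into the next hunk.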
@@ -26,11 +27,11 @@ in proxy_set_header Host $host; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; - proxy_http_version 1.1; - proxy_redirect http:// https://; + proxy_http_version 1.1; + proxy_redirect http:// https://; ''; }; - }; + }); }; }; } diff --git a/modules/servers/bazarr.nix b/modules/servers/bazarr.nix index 231b3cd..1aee45b 100644 --- a/modules/servers/bazarr.nix +++ b/modules/servers/bazarr.nix @@ -2,18 +2,24 @@ lib, config, proxyReverse, + setup, ... }: +let + cfg = config.my.servers.bazarr; +in { - options.my.servers.bazarr.enable = lib.mkEnableOption "enable"; - config = lib.mkIf config.my.servers.bazarr.enable { + options.my.servers.bazarr = setup.mkOptions "bazarr" "subs" config.services.bazarr.listenPort; + config = { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; services = { - bazarr = { + bazarr = lib.mkIf cfg.enable { enable = true; group = "piracy"; }; - nginx.virtualHosts."subs.${config.my.domain}" = - proxyReverse config.services.bazarr.listenPort // { }; + nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy ( + proxyReverse cfg.hostName cfg.port // { } + ); }; }; } diff --git a/modules/servers/firefly-iii.nix b/modules/servers/firefly-iii.nix index c17a346..85234f2 100644 --- a/modules/servers/firefly-iii.nix +++ b/modules/servers/firefly-iii.nix 
@@ -6,20 +6,13 @@ owner = config.users.users.firefly-iii.name; inherit (config.users.users.firefly-iii) group; }; - services = { - nginx.virtualHosts."${config.services.firefly-iii.virtualHost}" = { - forceSSL = true; - enableACME = true; - }; - firefly-iii = { - enable = true; - virtualHost = "money.servidos.lat"; - enableNginx = true; - settings = { - APP_KEY_FILE = config.sops.secrets.firefly-iii-keyfile.path; - DB_HOST = config.my.postgresSocket; - DB_CONNECTION = "pgsql"; - }; + services.firefly-iii = { + enable = true; + enableNginx = true; + settings = { + APP_KEY_FILE = config.sops.secrets.firefly-iii-keyfile.path; + DB_HOST = config.my.postgresSocket; + DB_CONNECTION = "pgsql"; }; }; }; diff --git a/modules/servers/flame.nix b/modules/servers/flame.nix index b8b3d67..c40aee4 100644 --- a/modules/servers/flame.nix +++ b/modules/servers/flame.nix 
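Review bot: Removing the `nginx.virtualHosts."${config.services.firefly-iii.virtualHost}"` entry together with `virtualHost = "money.servidos.lat"` leaves the vhost that `enableNginx = true` generates without `forceSSL`/`enableACME`, and, unless `services.firefly-iii.virtualHost` is set elsewhere in this file, on the module's default name rather than `money.servidos.lat`. Firefly carries session cookies and financial data, so if the intent was to move the TLS settings into the shared proxy helper the hunk should show that; otherwise keep `services.nginx.virtualHosts.${config.services.firefly-iii.virtualHost} = { forceSSL = true; enableACME = true; };` next to the service definition. The enclosing `config = lib.mkIf …` block starts before the hunk.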
@@ -2,51 +2,59 @@ lib, config, proxyReverse, + setup, ... }: let - port = 5005; - portSecret = 5007; + cfg = config.my.servers.flame; + cfgS = config.my.servers.flameSecret; + enable = (cfg.enable || cfgS.enable); in { options.my.servers = { - flame.enable = lib.mkEnableOption "enable"; - flameSecret.enable = lib.mkEnableOption "enable"; + flame = setup.mkOptions "flame" "start" 5005; + flameSecret = setup.mkOptions "flameSecret" "qampqwn4wprhqny8h8zj" 5007; }; - config = lib.mkIf config.my.servers.flame.enable { - sops.secrets.flame.sopsFile = ../../secrets/env.yaml; - virtualisation.oci-containers.containers = { - flame = { + config = { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal || !cfgS.isLocal) [ + cfg.port + cfgS.port + ]; + sops.secrets = lib.mkIf enable { flame.sopsFile = ../../secrets/env.yaml; }; + virtualisation.oci-containers.containers = lib.mkIf enable { + flame = lib.mkIf cfg.enable { autoStart = true; image = "pawelmalak/flame"; - ports = [ "${toString port}:${toString port}" ]; + ports = [ "${toString cfg.port}:${toString cfg.port}" ]; volumes = [ "${config.my.containerData}/flame:/app/data" "${config.my.containerSocket}:${config.my.containerSocket}" ]; environmentFiles = [ config.sops.secrets.flame.path ]; environment = { - TZ = "America/Mexico_City"; + TZ = config.my.timeZone; PUID = "1000"; PGID = "100"; }; }; - flame-nsfw = { + flame-nsfw = lib.mkIf cfgS.enable { autoStart = true; image = "pawelmalak/flame"; - ports = [ "${toString portSecret}:${toString port}" ]; + ports = [ "${toString cfgS.port}:${toString cfg.port}" ]; volumes = [ "${config.my.containerData}/flame-nsfw:/app/data" ]; environmentFiles = [ config.sops.secrets.flame.path ]; environment = { - TZ = "America/Mexico_City"; + TZ = config.my.timeZone; PUID = "1000"; PGID = "100"; }; }; }; services.nginx = { - virtualHosts."start.${config.my.domain}" = proxyReverse port // { }; - virtualHosts."qampqwn4wprhqny8h8zj.${config.my.domain}" = proxyReverse portSecret // { 
}; + virtualHosts = lib.mkIf (cfg.enableProxy || cfgS.enableProxy) { + "${cfg.host}" = proxyReverse cfg.hostName cfg.port // { }; + "${cfgS.host}" = proxyReverse cfgS.hostName cfgS.port // { }; + }; }; }; } diff --git a/modules/servers/homepage.nix b/modules/servers/homepage.nix index 5af1d8a..3482138 100644 --- a/modules/servers/homepage.nix +++ b/modules/servers/homepage.nix @@ -2,20 +2,22 @@ lib, config, proxyReverse, + setup, ... }: let - port = 8082; services = import ./homepage/services.nix { inherit config lib; }; + cfg = config.my.servers.homepage; in { - options.my.servers.homepage.enable = lib.mkEnableOption "enable"; - config = lib.mkIf config.my.servers.homepage.enable { - sops.secrets.homepage.sopsFile = ../../secrets/env.yaml; + options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082; + config = { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; + sops.secrets = lib.mkIf cfg.enable { homepage.sopsFile = ../../secrets/env.yaml; }; services = { - homepage-dashboard = { + homepage-dashboard = lib.mkIf cfg.enable { enable = true; - listenPort = port; + listenPort = cfg.port; environmentFile = config.sops.secrets.homepage.path; settings = { layout = { @@ -75,7 +77,9 @@ in } ]; }; - nginx.virtualHosts."home.${config.my.domain}" = proxyReverse port // { }; + nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy ( + proxyReverse cfg.hostName cfg.port // { } + ); }; }; } diff --git a/modules/servers/homepage/services.nix b/modules/servers/homepage/services.nix index 5b1eefa..7cb7204 100644 --- a/modules/servers/homepage/services.nix +++ b/modules/servers/homepage/services.nix 
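Review bot: `virtualHosts = lib.mkIf (cfg.enableProxy || cfgS.enableProxy) { … }` creates both vhosts as soon as either flag is set, so the `flameSecret` host `qampqwn4wprhqny8h8zj.<domain>` is published even when `cfgS.enableProxy = false`; gate each entry on its own flag: `"${cfg.host}" = lib.mkIf cfg.enableProxy (proxyReverse cfg.hostName cfg.port // { });` and `"${cfgS.host}" = lib.mkIf cfgS.enableProxy (proxyReverse cfgS.hostName cfgS.port // { });`. The same disjunction in `allowedTCPPorts = lib.mkIf (!cfg.isLocal || !cfgS.isLocal) [ cfg.port cfgS.port ]` opens both ports if either instance is remote and never checks `enable`. An unguessable hostname is also not a secret once `enableACME` issues it a certificate: the name ends up in Certificate Transparency logs, so the hidden dashboard needs real authentication rather than obscurity. The `flame-nsfw` mapping `${cfgS.port}:${cfg.port}` (host 5007 to container 5005) looks intentional, presumably because the image listens on a fixed port, but a one-line comment would stop the next reader from "fixing" it.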
@@ -1,25 +1,28 @@ { config, lib, ... }: { - audiobookshelf = lib.mkIf config.my.servers.audiobookshelf.enable { - icon = "${config.my.servers.audiobookshelf.name}.png"; - href = config.my.servers.audiobookshelf.url; - widget = { - type = config.my.servers.audiobookshelf.name; - url = config.my.servers.audiobookshelf.url; - key = "{{HOMEPAGE_VAR_AUDIOBOOKSHELF}}"; + audiobookshelf = + let + cfg = config.my.servers.audiobookshelf; + in + lib.mkIf (cfg.enable || cfg.enableProxy) { + icon = "${cfg.name}.png"; + href = cfg.url; + widget = { + inherit (cfg) url; + type = cfg.name; + key = "{{HOMEPAGE_VAR_AUDIOBOOKSHELF}}"; + }; }; - }; jellyfin = let - name = "jellyfin"; - url = "https://flix.servidos.lat"; + cfg = config.my.servers.jellyfin; in - { - icon = "${name}.png"; - href = url; + lib.mkIf (cfg.enable || cfg.enableProxy) { + icon = "${cfg.name}.png"; + href = cfg.url; widget = { - type = name; - url = url; + inherit (cfg) url; + type = cfg.name; key = "{{HOMEPAGE_VAR_JELLYFIN}}"; enableUser = true; enableBlocks = true; @@ -28,15 +31,14 @@ }; "now playing" = let - name = "jellyfin"; - url = "https://flix.servidos.lat"; + cfg = config.my.servers.jellyfin; in - { - icon = "${name}.png"; - href = url; + lib.mkIf (cfg.enable || cfg.enableProxy) { + icon = "${cfg.name}.png"; + href = cfg.url; widget = { - type = name; - url = url; + inherit (cfg) url; + type = cfg.name; key = "{{HOMEPAGE_VAR_JELLYFIN}}"; enableUser = true; enableBlocks = false; 
@@ -47,117 +49,111 @@ }; sonarr = let - name = "sonarr"; - url = "https://series.servidos.lat"; + cfg = config.my.servers.sonarr; in - { - icon = "${name}.png"; - href = url; + lib.mkIf (cfg.enable || cfg.enableProxy) { + icon = "${cfg.name}.png"; + href = cfg.url; widget = { - type = name; - url = url; + inherit (cfg) url; + type = cfg.name; key = "{{HOMEPAGE_VAR_SONARR}}"; enableQueue = true; }; }; radarr = let - name = "radarr"; - url = "https://movies.servidos.lat"; + cfg = config.my.servers.radarr; in - { - icon = "${name}.png"; - href = url; + lib.mkIf (cfg.enable || cfg.enableProxy) { + icon = "${cfg.name}.png"; + href = cfg.url; widget = { - type = name; - url = url; + inherit (cfg) url; + type = cfg.name; key = "{{HOMEPAGE_VAR_RADARR}}"; enableQueue = true; }; }; lidarr = let - name = "lidarr"; - url = "https://music.servidos.lat"; + cfg = config.my.servers.lidarr; in - { - icon = "${name}.png"; - href = url; + lib.mkIf (cfg.enable || cfg.enableProxy) { + icon = "${cfg.name}.png"; + href = cfg.url; widget = { - type = name; - url = url; + inherit (cfg) url; + type = cfg.name; key = "{{HOMEPAGE_VAR_LIDARR}}"; }; }; prowlarr = let - name = "prowlarr"; - url = "https://indexer.servidos.lat"; + cfg = config.my.servers.prowlarr; in - { - icon = "${name}.png"; - href = url; + lib.mkIf (cfg.enable || cfg.enableProxy) { + icon = "${cfg.name}.png"; + href = cfg.url; widget = { - type = name; - url = url; + type = cfg.name; + inherit (cfg) url; key = "{{HOMEPAGE_VAR_PROWLARR}}"; }; }; bazarr = let - name = "bazarr"; - url = "https://subs.servidos.lat"; + cfg = config.my.servers.bazarr; in - { - icon = "${name}.png"; - href = url; + lib.mkIf (cfg.enable || cfg.enableProxy) { + icon = "${cfg.name}.png"; + href = cfg.url; widget = { - type = name; - url = url; + type = cfg.name; + inherit (cfg) url; key = "{{HOMEPAGE_VAR_BAZARR}}"; }; }; kavita = let - name = "kavita"; - url = "https://library.servidos.lat"; + cfg = config.my.servers.kavita; in - { - icon = 
"${name}.png"; - href = url; + lib.mkIf (cfg.enable || cfg.enableProxy) { + icon = "${cfg.name}.png"; + href = cfg.url; widget = { - type = name; - url = url; + type = cfg.name; + inherit (cfg) url; username = "{{HOMEPAGE_VAR_KAVITA_USERNAME}}"; password = "{{HOMEPAGE_VAR_KAVITA_PASSWORD}}"; }; }; "qbittorrent server" = let + url = "http://${config.my.ips.server}:${toString config.my.servers.qbittorrent.port}"; name = "qbittorrent"; - url = "http://192.168.1.69:9091"; in - { + lib.mkIf config.my.servers.qbittorrent.enable { icon = "${name}.png"; href = url; widget = { type = name; - url = url; + inherit url; username = "{{HOMEPAGE_VAR_QBIT_USERNAME}}"; password = "{{HOMEPAGE_VAR_QBIT_PASSWORD}}"; }; }; "qbittorrent miniserver" = let + url = "http://${config.my.ips.miniserver}:${toString config.my.servers.qbittorrent.port}"; name = "qbittorrent"; - url = "http://192.168.1.100:9091"; in - { + lib.mkIf config.my.servers.qbittorrent.enable { icon = "${name}.png"; href = url; widget = { type = name; - url = url; + inherit url; username = "{{HOMEPAGE_VAR_QBIT_USERNAME}}"; password = "{{HOMEPAGE_VAR_QBIT_PASSWORD}}"; }; @@ -165,14 +161,14 @@ sabnzbd = let name = "sabnzbd"; - url = "http://192.168.1.69:3399"; + url = "http://${config.my.ips.server}:${toString config.my.servers.sabnzbd.port}"; in { icon = "${name}.png"; href = url; widget = { type = name; - url = url; + inherit url; key = "{{HOMEPAGE_VAR_SABNZBD}}"; }; }; diff --git a/modules/servers/jellyfin.nix b/modules/servers/jellyfin.nix index a6990a2..77024d5 100644 --- a/modules/servers/jellyfin.nix +++ b/modules/servers/jellyfin.nix 
@@ -22,16 +22,19 @@ let in { options.my.servers.jellyfin = setup.mkOptions "jellyfin" "flix" 8096; - config = lib.mkIf cfg.enable { - environment.systemPackages = [ - pkgs.jellyfin-ffmpeg - ] ++ (if cfg.enableCron then sub-sync-path else [ ]); + config = { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; + environment = { + systemPackages = lib.mkIf cfg.enable ( + [ pkgs.jellyfin-ffmpeg ] ++ (if cfg.enableCron then sub-sync-path else [ ]) + ); + }; services = { - jellyfin = { + jellyfin = lib.mkIf cfg.enable { enable = true; group = "piracy"; }; - nginx = { + nginx = lib.mkIf cfg.enableProxy { appendHttpConfig = '' # JELLYFIN proxy_cache_path /var/cache/nginx/jellyfin-videos levels=1:2 keys_zone=jellyfin-videos:100m inactive=1d max_size=35000m; @@ -48,7 +51,7 @@ in # use a variable to store the upstream proxy # in this example we are using a hostname which is resolved via DNS # (if you aren't using DNS remove the resolver line and change the variable to point to an IP address - resolver ${config.my.localhost} valid=30; + resolver ${cfg.ip} valid=30; location = / { return 302 http://$host/web/; diff --git a/modules/servers/kavita.nix b/modules/servers/kavita.nix index 772a1c7..4f865e9 100644 --- a/modules/servers/kavita.nix +++ b/modules/servers/kavita.nix 
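Review bot: `resolver ${cfg.ip} valid=30;` now points nginx's DNS resolver at the Jellyfin host's address; `resolver` takes a nameserver, not an upstream, and the `proxy_pass` targets in this vhost are literal addresses, so the directive is dead at best and a broken resolver at worst (the comment right above it in the same block says to remove the line when no DNS name is used). Drop it, or point it at a real resolver if a `$variable` upstream is ever introduced. Separately, the context line `return 302 http://$host/web/;` sends every root request through a cleartext redirect before what is presumably a `forceSSL` vhost upgrades it again; the commented-out `return 302 https://$host/web/;` beneath it avoids that hop. The `extraConfig` string and the `locations` set continue past the hunk.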
@@ -2,26 +2,33 @@ lib, config, proxyReverse, + setup, ... }: +let + cfg = config.my.servers.kavita; +in { - options.my.servers.kavita.enable = lib.mkEnableOption "enable"; - config = lib.mkIf config.my.servers.kavita.enable { - sops.secrets.kavita-token = { + options.my.servers.kavita = setup.mkOptions "kavita" "library" config.services.kavita.settings.Port; + config = { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; + sops.secrets.kavita-token = lib.mkIf cfg.enable { owner = config.users.users.kavita.name; inherit (config.users.users.kavita) group; }; - users.users.kavita = { + users.users.kavita = lib.mkIf cfg.enable { isSystemUser = true; group = "kavita"; extraGroups = [ "piracy" ]; }; services = { - kavita = { + kavita = lib.mkIf cfg.enable { enable = true; tokenKeyFile = config.sops.secrets.kavita-token.path; }; - nginx.virtualHosts."library.${config.my.domain}" = proxyReverse config.services.kavita.port // { }; + nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy ( + proxyReverse cfg.hostName cfg.port // { } + ); }; }; } diff --git a/modules/servers/lidarr.nix b/modules/servers/lidarr.nix index 4113db0..c014680 100644 --- a/modules/servers/lidarr.nix +++ b/modules/servers/lidarr.nix 
@@ -2,21 +2,22 @@ lib, config, proxyReverseArr, + setup, ... }: let - port = 8686; - url = "music.${config.my.domain}"; + cfg = config.my.servers.lidarr; in { - options.my.servers.lidarr.enable = lib.mkEnableOption "enable"; - config = lib.mkIf config.my.servers.lidarr.enable { - virtualisation.oci-containers.containers.lidarr = { + options.my.servers.lidarr = setup.mkOptions "lidarr" "music" 8686; + config = { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; + virtualisation.oci-containers.containers.lidarr = lib.mkIf cfg.enable { autoStart = true; image = "lscr.io/linuxserver/lidarr:latest"; - ports = [ "${toString port}:${toString port}" ]; + ports = [ "${toString cfg.port}:${toString cfg.port}" ]; environment = { - TZ = "America/Mexico_City"; + TZ = config.my.timeZone; PUID = "1000"; PGID = "100"; }; @@ -32,10 +33,12 @@ in labels = { "flame.type" = "application"; "flame.name" = "Lidarr"; - "flame.url" = url; + "flame.url" = cfg.url; "flame.icon" = "music"; }; }; - services.nginx.virtualHosts."${url}" = proxyReverseArr port // { }; + services.nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy ( + proxyReverseArr cfg.hostName cfg.port // { } + ); }; } diff --git a/modules/servers/maloja.nix b/modules/servers/maloja.nix index 3b513bf..8a66b08 100644 --- a/modules/servers/maloja.nix +++ b/modules/servers/maloja.nix 
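Review bot: `ports = [ "${toString cfg.port}:${toString cfg.port}" ];` publishes the container port on every interface, although the rest of this commit assumes only the reverse proxy (local, or on `mainServer`) reaches the service; container runtimes that install their own forwarding rules can expose published ports independently of `networking.firewall`, so the `isLocal` gate is not a reliable backstop. Bind the mapping to the address the proxy actually uses: `ports = [ "${cfg.ip}:${toString cfg.port}:${toString cfg.port}" ];` (this assumes `config.my.localhost` is an IP literal, which its use as `ROCKET_ADDRESS` in vaultwarden.nix suggests). The maloja, metube, multi-scrobbler and ryot container hunks, and flaresolverr in prowlarr.nix, publish their ports the same way.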
@@ -10,14 +10,15 @@ let in { options.my.servers.maloja = setup.mkOptions "maloja" "maloja" 42010; - config = lib.mkIf cfg.enable { - sops.secrets.maloja.sopsFile = ../../secrets/env.yaml; - virtualisation.oci-containers.containers.maloja = { - image = "krateng/maloja"; + config = { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; + sops.secrets = lib.mkIf cfg.enable { maloja.sopsFile = ../../secrets/env.yaml; }; + virtualisation.oci-containers.containers.maloja = lib.mkIf cfg.enable { + image = "krateng/maloja:latest"; ports = [ "${toString cfg.port}:${toString cfg.port}" ]; environmentFiles = [ config.sops.secrets.maloja.path ]; environment = { - TZ = "America/Mexico_City"; + TZ = config.my.timeZone; MALOJA_TIMEZONE = "-6"; PUID = "1000"; PGID = "100"; @@ -32,6 +33,8 @@ in "flame.icon" = "bookmark-music"; }; }; - services.nginx.virtualHosts."${cfg.host}" = proxyReverse cfg.port // { }; + services.nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy ( + proxyReverse cfg.hostName cfg.port // { } + ); }; } diff --git a/modules/servers/mealie.nix b/modules/servers/mealie.nix index fc61366..04a94ef 100644 --- a/modules/servers/mealie.nix +++ b/modules/servers/mealie.nix 
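Review bot: `image = "krateng/maloja:latest";` makes the mutable tag explicit but still lets the container contents change on every pull without any change to this configuration, so a broken or compromised upstream push is picked up automatically and deployments are not reproducible. Pin a version tag or an `@sha256:` digest, as ryot.nix does with `v7.0.0`. The metube hunk makes the same `:latest` change.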
@@ -2,44 +2,41 @@ lib, config, proxyReverse, + setup, ... }: let - port = 9925; - domain = "mealie.${config.my.domain}"; - url = "https://${domain}"; + cfg = config.my.servers.mealie; in { - options.my.servers.mealie.enable = lib.mkEnableOption "enable"; - config = lib.mkIf config.my.servers.mealie.enable { - sops.secrets.mealie.sopsFile = ../../secrets/env.yaml; - virtualisation.oci-containers.containers.mealie = { - autoStart = true; - image = "ghcr.io/mealie-recipes/mealie:v1.4.0"; - ports = [ "${toString port}:9000" ]; - volumes = [ "${config.my.containerData}/mealie:/app/data/" ]; - environmentFiles = [ config.sops.secrets.mealie.path ]; - environment = { - TZ = "America/Mexico_City"; - ALLOW_SIGNUP = "true"; - PUID = "1000"; - PGID = "100"; - MAX_WORKERS = "1"; - WEB_CONCURRENCY = "1"; - BASE_URL = url; - SMTP_HOST = "smtp.gmail.com"; - SMTP_PORT = "587"; - }; - extraOptions = [ - "--memory=1g" # VA-API (omit for NVENC) - ]; - labels = { - "flame.type" = "application"; - "flame.name" = "Mealie"; - "flame.url" = url; - "flame.icon" = "fridge"; + disabledModules = [ "services/web-apps/mealie.nix" ]; + imports = [ ../../pkgs/mealie-service.nix ]; + options.my.servers.mealie = setup.mkOptions "mealie" "mealie" 9925; + config = { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; + sops.secrets = lib.mkIf cfg.enable { mealie.sopsFile = ../../secrets/env.yaml; }; + services = { + mealie = lib.mkIf cfg.enable { + enable = true; + inherit (cfg) port; + settings = { + TZ = config.my.timeZone; + DEFAULT_GROUP = "Home"; + BASE_URL = cfg.url; + API_DOCS = "false"; + ALLOW_SIGNUP = "false"; + DB_ENGINE = "postgres"; + POSTGRES_URL_OVERRIDE = "postgresql://${cfg.name}:@/${cfg.name}?host=${config.my.postgresSocket}"; + MAX_WORKERS = "1"; + WEB_CONCURRENCY = "1"; + SMTP_HOST = "smtp.gmail.com"; + SMTP_PORT = "587"; + }; + credentialsFile = config.sops.secrets.mealie.path; }; + nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy ( + 
proxyReverse cfg.hostName cfg.port // { } + ); }; - services.nginx.virtualHosts."${domain}" = proxyReverse port // { }; }; } diff --git a/modules/servers/metube.nix b/modules/servers/metube.nix index 3b5045d..2baf3ba 100644 --- a/modules/servers/metube.nix +++ b/modules/servers/metube.nix @@ -2,26 +2,30 @@ lib, config, proxyReverse, + setup, ... }: let - port = 8881; + cfg = config.my.servers.metube; in { - options.my.servers.metube.enable = lib.mkEnableOption "enable"; - config = lib.mkIf config.my.servers.metube.enable { - virtualisation.oci-containers.containers.metube = { - image = "ghcr.io/alexta69/metube"; - ports = [ "${toString port}:8081" ]; + options.my.servers.metube = setup.mkOptions "metube" "bajameesta" 8881; + config = { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; + virtualisation.oci-containers.containers.metube = lib.mkIf cfg.enable { + image = "ghcr.io/alexta69/metube:latest"; + ports = [ "${toString cfg.port}:8081" ]; volumes = [ "${config.my.containerData}/metube:/downloads" "/home/jawz/.local/share/cookies.txt:/cookies.txt" ]; environment = { - TZ = "America/Mexico_City"; + TZ = config.my.timeZone; YTDL_OPTIONS = ''{"cookiefile":"/cookies.txt"}''; }; }; - services.nginx.virtualHosts."bajameesta.${config.my.domain}" = proxyReverse port // { }; + services.nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy ( + proxyReverse cfg.hostName cfg.port // { } + ); }; } diff --git a/modules/servers/microbin.nix b/modules/servers/microbin.nix index 8283acb..0f421cd 100644 --- a/modules/servers/microbin.nix +++ b/modules/servers/microbin.nix 
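Review bot: The new `services.mealie` block sets `inherit (cfg) port;` but leaves `listenAddress` at the replacement module's default of `0.0.0.0`, so on a host where Mealie is only meant to be reached through nginx it still accepts connections on every interface. Set it to the address the proxy uses, `listenAddress = cfg.ip;`, which resolves to `config.my.localhost` on `mainServer` and to the host's LAN address elsewhere. `ALLOW_SIGNUP = "false"` and moving credentials to `credentialsFile` are the right direction; keep SMTP and database passwords in that file rather than in `settings`, because the service module turns `settings` into plain environment assignments in the unit.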
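Review bot: The container publishes `${toString cfg.port}:8081` on all interfaces and the new firewall line opens that port on every non-`mainServer` host, for a container that also mounts `/home/jawz/.local/share/cookies.txt` (the yt-dlp cookie file named in `YTDL_OPTIONS`) read-write. Bind the published port to the proxy address, `ports = [ "${cfg.ip}:${toString cfg.port}:8081" ];`, and mount the cookie file read-only, `"/home/jawz/.local/share/cookies.txt:/cookies.txt:ro"`, so a compromise of the download UI cannot alter it.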
@@ -2,20 +2,22 @@ lib, config, proxyReverse, + setup, ... }: +let + cfg = config.my.servers.microbin; +in { - options.my.servers.microbin = { - enable = lib.mkEnableOption "enable"; - enableCron = lib.mkEnableOption "enable"; - }; + options.my.servers.microbin = setup.mkOptions "microbin" "copy" 8080; config = lib.mkIf config.my.servers.microbin.enable { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; services = { - microbin = { + microbin = lib.mkIf cfg.enable { enable = true; settings = { + MICROBIN_PORT = cfg.port; MICROBIN_HIDE_LOGO = false; - MICROBIN_PORT = 8080; MICROBIN_HIGHLIGHTSYNTAX = true; MICROBIN_PRIVATE = true; MICROBIN_QR = true; @@ -23,8 +25,9 @@ MICROBIN_ENCRYPTION_SERVER_SIDE = true; }; }; - nginx.virtualHosts."copy.${config.my.domain}" = - proxyReverse config.services.microbin.settings.MICROBIN_PORT // { }; + nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy ( + proxyReverse cfg.hostName cfg.port // { } + ); }; }; } diff --git a/modules/servers/multi-scrobbler.nix b/modules/servers/multi-scrobbler.nix index eca1209..e45de60 100644 --- a/modules/servers/multi-scrobbler.nix +++ b/modules/servers/multi-scrobbler.nix 
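Review bot: `microbin = lib.mkIf cfg.enable { ... }` sits inside the unchanged `config = lib.mkIf config.my.servers.microbin.enable { ... }`, so the inner guard can never differ from the outer one and only adds a layer of conditional-attribute merging; the outer one is the one worth keeping, since it is what ties `networking.firewall.allowedTCPPorts` to `enable`. The `mkIf` line also still spells out `config.my.servers.microbin.enable` now that `cfg` exists. shiori.nix and vaultwarden.nix have the same inner/outer duplication.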
@@ -10,18 +10,19 @@ let in { options.my.servers.multi-scrobbler = setup.mkOptions "multi-scrobbler" "scrobble" 9078; - config = lib.mkIf cfg.enable { - sops.secrets.multi-scrobbler.sopsFile = ../../secrets/env.yaml; - virtualisation.oci-containers.containers.multi-scrobbler = { + config = { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; + sops.secrets = lib.mkIf cfg.enable { multi-scrobbler.sopsFile = ../../secrets/env.yaml; }; + virtualisation.oci-containers.containers.multi-scrobbler = lib.mkIf cfg.enable { image = "foxxmd/multi-scrobbler:latest"; ports = [ "${toString cfg.port}:${toString cfg.port}" ]; environmentFiles = [ config.sops.secrets.multi-scrobbler.path ]; environment = { - TZ = "America/Mexico_City"; + TZ = config.my.timeZone; PUID = "1000"; PGID = "100"; BASE_URL = cfg.url; - DEEZER_REDIRECT_URI = "http://${config.my.miniserver-ip}:${toString cfg.port}/deezer/callback"; + DEEZER_REDIRECT_URI = "http://${config.my.ips.${cfg.hostName}}:${toString cfg.port}/deezer/callback"; MALOJA_URL = config.my.servers.maloja.url; WS_ENABLE = "true"; }; @@ -33,6 +34,8 @@ in "flame.icon" = "broadcast"; }; }; - services.nginx.virtualHosts."${cfg.host}" = proxyReverse cfg.port // { }; + services.nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy ( + proxyReverse cfg.hostName cfg.port // { } + ); }; } diff --git a/modules/servers/nextcloud.nix b/modules/servers/nextcloud.nix index be7b5c3..a5134d0 100644 --- a/modules/servers/nextcloud.nix +++ b/modules/servers/nextcloud.nix @@ -2,13 +2,10 @@ lib, config, pkgs, + setup, ... }: let - inherit (config.my) localhost; - collaboraPort = 9980; - url = "cloud.${config.my.domain}"; - collaboraProxy = "http://${localhost}:${toString collaboraPort}"; commonProxyConfig = '' proxy_set_header Host $host; ''; 
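Review bot: `DEEZER_REDIRECT_URI = "http://${config.my.ips.${cfg.hostName}}:${toString cfg.port}/deezer/callback";` sends the OAuth authorization code back over plain HTTP to a LAN address, and the direct `config.my.ips` lookup is an evaluation error for any `hostName` not present in that map (the `cfg.ip` option already encapsulates that lookup). If the Deezer app registration allows it, the proxied origin already used for `BASE_URL` is the safer target: `DEEZER_REDIRECT_URI = "${cfg.url}/deezer/callback";`, so the callback arrives over TLS and stays consistent with `BASE_URL`.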
@@ -18,17 +15,16 @@ let proxy_set_header Host $host; proxy_read_timeout 36000s; ''; + cfg = config.my.servers.nextcloud; + cfgC = config.my.servers.collabora; in { options.my.servers = { - nextcloud = { - enable = lib.mkEnableOption "enable"; - enableCron = lib.mkEnableOption "enable"; - }; - collabora.enable = lib.mkEnableOption "enable"; + nextcloud = setup.mkOptions "nextcloud" "cloud" 80; + collabora = setup.mkOptions "collabora" "collabora" 9980; go-vod.enable = lib.mkEnableOption "enable"; }; - config = lib.mkIf (config.my.servers.nextcloud.enable && config.my.servers.postgres.enable) { + config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) { sops.secrets = { smtp-password = { }; nextcloud-adminpass = { @@ -80,7 +76,7 @@ in extraAppsEnable = true; enableImagemagick = true; maxUploadSize = "16G"; - hostName = url; + hostName = cfg.host; extraApps = { inherit (config.services.nextcloud.package.packages.apps) calendar; }; @@ -139,10 +135,9 @@ in ]; }; # phpExtraExtensions = all: [ all.pdlib all.bz2 ]; - phpExtraExtensions = _all: [ ]; }; nginx.virtualHosts = { - ${config.services.nextcloud.hostName} = { + "${config.services.nextcloud.hostName}" = lib.mkIf cfg.enableProxy { forceSSL = true; enableACME = true; http2 = true; 
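Review bot: `"${config.services.nextcloud.hostName}" = lib.mkIf cfg.enableProxy { forceSSL = true; enableACME = true; ...` makes the TLS settings of the Nextcloud vhost depend on `enableProxy`, but the nixpkgs Nextcloud module defines that vhost itself whenever the service is enabled, so with `enable = true` and `enableProxy = false` Nextcloud would be served over plain HTTP on port 80 rather than not at all. If `enableProxy` is meant to be optional for nextcloud, keep `forceSSL`/`enableACME` outside the `mkIf`; otherwise add an assertion that `cfg.enable` implies `cfg.enableProxy`. The collabora vhost in the next hunk has the same shape but, being a pure proxy, does disappear cleanly when disabled.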
@@ -153,34 +148,34 @@ in { }; }; }; - "collabora.${config.my.domain}" = lib.mkIf config.my.servers.collabora.enable { + "${cfgC.host}" = lib.mkIf cfgC.enableProxy { forceSSL = true; enableACME = true; http2 = true; locations = { # static files "^~ /loleaflet" = { - proxyPass = collaboraProxy; + proxyPass = cfgC.local; extraConfig = commonProxyConfig; }; # WOPI discovery URL "^~ /hosting/discovery" = { - proxyPass = collaboraProxy; + proxyPass = cfgC.local; extraConfig = commonProxyConfig; }; # Capabilities "^~ /hosting/capabilities" = { - proxyPass = collaboraProxy; + proxyPass = cfgC.local; extraConfig = commonProxyConfig; }; # download, presentation, image upload and websocket "~ ^/lool" = { - proxyPass = collaboraProxy; + proxyPass = cfgC.local; extraConfig = commonWebsocketConfig; }; # Admin Console websocket "^~ /lool/adminws" = { - proxyPass = collaboraProxy; + proxyPass = cfgC.local; extraConfig = commonWebsocketConfig; }; }; @@ -211,8 +206,8 @@ in }; ports = [ "9980:9980" ]; environment = { - TZ = "America/Mexico_City"; - domain = "cloud.servidos.lat"; + TZ = config.my.timeZone; + domain = cfg.host; aliasgroup1 = "cloud.servidos.lat:443"; aliasgroup2 = "cloud.rotehaare.art:443"; dictionaries = "en_CA en_US es_MX es_ES fr_FR it pt_BR ru"; diff --git a/modules/servers/paperless.nix b/modules/servers/paperless.nix index 3a54df5..0fc731b 100644 --- a/modules/servers/paperless.nix +++ b/modules/servers/paperless.nix @@ -2,6 +2,7 @@ { options.my.servers.paperless.enable = lib.mkEnableOption "enable"; config = lib.mkIf (config.my.servers.paperless.enable && config.my.servers.postgres.enable) { + networking.firewall.allowedTCPPorts = [ config.services.paperless.port ]; services.paperless = { enable = true; address = "0.0.0.0"; 
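Review bot: In the collabora container, `domain = cfg.host;` now derives from the option while `aliasgroup1 = "cloud.servidos.lat:443"` and `ports = [ "9980:9980" ]` on the adjacent context lines stay hard-coded, so changing `host` or `cfgC.port` leaves the container with a stale entry in the host list it accepts WOPI requests from and publishing a port the proxy no longer targets. Derive both: `aliasgroup1 = "${cfg.host}:443";` and `ports = [ "${toString cfgC.port}:9980" ];`. The `cfgC.local` rewrite in the previous hunk is consistent with this once `port` flows through.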
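Review bot: `networking.firewall.allowedTCPPorts = [ config.services.paperless.port ];` opens the Paperless web port unconditionally (no `isLocal` gate, no proxy option), and the context line `address = "0.0.0.0";` has it listening on every interface, so the document archive's login page is reachable over plain HTTP from anything on the network — including on `mainServer`, where the other modules keep their ports closed. If LAN-only direct access is intended, a comment above the rule saying so would spare the next reader the question; otherwise gate the rule like the other modules, or bind `address` to the proxy address and front it with nginx. The second hunk correctly drops the UDP rule, since HTTP is TCP only.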
@@ -11,21 +12,16 @@ PAPERLESS_DBENGINE = "postgress"; PAPERLESS_DBNAME = "paperless"; PAPERLESS_DBHOST = config.my.postgresSocket; + PAPERLESS_TIME_ZONE = config.my.timeZone; PAPERLESS_CONSUMER_IGNORE_PATTERN = builtins.toJSON [ ".DS_STORE/*" "desktop.ini" ]; - PAPERLESS_TIME_ZONE = "America/Mexico_City"; PAPERLESS_OCR_USER_ARGS = builtins.toJSON { optimize = 1; pdfa_image_compression = "lossless"; }; }; }; - networking.firewall = { - enable = true; - allowedTCPPorts = [ config.services.paperless.port ]; - allowedUDPPorts = [ config.services.paperless.port ]; - }; }; } diff --git a/modules/servers/postgres.nix b/modules/servers/postgres.nix index d795bbf..2c3785e 100644 --- a/modules/servers/postgres.nix +++ b/modules/servers/postgres.nix @@ -31,6 +31,7 @@ let "ryot" "vaultwarden" "shiori" + "mealie" "firefly-iii" ]; in diff --git a/modules/servers/prowlarr.nix b/modules/servers/prowlarr.nix index d7af99a..38e243a 100644 --- a/modules/servers/prowlarr.nix +++ b/modules/servers/prowlarr.nix 
@@ -2,20 +2,27 @@ lib, config, proxyReverseArr, + setup, ... }: +let + cfg = config.my.servers.prowlarr; +in { - options.my.servers.prowlarr.enable = lib.mkEnableOption "enable"; - config = lib.mkIf config.my.servers.prowlarr.enable { - users.users.prowlarr = { + options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696; + config = { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; + users.users.prowlarr = lib.mkIf cfg.enable { group = "piracy"; isSystemUser = true; }; services = { - prowlarr.enable = true; - nginx.virtualHosts."indexer.${config.my.domain}" = proxyReverseArr 9696 // { }; + prowlarr.enable = cfg.enable; + nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy ( + proxyReverseArr cfg.hostName cfg.port // { } + ); }; - virtualisation.oci-containers.containers.flaresolverr = { + virtualisation.oci-containers.containers.flaresolverr = lib.mkIf cfg.enable { autoStart = true; image = "ghcr.io/flaresolverr/flaresolverr:latest"; ports = [ "8191:8191" ]; diff --git a/modules/servers/qbittorrent.nix b/modules/servers/qbittorrent.nix index 8013b98..0f47c52 100644 --- a/modules/servers/qbittorrent.nix +++ b/modules/servers/qbittorrent.nix @@ -5,13 +5,6 @@ ... }: let - port = 9091; - ports = [ - port - 51411 - 51412 - 51413 - ]; bencodepy = pkgs.python3Packages.buildPythonPackage { pname = "bencodepy"; version = "0.9.5"; @@ -43,7 +36,14 @@ let in { options.my.servers = { - qbittorrent.enable = lib.mkEnableOption "enable"; + qbittorrent = { + enable = lib.mkEnableOption "enable"; + port = lib.mkOption { + type = lib.types.int; + default = 9091; + description = "The port to access qbittorrent web-ui"; + }; + }; unpackerr.enable = lib.mkEnableOption "enable"; }; config = lib.mkIf config.my.servers.qbittorrent.enable { 
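Review bot: `ports = [ "8191:8191" ];` publishes FlareSolverr on every interface with no option or firewall entry governing it, although the only consumer visible here is Prowlarr on the same host. Publish it on the loopback address instead, `ports = [ "${config.my.localhost}:8191:8191" ];` (assuming `config.my.localhost` is an IP literal, as its use in `ROCKET_ADDRESS` suggests), so the container runtime's own forwarding rules cannot expose it to the LAN. `prowlarr.enable = cfg.enable;` without `lib.mkIf` works, but differs in style from every other service block in the commit.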
@@ -97,9 +97,17 @@ in }; }; }; - networking.firewall = { - allowedTCPPorts = ports; - allowedUDPPorts = ports; - }; + networking.firewall = + let + ports = [ + 51411 + 51412 + 51413 + ]; + in + { + allowedTCPPorts = ports ++ [ config.my.servers.qbittorrent.port ]; + allowedUDPPorts = ports; + }; }; } diff --git a/modules/servers/radarr.nix b/modules/servers/radarr.nix index b533e14..b92c5bd 100644 --- a/modules/servers/radarr.nix +++ b/modules/servers/radarr.nix @@ -2,17 +2,24 @@ lib, config, proxyReverseArr, + setup, ... }: +let + cfg = config.my.servers.radarr; +in { - options.my.servers.radarr.enable = lib.mkEnableOption "enable"; - config = lib.mkIf config.my.servers.radarr.enable { + options.my.servers.radarr = setup.mkOptions "radarr" "movies" 7878; + config = { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; services = { - radarr = { + radarr = lib.mkIf cfg.enable { enable = true; group = "piracy"; }; - nginx.virtualHosts."movies.${config.my.domain}" = proxyReverseArr 7878 // { }; + nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy ( + proxyReverseArr cfg.hostName cfg.port // { } + ); }; }; } diff --git a/modules/servers/ryot.nix b/modules/servers/ryot.nix index 92f733c..50d317c 100644 --- a/modules/servers/ryot.nix +++ b/modules/servers/ryot.nix 
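Review bot: `allowedTCPPorts = ports ++ [ config.my.servers.qbittorrent.port ];` opens the qBittorrent web UI to the network on any host where the service is enabled, with no `isLocal` gate or reverse proxy as the other modules now have, so the UI is reachable over plain HTTP from the LAN. If it is meant to be reached only through nginx on `mainServer`, keep just the peer ports in the firewall; if LAN access is intended, a short comment above the rule saying so would help. The `let ports = [...]` block would also read more naturally as a module-level `let`, with `cfg` bound as in the other modules.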
@@ -2,19 +2,19 @@ lib, config, proxyReverse, + setup, ... }: let - port = 8765; - url = "tracker.${config.my.domain}"; + cfg = config.my.servers.ryot; in { - options.my.servers.ryot.enable = lib.mkEnableOption "enable"; + options.my.servers.ryot = setup.mkOptions "ryot" "tracker" 8765; config = lib.mkIf (config.my.servers.ryot.enable && config.my.servers.postgres.enable) { sops.secrets.ryot.sopsFile = ../../secrets/env.yaml; virtualisation.oci-containers.containers.ryot = { image = "ghcr.io/ignisda/ryot:v7.0.0"; - ports = [ "${toString port}:8000" ]; + ports = [ "${toString cfg.port}:8000" ]; environmentFiles = [ config.sops.secrets.ryot.path ]; environment = { RUST_LOG = "ryot=debug,sea_orm=debug"; @@ -26,10 +26,12 @@ in labels = { "flame.type" = "application"; "flame.name" = "Ryot"; - "flame.url" = url; + "flame.url" = cfg.url; "flame.icon" = "radar"; }; }; - services.nginx.virtualHosts."tracker.${config.my.domain}" = proxyReverse port // { }; + services.nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy ( + proxyReverse cfg.hostName cfg.port // { } + ); }; } diff --git a/modules/servers/sabnzbd.nix b/modules/servers/sabnzbd.nix index 0d3861c..44b0ee5 100644 --- a/modules/servers/sabnzbd.nix +++ b/modules/servers/sabnzbd.nix @@ -1,6 +1,13 @@ { lib, config, ... }: { - options.my.servers.sabnzbd.enable = lib.mkEnableOption "enable"; + options.my.servers.sabnzbd = { + enable = lib.mkEnableOption "enable"; + port = lib.mkOption { + type = lib.types.int; + default = 3399; + description = "The port to access sabnzbd web-ui"; + }; + }; config = lib.mkIf config.my.servers.sabnzbd.enable { services.sabnzbd = { enable = true; diff --git a/modules/servers/base.nix b/modules/servers/setup.nix similarity index 51% rename from modules/servers/base.nix rename to modules/servers/setup.nix index 394a42a..88b0d69 100644 --- a/modules/servers/base.nix +++ b/modules/servers/setup.nix 
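Review bot: ryot.nix keeps its `config = lib.mkIf (... enable && ... postgres.enable)` wrapper and gains `setup.mkOptions`, but unlike the other converted modules it adds no `networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];`, so if Ryot is ever placed on a host other than `mainServer` the proxy cannot reach `cfg.port` through the firewall (unless the container runtime bypasses it, which would be worse). Either add the rule inside the existing `mkIf`, where it is correctly tied to `enable`, or note in a comment that Ryot is local-only. `config.my.servers.ryot.enable` on the `mkIf` line could now be `cfg.enable`.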
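Review bot: The new `port` option (default `3399`) is declared, but nothing in the hunk reads it; if the `services.sabnzbd` block below this hunk and any firewall rule do not use `config.my.servers.sabnzbd.port`, the option is dead and an override has no effect. Either wire it into the service and firewall configuration or state in `description` what it controls.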
@@ -3,6 +3,7 @@ let mkOptions = name: subdomain: port: { enable = lib.mkEnableOption "enable"; enableCron = lib.mkEnableOption "enable cronjob"; + enableProxy = lib.mkEnableOption "enable reverse proxy"; port = lib.mkOption { type = lib.types.int; default = port; @@ -15,13 +16,29 @@ let type = lib.types.str; default = "${subdomain}.${config.my.domain}"; }; + hostName = lib.mkOption { + type = lib.types.str; + default = config.networking.hostName; + }; url = lib.mkOption { type = lib.types.str; default = "https://${config.my.servers.${name}.host}"; }; + ip = lib.mkOption { + type = lib.types.str; + default = + if config.my.servers."${name}".isLocal then + config.my.localhost + else + config.my.ips."${config.my.servers.${name}.hostName}"; + }; local = lib.mkOption { type = lib.types.str; - default = "http://${config.my.localhost}:${toString port}"; + default = "http://${config.my.servers.${name}.ip}:${toString port}"; + }; + isLocal = lib.mkOption { + type = lib.types.bool; + default = "${config.my.servers.${name}.hostName}" == config.my.mainServer; }; }; in diff --git a/modules/servers/shiori.nix b/modules/servers/shiori.nix index d191c0f..8072a18 100644 --- a/modules/servers/shiori.nix +++ b/modules/servers/shiori.nix 
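Review bot: `local`'s default `"http://${config.my.servers.${name}.ip}:${toString port}"` interpolates the `port` function argument, not the `port` option it seeds, so a host overriding `my.servers.<name>.port` gets a proxy target on the old port while `allowedTCPPorts` and the container `ports` use the new one; use `default = "http://${config.my.servers.${name}.ip}:${toString config.my.servers.${name}.port}";`. `hostName`, `ip`, `local` and `isLocal` carry no `description`, and their semantics are the security-relevant part of this commit: `hostName` defaults to the evaluating host, so a service with `enableProxy = true` and `enable = false` on `mainServer` points the proxy at `localhost` unless the host config sets `hostName` to the machine that runs it — the `description` on `hostName` should say exactly that, and `isLocal`'s should say it decides whether `port` is opened in the firewall. In `isLocal`, `"${config.my.servers.${name}.hostName}" == config.my.mainServer` can drop the interpolation since `hostName` is already `types.str`, and the quotes in `config.my.ips."${...}"` likewise.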
@@ -1,26 +1,30 @@ { lib, config, - pkgs, proxyReverse, + setup, ... }: +let + cfg = config.my.servers.shiori; +in { disabledModules = [ "services/web-apps/shiori.nix" ]; - imports = [ ../../pkgs/shiori/shiori-service.nix ]; - options.my.servers.shiori.enable = lib.mkEnableOption "enable"; + imports = [ ../../pkgs/shiori-service.nix ]; + options.my.servers.shiori = setup.mkOptions "shiori" "bookmarks" 4368; config = lib.mkIf (config.my.servers.shiori.enable && config.my.servers.postgres.enable) { - sops.secrets.shiori.sopsFile = ../../secrets/env.yaml; + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; + sops.secrets = lib.mkIf cfg.enable { shiori.sopsFile = ../../secrets/env.yaml; }; services = { - shiori = { + shiori = lib.mkIf cfg.enable { enable = true; - port = 4368; - package = pkgs.callPackage ../../pkgs/shiori/shiori.nix { }; + inherit (cfg) port; environmentFile = config.sops.secrets.shiori.path; databaseUrl = "postgres:///shiori?host=${config.my.postgresSocket}"; }; - nginx.virtualHosts."bookmarks.${config.my.domain}" = - proxyReverse config.services.shiori.port // { }; + nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy ( + proxyReverse cfg.hostName cfg.port // { } + ); }; }; } diff --git a/modules/servers/sonarr.nix b/modules/servers/sonarr.nix index 16f4462..8afc7b9 100644 --- a/modules/servers/sonarr.nix +++ b/modules/servers/sonarr.nix 
@@ -2,17 +2,24 @@ lib, config, proxyReverse, + setup, ... }: +let + cfg = config.my.servers.sonarr; +in { - options.my.servers.sonarr.enable = lib.mkEnableOption "enable"; - config = lib.mkIf config.my.servers.sonarr.enable { + options.my.servers.sonarr = setup.mkOptions "sonarr" "series" 8989; + config = { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; services = { - sonarr = { + sonarr = lib.mkIf cfg.enable { enable = true; group = "piracy"; }; - nginx.virtualHosts."series.${config.my.domain}" = proxyReverse 8989 // { }; + nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy ( + proxyReverse cfg.hostName cfg.port // { } + ); }; }; } diff --git a/modules/servers/vaultwarden.nix b/modules/servers/vaultwarden.nix index ef6e5d8..1f25822 100644 --- a/modules/servers/vaultwarden.nix +++ b/modules/servers/vaultwarden.nix 
@@ -3,23 +3,28 @@ config, pkgs, proxyReverse, + setup, ... }: +let + cfg = config.my.servers.vaultwarden; +in { - options.my.servers.vaultwarden.enable = lib.mkEnableOption "enable"; - config = lib.mkIf (config.my.servers.vaultwarden.enable && config.my.servers.postgres.enable) { - sops.secrets.vaultwarden.sopsFile = ../../secrets/env.yaml; + options.my.servers.vaultwarden = setup.mkOptions "vaultwarden" "vault" 8222; + config = lib.mkIf (cfg.enable && config.my.servers.postgres.enable) { + networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ]; + sops.secrets = lib.mkIf cfg.enable { vaultwarden.sopsFile = ../../secrets/env.yaml; }; services = { - vaultwarden = { + vaultwarden = lib.mkIf cfg.enable { enable = true; dbBackend = "postgresql"; package = pkgs.vaultwarden; environmentFile = config.sops.secrets.vaultwarden.path; config = { ROCKET_ADDRESS = "${config.my.localhost}"; - ROCKET_PORT = 8222; + ROCKET_PORT = cfg.port; WEBSOCKET_PORT = 8333; - DATABASE_URL = "postgresql:///vaultwarden?host=${config.my.postgresSocket}"; + DATABASE_URL = "postgresql:///${cfg.name}?host=${config.my.postgresSocket}"; ENABLE_DB_WAL = false; WEBSOCKET_ENABLED = true; SHOW_PASSWORD_HINT = false; @@ -27,8 +32,9 @@ LOG_LEVEL = "warn"; }; }; - nginx.virtualHosts."vault.${config.my.domain}" = - proxyReverse config.services.vaultwarden.config.ROCKET_PORT // { }; + nginx.virtualHosts."${cfg.host}" = lib.mkIf cfg.enableProxy ( + proxyReverse cfg.hostName cfg.port // { } + ); }; }; } diff --git a/overlay.nix b/overlay.nix index 4912ce9..b395bb4 100644 --- a/overlay.nix +++ b/overlay.nix @@ -41,6 +41,8 @@ _self: super: { inherit (pkgsU) homepage-dashboard; inherit (pkgsU) stash; inherit (pkgsU) kavita; + inherit (pkgsU) mealie; + inherit (pkgsU) shiori; inherit (pkgsM) gallery-dl; inherit (pkgsM) yt-dlp; handbrake = super.handbrake.override { useGtk = true; }; diff --git a/pkgs/mealie-service.nix b/pkgs/mealie-service.nix new file mode 100644 index 0000000..e0e65b6 
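Review bot: `networking.firewall.allowedTCPPorts = lib.mkIf (!cfg.isLocal) [ cfg.port ];` opens `cfg.port` on non-`mainServer` hosts, but the unchanged `ROCKET_ADDRESS = "${config.my.localhost}"` keeps Vaultwarden bound to the loopback, so on such a host the port is open yet nothing answers on the LAN address and the proxy cannot reach it. Make the two agree: either `ROCKET_ADDRESS = cfg.ip;` so a remote deployment works, or drop the firewall line if Vaultwarden is always co-located with nginx, which is the safer default for a password manager. `DATABASE_URL` now uses `cfg.name`, which is not among the options visible in the setup.nix hunks — confirm it is declared in the unseen part of `mkOptions`.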
--- /dev/null
+++ b/pkgs/mealie-service.nix
@@ -0,0 +1,82 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.services.mealie;
+ pkg = cfg.package;
+in
+{
+ options.services.mealie = {
+ enable = lib.mkEnableOption "Mealie, a recipe manager and meal planner";
+
+ package = lib.mkPackageOption pkgs "mealie" { };
+
+ listenAddress = lib.mkOption {
+ type = lib.types.str;
+ default = "0.0.0.0";
+ description = "Address on which the service should listen.";
+ };
+
+ port = lib.mkOption {
+ type = lib.types.port;
+ default = 9000;
+ description = "Port on which to serve the Mealie service.";
+ };
+
+ settings = lib.mkOption {
+ type = with lib.types; attrsOf anything;
+ default = { };
+ description = ''
+ Configuration of the Mealie service.
+
+ See [the mealie documentation](https://nightly.mealie.io/documentation/getting-started/installation/backend-config/) for available options and default values.
+ '';
+ example = {
+ ALLOW_SIGNUP = "false";
+ };
+ };
+
+ credentialsFile = lib.mkOption {
+ type = with lib.types; nullOr path;
+ default = null;
+ example = "/run/secrets/mealie-credentials.env";
+ description = ''
+ File containing credentials used in mealie such as {env}`POSTGRES_PASSWORD`
+ or sensitive LDAP options.
+
+ Expects the format of an `EnvironmentFile=`, as described by {manpage}`systemd.exec(5)`.
+ ''; + }; + }; + + config = lib.mkIf cfg.enable { + systemd.services.mealie = { + description = "Mealie, a self hosted recipe manager and meal planner"; + + after = [ "network-online.target" ]; + wants = [ "network-online.target" ]; + wantedBy = [ "multi-user.target" ]; + + environment = { + PRODUCTION = "true"; + API_PORT = toString cfg.port; + BASE_URL = "http://localhost:${toString cfg.port}"; + DATA_DIR = "/var/lib/mealie"; + CRF_MODEL_PATH = "/var/lib/mealie/model.crfmodel"; + } // (builtins.mapAttrs (_: toString) cfg.settings); + + serviceConfig = { + DynamicUser = true; + User = "mealie"; + ExecStartPre = "${pkg}/libexec/init_db"; + ExecStart = "${lib.getExe pkg} -b ${cfg.listenAddress}:${builtins.toString cfg.port}"; + EnvironmentFile = lib.mkIf (cfg.credentialsFile != null) cfg.credentialsFile; + StateDirectory = "mealie"; + StandardOutput = "journal"; + }; + }; + }; +} diff --git a/pkgs/obs-studio.nix b/pkgs/obs-studio.nix index 6d9c375..6ce6d6e 100644 --- a/pkgs/obs-studio.nix +++ b/pkgs/obs-studio.nix @@ -40,7 +40,7 @@ in config = lib.mkIf cfg.enable { programs.obs-studio.finalPackage = pkgs.wrapOBS.override { obs-studio = cfg.package; } { - plugins = cfg.plugins; + inherit (cfg) plugins; }; environment.systemPackages = [ cfg.finalPackage ]; diff --git a/pkgs/shiori/shiori-service.nix b/pkgs/shiori-service.nix similarity index 99% rename from pkgs/shiori/shiori-service.nix rename to pkgs/shiori-service.nix index 386c5cc..0a37304 100644 --- a/pkgs/shiori/shiori-service.nix +++ b/pkgs/shiori-service.nix @@ -4,7 +4,6 @@ pkgs, ... }: - let cfg = config.services.shiori; in diff --git a/pkgs/shiori/shiori.nix b/pkgs/shiori/shiori.nix deleted file mode 100644 index ad180af..0000000 --- a/pkgs/shiori/shiori.nix +++ /dev/null 
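Review bot: `environment = { ... } // (builtins.mapAttrs (_: toString) cfg.settings);` turns every `settings` entry into an `Environment=` line of the unit, which lives in the world-readable Nix store, so any password placed in `settings` (the module's own doc names `POSTGRES_PASSWORD` and LDAP options) is readable by every local user. The `settings` description should say so explicitly, e.g. `Values are written into the systemd unit in the Nix store and are world-readable; put secrets in credentialsFile instead.`, and the `listenAddress` description should note that `0.0.0.0` listens on every interface and that a loopback address is appropriate behind a reverse proxy on the same host. `serviceConfig` relies on `DynamicUser = true` alone; the usual hardening set (`ProtectSystem`, `ProtectHome`, `PrivateTmp`, `NoNewPrivileges`, an empty `CapabilityBoundingSet`) is cheap to add for a network-facing service, though each should be verified against `ExecStartPre`'s `init_db` and the `/var/lib/mealie` paths.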
@@ -1,43 +0,0 @@
-{
- lib,
- buildGoModule,
- fetchFromGitHub,
- installShellFiles,
-}:
-
-buildGoModule rec {
- pname = "shiori";
- version = "1.7.0";
-
- vendorHash = "sha256-fakRqgoEcdzw9WZuubaxfGfvVrMvb8gV/IwPikMnfRQ=";
-
- doCheck = false;
-
- src = fetchFromGitHub {
- owner = "go-shiori";
- repo = pname;
- rev = "v${version}";
- sha256 = "sha256-5+hTtvBnj3Nh5HitReVkLift9LTiMYVuuYx5EirN0SA=";
- };
-
- nativeBuildInputs = [ installShellFiles ];
- postInstall = ''
- installShellCompletion --cmd shiori \
- --bash <($out/bin/shiori completion bash) \
- --fish <($out/bin/shiori completion fish) \
- --zsh <($out/bin/shiori completion zsh)
- '';
-
- # passthru.tests.smoke-test = nixosTests.shiori; # test broken
-
- meta = with lib; {
- description = "Simple bookmark manager built with Go";
- mainProgram = "shiori";
- homepage = "https://github.com/go-shiori/shiori";
- license = licenses.mit;
- maintainers = with maintainers; [
- minijackson
- CaptainJawZ
- ];
- };
-}