From d14a7ba395c9b3f0fd3e2a004dc4e9bd6815d486 Mon Sep 17 00:00:00 2001
From: Danilo Reyes
Date: Thu, 5 Feb 2026 06:26:40 -0600
Subject: [PATCH] private certificate fix

---
 hosts/vps/toggles.nix | 4 +-
 modules/servers/homepage.nix | 48 ++++++++++---------
 modules/servers/prowlarr.nix | 40 ++++++++--------
 modules/servers/stash.nix | 92 +++++++++++++++++++-----------
 4 files changed, 96 insertions(+), 88 deletions(-)

diff --git a/hosts/vps/toggles.nix b/hosts/vps/toggles.nix
index f9f151a..0156271 100644
--- a/hosts/vps/toggles.nix
+++ b/hosts/vps/toggles.nix
@@ -38,7 +38,7 @@ in
 "bazarr"
 "collabora"
 "gitea"
- # "homepage"
+ "homepage"
 "isso"
 "jellyfin"
 "kavita"
@@ -53,7 +53,7 @@ in
 "oauth2-proxy"
 "plausible"
 "plex"
- # "prowlarr"
+ "prowlarr"
 "radarr"
 "sonarr"
 "vaultwarden"
diff --git a/modules/servers/homepage.nix b/modules/servers/homepage.nix
index 9e39ca5..bd2f575 100644
--- a/modules/servers/homepage.nix
+++ b/modules/servers/homepage.nix
@@ -9,31 +9,33 @@ let
 in
 {
 options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082;
- config = lib.mkIf (cfg.enable && config.my.secureHost) {
- sops.secrets = {
- homepage.sopsFile = ../../secrets/homepage.yaml;
- "private-ca/pem" = {
+ config = lib.mkMerge [
+ (lib.mkIf (cfg.enable && config.my.secureHost) {
+ sops.secrets.homepage.sopsFile = ../../secrets/homepage.yaml;
+ services.homepage-dashboard = {
+ inherit (cfg) enable;
+ listenPort = cfg.port;
+ environmentFile = config.sops.secrets.homepage.path;
+ settings = {
+ providers.openweathermap = "{{HOMEPAGE_VAR_OPENWEATHERMAP_API_KEY}}";
+ layout = import ./homepage/layout.nix;
+ };
+ widgets = import ./homepage/widgets.nix;
+ services = import ./homepage/services.nix { inherit lib config; };
+ bookmarks =
+ builtins.readDir ./homepage/bookmarks
+ |> builtins.attrNames
+ |> builtins.filter (file: builtins.match ".*\\.nix" file != null)
+ |> map (file: import ./homepage/bookmarks/${file});
+ };
+ })
+ (lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
+ sops.secrets."private-ca/pem" = {
 sopsFile = ../../secrets/certs.yaml;
 owner = "nginx";
 group = "nginx";
 };
- };
- my.servers.homepage.certPath = config.sops.secrets."private-ca/pem".path;
- services.homepage-dashboard = {
- inherit (cfg) enable;
- listenPort = cfg.port;
- environmentFile = config.sops.secrets.homepage.path;
- settings = {
- providers.openweathermap = "{{HOMEPAGE_VAR_OPENWEATHERMAP_API_KEY}}";
- layout = import ./homepage/layout.nix;
- };
- widgets = import ./homepage/widgets.nix;
- services = import ./homepage/services.nix { inherit lib config; };
- bookmarks =
- builtins.readDir ./homepage/bookmarks
- |> builtins.attrNames
- |> builtins.filter (file: builtins.match ".*\\.nix" file != null)
- |> map (file: import ./homepage/bookmarks/${file});
- };
- };
+ my.servers.homepage.certPath = config.sops.secrets."private-ca/pem".path;
+ })
+ ];
 }
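Review bot: The new proxy-only `lib.mkIf` block that declares `sops.secrets."private-ca/pem"` with `owner = "nginx"` carries no comment saying why it was split away from the service block; the commit subject suggests the previous unconditional declaration failed on hosts without an nginx user, but that is inferred rather than visible here. A one-line comment above that `lib.mkIf`, such as `# private CA is only materialized where nginx terminates TLS; the nginx owner/group must exist on the host`, would record the intent for the next reader. The condition `cfg.enableProxy && config.my.enableProxy && config.my.secureHost` and the whole secret declaration are repeated verbatim in prowlarr.nix and stash.nix in this same patch, so a shared helper next to `setup.mkOptions` (name to be chosen) would keep the three copies from drifting. The `let` bindings that define `cfg` start outside the hunk.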
diff --git a/modules/servers/prowlarr.nix b/modules/servers/prowlarr.nix
index f49b5a6..5d5eee3 100644
--- a/modules/servers/prowlarr.nix
+++ b/modules/servers/prowlarr.nix
@@ -9,27 +9,29 @@ let
 in
 {
 options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696;
- config = lib.mkIf cfg.enable {
- sops.secrets = lib.mkIf cfg.enable {
- "private-ca/pem" = {
+ config = lib.mkMerge [
+ (lib.mkIf cfg.enable {
+ users.users.prowlarr = {
+ uid = 987;
+ group = "piracy";
+ isSystemUser = true;
+ };
+ services = {
+ prowlarr = {
+ inherit (cfg) enable;
+ };
+ flaresolverr = {
+ inherit (cfg) enable;
+ };
+ };
+ })
+ (lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
+ sops.secrets."private-ca/pem" = {
 sopsFile = ../../secrets/certs.yaml;
 owner = "nginx";
 group = "nginx";
 };
- };
- my.servers.prowlarr.certPath = config.sops.secrets."private-ca/pem".path;
- users.users.prowlarr = {
- uid = 987;
- group = "piracy";
- isSystemUser = true;
- };
- services = {
- prowlarr = {
- inherit (cfg) enable;
- };
- flaresolverr = {
- inherit (cfg) enable;
- };
- };
- };
+ my.servers.prowlarr.certPath = config.sops.secrets."private-ca/pem".path;
+ })
+ ];
 }
diff --git a/modules/servers/stash.nix b/modules/servers/stash.nix
index 0ac0875..56c1a1c 100644
--- a/modules/servers/stash.nix
+++ b/modules/servers/stash.nix
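Review bot: The service block is gated on `cfg.enable` alone, whereas the homepage and stash blocks in this same patch also require `config.my.secureHost`; as written, a non-secure host with `enableProxy` set would start prowlarr and flaresolverr while the second `lib.mkIf` (which does require `secureHost`) never sets `certPath`. If running these services without the private CA on such hosts is intended, a short comment on the first `lib.mkIf` would make that explicit; otherwise the guard should match its siblings, `(lib.mkIf (cfg.enable && config.my.secureHost) {`. The `let` bindings that define `cfg` are outside the hunk.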
@@ -29,52 +29,56 @@ let
 in
 {
 options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999;
- config = lib.mkIf (cfg.enable && config.my.secureHost) {
- sops.secrets = {
- "stash/password".sopsFile = ../../secrets/secrets.yaml;
- "stash/jwt".sopsFile = ../../secrets/secrets.yaml;
- "stash/session".sopsFile = ../../secrets/secrets.yaml;
- "private-ca/pem" = {
+ config = lib.mkMerge [
+ (lib.mkIf (cfg.enable && config.my.secureHost) {
+ sops.secrets = {
+ "stash/password".sopsFile = ../../secrets/secrets.yaml;
+ "stash/jwt".sopsFile = ../../secrets/secrets.yaml;
+ "stash/session".sopsFile = ../../secrets/secrets.yaml;
+ };
+ services.stash = {
+ inherit (cfg) enable;
+ group = "glue";
+ mutableSettings = true;
+ username = "Suing8150";
+ passwordFile = config.sops.secrets."stash/password".path;
+ jwtSecretKeyFile = config.sops.secrets."stash/jwt".path;
+ sessionStoreKeyFile = config.sops.secrets."stash/session".path;
+ settings = {
+ inherit (cfg) port;
+ host = "0.0.0.0";
+ stash = [
+ {
+ path = "/srv/pool/glue/";
+ }
+ ];
+ };
+ };
+ systemd.services.stash = {
+ environment = {
+ PYTHONPATH = "/var/lib/stash/venv/lib/python3.12/site-packages";
+ LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib:${pkgs.glibc}/lib:${pkgs.zlib}/lib:${pkgs.libffi}/lib:${pkgs.openssl}/lib";
+ };
+ serviceConfig = {
+ PrivateUsers = lib.mkForce false;
+ BindReadOnlyPaths = lib.mkForce [ ];
+ BindPaths = lib.mkIf (cfgS.settings != { }) (map (stash: "${stash.path}") cfgS.settings.stash);
+ };
+ };
+ users.users.stash = {
+ uid = 974;
+ isSystemUser = true;
+ group = "glue";
+ packages = [ stashPythonFHS ];
+ };
+ })
+ (lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
+ sops.secrets."private-ca/pem" = {
 sopsFile = ../../secrets/certs.yaml;
 owner = "nginx";
 group = "nginx";
 };
- };
- my.servers.stash.certPath = config.sops.secrets."private-ca/pem".path;
- services.stash = {
- inherit (cfg) enable;
- group = "glue";
- mutableSettings = true;
- username = "Suing8150";
- passwordFile = config.sops.secrets."stash/password".path;
- jwtSecretKeyFile = config.sops.secrets."stash/jwt".path;
- sessionStoreKeyFile = config.sops.secrets."stash/session".path;
- settings = {
- inherit (cfg) port;
- host = "0.0.0.0";
- stash = [
- {
- path = "/srv/pool/glue/";
- }
- ];
- };
- };
- systemd.services.stash = {
- environment = {
- PYTHONPATH = "/var/lib/stash/venv/lib/python3.12/site-packages";
- LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib:${pkgs.glibc}/lib:${pkgs.zlib}/lib:${pkgs.libffi}/lib:${pkgs.openssl}/lib";
- };
- serviceConfig = {
- PrivateUsers = lib.mkForce false;
- BindReadOnlyPaths = lib.mkForce [ ];
- BindPaths = lib.mkIf (cfgS.settings != { }) (map (stash: "${stash.path}") cfgS.settings.stash);
- };
- };
- users.users.stash = {
- uid = 974;
- isSystemUser = true;
- group = "glue";
- packages = [ stashPythonFHS ];
- };
- };
+ my.servers.stash.certPath = config.sops.secrets."private-ca/pem".path;
+ })
+ ];
 }
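Review bot: The relocated `serviceConfig` block forces `PrivateUsers = false` and empties `BindReadOnlyPaths`, which relaxes the sandboxing the upstream stash unit ships with, and neither override says what would break without it; the `stashPythonFHS` package and the venv `PYTHONPATH` suggest the Python plugin environment is the reason, but that is an inference. A comment on the `serviceConfig` line such as `# sandbox relaxed for the FHS python venv: needs the real user namespace and unrestricted read paths — confirm` would record the trade-off where the next reviewer will look for it. Separately, `host = "0.0.0.0"` keeps stash listening on every interface even when `cfg.enableProxy` is set and nginx terminates TLS; if the proxy runs on the same host, binding to loopback in that case would narrow the exposed surface. The `let` block that defines `cfgS` and `stashPythonFHS` is outside the hunk.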