jawz/NixOS
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

private certificate fix

Browse Source
This commit is contained in:
Danilo Reyes
2026-02-05 06:26:40 -06:00
parent eddef549e7
commit d14a7ba395
4 changed files with 96 additions and 88 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
modules/servers/homepage.nix
View File

@@ -9,31 +9,33 @@ let
in
{
options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082;
config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets = {
homepage.sopsFile = ../../secrets/homepage.yaml;
"private-ca/pem" = {
config = lib.mkMerge [
(lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets.homepage.sopsFile = ../../secrets/homepage.yaml;
services.homepage-dashboard = {
inherit (cfg) enable;
listenPort = cfg.port;
environmentFile = config.sops.secrets.homepage.path;
settings = {
providers.openweathermap = "{{HOMEPAGE_VAR_OPENWEATHERMAP_API_KEY}}";
layout = import ./homepage/layout.nix;
};
widgets = import ./homepage/widgets.nix;
services = import ./homepage/services.nix { inherit lib config; };
bookmarks =
builtins.readDir ./homepage/bookmarks
|> builtins.attrNames
|> builtins.filter (file: builtins.match ".*\\.nix" file != null)
|> map (file: import ./homepage/bookmarks/${file});
};
})
(lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
sops.secrets."private-ca/pem" = {
sopsFile = ../../secrets/certs.yaml;
owner = "nginx";
group = "nginx";
};
};
my.servers.homepage.certPath = config.sops.secrets."private-ca/pem".path;
services.homepage-dashboard = {
inherit (cfg) enable;
listenPort = cfg.port;
environmentFile = config.sops.secrets.homepage.path;
settings = {
providers.openweathermap = "{{HOMEPAGE_VAR_OPENWEATHERMAP_API_KEY}}";
layout = import ./homepage/layout.nix;
};
widgets = import ./homepage/widgets.nix;
services = import ./homepage/services.nix { inherit lib config; };
bookmarks =
builtins.readDir ./homepage/bookmarks
|> builtins.attrNames
|> builtins.filter (file: builtins.match ".*\\.nix" file != null)
|> map (file: import ./homepage/bookmarks/${file});
};
};
my.servers.homepage.certPath = config.sops.secrets."private-ca/pem".path;
})
];
}

40
modules/servers/prowlarr.nix
View File

@@ -9,27 +9,29 @@ let
in
{
options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696;
config = lib.mkIf cfg.enable {
sops.secrets = lib.mkIf cfg.enable {
"private-ca/pem" = {
config = lib.mkMerge [
(lib.mkIf cfg.enable {
users.users.prowlarr = {
uid = 987;
group = "piracy";
isSystemUser = true;
};
services = {
prowlarr = {
inherit (cfg) enable;
};
flaresolverr = {
inherit (cfg) enable;
};
};
})
(lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
sops.secrets."private-ca/pem" = {
sopsFile = ../../secrets/certs.yaml;
owner = "nginx";
group = "nginx";
};
};
my.servers.prowlarr.certPath = config.sops.secrets."private-ca/pem".path;
users.users.prowlarr = {
uid = 987;
group = "piracy";
isSystemUser = true;
};
services = {
prowlarr = {
inherit (cfg) enable;
};
flaresolverr = {
inherit (cfg) enable;
};
};
};
my.servers.prowlarr.certPath = config.sops.secrets."private-ca/pem".path;
})
];
}

92
modules/servers/stash.nix
View File

@@ -29,52 +29,56 @@ let
in
{
options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999;
config = lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets = {
"stash/password".sopsFile = ../../secrets/secrets.yaml;
"stash/jwt".sopsFile = ../../secrets/secrets.yaml;
"stash/session".sopsFile = ../../secrets/secrets.yaml;
"private-ca/pem" = {
config = lib.mkMerge [
(lib.mkIf (cfg.enable && config.my.secureHost) {
sops.secrets = {
"stash/password".sopsFile = ../../secrets/secrets.yaml;
"stash/jwt".sopsFile = ../../secrets/secrets.yaml;
"stash/session".sopsFile = ../../secrets/secrets.yaml;
};
services.stash = {
inherit (cfg) enable;
group = "glue";
mutableSettings = true;
username = "Suing8150";
passwordFile = config.sops.secrets."stash/password".path;
jwtSecretKeyFile = config.sops.secrets."stash/jwt".path;
sessionStoreKeyFile = config.sops.secrets."stash/session".path;
settings = {
inherit (cfg) port;
host = "0.0.0.0";
stash = [
{
path = "/srv/pool/glue/";
}
];
};
};
systemd.services.stash = {
environment = {
PYTHONPATH = "/var/lib/stash/venv/lib/python3.12/site-packages";
LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib:${pkgs.glibc}/lib:${pkgs.zlib}/lib:${pkgs.libffi}/lib:${pkgs.openssl}/lib";
};
serviceConfig = {
PrivateUsers = lib.mkForce false;
BindReadOnlyPaths = lib.mkForce [ ];
BindPaths = lib.mkIf (cfgS.settings != { }) (map (stash: "${stash.path}") cfgS.settings.stash);
};
};
users.users.stash = {
uid = 974;
isSystemUser = true;
group = "glue";
packages = [ stashPythonFHS ];
};
})
(lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
sops.secrets."private-ca/pem" = {
sopsFile = ../../secrets/certs.yaml;
owner = "nginx";
group = "nginx";
};
};
my.servers.stash.certPath = config.sops.secrets."private-ca/pem".path;
services.stash = {
inherit (cfg) enable;
group = "glue";
mutableSettings = true;
username = "Suing8150";
passwordFile = config.sops.secrets."stash/password".path;
jwtSecretKeyFile = config.sops.secrets."stash/jwt".path;
sessionStoreKeyFile = config.sops.secrets."stash/session".path;
settings = {
inherit (cfg) port;
host = "0.0.0.0";
stash = [
{
path = "/srv/pool/glue/";
}
];
};
};
systemd.services.stash = {
environment = {
PYTHONPATH = "/var/lib/stash/venv/lib/python3.12/site-packages";
LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib:${pkgs.glibc}/lib:${pkgs.zlib}/lib:${pkgs.libffi}/lib:${pkgs.openssl}/lib";
};
serviceConfig = {
PrivateUsers = lib.mkForce false;
BindReadOnlyPaths = lib.mkForce [ ];
BindPaths = lib.mkIf (cfgS.settings != { }) (map (stash: "${stash.path}") cfgS.settings.stash);
};
};
users.users.stash = {
uid = 974;
isSystemUser = true;
group = "glue";
packages = [ stashPythonFHS ];
};
};
my.servers.stash.certPath = config.sops.secrets."private-ca/pem".path;
})
];
}