private certificate fix

hosts/vps/toggles.nix

@@ -38,7 +38,7 @@ in
     "bazarr"
     "collabora"
     "gitea"
-    # "homepage"
+    "homepage"
     "isso"
     "jellyfin"
     "kavita"
@@ -53,7 +53,7 @@ in
     "oauth2-proxy"
     "plausible"
     "plex"
-    # "prowlarr"
+    "prowlarr"
     "radarr"
     "sonarr"
     "vaultwarden"

modules/servers/homepage.nix

@@ -9,31 +9,33 @@ let
 in
 {
   options.my.servers.homepage = setup.mkOptions "homepage" "home" 8082;
-  config = lib.mkIf (cfg.enable && config.my.secureHost) {
+  config = lib.mkMerge [
-    sops.secrets = {
+    (lib.mkIf (cfg.enable && config.my.secureHost) {
-      homepage.sopsFile = ../../secrets/homepage.yaml;
+      sops.secrets.homepage.sopsFile = ../../secrets/homepage.yaml;
-      "private-ca/pem" = {
+      services.homepage-dashboard = {
+        inherit (cfg) enable;
+        listenPort = cfg.port;
+        environmentFile = config.sops.secrets.homepage.path;
+        settings = {
+          providers.openweathermap = "{{HOMEPAGE_VAR_OPENWEATHERMAP_API_KEY}}";
+          layout = import ./homepage/layout.nix;
+        };
+        widgets = import ./homepage/widgets.nix;
+        services = import ./homepage/services.nix { inherit lib config; };
+        bookmarks =
+          builtins.readDir ./homepage/bookmarks
+          |> builtins.attrNames
+          |> builtins.filter (file: builtins.match ".*\\.nix" file != null)
+          |> map (file: import ./homepage/bookmarks/${file});
+      };
+    })
+    (lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
+      sops.secrets."private-ca/pem" = {
         sopsFile = ../../secrets/certs.yaml;
         owner = "nginx";
         group = "nginx";
       };
-    };
+      my.servers.homepage.certPath = config.sops.secrets."private-ca/pem".path;
-    my.servers.homepage.certPath = config.sops.secrets."private-ca/pem".path;
+    })
-    services.homepage-dashboard = {
+  ];
-      inherit (cfg) enable;
-      listenPort = cfg.port;
-      environmentFile = config.sops.secrets.homepage.path;
-      settings = {
-        providers.openweathermap = "{{HOMEPAGE_VAR_OPENWEATHERMAP_API_KEY}}";
-        layout = import ./homepage/layout.nix;
-      };
-      widgets = import ./homepage/widgets.nix;
-      services = import ./homepage/services.nix { inherit lib config; };
-      bookmarks =
-        builtins.readDir ./homepage/bookmarks
-        |> builtins.attrNames
-        |> builtins.filter (file: builtins.match ".*\\.nix" file != null)
-        |> map (file: import ./homepage/bookmarks/${file});
-    };
-  };
 }

modules/servers/prowlarr.nix

@@ -9,27 +9,29 @@ let
 in
 {
   options.my.servers.prowlarr = setup.mkOptions "prowlarr" "indexer" 9696;
-  config = lib.mkIf cfg.enable {
+  config = lib.mkMerge [
-    sops.secrets = lib.mkIf cfg.enable {
+    (lib.mkIf cfg.enable {
-      "private-ca/pem" = {
+      users.users.prowlarr = {
+        uid = 987;
+        group = "piracy";
+        isSystemUser = true;
+      };
+      services = {
+        prowlarr = {
+          inherit (cfg) enable;
+        };
+        flaresolverr = {
+          inherit (cfg) enable;
+        };
+      };
+    })
+    (lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
+      sops.secrets."private-ca/pem" = {
         sopsFile = ../../secrets/certs.yaml;
         owner = "nginx";
         group = "nginx";
       };
-    };
+      my.servers.prowlarr.certPath = config.sops.secrets."private-ca/pem".path;
-    my.servers.prowlarr.certPath = config.sops.secrets."private-ca/pem".path;
+    })
-    users.users.prowlarr = {
+  ];
-      uid = 987;
-      group = "piracy";
-      isSystemUser = true;
-    };
-    services = {
-      prowlarr = {
-        inherit (cfg) enable;
-      };
-      flaresolverr = {
-        inherit (cfg) enable;
-      };
-    };
-  };
 }

modules/servers/stash.nix

@@ -29,52 +29,56 @@ let
 in
 {
   options.my.servers.stash = setup.mkOptions "stash" "xxx" 9999;
-  config = lib.mkIf (cfg.enable && config.my.secureHost) {
+  config = lib.mkMerge [
-    sops.secrets = {
+    (lib.mkIf (cfg.enable && config.my.secureHost) {
-      "stash/password".sopsFile = ../../secrets/secrets.yaml;
+      sops.secrets = {
-      "stash/jwt".sopsFile = ../../secrets/secrets.yaml;
+        "stash/password".sopsFile = ../../secrets/secrets.yaml;
-      "stash/session".sopsFile = ../../secrets/secrets.yaml;
+        "stash/jwt".sopsFile = ../../secrets/secrets.yaml;
-      "private-ca/pem" = {
+        "stash/session".sopsFile = ../../secrets/secrets.yaml;
+      };
+      services.stash = {
+        inherit (cfg) enable;
+        group = "glue";
+        mutableSettings = true;
+        username = "Suing8150";
+        passwordFile = config.sops.secrets."stash/password".path;
+        jwtSecretKeyFile = config.sops.secrets."stash/jwt".path;
+        sessionStoreKeyFile = config.sops.secrets."stash/session".path;
+        settings = {
+          inherit (cfg) port;
+          host = "0.0.0.0";
+          stash = [
+            {
+              path = "/srv/pool/glue/";
+            }
+          ];
+        };
+      };
+      systemd.services.stash = {
+        environment = {
+          PYTHONPATH = "/var/lib/stash/venv/lib/python3.12/site-packages";
+          LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib:${pkgs.glibc}/lib:${pkgs.zlib}/lib:${pkgs.libffi}/lib:${pkgs.openssl}/lib";
+        };
+        serviceConfig = {
+          PrivateUsers = lib.mkForce false;
+          BindReadOnlyPaths = lib.mkForce [ ];
+          BindPaths = lib.mkIf (cfgS.settings != { }) (map (stash: "${stash.path}") cfgS.settings.stash);
+        };
+      };
+      users.users.stash = {
+        uid = 974;
+        isSystemUser = true;
+        group = "glue";
+        packages = [ stashPythonFHS ];
+      };
+    })
+    (lib.mkIf (cfg.enableProxy && config.my.enableProxy && config.my.secureHost) {
+      sops.secrets."private-ca/pem" = {
         sopsFile = ../../secrets/certs.yaml;
         owner = "nginx";
         group = "nginx";
       };
-    };
+      my.servers.stash.certPath = config.sops.secrets."private-ca/pem".path;
-    my.servers.stash.certPath = config.sops.secrets."private-ca/pem".path;
+    })
-    services.stash = {
+  ];
-      inherit (cfg) enable;
-      group = "glue";
-      mutableSettings = true;
-      username = "Suing8150";
-      passwordFile = config.sops.secrets."stash/password".path;
-      jwtSecretKeyFile = config.sops.secrets."stash/jwt".path;
-      sessionStoreKeyFile = config.sops.secrets."stash/session".path;
-      settings = {
-        inherit (cfg) port;
-        host = "0.0.0.0";
-        stash = [
-          {
-            path = "/srv/pool/glue/";
-          }
-        ];
-      };
-    };
-    systemd.services.stash = {
-      environment = {
-        PYTHONPATH = "/var/lib/stash/venv/lib/python3.12/site-packages";
-        LD_LIBRARY_PATH = "${pkgs.stdenv.cc.cc.lib}/lib:${pkgs.glibc}/lib:${pkgs.zlib}/lib:${pkgs.libffi}/lib:${pkgs.openssl}/lib";
-      };
-      serviceConfig = {
-        PrivateUsers = lib.mkForce false;
-        BindReadOnlyPaths = lib.mkForce [ ];
-        BindPaths = lib.mkIf (cfgS.settings != { }) (map (stash: "${stash.path}") cfgS.settings.stash);
-      };
-    };
-    users.users.stash = {
-      uid = 974;
-      isSystemUser = true;
-      group = "glue";
-      packages = [ stashPythonFHS ];
-    };
-  };
 }