dotfiles/modules/nixos/services/glance/default.nix

{ config, flake, ... }:
let
  inherit (flake.config.services.instances)
    glance
    jellyfin
    web
    ;
  inherit (flake.config.machines.devices) ceres mars deimos;
  configHelpers = {
    service = glance;
    hostname = config.networking.hostName;
    localhost = web.localhost.address1;
    host = configHelpers.service.domains.url0;
  };
  configPath = ./config;
  configImports = {
    server = import (configPath + /server.nix) { inherit flake configHelpers; };
    branding = import (configPath + /branding.nix);
    theme = import (configPath + /theme.nix);
    pages = import (configPath + /pages.nix) { inherit config flake; };
  };
in
{
  services = {
    glance = {
      enable = true;
      settings = configImports;
    };
    caddy = {
      virtualHosts = {
        "${configHelpers.host}" = {
          extraConfig = ''
            @allowed_ips {
              remote_ip ${mars.wireguard.ip0} ${deimos.wireguard.ip0}
            }

            handle @allowed_ips {
              redir /.well-known/carddav /remote.php/dav/ 301
              redir /.well-known/caldav /remote.php/dav/ 301
              reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0}
            }
            handle {
              respond "Access Denied" 403
            }
            tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key}
          '';
        };
      };
    };
  };
  sops =
    let
      sopsPath = secret: {
        path = "/run/secrets/${configHelpers.service.name}-${secret}";
        owner = "root";
        group = "root";
        mode = "644";
      };
    in
    {
      secrets = builtins.listToAttrs (
        map
          (secret: {
            name = "${configHelpers.service.name}-${secret}";
            value = sopsPath secret;
          })
          [
            # "key"
            # "${user0}-pass"
            jellyfin.name
          ]
      );
    };

  networking = {
    firewall = {
      interfaces.wg0.allowedTCPPorts = [
        configHelpers.service.ports.port0
      ];
    };
  };
}
feat: added glance 2025-05-24 02:45:00 -05:00			`{ config, flake, ... }:`
			`let`
feat: added glance to caddy 2025-07-03 19:49:48 -05:00			`inherit (flake.config.services.instances)`
			`glance`
			`jellyfin`
			`web`
			`;`
			`inherit (flake.config.machines.devices) ceres mars deimos;`
			`configHelpers = {`
			`service = glance;`
			`hostname = config.networking.hostName;`
feat: glance test 2025-07-03 21:01:55 -05:00			`localhost = web.localhost.address1;`
feat: added glance to caddy 2025-07-03 19:49:48 -05:00			`host = configHelpers.service.domains.url0;`
			`};`
feat: refactored glance 2025-05-25 18:28:37 -05:00			`configPath = ./config;`
			`configImports = {`
feat: added glance to caddy 2025-07-03 20:11:18 -05:00			`server = import (configPath + /server.nix) { inherit flake configHelpers; };`
feat: refactored glance 2025-05-25 18:28:37 -05:00			`branding = import (configPath + /branding.nix);`
			`theme = import (configPath + /theme.nix);`
			`pages = import (configPath + /pages.nix) { inherit config flake; };`
			`};`
feat: added glance 2025-05-24 02:45:00 -05:00			`in`
			`{`
			`services = {`
			`glance = {`
			`enable = true;`
feat: refactored glance 2025-05-25 18:28:37 -05:00			`settings = configImports;`
			`};`
feat: glance test 2025-07-03 20:21:14 -05:00			`caddy = {`
			`virtualHosts = {`
			`"${configHelpers.host}" = {`
			`extraConfig = ''`
feat: glance test 2025-07-03 20:56:06 -05:00			`@allowed_ips {`
			`remote_ip ${mars.wireguard.ip0} ${deimos.wireguard.ip0}`
			`}`
feat: added glance to caddy 2025-07-03 19:49:48 -05:00
feat: glance test 2025-07-03 20:56:06 -05:00			`handle @allowed_ips {`
			`redir /.well-known/carddav /remote.php/dav/ 301`
			`redir /.well-known/caldav /remote.php/dav/ 301`
			`reverse_proxy ${ceres.wireguard.ip0}:${toString configHelpers.service.ports.port0}`
			`}`
			`handle {`
			`respond "Access Denied" 403`
			`}`
feat: glance test 2025-07-03 20:21:14 -05:00			`tls ${configHelpers.service.ssl.cert} ${configHelpers.service.ssl.key}`
			`'';`
			`};`
feat: added glance to caddy 2025-07-03 19:49:48 -05:00			`};`
			`};`
			`};`
feat: refactored glance 2025-05-25 18:28:37 -05:00			`sops =`
			`let`
			`sopsPath = secret: {`
feat: added glance to caddy 2025-07-03 20:11:18 -05:00			`path = "/run/secrets/${configHelpers.service.name}-${secret}";`
feat: refactored glance 2025-05-25 18:28:37 -05:00			`owner = "root";`
feat: updated glance 2025-05-26 14:56:10 -05:00			`group = "root";`
			`mode = "644";`
feat: added glance 2025-05-24 02:45:00 -05:00			`};`
feat: refactored glance 2025-05-25 18:28:37 -05:00			`in`
			`{`
			`secrets = builtins.listToAttrs (`
			`map`
			`(secret: {`
feat: added glance to caddy 2025-07-03 20:11:18 -05:00			`name = "${configHelpers.service.name}-${secret}";`
feat: refactored glance 2025-05-25 18:28:37 -05:00			`value = sopsPath secret;`
			`})`
			`[`
			`# "key"`
			`# "${user0}-pass"`
			`jellyfin.name`
			`]`
			`);`
feat: added glance 2025-05-24 02:45:00 -05:00			`};`

			`networking = {`
			`firewall = {`
feat: glance test 2025-07-03 20:56:06 -05:00			`interfaces.wg0.allowedTCPPorts = [`
feat: added glance to caddy 2025-07-03 20:11:18 -05:00			`configHelpers.service.ports.port0`
feat: added glance 2025-05-24 02:45:00 -05:00			`];`
			`};`
			`};`
			`}`