diff --git a/modules/config/instances/config/jellyfin.nix b/modules/config/instances/config/jellyfin.nix index 377f3f9..80d53ba 100755 --- a/modules/config/instances/config/jellyfin.nix +++ b/modules/config/instances/config/jellyfin.nix @@ -6,12 +6,10 @@ let varPath mntPath cachePath - secretPath ; label = "Jellyfin"; name = "jellyfin"; domain = "${name}.${domain0}"; - secrets = "${secretPath}/${name}"; ssl = "${sslPath}/${name}.${domain0}"; in { @@ -41,8 +39,8 @@ in interface = { id = "vm-${name}"; mac = "02:00:00:00:00:52"; - idUser = "vmuser-jellyfin"; - macUser = "02:00:00:00:00:04"; + idUser = "vmuser-${name}"; + macUser = "03:00:00:00:00:04"; ip = "192.168.50.152"; gate = "192.168.50.1"; ssh = 2202; @@ -59,7 +57,4 @@ in mntPaths = { path0 = "${mntPath}/${name}"; }; - secretPaths = { - path0 = secrets; - }; } diff --git a/modules/nixos/services/jellyfin/default.nix b/modules/nixos/services/jellyfin/default.nix index 841f0f3..c909736 100755 --- a/modules/nixos/services/jellyfin/default.nix +++ b/modules/nixos/services/jellyfin/default.nix @@ -6,24 +6,15 @@ let inherit (flake.config.people) user0; inherit (flake.config.services) instances; - serviceCfg = flake.config.services.instances.jellyfin; - hostCfg = flake.config.services.instances.web; - host = serviceCfg.domains.url0; + serviceCfg = instances.jellyfin; + hostCfg = instances.web; dns0 = instances.web.dns.provider0; + host = serviceCfg.domains.url0; dns0Path = "dns/${dns0}"; in { - users.users.caddy.extraGroups = [ "acme" ]; - - security.acme.certs."${host}" = { - dnsProvider = dns0; - environmentFile = config.sops.secrets.${dns0Path}.path; - group = "caddy"; - }; - microvm.vms.jellyin = { autostart = true; - restartIfChanged = true; config = { system.stateVersion = "24.05"; @@ -33,11 +24,6 @@ in jellyfin = { enable = true; openFirewall = true; - user = user0; - }; - jellyseerr = { - openFirewall = true; - enable = true; }; openssh = { 
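Review bot: The new `macUser = "03:00:00:00:00:04";` in the `interface` block sets the least-significant bit of the first octet, which makes it a multicast/group MAC rather than a unicast locally-administered one; `02:` (as in `mac = "02:00:00:00:00:52";` two lines above) keeps the local bit and clears the multicast bit. Linux refuses a multicast address as an interface hardware address, so the user-side interface is likely to fail to come up or end up with a different MAC than the one configured here. If the intent was only to avoid a clash with another VM's `…:00:04` address, keep the `02:` prefix and vary a later octet, e.g. `macUser = "02:00:00:00:01:04";`. The `idUser = "vmuser-${name}";` rename itself is fine and now matches `id = "vm-${name}";`.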
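Review bot: `dns0 = instances.web.dns.provider0;` stays on the context line directly after the new `hostCfg = instances.web;`, so the same attrset is now reached two different ways inside one let block; `dns0 = hostCfg.dns.provider0;` would make the new binding earn its place. The vaultwarden let-hunk at `@@ -6,10 +6,11 @@` introduces `hostCfg` the same way and has the same leftover. The VM attribute on the context line `microvm.vms.jellyin = {` is pre-existing, but since this commit moves the share tags to `${serviceCfg.name}`, `microvm.vms.${serviceCfg.name} = {` would both fix the apparent typo and tie the VM name to the instance config. The hunk ends inside `config = {`, which continues past its last line.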
@@ -50,10 +36,12 @@ in
 };
 networking.firewall.allowedTCPPorts = [
+ 22
 serviceCfg.ports.port0
 serviceCfg.ports.port1
 serviceCfg.ports.port2
 ];
+
 systemd.network = {
 enable = true;
 networks."20-lan" = {
@@ -75,6 +63,7 @@ in
 };
 systemd.services.systemd-networkd.wantedBy = [ "multi-user.target" ];
+
 microvm = {
 vcpu = 4;
 mem = 4096;
@@ -91,6 +80,7 @@ in
 mac = serviceCfg.interface.macUser;
 }
 ];
+
 forwardPorts = [
 {
 from = "host";
@@ -110,37 +100,50 @@ in
 mountPoint = serviceCfg.varPaths.path0;
 proto = "virtiofs";
 source = serviceCfg.mntPaths.path0;
- tag = "service_data";
+ tag = "${serviceCfg.name}_data";
 }
 {
 mountPoint = serviceCfg.varPaths.path1;
 proto = "virtiofs";
 source = "${serviceCfg.mntPaths.path0}/cache";
- tag = "service_cache";
+ tag = "${serviceCfg.name}_cache";
 }
 ];
 };
 };
 };
- systemd.tmpfiles.rules = [
- "d ${serviceCfg.mntPaths.path0} 0755 root root -"
- ];
+ security.acme.certs."${host}" = {
+ dnsProvider = dns0;
+ environmentFile = config.sops.secrets.${dns0Path}.path;
+ group = "caddy";
+ };
 services = {
 caddy = {
 virtualHosts = {
 "${host}" = {
 extraConfig = ''
+ reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} {
+ header_up X-Real-IP {remote_host}
+ }
+
 redir /.well-known/carddav /remote.php/dav/ 301
 redir /.well-known/caldav /remote.php/dav/ 301
- reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0}
- tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
+ encode zstd gzip
 '';
 };
 };
 };
 };
+
+ users.users.caddy.extraGroups = [ "acme" ];
+
+ systemd.tmpfiles.rules = [
+ "d ${serviceCfg.mntPaths.path0} 0755 root root -"
+ "d ${serviceCfg.mntPaths.path0}/cache 0755 root root -"
+ ];
+
 }
diff --git a/modules/nixos/services/vaultwarden/default.nix b/modules/nixos/services/vaultwarden/default.nix
index a1c82b2..ebdf53b 100755
--- a/modules/nixos/services/vaultwarden/default.nix
+++ b/modules/nixos/services/vaultwarden/default.nix
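Review bot: Adding `22` to `networking.firewall.allowedTCPPorts` opens the guest's SSH daemon on its LAN address (192.168.50.152 in the instance config), while the `forwardPorts` entry later in this file already publishes guest port 22 through the host on the instance's `ssh` port; unless direct LAN access is wanted, the forward is the narrower path and this firewall entry is not needed. If it is wanted, scope it to the LAN interface matched by `networks."20-lan"`, e.g. `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts = [ 22 ];`, so the port is not opened on any other interface the VM may gain. The jellyfin guest's `openssh` settings are outside this hunk, so it is worth confirming they match vaultwarden's `PasswordAuthentication = false` and `PermitRootLogin = "prohibit-password"`. The enclosing `config = {` block starts before this hunk.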
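Review bot: The `tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}` line is dropped from the jellyfin vhost while nothing in the new `extraConfig` references the certificate that `security.acme.certs."${host}"` now provisions via DNS, so Caddy's default automatic HTTPS will try to obtain its own certificate for `${host}`, and `users.users.caddy.extraGroups = [ "acme" ];` grants read access to files the vhost never uses. The vaultwarden hunk at `@@ -154,7 +160,9 @@` adds exactly that `tls` line in the same commit, so the inconsistency looks unintentional; the instance config in this commit defines `ssl` as a plain path string, which may be why `serviceCfg.ssl.cert` was dropped here, in which case the NixOS ACME output is the replacement: `tls ${config.security.acme.certs."${host}".directory}/fullchain.pem ${config.security.acme.certs."${host}".directory}/key.pem`. The two `redir /.well-known/carddav … /remote.php/dav/ 301` context lines are Nextcloud paths that have no meaning on a Jellyfin host and could go in the same pass. The surrounding `"${host}" = {` vhost and the module's top-level attrset both start before this hunk.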
@@ -6,10 +6,11 @@ let
 inherit (flake.config.people) user0;
 inherit (flake.config.services) instances;
- serviceCfg = flake.config.services.instances.vaultwarden;
- smtpCfg = flake.config.services.instances.smtp;
- host = serviceCfg.domains.url0;
+ serviceCfg = instances.vaultwarden;
+ smtpCfg = instances.smtp;
+ hostCfg = instances.web;
 dns0 = instances.web.dns.provider0;
+ host = serviceCfg.domains.url0;
 dns0Path = "dns/${dns0}";
 in
 {
@@ -21,48 +22,49 @@ in
 system.stateVersion = "24.05";
 time.timeZone = "America/Winnipeg";
 users.users.root.openssh.authorizedKeys.keys = flake.config.people.users.${user0}.sshKeys;
- services.vaultwarden = {
- enable = true;
- dbBackend = "sqlite";
- config = {
- # Domain Configuration
- DOMAIN = "https://${host}";
+ services = {
+ vaultwarden = {
+ enable = true;
+ dbBackend = "sqlite";
+ config = {
+ # Domain Configuration
+ DOMAIN = "https://${host}";
- # Email Configuration
- SMTP_AUTH_MECHANISM = "Plain";
- SMTP_EMBED_IMAGES = true;
- SMTP_FROM = serviceCfg.email.address0;
- SMTP_FROM_NAME = serviceCfg.label;
- SMTP_HOST = smtpCfg.hostname;
- SMTP_PORT = smtpCfg.ports.port1;
- SMTP_SECURITY = smtpCfg.records.record1;
- SMTP_USERNAME = smtpCfg.email.address0;
+ # Email Configuration
+ SMTP_AUTH_MECHANISM = "Plain";
+ SMTP_EMBED_IMAGES = true;
+ SMTP_FROM = serviceCfg.email.address0;
+ SMTP_FROM_NAME = serviceCfg.label;
+ SMTP_HOST = smtpCfg.hostname;
+ SMTP_PORT = smtpCfg.ports.port1;
+ SMTP_SECURITY = smtpCfg.records.record1;
+ SMTP_USERNAME = smtpCfg.email.address0;
- # Security Configuration
- DISABLE_ADMIN_TOKEN = false;
+ # Security Configuration
+ DISABLE_ADMIN_TOKEN = false;
- # Event and Backup Management
- EVENTS_DAYS_RETAIN = 90;
+ # Event and Backup Management
+ EVENTS_DAYS_RETAIN = 90;
- # User Features
- SENDS_ALLOWED = true;
- SIGNUPS_VERIFY = true;
- WEB_VAULT_ENABLED = true;
+ # User Features
+ SENDS_ALLOWED = true;
+ SIGNUPS_VERIFY = true;
+ WEB_VAULT_ENABLED = true;
- # Rocket (Web Server) Settings
- ROCKET_ADDRESS = "0.0.0.0";
- ROCKET_PORT = serviceCfg.ports.port0;
+ # Rocket (Web Server) Settings
+ ROCKET_ADDRESS = "0.0.0.0";
+ ROCKET_PORT = serviceCfg.ports.port0;
+ };
+
+ # Environment file with secrets (mounted from host)
+ environmentFile = "/run/secrets/${serviceCfg.name}/env";
 };
-
- # Environment file with secrets (mounted from host)
- environmentFile = "/run/secrets/${serviceCfg.name}/env";
- };
-
- services.openssh = {
- enable = true;
- settings = {
- PasswordAuthentication = false;
- PermitRootLogin = "prohibit-password";
+ openssh = {
+ enable = true;
+ settings = {
+ PasswordAuthentication = false;
+ PermitRootLogin = "prohibit-password";
+ };
 };
 };
@@ -79,10 +81,12 @@ in
 enable = true;
 networks."20-lan" = {
 matchConfig.Name = "enp0s5";
- addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ];
+ addresses = [
+ { Address = "${serviceCfg.interface.ip}/24"; }
+ ];
 routes = [
 {
- Destination = "0.0.0.0/0";
+ Destination = "${hostCfg.localhost.address1}/0";
 Gateway = serviceCfg.interface.gate;
 }
 ];
@@ -97,7 +101,7 @@ in
 microvm = {
 vcpu = 2;
- mem = 1024;
+ mem = 3072;
 hypervisor = "qemu";
 interfaces = [
 {
@@ -111,6 +115,7 @@ in
 mac = serviceCfg.interface.macUser;
 }
 ];
+
 forwardPorts = [
 {
 from = "host";
@@ -118,6 +123,7 @@ in
 guest.port = 22;
 }
 ];
+
 shares = [
 {
 mountPoint = "/nix/.ro-store";
@@ -154,7 +160,9 @@ in
 reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} {
 header_up X-Real-IP {remote_host}
 }
+ tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
+ encode zstd gzip
 '';
 };
diff --git a/systems/ceres/config/networking.nix b/systems/ceres/config/networking.nix
index 8396cd5..2b58aba 100755
--- a/systems/ceres/config/networking.nix
+++ b/systems/ceres/config/networking.nix
@@ -1,5 +1,4 @@
 {
- lib,
 flake,
 ...
 }:
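Review bot: `Destination = "${hostCfg.localhost.address1}/0";` in the `routes` entry replaces the literal default route with a value looked up under a key named `localhost`, which hides what the route is: a `/0` prefix only makes sense with the all-zero address, and if `address1` ever holds anything else (the key name suggests a loopback address) systemd-networkd will either normalise it or reject the `[Route]` section and the VM loses its gateway. Keep the literal, `Destination = "0.0.0.0/0";`, or source it from a key whose name says it is the unspecified address. The `networks."20-lan"` block this sits in starts before the hunk.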