mirror of
https://gitlab.com/upRootNutrition/dotfiles.git
synced 2025-12-07 21:42:16 -06:00
test: jellyfin microVM
This commit is contained in:
Nick
parent
b553e92ad1
commit
e25c1a2e06
13 changed files with 271 additions and 358 deletions
|
|
@ -4,21 +4,15 @@
|
|||
...
|
||||
}:
|
||||
let
|
||||
vaultwardenCfg = flake.config.services.instances.vaultwarden;
|
||||
smtpCfg = flake.config.services.instances.smtp;
|
||||
inherit (flake.config.people) user0;
|
||||
inherit (flake.config.services) instances;
|
||||
|
||||
serviceCfg = flake.config.services.instances.vaultwarden;
|
||||
smtpCfg = flake.config.services.instances.smtp;
|
||||
host = serviceCfg.domains.url0;
|
||||
dns0 = instances.web.dns.provider0;
|
||||
dns0Path = "dns/${dns0}";
|
||||
in
|
||||
{
|
||||
users.users.caddy.extraGroups = [ "acme" ];
|
||||
security.acme.certs."${vaultwardenCfg.domains.url0}" = {
|
||||
dnsProvider = dns0;
|
||||
environmentFile = config.sops.secrets.${dns0Path}.path;
|
||||
group = "caddy";
|
||||
};
|
||||
|
||||
microvm.vms.vaultwarden = {
|
||||
autostart = true;
|
||||
|
|
@ -32,13 +26,13 @@ in
|
|||
dbBackend = "sqlite";
|
||||
config = {
|
||||
# Domain Configuration
|
||||
DOMAIN = "https://${vaultwardenCfg.domains.url0}";
|
||||
DOMAIN = "https://${host}";
|
||||
|
||||
# Email Configuration
|
||||
SMTP_AUTH_MECHANISM = "Plain";
|
||||
SMTP_EMBED_IMAGES = true;
|
||||
SMTP_FROM = vaultwardenCfg.email.address0;
|
||||
SMTP_FROM_NAME = vaultwardenCfg.label;
|
||||
SMTP_FROM = serviceCfg.email.address0;
|
||||
SMTP_FROM_NAME = serviceCfg.label;
|
||||
SMTP_HOST = smtpCfg.hostname;
|
||||
SMTP_PORT = smtpCfg.ports.port1;
|
||||
SMTP_SECURITY = smtpCfg.records.record1;
|
||||
|
|
@ -57,11 +51,11 @@ in
|
|||
|
||||
# Rocket (Web Server) Settings
|
||||
ROCKET_ADDRESS = "0.0.0.0";
|
||||
ROCKET_PORT = vaultwardenCfg.ports.port0;
|
||||
ROCKET_PORT = serviceCfg.ports.port0;
|
||||
};
|
||||
|
||||
# Environment file with secrets (mounted from host)
|
||||
environmentFile = "/run/secrets/vaultwarden/env";
|
||||
environmentFile = "/run/secrets/${serviceCfg.name}/env";
|
||||
};
|
||||
|
||||
services.openssh = {
|
||||
|
|
@ -78,18 +72,18 @@ in
|
|||
139 # SMTP
|
||||
587 # SMTP
|
||||
2525 # SMTP
|
||||
vaultwardenCfg.ports.port0
|
||||
serviceCfg.ports.port0
|
||||
];
|
||||
|
||||
systemd.network = {
|
||||
enable = true;
|
||||
networks."20-lan" = {
|
||||
matchConfig.Name = "enp0s5";
|
||||
addresses = [ { Address = "${vaultwardenCfg.interface.ip}/24"; } ];
|
||||
addresses = [ { Address = "${serviceCfg.interface.ip}/24"; } ];
|
||||
routes = [
|
||||
{
|
||||
Destination = "0.0.0.0/0";
|
||||
Gateway = vaultwardenCfg.interface.gate;
|
||||
Gateway = serviceCfg.interface.gate;
|
||||
}
|
||||
];
|
||||
dns = [
|
||||
|
|
@ -108,19 +102,19 @@ in
|
|||
interfaces = [
|
||||
{
|
||||
type = "tap";
|
||||
id = vaultwardenCfg.interface.id;
|
||||
mac = vaultwardenCfg.interface.mac;
|
||||
id = serviceCfg.interface.id;
|
||||
mac = serviceCfg.interface.mac;
|
||||
}
|
||||
{
|
||||
type = "user";
|
||||
id = vaultwardenCfg.interface.idUser;
|
||||
mac = vaultwardenCfg.interface.macUser;
|
||||
id = serviceCfg.interface.idUser;
|
||||
mac = serviceCfg.interface.macUser;
|
||||
}
|
||||
];
|
||||
forwardPorts = [
|
||||
{
|
||||
from = "host";
|
||||
host.port = vaultwardenCfg.interface.ssh;
|
||||
host.port = serviceCfg.interface.ssh;
|
||||
guest.port = 22;
|
||||
}
|
||||
];
|
||||
|
|
@ -134,7 +128,7 @@ in
|
|||
{
|
||||
mountPoint = "/var/lib/bitwarden_rs";
|
||||
proto = "virtiofs";
|
||||
source = vaultwardenCfg.mntPaths.path0;
|
||||
source = serviceCfg.mntPaths.path0;
|
||||
tag = "vaultwarden_data";
|
||||
}
|
||||
{
|
||||
|
|
@ -148,22 +142,32 @@ in
|
|||
};
|
||||
};
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d ${vaultwardenCfg.mntPaths.path0} 0755 root root -"
|
||||
];
|
||||
|
||||
services.caddy.virtualHosts."${vaultwardenCfg.domains.url0}" = {
|
||||
extraConfig = ''
|
||||
reverse_proxy ${vaultwardenCfg.interface.ip}:${toString vaultwardenCfg.ports.port0} {
|
||||
header_up X-Real-IP {remote_host}
|
||||
}
|
||||
tls ${vaultwardenCfg.ssl.cert} ${vaultwardenCfg.ssl.key}
|
||||
encode zstd gzip
|
||||
'';
|
||||
security.acme.certs."${host}" = {
|
||||
dnsProvider = dns0;
|
||||
environmentFile = config.sops.secrets.${dns0Path}.path;
|
||||
group = "caddy";
|
||||
};
|
||||
|
||||
services.caddy.virtualHosts = {
|
||||
"${host}" = {
|
||||
extraConfig = ''
|
||||
reverse_proxy ${serviceCfg.interface.ip}:${toString serviceCfg.ports.port0} {
|
||||
header_up X-Real-IP {remote_host}
|
||||
}
|
||||
tls ${serviceCfg.ssl.cert} ${serviceCfg.ssl.key}
|
||||
encode zstd gzip
|
||||
'';
|
||||
};
|
||||
};
|
||||
|
||||
users.users.caddy.extraGroups = [ "acme" ];
|
||||
|
||||
systemd.tmpfiles.rules = [
|
||||
"d ${serviceCfg.mntPaths.path0} 0755 root root -"
|
||||
];
|
||||
|
||||
sops.secrets = {
|
||||
"vaultwarden/env" = {
|
||||
"${serviceCfg.name}/env" = {
|
||||
owner = "root";
|
||||
mode = "0600";
|
||||
};
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue