From 4ae9d2ce10a2f1103e6162ecfe145e8ea31d62a4 Mon Sep 17 00:00:00 2001 From: Aly Raffauf Date: Tue, 27 Aug 2024 14:51:16 -0400 Subject: [PATCH] raffauflabs: enable vaultwarden and homepage --- hosts/mauville/raffauflabs.nix | 97 ++++++++++-------- hosts/slateport/raffauflabs.nix | 171 +++++++++++++++++++++++++++++--- 2 files changed, 209 insertions(+), 59 deletions(-) diff --git a/hosts/mauville/raffauflabs.nix b/hosts/mauville/raffauflabs.nix index 6697545b..b872ac5e 100644 --- a/hosts/mauville/raffauflabs.nix +++ b/hosts/mauville/raffauflabs.nix @@ -29,7 +29,7 @@ }; in { networking = { - firewall.allowedTCPPorts = [80 443 2379 2380 3000 6443]; + firewall.allowedTCPPorts = [80 443 2379 2380 3000 6443 61208]; firewall.allowedUDPPorts = [8472]; }; @@ -91,12 +91,12 @@ in { }; }; - k3s = { - enable = true; - role = "server"; - tokenFile = config.age.secrets.k3s.path; - serverAddr = "https://192.168.0.104:6443"; - }; + # k3s = { + # enable = true; + # role = "server"; + # tokenFile = config.age.secrets.k3s.path; + # serverAddr = "https://192.168.0.104:6443"; + # }; navidrome = { enable = true; 
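Review bot: Adding 61208 to `firewall.allowedTCPPorts` opens the Glances web port on every interface of this host, and the Glances unit added later in this patch binds `0.0.0.0` with no authentication option on its command line. Anyone who can reach the host can therefore read its process and resource data. The only consumer visible in this patch is the homepage widget on slateport, so the opening can be scoped to the interface that host arrives on, e.g. `networking.firewall.interfaces."<tailnet-interface>".allowedTCPPorts = [61208];`. The interface name is a placeholder: the "Tailnet only" label elsewhere in the patch suggests such an interface exists, but it is not shown here.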
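Review bot: With `k3s` commented out here, the ports that were presumably opened for it stay in the firewall list of the previous hunk: TCP 2379, 2380 and 6443 and UDP 8472 are still allowed. If nothing else on this host uses them, drop them in the same change, e.g. `firewall.allowedTCPPorts = [80 443 3000 61208];` and remove `firewall.allowedUDPPorts = [8472];`, so that a later service binding one of those ports is not exposed by accident. Deleting the block instead of commenting it out would also stop the reference to `config.age.secrets.k3s.path` from lingering as dead configuration.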
@@ -123,44 +123,53 @@ in { }; }; - systemd.services.navidrome.serviceConfig = let - navidromeConfig = builtins.toFile "navidrome.json" (lib.generators.toJSON {} { - Address = "0.0.0.0"; - DefaultTheme = "Auto"; - MusicFolder = musicDirectory; - Port = navidrome.port; - SubsonicArtistParticipations = true; - UIWelcomeMessage = "Welcome to Navidrome @ ${domain}"; - "Spotify.ID" = "@spotifyClientId@"; - "Spotify.Secret" = "@spotifyClientSecret@"; - "LastFM.Enabled" = true; - "LastFM.ApiKey" = "@lastFMApiKey@"; - "LastFM.Secret" = "@lastFMSecret@"; - "LastFM.Language" = "en"; - }); + systemd.services = { + glances = { + wantedBy = ["multi-user.target"]; + after = ["network.target"]; + path = [pkgs.glances]; + script = "glances --webserver --bind 0.0.0.0 --port 61208"; + }; - navidrome-secrets = pkgs.writeShellScript "navidrome-secrets" '' - lastFMApiKey=$(cat "${navidrome.lastfm.idFile}") - lastFMSecret=$(cat "${navidrome.lastfm.secretFile}") - spotifyClientId=$(cat "${navidrome.spotify.idFile}") - spotifyClientSecret=$(cat "${navidrome.spotify.secretFile}") - ${pkgs.gnused}/bin/sed -e "s/@lastFMApiKey@/$lastFMApiKey/" -e "s/@lastFMSecret@/$lastFMSecret/" \ - -e "s/@spotifyClientId@/$spotifyClientId/" -e "s/@spotifyClientSecret@/$spotifyClientSecret/" \ - ${navidromeConfig} > /var/lib/navidrome/navidrome.json - ''; - in { - BindReadOnlyPaths = [ - navidrome.lastfm.idFile - navidrome.lastfm.secretFile - navidrome.spotify.idFile - navidrome.spotify.secretFile - musicDirectory - ]; + navidrome.serviceConfig = let + navidromeConfig = builtins.toFile "navidrome.json" (lib.generators.toJSON {} { + Address = "0.0.0.0"; + DefaultTheme = "Auto"; + MusicFolder = musicDirectory; + Port = navidrome.port; + SubsonicArtistParticipations = true; + UIWelcomeMessage = "Welcome to Navidrome @ ${domain}"; + "Spotify.ID" = "@spotifyClientId@"; + "Spotify.Secret" = "@spotifyClientSecret@"; + "LastFM.Enabled" = true; + "LastFM.ApiKey" = "@lastFMApiKey@"; + "LastFM.Secret" = 
"@lastFMSecret@"; + "LastFM.Language" = "en"; + }); - ExecStartPre = navidrome-secrets; - ExecStart = lib.mkForce '' - ${config.services.navidrome.package}/bin/navidrome --configfile /var/lib/navidrome/navidrome.json \ - --datafolder /var/lib/navidrome/ - ''; + navidrome-secrets = pkgs.writeShellScript "navidrome-secrets" '' + lastFMApiKey=$(cat "${navidrome.lastfm.idFile}") + lastFMSecret=$(cat "${navidrome.lastfm.secretFile}") + spotifyClientId=$(cat "${navidrome.spotify.idFile}") + spotifyClientSecret=$(cat "${navidrome.spotify.secretFile}") + ${pkgs.gnused}/bin/sed -e "s/@lastFMApiKey@/$lastFMApiKey/" -e "s/@lastFMSecret@/$lastFMSecret/" \ + -e "s/@spotifyClientId@/$spotifyClientId/" -e "s/@spotifyClientSecret@/$spotifyClientSecret/" \ + ${navidromeConfig} > /var/lib/navidrome/navidrome.json + ''; + in { + BindReadOnlyPaths = [ + navidrome.lastfm.idFile + navidrome.lastfm.secretFile + navidrome.spotify.idFile + navidrome.spotify.secretFile + musicDirectory + ]; + + ExecStartPre = navidrome-secrets; + ExecStart = lib.mkForce '' + ${config.services.navidrome.package}/bin/navidrome --configfile /var/lib/navidrome/navidrome.json \ + --datafolder /var/lib/navidrome/ + ''; + }; }; } diff --git a/hosts/slateport/raffauflabs.nix b/hosts/slateport/raffauflabs.nix index f6579b0b..442d31d7 100644 --- a/hosts/slateport/raffauflabs.nix +++ b/hosts/slateport/raffauflabs.nix @@ -20,6 +20,7 @@ in { "bt.${domain}" "git.${domain}" "music.${domain}" + "passwords.${domain}" "plex.${domain}" "podcasts.${domain}" domain 
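Review bot: The new `glances` unit sets no `serviceConfig`, so it runs as root with no sandboxing while serving HTTP on `0.0.0.0`. A read-only monitoring endpoint does not need that; add something like `serviceConfig = { DynamicUser = true; ProtectSystem = "strict"; NoNewPrivileges = true; };` and confirm that the disk and sensor readings the dashboard uses still work. Binding to the address the dashboard host actually connects to, instead of `0.0.0.0`, would narrow the exposure further.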
@@ -39,13 +40,134 @@ in { bantime = "1h"; }; - k3s = { + homepage-dashboard = { enable = true; - clusterInit = true; - role = "server"; - tokenFile = config.age.secrets.k3s.path; + openFirewall = true; + + bookmarks = [ + # { + # Websites = [ + # { + # "Aly Raffauf" = [ + # { + # abbr = "AR"; + # description = "Personal website and portfolio."; + # href = "https://aly.raffauflabs.com/"; + # } + # ]; + # } + # ]; + # } + ]; + + services = [ + { + Websites = [ + { + "Aly Raffauf" = { + abbr = "AR"; + description = "Personal website and portfolio."; + href = "https://aly.raffauflabs.com/"; + }; + } + { + "Specular Anomalies" = { + abbr = "SA"; + description = "Academic & tech blog."; + href = "https://distort.jp/"; + }; + } + ]; + } + { + Media = [ + { + "Audiobookshelf" = { + description = "Audiobooks & podcasts."; + href = "https://podcasts.raffauflabs.com"; + icon = "audiobookshelf"; + }; + } + { + "Plex" = { + description = "TV Shows, movies & music."; + href = "https://plex.raffauflabs.com"; + icon = "plex"; + }; + } + { + "Navidrome" = { + description = "Subsonic-compatible music streaming."; + href = "https://music.raffauflabs.com"; + icon = "navidrome"; + }; + } + ]; + } + { + Tools = [ + { + "Forĝejo" = { + description = "Git forge for open source projects."; + href = "https://git.raffauflabs.com"; + icon = "forgejo"; + }; + } + { + "Transmission (Tailnet only)" = { + description = "Torrent client with web UI."; + href = "http://mauville:9091"; + icon = "transmission"; + }; + } + { + "Vaultwarden" = { + description = "Secure password manager."; + href = "https://passwords.raffauflabs.com"; + icon = "vaultwarden"; + }; + } + ]; + } + ]; + + settings = { + color = "sky"; + target = "_self"; + title = "RaffaufLabs.com"; + }; + + widgets = [ + { + glances = { + url = "http:/mauville:61208/"; + cpu = true; + mem = true; + disk = "/mnt/Media"; + }; + } + { + search = { + provider = "brave"; + showSearchSuggestions = true; + }; + } + { + datetime = { + text_size = 
"xl"; + format.timeStyle = "short"; + }; + } + ]; }; + # k3s = { + # enable = true; + # clusterInit = true; + # role = "server"; + # tokenFile = config.age.secrets.k3s.path; + # }; + nginx = { enable = true; recommendedGzipSettings = true; @@ -53,19 +175,18 @@ in { recommendedTlsSettings = true; virtualHosts = { - # "bt.${domain}" = { - # enableACME = true; - # forceSSL = true; + "${domain}" = { + enableACME = true; + forceSSL = true; - # locations."/" = { - # proxyPass = "http://${ip}:${toString 9091}"; - # proxyWebsockets = true; + locations."/" = { + proxyPass = "http://localhost:${toString config.services.homepage-dashboard.listenPort}"; - # extraConfig = '' - # proxy_buffering off; - # ''; - # }; - # }; + extraConfig = '' + client_max_body_size 512M; + ''; + }; + }; "git.${domain}" = { enableACME = true; @@ -94,6 +215,14 @@ in { }; }; + "passwords.${domain}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + proxyPass = "http://127.0.0.1:${toString config.services.vaultwarden.config.ROCKET_PORT}"; + }; + }; + "plex.${domain}" = { enableACME = true; forceSSL = true; @@ -129,5 +258,17 @@ in { }; }; }; + + vaultwarden = { + enable = true; + + config = { + DOMAIN = "https://passowrds.raffauflabs.com"; + ROCKET_ADDRESS = "127.0.0.1"; + ROCKET_LOG = "critical"; + ROCKET_PORT = 8222; + SIGNUPS_ALLOWED = false; + }; + }; }; }
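Review bot: `openFirewall = true;` exposes the homepage-dashboard port directly over plain HTTP, although the nginx virtual host added later in this patch already proxies it from localhost with ACME and `forceSSL`. Unless direct access is wanted, set `openFirewall = false;` so the dashboard is reachable only through the TLS front end. Separately, the glances widget URL `"http:/mauville:61208/"` is missing a slash and should read `url = "http://mauville:61208/";`. The empty `bookmarks` list, which holds only commented-out entries, and the commented-out `k3s` block could simply be deleted.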
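Review bot: `client_max_body_size 512M;` in the new `"${domain}"` virtual host lets clients send request bodies of up to 512 MB to a dashboard that, as far as this patch shows, takes no uploads; it looks carried over from another virtual host. Dropping the `extraConfig` block keeps nginx's default limit. `proxyPass` here also uses `localhost` while the Vaultwarden virtual host uses `127.0.0.1`; writing `proxyPass = "http://127.0.0.1:${toString config.services.homepage-dashboard.listenPort}";` avoids depending on how `localhost` resolves.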
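Review bot: The `"passwords.${domain}"` location sets only `proxyPass`; Vaultwarden clients use a WebSocket connection for live sync notifications, so add `proxyWebsockets = true;` to the location. Whether the client address is forwarded depends on `recommendedProxySettings`, which is not visible in this hunk. Without it, Vaultwarden would record every request as coming from 127.0.0.1, which defeats any monitoring of failed logins by source address. A short comment on this virtual host noting that it fronts the password vault and must stay `forceSSL` would help later edits.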
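Review bot: `DOMAIN` is misspelled as `https://passowrds.raffauflabs.com`, which does not match the `passwords.${domain}` virtual host added earlier in this patch. Vaultwarden uses this value for the links and origins it generates, so features that depend on it are likely to break or point at a host that does not exist. Derive it from the same variable so the two cannot drift: `DOMAIN = "https://passwords.${domain}";`. No `ADMIN_TOKEN` or `environmentFile` appears in the hunk, which I read as the admin page staying disabled; a one-line comment saying so would help the next reader.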