harden vaultwarden

improve zen config
add homer dashboard
2025-09-03 16:45:32 +02:00 · 2025-09-03 16:45:20 +02:00 · 2025-09-03 16:44:50 +02:00 · 2025-09-03 15:12:30 +02:00 · 2025-09-03 14:54:18 +02:00
7 changed files with 229 additions and 60 deletions
--- a/flake.lock
+++ b/flake.lock
@ -465,6 +465,27 @@
        "type": "github"
      }
    },
    "home-manager_2": {
      "inputs": {
        "nixpkgs": [
          "zen-browser",
          "nixpkgs"
        ]
      },
      "locked": {
        "lastModified": 1756842514,
        "narHash": "sha256-XbtRMewPGJwTNhBC4pnBu3w/xT1XejvB0HfohC2Kga8=",
        "owner": "nix-community",
        "repo": "home-manager",
        "rev": "30fc1b532645a21e157b6e33e3f8b4c154f86382",
        "type": "github"
      },
      "original": {
        "owner": "nix-community",
        "repo": "home-manager",
        "type": "github"
      }
    },
    "jovian": {
      "inputs": {
        "nix-github-actions": "nix-github-actions",
@ -1164,18 +1185,19 @@
    },
    "zen-browser": {
      "inputs": {
        "home-manager": "home-manager_2",
        "nixpkgs": "nixpkgs_10"
      },
      "locked": {
-        "lastModified": 1727721329,
+        "lastModified": 1756876659,
-        "narHash": "sha256-QYlWZwUSwrM7BuO+dXclZIwoPvBIuJr6GpFKv9XKFPI=",
+        "narHash": "sha256-B2bpNR7VOoZuKfuNnASfWI/jGveetP2yhG44S3XnI/k=",
-        "owner": "MarceColl",
+        "owner": "0xc000022070",
        "repo": "zen-browser-flake",
-        "rev": "e6ab73f405e9a2896cce5956c549a9cc359e5fcc",
+        "rev": "07c14b39cad581d9a8bb2dc8959a59e17d26d529",
        "type": "github"
      },
      "original": {
-        "owner": "MarceColl",
+        "owner": "0xc000022070",
        "repo": "zen-browser-flake",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -41,7 +41,7 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };
-    zen-browser.url = "github:MarceColl/zen-browser-flake";
+    zen-browser.url = "github:0xc000022070/zen-browser-flake";
    nix-minecraft.url = "github:Infinidoge/nix-minecraft";
@ -93,8 +93,12 @@
    channels-config = {
      allowUnfree = true;
      permittedInsecurePackages = [
        # Due to *arr stack
        "dotnet-sdk-6.0.428"
        "aspnetcore-runtime-6.0.36"
        # I think this is because of zen
        "qtwebengine-5.15.19"
      ];
    };
@ -106,7 +110,7 @@
    homes.modules = with inputs; [
      stylix.homeModules.stylix
-      plasma-manager.homeManagerModules.plasma-manager
+      plasma-manager.homeModules.plasma-manager
    ];
  };
 }
--- a/modules/home/application/zen/default.nix
+++ b/modules/home/application/zen/default.nix
@ -5,13 +5,15 @@ let
  cfg = config.${namespace}.application.zen;
 in
 {
  imports = [
    inputs.zen-browser.homeModules.default
  ];
  options.${namespace}.application.zen = {
    enable = mkEnableOption "enable zen";
  };
  config = mkIf cfg.enable {
    home.packages = [ inputs.zen-browser.packages.${pkgs.system}.specific ];
    home.sessionVariables = {
      MOZ_ENABLE_WAYLAND = "1";
    };
@ -20,20 +22,42 @@ in
      policies = {
        AutofillAddressEnabled = true;
        AutofillCreditCardEnabled = false;
        AppAutoUpdate = false;
        DisableAppUpdate = true;
        ManualAppUpdateOnly = true;
        DisableFeedbackCommands = true;
        DisableFirefoxStudies = true;
        DisablePocket = true;
        DisableTelemetry = true;
-        # DontCheckDefaultBrowser = false;
+
        DontCheckDefaultBrowser = false;
        NoDefaultBookmarks = true;
-        # OfferToSaveLogins = false;
+        OfferToSaveLogins = false;
        EnableTrackingProtection = {
          Value = true;
          Locked = true;
          Cryptomining = true;
          Fingerprinting = true;
        };
        HttpAllowlist = [
          "http://ulmo"
        ];
      };
      policies.ExtensionSettings = let
        mkExtension = id: {
          install_url = "https://addons.mozilla.org/firefox/downloads/latest/${builtins.toString id}/latest.xpi";
          installation_mode = "force_installed";
        };
      in
      {
        ublock_origin = 4531307;
        ghostry = 4562168;
        bitwarden = 4562769;
        sponsorblock = 4541835;
      };
    };
  };
--- a/modules/nixos/services/media/default.nix
+++ b/modules/nixos/services/media/default.nix
@ -66,38 +66,73 @@ in
    # Services
    #=========================================================================
    services = let
-      serviceConf = {
+      arrService = {
        enable = true;
        openFirewall = true;
        settings = {
          auth.AuthenticationMethod = "External";
          # postgres = {
          #   PostgresHost = "localhost";
          #   PostgresPort = "5432";
          #   PostgresUser = "media";
          # };
        };
      };
      withPort = port: service: service // { settings.server.Port = builtins.toString port; };
      withUserAndGroup = service: service  // {
        user = cfg.user;
        group = cfg.group;
      };
    in {
      radarr =
        arrService
        |> withPort 2001
        |> withUserAndGroup;
      sonarr =
        arrService
        |> withPort 2002
        |> withUserAndGroup;
      lidarr =
        arrService
        |> withPort 2003
        |> withUserAndGroup;
      prowlarr =
        arrService
        |> withPort 2004;
      bazarr = {
        enable = true;
        openFirewall = true;
        user = cfg.user;
        group = cfg.group;
        listenPort = 2005;
      };
      # port is harcoded in nixpkgs module
      jellyfin = {
        enable = true;
        openFirewall = true;
        user = cfg.user;
        group = cfg.group;
      };
    in {
      jellyfin = serviceConf;
      radarr = serviceConf;
      sonarr = serviceConf;
      bazarr = serviceConf;
      lidarr = serviceConf;
      flaresolverr = {
        enable = true;
        openFirewall = true;
-      };
+        port = 2007;
      jellyseerr = {
        enable = true;
        openFirewall = true;
      };
      prowlarr = {
        enable = true;
        openFirewall = true;
      };
      qbittorrent = {
        enable = true;
        openFirewall = true;
-        webuiPort = 5000;
+        webuiPort = 2008;
        serverConfig = {
          LegalNotice.Accepted = true;
@ -107,6 +142,7 @@ in
        group = cfg.group;
      };
      # port is harcoded in nixpkgs module
      sabnzbd = {
        enable = true;
        openFirewall = true;
@ -116,46 +152,49 @@ in
        group = cfg.group;
      };
      # postgresql = {
      #   enable = true;
      #   ensureDatabases = [
      #     "radarr-main" "radarr-log"
      #     "sonarr-main" "sonarr-log"
      #     "lidarr-main" "lidarr-log"
      #     "prowlarr-main" "prowlarr-log"
      #   ];
      #   identMap = ''
      #     media media radarr-main
      #     media media radarr-log
      #     media media sonarr-main
      #     media media sonarr-log
      #     media media lidarr-main
      #     media media lidarr-log
      #     media media prowlarr-main
      #     media media prowlarr-log
      #   '';
      #   ensureUsers = [
      #     { name = "radarr-main"; ensureDBOwnership = true; }
      #     { name = "radarr-log"; ensureDBOwnership = true; }
      #     { name = "sonarr-main"; ensureDBOwnership = true; }
      #     { name = "sonarr-log"; ensureDBOwnership = true; }
      #     { name = "lidarr-main"; ensureDBOwnership = true; }
      #     { name = "lidarr-log"; ensureDBOwnership = true; }
      #     { name = "prowlarr-main"; ensureDBOwnership = true; }
      #     { name = "prowlarr-log"; ensureDBOwnership = true; }
      #   ];
      # };
      caddy = {
        enable = true;
        virtualHosts = {
          "media.kruining.eu".extraConfig = ''
            import auth
            reverse_proxy http://127.0.0.1:9494
          '';
          "jellyfin.kruining.eu".extraConfig = ''
-            reverse_proxy http://127.0.0.1:8096
+            reverse_proxy http://[::1]:8096
          '';
        };
      };
    };
    systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";
    ${namespace}.services.virtualisation.podman.enable = true;
    virtualisation = {
      oci-containers = {
        backend = "podman";
        containers = {
          # flaresolverr = {
          #   image = "flaresolverr/flaresolverr";
          #   autoStart = true;
          #   ports = [ "127.0.0.1:8191:8191" ];
          # };
          reiverr = {
            image = "ghcr.io/aleksilassila/reiverr:v2.2.0";
            autoStart = true;
            ports = [ "127.0.0.1:9494:9494" ];
            volumes = [ "${cfg.path}/reiverr/config:/config" ];
          };
        };
      };
    };
    networking.firewall.allowedTCPPorts = [ 80 443 6969 ];
  };
 }
--- a/modules/nixos/services/media/homer/default.nix
+++ b/modules/nixos/services/media/homer/default.nix
@ -0,0 +1,73 @@
 { config, lib, namespace, ... }:
 let
  inherit (lib) mkIf mkEnableOption;
  cfg = config.${namespace}.services.media.homer;
 in
 {
  options.${namespace}.services.media.homer = {
    enable = mkEnableOption "Enable homer";
  };
  config = mkIf cfg.enable {
    networking.firewall.allowedTCPPorts = [ 2000 ];
    services = {
      homer = {
        enable = true;
        virtualHost = {
          caddy.enable = true;
          domain = "http://:2000";
        };
        settings = {
          title = "Ulmo dashboard";
          columns = 4;
          connectivityCheck = true;
          links = [
            {
              name = "Git";
              icon = "fab fa-forgejo";
              url = "https://git.amarth.cloud";
            }
          ];
          services = [
            {
              name = "Services";
              items = [
                {
                  name = "Zitadel";
                  tag = "authentication";
                  keywords = "auth";
                  url = "https://auth.amarth.cloud";
                }
              ];
            }
            {
              name = "Media";
              items = [
                {
                  name = "Radarr";
                  tag = "app";
                  url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}";
                }
                {
                  name = "Sonarr";
                  tag = "app";
                  url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}";
                }
              ];
            }
          ];
        };
      };
    };
  };
 }
--- a/modules/nixos/services/security/vaultwarden/default.nix
+++ b/modules/nixos/services/security/vaultwarden/default.nix
@ -76,6 +76,12 @@ in
          "vault.kruining.eu".extraConfig = ''
            encode zstd gzip
            handle_path /admin {
              respond 401 {
                close
              }
            }
            reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
              header_up X-Real-IP {remote_host}
            }
--- a/systems/x86_64-linux/ulmo/default.nix
+++ b/systems/x86_64-linux/ulmo/default.nix
@ -15,6 +15,7 @@
      networking.ssh.enable = true;
      media.enable = true;
      media.homer.enable = true;
      media.nfs.enable = true;
      observability = {
Author	SHA1	Message	Date
Chris Kruining	44e7a6fa0f	harden vaultwarden All checks were successful Test action / Print hello world (push) Successful in 19s Details	2025-09-03 16:45:32 +02:00
Chris Kruining	6379b5e2de	improve zen config	2025-09-03 16:45:20 +02:00
Chris Kruining	7758806282	add homer dashboard	2025-09-03 16:44:50 +02:00
Chris Kruining	a29b757530	restructure media services	2025-09-03 15:12:30 +02:00
Chris Kruining	5ddcaf35f6	fix zen	2025-09-03 14:54:18 +02:00