harden vaultwarden

improve zen config
add homer dashboard
2025-09-03 16:45:32 +02:00 · 2025-09-03 16:45:20 +02:00 · 2025-09-03 16:44:50 +02:00 · 2025-09-03 15:12:30 +02:00 · 2025-09-03 14:54:18 +02:00
7 changed files with 229 additions and 60 deletions
--- a/flake.lock
+++ b/flake.lock
@ -465,6 +465,27 @@
        "type": "github"
      }
    },
+    "home-manager_2": {
+      "inputs": {
+        "nixpkgs": [
+          "zen-browser",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1756842514,
+        "narHash": "sha256-XbtRMewPGJwTNhBC4pnBu3w/xT1XejvB0HfohC2Kga8=",
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "rev": "30fc1b532645a21e157b6e33e3f8b4c154f86382",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "home-manager",
+        "type": "github"
+      }
+    },
    "jovian": {
      "inputs": {
        "nix-github-actions": "nix-github-actions",
@ -1164,18 +1185,19 @@
    },
    "zen-browser": {
      "inputs": {
+        "home-manager": "home-manager_2",
        "nixpkgs": "nixpkgs_10"
      },
      "locked": {
-        "lastModified": 1727721329,
-        "narHash": "sha256-QYlWZwUSwrM7BuO+dXclZIwoPvBIuJr6GpFKv9XKFPI=",
-        "owner": "MarceColl",
+        "lastModified": 1756876659,
+        "narHash": "sha256-B2bpNR7VOoZuKfuNnASfWI/jGveetP2yhG44S3XnI/k=",
+        "owner": "0xc000022070",
        "repo": "zen-browser-flake",
-        "rev": "e6ab73f405e9a2896cce5956c549a9cc359e5fcc",
+        "rev": "07c14b39cad581d9a8bb2dc8959a59e17d26d529",
        "type": "github"
      },
      "original": {
-        "owner": "MarceColl",
+        "owner": "0xc000022070",
        "repo": "zen-browser-flake",
        "type": "github"
      }
--- a/flake.nix
+++ b/flake.nix
@ -41,7 +41,7 @@
      inputs.nixpkgs.follows = "nixpkgs";
    };

-    zen-browser.url = "github:MarceColl/zen-browser-flake";
+    zen-browser.url = "github:0xc000022070/zen-browser-flake";

    nix-minecraft.url = "github:Infinidoge/nix-minecraft";

@ -93,8 +93,12 @@
    channels-config = {
      allowUnfree = true;
      permittedInsecurePackages = [
+        # Due to *arr stack
        "dotnet-sdk-6.0.428"
        "aspnetcore-runtime-6.0.36"
+
+        # I think this is because of zen
+        "qtwebengine-5.15.19"
      ];
    };

@ -106,7 +110,7 @@

    homes.modules = with inputs; [
      stylix.homeModules.stylix
-      plasma-manager.homeManagerModules.plasma-manager
+      plasma-manager.homeModules.plasma-manager
    ];
  };
 }
--- a/modules/home/application/zen/default.nix
+++ b/modules/home/application/zen/default.nix
@ -5,13 +5,15 @@ let
  cfg = config.${namespace}.application.zen;
 in
 {
+  imports = [
+    inputs.zen-browser.homeModules.default
+  ];
+
  options.${namespace}.application.zen = {
    enable = mkEnableOption "enable zen";
  };

  config = mkIf cfg.enable {
-    home.packages = [ inputs.zen-browser.packages.${pkgs.system}.specific ];
-
    home.sessionVariables = {
      MOZ_ENABLE_WAYLAND = "1";
    };
@ -20,20 +22,42 @@ in
      policies = {
        AutofillAddressEnabled = true;
        AutofillCreditCardEnabled = false;
+
+        AppAutoUpdate = false;
        DisableAppUpdate = true;
+        ManualAppUpdateOnly = true;
+
        DisableFeedbackCommands = true;
        DisableFirefoxStudies = true;
        DisablePocket = true;
        DisableTelemetry = true;
-        # DontCheckDefaultBrowser = false;
+
+        DontCheckDefaultBrowser = false;
        NoDefaultBookmarks = true;
-        # OfferToSaveLogins = false;
+        OfferToSaveLogins = false;
        EnableTrackingProtection = {
          Value = true;
          Locked = true;
          Cryptomining = true;
          Fingerprinting = true;
        };
+
+        HttpAllowlist = [
+          "http://ulmo"
+        ];
+      };
+
+      policies.ExtensionSettings = let
+        mkExtension = id: {
+          install_url = "https://addons.mozilla.org/firefox/downloads/latest/${builtins.toString id}/latest.xpi";
+          installation_mode = "force_installed";
+        };
+      in
+      {
+        ublock_origin = 4531307;
+        ghostry = 4562168;
+        bitwarden = 4562769;
+        sponsorblock = 4541835;
      };
    };
  };
--- a/modules/nixos/services/media/default.nix
+++ b/modules/nixos/services/media/default.nix
@ -66,38 +66,73 @@ in
    # Services
    #=========================================================================
    services = let
-      serviceConf = {
+      arrService = {
+        enable = true;
+        openFirewall = true;
+
+        settings = {
+          auth.AuthenticationMethod = "External";
+
+          # postgres = {
+          #   PostgresHost = "localhost";
+          #   PostgresPort = "5432";
+          #   PostgresUser = "media";
+          # };
+        };
+      };
+
+      withPort = port: service: service // { settings.server.Port = builtins.toString port; };
+
+      withUserAndGroup = service: service  // {
+        user = cfg.user;
+        group = cfg.group;
+      };
+    in {
+      radarr =
+        arrService
+        |> withPort 2001
+        |> withUserAndGroup;
+
+      sonarr =
+        arrService
+        |> withPort 2002
+        |> withUserAndGroup;
+
+      lidarr =
+        arrService
+        |> withPort 2003
+        |> withUserAndGroup;
+        
+      prowlarr =
+        arrService
+        |> withPort 2004;
+
+      bazarr = {
+        enable = true;
+        openFirewall = true;
+        user = cfg.user;
+        group = cfg.group;
+        listenPort = 2005;
+      };
+
+      # port is harcoded in nixpkgs module
+      jellyfin = {
        enable = true;
        openFirewall = true;
        user = cfg.user;
        group = cfg.group;
      };
-    in {
-      jellyfin = serviceConf;
-      radarr = serviceConf;
-      sonarr = serviceConf;
-      bazarr = serviceConf;
-      lidarr = serviceConf;

      flaresolverr = {
        enable = true;
        openFirewall = true;
-      };
-
-      jellyseerr = {
-        enable = true;
-        openFirewall = true;
-      };
-
-      prowlarr = {
-        enable = true;
-        openFirewall = true;
+        port = 2007;
      };

      qbittorrent = {
        enable = true;
        openFirewall = true;
-        webuiPort = 5000;
+        webuiPort = 2008;

        serverConfig = {
          LegalNotice.Accepted = true;
@ -107,6 +142,7 @@ in
        group = cfg.group;
      };

+      # port is harcoded in nixpkgs module
      sabnzbd = {
        enable = true;
        openFirewall = true;
@ -116,46 +152,49 @@ in
        group = cfg.group;
      };

+      # postgresql = {
+      #   enable = true;
+      #   ensureDatabases = [
+      #     "radarr-main" "radarr-log"
+      #     "sonarr-main" "sonarr-log"
+      #     "lidarr-main" "lidarr-log"
+      #     "prowlarr-main" "prowlarr-log"
+      #   ];
+      #   identMap = ''
+      #     media media radarr-main
+      #     media media radarr-log
+      #     media media sonarr-main
+      #     media media sonarr-log
+      #     media media lidarr-main
+      #     media media lidarr-log
+      #     media media prowlarr-main
+      #     media media prowlarr-log
+      #   '';
+      #   ensureUsers = [
+      #     { name = "radarr-main"; ensureDBOwnership = true; }
+      #     { name = "radarr-log"; ensureDBOwnership = true; }
+
+      #     { name = "sonarr-main"; ensureDBOwnership = true; }
+      #     { name = "sonarr-log"; ensureDBOwnership = true; }
+          
+      #     { name = "lidarr-main"; ensureDBOwnership = true; }
+      #     { name = "lidarr-log"; ensureDBOwnership = true; }
+          
+      #     { name = "prowlarr-main"; ensureDBOwnership = true; }
+      #     { name = "prowlarr-log"; ensureDBOwnership = true; }
+      #   ];
+      # };
+
      caddy = {
        enable = true;
        virtualHosts = {
-          "media.kruining.eu".extraConfig = ''
-            import auth
-
-            reverse_proxy http://127.0.0.1:9494
-          '';
          "jellyfin.kruining.eu".extraConfig = ''
-            reverse_proxy http://127.0.0.1:8096
+            reverse_proxy http://[::1]:8096
          '';
        };
      };
    };

    systemd.services.jellyfin.serviceConfig.killSignal = lib.mkForce "SIGKILL";
-
-    ${namespace}.services.virtualisation.podman.enable = true;
-
-    virtualisation = {
-      oci-containers = {
-        backend = "podman";
-
-        containers = {
-          # flaresolverr = {
-          #   image = "flaresolverr/flaresolverr";
-          #   autoStart = true;
-          #   ports = [ "127.0.0.1:8191:8191" ];
-          # };
-
-          reiverr = {
-            image = "ghcr.io/aleksilassila/reiverr:v2.2.0";
-            autoStart = true;
-            ports = [ "127.0.0.1:9494:9494" ];
-            volumes = [ "${cfg.path}/reiverr/config:/config" ];
-          };
-        };
-      };
-    };
-
-    networking.firewall.allowedTCPPorts = [ 80 443 6969 ];
  };
 }
--- a/modules/nixos/services/media/homer/default.nix
+++ b/modules/nixos/services/media/homer/default.nix
@ -0,0 +1,73 @@
+{ config, lib, namespace, ... }:
+let
+  inherit (lib) mkIf mkEnableOption;
+
+  cfg = config.${namespace}.services.media.homer;
+in
+{
+  options.${namespace}.services.media.homer = {
+    enable = mkEnableOption "Enable homer";
+  };
+
+  config = mkIf cfg.enable {
+    networking.firewall.allowedTCPPorts = [ 2000 ];
+
+    services = {
+      homer = {
+        enable = true;
+
+        virtualHost = {
+          caddy.enable = true;
+          domain = "http://:2000";
+        };
+
+        settings = {
+          title = "Ulmo dashboard";
+
+          columns = 4;
+          connectivityCheck = true;
+
+          links = [
+            {
+              name = "Git";
+              icon = "fab fa-forgejo";
+              url = "https://git.amarth.cloud";
+
+            }
+          ];
+
+          services = [
+            {
+              name = "Services";
+              items = [
+                {
+                  name = "Zitadel";
+                  tag = "authentication";
+                  keywords = "auth";
+                  url = "https://auth.amarth.cloud";
+                }
+              ];
+            }
+
+            {
+              name = "Media";
+              items = [
+                {
+                  name = "Radarr";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.radarr.settings.server.port}";
+                }
+
+                {
+                  name = "Sonarr";
+                  tag = "app";
+                  url = "http://${config.networking.hostName}:${builtins.toString config.services.sonarr.settings.server.port}";
+                }
+              ];
+            }
+          ];
+        };
+      };
+    };
+  };
+}
--- a/modules/nixos/services/security/vaultwarden/default.nix
+++ b/modules/nixos/services/security/vaultwarden/default.nix
@ -76,6 +76,12 @@ in
          "vault.kruining.eu".extraConfig = ''
            encode zstd gzip

+            handle_path /admin {
+              respond 401 {
+                close
+              }
+            }
+
            reverse_proxy http://localhost:${toString config.services.vaultwarden.config.ROCKET_PORT} {
              header_up X-Real-IP {remote_host}
            }
--- a/systems/x86_64-linux/ulmo/default.nix
+++ b/systems/x86_64-linux/ulmo/default.nix
@ -15,6 +15,7 @@
      networking.ssh.enable = true;

      media.enable = true;
+      media.homer.enable = true;
      media.nfs.enable = true;

      observability = {
Author	SHA1	Message	Date
Chris Kruining	44e7a6fa0f	harden vaultwarden All checks were successful Test action / Print hello world (push) Successful in 19s Details	2025-09-03 16:45:32 +02:00
Chris Kruining	6379b5e2de	improve zen config	2025-09-03 16:45:20 +02:00
Chris Kruining	7758806282	add homer dashboard	2025-09-03 16:44:50 +02:00
Chris Kruining	a29b757530	restructure media services	2025-09-03 15:12:30 +02:00
Chris Kruining	5ddcaf35f6	fix zen	2025-09-03 14:54:18 +02:00