feat: add lms

2025-05-24 10:11:18 +02:00
parent 348d8e1d03
commit 8def0af08f
3 changed files with 120 additions and 2 deletions
--- a/hosts/fw/modules/lms.nix
+++ b/hosts/fw/modules/lms.nix
@@ -0,0 +1,88 @@
+{ pkgs, config, lib, python3Packages, ... }:
+
+let
+  lmsDomain     = "lms.cloonar.com";
+  networkPrefix = config.networkPrefix;
+in
+{
+  security.acme.certs."${lmsDomain}" = {
+    group = "nginx";
+  };
+
+  sops.secrets.lms-spotify = { };
+
+  containers.lms = {
+    autoStart      = true;
+    ephemeral      = false;
+    privateNetwork = true;
+    hostBridge     = "server";
+
+    hostAddress  = "${networkPrefix}.97.2";
+    localAddress = "${networkPrefix}.97.21/24";
+
+    extraFlags = [ "--capability=CAP_NET_ADMIN" ];
+
+    bindMounts = {
+      "/var/lib/acme/lms/" = {
+        hostPath   = config.security.acme.certs.${lmsDomain}.directory;
+        isReadOnly = true;
+      };
+      "/run/secrets/lms-spotify" = {
+        hostPath = config.sops.secrets.lms-spotify.path;
+      };
+    };
+
+    config = { pkgs, lib, config, ... }:
+    let
+    in
+    {
+      networking = {
+        hostName = "lms";
+        useHostResolvConf = false;
+        defaultGateway = {
+          address = "${networkPrefix}.97.1";
+          interface = "eth0";
+        };
+        nameservers = [ "${networkPrefix}.97.1" ];
+        firewall.enable = false;
+      };
+
+      environment.systemPackages = with pkgs; [
+        slimserver      # Logitech/Lyrion Media Server
+      ];
+
+      services.slimserver = {
+        enable  = true;
+        package = pkgs.slimserver;
+      };
+
+      # make LMS discoverable via mDNS/Avahi
+      services.avahi = {
+        enable               = true;
+        publish.enable       = true;
+        publish.userServices = true;
+      };
+
+      services.nginx.enable = true;
+      services.nginx.virtualHosts."${lmsDomain}" = {
+        sslCertificate        = "/var/lib/acme/lms/fullchain.pem";
+        sslCertificateKey     = "/var/lib/acme/lms/key.pem";
+        sslTrustedCertificate = "/var/lib/acme/lms/chain.pem";
+        forceSSL              = true;
+        extraConfig           = "proxy_buffering off;";
+
+        locations."/".extraConfig = ''
+          proxy_pass         http://127.0.0.1:9000/;
+          proxy_set_header   Host $host;
+          proxy_redirect     http:// https://;
+          proxy_http_version 1.1;
+          proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header   Upgrade $http_upgrade;
+          proxy_set_header   Connection $connection_upgrade;
+        '';
+      };
+
+      system.stateVersion = "23.05";
+    };
+  };
+}