Diffstat (limited to 'modules/containers')
-rw-r--r--modules/containers/freshrss/default.nix88
-rw-r--r--modules/containers/jellyfin/default.nix96
-rw-r--r--modules/containers/lubelogger/default.nix102
-rw-r--r--modules/containers/pinchflat/default.nix66
-rw-r--r--modules/containers/vaultwarden/default.nix93
-rw-r--r--modules/containers/watchtower/default.nix37
6 files changed, 376 insertions, 106 deletions
diff --git a/modules/containers/freshrss/default.nix b/modules/containers/freshrss/default.nix
index 7cbe944..7d2e5eb 100644
--- a/modules/containers/freshrss/default.nix
+++ b/modules/containers/freshrss/default.nix
@@ -1,27 +1,77 @@
-{ ... }:
+{
+ config,
+ lib,
+ ...
+}:
+with lib;
let
- directory = "/opt/freshrss";
- port = "8888";
+ service = "freshrss";
+ cfg = config.modules.containers.${service};
in
{
- systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ];
+ options.modules.containers.${service} = {
+ enable = mkEnableOption service;
+ user = mkOption {
+ default = "share";
+ type = types.str;
+ };
+ group = mkOption {
+ default = "share";
+ type = types.str;
+ };
+ port = mkOption {
+ default = 8888;
+ type = types.int;
+ };
+ url = mkOption {
+ default = null;
+ type = types.str;
+ };
+ configDir = mkOption {
+ default = "/opt/${service}";
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users.${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ };
+
+ users.groups.${cfg.group} = { };
- virtualisation.oci-containers.containers.freshrss = {
- image = "freshrss/freshrss:latest";
- autoStart = true;
- ports = [ "${port}:80" ];
- volumes = [
- "${directory}/data:/var/www/FreshRSS/data"
- "${directory}/extensions:/var/www/FreshRSS/extensions"
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
];
- environment = {
- TZ = "America/Detroit";
- CRON_MIN = "*/20";
+
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ ${cfg.url}.extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:${builtins.toString cfg.port}
+ '';
+ };
};
- };
- services.caddy.virtualHosts."fresh.brownbread.net".extraConfig = ''
- encode zstd gzip
- reverse_proxy http://localhost:${port}
- '';
+ systemd.tmpfiles.rules = builtins.map (f: "d ${f} 0755 ${cfg.user} ${cfg.group} - -") [
+ cfg.configDir
+ ];
+
+ virtualisation.oci-containers.containers.${service} = {
+ image = "${service}/${service}:latest";
+ autoStart = true;
+ ports = [ "${builtins.toString cfg.port}:80" ];
+ volumes = [
+ "${cfg.configDir}/data:/var/www/FreshRSS/data"
+ "${cfg.configDir}/extensions:/var/www/FreshRSS/extensions"
+ ];
+ environment = {
+ TZ = "America/Detroit";
+ CRON_MIN = "*/20";
+ };
+ };
+ };
}
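Review bot: The `url` option on L49-52 declares `default = null` with `type = types.str`, so as soon as `cfg.url` is read inside the `mkIf cfg.enable` block (L84, where it is also used as a Caddy host label) evaluation fails for any host that enables the module without setting `url`; the same pattern is in jellyfin, lubelogger, pinchflat and vaultwarden. Declare it as `url = mkOption { default = null; type = types.nullOr types.str; };` and make the reverse proxy conditional, e.g. `services.caddy = mkIf (cfg.url != null) { ... };`, so a null URL means "no public vhost" instead of an eval error. A one-line description on the option (`description = "Public hostname served by Caddy; null disables the vhost";`) would also make the intent visible in `nixos-option`.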
diff --git a/modules/containers/jellyfin/default.nix b/modules/containers/jellyfin/default.nix
index a7b9557..aa0d4b1 100644
--- a/modules/containers/jellyfin/default.nix
+++ b/modules/containers/jellyfin/default.nix
@@ -1,24 +1,86 @@
-{ ... }:
+{
+ config,
+ lib,
+ ...
+}:
+with lib;
let
- directory = "/opt/jellyfin";
+ service = "jellyfin";
+ cfg = config.modules.containers.${service};
in
{
- systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ];
+ options.modules.containers.${service} = {
+ enable = mkEnableOption service;
+ user = mkOption {
+ default = "share";
+ type = types.str;
+ };
+ group = mkOption {
+ default = "share";
+ type = types.str;
+ };
+ port = mkOption {
+ default = 8096;
+ type = types.int;
+ };
+ url = mkOption {
+ default = null;
+ type = types.str;
+ };
+ mediaDir = mkOption {
+ type = types.str;
+ };
+ configDir = mkOption {
+ default = "/opt/${service}";
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users.${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ };
- virtualisation.oci-containers.containers.jellyfin = {
- image = "jellyfin/jellyfin:latest";
- autoStart = true;
- user = "994:994";
- ports = [ "8096:8096/tcp" ];
- volumes = [
- "${directory}/config:/config"
- "${directory}/cache:/cache"
- "/tank/media:/media"
+ users.groups.${cfg.group} = { };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
];
- };
- services.caddy.virtualHosts."buttered.brownbread.net".extraConfig = ''
- encode zstd gzip
- reverse_proxy http://localhost:8096
- '';
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ ${cfg.url}.extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:${builtins.toString cfg.port}
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = builtins.map (f: "d ${f} 0755 ${cfg.user} ${cfg.group} - -") [
+ cfg.configDir
+ ];
+
+ virtualisation.oci-containers.containers.${service} =
+ with config.users;
+ with builtins;
+ let
+ uid = toString users.${cfg.user}.uid;
+ gid = toString groups.${cfg.group}.gid;
+ port = toString cfg.port;
+ in
+ {
+ image = "${service}/${service}:latest";
+ autoStart = true;
+ user = "${uid}:${gid}";
+ ports = [ "${port}:${port}/tcp" ];
+ volumes = [
+ "${cfg.configDir}/config:/config"
+ "${cfg.configDir}/cache:/cache"
+ "${cfg.mediaDir}:/media"
+ ];
+ };
+ };
}
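Review bot: `uid = toString users.${cfg.user}.uid` on L203 will most likely produce an empty string, because the account is created on L161-164 with `isSystemUser = true` and no explicit `uid`; NixOS then allocates the id at activation time and leaves the option null during evaluation, and `toString null` is `""`, so the container is started with `user = ":"` (the same for `gid` on L204). The previous hard-coded `994:994` at least matched a real account. Either expose `uid`/`gid` options and set them on `users.users.${cfg.user}.uid` and `users.groups.${cfg.group}.gid`, or fail early with `assertions = [ { assertion = config.users.users.${cfg.user}.uid != null && config.users.groups.${cfg.group}.gid != null; message = "jellyfin: set an explicit uid/gid for the container user"; } ];`.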
diff --git a/modules/containers/lubelogger/default.nix b/modules/containers/lubelogger/default.nix
index 6ff2b0d..c7ca98f 100644
--- a/modules/containers/lubelogger/default.nix
+++ b/modules/containers/lubelogger/default.nix
@@ -1,34 +1,84 @@
-{ ... }:
+{
+ config,
+ lib,
+ ...
+}:
+with lib;
let
- directory = "/opt/lubelogger";
- port = "8889";
+ service = "lubelogger";
+ cfg = config.modules.containers.${service};
in
{
- systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ];
+ options.modules.containers.${service} = {
+ enable = mkEnableOption service;
+ user = mkOption {
+ default = "share";
+ type = types.str;
+ };
+ group = mkOption {
+ default = "share";
+ type = types.str;
+ };
+ port = mkOption {
+ default = 8889;
+ type = types.int;
+ };
+ url = mkOption {
+ default = null;
+ type = types.str;
+ };
+ configDir = mkOption {
+ default = "/opt/${service}";
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users.${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ };
+
+ users.groups.${cfg.group} = { };
- virtualisation.oci-containers.containers.lubelogger = {
- image = "ghcr.io/hargata/lubelogger:latest";
- autoStart = true;
- ports = [ "${port}:8080" ];
- volumes = [
- "${directory}/config:/App/config"
- "${directory}/data:/App/data"
- "${directory}/translations:/App/wwwroot/translations"
- "${directory}/documents:/App/wwwroot/documents"
- "${directory}/images:/App/wwwroot/images"
- "${directory}/temp:/App/wwwroot/temp"
- "${directory}/log:/App/log"
- "${directory}/keys:/root/.aspnet/DataProtection-Keys"
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
];
- environment = {
- LC_ALL = "en_US.UTF-8";
- LANG = "en_US.UTF-8";
- LUBELOGGER_ALLOWED_FILE_EXTENSIONS = "*";
+
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ ${cfg.url}.extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:${builtins.toString cfg.port}
+ '';
+ };
};
- };
- services.caddy.virtualHosts."garage.brownbread.net".extraConfig = ''
- encode zstd gzip
- reverse_proxy http://localhost:${port}
- '';
+ systemd.tmpfiles.rules = builtins.map (f: "d ${f} 0755 ${cfg.user} ${cfg.group} - -") [
+ cfg.configDir
+ ];
+
+ virtualisation.oci-containers.containers.${service} = {
+ image = "ghcr.io/hargata/lubelogger:latest";
+ autoStart = true;
+ ports = [ "${builtins.toString cfg.port}:8080" ];
+ volumes = [
+ "${cfg.configDir}/config:/App/config"
+ "${cfg.configDir}/data:/App/data"
+ "${cfg.configDir}/translations:/App/wwwroot/translations"
+ "${cfg.configDir}/documents:/App/wwwroot/documents"
+ "${cfg.configDir}/images:/App/wwwroot/images"
+ "${cfg.configDir}/temp:/App/wwwroot/temp"
+ "${cfg.configDir}/log:/App/log"
+ "${cfg.configDir}/keys:/root/.aspnet/DataProtection-Keys"
+ ];
+ environment = {
+ LC_ALL = "en_US.UTF-8";
+ LANG = "en_US.UTF-8";
+ LUBELOGGER_ALLOWED_FILE_EXTENSIONS = "*";
+ };
+ };
+ };
}
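Review bot: The tmpfiles rule on L307-309 creates `cfg.configDir` with mode 0755, yet that directory is also the parent of the `keys` volume mounted at `/root/.aspnet/DataProtection-Keys` on L323, which holds the ASP.NET key ring used to protect cookies and antiforgery tokens. The subdirectory itself is created by the container runtime with whatever mode it chooses (not visible here), so the world-readable parent is the only thing this module controls; a dedicated entry such as `"d ${cfg.configDir}/keys 0700 ${cfg.user} ${cfg.group} - -"` added to the list, or 0750 on the parent, keeps the key material out of reach of other local users. A short comment on the volume line noting that it contains secret key material would help the next maintainer keep it that way.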
diff --git a/modules/containers/pinchflat/default.nix b/modules/containers/pinchflat/default.nix
index 6f9c825..6b5df23 100644
--- a/modules/containers/pinchflat/default.nix
+++ b/modules/containers/pinchflat/default.nix
@@ -1,18 +1,62 @@
-{ ... }:
+{
+ config,
+ lib,
+ ...
+}:
+with lib;
let
- directory = "/opt/pinchflat";
+ service = "pinchflat";
+ cfg = config.modules.containers.${service};
in
{
- systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ];
+ options.modules.containers.${service} = {
+ enable = mkEnableOption service;
+ user = mkOption {
+ default = "share";
+ type = types.str;
+ };
+ group = mkOption {
+ default = "share";
+ type = types.str;
+ };
+ port = mkOption {
+ default = 8945;
+ type = types.int;
+ };
+ url = mkOption {
+ default = null;
+ type = types.str;
+ };
+ mediaDir = mkOption {
+ type = types.str;
+ };
+ configDir = mkOption {
+ default = "/opt/${service}";
+ type = types.str;
+ };
+ };
+
+ config = mkIf cfg.enable {
+ users.users.${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ };
- virtualisation.oci-containers.containers.pinchflat = {
- image = "keglin/pinchflat:latest";
- autoStart = true;
- ports = [ "8945:8945" ];
- volumes = [
- "${directory}:/config"
- "/tank/media/yt:/downloads"
+ users.groups.${cfg.group} = { };
+
+ systemd.tmpfiles.rules = builtins.map (f: "d ${f} 0755 ${cfg.user} ${cfg.group} - -") [
+ cfg.configDir
];
- environment.TZ = "America/Detroit";
+
+ virtualisation.oci-containers.containers.${service} = {
+ image = "keglin/pinchflat:latest";
+ autoStart = true;
+ ports = [ "${builtins.toString cfg.port}:${builtins.toString cfg.port}" ];
+ volumes = [
+ "${cfg.configDir}:/config"
+ "${cfg.mediaDir}:/downloads"
+ ];
+ environment.TZ = "America/Detroit";
+ };
};
}
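Review bot: The `url` option on L366-369 is declared but never read in this module (there is no Caddy vhost here), and `user`/`group` on L354-361 create a system account that the container on L398-407 never runs as, since no `user =` is set on the container, so the directory chowned to `cfg.user` on L393 is written by container root. Either drop `url` here, or use the declared user for the container as jellyfin does (`user = "${uid}:${gid}"`), which would also make the 0755 ownership of `configDir` meaningful. The unused `user`/`group` pair is the same in freshrss, lubelogger and vaultwarden; pinchflat additionally publishes `${port}:${port}` on L401 on all host interfaces with no proxy in front of it.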
diff --git a/modules/containers/vaultwarden/default.nix b/modules/containers/vaultwarden/default.nix
index 7fb4ae0..c04d679 100644
--- a/modules/containers/vaultwarden/default.nix
+++ b/modules/containers/vaultwarden/default.nix
@@ -1,29 +1,78 @@
-{ ... }:
+{
+ config,
+ lib,
+ ...
+}:
+with lib;
let
- directory = "/opt/vaultwarden";
- domain = "steel-mountain.brownbread.net";
- port = "11001";
+ service = "vaultwarden";
+ cfg = config.modules.containers.${service};
in
{
- systemd.tmpfiles.rules = builtins.map (x: "d ${x} 0755 share share - -") [ directory ];
-
- virtualisation.oci-containers.containers.vaultwarden = {
- image = "vaultwarden/server:latest";
- autoStart = true;
- ports = [ "${port}:80" ];
- volumes = [ "${directory}/data:/data" ];
- environment = {
- DOMAIN = domain;
- WEBSOCKET_ENABLED = "true";
- SIGNUPS_ALLOWED = "false";
- SHOW_PASSWORD_HINT = "false";
+ options.modules.containers.${service} = {
+ enable = mkEnableOption service;
+ user = mkOption {
+ default = "share";
+ type = types.str;
+ };
+ group = mkOption {
+ default = "share";
+ type = types.str;
+ };
+ port = mkOption {
+ default = 11001;
+ type = types.int;
+ };
+ url = mkOption {
+ default = null;
+ type = types.str;
+ };
+ configDir = mkOption {
+ default = "/opt/${service}";
+ type = types.str;
};
};
- services.caddy.virtualHosts.${domain}.extraConfig = ''
- encode zstd gzip
- reverse_proxy http://localhost:${port} {
- header_up X-Real-IP {remote_host}
- }
- '';
+ config = mkIf cfg.enable {
+ users.users.${cfg.user} = {
+ isSystemUser = true;
+ group = cfg.group;
+ };
+
+ users.groups.${cfg.group} = { };
+
+ networking.firewall.allowedTCPPorts = [
+ 80
+ 443
+ ];
+
+ services.caddy = {
+ enable = true;
+ virtualHosts = {
+ ${cfg.url}.extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://localhost:${builtins.toString cfg.port} {
+ header_up X-Real-IP {remote_host}
+ }
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = builtins.map (f: "d ${f} 0755 ${cfg.user} ${cfg.group} - -") [
+ cfg.configDir
+ ];
+
+ virtualisation.oci-containers.containers.${service} = {
+ image = "vaultwarden/server:latest";
+ autoStart = true;
+ ports = [ "${builtins.toString cfg.port}:80" ];
+ volumes = [ "${cfg.configDir}/data:/data" ];
+ environment = {
+ DOMAIN = cfg.url;
+ WEBSOCKET_ENABLED = "true";
+ SIGNUPS_ALLOWED = "false";
+ SHOW_PASSWORD_HINT = "false";
+ };
+ };
+ };
}
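Review bot: `ports = [ "${builtins.toString cfg.port}:80" ]` on L503 publishes the Vaultwarden port on every host interface, while the only consumer is Caddy on L489, which proxies to `localhost`; rootful podman installs its own forwarding rules, so this port is likely reachable from the network regardless of `networking.firewall.allowedTCPPorts` on L479-482 (which only opens 80/443 for Caddy anyway). Bind it to loopback, `ports = [ "127.0.0.1:${builtins.toString cfg.port}:80" ];`, and do the same for freshrss, jellyfin and lubelogger, which have the same proxy-only layout. Also, `DOMAIN = cfg.url` on L506 reuses the Caddy host label, which is a bare hostname, whereas I believe Vaultwarden expects a scheme-qualified origin for `DOMAIN` — worth confirming against the upstream docs, as the old code had the same shape.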
diff --git a/modules/containers/watchtower/default.nix b/modules/containers/watchtower/default.nix
index bc819cd..b7644ec 100644
--- a/modules/containers/watchtower/default.nix
+++ b/modules/containers/watchtower/default.nix
@@ -1,15 +1,30 @@
-{ ... }:
{
- virtualisation.oci-containers.containers.watchtower = {
- image = "containrrr/watchtower:latest";
- autoStart = true;
- volumes = [
- "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
- "/etc/localtime:/etc/localtime:ro"
- ];
- environment = {
- WATCHTOWER_CLEANUP = "true";
- WATCHTOWER_SCHEDULE = "0 0 5 * * *";
+ config,
+ lib,
+ ...
+}:
+with lib;
+let
+ service = "watchtower";
+ cfg = config.modules.containers.${service};
+in
+{
+ options.modules.containers.${service} = {
+ enable = mkEnableOption service;
+ };
+
+ config = mkIf cfg.enable {
+ virtualisation.oci-containers.containers.${service} = {
+ image = "containrrr/watchtower:latest";
+ autoStart = true;
+ volumes = [
+ "/var/run/podman/podman.sock:/var/run/docker.sock:ro"
+ "/etc/localtime:/etc/localtime:ro"
+ ];
+ environment = {
+ WATCHTOWER_CLEANUP = "true";
+ WATCHTOWER_SCHEDULE = "0 0 5 * * *";
+ };
};
};
}
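Review bot: The socket mount on L550 is undocumented, and it is the security-relevant line of this module: it hands the container control of the host's podman daemon, which is equivalent to root on the host, and combined with the `:latest` tags used by the sibling modules it means unpinned images are pulled and restarted automatically on the schedule on L555. I would add above the `volumes` list a comment such as `# The podman socket grants this container root-equivalent control of the host; it auto-updates every ':latest' image, so pin this image by digest and treat it as trusted.` so that anyone enabling `modules.containers.watchtower` sees the trade-off. The `enable` option on L542 would benefit from the same one-line note in its description.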