From 50af3792f9faf8918be7c7a01b7a2297b0ce9bb9 Mon Sep 17 00:00:00 2001 From: Madeleine Sydney Date: Thu, 27 Mar 2025 16:02:11 -0600 Subject: [PATCH] feat(deertopia): *Arr suite --- flake.lock | 64 ++++++++++++- flake.nix | 6 ++ hosts/deertopia/configuration.nix | 24 ++--- hosts/nixos-testbed/configuration.nix | 85 ++++++++++------ modules/nixos/deertopia/copyparty.nix | 15 ++- modules/nixos/deertopia/nginx.nix | 1 + modules/nixos/deertopia/servarr.nix | 96 +++++++++++++++++++ modules/nixos/deertopia/servarr/jellyfin.nix | 67 +++++++++++++ modules/nixos/deertopia/servarr/lidarr.nix | 33 +++++++ modules/nixos/deertopia/servarr/prowlarr.nix | 32 +++++++ modules/nixos/deertopia/servarr/radarr.nix | 33 +++++++ modules/nixos/deertopia/servarr/sabnzbd.nix | 17 ++++ modules/nixos/deertopia/servarr/slskd.nix | 74 ++++++++++++++ modules/nixos/deertopia/servarr/sonarr.nix | 32 +++++++ .../nixos/deertopia/servarr/transmission.nix | 24 +++++ modules/nixos/deertopia/slskd.nix | 11 ++- outputs/nixosConfigurations.nix | 1 + secrets.yaml | 5 +- users/lain/default.nix | 4 +- 19 files changed, 572 insertions(+), 52 deletions(-) create mode 100644 modules/nixos/deertopia/servarr.nix create mode 100644 modules/nixos/deertopia/servarr/jellyfin.nix create mode 100644 modules/nixos/deertopia/servarr/lidarr.nix create mode 100644 modules/nixos/deertopia/servarr/prowlarr.nix create mode 100644 modules/nixos/deertopia/servarr/radarr.nix create mode 100644 modules/nixos/deertopia/servarr/sabnzbd.nix create mode 100644 modules/nixos/deertopia/servarr/slskd.nix create mode 100644 modules/nixos/deertopia/servarr/sonarr.nix create mode 100644 modules/nixos/deertopia/servarr/transmission.nix mode change 100755 => 100644 secrets.yaml diff --git a/flake.lock b/flake.lock index 832287d..9d49615 100755 --- a/flake.lock +++ b/flake.lock 
@@ -541,6 +541,30 @@ "type": "github" } }, + "nixarr": { + "inputs": { + "nixpkgs": [ + "nixpkgs" + ], + "vpnconfinement": [ + "vpn-confinement" + ], + "website-builder": "website-builder" + }, + "locked": { + "lastModified": 1742243092, + "narHash": "sha256-pTMB/aLTufgNX3rJlT5Ia64TofZxOdEGMl9nfc3D++o=", + "owner": "rasmus-kirk", + "repo": "nixarr", + "rev": "046ec8d875611ec2c93d5c45eebf6b46f0f350e8", + "type": "github" + }, + "original": { + "owner": "rasmus-kirk", + "repo": "nixarr", + "type": "github" + } + }, "nixcord": { "inputs": { "flake-compat": "flake-compat", @@ -836,12 +860,14 @@ "home-manager": "home-manager", "impermanence": "impermanence", "niri": "niri", + "nixarr": "nixarr", "nixcord": "nixcord", "nixpkgs": "nixpkgs_7", "nur": "nur", "sops-nix": "sops-nix", "stylix": "stylix", - "sydnix-cli": "sydnix-cli" + "sydnix-cli": "sydnix-cli", + "vpn-confinement": "vpn-confinement" } }, "sops-nix": { @@ -1101,6 +1127,42 @@ "type": "github" } }, + "vpn-confinement": { + "locked": { + "lastModified": 1742138327, + "narHash": "sha256-Y71Mjej98CjaUKa1ecAIOo0eJ1B3ZVQl2ng6xl7/s9Y=", + "owner": "Maroka-chan", + "repo": "VPN-Confinement", + "rev": "38eeb3bc501900b48d1caf8c52a5b7f2fb7a52c5", + "type": "github" + }, + "original": { + "owner": "Maroka-chan", + "repo": "VPN-Confinement", + "type": "github" + } + }, + "website-builder": { + "inputs": { + "nixpkgs": [ + "nixarr", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1741594814, + "narHash": "sha256-YPAIywsWZVhQuy/cPJLi3PiWgoWDrqvQCBytXeSQYCk=", + "owner": "rasmus-kirk", + "repo": "website-builder", + "rev": "e0239195b33103a4923011d8e96ef39a3397631b", + "type": "github" + }, + "original": { + "owner": "rasmus-kirk", + "repo": "website-builder", + "type": "github" + } + }, "xwayland-satellite-stable": { "flake": false, "locked": { diff --git a/flake.nix b/flake.nix index bf37542..4d26398 100755 --- a/flake.nix +++ b/flake.nix 
@@ -17,6 +17,12 @@ stylix.url = "github:danth/stylix"; # nixcord.url = "github:kaylorben/nixcord"; nixcord.url = "github:msyds/nixcord/irc-colours"; + vpn-confinement.url = "github:Maroka-chan/VPN-Confinement"; + nixarr = { + url = "github:rasmus-kirk/nixarr"; + inputs.nixpkgs.follows = "nixpkgs"; + inputs.vpnconfinement.follows = "vpn-confinement"; + }; # Used for Firefox extensions/addons. nur = { url = "github:nix-community/NUR"; diff --git a/hosts/deertopia/configuration.nix b/hosts/deertopia/configuration.nix index 49fec69..507fd45 100755 --- a/hosts/deertopia/configuration.nix +++ b/hosts/deertopia/configuration.nix @@ -40,7 +40,7 @@ deertopia = { authelia.enable = true; bepasty.enable = true; - jellyfin.enable = true; + jellyfin.enable = false; lldap.enable = true; nginx.enable = true; slskd.enable = true; @@ -49,6 +49,17 @@ syncthing.enable = true; cache.enable = true; mullvad.enable = true; + servarr = { + enable = true; + prowlarr.enable = true; + jellyfin.enable = true; + transmission.enable = true; + sonarr.enable = true; + lidarr.enable = true; + radarr.enable = true; + # sabnzbd.enable = true; + # slskd.enable = true; + }; # A simple default webpage. This should probably live somewhere else. nginx.vhosts."www" = { @@ -67,17 +78,6 @@ sydnix.sops.secrets.buffalo-nas-creds = {}; - fileSystems."/nas/media" = { - # DNS is seemingly unavailable to the mount service. - device = "//192.168.68.62/media"; - mountPoint = "/nas/media"; - fsType = "cifs"; - options = [ - "vers=2.0" - "cred=/run/secrets/buffalo-nas-creds" - ]; - }; - boot.loader = { systemd-boot.enable = true; efi.canTouchEfiVariables = true; diff --git a/hosts/nixos-testbed/configuration.nix b/hosts/nixos-testbed/configuration.nix index 5702a41..3838191 100644 --- a/hosts/nixos-testbed/configuration.nix +++ b/hosts/nixos-testbed/configuration.nix 
@@ -24,17 +24,51 @@ # just think it's annoying to edit ~/.ssh/known_hosts all the time. "/etc/ssh" ]; - # rollback = { - # enable = true; - # device = "/dev/sda2"; - # subvolume = "rootfs"; - # }; + rollback = { + enable = true; + device = "/dev/sda2"; + subvolume = "rootfs"; + }; + }; + + sops = { + enable = true; + keyFile = "/persist/private-keys/age/deertopia"; + }; + + deertopia = { + # authelia.enable = true; + # bepasty.enable = true; + # jellyfin.enable = true; + # lldap.enable = true; + nginx.enable = true; + # slskd.enable = true; + # webdav.enable = true; + # copyparty.enable = true; + # syncthing.enable = true; + # cache.enable = true; + # mullvad.enable = true; + servarr.enable = true; + servarr.prowlarr.enable = true; + servarr.jellyfin.enable = true; + servarr.transmission.enable = true; + servarr.sonarr.enable = true; }; }; boot.loader = { systemd-boot.enable = true; - efi.canTouchEfiVariables = false; + efi.canTouchEfiVariables = true; + }; + + time.timeZone = "America/Denver"; + + i18n.defaultLocale = "en_US.UTF-8"; + + console = { + font = "Lat2-Terminus16"; + # keyMap = "us"; + useXkbConfig = true; # use xkb.options in tty. }; fileSystems."/persist/dots" = { 
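Review bot: The testbed's new `sops` block sets `keyFile = "/persist/private-keys/age/deertopia"`, which by its name looks like the production host's age identity. If it is the same key, this machine can decrypt every entry in secrets.yaml, not only the ones the enabled servarr modules consume. A testbed-only recipient would keep the test host from holding production secrets. If sharing the key is deliberate, say so next to the setting, e.g. `# Reuses deertopia's age key so the servarr secrets decrypt here; replace with a testbed-only recipient.`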
@@ -43,35 +77,34 @@ mountPoint = "/persist/dots"; }; - networking.hostId = "238e9b1e"; # head -c 8 /etc/machine-id - - time.timeZone = "America/Denver"; - - i18n.defaultLocale = "en_US.UTF-8"; - - console = { - font = "Lat2-Terminus16"; - useXkbConfig = true; # Use xkb.options in TTY. - }; - - services.xserver.enable = true; services.xserver.xkb.layout = "us"; - services.xserver.xkb.options = "ctrl:swapcaps"; + services.xserver.xkb.options = "caps:escape"; - environment.systemPackages = [ - pkgs.neovim - pkgs.git - pkgs.waypipe + hardware.graphics = { + enable = true; + enable32Bit = true; + }; + + environment.systemPackages = with pkgs; [ + neovim + git + waypipe sydnix-cli.packages.x86_64-linux.default (import ../../scripts/port-tools { inherit pkgs; }) ]; services.openssh = { enable = true; - settings.PermitRootLogin = "yes"; - settings.X11Forwarding = true; + settings = { + PermitRootLogin = "yes"; + X11Forwarding = true; + # This server is connected to the internet! Port 22 is open!! + # Aagghhhh!!! Stay safe! + PasswordAuthentication = false; + }; }; + # TODO: Move to defaults. users.mutableUsers = false; nix = { @@ -80,12 +113,10 @@ "@wheel" ]; substituters = [ - "https://cache.deertopia.net" "https://nix-community.cachix.org" "https://cache.nixos.org" ]; trusted-public-keys = [ - (builtins.readFile ../../public-keys/deertopia-cache.pub.pem) "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=" ]; }; diff --git a/modules/nixos/deertopia/copyparty.nix b/modules/nixos/deertopia/copyparty.nix index 38f3aef..48a3cc2 100644 --- a/modules/nixos/deertopia/copyparty.nix +++ b/modules/nixos/deertopia/copyparty.nix 
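Review bot: In `services.openssh.settings`, `PermitRootLogin = "yes"` is kept on a host that the new comment itself describes as internet-facing with port 22 open. `PasswordAuthentication = false` does not cover keyboard-interactive logins, which NixOS exposes as a separate setting, so I would add `KbdInteractiveAuthentication = false;` and tighten the root line to `PermitRootLogin = "prohibit-password";`. `X11Forwarding = true` is also worth dropping on this host unless something depends on it.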
@@ -20,9 +20,11 @@ in { nixpkgs.overlays = [ inputs.copyparty.overlays.default ]; # HACK: Ad-hoc permissions, as typical. - users.users.copyparty.extraGroups = [ "jellyfin" ]; + users.users.copyparty.extraGroups = [ + "media" + ]; - # HACK: Make files created by copypaste.service initialise with the mode + # HACK: Make files created by copyparty.service initialise with the mode # 775. systemd.services.copyparty.serviceConfig.UMask = lib.mkForce "002"; @@ -46,12 +48,17 @@ in { path = "/var/lib/slskd"; access.r = "*"; }; - "/Jellyfin" = { - path = "/persist/vault/jellyfin"; + "/Media library" = { + path = "/persist/media/library"; # View and upload, but no deleting. access.rw = "*"; access.rwmd = "@jellyfin-admin"; }; + "/Torrents" = { + path = "/persist/media/torrents"; + access.r = "*"; + access.rwmd = "@jellyfin-admin"; + }; }; }; diff --git a/modules/nixos/deertopia/nginx.nix b/modules/nixos/deertopia/nginx.nix index 808fa12..290616f 100644 --- a/modules/nixos/deertopia/nginx.nix +++ b/modules/nixos/deertopia/nginx.nix @@ -29,6 +29,7 @@ in vhosts = lib.mkOption { # NOTE: `name` shouldn't contain spaces. + default = {}; type = lib.types.attrsOf (lib.types.submodule ({ name, ... }: { options = { enable = lib.mkOption { diff --git a/modules/nixos/deertopia/servarr.nix b/modules/nixos/deertopia/servarr.nix new file mode 100644 index 0000000..72065b3 --- /dev/null +++ b/modules/nixos/deertopia/servarr.nix 
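Review bot: The new `"/Torrents"` volume sets `access.r = "*"`, which in copyparty grants read access to every visitor, including unauthenticated ones, over `/persist/media/torrents`. That directory holds whatever the download client is fetching, partial files included, so this is probably wider than intended. Unless copyparty is only reachable behind an auth layer not visible in this hunk, drop the `access.r = "*";` line and keep `access.rwmd = "@jellyfin-admin";` as the only grant.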
@@ -0,0 +1,96 @@ +{ config, lib, pkgs, ... }: + +let cfg = config.sydnix.deertopia.servarr; +in { + options.sydnix.deertopia.servarr = { + enable = lib.mkEnableOption "Deertopia's *arr suite"; + peer = lib.mkOption { + default = "us-den-wg-101"; + type = lib.types.str; + description = '' + The name of a Wireguard configuration file in + modules/nixos/deertopia/mullvad/, without the .conf suffix. Ideally, we + would support multiple peers without rebuilding, but... + ''; + }; + }; + + imports = [ + ./servarr/jellyfin.nix + ./servarr/lidarr.nix + ./servarr/prowlarr.nix + ./servarr/sabnzbd.nix + ./servarr/sonarr.nix + ./servarr/radarr.nix + ./servarr/transmission.nix + # ./servarr/slskd.nix + ]; + + config = lib.mkIf cfg.enable { + sydnix.impermanence.directories = [ + # "All services support state management and all state that they manage is + # located by default in /data/.state/nixarr/*" + # See https://nixarr.com/nixos-options/ + config.nixarr.stateDir + ]; + + # Mount our NAS's 'media' share. + fileSystems."/persist/media/library" = { + # DNS is seemingly unavailable to the mount service. + device = "//192.168.68.62/media"; + mountPoint = "/persist/media/library"; + fsType = "cifs"; + options = [ + "vers=2.0" + "cred=/run/secrets/buffalo-nas-creds" + # It appears that the group/user names used by Nixarr are hard-coded. 
+ "gid=media" + "uid=streamer" + # Mysteriously, 0664 doesn't work… + "dir_mode=0770" + "file_mode=0770" + ]; + }; + + sydnix.sops.secrets.wireguard-mullvad-key = {}; + + systemd.services."create-wireguard-config" = { + script = '' + wgConf="${config.nixarr.stateDir}/wg.conf" + cp "/persist/dots/modules/nixos/deertopia/mullvad/${cfg.peer}.conf" \ + "$wgConf" + ${pkgs.replace-secret}/bin/replace-secret \ + '{{WG_PRIVATE_KEY}}' \ + /run/secrets/wireguard-mullvad-key \ + "$wgConf" + ${pkgs.gnused}/bin/sed -i -e 's/^DNS.*/DNS = 1.1.1.1/' "$wgConf" + chmod 700 "$wgConf" + chown root "$wgConf" + ''; + requiredBy = [ "wg.service" ]; + }; + + systemd.services.test-mullvad-connection = { + script = '' + ${pkgs.curl}/bin/curl -s https://am.i.mullvad.net/connected >&2 + ${pkgs.curl}/bin/curl -s https://am.i.mullvad.net/connected 2>/dev/null + ''; + vpnconfinement = { + enable = true; + vpnnamespace = "wg"; + }; + }; + + nixarr = { + enable = true; + # The default value is overly anti-FHS. + stateDir = "/var/lib/nixarr"; + mediaDir = "/persist/media"; + vpn = { + enable = true; + wgConf = "${config.nixarr.stateDir}/wg.conf"; + }; + }; + }; +} + diff --git a/modules/nixos/deertopia/servarr/jellyfin.nix b/modules/nixos/deertopia/servarr/jellyfin.nix new file mode 100644 index 0000000..8ffbaba --- /dev/null +++ b/modules/nixos/deertopia/servarr/jellyfin.nix 
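Review bot: In the `create-wireguard-config` script, `wg.conf` is created by `cp` under the default umask and only restricted by `chmod 700` after `replace-secret` has written the private key into it. On first creation the key may therefore sit briefly in a file other users can read, and 700 also sets an execute bit that a config file does not need. Putting `umask 077` on the first line of the script and changing the last step to `chmod 600 "$wgConf"` closes that window. Separately, `requiredBy = [ "wg.service" ]` adds a dependency but no ordering, so `before = [ "wg.service" ];` and a oneshot service type look necessary for the file to exist before the tunnel unit starts.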
@@ -0,0 +1,67 @@ +{ config, lib, pkgs, ... }: + +let cfg = config.sydnix.deertopia.servarr.jellyfin; +in { + options.sydnix.deertopia.servarr.jellyfin = { + enable = lib.mkEnableOption "Jellyfin (via Nixarr)"; + }; + + config = lib.mkIf cfg.enable { + sydnix.deertopia.nginx.vhosts."watch".vhost = + # Currently no (convenient) way to specify Jellyfin's port from Nix. + let port = builtins.toString 8096; + in { + forceSSL = true; + enableACME = true; + locations."/".extraConfig = '' + # Proxy main Jellyfin traffic. + proxy_pass $jellyfin; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + + # Disable buffering when the nginx proxy gets very resource heavy upon + # streaming. + proxy_buffering off; + ''; + locations."/socket".extraConfig = '' + # Proxy Jellyfin Websockets traffic + proxy_pass $jellyfin; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + ''; + extraConfig = '' + set $jellyfin http://127.0.0.1:${port}; + ''; + }; + + nixarr.jellyfin = { + enable = true; + openFirewall = true; + }; + + sydnix.deertopia.nginx.vhosts."jellyseer".vhost = + # Currently no (convenient) way to specify Jellyfin's port from Nix. + let port = builtins.toString 8096; + in { + forceSSL = true; + enableACME = true; + locations."/".proxyPass = "http://127.0.0.1:5055"; + }; + + nixarr.jellyseerr = { + enable = true; + openFirewall = true; + }; + }; +} 
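Review bot: `nixarr.jellyfin.openFirewall = true` and `nixarr.jellyseerr.openFirewall = true` presumably open the backends' own ports on the host firewall, although both services are already published through the TLS vhosts `watch` and `jellyseer`, which proxy to 127.0.0.1. Clients could then reach the backends over plain HTTP and bypass nginx, so unless direct LAN access is required, set both to `openFirewall = false;`. In the `jellyseer` vhost, the `let port = builtins.toString 8096;` binding and its comment are copied from the Jellyfin vhost and never used, while the real port is hard-coded in `proxyPass`. Either drop the binding or bind 5055 and interpolate it.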
diff --git a/modules/nixos/deertopia/servarr/lidarr.nix b/modules/nixos/deertopia/servarr/lidarr.nix new file mode 100644 index 0000000..2b42914 --- /dev/null +++ b/modules/nixos/deertopia/servarr/lidarr.nix @@ -0,0 +1,33 @@ +{ config, lib, pkgs, ... }: + +let cfg = config.sydnix.deertopia.servarr.lidarr; +in { + options.sydnix.deertopia.servarr.lidarr = { + enable = lib.mkEnableOption "Lidarr (via Nixarr)"; + }; + + config = lib.mkIf cfg.enable { + sydnix.deertopia.nginx.vhosts."lidarr" = { + directory = null; + vhost = { + forceSSL = true; + enableACME = true; + extraConfig = '' + # include ${../authelia/authelia-location.conf}; + set $upstream http://127.0.0.1:8686; + ''; + locations."/".extraConfig = '' + # include ${../authelia/authelia-authrequest.conf}; + # include ${../authelia/proxy.conf}; + proxy_pass $upstream; + ''; + }; + }; + + nixarr.lidarr = { + enable = true; + openFirewall = true; + }; + }; +} + diff --git a/modules/nixos/deertopia/servarr/prowlarr.nix b/modules/nixos/deertopia/servarr/prowlarr.nix new file mode 100644 index 0000000..3236eb3 --- /dev/null +++ b/modules/nixos/deertopia/servarr/prowlarr.nix @@ -0,0 +1,32 @@ +{ config, lib, pkgs, ... }: + +let cfg = config.sydnix.deertopia.servarr.prowlarr; +in { + options.sydnix.deertopia.servarr.prowlarr = { + enable = lib.mkEnableOption "Prowlarr (via Nixarr)"; + }; + + config = lib.mkIf cfg.enable { + nixarr.prowlarr = { + enable = true; + openFirewall = true; + }; + + sydnix.deertopia.nginx.vhosts."prowlarr" = { + directory = null; + vhost = { + forceSSL = true; + enableACME = true; + extraConfig = '' + # include ${../authelia/authelia-location.conf}; + set $upstream http://127.0.0.1:9696; + ''; + locations."/".extraConfig = '' + # include ${../authelia/authelia-authrequest.conf}; + # include ${../authelia/proxy.conf}; + proxy_pass $upstream; + ''; + }; + }; + }; +} 
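Review bot: The `lidarr` vhost is published with `forceSSL` and `enableACME`, but all three Authelia includes are commented out, so the Lidarr UI is protected only by the application's own login, if one is configured. The same pattern appears in prowlarr.nix, radarr.nix and sonarr.nix, and each module also sets `openFirewall = true`, which presumably exposes the backend port directly in addition to the proxy. If running without Authelia is temporary, record that in the module, e.g. `# TODO: re-enable the Authelia includes; until then this UI relies on its built-in auth.`, and set `openFirewall = false;` so nginx is the only route in.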
diff --git a/modules/nixos/deertopia/servarr/radarr.nix b/modules/nixos/deertopia/servarr/radarr.nix new file mode 100644 index 0000000..3768d0f --- /dev/null +++ b/modules/nixos/deertopia/servarr/radarr.nix @@ -0,0 +1,33 @@ +{ config, lib, pkgs, ... }: + +let cfg = config.sydnix.deertopia.servarr.radarr; +in { + options.sydnix.deertopia.servarr.radarr = { + enable = lib.mkEnableOption "Radarr (via Nixarr)"; + }; + + config = lib.mkIf cfg.enable { + nixarr.radarr = { + enable = true; + openFirewall = true; + }; + + sydnix.deertopia.nginx.vhosts."radarr" = { + directory = null; + vhost = { + forceSSL = true; + enableACME = true; + extraConfig = '' + # include ${../authelia/authelia-location.conf}; + set $upstream http://127.0.0.1:7878; + ''; + locations."/".extraConfig = '' + # include ${../authelia/authelia-authrequest.conf}; + # include ${../authelia/proxy.conf}; + proxy_pass $upstream; + ''; + }; + }; + }; +} + diff --git a/modules/nixos/deertopia/servarr/sabnzbd.nix b/modules/nixos/deertopia/servarr/sabnzbd.nix new file mode 100644 index 0000000..64c6043 --- /dev/null +++ b/modules/nixos/deertopia/servarr/sabnzbd.nix @@ -0,0 +1,17 @@ +{ config, lib, pkgs, ... }: + +let cfg = config.sydnix.deertopia.servarr.sabnzbd; +in { + options.sydnix.deertopia.servarr.sabnzbd = { + enable = lib.mkEnableOption "SABnzbd (via Nixarr)"; + }; + + config = lib.mkIf cfg.enable { + nixarr.sabnzbd = { + enable = true; + # vpn.enable = true; + openFirewall = true; + guiPort = 43288; + }; + }; +} diff --git a/modules/nixos/deertopia/servarr/slskd.nix b/modules/nixos/deertopia/servarr/slskd.nix new file mode 100644 index 0000000..b431158 --- /dev/null +++ b/modules/nixos/deertopia/servarr/slskd.nix 
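Review bot: In sabnzbd.nix, `openFirewall = true` is combined with `guiPort = 43288`, while `vpn.enable` is commented out and, unlike the other services, no nginx vhost is defined. Once this module is enabled the web UI would be reachable directly over plain HTTP on that port. I would set `openFirewall = false;` and publish it through a TLS vhost like the other services before turning it on in a host configuration.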
@@ -0,0 +1,74 @@ +{ config, lib, pkgs, ... }: + +let cfg = config.sydnix.deertopia.servarr.slskd; +in { + options.sydnix.deertopia.servarr.slskd = { + enable = lib.mkEnableOption "Slskd (à la Nixarr)"; + }; + + config = lib.mkIf cfg.enable { + sydnix.sops.secrets.slskd-credentials = { + owner = "torrenter"; + }; + + # TODO: Patch Nixpkgs to add option services.slskd.appDir. + + services.slskd = { + enable = true; + user = "torrenter"; + group = "media"; + + openFirewall = true; + domain = null; + environmentFile = "/run/secrets/slskd-credentials"; + + settings = { + # Disable slskd's authentication in favour of Authelia. + web.authentication.disabled = true; + shares.directories = [ + config.nixarr.mediaDir + ]; + directories = { + downloads = "/var/lib/slskd/downloads"; + incomplete = "/var/lib/slskd/incomplete"; + }; + }; + }; + + networking.firewall.allowedTCPPorts = [ + config.services.slskd.settings.web.port + ]; + + sydnix.deertopia.nginx.vhosts."slsk" = { + directory = null; + vhost = { + forceSSL = true; + enableACME = true; + extraConfig = + let port = builtins.toString config.services.slskd.settings.web.port; + in '' + include ${../authelia/authelia-location.conf}; + set $upstream http://127.0.0.1:${port}; + ''; + locations."/".extraConfig = '' + include ${../authelia/authelia-authrequest.conf}; + include ${../authelia/proxy.conf}; + proxy_pass $upstream; + ''; + locations."/hub".extraConfig = '' + proxy_pass $upstream; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $host; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Protocol $scheme; + proxy_set_header X-Forwarded-Host $http_host; + ''; + }; + }; + }; +} + 
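Review bot: `web.authentication.disabled = true` is only safe while the Authelia-protected vhost is the sole route to slskd, but `networking.firewall.allowedTCPPorts = [ config.services.slskd.settings.web.port ];` opens the web port on the host firewall, so the unauthenticated UI would be reachable directly. nginx proxies to 127.0.0.1 and does not need that rule, so I would delete the `allowedTCPPorts` entry. The `/hub` location also proxies to `$upstream` without `include ${../authelia/authelia-authrequest.conf};`, so the websocket endpoint appears to skip the auth request that `/` enforces, though that depends on what authelia-location.conf sets up. The module is not yet imported by servarr.nix, so this is the moment to fix it before it is enabled.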
diff --git a/modules/nixos/deertopia/servarr/sonarr.nix b/modules/nixos/deertopia/servarr/sonarr.nix new file mode 100644 index 0000000..bc83db8 --- /dev/null +++ b/modules/nixos/deertopia/servarr/sonarr.nix @@ -0,0 +1,32 @@ +{ config, lib, pkgs, ... }: + +let cfg = config.sydnix.deertopia.servarr.sonarr; +in { + options.sydnix.deertopia.servarr.sonarr = { + enable = lib.mkEnableOption "Sonarr (via Nixarr)"; + }; + + config = lib.mkIf cfg.enable { + nixarr.sonarr = { + enable = true; + openFirewall = true; + }; + + sydnix.deertopia.nginx.vhosts."sonarr" = { + directory = null; + vhost = { + forceSSL = true; + enableACME = true; + extraConfig = '' + # include ${../authelia/authelia-location.conf}; + set $upstream http://127.0.0.1:8989; + ''; + locations."/".extraConfig = '' + # include ${../authelia/authelia-authrequest.conf}; + # include ${../authelia/proxy.conf}; + proxy_pass $upstream; + ''; + }; + }; + }; +} diff --git a/modules/nixos/deertopia/servarr/transmission.nix b/modules/nixos/deertopia/servarr/transmission.nix new file mode 100644 index 0000000..a358700 --- /dev/null +++ b/modules/nixos/deertopia/servarr/transmission.nix @@ -0,0 +1,24 @@ +{ config, lib, pkgs, ... }: + +let cfg = config.sydnix.deertopia.servarr.transmission; +in { + options.sydnix.deertopia.servarr.transmission = { + enable = lib.mkEnableOption "Transmission (via Nixarr)"; + }; + + config = lib.mkIf cfg.enable { + sydnix.sops.secrets.transmission-credentials = { + owner = config.services.transmission.user; + group = config.services.transmission.group; + mode = "700"; + }; + + nixarr.transmission = { + enable = true; + vpn.enable = true; + credentialsFile = "/run/secrets/transmission-credentials"; + # Default (9091) conflicts with Authelia. + uiPort = 7052; + }; + }; +} diff --git a/modules/nixos/deertopia/slskd.nix b/modules/nixos/deertopia/slskd.nix index 189623b..64451b2 100644 --- a/modules/nixos/deertopia/slskd.nix +++ b/modules/nixos/deertopia/slskd.nix 
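Review bot: In transmission.nix, `mode = "700"` on `sydnix.sops.secrets.transmission-credentials` gives the credentials file write and execute bits it does not need. Assuming the option is passed through to sops-nix unchanged, `mode = "0400";` is enough for a file the service only reads. It is also worth confirming that nixarr actually runs Transmission as `config.services.transmission.user`; the slskd module in this commit uses a `torrenter` user, and if the owner does not match the running user, the secret will be unreadable.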
@@ -22,11 +22,12 @@ in { # Disable slskd's authentication in favour of Authelia. web.authentication.disabled = true; shares.directories = [ - "/persist/vault/jellyfin/Music" - "/persist/vault/jellyfin/Shows" - "/persist/vault/jellyfin/Documents" - "/persist/vault/jellyfin/Music Videos" - "/persist/vault/jellyfin/Movies" + "/persist/media/library" + # "/persist/vault/jellyfin/Music" + # "/persist/vault/jellyfin/Shows" + # "/persist/vault/jellyfin/Documents" + # "/persist/vault/jellyfin/Music Videos" + # "/persist/vault/jellyfin/Movies" ]; # directories.downloads = "/persist/vault/jellyfin/Music"; }; diff --git a/outputs/nixosConfigurations.nix b/outputs/nixosConfigurations.nix index 8fd6df1..84800c4 100755 --- a/outputs/nixosConfigurations.nix +++ b/outputs/nixosConfigurations.nix @@ -36,6 +36,7 @@ let inputs.copyparty.nixosModules.default inputs.niri.nixosModules.niri inputs.stylix.nixosModules.stylix + inputs.nixarr.nixosModules.default # Directory name should always match host name. ({ ... }: { networking.hostName = hostName; }) diff --git a/secrets.yaml b/secrets.yaml old mode 100755 new mode 100644 index d8105f2..862224e --- a/secrets.yaml +++ b/secrets.yaml 
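Review bot: `shares.directories` now lists all of `/persist/media/library` instead of the five named subdirectories, so everything on the NAS `media` share is offered to Soulseek peers. That includes anything uploaded through copyparty's `/Media library` volume, which this commit points at the same path with `access.rw = "*"`. If the wider share is intended, state it in place, e.g. `# Shares the entire library with Soulseek peers; keep private material out of this tree.`, otherwise keep an explicit list of subdirectories. The commented-out old paths can be deleted rather than kept as dead code.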
@@ -18,6 +18,7 @@ authelia-authentication-backend-ldap-password: ENC[AES256_GCM,data:VWHW3rjjYCiEw wireguard-mullvad-key: ENC[AES256_GCM,data:UHvISlmMz9pqpegyOr9SEHQcgklLp9f4myCGWYR0BoeGHj/dYkLT333FTsE=,iv:4JJo2NUpb9TcAnoSFPVtpk58eDBOwziJ72xJ2ibg9zU=,tag:61a5tcZgMVu3BeJMDOB4Fw==,type:str] deertopia-cache-key: ENC[AES256_GCM,data:icKy8QZ59/zvQXgsTqN0PInUH3kgZBquwoAF0Lz3yy1avRI6z5DPuBAmj15lC8UmoDhTqi8nCvm5CGW1Xp5YgAQ5TgEWRpm8FWXxSofhLw8BotM4S3zxtCyefxcrW8Z7Lh7p25ECLrSX5F1h,iv:NNOWrgLrtg4WgG6IYWrVOhaTBmAaSeephvVwTT3VeUQ=,tag:zHmAil/falzhWXkvAV4PQA==,type:str] buffalo-nas-creds: ENC[AES256_GCM,data:dG8aA6KtATFyfDVGqF0a1wavhXDIv9bxnw==,iv:3H6T/THSxAAWTjDi35Q17Syq0Fz6jsHItzJUPxamzhA=,tag:f8kUnPX1Ik5HT6sDuHaFaw==,type:str] +transmission-credentials: ENC[AES256_GCM,data:HQtayxLRPATLXfS2DvPx9cNjSHk996QhSz6hiF0dnOS4Mdt1u+Ru+r7UNsfNLKOtB8j+mITizVH9S/5GryqTUB+ffJVet5Iw,iv:JRD3MVOwKPaL9S8Xa+amG32qOGaCN1c1N25kCcuVfpU=,tag:FG8ZsAEBpVAiXCYhw3MdZQ==,type:str] sops: kms: [] gcp_kms: [] @@ -42,8 +43,8 @@ sops: TXFLY2l0UHJ3Z0NGZjVpbTQ2UC8yaTQKA7wTmW9Ha6T2KmCr/nkXdizgv8+V6SAp ZhDO+uDQ1evIh2wLWMOXNJ3d/zplLCOTzR2xkqBIUp5V7MXj45RUIA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-01T12:20:42Z" - mac: ENC[AES256_GCM,data:7Z9Uo2J4LBcThM1dBJrTelgXEd614RYwHMS9BSZDommWuG3EicWv+l76GCijHQwGnK8NWXgacc+wEY3rCL9n6Dceuy795ZeIxUBsigaVwuqBsSNAAitMKZelX4W++fIBLk5wzMQUdfjJPOHRXWB8o5ayZPSM5g4gUo9warZ0C94=,iv:v58EcYGC93IHeEpf9wDrolqcL7VKcGD44cwk6RfmW8A=,tag:nbPdqtuZ7pS1Y1ucyihkyg==,type:str] + lastmodified: "2025-04-01T14:04:42Z" + mac: ENC[AES256_GCM,data:EgvhxUBjbs71Exke3c3oI/uzfThbN/SgeaC7wJOTbp1wFV9YgSI+wOzTKApJl72EvRxr6qpep6jchNIDQj++V+wmjgi2Eh3hkfMfzlfeHQk0q3/BFea+8JNXsLNPTQhiWTbttmHNLqgr03j6BeXfLDhm4D+rpvRwzog5N3k356w=,iv:zeUmPgpYw3HGzJobKEssZND9WVB6lc8YYP5KdnBWeMA=,tag:Te6FH2/7ZWpVAdHNTF9IDQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4 diff --git a/users/lain/default.nix b/users/lain/default.nix index 39e4d35..9de42cc 100755 --- a/users/lain/default.nix 
+++ b/users/lain/default.nix @@ -14,8 +14,10 @@ "annex" # Can modify Deertopia's Jellyfin libraries. "jellyfin" - # Can access slskd's downloads + # Can access slskd's downloads. "slskd" + # Can access Nixarr's media. + "media" ]; initialHashedPassword = "$y$j9T$aEFDDwdTZbAc6VQRXrkBJ0$K8wxTGTWDihyX1wxJ.ZMH//wmQFfrGGUkLkxIU0Lyq8";