feat(deertopia): *Arr suite

modules/nixos/deertopia/servarr.nix

@@ -0,0 +1,96 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.sydnix.deertopia.servarr;
+in {
+  options.sydnix.deertopia.servarr = {
+    enable = lib.mkEnableOption "Deertopia's *arr suite";
+    peer = lib.mkOption {
+      default = "us-den-wg-101";
+      type = lib.types.str;
+      description = ''
+        The name of a Wireguard configuration file in
+        modules/nixos/deertopia/mullvad/, without the .conf suffix.  Ideally, we
+        would support multiple peers without rebuilding, but...
+      '';
+    };
+  };
+
+  imports = [
+    ./servarr/jellyfin.nix
+    ./servarr/lidarr.nix
+    ./servarr/prowlarr.nix
+    ./servarr/sabnzbd.nix
+    ./servarr/sonarr.nix
+    ./servarr/radarr.nix
+    ./servarr/transmission.nix
+    # ./servarr/slskd.nix
+  ];
+
+  config = lib.mkIf cfg.enable {
+    sydnix.impermanence.directories = [
+      # "All services support state management and all state that they manage is
+      # located by default in /data/.state/nixarr/*"
+      # See https://nixarr.com/nixos-options/
+      config.nixarr.stateDir
+    ];
+
+    # Mount our NAS's 'media' share.
+    fileSystems."/persist/media/library" = {
+      # DNS is seemingly unavailable to the mount service.
+      device = "//192.168.68.62/media";
+      mountPoint = "/persist/media/library";
+      fsType = "cifs";
+      options = [
+        "vers=2.0"
+        "cred=/run/secrets/buffalo-nas-creds"
+        # It appears that the group/user names used by Nixarr are hard-coded.
+        "gid=media"
+        "uid=streamer"
+        # Mysteriously, 0664 doesn't work…
+        "dir_mode=0770"
+        "file_mode=0770"
+      ];
+    };
+
+    sydnix.sops.secrets.wireguard-mullvad-key = {};
+
+    systemd.services."create-wireguard-config" = {
+      script = ''
+        wgConf="${config.nixarr.stateDir}/wg.conf"
+        cp "/persist/dots/modules/nixos/deertopia/mullvad/${cfg.peer}.conf" \
+          "$wgConf"
+        ${pkgs.replace-secret}/bin/replace-secret \
+          '{{WG_PRIVATE_KEY}}' \
+          /run/secrets/wireguard-mullvad-key \
+          "$wgConf"
+        ${pkgs.gnused}/bin/sed -i -e 's/^DNS.*/DNS = 1.1.1.1/' "$wgConf"
+        chmod 700 "$wgConf"
+        chown root "$wgConf"
+      '';
+      requiredBy = [ "wg.service" ];
+    };
+
+    systemd.services.test-mullvad-connection = {
+      script = ''
+        ${pkgs.curl}/bin/curl -s https://am.i.mullvad.net/connected >&2
+        ${pkgs.curl}/bin/curl -s https://am.i.mullvad.net/connected 2>/dev/null
+      '';
+      vpnconfinement = {
+        enable = true;
+        vpnnamespace = "wg";
+      };
+    };
+
+    nixarr = {
+      enable = true;
+      # The default value is overly anti-FHS.
+      stateDir = "/var/lib/nixarr";
+      mediaDir = "/persist/media";
+      vpn = {
+        enable = true;
+        wgConf = "${config.nixarr.stateDir}/wg.conf";
+      };
+    };
+  };
+}
+