diff --git a/CHANGELOG.md b/CHANGELOG.md index 45b33e2..1723d3c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -5,6 +5,10 @@ Added: - Plex service +Updated: +- If `nixarr.enable` is not enabled other services will automatically now + be disabled, instead of throwing an assertion error. + ## 2025-03-17 Added: diff --git a/nixarr/bazarr/default.nix b/nixarr/bazarr/default.nix index 89e22cc..308bfd6 100644 --- a/nixarr/bazarr/default.nix +++ b/nixarr/bazarr/default.nix @@ -19,8 +19,6 @@ in { example = true; description = '' Whether or not to enable the Bazarr service. - - **Required options:** [`nixarr.enable`](#nixarr.enable) ''; }; @@ -65,7 +63,7 @@ in { }; }; - config = mkIf cfg.enable { + config = mkIf (nixarr.enable && cfg.enable) { assertions = [ { assertion = cfg.vpn.enable -> nixarr.vpn.enable; @@ -74,13 +72,6 @@ in { nixarr.vpn.enable option to be set, but it was not. ''; } - { - assertion = cfg.enable -> nixarr.enable; - message = '' - The nixarr.bazarr.enable option requires the nixarr.enable option - to be set, but it was not. - ''; - } ]; util-nixarr.services.bazarr = { diff --git a/nixarr/ddns/default.nix b/nixarr/ddns/default.nix index 4824511..ca7fb80 100644 --- a/nixarr/ddns/default.nix +++ b/nixarr/ddns/default.nix @@ -45,7 +45,6 @@ in { description = '' **Required options:** - - [`nixarr.enable`](#nixarr.enable) - [`nixarr.ddns.njalla.keysFile`](#nixarr.ddns.njalla.keysfile) - [`nixarr.vpn.enable`](#nixarr.vpn.enable) @@ -75,7 +74,6 @@ in { description = '' **Required options:** - - [`nixarr.enable`](#nixarr.enable) - [`nixarr.ddns.njalla.keysFile`](#nixarr.ddns.njalla.keysfile) Whether or not to enable DDNS for a [Njalla](https://njal.la/) @@ -111,7 +109,7 @@ in { }; }; - config = mkIf cfg.njalla.enable { + config = mkIf (nixarr.enable && cfg.enable) { assertions = [ { assertion = cfg.njalla.enable -> cfg.njalla.keysFile != null; 
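Review bot: In nixarr/ddns/default.nix (hunk `@@ -111,7 +109,7 @@`) the new guard tests `cfg.enable`, but the old guard was `cfg.njalla.enable` and the only switches these hunks show are `nixarr.ddns.njalla.enable` and `nixarr.ddns.njalla.vpn.enable`. `cfg` is bound outside the hunk, so this is inferred: if it is `config.nixarr.ddns`, the condition either fails evaluation on a missing attribute or keys the module on a different option, so the Njalla updater may never be configured and no error is raised. I would keep the original switch under the new global gate: `config = mkIf (nixarr.enable && cfg.njalla.enable) {`. The assertions that follow still reference `cfg.njalla.enable`, which suggests that is the intended condition.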
@@ -120,20 +118,6 @@ in { nixarr.ddns.njalla.keysFile option to be set, but it was not. ''; } - { - assertion = cfg.njalla.enable -> nixarr.enable; - message = '' - The nixarr.ddns.njalla.enable option requires the nixarr.enable - option to be set, but it was not. - ''; - } - { - assertion = cfg.njalla.vpn.enable -> nixarr.enable; - message = '' - The nixarr.ddns.njalla.vpn.enable option requires the nixarr.enable - option to be set, but it was not. - ''; - } { assertion = cfg.njalla.vpn.enable -> cfg.njalla.vpn.keysFile != null; message = '' diff --git a/nixarr/jellyfin/default.nix b/nixarr/jellyfin/default.nix index 804d93c..e5fe466 100644 --- a/nixarr/jellyfin/default.nix +++ b/nixarr/jellyfin/default.nix 
@@ -3,247 +3,236 @@ lib, pkgs, ... -}: let +}: +with lib; let cfg = config.nixarr.jellyfin; defaultPort = 8096; nixarr = config.nixarr; -in - with lib; { - options.nixarr.jellyfin = { - enable = mkOption { - type = types.bool; - default = false; - example = true; - description = '' - Whether or not to enable the Jellyfin service. +in { + options.nixarr.jellyfin = { + enable = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + Whether or not to enable the Jellyfin service. + ''; + }; - **Required options:** [`nixarr.enable`](#nixarr.enable) - ''; - }; + package = mkPackageOption pkgs "jellyfin" {}; - package = mkPackageOption pkgs "jellyfin" {}; + stateDir = mkOption { + type = types.path; + default = "${nixarr.stateDir}/jellyfin"; + defaultText = literalExpression ''"''${nixarr.stateDir}/jellyfin"''; + example = "/nixarr/.state/jellyfin"; + description = '' + The location of the state directory for the Jellyfin service. - stateDir = mkOption { - type = types.path; - default = "${nixarr.stateDir}/jellyfin"; - defaultText = literalExpression ''"''${nixarr.stateDir}/jellyfin"''; - example = "/nixarr/.state/jellyfin"; - description = '' - The location of the state directory for the Jellyfin service. + > **Warning:** Setting this to any path, where the subpath is not + > owned by root, will fail! For example: + > + > ```nix + > stateDir = /home/user/nixarr/.state/jellyfin + > ``` + > + > Is not supported, because `/home/user` is owned by `user`. + ''; + }; - > **Warning:** Setting this to any path, where the subpath is not - > owned by root, will fail! For example: - > - > ```nix - > stateDir = /home/user/nixarr/.state/jellyfin - > ``` - > - > Is not supported, because `/home/user` is owned by `user`. 
- ''; - }; + openFirewall = mkOption { + type = types.bool; + defaultText = literalExpression ''!nixarr.jellyfin.vpn.enable''; + default = !cfg.vpn.enable; + example = true; + description = "Open firewall for Jellyfin"; + }; - openFirewall = mkOption { - type = types.bool; - defaultText = literalExpression ''!nixarr.jellyfin.vpn.enable''; - default = !cfg.vpn.enable; - example = true; - description = "Open firewall for Jellyfin"; - }; + vpn.enable = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + **Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable) - vpn.enable = mkOption { - type = types.bool; - default = false; - example = true; - description = '' - **Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable) + **Conflicting options:** [`nixarr.jellyfin.expose.https.enable`](#nixarr.jellyfin.expose.https.enable) - **Conflicting options:** [`nixarr.jellyfin.expose.https.enable`](#nixarr.jellyfin.expose.https.enable) + Route Jellyfin traffic through the VPN. + ''; + }; - Route Jellyfin traffic through the VPN. 
- ''; - }; + expose = { + https = { + enable = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + **Required options:** - expose = { - https = { - enable = mkOption { - type = types.bool; - default = false; - example = true; - description = '' - **Required options:** + - [`nixarr.jellyfin.expose.https.acmeMail`](#nixarr.jellyfin.expose.https.acmemail) + - [`nixarr.jellyfin.expose.https.domainName`](#nixarr.jellyfin.expose.https.domainname) - - [`nixarr.jellyfin.expose.https.acmeMail`](#nixarr.jellyfin.expose.https.acmemail) - - [`nixarr.jellyfin.expose.https.domainName`](#nixarr.jellyfin.expose.https.domainname) + **Conflicting options:** [`nixarr.jellyfin.vpn.enable`](#nixarr.jellyfin.vpn.enable) - **Conflicting options:** [`nixarr.jellyfin.vpn.enable`](#nixarr.jellyfin.vpn.enable) + Expose the Jellyfin web service to the internet with https support, + allowing anyone to access it. - Expose the Jellyfin web service to the internet with https support, - allowing anyone to access it. + > **Warning:** Do _not_ enable this without setting up Jellyfin + > authentication through localhost first! + ''; + }; - > **Warning:** Do _not_ enable this without setting up Jellyfin - > authentication through localhost first! 
- ''; - }; + upnp.enable = mkEnableOption "UPNP to try to open ports 80 and 443 on your router."; - upnp.enable = mkEnableOption "UPNP to try to open ports 80 and 443 on your router."; + domainName = mkOption { + type = types.nullOr types.str; + default = null; + example = "jellyfin.example.com"; + description = "The domain name to host Jellyfin on."; + }; - domainName = mkOption { - type = types.nullOr types.str; - default = null; - example = "jellyfin.example.com"; - description = "The domain name to host Jellyfin on."; - }; - - acmeMail = mkOption { - type = types.nullOr types.str; - default = null; - example = "mail@example.com"; - description = "The ACME mail required for the letsencrypt bot."; - }; + acmeMail = mkOption { + type = types.nullOr types.str; + default = null; + example = "mail@example.com"; + description = "The ACME mail required for the letsencrypt bot."; }; }; }; + }; - config = - mkIf cfg.enable + config = mkIf (nixarr.enable && cfg.enable) { + assertions = [ { - assertions = [ - { - assertion = cfg.vpn.enable -> nixarr.vpn.enable; - message = '' - The nixarr.jellyfin.vpn.enable option requires the - nixarr.vpn.enable option to be set, but it was not. - ''; - } - { - assertion = cfg.enable -> nixarr.enable; - message = '' - The nixarr.jellyfin.enable option requires the nixarr.enable - option to be set, but it was not. - ''; - } - { - assertion = !(cfg.vpn.enable && cfg.expose.https.enable); - message = '' - The nixarr.jellyfin.vpn.enable option conflicts with the - nixarr.jellyfin.expose.https.enable option. You cannot set both. 
- ''; - } - { - assertion = - cfg.expose.https.enable - -> ( - (cfg.expose.https.domainName != null) - && (cfg.expose.https.acmeMail != null) - ); - message = '' - The nixarr.jellyfin.expose.https.enable option requires the - following options to be set, but one of them were not: + assertion = cfg.vpn.enable -> nixarr.vpn.enable; + message = '' + The nixarr.jellyfin.vpn.enable option requires the + nixarr.vpn.enable option to be set, but it was not. + ''; + } + { + assertion = !(cfg.vpn.enable && cfg.expose.https.enable); + message = '' + The nixarr.jellyfin.vpn.enable option conflicts with the + nixarr.jellyfin.expose.https.enable option. You cannot set both. + ''; + } + { + assertion = + cfg.expose.https.enable + -> ( + (cfg.expose.https.domainName != null) + && (cfg.expose.https.acmeMail != null) + ); + message = '' + The nixarr.jellyfin.expose.https.enable option requires the + following options to be set, but one of them were not: - - nixarr.jellyfin.expose.domainName - - nixarr.jellyfin.expose.acmeMail - ''; - } - ]; + - nixarr.jellyfin.expose.domainName + - nixarr.jellyfin.expose.acmeMail + ''; + } + ]; - users = { - groups.streamer = {}; - users.streamer = { - isSystemUser = true; - group = "streamer"; + users = { + groups.streamer = {}; + users.streamer = { + isSystemUser = true; + group = "streamer"; + }; + }; + + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' 0700 streamer root - -" + + # Media Dirs + "d '${nixarr.mediaDir}/library' 0775 streamer media - -" + "d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -" + "d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -" + "d '${nixarr.mediaDir}/library/music' 0775 streamer media - -" + "d '${nixarr.mediaDir}/library/books' 0775 streamer media - -" + ]; + + # Always prioritise Jellyfin IO + systemd.services.jellyfin.serviceConfig.IOSchedulingPriority = 0; + + services.jellyfin = { + enable = cfg.enable; + package = cfg.package; + user = "streamer"; + group = "media"; + openFirewall = 
cfg.openFirewall; + logDir = "${cfg.stateDir}/log"; + cacheDir = "${cfg.stateDir}/cache"; + dataDir = "${cfg.stateDir}/data"; + configDir = "${cfg.stateDir}/config"; + }; + + networking.firewall = mkIf cfg.expose.https.enable { + allowedTCPPorts = [80 443]; + }; + + util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable { + enable = true; + openTcpPorts = [80 443]; + }; + + services.nginx = mkMerge [ + (mkIf (cfg.expose.https.enable || cfg.vpn.enable) { + enable = true; + + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + }) + (mkIf cfg.expose.https.enable { + virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://127.0.0.1:${builtins.toString defaultPort}"; }; }; - - systemd.tmpfiles.rules = [ - "d '${cfg.stateDir}' 0700 streamer root - -" - - # Media Dirs - "d '${nixarr.mediaDir}/library' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/music' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/books' 0775 streamer media - -" - ]; - - # Always prioritise Jellyfin IO - systemd.services.jellyfin.serviceConfig.IOSchedulingPriority = 0; - - services.jellyfin = { - enable = cfg.enable; - package = cfg.package; - user = "streamer"; - group = "media"; - openFirewall = cfg.openFirewall; - logDir = "${cfg.stateDir}/log"; - cacheDir = "${cfg.stateDir}/cache"; - dataDir = "${cfg.stateDir}/data"; - configDir = "${cfg.stateDir}/config"; - }; - - networking.firewall = mkIf cfg.expose.https.enable { - allowedTCPPorts = [80 443]; - }; - - util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable { - enable = true; - openTcpPorts = [80 443]; - }; - - services.nginx = mkMerge [ - (mkIf (cfg.expose.https.enable || 
cfg.vpn.enable) { - enable = true; - - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - }) - (mkIf cfg.expose.https.enable { - virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = { - enableACME = true; - forceSSL = true; - locations."/" = { - recommendedProxySettings = true; - proxyWebsockets = true; - proxyPass = "http://127.0.0.1:${builtins.toString defaultPort}"; - }; - }; - }) - (mkIf cfg.vpn.enable { - virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = mkIf cfg.vpn.enable { - listen = [ - { - addr = "0.0.0.0"; - port = defaultPort; - } - ]; - locations."/" = { - recommendedProxySettings = true; - proxyWebsockets = true; - proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}"; - }; - }; - }) - ]; - - security.acme = mkIf cfg.expose.https.enable { - acceptTerms = true; - defaults.email = cfg.expose.https.acmeMail; - }; - - # Enable and specify VPN namespace to confine service in. - systemd.services.jellyfin.vpnConfinement = mkIf cfg.vpn.enable { - enable = true; - vpnNamespace = "wg"; - }; - - # Port mappings - vpnNamespaces.wg = mkIf cfg.vpn.enable { - portMappings = [ + }) + (mkIf cfg.vpn.enable { + virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = mkIf cfg.vpn.enable { + listen = [ { - from = defaultPort; - to = defaultPort; + addr = "0.0.0.0"; + port = defaultPort; } ]; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}"; + }; }; - }; - } + }) + ]; + + security.acme = mkIf cfg.expose.https.enable { + acceptTerms = true; + defaults.email = cfg.expose.https.acmeMail; + }; + + # Enable and specify VPN namespace to confine service in. 
+ systemd.services.jellyfin.vpnConfinement = mkIf cfg.vpn.enable { + enable = true; + vpnNamespace = "wg"; + }; + + # Port mappings + vpnNamespaces.wg = mkIf cfg.vpn.enable { + portMappings = [ + { + from = defaultPort; + to = defaultPort; + } + ]; + }; + }; +} diff --git a/nixarr/jellyseerr/default.nix b/nixarr/jellyseerr/default.nix index 494352a..00b8212 100644 --- a/nixarr/jellyseerr/default.nix +++ b/nixarr/jellyseerr/default.nix @@ -20,8 +20,6 @@ in { example = true; description = '' Whether or not to enable the Jellyseerr service. - - **Required options:** [`nixarr.enable`](#nixarr.enable) ''; }; @@ -73,15 +71,8 @@ in { }; }; - config = mkIf cfg.enable { + config = mkIf (nixarr.enable && cfg.enable) { assertions = [ - { - assertion = cfg.enable -> nixarr.enable; - message = '' - The nixarr.jellyseerr.enable option requires the - nixarr.enable option to be set, but it was not. - ''; - } { assertion = cfg.vpn.enable -> nixarr.vpn.enable; message = '' diff --git a/nixarr/lidarr/default.nix b/nixarr/lidarr/default.nix index 60817e4..40377ec 100644 --- a/nixarr/lidarr/default.nix +++ b/nixarr/lidarr/default.nix @@ -16,8 +16,6 @@ in { example = true; description = '' Whether or not to enable the Lidarr service. - - **Required options:** [`nixarr.enable`](#nixarr.enable) ''; }; @@ -62,15 +60,8 @@ in { }; }; - config = mkIf cfg.enable { + config = mkIf (nixarr.enable && cfg.enable) { assertions = [ - { - assertion = cfg.enable -> nixarr.enable; - message = '' - The nixarr.lidarr.enable option requires the nixarr.enable option - to be set, but it was not. - ''; - } { assertion = cfg.vpn.enable -> nixarr.vpn.enable; message = '' diff --git a/nixarr/openssh/default.nix b/nixarr/openssh/default.nix index 669ffd9..8d024d6 100644 --- a/nixarr/openssh/default.nix +++ b/nixarr/openssh/default.nix 
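Review bot: The last assertion message in nixarr/jellyfin/default.nix lists `nixarr.jellyfin.expose.domainName` and `nixarr.jellyfin.expose.acmeMail`, but the options declared and tested in the same hunk are `expose.https.domainName` and `expose.https.acmeMail`. Someone who hits the assertion while enabling public HTTPS exposure is sent to option paths that do not exist. Since these lines are re-indented here anyway, the message could name the real paths, `- nixarr.jellyfin.expose.https.domainName` and `- nixarr.jellyfin.expose.https.acmeMail`, and read "one of them was not". The plex hunk (`@@ -3,244 +3,233 @@` in nixarr/plex/default.nix) carries the same message with `nixarr.plex.expose.*` and needs the same correction.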
@@ -14,7 +14,6 @@ in { description = '' **Required options:** - [`nixarr.vpn.enable`](#nixarr.vpn.enable) - - [`nixarr.enable`](#nixarr.enable) Run the openssh service through a vpn, exposing it to the internet. @@ -44,15 +43,8 @@ in { ''; }; - config = mkIf cfg.expose.vpn.enable { + config = mkIf (cfg.expose.vpn.enable && cfg.enable) { assertions = [ - { - assertion = cfg.expose.vpn.enable -> nixarr.enable; - message = '' - The nixarr.openssh.expose.vpn.enable option requires the - nixarr.enable option to be set, but it was not. - ''; - } { assertion = cfg.expose.vpn.enable -> nixarr.vpn.enable; message = '' diff --git a/nixarr/plex/default.nix b/nixarr/plex/default.nix index 34fe0f5..2d7372f 100644 --- a/nixarr/plex/default.nix +++ b/nixarr/plex/default.nix 
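Review bot: The openssh guard in hunk `@@ -44,15 +43,8 @@` became `mkIf (cfg.expose.vpn.enable && cfg.enable)`, whereas every other module in this commit gates on `nixarr.enable`, and the assertion removed here also referred to `nixarr.enable`. `cfg` is defined outside the hunk, but the only option visible for this module is `nixarr.openssh.expose.vpn.enable`, so `cfg.enable` looks like a slip. It would be either a missing attribute or a switch unrelated to the global one. Because this block exposes sshd through the VPN, it should follow the global switch exactly: `config = mkIf (nixarr.enable && cfg.expose.vpn.enable) {`.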
@@ -3,244 +3,233 @@ lib, pkgs, ... -}: let +}: +with lib; let cfg = config.nixarr.plex; defaultPort = 32400; nixarr = config.nixarr; -in - with lib; { - options.nixarr.plex = { - enable = mkOption { - type = types.bool; - default = false; - example = true; - description = '' - Whether or not to enable the Plex service. +in { + options.nixarr.plex = { + enable = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + Whether or not to enable the Plex service. + ''; + }; - **Required options:** [`nixarr.enable`](#nixarr.enable) - ''; - }; + package = mkPackageOption pkgs "plexmediaserver" {}; - package = mkPackageOption pkgs "plexmediaserver" {}; + stateDir = mkOption { + type = types.path; + default = "${nixarr.stateDir}/plex"; + defaultText = literalExpression ''"''${nixarr.stateDir}/plex"''; + example = "/nixarr/.state/plex"; + description = '' + The location of the state directory for the Plex service. - stateDir = mkOption { - type = types.path; - default = "${nixarr.stateDir}/plex"; - defaultText = literalExpression ''"''${nixarr.stateDir}/plex"''; - example = "/nixarr/.state/plex"; - description = '' - The location of the state directory for the Plex service. + > **Warning:** Setting this to any path, where the subpath is not + > owned by root, will fail! For example: + > + > ```nix + > stateDir = /home/user/nixarr/.state/plex + > ``` + > + > Is not supported, because `/home/user` is owned by `user`. + ''; + }; - > **Warning:** Setting this to any path, where the subpath is not - > owned by root, will fail! For example: - > - > ```nix - > stateDir = /home/user/nixarr/.state/plex - > ``` - > - > Is not supported, because `/home/user` is owned by `user`. 
- ''; - }; + openFirewall = mkOption { + type = types.bool; + defaultText = literalExpression ''!nixarr.plex.vpn.enable''; + default = !cfg.vpn.enable; + example = true; + description = "Open firewall for Plex"; + }; - openFirewall = mkOption { - type = types.bool; - defaultText = literalExpression ''!nixarr.plex.vpn.enable''; - default = !cfg.vpn.enable; - example = true; - description = "Open firewall for Plex"; - }; + vpn.enable = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + **Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable) - vpn.enable = mkOption { - type = types.bool; - default = false; - example = true; - description = '' - **Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable) + **Conflicting options:** [`nixarr.plex.expose.https.enable`](#nixarr.plex.expose.https.enable) - **Conflicting options:** [`nixarr.plex.expose.https.enable`](#nixarr.plex.expose.https.enable) + Route Plex traffic through the VPN. + ''; + }; - Route Plex traffic through the VPN. - ''; - }; + expose = { + https = { + enable = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + **Required options:** - expose = { - https = { - enable = mkOption { - type = types.bool; - default = false; - example = true; - description = '' - **Required options:** + - [`nixarr.plex.expose.https.acmeMail`](#nixarr.plex.expose.https.acmemail) + - [`nixarr.plex.expose.https.domainName`](#nixarr.plex.expose.https.domainname) - - [`nixarr.plex.expose.https.acmeMail`](#nixarr.plex.expose.https.acmemail) - - [`nixarr.plex.expose.https.domainName`](#nixarr.plex.expose.https.domainname) + **Conflicting options:** [`nixarr.plex.vpn.enable`](#nixarr.plex.vpn.enable) - **Conflicting options:** [`nixarr.plex.vpn.enable`](#nixarr.plex.vpn.enable) + Expose the Plex web service to the internet with https support, + allowing anyone to access it. 
- Expose the Plex web service to the internet with https support, - allowing anyone to access it. + > **Warning:** Do _not_ enable this without setting up Plex + > authentication through localhost first! + ''; + }; - > **Warning:** Do _not_ enable this without setting up Plex - > authentication through localhost first! - ''; - }; + upnp.enable = mkEnableOption "UPNP to try to open ports 80 and 443 on your router."; - upnp.enable = mkEnableOption "UPNP to try to open ports 80 and 443 on your router."; + domainName = mkOption { + type = types.nullOr types.str; + default = null; + example = "plex.example.com"; + description = "The domain name to host Plex on."; + }; - domainName = mkOption { - type = types.nullOr types.str; - default = null; - example = "plex.example.com"; - description = "The domain name to host Plex on."; - }; - - acmeMail = mkOption { - type = types.nullOr types.str; - default = null; - example = "mail@example.com"; - description = "The ACME mail required for the letsencrypt bot."; - }; + acmeMail = mkOption { + type = types.nullOr types.str; + default = null; + example = "mail@example.com"; + description = "The ACME mail required for the letsencrypt bot."; }; }; }; + }; - config = - mkIf cfg.enable + config = mkIf (nixarr.enable && cfg.enable) { + assertions = [ { - assertions = [ - { - assertion = cfg.vpn.enable -> nixarr.vpn.enable; - message = '' - The nixarr.plex.vpn.enable option requires the - nixarr.vpn.enable option to be set, but it was not. - ''; - } - { - assertion = cfg.enable -> nixarr.enable; - message = '' - The nixarr.plex.enable option requires the nixarr.enable - option to be set, but it was not. - ''; - } - { - assertion = !(cfg.vpn.enable && cfg.expose.https.enable); - message = '' - The nixarr.plex.vpn.enable option conflicts with the - nixarr.plex.expose.https.enable option. You cannot set both. 
- ''; - } - { - assertion = - cfg.expose.https.enable - -> ( - (cfg.expose.https.domainName != null) - && (cfg.expose.https.acmeMail != null) - ); - message = '' - The nixarr.plex.expose.https.enable option requires the - following options to be set, but one of them were not: + assertion = cfg.vpn.enable -> nixarr.vpn.enable; + message = '' + The nixarr.plex.vpn.enable option requires the + nixarr.vpn.enable option to be set, but it was not. + ''; + } + { + assertion = !(cfg.vpn.enable && cfg.expose.https.enable); + message = '' + The nixarr.plex.vpn.enable option conflicts with the + nixarr.plex.expose.https.enable option. You cannot set both. + ''; + } + { + assertion = + cfg.expose.https.enable + -> ( + (cfg.expose.https.domainName != null) + && (cfg.expose.https.acmeMail != null) + ); + message = '' + The nixarr.plex.expose.https.enable option requires the + following options to be set, but one of them were not: - - nixarr.plex.expose.domainName - - nixarr.plex.expose.acmeMail - ''; - } - ]; + - nixarr.plex.expose.domainName + - nixarr.plex.expose.acmeMail + ''; + } + ]; - users = { - groups.streamer = {}; - users.streamer = { - isSystemUser = true; - group = "streamer"; + users = { + groups.streamer = {}; + users.streamer = { + isSystemUser = true; + group = "streamer"; + }; + }; + + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' 0700 streamer root - -" + + # Media Dirs + "d '${nixarr.mediaDir}/library' 0775 streamer media - -" + "d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -" + "d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -" + "d '${nixarr.mediaDir}/library/music' 0775 streamer media - -" + "d '${nixarr.mediaDir}/library/books' 0775 streamer media - -" + ]; + + # Always prioritise Plex IO + systemd.services.plex.serviceConfig.IOSchedulingPriority = 0; + + services.plex = { + enable = cfg.enable; + package = cfg.package; + user = "streamer"; + group = "media"; + openFirewall = cfg.openFirewall; + dataDir = cfg.stateDir; + }; + 
+ networking.firewall = mkIf cfg.expose.https.enable { + allowedTCPPorts = [80 443]; + }; + + util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable { + enable = true; + openTcpPorts = [80 443]; + }; + + services.nginx = mkMerge [ + (mkIf (cfg.expose.https.enable || cfg.vpn.enable) { + enable = true; + + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + }) + (mkIf cfg.expose.https.enable { + virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://127.0.0.1:${builtins.toString defaultPort}"; }; }; - - systemd.tmpfiles.rules = [ - "d '${cfg.stateDir}' 0700 streamer root - -" - - # Media Dirs - "d '${nixarr.mediaDir}/library' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/music' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/books' 0775 streamer media - -" - ]; - - # Always prioritise Plex IO - systemd.services.plex.serviceConfig.IOSchedulingPriority = 0; - - services.plex = { - enable = cfg.enable; - package = cfg.package; - user = "streamer"; - group = "media"; - openFirewall = cfg.openFirewall; - dataDir = cfg.stateDir; - }; - - networking.firewall = mkIf cfg.expose.https.enable { - allowedTCPPorts = [80 443]; - }; - - util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable { - enable = true; - openTcpPorts = [80 443]; - }; - - services.nginx = mkMerge [ - (mkIf (cfg.expose.https.enable || cfg.vpn.enable) { - enable = true; - - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - }) - (mkIf cfg.expose.https.enable { - virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = { - enableACME = true; - forceSSL = true; - 
locations."/" = { - recommendedProxySettings = true; - proxyWebsockets = true; - proxyPass = "http://127.0.0.1:${builtins.toString defaultPort}"; - }; - }; - }) - (mkIf cfg.vpn.enable { - virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = mkIf cfg.vpn.enable { - listen = [ - { - addr = "0.0.0.0"; - port = defaultPort; - } - ]; - locations."/" = { - recommendedProxySettings = true; - proxyWebsockets = true; - proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}"; - }; - }; - }) - ]; - - security.acme = mkIf cfg.expose.https.enable { - acceptTerms = true; - defaults.email = cfg.expose.https.acmeMail; - }; - - # Enable and specify VPN namespace to confine service in. - systemd.services.plex.vpnConfinement = mkIf cfg.vpn.enable { - enable = true; - vpnNamespace = "wg"; - }; - - # Port mappings - vpnNamespaces.wg = mkIf cfg.vpn.enable { - portMappings = [ + }) + (mkIf cfg.vpn.enable { + virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = mkIf cfg.vpn.enable { + listen = [ { - from = defaultPort; - to = defaultPort; + addr = "0.0.0.0"; + port = defaultPort; } ]; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}"; + }; }; - }; - } + }) + ]; + + security.acme = mkIf cfg.expose.https.enable { + acceptTerms = true; + defaults.email = cfg.expose.https.acmeMail; + }; + + # Enable and specify VPN namespace to confine service in. + systemd.services.plex.vpnConfinement = mkIf cfg.vpn.enable { + enable = true; + vpnNamespace = "wg"; + }; + + # Port mappings + vpnNamespaces.wg = mkIf cfg.vpn.enable { + portMappings = [ + { + from = defaultPort; + to = defaultPort; + } + ]; + }; + }; +} diff --git a/nixarr/prowlarr/default.nix b/nixarr/prowlarr/default.nix index 22e149b..b1c0cbb 100644 --- a/nixarr/prowlarr/default.nix +++ b/nixarr/prowlarr/default.nix 
@@ -20,8 +20,6 @@ in { example = true; description = '' Whether or not to enable the Prowlarr service. - - **Required options:** [`nixarr.enable`](#nixarr.enable) ''; }; @@ -66,15 +64,8 @@ in { }; }; - config = mkIf cfg.enable { + config = mkIf (nixarr.enable && cfg.enable) { assertions = [ - { - assertion = cfg.enable -> nixarr.enable; - message = '' - The nixarr.prowlarr.enable option requires the - nixarr.enable option to be set, but it was not. - ''; - } { assertion = cfg.vpn.enable -> nixarr.vpn.enable; message = '' diff --git a/nixarr/radarr/default.nix b/nixarr/radarr/default.nix index da00df4..939b116 100644 --- a/nixarr/radarr/default.nix +++ b/nixarr/radarr/default.nix @@ -16,8 +16,6 @@ in { example = true; description = '' Whether or not to enable the Radarr service. - - **Required options:** [`nixarr.enable`](#nixarr.enable) ''; }; @@ -62,15 +60,8 @@ in { }; }; - config = mkIf cfg.enable { + config = mkIf (nixarr.enable && cfg.enable) { assertions = [ - { - assertion = cfg.enable -> nixarr.enable; - message = '' - The nixarr.radarr.enable option requires the - nixarr.enable option to be set, but it was not. - ''; - } { assertion = cfg.vpn.enable -> nixarr.vpn.enable; message = '' diff --git a/nixarr/readarr/default.nix b/nixarr/readarr/default.nix index df2175f..5241b90 100644 --- a/nixarr/readarr/default.nix +++ b/nixarr/readarr/default.nix @@ -16,8 +16,6 @@ in { example = true; description = '' Whether or not to enable the Readarr service. - - **Required options:** [`nixarr.enable`](#nixarr.enable) ''; }; @@ -62,15 +60,8 @@ in { }; }; - config = mkIf cfg.enable { + config = mkIf (nixarr.enable && cfg.enable) { assertions = [ - { - assertion = cfg.enable -> nixarr.enable; - message = '' - The nixarr.readarr.enable option requires the - nixarr.enable option to be set, but it was not. - ''; - } { assertion = cfg.vpn.enable -> nixarr.vpn.enable; message = '' 
diff --git a/nixarr/recyclarr/default.nix b/nixarr/recyclarr/default.nix index 7af62de..f4ea9d3 100644 --- a/nixarr/recyclarr/default.nix +++ b/nixarr/recyclarr/default.nix @@ -59,8 +59,6 @@ in { example = true; description = '' Whether or not to enable the Recyclarr service. This service does not need to be run behind a VPN. - - **Required options:** [`nixarr.enable`](#nixarr.enable) ''; }; @@ -164,15 +162,8 @@ in { }; }; - config = mkIf cfg.enable { + config = mkIf (nixarr.enable && cfg.enable) { assertions = [ - { - assertion = cfg.enable -> nixarr.enable; - message = '' - The nixarr.recyclarr.enable option requires the nixarr.enable - option to be set, but it was not. - ''; - } { assertion = cfg.enable -> (nixarr.radarr.enable || nixarr.sonarr.enable); message = '' diff --git a/nixarr/sabnzbd/default.nix b/nixarr/sabnzbd/default.nix index 9370d2e..519b475 100644 --- a/nixarr/sabnzbd/default.nix +++ b/nixarr/sabnzbd/default.nix @@ -173,7 +173,17 @@ in { sab_config_map.write() ''; in - mkIf cfg.enable { + mkIf (nixarr.enable && cfg.enable) { + assertions = [ + { + assertion = cfg.vpn.enable -> nixarr.vpn.enable; + message = '' + The nixarr.readarr.vpn.enable option requires the + nixarr.vpn.enable option to be set, but it was not. + ''; + } + ]; + users = { groups.usenet = {}; users.usenet = { diff --git a/nixarr/sonarr/default.nix b/nixarr/sonarr/default.nix index 269ddfa..34a5ccc 100644 --- a/nixarr/sonarr/default.nix +++ b/nixarr/sonarr/default.nix @@ -16,8 +16,6 @@ in { example = true; description = '' Whether or not to enable the Sonarr service. - - **Required options:** [`nixarr.enable`](#nixarr.enable) ''; }; 
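Review bot: The assertion added to nixarr/sabnzbd/default.nix (hunk `@@ -173,7 +173,17 @@`) checks `cfg.vpn.enable -> nixarr.vpn.enable`, but its message names `nixarr.readarr.vpn.enable`, which looks copied from the Readarr module. A user who trips it is pointed at the wrong option while the SABnzbd VPN requirement stays unmet. The first message line should read `The nixarr.sabnzbd.vpn.enable option requires the`. `cfg` is bound outside the hunk, so I am assuming it is `config.nixarr.sabnzbd`.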
@@ -62,15 +60,8 @@ in { }; }; - config = mkIf cfg.enable { + config = mkIf (nixarr.enable && cfg.enable) { assertions = [ - { - assertion = cfg.enable -> nixarr.enable; - message = '' - The nixarr.sonarr.enable option requires the - nixarr.enable option to be set, but it was not. - ''; - } { assertion = cfg.vpn.enable -> nixarr.vpn.enable; message = '' diff --git a/nixarr/transmission/default.nix b/nixarr/transmission/default.nix index b4d527c..9b22ff5 100644 --- a/nixarr/transmission/default.nix +++ b/nixarr/transmission/default.nix @@ -71,8 +71,6 @@ in { example = true; description = '' Whether or not to enable the Transmission service. - - **Required options:** [`nixarr.enable`](#nixarr.enable) ''; }; @@ -267,7 +265,7 @@ in { ./cross-seed ]; - config = mkIf cfg.enable { + config = mkIf (nixarr.enable && cfg.enable) { assertions = [ { assertion = cfg.vpn.enable -> nixarr.vpn.enable; @@ -276,13 +274,6 @@ in { nixarr.vpn.enable option to be set, but it was not. ''; } - { - assertion = cfg.enable -> nixarr.enable; - message = '' - The nixarr.transmission.enable option requires the nixarr.enable - option to be set, but it was not. - ''; - } { assertion = cfg-cross-seed.enable -> nixarr.prowlarr.enable; message = ''