Changed handling of nixarr.enable option dependency

rasmus-kirk
2025-03-18 15:44:27 +01:00
parent 5da89a70c6
commit 2e7d3a901d
15 changed files with 427 additions and 540 deletions
+4
@@ -5,6 +5,10 @@
Added: Added:
- Plex service - Plex service
Updated:
- If `nixarr.enable` is not enabled other services will automatically now
be disabled, instead of throwing an assertion error.
## 2025-03-17 ## 2025-03-17
Added: Added:
+1 -10
@@ -19,8 +19,6 @@ in {
example = true; example = true;
description = '' description = ''
Whether or not to enable the Bazarr service. Whether or not to enable the Bazarr service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
''; '';
}; };
@@ -65,7 +63,7 @@ in {
}; };
}; };
config = mkIf cfg.enable { config = mkIf (nixarr.enable && cfg.enable) {
assertions = [ assertions = [
{ {
assertion = cfg.vpn.enable -> nixarr.vpn.enable; assertion = cfg.vpn.enable -> nixarr.vpn.enable;
@@ -74,13 +72,6 @@ in {
nixarr.vpn.enable option to be set, but it was not. nixarr.vpn.enable option to be set, but it was not.
''; '';
} }
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.bazarr.enable option requires the nixarr.enable option
to be set, but it was not.
'';
}
]; ];
util-nixarr.services.bazarr = { util-nixarr.services.bazarr = {
+1 -17
@@ -45,7 +45,6 @@ in {
description = '' description = ''
**Required options:** **Required options:**
- [`nixarr.enable`](#nixarr.enable)
- [`nixarr.ddns.njalla.keysFile`](#nixarr.ddns.njalla.keysfile) - [`nixarr.ddns.njalla.keysFile`](#nixarr.ddns.njalla.keysfile)
- [`nixarr.vpn.enable`](#nixarr.vpn.enable) - [`nixarr.vpn.enable`](#nixarr.vpn.enable)
@@ -75,7 +74,6 @@ in {
description = '' description = ''
**Required options:** **Required options:**
- [`nixarr.enable`](#nixarr.enable)
- [`nixarr.ddns.njalla.keysFile`](#nixarr.ddns.njalla.keysfile) - [`nixarr.ddns.njalla.keysFile`](#nixarr.ddns.njalla.keysfile)
Whether or not to enable DDNS for a [Njalla](https://njal.la/) Whether or not to enable DDNS for a [Njalla](https://njal.la/)
@@ -111,7 +109,7 @@ in {
}; };
}; };
config = mkIf cfg.njalla.enable { config = mkIf (nixarr.enable && cfg.enable) {
assertions = [ assertions = [
{ {
assertion = cfg.njalla.enable -> cfg.njalla.keysFile != null; assertion = cfg.njalla.enable -> cfg.njalla.keysFile != null;
@@ -120,20 +118,6 @@ in {
nixarr.ddns.njalla.keysFile option to be set, but it was not. nixarr.ddns.njalla.keysFile option to be set, but it was not.
''; '';
} }
{
assertion = cfg.njalla.enable -> nixarr.enable;
message = ''
The nixarr.ddns.njalla.enable option requires the nixarr.enable
option to be set, but it was not.
'';
}
{
assertion = cfg.njalla.vpn.enable -> nixarr.enable;
message = ''
The nixarr.ddns.njalla.vpn.enable option requires the nixarr.enable
option to be set, but it was not.
'';
}
{ {
assertion = cfg.njalla.vpn.enable -> cfg.njalla.vpn.keysFile != null; assertion = cfg.njalla.vpn.enable -> cfg.njalla.vpn.keysFile != null;
message = '' message = ''
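Review bot: The new guard `mkIf (nixarr.enable && cfg.enable)` no longer tests `cfg.njalla.enable`, and no `enable` option directly under this module's `cfg` appears in the hunks; every option shown lives under `njalla`. If `cfg` is `config.nixarr.ddns` (its definition is outside the hunk), this either fails to evaluate on a missing attribute or stops gating the DDNS configuration on the njalla switch. The condition was probably meant to be `config = mkIf (nixarr.enable && cfg.njalla.enable) {`. The config block continues past the end of the hunk.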
+202 -213
@@ -3,247 +3,236 @@
lib, lib,
pkgs, pkgs,
... ...
}: let }:
with lib; let
cfg = config.nixarr.jellyfin; cfg = config.nixarr.jellyfin;
defaultPort = 8096; defaultPort = 8096;
nixarr = config.nixarr; nixarr = config.nixarr;
in in {
with lib; { options.nixarr.jellyfin = {
options.nixarr.jellyfin = { enable = mkOption {
enable = mkOption { type = types.bool;
type = types.bool; default = false;
default = false; example = true;
example = true; description = ''
description = '' Whether or not to enable the Jellyfin service.
Whether or not to enable the Jellyfin service. '';
};
**Required options:** [`nixarr.enable`](#nixarr.enable) package = mkPackageOption pkgs "jellyfin" {};
'';
};
package = mkPackageOption pkgs "jellyfin" {}; stateDir = mkOption {
type = types.path;
default = "${nixarr.stateDir}/jellyfin";
defaultText = literalExpression ''"''${nixarr.stateDir}/jellyfin"'';
example = "/nixarr/.state/jellyfin";
description = ''
The location of the state directory for the Jellyfin service.
stateDir = mkOption { > **Warning:** Setting this to any path, where the subpath is not
type = types.path; > owned by root, will fail! For example:
default = "${nixarr.stateDir}/jellyfin"; >
defaultText = literalExpression ''"''${nixarr.stateDir}/jellyfin"''; > ```nix
example = "/nixarr/.state/jellyfin"; > stateDir = /home/user/nixarr/.state/jellyfin
description = '' > ```
The location of the state directory for the Jellyfin service. >
> Is not supported, because `/home/user` is owned by `user`.
'';
};
> **Warning:** Setting this to any path, where the subpath is not openFirewall = mkOption {
> owned by root, will fail! For example: type = types.bool;
> defaultText = literalExpression ''!nixarr.jellyfin.vpn.enable'';
> ```nix default = !cfg.vpn.enable;
> stateDir = /home/user/nixarr/.state/jellyfin example = true;
> ``` description = "Open firewall for Jellyfin";
> };
> Is not supported, because `/home/user` is owned by `user`.
'';
};
openFirewall = mkOption { vpn.enable = mkOption {
type = types.bool; type = types.bool;
defaultText = literalExpression ''!nixarr.jellyfin.vpn.enable''; default = false;
default = !cfg.vpn.enable; example = true;
example = true; description = ''
description = "Open firewall for Jellyfin"; **Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable)
};
vpn.enable = mkOption { **Conflicting options:** [`nixarr.jellyfin.expose.https.enable`](#nixarr.jellyfin.expose.https.enable)
type = types.bool;
default = false;
example = true;
description = ''
**Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable)
**Conflicting options:** [`nixarr.jellyfin.expose.https.enable`](#nixarr.jellyfin.expose.https.enable) Route Jellyfin traffic through the VPN.
'';
};
Route Jellyfin traffic through the VPN. expose = {
''; https = {
}; enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
**Required options:**
expose = { - [`nixarr.jellyfin.expose.https.acmeMail`](#nixarr.jellyfin.expose.https.acmemail)
https = { - [`nixarr.jellyfin.expose.https.domainName`](#nixarr.jellyfin.expose.https.domainname)
enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
**Required options:**
- [`nixarr.jellyfin.expose.https.acmeMail`](#nixarr.jellyfin.expose.https.acmemail) **Conflicting options:** [`nixarr.jellyfin.vpn.enable`](#nixarr.jellyfin.vpn.enable)
- [`nixarr.jellyfin.expose.https.domainName`](#nixarr.jellyfin.expose.https.domainname)
**Conflicting options:** [`nixarr.jellyfin.vpn.enable`](#nixarr.jellyfin.vpn.enable) Expose the Jellyfin web service to the internet with https support,
allowing anyone to access it.
Expose the Jellyfin web service to the internet with https support, > **Warning:** Do _not_ enable this without setting up Jellyfin
allowing anyone to access it. > authentication through localhost first!
'';
};
> **Warning:** Do _not_ enable this without setting up Jellyfin upnp.enable = mkEnableOption "UPNP to try to open ports 80 and 443 on your router.";
> authentication through localhost first!
'';
};
upnp.enable = mkEnableOption "UPNP to try to open ports 80 and 443 on your router."; domainName = mkOption {
type = types.nullOr types.str;
default = null;
example = "jellyfin.example.com";
description = "The domain name to host Jellyfin on.";
};
domainName = mkOption { acmeMail = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;
example = "jellyfin.example.com"; example = "mail@example.com";
description = "The domain name to host Jellyfin on."; description = "The ACME mail required for the letsencrypt bot.";
};
acmeMail = mkOption {
type = types.nullOr types.str;
default = null;
example = "mail@example.com";
description = "The ACME mail required for the letsencrypt bot.";
};
}; };
}; };
}; };
};
config = config = mkIf (nixarr.enable && cfg.enable) {
mkIf cfg.enable assertions = [
{ {
assertions = [ assertion = cfg.vpn.enable -> nixarr.vpn.enable;
{ message = ''
assertion = cfg.vpn.enable -> nixarr.vpn.enable; The nixarr.jellyfin.vpn.enable option requires the
message = '' nixarr.vpn.enable option to be set, but it was not.
The nixarr.jellyfin.vpn.enable option requires the '';
nixarr.vpn.enable option to be set, but it was not. }
''; {
} assertion = !(cfg.vpn.enable && cfg.expose.https.enable);
{ message = ''
assertion = cfg.enable -> nixarr.enable; The nixarr.jellyfin.vpn.enable option conflicts with the
message = '' nixarr.jellyfin.expose.https.enable option. You cannot set both.
The nixarr.jellyfin.enable option requires the nixarr.enable '';
option to be set, but it was not. }
''; {
} assertion =
{ cfg.expose.https.enable
assertion = !(cfg.vpn.enable && cfg.expose.https.enable); -> (
message = '' (cfg.expose.https.domainName != null)
The nixarr.jellyfin.vpn.enable option conflicts with the && (cfg.expose.https.acmeMail != null)
nixarr.jellyfin.expose.https.enable option. You cannot set both. );
''; message = ''
} The nixarr.jellyfin.expose.https.enable option requires the
{ following options to be set, but one of them were not:
assertion =
cfg.expose.https.enable
-> (
(cfg.expose.https.domainName != null)
&& (cfg.expose.https.acmeMail != null)
);
message = ''
The nixarr.jellyfin.expose.https.enable option requires the
following options to be set, but one of them were not:
- nixarr.jellyfin.expose.domainName - nixarr.jellyfin.expose.domainName
- nixarr.jellyfin.expose.acmeMail - nixarr.jellyfin.expose.acmeMail
''; '';
} }
]; ];
users = { users = {
groups.streamer = {}; groups.streamer = {};
users.streamer = { users.streamer = {
isSystemUser = true; isSystemUser = true;
group = "streamer"; group = "streamer";
};
};
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0700 streamer root - -"
# Media Dirs
"d '${nixarr.mediaDir}/library' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/music' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/books' 0775 streamer media - -"
];
# Always prioritise Jellyfin IO
systemd.services.jellyfin.serviceConfig.IOSchedulingPriority = 0;
services.jellyfin = {
enable = cfg.enable;
package = cfg.package;
user = "streamer";
group = "media";
openFirewall = cfg.openFirewall;
logDir = "${cfg.stateDir}/log";
cacheDir = "${cfg.stateDir}/cache";
dataDir = "${cfg.stateDir}/data";
configDir = "${cfg.stateDir}/config";
};
networking.firewall = mkIf cfg.expose.https.enable {
allowedTCPPorts = [80 443];
};
util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable {
enable = true;
openTcpPorts = [80 443];
};
services.nginx = mkMerge [
(mkIf (cfg.expose.https.enable || cfg.vpn.enable) {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
})
(mkIf cfg.expose.https.enable {
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://127.0.0.1:${builtins.toString defaultPort}";
}; };
}; };
})
systemd.tmpfiles.rules = [ (mkIf cfg.vpn.enable {
"d '${cfg.stateDir}' 0700 streamer root - -" virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = mkIf cfg.vpn.enable {
listen = [
# Media Dirs
"d '${nixarr.mediaDir}/library' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/music' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/books' 0775 streamer media - -"
];
# Always prioritise Jellyfin IO
systemd.services.jellyfin.serviceConfig.IOSchedulingPriority = 0;
services.jellyfin = {
enable = cfg.enable;
package = cfg.package;
user = "streamer";
group = "media";
openFirewall = cfg.openFirewall;
logDir = "${cfg.stateDir}/log";
cacheDir = "${cfg.stateDir}/cache";
dataDir = "${cfg.stateDir}/data";
configDir = "${cfg.stateDir}/config";
};
networking.firewall = mkIf cfg.expose.https.enable {
allowedTCPPorts = [80 443];
};
util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable {
enable = true;
openTcpPorts = [80 443];
};
services.nginx = mkMerge [
(mkIf (cfg.expose.https.enable || cfg.vpn.enable) {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
})
(mkIf cfg.expose.https.enable {
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://127.0.0.1:${builtins.toString defaultPort}";
};
};
})
(mkIf cfg.vpn.enable {
virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = mkIf cfg.vpn.enable {
listen = [
{
addr = "0.0.0.0";
port = defaultPort;
}
];
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
};
};
})
];
security.acme = mkIf cfg.expose.https.enable {
acceptTerms = true;
defaults.email = cfg.expose.https.acmeMail;
};
# Enable and specify VPN namespace to confine service in.
systemd.services.jellyfin.vpnConfinement = mkIf cfg.vpn.enable {
enable = true;
vpnNamespace = "wg";
};
# Port mappings
vpnNamespaces.wg = mkIf cfg.vpn.enable {
portMappings = [
{ {
from = defaultPort; addr = "0.0.0.0";
to = defaultPort; port = defaultPort;
} }
]; ];
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
};
}; };
}; })
} ];
security.acme = mkIf cfg.expose.https.enable {
acceptTerms = true;
defaults.email = cfg.expose.https.acmeMail;
};
# Enable and specify VPN namespace to confine service in.
systemd.services.jellyfin.vpnConfinement = mkIf cfg.vpn.enable {
enable = true;
vpnNamespace = "wg";
};
# Port mappings
vpnNamespaces.wg = mkIf cfg.vpn.enable {
portMappings = [
{
from = defaultPort;
to = defaultPort;
}
];
};
};
}
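Review bot: The last assertion's message lists `nixarr.jellyfin.expose.domainName` and `nixarr.jellyfin.expose.acmeMail`, but the options declared above are `expose.https.domainName` and `expose.https.acmeMail`, so the error sends the user to paths that do not exist. The bullets should read `- nixarr.jellyfin.expose.https.domainName` and `- nixarr.jellyfin.expose.https.acmeMail`; the Plex section carries the same wrong paths with `plex` in place of `jellyfin`. Since the whole file is being re-indented anyway, the inner `mkIf cfg.vpn.enable` on the `127.0.0.1` virtual host could also be dropped, as the enclosing list element is already wrapped in the same condition.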
+1 -10
@@ -20,8 +20,6 @@ in {
example = true; example = true;
description = '' description = ''
Whether or not to enable the Jellyseerr service. Whether or not to enable the Jellyseerr service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
''; '';
}; };
@@ -73,15 +71,8 @@ in {
}; };
}; };
config = mkIf cfg.enable { config = mkIf (nixarr.enable && cfg.enable) {
assertions = [ assertions = [
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.jellyseerr.enable option requires the
nixarr.enable option to be set, but it was not.
'';
}
{ {
assertion = cfg.vpn.enable -> nixarr.vpn.enable; assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = '' message = ''
+1 -10
@@ -16,8 +16,6 @@ in {
example = true; example = true;
description = '' description = ''
Whether or not to enable the Lidarr service. Whether or not to enable the Lidarr service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
''; '';
}; };
@@ -62,15 +60,8 @@ in {
}; };
}; };
config = mkIf cfg.enable { config = mkIf (nixarr.enable && cfg.enable) {
assertions = [ assertions = [
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.lidarr.enable option requires the nixarr.enable option
to be set, but it was not.
'';
}
{ {
assertion = cfg.vpn.enable -> nixarr.vpn.enable; assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = '' message = ''
+1 -9
@@ -14,7 +14,6 @@ in {
description = '' description = ''
**Required options:** **Required options:**
- [`nixarr.vpn.enable`](#nixarr.vpn.enable) - [`nixarr.vpn.enable`](#nixarr.vpn.enable)
- [`nixarr.enable`](#nixarr.enable)
Run the openssh service through a vpn, exposing it to the internet. Run the openssh service through a vpn, exposing it to the internet.
@@ -44,15 +43,8 @@ in {
''; '';
}; };
config = mkIf cfg.expose.vpn.enable { config = mkIf (cfg.expose.vpn.enable && cfg.enable) {
assertions = [ assertions = [
{
assertion = cfg.expose.vpn.enable -> nixarr.enable;
message = ''
The nixarr.openssh.expose.vpn.enable option requires the
nixarr.enable option to be set, but it was not.
'';
}
{ {
assertion = cfg.expose.vpn.enable -> nixarr.vpn.enable; assertion = cfg.expose.vpn.enable -> nixarr.vpn.enable;
message = '' message = ''
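Review bot: The guard `mkIf (cfg.expose.vpn.enable && cfg.enable)` tests `cfg.enable` where every other module in this commit tests `nixarr.enable`, which looks like a slip. With the `cfg.expose.vpn.enable -> nixarr.enable` assertion removed in the same section, nothing visible ties the SSH-over-VPN exposure to the top-level switch any more, and if this module declares no `enable` option of its own (none appears in the hunks) evaluation would fail on the missing attribute. I would write `config = mkIf (nixarr.enable && cfg.expose.vpn.enable) {`. The config block runs past the end of the hunk.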
+199 -210
@@ -3,244 +3,233 @@
lib, lib,
pkgs, pkgs,
... ...
}: let }:
with lib; let
cfg = config.nixarr.plex; cfg = config.nixarr.plex;
defaultPort = 32400; defaultPort = 32400;
nixarr = config.nixarr; nixarr = config.nixarr;
in in {
with lib; { options.nixarr.plex = {
options.nixarr.plex = { enable = mkOption {
enable = mkOption { type = types.bool;
type = types.bool; default = false;
default = false; example = true;
example = true; description = ''
description = '' Whether or not to enable the Plex service.
Whether or not to enable the Plex service. '';
};
**Required options:** [`nixarr.enable`](#nixarr.enable) package = mkPackageOption pkgs "plexmediaserver" {};
'';
};
package = mkPackageOption pkgs "plexmediaserver" {}; stateDir = mkOption {
type = types.path;
default = "${nixarr.stateDir}/plex";
defaultText = literalExpression ''"''${nixarr.stateDir}/plex"'';
example = "/nixarr/.state/plex";
description = ''
The location of the state directory for the Plex service.
stateDir = mkOption { > **Warning:** Setting this to any path, where the subpath is not
type = types.path; > owned by root, will fail! For example:
default = "${nixarr.stateDir}/plex"; >
defaultText = literalExpression ''"''${nixarr.stateDir}/plex"''; > ```nix
example = "/nixarr/.state/plex"; > stateDir = /home/user/nixarr/.state/plex
description = '' > ```
The location of the state directory for the Plex service. >
> Is not supported, because `/home/user` is owned by `user`.
'';
};
> **Warning:** Setting this to any path, where the subpath is not openFirewall = mkOption {
> owned by root, will fail! For example: type = types.bool;
> defaultText = literalExpression ''!nixarr.plex.vpn.enable'';
> ```nix default = !cfg.vpn.enable;
> stateDir = /home/user/nixarr/.state/plex example = true;
> ``` description = "Open firewall for Plex";
> };
> Is not supported, because `/home/user` is owned by `user`.
'';
};
openFirewall = mkOption { vpn.enable = mkOption {
type = types.bool; type = types.bool;
defaultText = literalExpression ''!nixarr.plex.vpn.enable''; default = false;
default = !cfg.vpn.enable; example = true;
example = true; description = ''
description = "Open firewall for Plex"; **Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable)
};
vpn.enable = mkOption { **Conflicting options:** [`nixarr.plex.expose.https.enable`](#nixarr.plex.expose.https.enable)
type = types.bool;
default = false;
example = true;
description = ''
**Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable)
**Conflicting options:** [`nixarr.plex.expose.https.enable`](#nixarr.plex.expose.https.enable) Route Plex traffic through the VPN.
'';
};
Route Plex traffic through the VPN. expose = {
''; https = {
}; enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
**Required options:**
expose = { - [`nixarr.plex.expose.https.acmeMail`](#nixarr.plex.expose.https.acmemail)
https = { - [`nixarr.plex.expose.https.domainName`](#nixarr.plex.expose.https.domainname)
enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
**Required options:**
- [`nixarr.plex.expose.https.acmeMail`](#nixarr.plex.expose.https.acmemail) **Conflicting options:** [`nixarr.plex.vpn.enable`](#nixarr.plex.vpn.enable)
- [`nixarr.plex.expose.https.domainName`](#nixarr.plex.expose.https.domainname)
**Conflicting options:** [`nixarr.plex.vpn.enable`](#nixarr.plex.vpn.enable) Expose the Plex web service to the internet with https support,
allowing anyone to access it.
Expose the Plex web service to the internet with https support, > **Warning:** Do _not_ enable this without setting up Plex
allowing anyone to access it. > authentication through localhost first!
'';
};
> **Warning:** Do _not_ enable this without setting up Plex upnp.enable = mkEnableOption "UPNP to try to open ports 80 and 443 on your router.";
> authentication through localhost first!
'';
};
upnp.enable = mkEnableOption "UPNP to try to open ports 80 and 443 on your router."; domainName = mkOption {
type = types.nullOr types.str;
default = null;
example = "plex.example.com";
description = "The domain name to host Plex on.";
};
domainName = mkOption { acmeMail = mkOption {
type = types.nullOr types.str; type = types.nullOr types.str;
default = null; default = null;
example = "plex.example.com"; example = "mail@example.com";
description = "The domain name to host Plex on."; description = "The ACME mail required for the letsencrypt bot.";
};
acmeMail = mkOption {
type = types.nullOr types.str;
default = null;
example = "mail@example.com";
description = "The ACME mail required for the letsencrypt bot.";
};
}; };
}; };
}; };
};
config = config = mkIf (nixarr.enable && cfg.enable) {
mkIf cfg.enable assertions = [
{ {
assertions = [ assertion = cfg.vpn.enable -> nixarr.vpn.enable;
{ message = ''
assertion = cfg.vpn.enable -> nixarr.vpn.enable; The nixarr.plex.vpn.enable option requires the
message = '' nixarr.vpn.enable option to be set, but it was not.
The nixarr.plex.vpn.enable option requires the '';
nixarr.vpn.enable option to be set, but it was not. }
''; {
} assertion = !(cfg.vpn.enable && cfg.expose.https.enable);
{ message = ''
assertion = cfg.enable -> nixarr.enable; The nixarr.plex.vpn.enable option conflicts with the
message = '' nixarr.plex.expose.https.enable option. You cannot set both.
The nixarr.plex.enable option requires the nixarr.enable '';
option to be set, but it was not. }
''; {
} assertion =
{ cfg.expose.https.enable
assertion = !(cfg.vpn.enable && cfg.expose.https.enable); -> (
message = '' (cfg.expose.https.domainName != null)
The nixarr.plex.vpn.enable option conflicts with the && (cfg.expose.https.acmeMail != null)
nixarr.plex.expose.https.enable option. You cannot set both. );
''; message = ''
} The nixarr.plex.expose.https.enable option requires the
{ following options to be set, but one of them were not:
assertion =
cfg.expose.https.enable
-> (
(cfg.expose.https.domainName != null)
&& (cfg.expose.https.acmeMail != null)
);
message = ''
The nixarr.plex.expose.https.enable option requires the
following options to be set, but one of them were not:
- nixarr.plex.expose.domainName - nixarr.plex.expose.domainName
- nixarr.plex.expose.acmeMail - nixarr.plex.expose.acmeMail
''; '';
} }
]; ];
users = { users = {
groups.streamer = {}; groups.streamer = {};
users.streamer = { users.streamer = {
isSystemUser = true; isSystemUser = true;
group = "streamer"; group = "streamer";
};
};
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0700 streamer root - -"
# Media Dirs
"d '${nixarr.mediaDir}/library' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/music' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/books' 0775 streamer media - -"
];
# Always prioritise Plex IO
systemd.services.plex.serviceConfig.IOSchedulingPriority = 0;
services.plex = {
enable = cfg.enable;
package = cfg.package;
user = "streamer";
group = "media";
openFirewall = cfg.openFirewall;
dataDir = cfg.stateDir;
};
networking.firewall = mkIf cfg.expose.https.enable {
allowedTCPPorts = [80 443];
};
util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable {
enable = true;
openTcpPorts = [80 443];
};
services.nginx = mkMerge [
(mkIf (cfg.expose.https.enable || cfg.vpn.enable) {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
})
(mkIf cfg.expose.https.enable {
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://127.0.0.1:${builtins.toString defaultPort}";
}; };
}; };
})
systemd.tmpfiles.rules = [ (mkIf cfg.vpn.enable {
"d '${cfg.stateDir}' 0700 streamer root - -" virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = mkIf cfg.vpn.enable {
listen = [
# Media Dirs
"d '${nixarr.mediaDir}/library' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/music' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/books' 0775 streamer media - -"
];
# Always prioritise Plex IO
systemd.services.plex.serviceConfig.IOSchedulingPriority = 0;
services.plex = {
enable = cfg.enable;
package = cfg.package;
user = "streamer";
group = "media";
openFirewall = cfg.openFirewall;
dataDir = cfg.stateDir;
};
networking.firewall = mkIf cfg.expose.https.enable {
allowedTCPPorts = [80 443];
};
util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable {
enable = true;
openTcpPorts = [80 443];
};
services.nginx = mkMerge [
(mkIf (cfg.expose.https.enable || cfg.vpn.enable) {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
})
(mkIf cfg.expose.https.enable {
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://127.0.0.1:${builtins.toString defaultPort}";
};
};
})
(mkIf cfg.vpn.enable {
virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = mkIf cfg.vpn.enable {
listen = [
{
addr = "0.0.0.0";
port = defaultPort;
}
];
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
};
};
})
];
security.acme = mkIf cfg.expose.https.enable {
acceptTerms = true;
defaults.email = cfg.expose.https.acmeMail;
};
# Enable and specify VPN namespace to confine service in.
systemd.services.plex.vpnConfinement = mkIf cfg.vpn.enable {
enable = true;
vpnNamespace = "wg";
};
# Port mappings
vpnNamespaces.wg = mkIf cfg.vpn.enable {
portMappings = [
{ {
from = defaultPort; addr = "0.0.0.0";
to = defaultPort; port = defaultPort;
} }
]; ];
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
};
}; };
}; })
} ];
security.acme = mkIf cfg.expose.https.enable {
acceptTerms = true;
defaults.email = cfg.expose.https.acmeMail;
};
# Enable and specify VPN namespace to confine service in.
systemd.services.plex.vpnConfinement = mkIf cfg.vpn.enable {
enable = true;
vpnNamespace = "wg";
};
# Port mappings
vpnNamespaces.wg = mkIf cfg.vpn.enable {
portMappings = [
{
from = defaultPort;
to = defaultPort;
}
];
};
};
}
+1 -10
@@ -20,8 +20,6 @@ in {
example = true; example = true;
description = '' description = ''
Whether or not to enable the Prowlarr service. Whether or not to enable the Prowlarr service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
''; '';
}; };
@@ -66,15 +64,8 @@ in {
}; };
}; };
config = mkIf cfg.enable { config = mkIf (nixarr.enable && cfg.enable) {
assertions = [ assertions = [
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.prowlarr.enable option requires the
nixarr.enable option to be set, but it was not.
'';
}
{ {
assertion = cfg.vpn.enable -> nixarr.vpn.enable; assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = '' message = ''
+1 -10
@@ -16,8 +16,6 @@ in {
example = true; example = true;
description = '' description = ''
Whether or not to enable the Radarr service. Whether or not to enable the Radarr service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
''; '';
}; };
@@ -62,15 +60,8 @@ in {
}; };
}; };
config = mkIf cfg.enable { config = mkIf (nixarr.enable && cfg.enable) {
assertions = [ assertions = [
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.radarr.enable option requires the
nixarr.enable option to be set, but it was not.
'';
}
{ {
assertion = cfg.vpn.enable -> nixarr.vpn.enable; assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = '' message = ''
+1 -10
@@ -16,8 +16,6 @@ in {
example = true; example = true;
description = '' description = ''
Whether or not to enable the Readarr service. Whether or not to enable the Readarr service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
''; '';
}; };
@@ -62,15 +60,8 @@ in {
}; };
}; };
config = mkIf cfg.enable { config = mkIf (nixarr.enable && cfg.enable) {
assertions = [ assertions = [
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.readarr.enable option requires the
nixarr.enable option to be set, but it was not.
'';
}
{ {
assertion = cfg.vpn.enable -> nixarr.vpn.enable; assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = '' message = ''
+1 -10
@@ -59,8 +59,6 @@ in {
example = true; example = true;
description = '' description = ''
Whether or not to enable the Recyclarr service. This service does not need to be run behind a VPN. Whether or not to enable the Recyclarr service. This service does not need to be run behind a VPN.
**Required options:** [`nixarr.enable`](#nixarr.enable)
''; '';
}; };
@@ -164,15 +162,8 @@ in {
}; };
}; };
config = mkIf cfg.enable { config = mkIf (nixarr.enable && cfg.enable) {
assertions = [ assertions = [
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.recyclarr.enable option requires the nixarr.enable
option to be set, but it was not.
'';
}
{ {
assertion = cfg.enable -> (nixarr.radarr.enable || nixarr.sonarr.enable); assertion = cfg.enable -> (nixarr.radarr.enable || nixarr.sonarr.enable);
message = '' message = ''
+11 -1
@@ -173,7 +173,17 @@ in {
sab_config_map.write() sab_config_map.write()
''; '';
in in
mkIf cfg.enable { mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = ''
The nixarr.readarr.vpn.enable option requires the
nixarr.vpn.enable option to be set, but it was not.
'';
}
];
users = { users = {
groups.usenet = {}; groups.usenet = {};
users.usenet = { users.usenet = {
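Review bot: The message of the assertion added here names `nixarr.readarr.vpn.enable`, but the surrounding lines (`sab_config_map`, the `usenet` user) suggest this is the SABnzbd module, so a user who trips it is pointed at the wrong option. If `cfg` is `config.nixarr.sabnzbd` (it is defined outside the hunk), the first message line should read `The nixarr.sabnzbd.vpn.enable option requires the`. The config block continues past the end of the hunk.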
+1 -10
@@ -16,8 +16,6 @@ in {
example = true; example = true;
description = '' description = ''
Whether or not to enable the Sonarr service. Whether or not to enable the Sonarr service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
''; '';
}; };
@@ -62,15 +60,8 @@ in {
}; };
}; };
config = mkIf cfg.enable { config = mkIf (nixarr.enable && cfg.enable) {
assertions = [ assertions = [
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.sonarr.enable option requires the
nixarr.enable option to be set, but it was not.
'';
}
{ {
assertion = cfg.vpn.enable -> nixarr.vpn.enable; assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = '' message = ''
+1 -10
@@ -71,8 +71,6 @@ in {
example = true; example = true;
description = '' description = ''
Whether or not to enable the Transmission service. Whether or not to enable the Transmission service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
''; '';
}; };
@@ -267,7 +265,7 @@ in {
./cross-seed ./cross-seed
]; ];
config = mkIf cfg.enable { config = mkIf (nixarr.enable && cfg.enable) {
assertions = [ assertions = [
{ {
assertion = cfg.vpn.enable -> nixarr.vpn.enable; assertion = cfg.vpn.enable -> nixarr.vpn.enable;
@@ -276,13 +274,6 @@ in {
nixarr.vpn.enable option to be set, but it was not. nixarr.vpn.enable option to be set, but it was not.
''; '';
} }
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.transmission.enable option requires the nixarr.enable
option to be set, but it was not.
'';
}
{ {
assertion = cfg-cross-seed.enable -> nixarr.prowlarr.enable; assertion = cfg-cross-seed.enable -> nixarr.prowlarr.enable;
message = '' message = ''