Changed handling of nixarr.enable option dependency

rasmus-kirk
2025-03-18 15:44:27 +01:00
parent 5da89a70c6
commit 2e7d3a901d
15 changed files with 427 additions and 540 deletions
+4
@@ -5,6 +5,10 @@
Added:
- Plex service
Updated:
- If `nixarr.enable` is not enabled other services will automatically now
be disabled, instead of throwing an assertion error.
## 2025-03-17
Added:
+1 -10
@@ -19,8 +19,6 @@ in {
example = true;
description = ''
Whether or not to enable the Bazarr service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
'';
};
@@ -65,7 +63,7 @@ in {
};
};
config = mkIf cfg.enable {
config = mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
@@ -74,13 +72,6 @@ in {
nixarr.vpn.enable option to be set, but it was not.
'';
}
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.bazarr.enable option requires the nixarr.enable option
to be set, but it was not.
'';
}
];
util-nixarr.services.bazarr = {
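Review bot: The description no longer mentions `nixarr.enable`, yet the guard `mkIf (nixarr.enable && cfg.enable)` (apparently the new line of the pair) makes `nixarr.bazarr.enable = true` a silent no-op when the top-level switch is off. With the assertion removed there is no build-time signal either, so a host can be deployed without the service and whatever the config body sets up for it, and nothing reports it. I would keep one sentence in the description, e.g. `Has no effect unless nixarr.enable is also set.`, or add a `warnings` entry for `cfg.enable && !nixarr.enable`. The same applies to the Jellyfin, Jellyseerr, Lidarr, Plex, Prowlarr, Radarr, Readarr, Recyclarr, Sonarr and Transmission sections; the config body continues outside these hunks.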
+1 -17
@@ -45,7 +45,6 @@ in {
description = ''
**Required options:**
- [`nixarr.enable`](#nixarr.enable)
- [`nixarr.ddns.njalla.keysFile`](#nixarr.ddns.njalla.keysfile)
- [`nixarr.vpn.enable`](#nixarr.vpn.enable)
@@ -75,7 +74,6 @@ in {
description = ''
**Required options:**
- [`nixarr.enable`](#nixarr.enable)
- [`nixarr.ddns.njalla.keysFile`](#nixarr.ddns.njalla.keysfile)
Whether or not to enable DDNS for a [Njalla](https://njal.la/)
@@ -111,7 +109,7 @@ in {
};
};
config = mkIf cfg.njalla.enable {
config = mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertion = cfg.njalla.enable -> cfg.njalla.keysFile != null;
@@ -120,20 +118,6 @@ in {
nixarr.ddns.njalla.keysFile option to be set, but it was not.
'';
}
{
assertion = cfg.njalla.enable -> nixarr.enable;
message = ''
The nixarr.ddns.njalla.enable option requires the nixarr.enable
option to be set, but it was not.
'';
}
{
assertion = cfg.njalla.vpn.enable -> nixarr.enable;
message = ''
The nixarr.ddns.njalla.vpn.enable option requires the nixarr.enable
option to be set, but it was not.
'';
}
{
assertion = cfg.njalla.vpn.enable -> cfg.njalla.vpn.keysFile != null;
message = ''
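Review bot: The new guard reads `cfg.enable`, but every option this section documents lives under `njalla` (`nixarr.ddns.njalla.enable`, `nixarr.ddns.njalla.vpn.enable`), and the guard it replaces was `cfg.njalla.enable`. Unless an `enable` option is declared directly on this module outside the visible hunks, evaluation will fail on the missing attribute, or the DDNS configuration will be gated on a different switch than before. The line was probably meant to be `config = mkIf (nixarr.enable && cfg.njalla.enable) {`. The binding of `cfg` and the rest of the config body are outside the hunks, so this needs confirming against the full file.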
+202 -213
@@ -3,247 +3,236 @@
lib,
pkgs,
...
}: let
}:
with lib; let
cfg = config.nixarr.jellyfin;
defaultPort = 8096;
nixarr = config.nixarr;
in
with lib; {
options.nixarr.jellyfin = {
enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Whether or not to enable the Jellyfin service.
in {
options.nixarr.jellyfin = {
enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Whether or not to enable the Jellyfin service.
'';
};
**Required options:** [`nixarr.enable`](#nixarr.enable)
'';
};
package = mkPackageOption pkgs "jellyfin" {};
package = mkPackageOption pkgs "jellyfin" {};
stateDir = mkOption {
type = types.path;
default = "${nixarr.stateDir}/jellyfin";
defaultText = literalExpression ''"''${nixarr.stateDir}/jellyfin"'';
example = "/nixarr/.state/jellyfin";
description = ''
The location of the state directory for the Jellyfin service.
stateDir = mkOption {
type = types.path;
default = "${nixarr.stateDir}/jellyfin";
defaultText = literalExpression ''"''${nixarr.stateDir}/jellyfin"'';
example = "/nixarr/.state/jellyfin";
description = ''
The location of the state directory for the Jellyfin service.
> **Warning:** Setting this to any path, where the subpath is not
> owned by root, will fail! For example:
>
> ```nix
> stateDir = /home/user/nixarr/.state/jellyfin
> ```
>
> Is not supported, because `/home/user` is owned by `user`.
'';
};
> **Warning:** Setting this to any path, where the subpath is not
> owned by root, will fail! For example:
>
> ```nix
> stateDir = /home/user/nixarr/.state/jellyfin
> ```
>
> Is not supported, because `/home/user` is owned by `user`.
'';
};
openFirewall = mkOption {
type = types.bool;
defaultText = literalExpression ''!nixarr.jellyfin.vpn.enable'';
default = !cfg.vpn.enable;
example = true;
description = "Open firewall for Jellyfin";
};
openFirewall = mkOption {
type = types.bool;
defaultText = literalExpression ''!nixarr.jellyfin.vpn.enable'';
default = !cfg.vpn.enable;
example = true;
description = "Open firewall for Jellyfin";
};
vpn.enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
**Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable)
vpn.enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
**Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable)
**Conflicting options:** [`nixarr.jellyfin.expose.https.enable`](#nixarr.jellyfin.expose.https.enable)
**Conflicting options:** [`nixarr.jellyfin.expose.https.enable`](#nixarr.jellyfin.expose.https.enable)
Route Jellyfin traffic through the VPN.
'';
};
Route Jellyfin traffic through the VPN.
'';
};
expose = {
https = {
enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
**Required options:**
expose = {
https = {
enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
**Required options:**
- [`nixarr.jellyfin.expose.https.acmeMail`](#nixarr.jellyfin.expose.https.acmemail)
- [`nixarr.jellyfin.expose.https.domainName`](#nixarr.jellyfin.expose.https.domainname)
- [`nixarr.jellyfin.expose.https.acmeMail`](#nixarr.jellyfin.expose.https.acmemail)
- [`nixarr.jellyfin.expose.https.domainName`](#nixarr.jellyfin.expose.https.domainname)
**Conflicting options:** [`nixarr.jellyfin.vpn.enable`](#nixarr.jellyfin.vpn.enable)
**Conflicting options:** [`nixarr.jellyfin.vpn.enable`](#nixarr.jellyfin.vpn.enable)
Expose the Jellyfin web service to the internet with https support,
allowing anyone to access it.
Expose the Jellyfin web service to the internet with https support,
allowing anyone to access it.
> **Warning:** Do _not_ enable this without setting up Jellyfin
> authentication through localhost first!
'';
};
> **Warning:** Do _not_ enable this without setting up Jellyfin
> authentication through localhost first!
'';
};
upnp.enable = mkEnableOption "UPNP to try to open ports 80 and 443 on your router.";
upnp.enable = mkEnableOption "UPNP to try to open ports 80 and 443 on your router.";
domainName = mkOption {
type = types.nullOr types.str;
default = null;
example = "jellyfin.example.com";
description = "The domain name to host Jellyfin on.";
};
domainName = mkOption {
type = types.nullOr types.str;
default = null;
example = "jellyfin.example.com";
description = "The domain name to host Jellyfin on.";
};
acmeMail = mkOption {
type = types.nullOr types.str;
default = null;
example = "mail@example.com";
description = "The ACME mail required for the letsencrypt bot.";
};
acmeMail = mkOption {
type = types.nullOr types.str;
default = null;
example = "mail@example.com";
description = "The ACME mail required for the letsencrypt bot.";
};
};
};
};
config =
mkIf cfg.enable
config = mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertions = [
{
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = ''
The nixarr.jellyfin.vpn.enable option requires the
nixarr.vpn.enable option to be set, but it was not.
'';
}
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.jellyfin.enable option requires the nixarr.enable
option to be set, but it was not.
'';
}
{
assertion = !(cfg.vpn.enable && cfg.expose.https.enable);
message = ''
The nixarr.jellyfin.vpn.enable option conflicts with the
nixarr.jellyfin.expose.https.enable option. You cannot set both.
'';
}
{
assertion =
cfg.expose.https.enable
-> (
(cfg.expose.https.domainName != null)
&& (cfg.expose.https.acmeMail != null)
);
message = ''
The nixarr.jellyfin.expose.https.enable option requires the
following options to be set, but one of them were not:
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = ''
The nixarr.jellyfin.vpn.enable option requires the
nixarr.vpn.enable option to be set, but it was not.
'';
}
{
assertion = !(cfg.vpn.enable && cfg.expose.https.enable);
message = ''
The nixarr.jellyfin.vpn.enable option conflicts with the
nixarr.jellyfin.expose.https.enable option. You cannot set both.
'';
}
{
assertion =
cfg.expose.https.enable
-> (
(cfg.expose.https.domainName != null)
&& (cfg.expose.https.acmeMail != null)
);
message = ''
The nixarr.jellyfin.expose.https.enable option requires the
following options to be set, but one of them were not:
- nixarr.jellyfin.expose.domainName
- nixarr.jellyfin.expose.acmeMail
'';
}
];
- nixarr.jellyfin.expose.domainName
- nixarr.jellyfin.expose.acmeMail
'';
}
];
users = {
groups.streamer = {};
users.streamer = {
isSystemUser = true;
group = "streamer";
users = {
groups.streamer = {};
users.streamer = {
isSystemUser = true;
group = "streamer";
};
};
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0700 streamer root - -"
# Media Dirs
"d '${nixarr.mediaDir}/library' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/music' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/books' 0775 streamer media - -"
];
# Always prioritise Jellyfin IO
systemd.services.jellyfin.serviceConfig.IOSchedulingPriority = 0;
services.jellyfin = {
enable = cfg.enable;
package = cfg.package;
user = "streamer";
group = "media";
openFirewall = cfg.openFirewall;
logDir = "${cfg.stateDir}/log";
cacheDir = "${cfg.stateDir}/cache";
dataDir = "${cfg.stateDir}/data";
configDir = "${cfg.stateDir}/config";
};
networking.firewall = mkIf cfg.expose.https.enable {
allowedTCPPorts = [80 443];
};
util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable {
enable = true;
openTcpPorts = [80 443];
};
services.nginx = mkMerge [
(mkIf (cfg.expose.https.enable || cfg.vpn.enable) {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
})
(mkIf cfg.expose.https.enable {
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://127.0.0.1:${builtins.toString defaultPort}";
};
};
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0700 streamer root - -"
# Media Dirs
"d '${nixarr.mediaDir}/library' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/music' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/books' 0775 streamer media - -"
];
# Always prioritise Jellyfin IO
systemd.services.jellyfin.serviceConfig.IOSchedulingPriority = 0;
services.jellyfin = {
enable = cfg.enable;
package = cfg.package;
user = "streamer";
group = "media";
openFirewall = cfg.openFirewall;
logDir = "${cfg.stateDir}/log";
cacheDir = "${cfg.stateDir}/cache";
dataDir = "${cfg.stateDir}/data";
configDir = "${cfg.stateDir}/config";
};
networking.firewall = mkIf cfg.expose.https.enable {
allowedTCPPorts = [80 443];
};
util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable {
enable = true;
openTcpPorts = [80 443];
};
services.nginx = mkMerge [
(mkIf (cfg.expose.https.enable || cfg.vpn.enable) {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
})
(mkIf cfg.expose.https.enable {
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://127.0.0.1:${builtins.toString defaultPort}";
};
};
})
(mkIf cfg.vpn.enable {
virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = mkIf cfg.vpn.enable {
listen = [
{
addr = "0.0.0.0";
port = defaultPort;
}
];
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
};
};
})
];
security.acme = mkIf cfg.expose.https.enable {
acceptTerms = true;
defaults.email = cfg.expose.https.acmeMail;
};
# Enable and specify VPN namespace to confine service in.
systemd.services.jellyfin.vpnConfinement = mkIf cfg.vpn.enable {
enable = true;
vpnNamespace = "wg";
};
# Port mappings
vpnNamespaces.wg = mkIf cfg.vpn.enable {
portMappings = [
})
(mkIf cfg.vpn.enable {
virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = mkIf cfg.vpn.enable {
listen = [
{
from = defaultPort;
to = defaultPort;
addr = "0.0.0.0";
port = defaultPort;
}
];
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
};
};
};
}
})
];
security.acme = mkIf cfg.expose.https.enable {
acceptTerms = true;
defaults.email = cfg.expose.https.acmeMail;
};
# Enable and specify VPN namespace to confine service in.
systemd.services.jellyfin.vpnConfinement = mkIf cfg.vpn.enable {
enable = true;
vpnNamespace = "wg";
};
# Port mappings
vpnNamespaces.wg = mkIf cfg.vpn.enable {
portMappings = [
{
from = defaultPort;
to = defaultPort;
}
];
};
};
}
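Review bot: The last assertion's message lists `nixarr.jellyfin.expose.domainName` and `nixarr.jellyfin.expose.acmeMail`, but the options declared earlier in this file are `expose.https.domainName` and `expose.https.acmeMail`. Since the block is being re-indented anyway, the message should name the real paths, `- nixarr.jellyfin.expose.https.domainName` and `- nixarr.jellyfin.expose.https.acmeMail`, so a user who trips the check is sent to options that exist. The Plex section carries the same wrong paths in its corresponding assertion. Separately, the inner `mkIf cfg.vpn.enable` on the `virtualHosts."127.0.0.1:..."` entry repeats the condition of the `mkIf` that already wraps it and can be dropped.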
+1 -10
@@ -20,8 +20,6 @@ in {
example = true;
description = ''
Whether or not to enable the Jellyseerr service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
'';
};
@@ -73,15 +71,8 @@ in {
};
};
config = mkIf cfg.enable {
config = mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.jellyseerr.enable option requires the
nixarr.enable option to be set, but it was not.
'';
}
{
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = ''
+1 -10
@@ -16,8 +16,6 @@ in {
example = true;
description = ''
Whether or not to enable the Lidarr service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
'';
};
@@ -62,15 +60,8 @@ in {
};
};
config = mkIf cfg.enable {
config = mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.lidarr.enable option requires the nixarr.enable option
to be set, but it was not.
'';
}
{
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = ''
+1 -9
@@ -14,7 +14,6 @@ in {
description = ''
**Required options:**
- [`nixarr.vpn.enable`](#nixarr.vpn.enable)
- [`nixarr.enable`](#nixarr.enable)
Run the openssh service through a vpn, exposing it to the internet.
@@ -44,15 +43,8 @@ in {
'';
};
config = mkIf cfg.expose.vpn.enable {
config = mkIf (cfg.expose.vpn.enable && cfg.enable) {
assertions = [
{
assertion = cfg.expose.vpn.enable -> nixarr.enable;
message = ''
The nixarr.openssh.expose.vpn.enable option requires the
nixarr.enable option to be set, but it was not.
'';
}
{
assertion = cfg.expose.vpn.enable -> nixarr.vpn.enable;
message = ''
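Review bot: This is the only guard in the commit that does not test `nixarr.enable`; it adds `cfg.enable` instead, although the assertion it replaces was `cfg.expose.vpn.enable -> nixarr.enable`. If `cfg` is this module's own option set, as in the other files, `cfg.enable` is either undefined here or a different switch, so exposing SSH through the VPN is no longer tied to the top-level option the way the changelog entry describes. I would expect `config = mkIf (nixarr.enable && cfg.expose.vpn.enable) {`. The binding of `cfg` is outside the hunks, so please confirm which option this resolves to.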
+199 -210
@@ -3,244 +3,233 @@
lib,
pkgs,
...
}: let
}:
with lib; let
cfg = config.nixarr.plex;
defaultPort = 32400;
nixarr = config.nixarr;
in
with lib; {
options.nixarr.plex = {
enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Whether or not to enable the Plex service.
in {
options.nixarr.plex = {
enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
Whether or not to enable the Plex service.
'';
};
**Required options:** [`nixarr.enable`](#nixarr.enable)
'';
};
package = mkPackageOption pkgs "plexmediaserver" {};
package = mkPackageOption pkgs "plexmediaserver" {};
stateDir = mkOption {
type = types.path;
default = "${nixarr.stateDir}/plex";
defaultText = literalExpression ''"''${nixarr.stateDir}/plex"'';
example = "/nixarr/.state/plex";
description = ''
The location of the state directory for the Plex service.
stateDir = mkOption {
type = types.path;
default = "${nixarr.stateDir}/plex";
defaultText = literalExpression ''"''${nixarr.stateDir}/plex"'';
example = "/nixarr/.state/plex";
description = ''
The location of the state directory for the Plex service.
> **Warning:** Setting this to any path, where the subpath is not
> owned by root, will fail! For example:
>
> ```nix
> stateDir = /home/user/nixarr/.state/plex
> ```
>
> Is not supported, because `/home/user` is owned by `user`.
'';
};
> **Warning:** Setting this to any path, where the subpath is not
> owned by root, will fail! For example:
>
> ```nix
> stateDir = /home/user/nixarr/.state/plex
> ```
>
> Is not supported, because `/home/user` is owned by `user`.
'';
};
openFirewall = mkOption {
type = types.bool;
defaultText = literalExpression ''!nixarr.plex.vpn.enable'';
default = !cfg.vpn.enable;
example = true;
description = "Open firewall for Plex";
};
openFirewall = mkOption {
type = types.bool;
defaultText = literalExpression ''!nixarr.plex.vpn.enable'';
default = !cfg.vpn.enable;
example = true;
description = "Open firewall for Plex";
};
vpn.enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
**Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable)
vpn.enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
**Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable)
**Conflicting options:** [`nixarr.plex.expose.https.enable`](#nixarr.plex.expose.https.enable)
**Conflicting options:** [`nixarr.plex.expose.https.enable`](#nixarr.plex.expose.https.enable)
Route Plex traffic through the VPN.
'';
};
Route Plex traffic through the VPN.
'';
};
expose = {
https = {
enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
**Required options:**
expose = {
https = {
enable = mkOption {
type = types.bool;
default = false;
example = true;
description = ''
**Required options:**
- [`nixarr.plex.expose.https.acmeMail`](#nixarr.plex.expose.https.acmemail)
- [`nixarr.plex.expose.https.domainName`](#nixarr.plex.expose.https.domainname)
- [`nixarr.plex.expose.https.acmeMail`](#nixarr.plex.expose.https.acmemail)
- [`nixarr.plex.expose.https.domainName`](#nixarr.plex.expose.https.domainname)
**Conflicting options:** [`nixarr.plex.vpn.enable`](#nixarr.plex.vpn.enable)
**Conflicting options:** [`nixarr.plex.vpn.enable`](#nixarr.plex.vpn.enable)
Expose the Plex web service to the internet with https support,
allowing anyone to access it.
Expose the Plex web service to the internet with https support,
allowing anyone to access it.
> **Warning:** Do _not_ enable this without setting up Plex
> authentication through localhost first!
'';
};
> **Warning:** Do _not_ enable this without setting up Plex
> authentication through localhost first!
'';
};
upnp.enable = mkEnableOption "UPNP to try to open ports 80 and 443 on your router.";
upnp.enable = mkEnableOption "UPNP to try to open ports 80 and 443 on your router.";
domainName = mkOption {
type = types.nullOr types.str;
default = null;
example = "plex.example.com";
description = "The domain name to host Plex on.";
};
domainName = mkOption {
type = types.nullOr types.str;
default = null;
example = "plex.example.com";
description = "The domain name to host Plex on.";
};
acmeMail = mkOption {
type = types.nullOr types.str;
default = null;
example = "mail@example.com";
description = "The ACME mail required for the letsencrypt bot.";
};
acmeMail = mkOption {
type = types.nullOr types.str;
default = null;
example = "mail@example.com";
description = "The ACME mail required for the letsencrypt bot.";
};
};
};
};
config =
mkIf cfg.enable
config = mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertions = [
{
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = ''
The nixarr.plex.vpn.enable option requires the
nixarr.vpn.enable option to be set, but it was not.
'';
}
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.plex.enable option requires the nixarr.enable
option to be set, but it was not.
'';
}
{
assertion = !(cfg.vpn.enable && cfg.expose.https.enable);
message = ''
The nixarr.plex.vpn.enable option conflicts with the
nixarr.plex.expose.https.enable option. You cannot set both.
'';
}
{
assertion =
cfg.expose.https.enable
-> (
(cfg.expose.https.domainName != null)
&& (cfg.expose.https.acmeMail != null)
);
message = ''
The nixarr.plex.expose.https.enable option requires the
following options to be set, but one of them were not:
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = ''
The nixarr.plex.vpn.enable option requires the
nixarr.vpn.enable option to be set, but it was not.
'';
}
{
assertion = !(cfg.vpn.enable && cfg.expose.https.enable);
message = ''
The nixarr.plex.vpn.enable option conflicts with the
nixarr.plex.expose.https.enable option. You cannot set both.
'';
}
{
assertion =
cfg.expose.https.enable
-> (
(cfg.expose.https.domainName != null)
&& (cfg.expose.https.acmeMail != null)
);
message = ''
The nixarr.plex.expose.https.enable option requires the
following options to be set, but one of them were not:
- nixarr.plex.expose.domainName
- nixarr.plex.expose.acmeMail
'';
}
];
- nixarr.plex.expose.domainName
- nixarr.plex.expose.acmeMail
'';
}
];
users = {
groups.streamer = {};
users.streamer = {
isSystemUser = true;
group = "streamer";
users = {
groups.streamer = {};
users.streamer = {
isSystemUser = true;
group = "streamer";
};
};
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0700 streamer root - -"
# Media Dirs
"d '${nixarr.mediaDir}/library' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/music' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/books' 0775 streamer media - -"
];
# Always prioritise Plex IO
systemd.services.plex.serviceConfig.IOSchedulingPriority = 0;
services.plex = {
enable = cfg.enable;
package = cfg.package;
user = "streamer";
group = "media";
openFirewall = cfg.openFirewall;
dataDir = cfg.stateDir;
};
networking.firewall = mkIf cfg.expose.https.enable {
allowedTCPPorts = [80 443];
};
util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable {
enable = true;
openTcpPorts = [80 443];
};
services.nginx = mkMerge [
(mkIf (cfg.expose.https.enable || cfg.vpn.enable) {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
})
(mkIf cfg.expose.https.enable {
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://127.0.0.1:${builtins.toString defaultPort}";
};
};
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0700 streamer root - -"
# Media Dirs
"d '${nixarr.mediaDir}/library' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/music' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/books' 0775 streamer media - -"
];
# Always prioritise Plex IO
systemd.services.plex.serviceConfig.IOSchedulingPriority = 0;
services.plex = {
enable = cfg.enable;
package = cfg.package;
user = "streamer";
group = "media";
openFirewall = cfg.openFirewall;
dataDir = cfg.stateDir;
};
networking.firewall = mkIf cfg.expose.https.enable {
allowedTCPPorts = [80 443];
};
util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable {
enable = true;
openTcpPorts = [80 443];
};
services.nginx = mkMerge [
(mkIf (cfg.expose.https.enable || cfg.vpn.enable) {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
})
(mkIf cfg.expose.https.enable {
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://127.0.0.1:${builtins.toString defaultPort}";
};
};
})
(mkIf cfg.vpn.enable {
virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = mkIf cfg.vpn.enable {
listen = [
{
addr = "0.0.0.0";
port = defaultPort;
}
];
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
};
};
})
];
security.acme = mkIf cfg.expose.https.enable {
acceptTerms = true;
defaults.email = cfg.expose.https.acmeMail;
};
# Enable and specify VPN namespace to confine service in.
systemd.services.plex.vpnConfinement = mkIf cfg.vpn.enable {
enable = true;
vpnNamespace = "wg";
};
# Port mappings
vpnNamespaces.wg = mkIf cfg.vpn.enable {
portMappings = [
})
(mkIf cfg.vpn.enable {
virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = mkIf cfg.vpn.enable {
listen = [
{
from = defaultPort;
to = defaultPort;
addr = "0.0.0.0";
port = defaultPort;
}
];
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
};
};
};
}
})
];
security.acme = mkIf cfg.expose.https.enable {
acceptTerms = true;
defaults.email = cfg.expose.https.acmeMail;
};
# Enable and specify VPN namespace to confine service in.
systemd.services.plex.vpnConfinement = mkIf cfg.vpn.enable {
enable = true;
vpnNamespace = "wg";
};
# Port mappings
vpnNamespaces.wg = mkIf cfg.vpn.enable {
portMappings = [
{
from = defaultPort;
to = defaultPort;
}
];
};
};
}
+1 -10
@@ -20,8 +20,6 @@ in {
example = true;
description = ''
Whether or not to enable the Prowlarr service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
'';
};
@@ -66,15 +64,8 @@ in {
};
};
config = mkIf cfg.enable {
config = mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.prowlarr.enable option requires the
nixarr.enable option to be set, but it was not.
'';
}
{
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = ''
+1 -10
@@ -16,8 +16,6 @@ in {
example = true;
description = ''
Whether or not to enable the Radarr service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
'';
};
@@ -62,15 +60,8 @@ in {
};
};
config = mkIf cfg.enable {
config = mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.radarr.enable option requires the
nixarr.enable option to be set, but it was not.
'';
}
{
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = ''
+1 -10
@@ -16,8 +16,6 @@ in {
example = true;
description = ''
Whether or not to enable the Readarr service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
'';
};
@@ -62,15 +60,8 @@ in {
};
};
config = mkIf cfg.enable {
config = mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.readarr.enable option requires the
nixarr.enable option to be set, but it was not.
'';
}
{
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = ''
+1 -10
@@ -59,8 +59,6 @@ in {
example = true;
description = ''
Whether or not to enable the Recyclarr service. This service does not need to be run behind a VPN.
**Required options:** [`nixarr.enable`](#nixarr.enable)
'';
};
@@ -164,15 +162,8 @@ in {
};
};
config = mkIf cfg.enable {
config = mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.recyclarr.enable option requires the nixarr.enable
option to be set, but it was not.
'';
}
{
assertion = cfg.enable -> (nixarr.radarr.enable || nixarr.sonarr.enable);
message = ''
+11 -1
@@ -173,7 +173,17 @@ in {
sab_config_map.write()
'';
in
mkIf cfg.enable {
mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = ''
The nixarr.readarr.vpn.enable option requires the
nixarr.vpn.enable option to be set, but it was not.
'';
}
];
users = {
groups.usenet = {};
users.usenet = {
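Review bot: The message of the added assertion names `nixarr.readarr.vpn.enable`, which looks copied from the Readarr module; this section is the one that writes `sab_config_map` and creates the `usenet` user. A user who trips the check will be pointed at the wrong option and may change Readarr's VPN setting instead of this service's. The message should name this module's own option, presumably `nixarr.sabnzbd.vpn.enable` (the option path is declared outside the hunk, so verify it).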
+1 -10
@@ -16,8 +16,6 @@ in {
example = true;
description = ''
Whether or not to enable the Sonarr service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
'';
};
@@ -62,15 +60,8 @@ in {
};
};
config = mkIf cfg.enable {
config = mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.sonarr.enable option requires the
nixarr.enable option to be set, but it was not.
'';
}
{
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = ''
+1 -10
@@ -71,8 +71,6 @@ in {
example = true;
description = ''
Whether or not to enable the Transmission service.
**Required options:** [`nixarr.enable`](#nixarr.enable)
'';
};
@@ -267,7 +265,7 @@ in {
./cross-seed
];
config = mkIf cfg.enable {
config = mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
@@ -276,13 +274,6 @@ in {
nixarr.vpn.enable option to be set, but it was not.
'';
}
{
assertion = cfg.enable -> nixarr.enable;
message = ''
The nixarr.transmission.enable option requires the nixarr.enable
option to be set, but it was not.
'';
}
{
assertion = cfg-cross-seed.enable -> nixarr.prowlarr.enable;
message = ''