From 3b714a8e3393df45e81d67b7713dfedc277c2f19 Mon Sep 17 00:00:00 2001 From: rasmus-kirk Date: Tue, 6 Aug 2024 11:12:46 +0200 Subject: [PATCH] Added wiki page and cleaned up dirs and users --- docs/wiki/index.md | 4 +- docs/wiki/vpn/ports/index.md | 45 +++++++++++++++ .../vpn/{ => uncovered-services}/index.md | 0 nixarr/jellyfin/default.nix | 15 +++++ nixarr/nixarr.nix | 55 ++----------------- nixarr/sabnzbd/default.nix | 18 ++++++ nixarr/transmission/default.nix | 23 +++++++- 7 files changed, 108 insertions(+), 52 deletions(-) create mode 100644 docs/wiki/vpn/ports/index.md rename docs/wiki/vpn/{ => uncovered-services}/index.md (100%) diff --git a/docs/wiki/index.md b/docs/wiki/index.md index a837e9d..a043a1d 100644 --- a/docs/wiki/index.md +++ b/docs/wiki/index.md @@ -11,7 +11,9 @@ This is an index of existing articles: - **[Basic Example](/wiki/examples/example-1)** - **[Example Configuration Where Port Forwarding Is Not an Option](/wiki/examples/example-2)** - **[Exposing Services Safely](/wiki/expose)** -- **[Running Services Not Covered by Nixarr Through a VPN](/wiki/vpn)** +- **VPN** + - **[Running Services Not Covered by Nixarr Through a VPN](/docs/wiki/vpn/uncovered-services)** + - **[Opening Ports](/docs/wiki/vpn/ports/index.md)** For learning how to setup the "*Arrs", once running, refer to the [servarr wiki](https://wiki.servarr.com/) diff --git a/docs/wiki/vpn/ports/index.md b/docs/wiki/vpn/ports/index.md new file mode 100644 index 0000000..60959da --- /dev/null +++ b/docs/wiki/vpn/ports/index.md 
@@ -0,0 +1,45 @@
+---
+title: Opening Ports
+---
+
+In order to open a port through a VPN you need to open a port with your VPN-provider.
+
+> **Note:** Not all VPN-providers support this feature! Notably, Mullvad does not anymore!
+
+> **Note:** The port present in the
+> [nixarr.vpn.wgConf](https://nixarr.com/options.html#nixarr.vpn.wgconf),
+> should not be used for any options!
+
+## AirVPN
+
+Go to the [ports page](https://airvpn.org/ports/) at AirVPN's website open
+a port. After opening it should look like this:
+
+![An open port on AirVPN, the port number that should be used in Nixarr is 12345.](./airvpn.png)
+
+Then you can set that port for a service, for example
+
+```nix {.numberLines}
+ nixarr.transmission = {
+ enable = true;
+ vpn.enable = true;
+ peerPort = 12345;
+ };
+```
+
+## Debugging Ports
+
+You can debug an open port using the
+`[vpnTestService](https://nixarr.com/options.html#nixarr.vpn.vpntestservice.enable)`.
+If the DNS and IP checks out, it will
+open a `netcat` instance on the port specified in
+`[vpnTestService.port](https://nixarr.com/options.html#nixarr.vpn.vpntestservice.port)`.
+You can then run:
+
+```sh
+ nc
+```
+
+Where the "_public VPN ip_" is the one shown in the `vpnTestService` logs as
+your ip. Upon succesful connection type messages that _should_ show up in the
+`vpnTestService` logs.
diff --git a/docs/wiki/vpn/index.md b/docs/wiki/vpn/uncovered-services/index.md
similarity index 100%
rename from docs/wiki/vpn/index.md
rename to docs/wiki/vpn/uncovered-services/index.md
diff --git a/nixarr/jellyfin/default.nix b/nixarr/jellyfin/default.nix
index c80a317..85a8033 100644
--- a/nixarr/jellyfin/default.nix
+++ b/nixarr/jellyfin/default.nix
@@ -200,8 +200,23 @@ in } ]; + users = { + groups.streamer = {}; + users.streamer = { + isSystemUser = true; + group = "streamer"; + }; + }; + systemd.tmpfiles.rules = [ "d '${cfg.stateDir}' 0700 streamer root - -" + + # Media Dirs + "d '${cfg.mediaDir}/library' 0775 streamer media - -" + "d '${cfg.mediaDir}/library/shows' 0775 streamer media - -" + "d '${cfg.mediaDir}/library/movies' 0775 streamer media - -" + "d '${cfg.mediaDir}/library/music' 0775 streamer media - -" + "d '${cfg.mediaDir}/library/books' 0775 streamer media - -" ]; # Always prioritise Jellyfin IO diff --git a/nixarr/nixarr.nix b/nixarr/nixarr.nix index b3a109c..c47f3b1 100644 --- a/nixarr/nixarr.nix +++ b/nixarr/nixarr.nix @@ -26,17 +26,17 @@ with lib; let exit fi - chown -R torrenter:media "${cfg.mediaDir}/torrents" - chown -R usenet:media "${cfg.mediaDir}/usenet" - chown -R streamer:media "${cfg.mediaDir}/library" find "${cfg.mediaDir}" \( -type d -exec chmod 0775 {} + -true \) -o \( -exec chmod 0664 {} + \) '' + strings.optionalString cfg.jellyfin.enable '' + chown -R streamer:media "${cfg.mediaDir}/library" chown -R streamer:root "${cfg.jellyfin.stateDir}" find "${cfg.jellyfin.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) '' + strings.optionalString cfg.transmission.enable '' + chown -R torrenter:media "${cfg.mediaDir}/torrents" chown -R torrenter:cross-seed "${cfg.transmission.stateDir}" find "${cfg.transmission.stateDir}" \( -type d -exec chmod 0750 {} + -true \) -o \( -exec chmod 0640 {} + \) '' + strings.optionalString cfg.sabnzbd.enable '' + chown -R usenet:media "${cfg.mediaDir}/usenet" chown -R usenet:root "${cfg.sabnzbd.stateDir}" find "${cfg.sabnzbd.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) '' + strings.optionalString cfg.transmission.privateTrackers.cross-seed.enable '' 
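Review bot: The new media-directory rules in nixarr/jellyfin/default.nix interpolate `${cfg.mediaDir}`, but the unchanged rule directly above them uses `${cfg.stateDir}` for Jellyfin's own state directory, while nixarr/nixarr.nix reads `cfg.jellyfin.stateDir` and `cfg.mediaDir` from the top-level config. The binding of `cfg` lies outside the hunk, so this is inferred, but if `cfg` is the Jellyfin sub-config and it has no `mediaDir` option of its own, evaluation will fail on a missing attribute. Consider naming the top-level option explicitly, e.g. `"d '${config.nixarr.mediaDir}/library' 0775 streamer media - -"` (assuming that is the option's path). The same question applies to the `usenet` rules added in nixarr/sabnzbd/default.nix and the `torrents` rules added in nixarr/transmission/default.nix.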
@@ -233,53 +233,10 @@ in { } ]; - users.groups = { - media.members = cfg.mediaUsers; - streamer = {}; - torrenter = {}; - usenet = {}; - }; - users.users = { - streamer = { - isSystemUser = true; - group = "streamer"; - }; - torrenter = { - isSystemUser = true; - group = "torrenter"; - }; - usenet = { - isSystemUser = true; - group = "usenet"; - }; - }; + users.groups.media.members = cfg.mediaUsers; systemd.tmpfiles.rules = [ - # Media dirs - "d '${cfg.mediaDir}' 0775 root media - -" - "d '${cfg.mediaDir}/library' 0775 streamer media - -" - "d '${cfg.mediaDir}/library/shows' 0775 streamer media - -" - "d '${cfg.mediaDir}/library/movies' 0775 streamer media - -" - "d '${cfg.mediaDir}/library/music' 0775 streamer media - -" - "d '${cfg.mediaDir}/library/books' 0775 streamer media - -" - "d '${cfg.mediaDir}/torrents' 0755 torrenter media - -" - "d '${cfg.mediaDir}/torrents/.incomplete' 0755 torrenter media - -" - "d '${cfg.mediaDir}/torrents/.watch' 0755 torrenter media - -" - "d '${cfg.mediaDir}/torrents/manual' 0755 torrenter media - -" - "d '${cfg.mediaDir}/torrents/lidarr' 0755 torrenter media - -" - "d '${cfg.mediaDir}/torrents/radarr' 0755 torrenter media - -" - "d '${cfg.mediaDir}/torrents/sonarr' 0755 torrenter media - -" - "d '${cfg.mediaDir}/torrents/readarr' 0755 torrenter media - -" - ] ++ lists.optionals cfg.sabnzbd.enable [ - # only create usenet dirs if sabnzbd is enabled - "d '${cfg.mediaDir}/usenet' 0755 usenet media - -" - "d '${cfg.mediaDir}/usenet/.incomplete' 0755 usenet media - -" - "d '${cfg.mediaDir}/usenet/.watch' 0755 usenet media - -" - "d '${cfg.mediaDir}/usenet/manual' 0775 usenet media - -" - "d '${cfg.mediaDir}/usenet/liadarr' 0775 usenet media - -" - "d '${cfg.mediaDir}/usenet/radarr' 0775 usenet media - -" - "d '${cfg.mediaDir}/usenet/sonarr' 0775 usenet media - -" - "d '${cfg.mediaDir}/usenet/readarr' 0775 usenet media - -" + "d '${cfg.mediaDir}' 0775 root media - -" ]; environment.systemPackages = with pkgs; [ 
@@ -290,7 +247,7 @@ in { vpnnamespaces.wg = mkIf cfg.vpn.enable { enable = true; - openVPNPorts = optional cfg.vpn.vpnTestService.enable { + openVPNPorts = optional cfg.vpn.vpnTestService.port != null { port = cfg.vpn.vpnTestService.port; protocol = "tcp"; }; diff --git a/nixarr/sabnzbd/default.nix b/nixarr/sabnzbd/default.nix index 37cc1c7..e14a140 100644 --- a/nixarr/sabnzbd/default.nix +++ b/nixarr/sabnzbd/default.nix @@ -168,9 +168,27 @@ in { sab_config_map.write() ''; in mkIf cfg.enable { + users = { + groups.usenet = {}; + users.usenet = { + isSystemUser = true; + group = "usenet"; + }; + }; + systemd.tmpfiles.rules = [ "d '${cfg.stateDir}' 0700 usenet root - -" "C ${cfg.stateDir}/sabnzbd.ini - - - - ${ini-base-config-file}" + + # Media dirs + "d '${cfg.mediaDir}/usenet' 0755 usenet media - -" + "d '${cfg.mediaDir}/usenet/.incomplete' 0755 usenet media - -" + "d '${cfg.mediaDir}/usenet/.watch' 0755 usenet media - -" + "d '${cfg.mediaDir}/usenet/manual' 0775 usenet media - -" + "d '${cfg.mediaDir}/usenet/liadarr' 0775 usenet media - -" + "d '${cfg.mediaDir}/usenet/radarr' 0775 usenet media - -" + "d '${cfg.mediaDir}/usenet/sonarr' 0775 usenet media - -" + "d '${cfg.mediaDir}/usenet/readarr' 0775 usenet media - -" ]; services.sabnzbd = { diff --git a/nixarr/transmission/default.nix b/nixarr/transmission/default.nix index b3a78f5..81aa56e 100644 --- a/nixarr/transmission/default.nix +++ b/nixarr/transmission/default.nix 
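Review bot: The new `openVPNPorts` condition is missing parentheses: function application binds tighter than `!=` in Nix, so `optional cfg.vpn.vpnTestService.port != null { ... }` parses as `(optional cfg.vpn.vpnTestService.port) != (null { ... })` and cannot evaluate to a port list. The change also drops the `vpnTestService.enable` check, so if `port` has a non-null default (not visible here) the port would be opened in the VPN namespace even with the test service switched off. Suggest `openVPNPorts = optional (cfg.vpn.vpnTestService.enable && cfg.vpn.vpnTestService.port != null) {`. The `vpnnamespaces.wg` block continues outside the hunk.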
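Review bot: `"d '${cfg.mediaDir}/usenet/liadarr' 0775 usenet media - -"` in nixarr/sabnzbd/default.nix looks like a typo for `lidarr`, which is the name the transmission module uses for `torrents/lidarr`. The line was moved verbatim from nixarr/nixarr.nix, so this is a convenient moment to correct it, unless an existing setup already depends on the misspelled path. The modes in this list are also mixed: `usenet`, `.incomplete` and `.watch` are 0755, while the per-app directories are 0775. If that split is deliberate, a comment above `# Media dirs` stating which directories group `media` is meant to write to would make the intended access boundary explicit.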
@@ -290,14 +290,33 @@ in { } ]; + users = { + groups = { + torrenter = {}; + cross-seed = {}; + }; + users.torrenter = { + isSystemUser = true; + group = "torrenter"; + }; + }; + systemd.tmpfiles.rules = [ "d '${cfg.stateDir}' 0750 torrenter cross-seed - -" # This is fixes a bug in nixpks (https://github.com/NixOS/nixpkgs/issues/291883) "d '${cfg.stateDir}/.config' 0750 torrenter cross-seed - -" "d '${cfg.stateDir}/.config/transmission-daemon' 0750 torrenter cross-seed - -" - ]; - users.groups.cross-seed = {}; + # Media Dirs + "d '${cfg.mediaDir}/torrents' 0755 torrenter media - -" + "d '${cfg.mediaDir}/torrents/.incomplete' 0755 torrenter media - -" + "d '${cfg.mediaDir}/torrents/.watch' 0755 torrenter media - -" + "d '${cfg.mediaDir}/torrents/manual' 0755 torrenter media - -" + "d '${cfg.mediaDir}/torrents/lidarr' 0755 torrenter media - -" + "d '${cfg.mediaDir}/torrents/radarr' 0755 torrenter media - -" + "d '${cfg.mediaDir}/torrents/sonarr' 0755 torrenter media - -" + "d '${cfg.mediaDir}/torrents/readarr' 0755 torrenter media - -" + ]; util-nixarr.services.cross-seed = mkIf cfg-cross-seed.enable { enable = true;
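Review bot: The `torrents` directories are declared here as `0755 torrenter media`, but the permission-fix script in nixarr/nixarr.nix (a context line of this same patch) runs `find "${cfg.mediaDir}" \( -type d -exec chmod 0775 {} + -true \) ...`, which makes every directory under the media dir group-writable. The effective mode therefore appears to depend on whether tmpfiles or the script ran last. If 0755 is the intended least-privilege setting for download directories, the script should skip `torrents`; otherwise declare 0775 here so that the two agree. A short comment under `# Media Dirs` stating the intended mode would settle it; the enclosing block continues outside the hunk.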