diff --git a/nixarr/audiobookshelf/default.nix b/nixarr/audiobookshelf/default.nix index d78ae3e..64d4c41 100644 --- a/nixarr/audiobookshelf/default.nix +++ b/nixarr/audiobookshelf/default.nix @@ -6,6 +6,10 @@ }: with lib; let cfg = config.nixarr.audiobookshelf; + uid = 242; + user = "streamer"; + group = "streamer"; + port = 9292; nixarr = config.nixarr; in { options.nixarr.audiobookshelf = { @@ -43,7 +47,7 @@ in { port = mkOption { type = types.port; - default = 9292; + default = port; example = 8000; description = '' Default port for Audiobookshelf. The default is 8000 in nixpkgs, @@ -113,7 +117,9 @@ in { }; }; - config = mkIf (nixarr.enable && cfg.enable) { + config = let + host = if cfg.vpn.enable then "192.168.15.1" else "127.0.0.1"; + in mkIf (nixarr.enable && cfg.enable) { assertions = [ { assertion = cfg.vpn.enable -> nixarr.vpn.enable; @@ -147,20 +153,21 @@ in { ]; users = { - groups.streamer = {}; - users.streamer = { + groups."${group}" = {}; + users."${user}" = { isSystemUser = true; - group = "streamer"; + group = group; + uid = uid; }; }; systemd.tmpfiles.rules = [ - "d '${cfg.stateDir}' 0700 streamer root - -" + "d '${cfg.stateDir}' 0700 ${user} root - -" # Media Dirs - "d '${nixarr.mediaDir}/library/books' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/audio-books' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/podcasts' 0775 streamer media - -" + "d '${nixarr.mediaDir}/library/books' 0775 ${user} ${group} - -" + "d '${nixarr.mediaDir}/library/audio-books' 0775 ${user} ${group} - -" + "d '${nixarr.mediaDir}/library/podcasts' 0775 ${user} ${group} - -" ]; systemd.services.audiobookshelf = { 
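Review bot: The rebuilt `users` block in the last hunk defines `users.users.streamer.group = "streamer"`, while the plex module's counterpart in this same commit binds `group = "media"` for the very same `streamer` user, so enabling audiobookshelf (or jellyfin, which mirrors this hunk) together with plex yields conflicting definitions for one option at evaluation time; the three modules must agree on one value, presumably `"media"`. The same hunk also rewrites the `library/*` tmpfiles rules from `0775 streamer media` to `0775 ${user} ${group}`, which with `group = "streamer"` leaves the services that run in group `media` (bazarr, lidarr, radarr per their hunks) with only the world bits on those directories and therefore unable to write imports into them; the jellyfin hunk in nixarr/jellyfin/default.nix makes the identical change. Binding `group = "media";` here as plex does, or keeping `media` as the directory group in the rules, fixes both. Note as well that `uid = 242` for `streamer` is shared by audiobookshelf, jellyfin and plex, so each of those services can read the others' `0700 ${user} root` state directories; that predates the commit but deserves a comment next to the binding.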
@@ -172,11 +179,11 @@ in { serviceConfig = { IOSchedulingPriority = 0; Type = "simple"; - User = cfg.user; - Group = cfg.group; - StateDirectory = cfg.dataDir; - WorkingDirectory = cfg.dataDir; - ExecStart = "${cfg.package}/bin/audiobookshelf --host ${cfg.host} --port ${toString cfg.port}"; + User = user; + Group = group; + StateDirectory = cfg.stateDir; + WorkingDirectory = cfg.stateDir; + ExecStart = "${cfg.package}/bin/audiobookshelf --host ${host} --port ${toString cfg.port}"; Restart = "on-failure"; # Security @@ -195,17 +202,10 @@ in { RemoveIPC = true; PrivateMounts = true; ProtectSystem = "strict"; - ReadWritePaths = [cfg.configDir]; + ReadWritePaths = [cfg.stateDir]; }; }; - users.users.audiobookshelf = { - isSystemUser = true; - group = cfg.group; - home = cfg.stateDir; - }; - users.groups.audiobookshelf = { }; - networking.firewall = mkIf cfg.expose.https.enable { allowedTCPPorts = [80 443]; }; diff --git a/nixarr/bazarr/default.nix b/nixarr/bazarr/default.nix index 2b5adb4..77b7c54 100644 --- a/nixarr/bazarr/default.nix +++ b/nixarr/bazarr/default.nix @@ -7,6 +7,8 @@ with lib; let cfg = config.nixarr.bazarr; port = 6767; + user = "bazarr"; + group = "media"; nixarr = config.nixarr; in { options.nixarr.bazarr = { @@ -78,7 +80,7 @@ in { ]; systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' 0700 bazarr root - -" + "d '${cfg.stateDir}' 0700 ${user} root - -" ]; systemd.services.bazarr = { @@ -88,8 +90,8 @@ in { serviceConfig = { Type = "simple"; - User = "bazarr"; - Group = "media"; + User = user; + Group = group; SyslogIdentifier = "bazarr"; ExecStart = pkgs.writeShellScript "start-bazarr" '' ${pkgs.bazarr}/bin/bazarr \ 
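Review bot: `StateDirectory = cfg.stateDir;` passes systemd the same value the tmpfiles rule `d '${cfg.stateDir}' 0700 ${user} root - -` and `ReadWritePaths = [cfg.stateDir]` treat as an absolute path, but StateDirectory= only takes names relative to /var/lib and ignores an absolute path with a warning, so the line is at best a no-op that suggests a guarantee the unit does not get. Since the directory is already created by the tmpfiles rule and made writable under `ProtectSystem = "strict"` through `ReadWritePaths`, drop the `StateDirectory` line and keep `WorkingDirectory = cfg.stateDir;`. The `serviceConfig` attribute set continues outside the hunk.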
@@ -102,14 +104,16 @@ in { }; networking.firewall = mkIf cfg.openFirewall { - allowedTCPPorts = [cfg.listenPort]; + allowedTCPPorts = [cfg.port]; }; - users.users.bazarr = { - isSystemUser = true; - group = "media"; + users = { + users."${user}" = { + isSystemUser = true; + group = group; + }; + groups."${group}" = {}; }; - users.groups.bazarr = {}; # Enable and specify VPN namespace to confine service in. systemd.services.bazarr.vpnConfinement = mkIf cfg.vpn.enable { diff --git a/nixarr/jellyfin/default.nix b/nixarr/jellyfin/default.nix index ec31ea6..ea09441 100644 --- a/nixarr/jellyfin/default.nix +++ b/nixarr/jellyfin/default.nix @@ -7,6 +7,9 @@ with lib; let cfg = config.nixarr.jellyfin; defaultPort = 8096; + uid = 242; + user = "streamer"; + group = "streamer"; nixarr = config.nixarr; in { options.nixarr.jellyfin = { @@ -138,22 +141,23 @@ in { ]; users = { - groups.streamer = {}; - users.streamer = { + groups."${group}" = {}; + users."${user}" = { isSystemUser = true; - group = "streamer"; + group = group; + uid = uid; }; }; systemd.tmpfiles.rules = [ - "d '${cfg.stateDir}' 0700 streamer root - -" + "d '${cfg.stateDir}' 0700 ${user} root - -" # Media Dirs - "d '${nixarr.mediaDir}/library' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/music' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/books' 0775 streamer media - -" + "d '${nixarr.mediaDir}/library' 0775 ${user} ${group} - -" + "d '${nixarr.mediaDir}/library/shows' 0775 ${user} ${group} - -" + "d '${nixarr.mediaDir}/library/movies' 0775 ${user} ${group} - -" + "d '${nixarr.mediaDir}/library/music' 0775 ${user} ${group} - -" + "d '${nixarr.mediaDir}/library/books' 0775 ${user} ${group} - -" ]; # Always prioritise Jellyfin IO 
@@ -162,8 +166,8 @@ in { services.jellyfin = { enable = cfg.enable; package = cfg.package; - user = "streamer"; - group = "media"; + user = user; + group = group; openFirewall = cfg.openFirewall; logDir = "${cfg.stateDir}/log"; cacheDir = "${cfg.stateDir}/cache"; diff --git a/nixarr/jellyseerr/default.nix b/nixarr/jellyseerr/default.nix index 73d74f1..80fe336 100644 --- a/nixarr/jellyseerr/default.nix +++ b/nixarr/jellyseerr/default.nix @@ -8,6 +8,9 @@ with lib; let cfg = config.nixarr.jellyseerr; nixarr = config.nixarr; port = 5055; + uid = 294; + user = "jellyseerr"; + group = "jellyseerr"; in { options.nixarr.jellyseerr = { enable = mkOption { @@ -184,16 +187,13 @@ in { }; }; - users.users = mkIf (cfg.user == "jellyseerr") { - jellyseerr = { - group = cfg.group; - home = cfg.configDir; - uid = 294; + users = { + users."${user}" = { + isSystemUser = true; + group = group; + uid = uid; }; - }; - - users.groups = mkIf (cfg.group == "jellyseerr") { - jellyseerr = {}; + groups."${group}" = {}; }; networking.firewall = mkIf cfg.expose.https.enable { diff --git a/nixarr/lidarr/default.nix b/nixarr/lidarr/default.nix index 358a47f..af5322e 100644 --- a/nixarr/lidarr/default.nix +++ b/nixarr/lidarr/default.nix @@ -8,6 +8,8 @@ with lib; let cfg = config.nixarr.lidarr; nixarr = config.nixarr; port = 8686; + user = "lidarr"; + group = "media"; in { options.nixarr.lidarr = { enable = mkOption { @@ -80,8 +82,8 @@ in { services.lidarr = { enable = cfg.enable; package = cfg.package; - user = "lidarr"; - group = "media"; + user = user; + group = group; settings.server.port = cfg.port; openFirewall = cfg.openFirewall; dataDir = cfg.stateDir; diff --git a/nixarr/plex/default.nix b/nixarr/plex/default.nix index 1574e94..1838607 100644 --- a/nixarr/plex/default.nix +++ b/nixarr/plex/default.nix @@ -7,6 +7,9 @@ with lib; let cfg = config.nixarr.plex; defaultPort = 32400; + uid = 242; + user = "streamer"; + group = "media"; nixarr = config.nixarr; in { options.nixarr.plex = { 
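Review bot: The rewritten jellyseerr `users` block drops the `mkIf (cfg.user == "jellyseerr")` and `mkIf (cfg.group == "jellyseerr")` guards and unconditionally creates `jellyseerr:jellyseerr` with `uid = 294`; if the module still exposes the `user`/`group` options those guards read, a non-default value is now silently ignored here, so either remove those options or make them feed the let bindings. The account also loses `home = cfg.configDir`, which is fine for a system user provided the unit sets its working and state paths itself, but the service definition sits above the hunk and I cannot confirm it uses `user`/`group` rather than `cfg.user`. A one-line comment such as `# fixed uid so state files keep their owner across reinstalls` next to `uid = 294;` would document why the id is pinned.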
@@ -138,22 +141,23 @@ in { ]; users = { - groups.streamer = {}; - users.streamer = { + groups."${group}" = {}; + users."${user}" = { isSystemUser = true; - group = "streamer"; + group = group; + uid = uid; }; }; systemd.tmpfiles.rules = [ - "d '${cfg.stateDir}' 0700 streamer root - -" + "d '${cfg.stateDir}' 0700 ${user} root - -" # Media Dirs - "d '${nixarr.mediaDir}/library' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/music' 0775 streamer media - -" - "d '${nixarr.mediaDir}/library/books' 0775 streamer media - -" + "d '${nixarr.mediaDir}/library' 0775 ${user} ${group} - -" + "d '${nixarr.mediaDir}/library/shows' 0775 ${user} ${group} - -" + "d '${nixarr.mediaDir}/library/movies' 0775 ${user} ${group} - -" + "d '${nixarr.mediaDir}/library/music' 0775 ${user} ${group} - -" + "d '${nixarr.mediaDir}/library/books' 0775 ${user} ${group} - -" ]; # Always prioritise Plex IO @@ -162,8 +166,8 @@ in { services.plex = { enable = cfg.enable; package = cfg.package; - user = "streamer"; - group = "media"; + user = user; + group = group; openFirewall = cfg.openFirewall; dataDir = cfg.stateDir; }; diff --git a/nixarr/prowlarr/default.nix b/nixarr/prowlarr/default.nix index 6a1ed81..71263c7 100644 --- a/nixarr/prowlarr/default.nix +++ b/nixarr/prowlarr/default.nix @@ -8,6 +8,8 @@ with lib; let cfg = config.nixarr.prowlarr; nixarr = config.nixarr; uid = 293; + user = "prowlarr"; + group = "prowlarr"; port = 9696; in { options.nixarr.prowlarr = { 
@@ -81,21 +83,19 @@ in { ]; systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -" + "d '${cfg.stateDir}' 0700 ${user} ${group} - -" ]; systemd.services.prowlarr = { description = "prowlarr"; after = ["network.target"]; wantedBy = ["multi-user.target"]; - environment = { - PROWLARR__SERVER__PORT = cfg.port; - }; + environment.PROWLARR__SERVER__PORT = builtins.toString cfg.port; serviceConfig = { Type = "simple"; - User = cfg.user; - Group = cfg.group; + User = user; + Group = group; ExecStart = "${lib.getExe cfg.package} -nobrowser -data=${cfg.stateDir}"; Restart = "on-failure"; }; @@ -105,12 +105,14 @@ in { allowedTCPPorts = [cfg.port]; }; - users.users.prowlarr = { - group = "prowlarr"; - home = cfg.stateDir; - uid = uid; + users = { + groups."${group}" = {}; + users."${user}" = { + group = "prowlarr"; + home = cfg.stateDir; + uid = uid; + }; }; - users.groups.prowlarr = {}; # Enable and specify VPN namespace to confine service in. systemd.services.prowlarr.vpnConfinement = mkIf cfg.vpn.enable { diff --git a/nixarr/radarr/default.nix b/nixarr/radarr/default.nix index 817a4c5..0390a6c 100644 --- a/nixarr/radarr/default.nix +++ b/nixarr/radarr/default.nix @@ -7,6 +7,8 @@ with lib; let cfg = config.nixarr.radarr; port = 7878; + user = "radarr"; + group = "media"; nixarr = config.nixarr; in { options.nixarr.radarr = { diff --git a/nixarr/readarr-audiobook/default.nix b/nixarr/readarr-audiobook/default.nix index a3da61b..e0f89ca 100644 --- a/nixarr/readarr-audiobook/default.nix +++ b/nixarr/readarr-audiobook/default.nix @@ -8,6 +8,8 @@ with lib; let cfg = config.nixarr.readarr-audiobook; nixarr = config.nixarr; uid = 269; + user = "readarr"; + group = "readarr"; port = 9494; in { options.nixarr.readarr-audiobook = { 
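Review bot: In the rebuilt prowlarr `users` block the account still gets the literal `group = "prowlarr";` although the first hunk introduced `group` for exactly this purpose; write `group = group;` so the user's primary group cannot drift from the group created by `groups."${group}" = {};` and from `Group = group;` in `serviceConfig`. The readarr and readarr-audiobook hunks in this commit already use `group = group;`, so this is the one outlier.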
@@ -81,21 +83,19 @@ in { ]; systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -" + "d '${cfg.stateDir}' 0700 ${user} ${group} - -" ]; systemd.services.readarr-audiobook = { description = "Readarr-Audiobook"; after = ["network.target"]; wantedBy = ["multi-user.target"]; - environment = { - READARR__SERVER__PORT = cfg.port; - }; + environment.READARR__SERVER__PORT = builtins.toString cfg.port; serviceConfig = { Type = "simple"; - User = cfg.user; - Group = cfg.group; + User = user; + Group = group; ExecStart = "${lib.getExe cfg.package} -nobrowser -data=${cfg.stateDir}"; Restart = "on-failure"; }; @@ -105,12 +105,12 @@ in { allowedTCPPorts = [cfg.port]; }; - users.users.readarr-audiobook = { - group = "readarr-audiobook"; + users.users."${user}" = { + group = group; home = cfg.stateDir; uid = uid; }; - users.groups.readarr-audiobook = {}; + users.groups."${group}" = {}; # Enable and specify VPN namespace to confine service in. systemd.services.readarr-audiobook.vpnConfinement = mkIf cfg.vpn.enable { diff --git a/nixarr/readarr/default.nix b/nixarr/readarr/default.nix index f314481..709f66d 100644 --- a/nixarr/readarr/default.nix +++ b/nixarr/readarr/default.nix @@ -8,6 +8,8 @@ with lib; let cfg = config.nixarr.readarr; nixarr = config.nixarr; uid = 250; + user = "readarr"; + group = "readarr"; port = 8787; in { options.nixarr.readarr = { 
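Review bot: `user = "readarr"` in this file's let binding makes readarr-audiobook define `users.users.readarr` with `uid = 269` and `home = cfg.stateDir`, while nixarr/readarr/default.nix in the same commit defines the same user with `uid = 250` and its own stateDir (its `@@ -8` and `@@ -104` hunks), so enabling both services produces conflicting option definitions at evaluation time. Even if the ids were reconciled, running two services under one account means each `d '${cfg.stateDir}' 0700 ${user} ${group} - -` directory is readable by the other service, which the previous `readarr-audiobook` account avoided. Restore a distinct name, e.g. `user = "readarr-audiobook"; group = "readarr-audiobook";`, keeping `uid = 269`.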
@@ -79,21 +81,19 @@ in { ]; systemd.tmpfiles.rules = [ - "d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -" + "d '${cfg.stateDir}' 0700 ${user} ${group} - -" ]; systemd.services.readarr = { description = "Readarr"; after = ["network.target"]; wantedBy = ["multi-user.target"]; - environment = { - READARR__SERVER__PORT = cfg.port; - }; + environment.READARR__SERVER__PORT = builtins.toString cfg.port; serviceConfig = { Type = "simple"; - User = cfg.user; - Group = cfg.group; + User = user; + Group = group; ExecStart = "${lib.getExe cfg.package} -nobrowser -data=${cfg.stateDir}"; Restart = "on-failure"; }; @@ -104,7 +104,7 @@ in { }; users.users.readarr = { - group = "readarr"; + group = group; home = cfg.stateDir; uid = uid; };