rasmus-kirk
2025-05-31 21:07:02 +02:00
parent f7a29ea3f8
commit 58dd1ee446
10 changed files with 108 additions and 90 deletions
+22 -22
@@ -6,6 +6,10 @@
}: }:
with lib; let with lib; let
cfg = config.nixarr.audiobookshelf; cfg = config.nixarr.audiobookshelf;
uid = 242;
user = "streamer";
group = "streamer";
port = 9292;
nixarr = config.nixarr; nixarr = config.nixarr;
in { in {
options.nixarr.audiobookshelf = { options.nixarr.audiobookshelf = {
@@ -43,7 +47,7 @@ in {
port = mkOption { port = mkOption {
type = types.port; type = types.port;
default = 9292; default = port;
example = 8000; example = 8000;
description = '' description = ''
Default port for Audiobookshelf. The default is 8000 in nixpkgs, Default port for Audiobookshelf. The default is 8000 in nixpkgs,
@@ -113,7 +117,9 @@ in {
}; };
}; };
config = mkIf (nixarr.enable && cfg.enable) { config = let
host = if cfg.vpn.enable then "192.168.15.1" else "127.0.0.1";
in mkIf (nixarr.enable && cfg.enable) {
assertions = [ assertions = [
{ {
assertion = cfg.vpn.enable -> nixarr.vpn.enable; assertion = cfg.vpn.enable -> nixarr.vpn.enable;
@@ -147,20 +153,21 @@ in {
]; ];
users = { users = {
groups.streamer = {}; groups."${group}" = {};
users.streamer = { users."${user}" = {
isSystemUser = true; isSystemUser = true;
group = "streamer"; group = group;
uid = uid;
}; };
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0700 streamer root - -" "d '${cfg.stateDir}' 0700 ${user} root - -"
# Media Dirs # Media Dirs
"d '${nixarr.mediaDir}/library/books' 0775 streamer media - -" "d '${nixarr.mediaDir}/library/books' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/audio-books' 0775 streamer media - -" "d '${nixarr.mediaDir}/library/audio-books' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/podcasts' 0775 streamer media - -" "d '${nixarr.mediaDir}/library/podcasts' 0775 ${user} ${group} - -"
]; ];
systemd.services.audiobookshelf = { systemd.services.audiobookshelf = {
@@ -172,11 +179,11 @@ in {
serviceConfig = { serviceConfig = {
IOSchedulingPriority = 0; IOSchedulingPriority = 0;
Type = "simple"; Type = "simple";
User = cfg.user; User = user;
Group = cfg.group; Group = group;
StateDirectory = cfg.dataDir; StateDirectory = cfg.stateDir;
WorkingDirectory = cfg.dataDir; WorkingDirectory = cfg.stateDir;
ExecStart = "${cfg.package}/bin/audiobookshelf --host ${cfg.host} --port ${toString cfg.port}"; ExecStart = "${cfg.package}/bin/audiobookshelf --host ${host} --port ${toString cfg.port}";
Restart = "on-failure"; Restart = "on-failure";
# Security # Security
@@ -195,17 +202,10 @@ in {
RemoveIPC = true; RemoveIPC = true;
PrivateMounts = true; PrivateMounts = true;
ProtectSystem = "strict"; ProtectSystem = "strict";
ReadWritePaths = [cfg.configDir]; ReadWritePaths = [cfg.stateDir];
}; };
}; };
users.users.audiobookshelf = {
isSystemUser = true;
group = cfg.group;
home = cfg.stateDir;
};
users.groups.audiobookshelf = { };
networking.firewall = mkIf cfg.expose.https.enable { networking.firewall = mkIf cfg.expose.https.enable {
allowedTCPPorts = [80 443]; allowedTCPPorts = [80 443];
}; };
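Review bot: The media library rules at the fourth hunk now give `${nixarr.mediaDir}/library/*` the group `streamer` (from `group = "streamer";` in the let block) where they were previously group `media`, and `d` tmpfiles lines adjust ownership of existing directories too; services that write into the library as group `media` (bazarr, lidarr and radarr in this same commit bind `group = "media"`) therefore lose group write on those `0775` directories. The jellyfin section repeats this with `group = "streamer"`, while the plex section sets `group = "media"` for the same `streamer` account and uid 242, so enabling audiobookshelf or jellyfin together with plex defines `users.users.streamer.group` twice with different values, which NixOS rejects as conflicting definitions, and the tmpfiles lines for the shared library directories then disagree on ownership. Keeping the library directories on group `media` (`"d '${nixarr.mediaDir}/library/books' 0775 ${user} media - -"`) and using one group for the shared account across the three modules would restore the previous access model.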
+12 -8
@@ -7,6 +7,8 @@
with lib; let with lib; let
cfg = config.nixarr.bazarr; cfg = config.nixarr.bazarr;
port = 6767; port = 6767;
user = "bazarr";
group = "media";
nixarr = config.nixarr; nixarr = config.nixarr;
in { in {
options.nixarr.bazarr = { options.nixarr.bazarr = {
@@ -78,7 +80,7 @@ in {
]; ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0700 bazarr root - -" "d '${cfg.stateDir}' 0700 ${user} root - -"
]; ];
systemd.services.bazarr = { systemd.services.bazarr = {
@@ -88,8 +90,8 @@ in {
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
User = "bazarr"; User = user;
Group = "media"; Group = group;
SyslogIdentifier = "bazarr"; SyslogIdentifier = "bazarr";
ExecStart = pkgs.writeShellScript "start-bazarr" '' ExecStart = pkgs.writeShellScript "start-bazarr" ''
${pkgs.bazarr}/bin/bazarr \ ${pkgs.bazarr}/bin/bazarr \
@@ -102,14 +104,16 @@ in {
}; };
networking.firewall = mkIf cfg.openFirewall { networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [cfg.listenPort]; allowedTCPPorts = [cfg.port];
}; };
users.users.bazarr = { users = {
isSystemUser = true; users."${user}" = {
group = "media"; isSystemUser = true;
group = group;
};
groups."${group}" = {};
}; };
users.groups.bazarr = {};
# Enable and specify VPN namespace to confine service in. # Enable and specify VPN namespace to confine service in.
systemd.services.bazarr.vpnConfinement = mkIf cfg.vpn.enable { systemd.services.bazarr.vpnConfinement = mkIf cfg.vpn.enable {
+15 -11
@@ -7,6 +7,9 @@
with lib; let with lib; let
cfg = config.nixarr.jellyfin; cfg = config.nixarr.jellyfin;
defaultPort = 8096; defaultPort = 8096;
uid = 242;
user = "streamer";
group = "streamer";
nixarr = config.nixarr; nixarr = config.nixarr;
in { in {
options.nixarr.jellyfin = { options.nixarr.jellyfin = {
@@ -138,22 +141,23 @@ in {
]; ];
users = { users = {
groups.streamer = {}; groups."${group}" = {};
users.streamer = { users."${user}" = {
isSystemUser = true; isSystemUser = true;
group = "streamer"; group = group;
uid = uid;
}; };
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0700 streamer root - -" "d '${cfg.stateDir}' 0700 ${user} root - -"
# Media Dirs # Media Dirs
"d '${nixarr.mediaDir}/library' 0775 streamer media - -" "d '${nixarr.mediaDir}/library' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -" "d '${nixarr.mediaDir}/library/shows' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -" "d '${nixarr.mediaDir}/library/movies' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/music' 0775 streamer media - -" "d '${nixarr.mediaDir}/library/music' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/books' 0775 streamer media - -" "d '${nixarr.mediaDir}/library/books' 0775 ${user} ${group} - -"
]; ];
# Always prioritise Jellyfin IO # Always prioritise Jellyfin IO
@@ -162,8 +166,8 @@ in {
services.jellyfin = { services.jellyfin = {
enable = cfg.enable; enable = cfg.enable;
package = cfg.package; package = cfg.package;
user = "streamer"; user = user;
group = "media"; group = group;
openFirewall = cfg.openFirewall; openFirewall = cfg.openFirewall;
logDir = "${cfg.stateDir}/log"; logDir = "${cfg.stateDir}/log";
cacheDir = "${cfg.stateDir}/cache"; cacheDir = "${cfg.stateDir}/cache";
+9 -9
@@ -8,6 +8,9 @@ with lib; let
cfg = config.nixarr.jellyseerr; cfg = config.nixarr.jellyseerr;
nixarr = config.nixarr; nixarr = config.nixarr;
port = 5055; port = 5055;
uid = 294;
user = "jellyseerr";
group = "jellyseerr";
in { in {
options.nixarr.jellyseerr = { options.nixarr.jellyseerr = {
enable = mkOption { enable = mkOption {
@@ -184,16 +187,13 @@ in {
}; };
}; };
users.users = mkIf (cfg.user == "jellyseerr") { users = {
jellyseerr = { users."${user}" = {
group = cfg.group; isSystemUser = true;
home = cfg.configDir; group = group;
uid = 294; uid = uid;
}; };
}; groups."${group}" = {};
users.groups = mkIf (cfg.group == "jellyseerr") {
jellyseerr = {};
}; };
networking.firewall = mkIf cfg.expose.https.enable { networking.firewall = mkIf cfg.expose.https.enable {
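Review bot: The `mkIf (cfg.user == "jellyseerr")` and `mkIf (cfg.group == "jellyseerr")` guards are dropped at the second hunk, so the `jellyseerr` account and group are now created unconditionally, while the unit's `User`/`Group` lines are outside this hunk and cannot be checked here. If the module still declares `user`/`group` options (the options block at the first hunk is cut), a configured value would now be silently ignored for account creation; either remove those options or add an assertion such as `{ assertion = cfg.user == user; message = "nixarr.jellyseerr.user is fixed to ${user}"; }` so the account the unit runs as cannot diverge from the one created. `home = cfg.configDir;` was also dropped without replacement, which presumably leaves the account on the NixOS default home of `/var/empty`; fine only if the service never needs a writable `$HOME`.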
+4 -2
@@ -8,6 +8,8 @@ with lib; let
cfg = config.nixarr.lidarr; cfg = config.nixarr.lidarr;
nixarr = config.nixarr; nixarr = config.nixarr;
port = 8686; port = 8686;
user = "lidarr";
group = "media";
in { in {
options.nixarr.lidarr = { options.nixarr.lidarr = {
enable = mkOption { enable = mkOption {
@@ -80,8 +82,8 @@ in {
services.lidarr = { services.lidarr = {
enable = cfg.enable; enable = cfg.enable;
package = cfg.package; package = cfg.package;
user = "lidarr"; user = user;
group = "media"; group = group;
settings.server.port = cfg.port; settings.server.port = cfg.port;
openFirewall = cfg.openFirewall; openFirewall = cfg.openFirewall;
dataDir = cfg.stateDir; dataDir = cfg.stateDir;
+15 -11
@@ -7,6 +7,9 @@
with lib; let with lib; let
cfg = config.nixarr.plex; cfg = config.nixarr.plex;
defaultPort = 32400; defaultPort = 32400;
uid = 242;
user = "streamer";
group = "media";
nixarr = config.nixarr; nixarr = config.nixarr;
in { in {
options.nixarr.plex = { options.nixarr.plex = {
@@ -138,22 +141,23 @@ in {
]; ];
users = { users = {
groups.streamer = {}; groups."${group}" = {};
users.streamer = { users."${user}" = {
isSystemUser = true; isSystemUser = true;
group = "streamer"; group = group;
uid = uid;
}; };
}; };
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0700 streamer root - -" "d '${cfg.stateDir}' 0700 ${user} root - -"
# Media Dirs # Media Dirs
"d '${nixarr.mediaDir}/library' 0775 streamer media - -" "d '${nixarr.mediaDir}/library' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -" "d '${nixarr.mediaDir}/library/shows' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -" "d '${nixarr.mediaDir}/library/movies' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/music' 0775 streamer media - -" "d '${nixarr.mediaDir}/library/music' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/books' 0775 streamer media - -" "d '${nixarr.mediaDir}/library/books' 0775 ${user} ${group} - -"
]; ];
# Always prioritise Plex IO # Always prioritise Plex IO
@@ -162,8 +166,8 @@ in {
services.plex = { services.plex = {
enable = cfg.enable; enable = cfg.enable;
package = cfg.package; package = cfg.package;
user = "streamer"; user = user;
group = "media"; group = group;
openFirewall = cfg.openFirewall; openFirewall = cfg.openFirewall;
dataDir = cfg.stateDir; dataDir = cfg.stateDir;
}; };
+13 -11
@@ -8,6 +8,8 @@ with lib; let
cfg = config.nixarr.prowlarr; cfg = config.nixarr.prowlarr;
nixarr = config.nixarr; nixarr = config.nixarr;
uid = 293; uid = 293;
user = "prowlarr";
group = "prowlarr";
port = 9696; port = 9696;
in { in {
options.nixarr.prowlarr = { options.nixarr.prowlarr = {
@@ -81,21 +83,19 @@ in {
]; ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -" "d '${cfg.stateDir}' 0700 ${user} ${group} - -"
]; ];
systemd.services.prowlarr = { systemd.services.prowlarr = {
description = "prowlarr"; description = "prowlarr";
after = ["network.target"]; after = ["network.target"];
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
environment = { environment.PROWLARR__SERVER__PORT = builtins.toString cfg.port;
PROWLARR__SERVER__PORT = cfg.port;
};
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
User = cfg.user; User = user;
Group = cfg.group; Group = group;
ExecStart = "${lib.getExe cfg.package} -nobrowser -data=${cfg.stateDir}"; ExecStart = "${lib.getExe cfg.package} -nobrowser -data=${cfg.stateDir}";
Restart = "on-failure"; Restart = "on-failure";
}; };
@@ -105,12 +105,14 @@ in {
allowedTCPPorts = [cfg.port]; allowedTCPPorts = [cfg.port];
}; };
users.users.prowlarr = { users = {
group = "prowlarr"; groups."${group}" = {};
home = cfg.stateDir; users."${user}" = {
uid = uid; group = "prowlarr";
home = cfg.stateDir;
uid = uid;
};
}; };
users.groups.prowlarr = {};
# Enable and specify VPN namespace to confine service in. # Enable and specify VPN namespace to confine service in.
systemd.services.prowlarr.vpnConfinement = mkIf cfg.vpn.enable { systemd.services.prowlarr.vpnConfinement = mkIf cfg.vpn.enable {
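Review bot: In the second hunk the user definition keeps the literal `group = "prowlarr";` while the sibling line `groups."${group}" = {};` and the new let binding `group = "prowlarr";` from the first hunk exist precisely to avoid such literals; change it to `group = group;` as the readarr-audiobook section does, so the account's primary group cannot drift from the group that is declared and used for `cfg.stateDir`. The same `users."${user}"` definition carries no `isSystemUser = true;`, unlike the bazarr and jellyseerr sections; unless it is set elsewhere in the file, NixOS requires exactly one of `isSystemUser`/`isNormalUser` for every account, so adding it here keeps the four modules consistent.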
+2
@@ -7,6 +7,8 @@
with lib; let with lib; let
cfg = config.nixarr.radarr; cfg = config.nixarr.radarr;
port = 7878; port = 7878;
user = "radarr";
group = "media";
nixarr = config.nixarr; nixarr = config.nixarr;
in { in {
options.nixarr.radarr = { options.nixarr.radarr = {
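Review bot: The two added let bindings `user = "radarr";` and `group = "media";` are the only change to this file (+2, no deletions), so nothing in it references them yet and the literals they were meant to replace remain wherever `services.radarr` and any tmpfiles rules are defined, outside this hunk. Either wire them in as the lidarr section does (`user = user;` / `group = group;`) or drop them; an unused binding here is easy to mistake for the effective user and group when auditing which account the service runs as.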
+9 -9
@@ -8,6 +8,8 @@ with lib; let
cfg = config.nixarr.readarr-audiobook; cfg = config.nixarr.readarr-audiobook;
nixarr = config.nixarr; nixarr = config.nixarr;
uid = 269; uid = 269;
user = "readarr";
group = "readarr";
port = 9494; port = 9494;
in { in {
options.nixarr.readarr-audiobook = { options.nixarr.readarr-audiobook = {
@@ -81,21 +83,19 @@ in {
]; ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -" "d '${cfg.stateDir}' 0700 ${user} ${group} - -"
]; ];
systemd.services.readarr-audiobook = { systemd.services.readarr-audiobook = {
description = "Readarr-Audiobook"; description = "Readarr-Audiobook";
after = ["network.target"]; after = ["network.target"];
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
environment = { environment.READARR__SERVER__PORT = builtins.toString cfg.port;
READARR__SERVER__PORT = cfg.port;
};
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
User = cfg.user; User = user;
Group = cfg.group; Group = group;
ExecStart = "${lib.getExe cfg.package} -nobrowser -data=${cfg.stateDir}"; ExecStart = "${lib.getExe cfg.package} -nobrowser -data=${cfg.stateDir}";
Restart = "on-failure"; Restart = "on-failure";
}; };
@@ -105,12 +105,12 @@ in {
allowedTCPPorts = [cfg.port]; allowedTCPPorts = [cfg.port];
}; };
users.users.readarr-audiobook = { users.users."${user}" = {
group = "readarr-audiobook"; group = group;
home = cfg.stateDir; home = cfg.stateDir;
uid = uid; uid = uid;
}; };
users.groups.readarr-audiobook = {}; users.groups."${group}" = {};
# Enable and specify VPN namespace to confine service in. # Enable and specify VPN namespace to confine service in.
systemd.services.readarr-audiobook.vpnConfinement = mkIf cfg.vpn.enable { systemd.services.readarr-audiobook.vpnConfinement = mkIf cfg.vpn.enable {
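Review bot: The first hunk binds `user = "readarr"; group = "readarr";` next to `uid = 269;`, and the third hunk now defines `users.users."${user}"` with that uid, while the readarr section of this same commit defines `users.users.readarr` with `uid = 250`; enabling both modules defines `users.users.readarr.uid` twice with different values, which NixOS rejects as conflicting definitions. Before this change readarr-audiobook ran under its own `readarr-audiobook` account, so the two services had separate identities; with one shared account, `cfg.stateDir` (`0700 ${user} ${group}` at the second hunk) of either service is readable and writable by the other, and a compromise of one reaches the other's configuration and, presumably, its API credentials. Keeping a distinct account (`user = "readarr-audiobook"; group = "readarr-audiobook";`) preserves the previous isolation and removes the uid clash. The readarr section's last hunk is cut at the end of the page, so that side is not reviewed here.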
+7 -7
@@ -8,6 +8,8 @@ with lib; let
cfg = config.nixarr.readarr; cfg = config.nixarr.readarr;
nixarr = config.nixarr; nixarr = config.nixarr;
uid = 250; uid = 250;
user = "readarr";
group = "readarr";
port = 8787; port = 8787;
in { in {
options.nixarr.readarr = { options.nixarr.readarr = {
@@ -79,21 +81,19 @@ in {
]; ];
systemd.tmpfiles.rules = [ systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -" "d '${cfg.stateDir}' 0700 ${user} ${group} - -"
]; ];
systemd.services.readarr = { systemd.services.readarr = {
description = "Readarr"; description = "Readarr";
after = ["network.target"]; after = ["network.target"];
wantedBy = ["multi-user.target"]; wantedBy = ["multi-user.target"];
environment = { environment.READARR__SERVER__PORT = builtins.toString cfg.port;
READARR__SERVER__PORT = cfg.port;
};
serviceConfig = { serviceConfig = {
Type = "simple"; Type = "simple";
User = cfg.user; User = user;
Group = cfg.group; Group = group;
ExecStart = "${lib.getExe cfg.package} -nobrowser -data=${cfg.stateDir}"; ExecStart = "${lib.getExe cfg.package} -nobrowser -data=${cfg.stateDir}";
Restart = "on-failure"; Restart = "on-failure";
}; };
@@ -104,7 +104,7 @@ in {
}; };
users.users.readarr = { users.users.readarr = {
group = "readarr"; group = group;
home = cfg.stateDir; home = cfg.stateDir;
uid = uid; uid = uid;
}; };