fujin/nixarr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix

Browse Source
This commit is contained in:
rasmus-kirk
2025-05-31 21:07:02 +02:00
parent f7a29ea3f8
commit 58dd1ee446
10 changed files with 108 additions and 90 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nixarr/audiobookshelf/default.nix
+22 -22
View File
@@ -6,6 +6,10 @@
}:
with lib; let
cfg = config.nixarr.audiobookshelf;
uid = 242;
user = "streamer";
group = "streamer";
port = 9292;
nixarr = config.nixarr;
in {
options.nixarr.audiobookshelf = {
@@ -43,7 +47,7 @@ in {
port = mkOption {
type = types.port;
default = 9292;
default = port;
example = 8000;
description = ''
Default port for Audiobookshelf. The default is 8000 in nixpkgs,
@@ -113,7 +117,9 @@ in {
};
};
config = mkIf (nixarr.enable && cfg.enable) {
config = let
host = if cfg.vpn.enable then "192.168.15.1" else "127.0.0.1";
in mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
@@ -147,20 +153,21 @@ in {
];
users = {
groups.streamer = {};
users.streamer = {
groups."${group}" = {};
users."${user}" = {
isSystemUser = true;
group = "streamer";
group = group;
uid = uid;
};
};
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0700 streamer root - -"
"d '${cfg.stateDir}' 0700 ${user} root - -"
# Media Dirs
"d '${nixarr.mediaDir}/library/books' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/audio-books' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/podcasts' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/books' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/audio-books' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/podcasts' 0775 ${user} ${group} - -"
];
systemd.services.audiobookshelf = {
@@ -172,11 +179,11 @@ in {
serviceConfig = {
IOSchedulingPriority = 0;
Type = "simple";
User = cfg.user;
Group = cfg.group;
StateDirectory = cfg.dataDir;
WorkingDirectory = cfg.dataDir;
ExecStart = "${cfg.package}/bin/audiobookshelf --host ${cfg.host} --port ${toString cfg.port}";
User = user;
Group = group;
StateDirectory = cfg.stateDir;
WorkingDirectory = cfg.stateDir;
ExecStart = "${cfg.package}/bin/audiobookshelf --host ${host} --port ${toString cfg.port}";
Restart = "on-failure";
# Security
@@ -195,17 +202,10 @@ in {
RemoveIPC = true;
PrivateMounts = true;
ProtectSystem = "strict";
ReadWritePaths = [cfg.configDir];
ReadWritePaths = [cfg.stateDir];
};
};
users.users.audiobookshelf = {
isSystemUser = true;
group = cfg.group;
home = cfg.stateDir;
};
users.groups.audiobookshelf = { };
networking.firewall = mkIf cfg.expose.https.enable {
allowedTCPPorts = [80 443];
};
nixarr/bazarr/default.nix
+12 -8
View File
@@ -7,6 +7,8 @@
with lib; let
cfg = config.nixarr.bazarr;
port = 6767;
user = "bazarr";
group = "media";
nixarr = config.nixarr;
in {
options.nixarr.bazarr = {
@@ -78,7 +80,7 @@ in {
];
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0700 bazarr root - -"
"d '${cfg.stateDir}' 0700 ${user} root - -"
];
systemd.services.bazarr = {
@@ -88,8 +90,8 @@ in {
serviceConfig = {
Type = "simple";
User = "bazarr";
Group = "media";
User = user;
Group = group;
SyslogIdentifier = "bazarr";
ExecStart = pkgs.writeShellScript "start-bazarr" ''
${pkgs.bazarr}/bin/bazarr \
@@ -102,14 +104,16 @@ in {
};
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [cfg.listenPort];
allowedTCPPorts = [cfg.port];
};
users.users.bazarr = {
isSystemUser = true;
group = "media";
users = {
users."${user}" = {
isSystemUser = true;
group = group;
};
groups."${group}" = {};
};
users.groups.bazarr = {};
# Enable and specify VPN namespace to confine service in.
systemd.services.bazarr.vpnConfinement = mkIf cfg.vpn.enable {
nixarr/jellyfin/default.nix
+15 -11
View File
@@ -7,6 +7,9 @@
with lib; let
cfg = config.nixarr.jellyfin;
defaultPort = 8096;
uid = 242;
user = "streamer";
group = "streamer";
nixarr = config.nixarr;
in {
options.nixarr.jellyfin = {
@@ -138,22 +141,23 @@ in {
];
users = {
groups.streamer = {};
users.streamer = {
groups."${group}" = {};
users."${user}" = {
isSystemUser = true;
group = "streamer";
group = group;
uid = uid;
};
};
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0700 streamer root - -"
"d '${cfg.stateDir}' 0700 ${user} root - -"
# Media Dirs
"d '${nixarr.mediaDir}/library' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/music' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/books' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/shows' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/movies' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/music' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/books' 0775 ${user} ${group} - -"
];
# Always prioritise Jellyfin IO
@@ -162,8 +166,8 @@ in {
services.jellyfin = {
enable = cfg.enable;
package = cfg.package;
user = "streamer";
group = "media";
user = user;
group = group;
openFirewall = cfg.openFirewall;
logDir = "${cfg.stateDir}/log";
cacheDir = "${cfg.stateDir}/cache";
nixarr/jellyseerr/default.nix
+9 -9
View File
@@ -8,6 +8,9 @@ with lib; let
cfg = config.nixarr.jellyseerr;
nixarr = config.nixarr;
port = 5055;
uid = 294;
user = "jellyseerr";
group = "jellyseerr";
in {
options.nixarr.jellyseerr = {
enable = mkOption {
@@ -184,16 +187,13 @@ in {
};
};
users.users = mkIf (cfg.user == "jellyseerr") {
jellyseerr = {
group = cfg.group;
home = cfg.configDir;
uid = 294;
users = {
users."${user}" = {
isSystemUser = true;
group = group;
uid = uid;
};
};
users.groups = mkIf (cfg.group == "jellyseerr") {
jellyseerr = {};
groups."${group}" = {};
};
networking.firewall = mkIf cfg.expose.https.enable {
nixarr/lidarr/default.nix
+4 -2
View File
@@ -8,6 +8,8 @@ with lib; let
cfg = config.nixarr.lidarr;
nixarr = config.nixarr;
port = 8686;
user = "lidarr";
group = "media";
in {
options.nixarr.lidarr = {
enable = mkOption {
@@ -80,8 +82,8 @@ in {
services.lidarr = {
enable = cfg.enable;
package = cfg.package;
user = "lidarr";
group = "media";
user = user;
group = group;
settings.server.port = cfg.port;
openFirewall = cfg.openFirewall;
dataDir = cfg.stateDir;
nixarr/plex/default.nix
+15 -11
View File
@@ -7,6 +7,9 @@
with lib; let
cfg = config.nixarr.plex;
defaultPort = 32400;
uid = 242;
user = "streamer";
group = "media";
nixarr = config.nixarr;
in {
options.nixarr.plex = {
@@ -138,22 +141,23 @@ in {
];
users = {
groups.streamer = {};
users.streamer = {
groups."${group}" = {};
users."${user}" = {
isSystemUser = true;
group = "streamer";
group = group;
uid = uid;
};
};
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0700 streamer root - -"
"d '${cfg.stateDir}' 0700 ${user} root - -"
# Media Dirs
"d '${nixarr.mediaDir}/library' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/shows' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/movies' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/music' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library/books' 0775 streamer media - -"
"d '${nixarr.mediaDir}/library' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/shows' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/movies' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/music' 0775 ${user} ${group} - -"
"d '${nixarr.mediaDir}/library/books' 0775 ${user} ${group} - -"
];
# Always prioritise Plex IO
@@ -162,8 +166,8 @@ in {
services.plex = {
enable = cfg.enable;
package = cfg.package;
user = "streamer";
group = "media";
user = user;
group = group;
openFirewall = cfg.openFirewall;
dataDir = cfg.stateDir;
};
nixarr/prowlarr/default.nix
+13 -11
View File
@@ -8,6 +8,8 @@ with lib; let
cfg = config.nixarr.prowlarr;
nixarr = config.nixarr;
uid = 293;
user = "prowlarr";
group = "prowlarr";
port = 9696;
in {
options.nixarr.prowlarr = {
@@ -81,21 +83,19 @@ in {
];
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
"d '${cfg.stateDir}' 0700 ${user} ${group} - -"
];
systemd.services.prowlarr = {
description = "prowlarr";
after = ["network.target"];
wantedBy = ["multi-user.target"];
environment = {
PROWLARR__SERVER__PORT = cfg.port;
};
environment.PROWLARR__SERVER__PORT = builtins.toString cfg.port;
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
User = user;
Group = group;
ExecStart = "${lib.getExe cfg.package} -nobrowser -data=${cfg.stateDir}";
Restart = "on-failure";
};
@@ -105,12 +105,14 @@ in {
allowedTCPPorts = [cfg.port];
};
users.users.prowlarr = {
group = "prowlarr";
home = cfg.stateDir;
uid = uid;
users = {
groups."${group}" = {};
users."${user}" = {
group = "prowlarr";
home = cfg.stateDir;
uid = uid;
};
};
users.groups.prowlarr = {};
# Enable and specify VPN namespace to confine service in.
systemd.services.prowlarr.vpnConfinement = mkIf cfg.vpn.enable {
nixarr/radarr/default.nix
+2
View File
@@ -7,6 +7,8 @@
with lib; let
cfg = config.nixarr.radarr;
port = 7878;
user = "radarr";
group = "media";
nixarr = config.nixarr;
in {
options.nixarr.radarr = {
nixarr/readarr-audiobook/default.nix
+9 -9
View File
@@ -8,6 +8,8 @@ with lib; let
cfg = config.nixarr.readarr-audiobook;
nixarr = config.nixarr;
uid = 269;
user = "readarr";
group = "readarr";
port = 9494;
in {
options.nixarr.readarr-audiobook = {
@@ -81,21 +83,19 @@ in {
];
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
"d '${cfg.stateDir}' 0700 ${user} ${group} - -"
];
systemd.services.readarr-audiobook = {
description = "Readarr-Audiobook";
after = ["network.target"];
wantedBy = ["multi-user.target"];
environment = {
READARR__SERVER__PORT = cfg.port;
};
environment.READARR__SERVER__PORT = builtins.toString cfg.port;
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
User = user;
Group = group;
ExecStart = "${lib.getExe cfg.package} -nobrowser -data=${cfg.stateDir}";
Restart = "on-failure";
};
@@ -105,12 +105,12 @@ in {
allowedTCPPorts = [cfg.port];
};
users.users.readarr-audiobook = {
group = "readarr-audiobook";
users.users."${user}" = {
group = group;
home = cfg.stateDir;
uid = uid;
};
users.groups.readarr-audiobook = {};
users.groups."${group}" = {};
# Enable and specify VPN namespace to confine service in.
systemd.services.readarr-audiobook.vpnConfinement = mkIf cfg.vpn.enable {
nixarr/readarr/default.nix
+7 -7
View File
@@ -8,6 +8,8 @@ with lib; let
cfg = config.nixarr.readarr;
nixarr = config.nixarr;
uid = 250;
user = "readarr";
group = "readarr";
port = 8787;
in {
options.nixarr.readarr = {
@@ -79,21 +81,19 @@ in {
];
systemd.tmpfiles.rules = [
"d '${cfg.dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
"d '${cfg.stateDir}' 0700 ${user} ${group} - -"
];
systemd.services.readarr = {
description = "Readarr";
after = ["network.target"];
wantedBy = ["multi-user.target"];
environment = {
READARR__SERVER__PORT = cfg.port;
};
environment.READARR__SERVER__PORT = builtins.toString cfg.port;
serviceConfig = {
Type = "simple";
User = cfg.user;
Group = cfg.group;
User = user;
Group = group;
ExecStart = "${lib.getExe cfg.package} -nobrowser -data=${cfg.stateDir}";
Restart = "on-failure";
};
@@ -104,7 +104,7 @@ in {
};
users.users.readarr = {
group = "readarr";
group = group;
home = cfg.stateDir;
uid = uid;
};