From 5b0c66d956552881e61c563efc78045231041dbc Mon Sep 17 00:00:00 2001
From: rasmus-kirk
Date: Wed, 29 Oct 2025 10:01:09 +0100
Subject: [PATCH] Added stash
---
 nixarr/stash/default.nix | 138 ++++++++++++++++++++++++++++++++++++
 nixarr/whisparr/default.nix | 17 +++-
 util/globals/default.nix | 7 ++
 3 files changed, 157 insertions(+), 5 deletions(-)
 create mode 100644 nixarr/stash/default.nix
diff --git a/nixarr/stash/default.nix b/nixarr/stash/default.nix
new file mode 100644
index 0000000..cedbf41
--- /dev/null
+++ b/nixarr/stash/default.nix
@@ -0,0 +1,138 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.nixarr.stash; + globals = config.util-nixarr.globals; + nixarr = config.nixarr; + defaultPort = 9999; +in { + options.nixarr.stash = { + enable = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + Whether or not to enable the stash service. + ''; + }; + + package = mkPackageOption pkgs "stash" {}; + + stateDir = mkOption { + type = types.path; + default = "${nixarr.stateDir}/stash"; + defaultText = literalExpression ''"''${nixarr.stateDir}/stash"''; + example = "/nixarr/.state/stash"; + description = '' + The location of the state directory for the stash service. + + > **Warning:** Setting this to any path, where the subpath is not + > owned by root, will fail! For example: + > + > ```nix + > stateDir = /home/user/nixarr/.state/stash + > ``` + > + > Is not supported, because `/home/user` is owned by `user`. + ''; + }; + + openFirewall = mkOption { + type = types.bool; + defaultText = literalExpression ''!nixarr.stash.vpn.enable''; + default = !cfg.vpn.enable; + example = true; + description = "Open firewall for stash"; + }; + + port = mkOption { + type = types.port; + default = defaultPort; + description = "Port for Stash to use."; + }; + + vpn.enable = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + **Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable) + + Route stash traffic through the VPN. + ''; + }; + }; + + config = mkIf (nixarr.enable && cfg.enable) { + assertions = [ + { + assertion = cfg.vpn.enable -> nixarr.vpn.enable; + message = '' + The nixarr.stash.vpn.enable option requires the + nixarr.vpn.enable option to be set, but it was not. 
+ ''; + } + ]; + + users = { + groups.${globals.stash.group}.gid = globals.gids.${globals.stash.group}; + users.${globals.stash.user} = { + isSystemUser = true; + group = globals.stash.group; + uid = globals.uids.${globals.stash.user}; + }; + }; + + services.stash = { + enable = cfg.enable; + settings.port = cfg.port; + package = cfg.package; + user = globals.stash.user; + group = globals.stash.group; + openFirewall = cfg.openFirewall; + dataDir = cfg.stateDir; + }; + + # Enable and specify VPN namespace to confine service in. + systemd.services.stash.vpnConfinement = mkIf cfg.vpn.enable { + enable = true; + vpnNamespace = "wg"; + }; + + # Port mappings + vpnNamespaces.wg = mkIf cfg.vpn.enable { + portMappings = [ + { + from = cfg.port; + to = cfg.port; + } + ]; + }; + + services.nginx = mkIf cfg.vpn.enable { + enable = true; + + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + + virtualHosts."127.0.0.1:${builtins.toString cfg.port}" = { + listen = [ + { + addr = "0.0.0.0"; + port = cfg.port; + } + ]; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://192.168.15.1:${builtins.toString cfg.port}"; + }; + }; + }; + }; +} diff --git a/nixarr/whisparr/default.nix b/nixarr/whisparr/default.nix index de116f7..2ecc76b 100644 --- a/nixarr/whisparr/default.nix +++ b/nixarr/whisparr/default.nix @@ -49,6 +49,12 @@ in { description = "Open firewall for whisparr"; }; + port = mkOption { + type = types.port; + default = defaultPort; + description = "Port for Whisparr to use."; + }; + vpn.enable = mkOption { type = types.bool; default = false; @@ -91,6 +97,7 @@ in { package = cfg.package; user = globals.whisparr.user; group = globals.whisparr.group; + settings.server.port = cfg.port; openFirewall = cfg.openFirewall; dataDir = cfg.stateDir; }; 
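Review bot: The `services.stash` block in the new module only forwards port, package, user/group, firewall and dataDir; as far as I recall, the upstream nixpkgs stash module also expects its credential and secret options (an admin username/password file plus JWT and session-store key files), and this hunk neither sets them nor exposes them under `nixarr.stash`, so evaluation may fail or the instance may come up without a login — please confirm against the upstream module and, if so, add `nixarr.stash` options that forward them. Separately, the nginx vhost created under `cfg.vpn.enable` listens on `0.0.0.0` over plain HTTP (the `recommendedTlsSettings = true` line has no certificate to act on), and since that listener is the LAN's path into the VPN namespace, a comment such as `# Plain-HTTP LAN listener forwarding into the VPN namespace; access control is stash's own authentication.` would make the trust boundary explicit for the next reader. The same listener pattern already exists in the whisparr module, so this is consistent with the repo rather than new to this patch.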
@@ -105,8 +112,8 @@ in { vpnNamespaces.wg = mkIf cfg.vpn.enable { portMappings = [ { - from = defaultPort; - to = defaultPort; + from = cfg.portcfg.port + to = cfg.port; } ]; }; @@ -118,17 +125,17 @@ in { recommendedOptimisation = true; recommendedGzipSettings = true; - virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = { + virtualHosts."127.0.0.1:${builtins.toString cfg.port}" = { listen = [ { addr = "0.0.0.0"; - port = defaultPort; + port = cfg.port; } ]; locations."/" = { recommendedProxySettings = true; proxyWebsockets = true; - proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}"; + proxyPass = "http://192.168.15.1:${builtins.toString cfg.port}"; }; }; }; diff --git a/util/globals/default.nix b/util/globals/default.nix index 628e27b..53320b5 100644 --- a/util/globals/default.nix +++ b/util/globals/default.nix @@ -1,3 +1,4 @@ +# See https://github.com/NixOS/nixpkgs/blob/master/nixos/modules/misc/ids.nix # TODO: Dir creation and file permissions in nix { pkgs, @@ -37,6 +38,7 @@ in { transmission = 70; cross-seed = 183; whisparr = 272; + stash = 69; }; gids = { autobrr = 188; @@ -45,6 +47,7 @@ in { media = 169; prowlarr = 287; recyclarr = 269; + stash = 69; }; audiobookshelf = { @@ -119,5 +122,9 @@ in { user = "whisparr"; group = globals.libraryOwner.group; }; + stash = { + user = "stash"; + group = globals.libraryOwner.group; + }; }; }
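Review bot: `from = cfg.portcfg.port` in the whisparr portMappings hunk is not valid Nix — the line has no terminating `;` and no `portcfg` option is visible anywhere on the page — so the module will fail to evaluate whenever `nixarr.whisparr.vpn.enable` is set; it reads as a paste error for `from = cfg.port;`. It is the only line in the patch that is not a straight `defaultPort` → `cfg.port` substitution, and the stash module's equivalent `portMappings` block shows the intended form. The enclosing `vpnNamespaces.wg` attribute set begins inside the hunk, but the surrounding `config` block continues outside it.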
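Review bot: Both `uids.stash = 69` and `gids.stash = 69` in the globals hunks reserve a low fixed id, and the comment this patch adds at the top of the same file points at nixpkgs' `ids.nix` as the reference list — whether 69 is free there, and distinct from the other ids this file already assigns, should be confirmed before merging, since an id collision silently shares file ownership between two services. The `gids.stash` entry also looks unused: the new stash module sets `globals.stash.group = globals.libraryOwner.group`, so `users.groups.${globals.stash.group}.gid` resolves through `gids.${globals.libraryOwner.group}` rather than `gids.stash` (unless `libraryOwner.group` is itself `"stash"`, which the page does not show). If that holds, either drop the gid line or annotate it with `# gid unused: stash runs as the libraryOwner group` so the table stays honest. Each of these globals hunks is only a few lines, so the enclosing attribute sets start and end outside them.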