Merge branch 'main' into dev

CHANGELOG.md

@@ -1,5 +1,14 @@
 # Changelog
 
+## 2025-01-18
+
+Added:
+- Jellyseer service
+- Sonarr default package, pinned to older working sonarr package
+
+Removed:
+- Jellyfin expose VPN options
+
 ## 2024-09-19
 
 Added:

flake.lock

@@ -16,9 +16,26 @@
         "type": "github"
       }
     },
+    "nixpkgs-sonarr": {
+      "locked": {
+        "lastModified": 1732219096,
+        "narHash": "sha256-gbvtOPW7K7v4EFo7Feo5s+SI7FMVrCOA5CgnuMhWO/Y=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "328abff1f7a707dc8da8e802f724f025521793ea",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "328abff1f7a707dc8da8e802f724f025521793ea",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "nixpkgs": "nixpkgs",
+        "nixpkgs-sonarr": "nixpkgs-sonarr",
         "vpnconfinement": "vpnconfinement"
       }
     },

nixarr/jellyfin/default.nix

@@ -219,10 +219,7 @@ in
               locations."/" = {
                 recommendedProxySettings = true;
                 proxyWebsockets = true;
-                proxyPass = if cfg.expose.vpn.enable then
-                  "http://192.168.15.1:${builtins.toString cfg.expose.vpn.port}"
-                else
-                  "http://192.168.15.1:${builtins.toString defaultPort}";
+                proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
               };
             };
           })

nixarr/jellyseerr/jellyseerr-module/default.nix

@@ -1,3 +1,4 @@
+# TODO: Add expose options for this module
 {
   config,
   pkgs,
@@ -67,6 +68,22 @@ in {
         Group = cfg.group;
         ExecStart = lib.getExe cfg.package;
         Restart = "on-failure";
+        # TODO: These are from nixpkgs, add them back if we add expose options
+        # ProtectHome = true;
+        # ProtectSystem = "strict";
+        # PrivateTmp = true;
+        # PrivateDevices = true;
+        # ProtectHostname = true;
+        # ProtectClock = true;
+        # ProtectKernelTunables = true;
+        # ProtectKernelModules = true;
+        # ProtectKernelLogs = true;
+        # ProtectControlGroups = true;
+        # NoNewPrivileges = true;
+        # RestrictRealtime = true;
+        # RestrictSUIDSGID = true;
+        # RemoveIPC = true;
+        # PrivateMounts = true;
       };
     };