From 422870af3ff7a26fcaec77cd6c71c440e46318e3 Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sat, 4 Jan 2025 16:42:04 -0600 Subject: [PATCH 01/22] try to add jellyseerr --- docs/wiki/examples/example-1/index.md | 2 +- docs/wiki/examples/example-2/index.md | 1 + nixarr/default.nix | 6 ++ nixarr/jellyseerr/default.nix | 128 ++++++++++++++++++++++++++ 4 files changed, 136 insertions(+), 1 deletion(-) create mode 100644 nixarr/jellyseerr/default.nix diff --git a/docs/wiki/examples/example-1/index.md b/docs/wiki/examples/example-1/index.md index 97f9ac5..50ee5a3 100644 --- a/docs/wiki/examples/example-1/index.md +++ b/docs/wiki/examples/example-1/index.md @@ -49,6 +49,6 @@ This example does the following: radarr.enable = true; readarr.enable = true; sonarr.enable = true; + jellyseerr.enable = true; }; ``` - diff --git a/docs/wiki/examples/example-2/index.md b/docs/wiki/examples/example-2/index.md index 49e44f9..d1ebeba 100644 --- a/docs/wiki/examples/example-2/index.md +++ b/docs/wiki/examples/example-2/index.md @@ -51,6 +51,7 @@ example does the following: prowlarr.enable = true; readarr.enable = true; lidarr.enable = true; + jellyseerr.enable = true; }; # The `openssh.vpn.enable` option does not enable openssh, so we do that here: diff --git a/nixarr/default.nix b/nixarr/default.nix index 7d1d20a..6123b5a 100644 --- a/nixarr/default.nix +++ b/nixarr/default.nix 
@@ -49,6 +49,10 @@ with lib; let chown -R cross-seed:root "${cfg.transmission.privateTrackers.cross-seed.stateDir}" find "${cfg.transmission.privateTrackers.cross-seed.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) '' + + strings.optionalString cfg.jellyseer.enable '' + chown -R jellyseer:root "${cfg.jellyseer.stateDir}" + find "${cfg.jellyseer.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + '' + strings.optionalString cfg.prowlarr.enable '' chown -R prowlarr:root "${cfg.prowlarr.stateDir}" find "${cfg.prowlarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) @@ -77,6 +81,7 @@ with lib; let in { imports = [ ./jellyfin + ./jellyseer ./bazarr ./ddns ./radarr @@ -115,6 +120,7 @@ in { The following services are supported: - [Jellyfin](#nixarr.jellyfin.enable) + - [Jellyseer](#nixarr.Jellyseer.enable) - [Bazarr](#nixarr.bazarr.enable) - [Lidarr](#nixarr.lidarr.enable) - [Prowlarr](#nixarr.prowlarr.enable) diff --git a/nixarr/jellyseerr/default.nix b/nixarr/jellyseerr/default.nix new file mode 100644 index 0000000..fbe57f1 --- /dev/null +++ b/nixarr/jellyseerr/default.nix 
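Review bot: The `find … -exec chmod 0600 {} +` line added in the first hunk passes every non-directory entry to chmod as an operand, and chmod follows a symlink operand to its target. If this script runs as root (not visible in the hunk) over a directory the service account can write to, a link left in the state directory would change the mode of a file outside it. Excluding links from the second branch avoids that: `\( ! -type l -exec chmod 0600 {} + \)`. The same line is re-added in PATCH 02 and PATCH 12, and the context lines for the other services have the same shape.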
@@ -0,0 +1,128 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.nixarr.jellyseerr;
+ defaultPort = 5055;
+ nixarr = config.nixarr;
+in {
+ options.nixarr.jellyseerr = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ example = true;
+ description = ''
+ Whether or not to enable the Jellyseerr service.
+
+ **Required options:** [`nixarr.enable`](#nixarr.enable)
+ '';
+ };
+
+ package = mkPackageOption pkgs "jellyseerr" {};
+
+ stateDir = mkOption {
+ type = types.path;
+ default = "${nixarr.stateDir}/jellyseerr";
+ defaultText = literalExpression ''"''${nixarr.stateDir}/jellyseerr"'';
+ example = "/nixarr/.state/jellyseerr";
+ description = ''
+ The location of the state directory for the Jellyseerr service.
+
+ > **Warning:** Setting this to any path, where the subpath is not
+ > owned by root, will fail! For example:
+ >
+ > ```nix
+ > stateDir = /home/user/nixarr/.state/Jellyseerr
+ > ```
+ >
+ > Is not supported, because `/home/user` is owned by `user`.
+ '';
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ defaultText = literalExpression ''!nixarr.jellyseerr.vpn.enable'';
+ default = !cfg.vpn.enable;
+ example = true;
+ description = "Open firewall for Jellyseerr";
+ };
+
+ vpn.enable = mkOption {
+ type = types.bool;
+ default = false;
+ example = true;
+ description = ''
+ **Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable)
+
+ Route Jellyseerr traffic through the VPN.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = cfg.enable -> nixarr.enable;
+ message = ''
+ The nixarr.jellyseerr.enable option requires the
+ nixarr.enable option to be set, but it was not.
+ '';
+ }
+ {
+ assertion = cfg.vpn.enable -> nixarr.vpn.enable;
+ message = ''
+ The nixarr.jellyseerr.vpn.enable option requires the
+ nixarr.vpn.enable option to be set, but it was not.
+ '';
+ }
+ ];
+
+ services.jellyseerr = {
+ enable = cfg.enable;
+ package = cfg.package;
+ user = "jellyseerr";
+ group = "media";
+ };
+
+ # Enable and specify VPN namespace to confine service in.
+ systemd.services.jellyseerr.vpnConfinement = mkIf cfg.vpn.enable {
+ enable = true;
+ vpnNamespace = "wg";
+ };
+
+ # Port mappings
+ vpnNamespaces.wg = mkIf cfg.vpn.enable {
+ portMappings = [
+ {
+ from = defaultPort;
+ to = defaultPort;
+ }
+ ];
+ };
+
+ services.nginx = mkIf cfg.vpn.enable {
+ enable = true;
+
+ recommendedTlsSettings = true;
+ recommendedOptimisation = true;
+ recommendedGzipSettings = true;
+
+ virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = {
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = defaultPort;
+ }
+ ];
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
+ };
+ };
+ };
+ };
+}
From e5df587206872b8ba2d06ec4af338cad0ca1ddbe Mon Sep 17 00:00:00 2001
From: Rohan Datar
Date: Sat, 4 Jan 2025 16:52:57 -0600
Subject: [PATCH 02/22] fix typos
---
nixarr/default.nix | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/nixarr/default.nix b/nixarr/default.nix
index 6123b5a..44e0a3f 100644
--- a/nixarr/default.nix
+++ b/nixarr/default.nix
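Review bot: With `vpn.enable` set, the nginx vhost at the end of the new `nixarr/jellyseerr/default.nix` listens on `addr = "0.0.0.0"` and forwards plain HTTP to `192.168.15.1`, so the web UI is offered on every host interface and only the host firewall decides who reaches it. `openFirewall` is declared above but nothing under `config` reads it, so the option cannot control that exposure in this commit; `stateDir` is likewise declared and unused. `recommendedTlsSettings = true` has no effect on this vhost as written, since no certificate or `forceSSL`/`onlySSL` is configured for it. I would bind the listener to the address that is meant to serve it, or at least add a comment above `listen` such as `# Plain HTTP on all interfaces; reachability is governed by the host firewall only.`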
@@ -49,9 +49,9 @@ with lib; let chown -R cross-seed:root "${cfg.transmission.privateTrackers.cross-seed.stateDir}" find "${cfg.transmission.privateTrackers.cross-seed.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) '' - + strings.optionalString cfg.jellyseer.enable '' - chown -R jellyseer:root "${cfg.jellyseer.stateDir}" - find "${cfg.jellyseer.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + + strings.optionalString cfg.jellyseerr.enable '' + chown -R jellyseerr:root "${cfg.jellyseerr.stateDir}" + find "${cfg.jellyseerr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) '' + strings.optionalString cfg.prowlarr.enable '' chown -R prowlarr:root "${cfg.prowlarr.stateDir}" @@ -81,7 +81,7 @@ with lib; let in { imports = [ ./jellyfin - ./jellyseer + ./jellyseerr ./bazarr ./ddns ./radarr @@ -120,7 +120,7 @@ in { The following services are supported: - [Jellyfin](#nixarr.jellyfin.enable) - - [Jellyseer](#nixarr.Jellyseer.enable) + - [Jellyseerr](#nixarr.jellyseerr.enable) - [Bazarr](#nixarr.bazarr.enable) - [Lidarr](#nixarr.lidarr.enable) - [Prowlarr](#nixarr.prowlarr.enable) From 033b356ede8f97aa840e2825465cd26254eb7db3 Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sat, 4 Jan 2025 16:55:56 -0600 Subject: [PATCH 03/22] delete user and group options --- nixarr/jellyseerr/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/nixarr/jellyseerr/default.nix b/nixarr/jellyseerr/default.nix index fbe57f1..8b5cfd8 100644 --- a/nixarr/jellyseerr/default.nix +++ b/nixarr/jellyseerr/default.nix @@ -83,8 +83,6 @@ in { services.jellyseerr = { enable = cfg.enable; package = cfg.package; - user = "jellyseerr"; - group = "media"; }; # Enable and specify VPN namespace to confine service in. From 564f7d9671e43815ff18337ec24e055cc44a6140 Mon Sep 17 00:00:00 2001 
From: Rohan Datar Date: Sat, 4 Jan 2025 17:03:00 -0600 Subject: [PATCH 04/22] remove stateDir option and add port option --- nixarr/jellyseerr/default.nix | 25 +++++++------------------ 1 file changed, 7 insertions(+), 18 deletions(-) diff --git a/nixarr/jellyseerr/default.nix b/nixarr/jellyseerr/default.nix index 8b5cfd8..f17643e 100644 --- a/nixarr/jellyseerr/default.nix +++ b/nixarr/jellyseerr/default.nix @@ -6,7 +6,6 @@ }: with lib; let cfg = config.nixarr.jellyseerr; - defaultPort = 5055; nixarr = config.nixarr; in { options.nixarr.jellyseerr = { @@ -23,23 +22,11 @@ in { package = mkPackageOption pkgs "jellyseerr" {}; - stateDir = mkOption { - type = types.path; - default = "${nixarr.stateDir}/jellyseerr"; - defaultText = literalExpression ''"''${nixarr.stateDir}/jellyseerr"''; - example = "/nixarr/.state/jellyseerr"; - description = '' - The location of the state directory for the Jellyseerr service. - - > **Warning:** Setting this to any path, where the subpath is not - > owned by root, will fail! For example: - > - > ```nix - > stateDir = /home/user/nixarr/.state/Jellyseerr - > ``` - > - > Is not supported, because `/home/user` is owned by `user`. - ''; + port = mkOption { + type = types.port; + default = 5055; + example = 12345; + description = "Jellyseerr web-UI port."; }; openFirewall = mkOption { @@ -83,6 +70,8 @@ in { services.jellyseerr = { enable = cfg.enable; package = cfg.package; + openFirewall = cfg.openFirewall; + port = cfg.port; }; # Enable and specify VPN namespace to confine service in. From 1f9d423064197f5e12eab962e7d74dedd1ec285e Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sat, 4 Jan 2025 17:04:52 -0600 Subject: [PATCH 05/22] remove stateDir script --- nixarr/default.nix | 4 ---- 1 file changed, 4 deletions(-) diff --git a/nixarr/default.nix b/nixarr/default.nix index 44e0a3f..3884aa5 100644 --- a/nixarr/default.nix +++ b/nixarr/default.nix 
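Review bot: The first hunk of PATCH 04 deletes `defaultPort`, but the `vpnNamespaces.wg.portMappings` and nginx `virtualHosts` blocks added in PATCH 01 still reference it and no hunk here touches them, so the VPN branch presumably no longer evaluates. Independently of the missing binding, the new `port` option reaches only `services.jellyseerr`, so a non-default port would leave the firewall rule, the namespace mapping and the proxy disagreeing about which port is served. Using the option throughout keeps them aligned: `from = cfg.port; to = cfg.port;` in the mapping, `port = cfg.port;` in `listen`, and `${builtins.toString cfg.port}` in the vhost name and `proxyPass`. Those blocks lie outside the hunks shown.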
@@ -49,10 +49,6 @@ with lib; let chown -R cross-seed:root "${cfg.transmission.privateTrackers.cross-seed.stateDir}" find "${cfg.transmission.privateTrackers.cross-seed.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) '' - + strings.optionalString cfg.jellyseerr.enable '' - chown -R jellyseerr:root "${cfg.jellyseerr.stateDir}" - find "${cfg.jellyseerr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - '' + strings.optionalString cfg.prowlarr.enable '' chown -R prowlarr:root "${cfg.prowlarr.stateDir}" find "${cfg.prowlarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) From f14a73e968b803bd4429ace97265cc266ed1d1f6 Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sat, 4 Jan 2025 17:27:18 -0600 Subject: [PATCH 06/22] add flaresolverr --- nixarr/default.nix | 2 + nixarr/flaresolverr/default.nix | 115 ++++++++++++++++++++++++++++++++ 2 files changed, 117 insertions(+) create mode 100644 nixarr/flaresolverr/default.nix diff --git a/nixarr/default.nix b/nixarr/default.nix index 3884aa5..2c1f419 100644 --- a/nixarr/default.nix +++ b/nixarr/default.nix @@ -86,6 +86,7 @@ in { ./sonarr ./openssh ./prowlarr + ./flaresolverr ./transmission ./sabnzbd ../util @@ -120,6 +121,7 @@ in { - [Bazarr](#nixarr.bazarr.enable) - [Lidarr](#nixarr.lidarr.enable) - [Prowlarr](#nixarr.prowlarr.enable) + - [Flaresolverr](#nixarr.flaresolverr.enable) - [Radarr](#nixarr.radarr.enable) - [Readarr](#nixarr.readarr.enable) - [Sonarr](#nixarr.sonarr.enable) diff --git a/nixarr/flaresolverr/default.nix b/nixarr/flaresolverr/default.nix new file mode 100644 index 0000000..68af86d --- /dev/null +++ b/nixarr/flaresolverr/default.nix 
@@ -0,0 +1,115 @@
+{
+ config,
+ lib,
+ pkgs,
+ ...
+}:
+with lib; let
+ cfg = config.nixarr.flaresolverr;
+ nixarr = config.nixarr;
+in {
+ options.nixarr.flaresolverr = {
+ enable = mkOption {
+ type = types.bool;
+ default = false;
+ example = true;
+ description = ''
+ Whether or not to enable the Flaresolverr service.
+
+ **Required options:** [`nixarr.enable`](#nixarr.enable)
+ '';
+ };
+
+ package = mkPackageOption pkgs "flaresolverr" {};
+
+ port = mkOption {
+ type = types.port;
+ default = 5055;
+ example = 12345;
+ description = "Flaresolverr port.";
+ };
+
+ openFirewall = mkOption {
+ type = types.bool;
+ defaultText = literalExpression ''!nixarr.flaresolverr.vpn.enable'';
+ default = !cfg.vpn.enable;
+ example = true;
+ description = "Open firewall for Flaresolverr";
+ };
+
+ vpn.enable = mkOption {
+ type = types.bool;
+ default = false;
+ example = true;
+ description = ''
+ **Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable)
+
+ Route Jellyseerr traffic through the VPN.
+ '';
+ };
+ };
+
+ config = mkIf cfg.enable {
+ assertions = [
+ {
+ assertion = cfg.enable -> nixarr.enable;
+ message = ''
+ The nixarr.flaresolverr.enable option requires the
+ nixarr.enable option to be set, but it was not.
+ '';
+ }
+ {
+ assertion = cfg.vpn.enable -> nixarr.vpn.enable;
+ message = ''
+ The nixarr.flaresolverr.vpn.enable option requires the
+ nixarr.vpn.enable option to be set, but it was not.
+ '';
+ }
+ ];
+
+ services.flaresolverr = {
+ enable = cfg.enable;
+ package = cfg.package;
+ openFirewall = cfg.openFirewall;
+ port = cfg.port;
+ };
+
+ # Enable and specify VPN namespace to confine service in.
+ systemd.services.flaresolverr.vpnConfinement = mkIf cfg.vpn.enable { + enable = true; + vpnNamespace = "wg"; + }; + + # Port mappings + vpnNamespaces.wg = mkIf cfg.vpn.enable { + portMappings = [ + { + from = defaultPort; + to = defaultPort; + } + ]; + }; + + services.nginx = mkIf cfg.vpn.enable { + enable = true; + + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + + virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = { + listen = [ + { + addr = "0.0.0.0"; + port = defaultPort; + } + ]; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}"; + }; + }; + }; + }; +} From 3bf919bd052146a1a0cb62a719831aca47ec3b43 Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sat, 4 Jan 2025 17:28:54 -0600 Subject: [PATCH 07/22] set flaresolverr default port --- nixarr/flaresolverr/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixarr/flaresolverr/default.nix b/nixarr/flaresolverr/default.nix index 68af86d..31f7baa 100644 --- a/nixarr/flaresolverr/default.nix +++ b/nixarr/flaresolverr/default.nix @@ -24,7 +24,7 @@ in { port = mkOption { type = types.port; - default = 5055; + default = 8191; example = 12345; description = "Flaresolverr port."; }; From fa3bbf002f3c06cccc42ab627b658315316cc094 Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sat, 4 Jan 2025 17:46:49 -0600 Subject: [PATCH 08/22] update default port --- nixarr/flaresolverr/default.nix | 3 ++- nixarr/jellyseerr/default.nix | 3 ++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/nixarr/flaresolverr/default.nix b/nixarr/flaresolverr/default.nix index 31f7baa..65e9856 100644 --- a/nixarr/flaresolverr/default.nix +++ b/nixarr/flaresolverr/default.nix @@ -7,6 +7,7 @@ with lib; let cfg = config.nixarr.flaresolverr; nixarr = config.nixarr; + defaultPort = 8191 in { options.nixarr.flaresolverr = { enable = mkOption { 
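Review bot: In the new `nixarr/flaresolverr/default.nix`, `openFirewall` defaults to `!cfg.vpn.enable`, so enabling the module without the VPN opens the service port on the host firewall by default. As far as I know FlareSolverr's HTTP API has no authentication of its own, so an opt-in default is the safer choice: `default = false;` with the `defaultText` line dropped. Separately, the `vpn.enable` description still reads "Route Jellyseerr traffic through the VPN." and should name Flaresolverr. PATCH 11 re-adds the same `openFirewall` default and the same description.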
@@ -24,7 +25,7 @@ in { port = mkOption { type = types.port; - default = 8191; + default = defaultPort; example = 12345; description = "Flaresolverr port."; }; diff --git a/nixarr/jellyseerr/default.nix b/nixarr/jellyseerr/default.nix index f17643e..337bdcf 100644 --- a/nixarr/jellyseerr/default.nix +++ b/nixarr/jellyseerr/default.nix @@ -7,6 +7,7 @@ with lib; let cfg = config.nixarr.jellyseerr; nixarr = config.nixarr; + defaultPort = 5055; in { options.nixarr.jellyseerr = { enable = mkOption { @@ -24,7 +25,7 @@ in { port = mkOption { type = types.port; - default = 5055; + default = defaultPort; example = 12345; description = "Jellyseerr web-UI port."; }; From d9c234e4801910c884b40cde761fc2888356729f Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sat, 4 Jan 2025 17:47:29 -0600 Subject: [PATCH 09/22] fix syntax error --- nixarr/flaresolverr/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/nixarr/flaresolverr/default.nix b/nixarr/flaresolverr/default.nix index 65e9856..529aeb7 100644 --- a/nixarr/flaresolverr/default.nix +++ b/nixarr/flaresolverr/default.nix @@ -7,7 +7,7 @@ with lib; let cfg = config.nixarr.flaresolverr; nixarr = config.nixarr; - defaultPort = 8191 + defaultPort = 8191; in { options.nixarr.flaresolverr = { enable = mkOption { From 0a434c3b240f17c51599588b9bd79001f671265d Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sat, 4 Jan 2025 17:56:38 -0600 Subject: [PATCH 10/22] remove vpn options for flaresolverr --- nixarr/flaresolverr/default.nix | 62 ++------------------------------- 1 file changed, 2 insertions(+), 60 deletions(-) diff --git a/nixarr/flaresolverr/default.nix b/nixarr/flaresolverr/default.nix index 529aeb7..a33d72e 100644 --- a/nixarr/flaresolverr/default.nix +++ b/nixarr/flaresolverr/default.nix @@ -7,7 +7,6 @@ with lib; let cfg = config.nixarr.flaresolverr; nixarr = config.nixarr; - defaultPort = 8191; in { options.nixarr.flaresolverr = { enable = mkOption { 
@@ -25,28 +24,16 @@ in { port = mkOption { type = types.port; - default = defaultPort; + default = 8191; example = 12345; description = "Flaresolverr port."; }; openFirewall = mkOption { - type = types.bool; - defaultText = literalExpression ''!nixarr.flaresolverr.vpn.enable''; - default = !cfg.vpn.enable; - example = true; - description = "Open firewall for Flaresolverr"; - }; - - vpn.enable = mkOption { type = types.bool; default = false; example = true; - description = '' - **Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable) - - Route Jellyseerr traffic through the VPN. - ''; + description = "Open firewall for Flaresolverr"; }; }; @@ -59,13 +46,6 @@ in { nixarr.enable option to be set, but it was not. ''; } - { - assertion = cfg.vpn.enable -> nixarr.vpn.enable; - message = '' - The nixarr.flaresolverr.vpn.enable option requires the - nixarr.vpn.enable option to be set, but it was not. - ''; - } ]; services.flaresolverr = { @@ -74,43 +54,5 @@ in { openFirewall = cfg.openFirewall; port = cfg.port; }; - - # Enable and specify VPN namespace to confine service in. - systemd.services.flaresolverr.vpnConfinement = mkIf cfg.vpn.enable { - enable = true; - vpnNamespace = "wg"; - }; - - # Port mappings - vpnNamespaces.wg = mkIf cfg.vpn.enable { - portMappings = [ - { - from = defaultPort; - to = defaultPort; - } - ]; - }; - - services.nginx = mkIf cfg.vpn.enable { - enable = true; - - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - - virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = { - listen = [ - { - addr = "0.0.0.0"; - port = defaultPort; - } - ]; - locations."/" = { - recommendedProxySettings = true; - proxyWebsockets = true; - proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}"; - }; - }; - }; }; } From 77682e0ae1140c5bebf53a22e05b8c28b01f6870 Mon Sep 17 00:00:00 2001 
From: Rohan Datar Date: Sat, 4 Jan 2025 18:08:23 -0600 Subject: [PATCH 11/22] add vpn options back --- nixarr/flaresolverr/default.nix | 62 +++++++++++++++++++++++++++++++-- 1 file changed, 60 insertions(+), 2 deletions(-) diff --git a/nixarr/flaresolverr/default.nix b/nixarr/flaresolverr/default.nix index a33d72e..529aeb7 100644 --- a/nixarr/flaresolverr/default.nix +++ b/nixarr/flaresolverr/default.nix @@ -7,6 +7,7 @@ with lib; let cfg = config.nixarr.flaresolverr; nixarr = config.nixarr; + defaultPort = 8191; in { options.nixarr.flaresolverr = { enable = mkOption { @@ -24,17 +25,29 @@ in { port = mkOption { type = types.port; - default = 8191; + default = defaultPort; example = 12345; description = "Flaresolverr port."; }; openFirewall = mkOption { type = types.bool; - default = false; + defaultText = literalExpression ''!nixarr.flaresolverr.vpn.enable''; + default = !cfg.vpn.enable; example = true; description = "Open firewall for Flaresolverr"; }; + + vpn.enable = mkOption { + type = types.bool; + default = false; + example = true; + description = '' + **Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable) + + Route Jellyseerr traffic through the VPN. + ''; + }; }; config = mkIf cfg.enable { @@ -46,6 +59,13 @@ in { nixarr.enable option to be set, but it was not. ''; } + { + assertion = cfg.vpn.enable -> nixarr.vpn.enable; + message = '' + The nixarr.flaresolverr.vpn.enable option requires the + nixarr.vpn.enable option to be set, but it was not. + ''; + } ]; services.flaresolverr = { 
@@ -54,5 +74,43 @@ in { openFirewall = cfg.openFirewall; port = cfg.port; }; + + # Enable and specify VPN namespace to confine service in. + systemd.services.flaresolverr.vpnConfinement = mkIf cfg.vpn.enable { + enable = true; + vpnNamespace = "wg"; + }; + + # Port mappings + vpnNamespaces.wg = mkIf cfg.vpn.enable { + portMappings = [ + { + from = defaultPort; + to = defaultPort; + } + ]; + }; + + services.nginx = mkIf cfg.vpn.enable { + enable = true; + + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + + virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = { + listen = [ + { + addr = "0.0.0.0"; + port = defaultPort; + } + ]; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}"; + }; + }; + }; }; } From 3f98c613931cc4034bc18fb2f346faba829ba4cd Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sat, 11 Jan 2025 16:54:21 -0600 Subject: [PATCH 12/22] remove flaresolverr and add state management for jellyseerr --- nixarr/default.nix | 5 ++ nixarr/flaresolverr/default.nix | 116 -------------------------------- nixarr/jellyseerr/default.nix | 20 ++++++ 3 files changed, 25 insertions(+), 116 deletions(-) delete mode 100644 nixarr/flaresolverr/default.nix diff --git a/nixarr/default.nix b/nixarr/default.nix index 2c1f419..8fec7af 100644 --- a/nixarr/default.nix +++ b/nixarr/default.nix @@ -73,6 +73,11 @@ with lib; let chown -R readarr:root "${cfg.readarr.stateDir}" find "${cfg.readarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) ''; + + + strings.optionalString cfg.jellyseerr.enable '' + chown -R jellyseerr:root "${cfg.jellyseerr.stateDir}" + find "${cfg.jellyseerr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''; }; in { imports = [ 
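Review bot: In the `nixarr/default.nix` hunk of PATCH 12, `chown -R jellyseerr:root` needs a `jellyseerr` account to exist when the script runs, but PATCH 03 removed the `user`/`group` settings and nothing in this commit declares `users.users.jellyseerr`. If the upstream `services.jellyseerr` unit runs under a dynamically allocated user (I believe it does; confirm against the pinned nixpkgs), the chown either fails or leaves the directory owned by an ID the service does not run as. A one-line comment above the block naming the module that provides the account, e.g. `# jellyseerr user is declared in <module path>`, would make the dependency explicit. The enclosing `let` binding starts outside the hunk.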
diff --git a/nixarr/flaresolverr/default.nix b/nixarr/flaresolverr/default.nix deleted file mode 100644 index 529aeb7..0000000 --- a/nixarr/flaresolverr/default.nix +++ /dev/null 
@@ -1,116 +0,0 @@ -{ - config, - lib, - pkgs, - ... -}: -with lib; let - cfg = config.nixarr.flaresolverr; - nixarr = config.nixarr; - defaultPort = 8191; -in { - options.nixarr.flaresolverr = { - enable = mkOption { - type = types.bool; - default = false; - example = true; - description = '' - Whether or not to enable the Flaresolverr service. - - **Required options:** [`nixarr.enable`](#nixarr.enable) - ''; - }; - - package = mkPackageOption pkgs "flaresolverr" {}; - - port = mkOption { - type = types.port; - default = defaultPort; - example = 12345; - description = "Flaresolverr port."; - }; - - openFirewall = mkOption { - type = types.bool; - defaultText = literalExpression ''!nixarr.flaresolverr.vpn.enable''; - default = !cfg.vpn.enable; - example = true; - description = "Open firewall for Flaresolverr"; - }; - - vpn.enable = mkOption { - type = types.bool; - default = false; - example = true; - description = '' - **Required options:** [`nixarr.vpn.enable`](#nixarr.vpn.enable) - - Route Jellyseerr traffic through the VPN. - ''; - }; - }; - - config = mkIf cfg.enable { - assertions = [ - { - assertion = cfg.enable -> nixarr.enable; - message = '' - The nixarr.flaresolverr.enable option requires the - nixarr.enable option to be set, but it was not. - ''; - } - { - assertion = cfg.vpn.enable -> nixarr.vpn.enable; - message = '' - The nixarr.flaresolverr.vpn.enable option requires the - nixarr.vpn.enable option to be set, but it was not. - ''; - } - ]; - - services.flaresolverr = { - enable = cfg.enable; - package = cfg.package; - openFirewall = cfg.openFirewall; - port = cfg.port; - }; - - # Enable and specify VPN namespace to confine service in. 
- systemd.services.flaresolverr.vpnConfinement = mkIf cfg.vpn.enable { - enable = true; - vpnNamespace = "wg"; - }; - - # Port mappings - vpnNamespaces.wg = mkIf cfg.vpn.enable { - portMappings = [ - { - from = defaultPort; - to = defaultPort; - } - ]; - }; - - services.nginx = mkIf cfg.vpn.enable { - enable = true; - - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - - virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = { - listen = [ - { - addr = "0.0.0.0"; - port = defaultPort; - } - ]; - locations."/" = { - recommendedProxySettings = true; - proxyWebsockets = true; - proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}"; - }; - }; - }; - }; -} diff --git a/nixarr/jellyseerr/default.nix b/nixarr/jellyseerr/default.nix index 337bdcf..d3c4dd6 100644 --- a/nixarr/jellyseerr/default.nix +++ b/nixarr/jellyseerr/default.nix @@ -23,6 +23,25 @@ in { package = mkPackageOption pkgs "jellyseerr" {}; + stateDir = mkOption { + type = types.path; + default = "${nixarr.stateDir}/jellyseerr"; + defaultText = literalExpression ''"''${nixarr.stateDir}/jellyseerr"''; + example = "/nixarr/.state/jellyseerr"; + description = '' + The location of the state directory for the Jellyseerr service. + + > **Warning:** Setting this to any path, where the subpath is not + > owned by root, will fail! For example: + > + > ```nix + > stateDir = /home/user/nixarr/.state/jellyseerr + > ``` + > + > Is not supported, because `/home/user` is owned by `user`. + ''; + }; + port = mkOption { type = types.port; default = defaultPort; @@ -73,6 +92,7 @@ in { package = cfg.package; openFirewall = cfg.openFirewall; port = cfg.port; + configDir = cfg.stateDir; }; # Enable and specify VPN namespace to confine service in. From 59a817458d23e32f590e8f719f0caee55be1f699 Mon Sep 17 00:00:00 2001 
From: Rohan Datar Date: Sat, 11 Jan 2025 16:58:19 -0600 Subject: [PATCH 13/22] fix syntax error --- nixarr/default.nix | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/nixarr/default.nix b/nixarr/default.nix index 8fec7af..c551ca7 100644 --- a/nixarr/default.nix +++ b/nixarr/default.nix @@ -72,8 +72,7 @@ with lib; let + strings.optionalString cfg.readarr.enable '' chown -R readarr:root "${cfg.readarr.stateDir}" find "${cfg.readarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''; - + '' + strings.optionalString cfg.jellyseerr.enable '' chown -R jellyseerr:root "${cfg.jellyseerr.stateDir}" find "${cfg.jellyseerr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) From ae19d7c102fe361c3578f3cd2d9141c9043e4a6e Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sat, 11 Jan 2025 17:00:00 -0600 Subject: [PATCH 14/22] remove all flaresolverr references --- nixarr/default.nix | 2 -- 1 file changed, 2 deletions(-) diff --git a/nixarr/default.nix b/nixarr/default.nix index c551ca7..f92e724 100644 --- a/nixarr/default.nix +++ b/nixarr/default.nix @@ -90,7 +90,6 @@ in { ./sonarr ./openssh ./prowlarr - ./flaresolverr ./transmission ./sabnzbd ../util @@ -125,7 +124,6 @@ in { - [Bazarr](#nixarr.bazarr.enable) - [Lidarr](#nixarr.lidarr.enable) - [Prowlarr](#nixarr.prowlarr.enable) - - [Flaresolverr](#nixarr.flaresolverr.enable) - [Radarr](#nixarr.radarr.enable) - [Readarr](#nixarr.readarr.enable) - [Sonarr](#nixarr.sonarr.enable) From 7ffdbed6bf1f3ba1478416621bea605ad080c168 Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sat, 11 Jan 2025 17:07:44 -0600 Subject: [PATCH 15/22] add warning about nixpkgs version for jellyseerr --- flake.lock | 12 ++++++------ nixarr/jellyseerr/default.nix | 5 +++++ 2 files changed, 11 insertions(+), 6 deletions(-) diff --git a/flake.lock b/flake.lock index 57fd46b..fca6ba0 100644 --- a/flake.lock +++ b/flake.lock 
@@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1730831018, - "narHash": "sha256-2S0HwIFRxYp+afuoFORcZA9TjryAf512GmE0MTfEOPU=", + "lastModified": 1736420959, + "narHash": "sha256-dMGNa5UwdtowEqQac+Dr0d2tFO/60ckVgdhZU9q2E2o=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8c4dc69b9732f6bbe826b5fbb32184987520ff26", + "rev": "32af3611f6f05655ca166a0b1f47b57c762b5192", "type": "github" }, "original": { @@ -24,11 +24,11 @@ }, "vpnconfinement": { "locked": { - "lastModified": 1729977304, - "narHash": "sha256-T/ABQpSbPJxO7TGl1P2fBd87xsQmnVflIFgHQTxwvBs=", + "lastModified": 1731209328, + "narHash": "sha256-b3jggBHZh20jUfBxoaIvew23czsw82zBc0aKxtkF3g8=", "owner": "Maroka-chan", "repo": "VPN-Confinement", - "rev": "3b11ba59f1c852493203b86c8acd715259a6c3cd", + "rev": "74e6fd47804b5ca69187200efbb14cf1ecb9ea07", "type": "github" }, "original": { diff --git a/nixarr/jellyseerr/default.nix b/nixarr/jellyseerr/default.nix index d3c4dd6..3f2738a 100644 --- a/nixarr/jellyseerr/default.nix +++ b/nixarr/jellyseerr/default.nix @@ -31,6 +31,11 @@ in { description = '' The location of the state directory for the Jellyseerr service. + > **Warning** this option does not work on the latest stable nixpkgs. + > If you are using an old version of nixpkgs, make sure to set the + > `jellyseerr.package` option to use the latest version from nixkpgs-unstable. + + > **Warning:** Setting this to any path, where the subpath is not > owned by root, will fail! For example: > From 0e56a6fe263fdc3962f5129cf1c983013ff92d7c Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sat, 11 Jan 2025 17:23:53 -0600 Subject: [PATCH 16/22] update nixpkgs version --- nixarr/jellyseerr/default.nix | 1 - 1 file changed, 1 deletion(-) diff --git a/nixarr/jellyseerr/default.nix b/nixarr/jellyseerr/default.nix index 3f2738a..595475f 100644 --- a/nixarr/jellyseerr/default.nix +++ b/nixarr/jellyseerr/default.nix 
@@ -35,7 +35,6 @@ in { > If you are using an old version of nixpkgs, make sure to set the > `jellyseerr.package` option to use the latest version from nixkpgs-unstable. - > **Warning:** Setting this to any path, where the subpath is not > owned by root, will fail! For example: > From d7752173247161608b468ed0a9df9cfd85c56a97 Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sun, 12 Jan 2025 14:11:12 -0600 Subject: [PATCH 17/22] update nixpkgs --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index fca6ba0..9aa3f0e 100644 --- a/flake.lock +++ b/flake.lock @@ -2,11 +2,11 @@ "nodes": { "nixpkgs": { "locked": { - "lastModified": 1736420959, - "narHash": "sha256-dMGNa5UwdtowEqQac+Dr0d2tFO/60ckVgdhZU9q2E2o=", + "lastModified": 1736657626, + "narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=", "owner": "nixos", "repo": "nixpkgs", - "rev": "32af3611f6f05655ca166a0b1f47b57c762b5192", + "rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e", "type": "github" }, "original": { From 2f5b47b081d30400dcb19a939851936f33073960 Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sun, 12 Jan 2025 15:48:19 -0600 Subject: [PATCH 18/22] use custom jellyseerr module --- nixarr/jellyseerr/default.nix | 8 +- .../jellyseerr/jellyseerr-module/default.nix | 96 +++++++++++++++++++ 2 files changed, 100 insertions(+), 4 deletions(-) create mode 100644 nixarr/jellyseerr/jellyseerr-module/default.nix diff --git a/nixarr/jellyseerr/default.nix b/nixarr/jellyseerr/default.nix index 595475f..c779d72 100644 --- a/nixarr/jellyseerr/default.nix +++ b/nixarr/jellyseerr/default.nix @@ -9,6 +9,10 @@ with lib; let nixarr = config.nixarr; defaultPort = 5055; in { + imports = [ + ./jellyseerr-module + ]; + options.nixarr.jellyseerr = { enable = mkOption { type = types.bool; 
@@ -31,10 +35,6 @@ in { description = '' The location of the state directory for the Jellyseerr service. - > **Warning** this option does not work on the latest stable nixpkgs. - > If you are using an old version of nixpkgs, make sure to set the - > `jellyseerr.package` option to use the latest version from nixkpgs-unstable. - > **Warning:** Setting this to any path, where the subpath is not > owned by root, will fail! For example: > diff --git a/nixarr/jellyseerr/jellyseerr-module/default.nix b/nixarr/jellyseerr/jellyseerr-module/default.nix new file mode 100644 index 0000000..dd44672 --- /dev/null +++ b/nixarr/jellyseerr/jellyseerr-module/default.nix 
@@ -0,0 +1,96 @@ +{ + config, + pkgs, + lib, + ... +}: +with lib; let + cfg = config.util-nixarr.services.jellyseerr; +in { + options = { + util-nixarr.services.prowlarr = { + enable = mkEnableOption "Jellyseerr"; + + package = mkPackageOption pkgs "jellyseerr" {}; + + user = mkOption { + type = types.str; + default = "jellyseerr"; + description = "User account under which Jellyseerr runs."; + }; + + group = mkOption { + type = types.str; + default = "jellyseerr"; + description = "Group under which Jellyseerr runs."; + }; + + configDir = mkOption { + type = types.str; + default = "/var/lib/jellyseerr"; + description = "The directory where Jellyseerr stores its data files."; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = "Open ports in the firewall for the Jellyseerr web interface."; + }; + }; + }; + + config = mkIf cfg.enable { + systemd.tmpfiles.rules = [ + "d '${cfg.configDir}' 0700 ${cfg.user} ${cfg.group} - -" + ]; + + systemd.services.prowlarr = { + description = "Jellyseerr, a requests manager for Jellyfin"; + after = ["network.target"]; + wantedBy = ["multi-user.target"]; + environment = { + PORT = toString cfg.port; + CONFIG_DIRECTORY = cfg.configDir; + }; + + serviceConfig = { + Type = "exec"; + StateDirectory = "jellyseerr"; + User = cfg.user; + ExecStart = lib.getExe cfg.package; + Restart = "on-failure"; + ProtectHome = true; + ProtectSystem = "strict"; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + NoNewPrivileges = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; + PrivateMounts = true; + }; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [5055]; + }; + + users.users = mkIf (cfg.user == "jellyseerr") { + jellyseerr = { + group = cfg.group; + home = cfg.configDir; + uid = 294; + }; + 
}; + + users.groups = mkIf (cfg.group == "jellyseerr") { + jellyseerr = {}; + }; + }; +} From 112224eb754789e2cf3588d7c890f70325d417af Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sun, 12 Jan 2025 15:49:58 -0600 Subject: [PATCH 19/22] replace bad references --- nixarr/jellyseerr/jellyseerr-module/default.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/nixarr/jellyseerr/jellyseerr-module/default.nix b/nixarr/jellyseerr/jellyseerr-module/default.nix index dd44672..e0000fd 100644 --- a/nixarr/jellyseerr/jellyseerr-module/default.nix +++ b/nixarr/jellyseerr/jellyseerr-module/default.nix @@ -8,7 +8,7 @@ with lib; let cfg = config.util-nixarr.services.jellyseerr; in { options = { - util-nixarr.services.prowlarr = { + util-nixarr.services.jellyseerr = { enable = mkEnableOption "Jellyseerr"; package = mkPackageOption pkgs "jellyseerr" {}; @@ -44,7 +44,7 @@ in { "d '${cfg.configDir}' 0700 ${cfg.user} ${cfg.group} - -" ]; - systemd.services.prowlarr = { + systemd.services.jellyseerr = { description = "Jellyseerr, a requests manager for Jellyfin"; after = ["network.target"]; wantedBy = ["multi-user.target"]; From 45a4997693ce502408ed4928e969e2593784376d Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sun, 12 Jan 2025 16:01:27 -0600 Subject: [PATCH 20/22] change systemd config --- nixarr/jellyseerr/default.nix | 4 +-- .../jellyseerr/jellyseerr-module/default.nix | 32 ++++++++++--------- 2 files changed, 19 insertions(+), 17 deletions(-) diff --git a/nixarr/jellyseerr/default.nix b/nixarr/jellyseerr/default.nix index c779d72..494352a 100644 --- a/nixarr/jellyseerr/default.nix +++ b/nixarr/jellyseerr/default.nix @@ -91,8 +91,8 @@ in { } ]; - services.jellyseerr = { - enable = cfg.enable; + util-nixarr.services.jellyseerr = { + enable = true; package = cfg.package; openFirewall = cfg.openFirewall; port = cfg.port; 
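Review bot: The firewall rule near the end of this new module opens a literal port, `allowedTCPPorts = [5055];`, while the unit's environment sets `PORT = toString cfg.port;`, so the two disagree as soon as the port is not 5055. In that case the web UI is unreachable on its real port and TCP 5055 is opened for a service that is not listening there. Tie the rule to the same value with `allowedTCPPorts = [cfg.port];`. The options block in this hunk declares no `port` option, so `cfg.port` needs a declaration next to `configDir` and `openFirewall`; a later patch in this series (21/22) adds one but leaves the firewall line unchanged.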
diff --git a/nixarr/jellyseerr/jellyseerr-module/default.nix b/nixarr/jellyseerr/jellyseerr-module/default.nix index e0000fd..8f4b74b 100644 --- a/nixarr/jellyseerr/jellyseerr-module/default.nix +++ b/nixarr/jellyseerr/jellyseerr-module/default.nix @@ -56,24 +56,26 @@ in { serviceConfig = { Type = "exec"; StateDirectory = "jellyseerr"; + DynamicUser = false; User = cfg.user; + Group = cfg.group; ExecStart = lib.getExe cfg.package; Restart = "on-failure"; - ProtectHome = true; - ProtectSystem = "strict"; - PrivateTmp = true; - PrivateDevices = true; - ProtectHostname = true; - ProtectClock = true; - ProtectKernelTunables = true; - ProtectKernelModules = true; - ProtectKernelLogs = true; - ProtectControlGroups = true; - NoNewPrivileges = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - RemoveIPC = true; - PrivateMounts = true; + # ProtectHome = true; + # ProtectSystem = "strict"; + # PrivateTmp = true; + # PrivateDevices = true; + # ProtectHostname = true; + # ProtectClock = true; + # ProtectKernelTunables = true; + # ProtectKernelModules = true; + # ProtectKernelLogs = true; + # ProtectControlGroups = true; + # NoNewPrivileges = true; + # RestrictRealtime = true; + # RestrictSUIDSGID = true; + # RemoveIPC = true; + # PrivateMounts = true; }; }; From 92d55630835d19d8b98a764cb7cac83bbd15a43b Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sun, 12 Jan 2025 16:03:31 -0600 Subject: [PATCH 21/22] fix options --- nixarr/jellyseerr/jellyseerr-module/default.nix | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/nixarr/jellyseerr/jellyseerr-module/default.nix b/nixarr/jellyseerr/jellyseerr-module/default.nix index 8f4b74b..08eab29 100644 --- a/nixarr/jellyseerr/jellyseerr-module/default.nix +++ b/nixarr/jellyseerr/jellyseerr-module/default.nix 
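Review bot: Commenting out every sandboxing directive in `serviceConfig` (`ProtectSystem`, `NoNewPrivileges`, `PrivateTmp`, `RestrictSUIDSGID` and the rest) leaves a network-facing web service with only its dedicated user as a boundary, and nothing in the hunk records why. If the cause was that `ProtectSystem = "strict"` makes a `cfg.configDir` outside `/var/lib/jellyseerr` read-only (an inference: `StateDirectory` is fixed to `jellyseerr` while `configDir` is configurable), the narrower fix is to keep the directives and grant write access to that one path with `ReadWritePaths`. If one specific directive breaks the service, disable only that one and say so in a comment. Patch 22/22 later in this series deletes the commented lines outright, so the hardening should be restored before that lands. The enclosing `systemd.services.jellyseerr` definition begins outside this hunk.

```nix
serviceConfig = {
  # … unchanged: Type, StateDirectory, User, Group, ExecStart, Restart …

  # Keep the sandbox; make only the configured data directory writable.
  ReadWritePaths = [cfg.configDir];
  ProtectHome = true;
  ProtectSystem = "strict";
  PrivateTmp = true;
  PrivateDevices = true;
  ProtectHostname = true;
  ProtectClock = true;
  ProtectKernelTunables = true;
  ProtectKernelModules = true;
  ProtectKernelLogs = true;
  ProtectControlGroups = true;
  NoNewPrivileges = true;
  RestrictRealtime = true;
  RestrictSUIDSGID = true;
  RemoveIPC = true;
  PrivateMounts = true;
```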
@@ -28,7 +28,13 @@ in { configDir = mkOption { type = types.str; default = "/var/lib/jellyseerr"; - description = "The directory where Jellyseerr stores its data files."; + description = "The directory where Jellyseerr stores its config data."; + }; + + port = lib.mkOption { + type = lib.types.port; + default = 5055; + description = ''The port which the Jellyseerr web UI should listen to.''; }; openFirewall = mkOption { From 2d0399fd47279920957557184045d53e23ef0b93 Mon Sep 17 00:00:00 2001 From: Rohan Datar Date: Sun, 12 Jan 2025 16:34:57 -0600 Subject: [PATCH 22/22] add warining about jellyseerr module --- nixarr/default.nix | 3 +++ nixarr/jellyseerr/jellyseerr-module/default.nix | 15 --------------- 2 files changed, 3 insertions(+), 15 deletions(-) diff --git a/nixarr/default.nix b/nixarr/default.nix index f92e724..b0b5f66 100644 --- a/nixarr/default.nix +++ b/nixarr/default.nix @@ -131,6 +131,9 @@ in { - [SABnzbd](#nixarr.sabnzbd.enable) Remember to read the options. + + > **Warning:** The Jellyseerr module currently does not work on nixos 24.11. + > You will have to update to the `unstable` branch in order for it to work. ''; }; diff --git a/nixarr/jellyseerr/jellyseerr-module/default.nix b/nixarr/jellyseerr/jellyseerr-module/default.nix index 08eab29..fc6b77c 100644 --- a/nixarr/jellyseerr/jellyseerr-module/default.nix +++ b/nixarr/jellyseerr/jellyseerr-module/default.nix @@ -67,21 +67,6 @@ in { Group = cfg.group; ExecStart = lib.getExe cfg.package; Restart = "on-failure"; - # ProtectHome = true; - # ProtectSystem = "strict"; - # PrivateTmp = true; - # PrivateDevices = true; - # ProtectHostname = true; - # ProtectClock = true; - # ProtectKernelTunables = true; - # ProtectKernelModules = true; - # ProtectKernelLogs = true; - # ProtectControlGroups = true; - # NoNewPrivileges = true; - # RestrictRealtime = true; - # RestrictSUIDSGID = true; - # RemoveIPC = true; - # PrivateMounts = true; }; };
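Review bot: The `port` option added under `configDir` in patch 21/22 is written with `lib.mkOption` and `lib.types.port`, while the sibling options in this block use the bare `mkOption` and `types.*` that `with lib;` brings into scope. Match them with `port = mkOption {` and `type = types.port;`. The description would also read better as a plain string like its neighbours, for example `description = "The port the Jellyseerr web UI listens on.";`. The options block begins and ends outside this hunk.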