fujin/nixarr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge branch 'main' into dev

Browse Source
This commit is contained in:
rasmus-kirk
2025-10-29 10:01:21 +01:00
parent 5b0c66d956 02ed738f53
commit ad4fe4e6a7
14 changed files with 276 additions and 164 deletions
Download Patch File Download Diff File Expand all files Collapse all files
flake.lock
Generated
+10 -10
View File
@@ -2,16 +2,16 @@
"nodes": {
"nixpkgs": {
"locked": {
"lastModified": 1750183894,
"narHash": "sha256-ZtOgEt70keBVB4YJc+z7m0h7J1BOlv/GjHE1YC6KxeA=",
"lastModified": 1761016216,
"narHash": "sha256-G/iC4t/9j/52i/nm+0/4ybBmAF4hzR8CNHC75qEhjHo=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "f45e75fc63fc8a7ffc3da382b2f6b681c5b71875",
"rev": "481cf557888e05d3128a76f14c76397b7d7cc869",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixpkgs-unstable",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
@@ -25,11 +25,11 @@
},
"vpnconfinement": {
"locked": {
"lastModified": 1749672087,
"narHash": "sha256-j8LG0s0QcvNkZZLcItl78lvTZemvsScir0dG3Ii4B1c=",
"lastModified": 1759956062,
"narHash": "sha256-NUZu0Rb0fwUjfdp51zMm0xM3lcK8Kw4c97LLog7+JjA=",
"owner": "Maroka-chan",
"repo": "VPN-Confinement",
"rev": "880b3bd2c864dce4f6afc79f6580ca699294c011",
"rev": "fabe7247b720b5eb4c3c053e24a2b3b70e64c52b",
"type": "github"
},
"original": {
@@ -45,11 +45,11 @@
]
},
"locked": {
"lastModified": 1750317638,
"narHash": "sha256-B4RWcXXOLO6gMeYyV+K4olu+kGGsYamKH+JAm0cIXqI=",
"lastModified": 1753958235,
"narHash": "sha256-Rd27XQJKv8Z4BCr3gdbaHFd0TmumiGxdjGRzsEf/mOg=",
"owner": "rasmus-kirk",
"repo": "website-builder",
"rev": "b54192000a00e865947f45bacf3184d56363ee38",
"rev": "00a14b7ae7baef2197978ba7c3fe72dfca7bc475",
"type": "github"
},
"original": {
flake.nix
+5 -2
View File
@@ -2,7 +2,7 @@
description = "The Nixarr Media Server Nixos Module";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixpkgs-unstable";
nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
vpnconfinement.url = "github:Maroka-chan/VPN-Confinement";
@@ -29,7 +29,10 @@
forAllSystems = f:
nixpkgs.lib.genAttrs supportedSystems (system:
f {
pkgs = import nixpkgs { inherit system; config.allowUnfree = true; };
pkgs = import nixpkgs {
inherit system;
config.allowUnfree = true;
};
});
in {
nixosModules.default.imports = [./nixarr vpnconfinement.nixosModules.default];
nixarr/bazarr/default.nix
-1
View File
@@ -98,7 +98,6 @@ in {
--port ${toString cfg.port} \
--no-update True
'';
KillSignal = "SIGINT";
Restart = "on-failure";
KillSignal = "SIGINT";
SuccessExitStatus = "0 156";
nixarr/default.nix
+1
View File
@@ -15,6 +15,7 @@ in {
./ddns
./jellyfin
./jellyseerr
./lib/api-keys.nix
./komga
./lidarr
./nixarr-command
nixarr/lib/api-keys.nix
+109
View File
@@ -0,0 +1,109 @@
{
config,
lib,
pkgs,
...
}:
with lib; let
cfg = config.nixarr;
serviceCfgFile = {
bazarr = "${cfg.bazarr.stateDir}/config/config.yaml";
jellyseerr = "${cfg.jellyseerr.stateDir}/settings.json";
lidarr = "${cfg.lidarr.stateDir}/config.xml";
prowlarr = "${cfg.prowlarr.stateDir}/config.xml";
radarr = "${cfg.radarr.stateDir}/config.xml";
readarr-audiobook = "${cfg.readarr-audiobook.stateDir}/config.xml";
readarr = "${cfg.readarr.stateDir}/config.xml";
sabnzbd = "${cfg.sabnzbd.stateDir}/sabnzbd.ini";
sonarr = "${cfg.sonarr.stateDir}/config.xml";
transmission = "${cfg.transmission.stateDir}/.config/transmission-daemon/settings.json";
};
printServiceApiKey = let
yq = getExe' pkgs.yq "yq";
xq = getExe' pkgs.yq "xq";
grep = getExe pkgs.gnugrep;
sed = getExe pkgs.gnused;
in {
bazarr = pkgs.writeShellScript "print-bazarr-api-key" ''
${yq} -r .auth.apiKey '${serviceCfgFile.bazarr}'
'';
jellyseerr = pkgs.writeShellScript "print-jellyseerr-api-key" ''
${yq} -r .main.apiKey '${serviceCfgFile.jellyseerr}'
'';
lidarr = pkgs.writeShellScript "print-lidarr-api-key" ''
${xq} -r .Config.ApiKey '${serviceCfgFile.lidarr}'
'';
prowlarr = pkgs.writeShellScript "print-prowlarr-api-key" ''
${xq} -r .Config.ApiKey '${serviceCfgFile.prowlarr}'
'';
radarr = pkgs.writeShellScript "print-radarr-api-key" ''
${xq} -r .Config.ApiKey '${serviceCfgFile.radarr}'
'';
readarr-audiobook = pkgs.writeShellScript "print-readarr-audiobook-api-key" ''
${xq} -r .Config.ApiKey '${serviceCfgFile.readarr-audiobook}'
'';
readarr = pkgs.writeShellScript "print-readarr-api-key" ''
${xq} -r .Config.ApiKey '${serviceCfgFile.readarr}'
'';
sabnzbd = pkgs.writeShellScript "print-sabnzbd-api-key" ''
${grep} api_key '${serviceCfgFile.sabnzbd}' | ${sed} 's/^api_key.*= *//g'
'';
sonarr = pkgs.writeShellScript "print-sonarr-api-key" ''
${xq} -r .Config.ApiKey '${serviceCfgFile.sonarr}'
'';
transmission = pkgs.writeShellScript "print-transmission-api-key" ''
${yq} -r .["rpc-password"] '${serviceCfgFile.transmission}'
'';
};
servicesWithApiKeys = builtins.attrNames printServiceApiKey;
# Helper to create API key extraction for a service
mkApiKeyExtractor = serviceName: {
description = "Extract ${serviceName} API key";
after = ["${serviceName}.service"];
requires = ["${serviceName}.service"];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
Group = "${serviceName}-api";
UMask = "0027"; # Results in 0640 permissions
ExecStartPre = [
(pkgs.writeShellScript "wait-for-${serviceName}-config" ''
while [ ! -f '${serviceCfgFile.${serviceName}}' ]; do sleep 1; done
'')
];
ExecStart = pkgs.writeShellScript "extract-${serviceName}-api-key" ''
${printServiceApiKey.${serviceName}} > '${cfg.stateDir}/api-keys/${serviceName}.key'
'';
};
};
in {
config = mkIf cfg.enable {
# Create per-service API key groups
users.groups = mkMerge (
builtins.map
(serviceName: mkIf cfg.${serviceName}.enable {"${serviceName}-api" = {};})
servicesWithApiKeys
);
systemd.services = mkMerge (
# Create API key extractors for enabled services
builtins.map
(serviceName: mkIf cfg.${serviceName}.enable {"${serviceName}-api-key" = mkApiKeyExtractor serviceName;})
servicesWithApiKeys
);
# Create the api-keys directory
systemd.tmpfiles.rules = [
# Needs to be world-executable for members of the `*-api` groups to access
# the files inside.
"d ${cfg.stateDir}/api-keys 0701 root root - -"
];
};
}
nixarr/prowlarr/default.nix
+11 -10
View File
@@ -84,19 +84,20 @@ in {
"d '${cfg.stateDir}' 0700 ${globals.prowlarr.user} root - -"
];
systemd.services.prowlarr = {
description = "prowlarr";
after = ["network.target"];
wantedBy = ["multi-user.target"];
environment.PROWLARR__SERVER__PORT = builtins.toString cfg.port;
services.prowlarr = {
enable = cfg.enable;
package = cfg.package;
settings.server.port = cfg.port;
openFirewall = cfg.openFirewall;
};
serviceConfig = {
Type = "simple";
systemd.services.prowlarr.serviceConfig = {
# `User` and `Group` override `DynamicUser = true` from the NixOS Prowlarr
# module (because a user and group with those names exists).
User = globals.prowlarr.user;
Group = globals.prowlarr.group;
ExecStart = "${lib.getExe cfg.package} -nobrowser -data=${cfg.stateDir}";
Restart = "on-failure";
};
ExecStart = mkForce "${lib.getExe cfg.package} -nobrowser -data=${cfg.stateDir}";
ReadWritePaths = [cfg.stateDir];
};
networking.firewall = mkIf cfg.openFirewall {
nixarr/recyclarr/default.nix
+22 -39
View File
@@ -2,7 +2,6 @@
config,
lib,
pkgs,
inputs,
...
}:
with lib; let
@@ -11,39 +10,6 @@ with lib; let
nixarr = config.nixarr;
format = pkgs.formats.yaml {};
# Helper function to extract API keys
extractApiKeys = pkgs.writeShellApplication {
name = "extract-recyclarr-api-keys";
runtimeInputs = with pkgs; [yq];
text = ''
# Ensure state directory exists with proper permissions
mkdir -p "${cfg.stateDir}"
chown ${config.services.recyclarr.user}:${config.services.recyclarr.group} "${cfg.stateDir}"
chmod 755 "${cfg.stateDir}"
${optionalString nixarr.radarr.enable ''
# Extract Radarr API key
API_KEY_FILE="${cfg.stateDir}/radarr-api-key"
xq -r '.Config.ApiKey' "${nixarr.radarr.stateDir}/config.xml" > "$API_KEY_FILE"
chmod 400 "$API_KEY_FILE"
chown ${config.services.recyclarr.user}:${config.services.recyclarr.group} "$API_KEY_FILE"
echo "RADARR_API_KEY=$(tr -d '\n' < "$API_KEY_FILE")" >> "${cfg.stateDir}/env"
''}
${optionalString nixarr.sonarr.enable ''
# Extract Sonarr API key
API_KEY_FILE="${cfg.stateDir}/sonarr-api-key"
xq -r '.Config.ApiKey' "${nixarr.sonarr.stateDir}/config.xml" > "$API_KEY_FILE"
chmod 400 "$API_KEY_FILE"
chown ${config.services.recyclarr.user}:${config.services.recyclarr.group} "$API_KEY_FILE"
echo "SONARR_API_KEY=$(tr -d '\n' < "$API_KEY_FILE")" >> "${cfg.stateDir}/env"
''}
chmod 400 "${cfg.stateDir}/env"
chown ${config.services.recyclarr.user}:${config.services.recyclarr.group} "${cfg.stateDir}/env"
'';
};
# Generate configuration file from Nix attribute set if provided
generatedConfigFile = format.generate "recyclarr-config.yml" cfg.configuration;
@@ -193,6 +159,9 @@ in {
isSystemUser = true;
group = globals.recyclarr.group;
uid = globals.uids.${globals.recyclarr.user};
extraGroups =
(optional nixarr.radarr.enable "radarr-api")
++ (optional nixarr.sonarr.enable "sonarr-api");
};
};
@@ -207,16 +176,29 @@ in {
requiredBy = ["recyclarr.service"];
before = ["recyclarr.service"];
requires =
(optionals nixarr.radarr.enable ["radarr.service"])
++ (optionals nixarr.sonarr.enable ["sonarr.service"]);
(optionals nixarr.radarr.enable ["radarr.service" "radarr-api-key.service"])
++ (optionals nixarr.sonarr.enable ["sonarr.service" "sonarr-api-key.service"]);
after =
(optionals nixarr.radarr.enable ["radarr.service"])
++ (optionals nixarr.sonarr.enable ["sonarr.service"]);
(optionals nixarr.radarr.enable ["radarr.service" "radarr-api-key.service"])
++ (optionals nixarr.sonarr.enable ["sonarr.service" "sonarr-api-key.service"]);
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = "${extractApiKeys}/bin/extract-recyclarr-api-keys";
UMask = "0077"; # Results in 0600 permissions
User = config.services.recyclarr.user;
ExecStart = pkgs.writeShellScript "recyclar-setup" ''
set -euo pipefail
echo -n > '${cfg.stateDir}/env'
${optionalString nixarr.radarr.enable ''
printf RADARR_API_KEY= >> '${cfg.stateDir}/env'
cat '${nixarr.stateDir}/api-keys/radarr.key' >> '${cfg.stateDir}/env'
''}
${optionalString nixarr.sonarr.enable ''
printf SONARR_API_KEY= >> '${cfg.stateDir}/env'
cat '${nixarr.stateDir}/api-keys/sonarr.key' >> '${cfg.stateDir}/env'
''}
'';
};
};
@@ -232,6 +214,7 @@ in {
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0750 ${config.services.recyclarr.user} root - -"
"f '${cfg.stateDir}/env' 0600 ${config.services.recyclarr.user} ${config.services.recyclarr.group} - -"
];
};
}
nixarr/sonarr/default.nix
+12 -5
View File
@@ -22,6 +22,12 @@ in {
package = mkPackageOption pkgs "sonarr" {};
port = mkOption {
type = types.port;
default = defaultPort;
description = "Port for Sonarr to use.";
};
stateDir = mkOption {
type = types.path;
default = "${nixarr.stateDir}/sonarr";
@@ -91,6 +97,7 @@ in {
package = cfg.package;
user = globals.sonarr.user;
group = globals.sonarr.group;
settings.server.port = cfg.port;
openFirewall = cfg.openFirewall;
dataDir = cfg.stateDir;
};
@@ -105,8 +112,8 @@ in {
vpnNamespaces.wg = mkIf cfg.vpn.enable {
portMappings = [
{
from = defaultPort;
to = defaultPort;
from = cfg.port;
to = cfg.port;
}
];
};
@@ -118,17 +125,17 @@ in {
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = {
virtualHosts."127.0.0.1:${builtins.toString cfg.port}" = {
listen = [
{
addr = "0.0.0.0";
port = defaultPort;
port = cfg.port;
}
];
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
proxyPass = "http://192.168.15.1:${builtins.toString cfg.port}";
};
};
};
nixarr/transmission/cross-seed/default.nix
+16 -4
View File
@@ -54,14 +54,14 @@ in {
};
user = mkOption {
type = types.str;
default = "cross-seed";
type = types.nullOr types.str;
default = null;
description = "User account under which cross-seed runs.";
};
group = mkOption {
type = types.str;
default = "cross-seed";
type = types.nullOr types.str;
default = null;
description = "Group under which cross-seed runs.";
};
};
@@ -81,6 +81,18 @@ in {
The settings.torrentDir option must be set if cross-seed is enabled.
'';
}
{
assertion = cfg.enable -> cfg.user != null;
message = ''
The user option must be set if cross-seed is enabled.
'';
}
{
assertion = cfg.enable -> cfg.group != null;
message = ''
The group option must be set if cross-seed is enabled.
'';
}
];
systemd.tmpfiles.rules =
nixarr/transmission/default.nix
+5 -6
View File
@@ -287,7 +287,6 @@ in {
users = {
groups.${globals.transmission.group}.gid = globals.gids.${globals.transmission.group};
groups.${globals.cross-seed.group}.gid = globals.gids.${globals.cross-seed.group};
users.${globals.transmission.user} = {
isSystemUser = true;
group = globals.transmission.group;
@@ -296,10 +295,10 @@ in {
};
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0750 ${globals.transmission.user} ${globals.cross-seed.group} - -"
"d '${cfg.stateDir}' 0750 ${globals.transmission.user} ${globals.transmission.group} - -"
# This is fixes a bug in nixpks (https://github.com/NixOS/nixpkgs/issues/291883)
"d '${cfg.stateDir}/.config' 0750 ${globals.transmission.user} ${globals.cross-seed.group} - -"
"d '${cfg.stateDir}/.config/transmission-daemon' 0750 ${globals.transmission.user} ${globals.cross-seed.group} - -"
"d '${cfg.stateDir}/.config' 0750 ${globals.transmission.user} ${globals.transmission.group} - -"
"d '${cfg.stateDir}/.config/transmission-daemon' 0750 ${globals.transmission.user} ${globals.transmission.group} - -"
# Media Dirs
"d '${nixarr.mediaDir}/torrents' 0755 ${globals.transmission.user} ${globals.transmission.group} - -"
@@ -315,8 +314,8 @@ in {
util-nixarr.services.cross-seed = mkIf cfg-cross-seed.enable {
enable = true;
dataDir = cfg-cross-seed.stateDir;
user = globals.cross-seed.user;
group = globals.cross-seed.group;
user = globals.transmission.user;
group = globals.transmission.group;
settings =
{
torrentDir = "${cfg.stateDir}/.config/transmission-daemon/torrents";
tests/simple-test.nix
+47 -51
View File
@@ -19,9 +19,9 @@ pkgs.nixosTest {
enable = true;
jellyfin.enable = true;
plex.enable = true;
jellyseerr.enable = true;
audiobookshelf.enable = true;
plex.enable = true;
transmission = {
enable = true;
@@ -37,51 +37,51 @@ pkgs.nixosTest {
sabnzbd.enable = true;
lidarr.enable = true;
prowlarr.enable = true;
recyclarr = {
enable = true;
configuration = {
sonarr.series = {
base_url = "http://localhost:8989";
api_key = "!env_var SONARR_API_KEY";
quality_definition.type = "series";
delete_old_custom_formats = true;
custom_formats = [
{
trash_ids = [
"85c61753df5da1fb2aab6f2a47426b09" # BR-DISK
"9c11cd3f07101cdba90a2d81cf0e56b4" # LQ
];
assign_scores_to = [
{
name = "WEB-DL (1080p)";
score = -10000;
}
];
}
];
};
radarr.movies = {
base_url = "http://localhost:7878";
api_key = "!env_var RADARR_API_KEY";
quality_definition.type = "movie";
delete_old_custom_formats = true;
custom_formats = [
{
trash_ids = [
"570bc9ebecd92723d2d21500f4be314c" # Remaster
"eca37840c13c6ef2dd0262b141a5482f" # 4K Remaster
];
assign_scores_to = [
{
name = "HD Bluray + WEB";
score = 25;
}
];
}
];
};
};
};
# recyclarr = {
# enable = true;
# configuration = {
# sonarr.series = {
# base_url = "http://localhost:8989";
# api_key = "!env_var SONARR_API_KEY";
# quality_definition.type = "series";
# delete_old_custom_formats = true;
# custom_formats = [
# {
# trash_ids = [
# "85c61753df5da1fb2aab6f2a47426b09" # BR-DISK
# "9c11cd3f07101cdba90a2d81cf0e56b4" # LQ
# ];
# assign_scores_to = [
# {
# name = "WEB-DL (1080p)";
# score = -10000;
# }
# ];
# }
# ];
# };
# radarr.movies = {
# base_url = "http://localhost:7878";
# api_key = "!env_var RADARR_API_KEY";
# quality_definition.type = "movie";
# delete_old_custom_formats = true;
# custom_formats = [
# {
# trash_ids = [
# "570bc9ebecd92723d2d21500f4be314c" # Remaster
# "eca37840c13c6ef2dd0262b141a5482f" # 4K Remaster
# ];
# assign_scores_to = [
# {
# name = "HD Bluray + WEB";
# score = 25;
# }
# ];
# }
# ];
# };
# };
# };
};
# Create a test user to verify mediaUsers functionality
@@ -109,11 +109,7 @@ pkgs.nixosTest {
machine.succeed("systemctl is-active sabnzbd")
machine.succeed("systemctl is-active lidarr")
machine.succeed("systemctl is-active prowlarr")
machine.succeed("systemctl is-active recyclarr")
machine.succeed("nixarr list-api-keys")
machine.succeed("nixarr fix-permissions")
machine.succeed("nixarr wipe-uids-gids")
# machine.succeed("systemctl is-active recyclarr")
print("\n=== Nixarr Simple Test Completed ===")
'';
tests/vpn-confinement-test.nix
+23 -23
View File
@@ -1,16 +1,16 @@
/*
VPN Confinement Integration Test
VPN Confinement Integration Test
This test validates that Nixarr services are properly confined to a VPN namespace
and cannot leak traffic when the VPN connection fails. It uses a 3-VM topology
to simulate real-world network conditions.
This test validates that Nixarr services are properly confined to a VPN namespace
and cannot leak traffic when the VPN connection fails. It uses a 3-VM topology
to simulate real-world network conditions.
Network Topology:
VLAN 2 VLAN 1
internetClient gateway nixarrHost
10.0.1.2 10.0.1.1 192.168.1.2
fd00:2::2 192.168.1.1 fd00:1::2
fd00:2::1
Network Topology:
VLAN 2 VLAN 1
internetClient gateway nixarrHost
10.0.1.2 10.0.1.1 192.168.1.2
fd00:2::2 192.168.1.1 fd00:1::2
fd00:2::1
fd00:1::1
@@ -19,20 +19,20 @@
fd00:100::1 VPN namespace
(10.100.0.2, fd00:100::2)
Test Coverage:
- VPN namespace isolation (transmission confined to wg namespace)
- IPv4 and IPv6 traffic routing through VPN tunnel
- Traffic leak prevention when VPN is down
- Port forwarding from external clients through gateway to VPN services
- DNS configuration in VPN namespace
- Service recovery after VPN reconnection
Test Coverage:
- VPN namespace isolation (transmission confined to wg namespace)
- IPv4 and IPv6 traffic routing through VPN tunnel
- Traffic leak prevention when VPN is down
- Port forwarding from external clients through gateway to VPN services
- DNS configuration in VPN namespace
- Service recovery after VPN reconnection
The test ensures that:
1. All transmission traffic goes through the VPN tunnel
2. Source IP is preserved (shows VPN client IP: 10.100.0.2/fd00:100::2)
3. No traffic leaks to host network when VPN fails
4. External port forwarding works correctly
5. Both IPv4 and IPv6 work identically through the tunnel
The test ensures that:
1. All transmission traffic goes through the VPN tunnel
2. Source IP is preserved (shows VPN client IP: 10.100.0.2/fd00:100::2)
3. No traffic leaks to host network when VPN fails
4. External port forwarding works correctly
5. Both IPv4 and IPv6 work identically through the tunnel
*/
{
pkgs,
util/globals/default.nix
+4 -2
View File
@@ -36,13 +36,15 @@ in {
recyclarr = 269;
sabnzbd = 38;
transmission = 70;
cross-seed = 183;
# Removed 2025-10-29
# cross-seed = 183;
whisparr = 272;
stash = 69;
};
gids = {
autobrr = 188;
cross-seed = 183;
# Removed 2025-10-29
# cross-seed = 183;
jellyseerr = 250;
media = 169;
prowlarr = 287;
util/upnp/default.nix
+2 -2
View File
@@ -77,7 +77,7 @@ in {
);
};
in
mkIf cfg.upnp.enable {
mkIf cfg.enable {
enable = true;
description = "Sets port on router";
script = "${upnp-ports}/bin/upnp-ports";
@@ -89,7 +89,7 @@ in {
};
timers = {
upnpc = mkIf cfg.upnp.enable {
upnpc = mkIf cfg.enable {
description = "Sets port on router";
wantedBy = ["timers.target"];