fujin/nixarr
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fmt

Browse Source
This commit is contained in:
rasmus-kirk
2025-06-01 21:20:55 +02:00
parent 56884039bf
commit c423ae2a04
2 changed files with 207 additions and 203 deletions
Download Patch File Download Diff File Expand all files Collapse all files
nixarr/audiobookshelf/default.nix
+153 -149
View File
@@ -116,157 +116,161 @@ in {
};
config = let
host = if cfg.vpn.enable then "192.168.15.1" else "127.0.0.1";
in mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = ''
The nixarr.audiobookshelf.vpn.enable option requires the
nixarr.vpn.enable option to be set, but it was not.
'';
}
{
assertion = !(cfg.vpn.enable && cfg.expose.https.enable);
message = ''
The nixarr.audiobookshelf.vpn.enable option conflicts with the
nixarr.audiobookshelf.expose.https.enable option. You cannot set both.
'';
}
{
assertion =
cfg.expose.https.enable
-> (
(cfg.expose.https.domainName != null)
&& (cfg.expose.https.acmeMail != null)
);
message = ''
The nixarr.audiobookshelf.expose.https.enable option requires the
following options to be set, but one of them were not:
- nixarr.audiobookshelf.expose.domainName
- nixarr.audiobookshelf.expose.acmeMail
'';
}
];
users = {
groups.${globals.audiobookshelf.group}.gid = globals.gids.${globals.audiobookshelf.group};
users.${globals.audiobookshelf.user} = {
isSystemUser = true;
group = globals.audiobookshelf.group;
uid = globals.uids.${globals.audiobookshelf.user};
};
};
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0700 ${globals.audiobookshelf.user} root - -"
# Media Dirs
"d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/podcasts' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
];
systemd.services.audiobookshelf = {
description = "Audiobookshelf is a self-hosted audiobook and podcast server";
after = [ "network.target" ];
wantedBy = [ "multi-user.target" ];
serviceConfig = {
IOSchedulingPriority = 0;
Type = "simple";
User = globals.audiobookshelf.user;
Group = globals.audiobookshelf.group;
StateDirectory = cfg.stateDir;
WorkingDirectory = cfg.stateDir;
ExecStart = "${cfg.package}/bin/audiobookshelf --host ${host} --port ${toString cfg.port}";
Restart = "on-failure";
# Security
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
NoNewPrivileges = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
ProtectSystem = "strict";
ReadWritePaths = [cfg.stateDir];
};
};
networking.firewall = mkIf cfg.expose.https.enable {
allowedTCPPorts = [80 443];
};
util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable {
enable = true;
openTcpPorts = [80 443];
};
services.nginx = mkMerge [
(mkIf (cfg.expose.https.enable || cfg.vpn.enable) {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
})
(mkIf cfg.expose.https.enable {
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
};
};
})
(mkIf cfg.vpn.enable {
virtualHosts."127.0.0.1:${builtins.toString cfg.port}" = mkIf cfg.vpn.enable {
listen = [
{
addr = "0.0.0.0";
port = cfg.port;
}
];
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString cfg.port}";
};
};
})
];
security.acme = mkIf cfg.expose.https.enable {
acceptTerms = true;
defaults.email = cfg.expose.https.acmeMail;
};
# Enable and specify VPN namespace to confine service in.
systemd.services.audiobookshelf.vpnConfinement = mkIf cfg.vpn.enable {
enable = true;
vpnNamespace = "wg";
};
# Port mappings
vpnNamespaces.wg = mkIf cfg.vpn.enable {
portMappings = [
host =
if cfg.vpn.enable
then "192.168.15.1"
else "127.0.0.1";
in
mkIf (nixarr.enable && cfg.enable) {
assertions = [
{
from = cfg.port;
to = cfg.port;
assertion = cfg.vpn.enable -> nixarr.vpn.enable;
message = ''
The nixarr.audiobookshelf.vpn.enable option requires the
nixarr.vpn.enable option to be set, but it was not.
'';
}
{
assertion = !(cfg.vpn.enable && cfg.expose.https.enable);
message = ''
The nixarr.audiobookshelf.vpn.enable option conflicts with the
nixarr.audiobookshelf.expose.https.enable option. You cannot set both.
'';
}
{
assertion =
cfg.expose.https.enable
-> (
(cfg.expose.https.domainName != null)
&& (cfg.expose.https.acmeMail != null)
);
message = ''
The nixarr.audiobookshelf.expose.https.enable option requires the
following options to be set, but one of them were not:
- nixarr.audiobookshelf.expose.domainName
- nixarr.audiobookshelf.expose.acmeMail
'';
}
];
users = {
groups.${globals.audiobookshelf.group}.gid = globals.gids.${globals.audiobookshelf.group};
users.${globals.audiobookshelf.user} = {
isSystemUser = true;
group = globals.audiobookshelf.group;
uid = globals.uids.${globals.audiobookshelf.user};
};
};
systemd.tmpfiles.rules = [
"d '${cfg.stateDir}' 0700 ${globals.audiobookshelf.user} root - -"
# Media Dirs
"d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
"d '${nixarr.mediaDir}/library/podcasts' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -"
];
systemd.services.audiobookshelf = {
description = "Audiobookshelf is a self-hosted audiobook and podcast server";
after = ["network.target"];
wantedBy = ["multi-user.target"];
serviceConfig = {
IOSchedulingPriority = 0;
Type = "simple";
User = globals.audiobookshelf.user;
Group = globals.audiobookshelf.group;
StateDirectory = cfg.stateDir;
WorkingDirectory = cfg.stateDir;
ExecStart = "${cfg.package}/bin/audiobookshelf --host ${host} --port ${toString cfg.port}";
Restart = "on-failure";
# Security
ProtectHome = true;
PrivateTmp = true;
PrivateDevices = true;
ProtectHostname = true;
ProtectClock = true;
ProtectKernelTunables = true;
ProtectKernelModules = true;
ProtectKernelLogs = true;
ProtectControlGroups = true;
NoNewPrivileges = true;
RestrictRealtime = true;
RestrictSUIDSGID = true;
RemoveIPC = true;
PrivateMounts = true;
ProtectSystem = "strict";
ReadWritePaths = [cfg.stateDir];
};
};
networking.firewall = mkIf cfg.expose.https.enable {
allowedTCPPorts = [80 443];
};
util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable {
enable = true;
openTcpPorts = [80 443];
};
services.nginx = mkMerge [
(mkIf (cfg.expose.https.enable || cfg.vpn.enable) {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
})
(mkIf cfg.expose.https.enable {
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = {
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}";
};
};
})
(mkIf cfg.vpn.enable {
virtualHosts."127.0.0.1:${builtins.toString cfg.port}" = mkIf cfg.vpn.enable {
listen = [
{
addr = "0.0.0.0";
port = cfg.port;
}
];
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString cfg.port}";
};
};
})
];
security.acme = mkIf cfg.expose.https.enable {
acceptTerms = true;
defaults.email = cfg.expose.https.acmeMail;
};
# Enable and specify VPN namespace to confine service in.
systemd.services.audiobookshelf.vpnConfinement = mkIf cfg.vpn.enable {
enable = true;
vpnNamespace = "wg";
};
# Port mappings
vpnNamespaces.wg = mkIf cfg.vpn.enable {
portMappings = [
{
from = cfg.port;
to = cfg.port;
}
];
};
};
};
}
nixarr/nixarr-command/default.nix
+54 -54
View File
@@ -33,74 +33,74 @@ with lib; let
find "${nixarr.mediaDir}" \( -type d -exec chmod 0775 {} + -true \) -o \( -exec chmod 0664 {} + \)
${strings.optionalString nixarr.jellyfin.enable ''
chown -R ${globals.libraryOwner.user}:${globals.libraryOwner.group} "${nixarr.mediaDir}/library"
chown -R ${globals.jellyfin.user}:root "${nixarr.jellyfin.stateDir}"
find "${nixarr.jellyfin.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
chown -R ${globals.libraryOwner.user}:${globals.libraryOwner.group} "${nixarr.mediaDir}/library"
chown -R ${globals.jellyfin.user}:root "${nixarr.jellyfin.stateDir}"
find "${nixarr.jellyfin.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
${strings.optionalString nixarr.plex.enable ''
chown -R ${globals.libraryOwner.user}:${globals.libraryOwner.group} "${nixarr.mediaDir}/library"
chown -R ${globals.plex.user}:root "${nixarr.plex.stateDir}"
find "${nixarr.plex.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
chown -R ${globals.libraryOwner.user}:${globals.libraryOwner.group} "${nixarr.mediaDir}/library"
chown -R ${globals.plex.user}:root "${nixarr.plex.stateDir}"
find "${nixarr.plex.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
${strings.optionalString nixarr.audiobookshelf.enable ''
chown -R ${globals.libraryOwner.user}:${globals.libraryOwner.group} "${nixarr.mediaDir}/library"
chown -R ${globals.audiobookshelf.user}:root "${nixarr.audiobookshelf.stateDir}"
find "${nixarr.audiobookshelf.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
chown -R ${globals.libraryOwner.user}:${globals.libraryOwner.group} "${nixarr.mediaDir}/library"
chown -R ${globals.audiobookshelf.user}:root "${nixarr.audiobookshelf.stateDir}"
find "${nixarr.audiobookshelf.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
${strings.optionalString nixarr.transmission.enable ''
chown -R ${globals.transmission.user}:${globals.transmission.group} "${nixarr.mediaDir}/torrents"
chown -R ${globals.transmission.user}:${globals.cross-seed.group} "${nixarr.transmission.stateDir}"
find "${nixarr.transmission.stateDir}" \( -type d -exec chmod 0750 {} + -true \) -o \( -exec chmod 0640 {} + \)
''}
chown -R ${globals.transmission.user}:${globals.transmission.group} "${nixarr.mediaDir}/torrents"
chown -R ${globals.transmission.user}:${globals.cross-seed.group} "${nixarr.transmission.stateDir}"
find "${nixarr.transmission.stateDir}" \( -type d -exec chmod 0750 {} + -true \) -o \( -exec chmod 0640 {} + \)
''}
${strings.optionalString nixarr.sabnzbd.enable ''
chown -R ${globals.sabnzbd.user}:${globals.sabnzbd.group} "${nixarr.mediaDir}/usenet"
chown -R ${globals.sabnzbd.user}:root "${nixarr.sabnzbd.stateDir}"
find "${nixarr.sabnzbd.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
chown -R ${globals.sabnzbd.user}:${globals.sabnzbd.group} "${nixarr.mediaDir}/usenet"
chown -R ${globals.sabnzbd.user}:root "${nixarr.sabnzbd.stateDir}"
find "${nixarr.sabnzbd.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
${strings.optionalString nixarr.transmission.privateTrackers.cross-seed.enable ''
chown -R ${globals.cross-seed.user}:root "${nixarr.transmission.privateTrackers.cross-seed.stateDir}"
find "${nixarr.transmission.privateTrackers.cross-seed.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
chown -R ${globals.cross-seed.user}:root "${nixarr.transmission.privateTrackers.cross-seed.stateDir}"
find "${nixarr.transmission.privateTrackers.cross-seed.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
${strings.optionalString nixarr.prowlarr.enable ''
chown -R ${globals.prowlarr.user}:root "${nixarr.prowlarr.stateDir}"
find "${nixarr.prowlarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
chown -R ${globals.prowlarr.user}:root "${nixarr.prowlarr.stateDir}"
find "${nixarr.prowlarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
${strings.optionalString nixarr.sonarr.enable ''
chown -R ${globals.sonarr.user}:root "${nixarr.sonarr.stateDir}"
find "${nixarr.sonarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
chown -R ${globals.sonarr.user}:root "${nixarr.sonarr.stateDir}"
find "${nixarr.sonarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
${strings.optionalString nixarr.radarr.enable ''
chown -R ${globals.radarr.user}:root "${nixarr.radarr.stateDir}"
find "${nixarr.radarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
chown -R ${globals.radarr.user}:root "${nixarr.radarr.stateDir}"
find "${nixarr.radarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
${strings.optionalString nixarr.lidarr.enable ''
chown -R ${globals.lidarr.user}:root "${nixarr.lidarr.stateDir}"
find "${nixarr.lidarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
chown -R ${globals.lidarr.user}:root "${nixarr.lidarr.stateDir}"
find "${nixarr.lidarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
${strings.optionalString nixarr.bazarr.enable ''
chown -R ${globals.bazarr.user}:root "${nixarr.bazarr.stateDir}"
find "${nixarr.bazarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
chown -R ${globals.bazarr.user}:root "${nixarr.bazarr.stateDir}"
find "${nixarr.bazarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
${strings.optionalString nixarr.readarr.enable ''
chown -R ${globals.readarr.user}:root "${nixarr.readarr.stateDir}"
find "${nixarr.readarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
chown -R ${globals.readarr.user}:root "${nixarr.readarr.stateDir}"
find "${nixarr.readarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
${strings.optionalString nixarr.readarr-audiobook.enable ''
chown -R ${globals.readarr.user}:root "${nixarr.readarr-audiobook.stateDir}"
find "${nixarr.readarr-audiobook.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
chown -R ${globals.readarr.user}:root "${nixarr.readarr-audiobook.stateDir}"
find "${nixarr.readarr-audiobook.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
${strings.optionalString nixarr.jellyseerr.enable ''
chown -R ${globals.jellyseerr.user}:root "${nixarr.jellyseerr.stateDir}"
find "${nixarr.jellyseerr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
chown -R ${globals.jellyseerr.user}:root "${nixarr.jellyseerr.stateDir}"
find "${nixarr.jellyseerr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
${strings.optionalString nixarr.autobrr.enable ''
chown -R ${globals.autobrr.user}:root "${nixarr.autobrr.stateDir}"
find "${nixarr.autobrr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
chown -R ${globals.autobrr.user}:root "${nixarr.autobrr.stateDir}"
find "${nixarr.autobrr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
${strings.optionalString nixarr.recyclarr.enable ''
chown -R ${globals.recyclarr.user}:root "${nixarr.recyclarr.stateDir}"
find "${nixarr.recyclarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
chown -R ${globals.recyclarr.user}:root "${nixarr.recyclarr.stateDir}"
find "${nixarr.recyclarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \)
''}
}
list-unlinked() {
@@ -127,5 +127,5 @@ with lib; let
'';
};
in {
config.environment.systemPackages = [ nixarr-command ];
config.environment.systemPackages = [nixarr-command];
}