From c423ae2a0446e2ad0c9371ba43b4d1bda0016927 Mon Sep 17 00:00:00 2001 From: rasmus-kirk Date: Sun, 1 Jun 2025 21:20:55 +0200 Subject: [PATCH] fmt --- nixarr/audiobookshelf/default.nix | 302 +++++++++++++++--------------- nixarr/nixarr-command/default.nix | 108 +++++------ 2 files changed, 207 insertions(+), 203 deletions(-) diff --git a/nixarr/audiobookshelf/default.nix b/nixarr/audiobookshelf/default.nix index f193583..cca49ef 100644 --- a/nixarr/audiobookshelf/default.nix +++ b/nixarr/audiobookshelf/default.nix @@ -116,157 +116,161 @@ in { }; config = let - host = if cfg.vpn.enable then "192.168.15.1" else "127.0.0.1"; - in mkIf (nixarr.enable && cfg.enable) { - assertions = [ - { - assertion = cfg.vpn.enable -> nixarr.vpn.enable; - message = '' - The nixarr.audiobookshelf.vpn.enable option requires the - nixarr.vpn.enable option to be set, but it was not. - ''; - } - { - assertion = !(cfg.vpn.enable && cfg.expose.https.enable); - message = '' - The nixarr.audiobookshelf.vpn.enable option conflicts with the - nixarr.audiobookshelf.expose.https.enable option. You cannot set both. - ''; - } - { - assertion = - cfg.expose.https.enable - -> ( - (cfg.expose.https.domainName != null) - && (cfg.expose.https.acmeMail != null) - ); - message = '' - The nixarr.audiobookshelf.expose.https.enable option requires the - following options to be set, but one of them were not: - - - nixarr.audiobookshelf.expose.domainName - - nixarr.audiobookshelf.expose.acmeMail - ''; - } - ]; - - users = { - groups.${globals.audiobookshelf.group}.gid = globals.gids.${globals.audiobookshelf.group}; - users.${globals.audiobookshelf.user} = { - isSystemUser = true; - group = globals.audiobookshelf.group; - uid = globals.uids.${globals.audiobookshelf.user}; - }; - }; - - systemd.tmpfiles.rules = [ - "d '${cfg.stateDir}' 0700 ${globals.audiobookshelf.user} root - -" - - # Media Dirs - "d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -" - "d '${nixarr.mediaDir}/library/podcasts' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -" - ]; - - systemd.services.audiobookshelf = { - description = "Audiobookshelf is a self-hosted audiobook and podcast server"; - - after = [ "network.target" ]; - wantedBy = [ "multi-user.target" ]; - - serviceConfig = { - IOSchedulingPriority = 0; - Type = "simple"; - User = globals.audiobookshelf.user; - Group = globals.audiobookshelf.group; - StateDirectory = cfg.stateDir; - WorkingDirectory = cfg.stateDir; - ExecStart = "${cfg.package}/bin/audiobookshelf --host ${host} --port ${toString cfg.port}"; - Restart = "on-failure"; - - # Security - ProtectHome = true; - PrivateTmp = true; - PrivateDevices = true; - ProtectHostname = true; - ProtectClock = true; - ProtectKernelTunables = true; - ProtectKernelModules = true; - ProtectKernelLogs = true; - ProtectControlGroups = true; - NoNewPrivileges = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - RemoveIPC = true; - PrivateMounts = true; - ProtectSystem = "strict"; - ReadWritePaths = [cfg.stateDir]; - }; - }; - - networking.firewall = mkIf cfg.expose.https.enable { - allowedTCPPorts = [80 443]; - }; - - util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable { - enable = true; - openTcpPorts = [80 443]; - }; - - services.nginx = mkMerge [ - (mkIf (cfg.expose.https.enable || cfg.vpn.enable) { - enable = true; - - recommendedTlsSettings = true; - recommendedOptimisation = true; - recommendedGzipSettings = true; - }) - (mkIf cfg.expose.https.enable { - virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = { - enableACME = true; - forceSSL = true; - locations."/" = { - recommendedProxySettings = true; - proxyWebsockets = true; - proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}"; - }; - }; - }) - (mkIf cfg.vpn.enable { - virtualHosts."127.0.0.1:${builtins.toString cfg.port}" = mkIf cfg.vpn.enable { - listen = [ - { - addr = "0.0.0.0"; - port = cfg.port; - } - ]; - locations."/" = { - recommendedProxySettings = true; - proxyWebsockets = true; - proxyPass = "http://192.168.15.1:${builtins.toString cfg.port}"; - }; - }; - }) - ]; - - security.acme = mkIf cfg.expose.https.enable { - acceptTerms = true; - defaults.email = cfg.expose.https.acmeMail; - }; - - # Enable and specify VPN namespace to confine service in. - systemd.services.audiobookshelf.vpnConfinement = mkIf cfg.vpn.enable { - enable = true; - vpnNamespace = "wg"; - }; - - # Port mappings - vpnNamespaces.wg = mkIf cfg.vpn.enable { - portMappings = [ + host = + if cfg.vpn.enable + then "192.168.15.1" + else "127.0.0.1"; + in + mkIf (nixarr.enable && cfg.enable) { + assertions = [ { - from = cfg.port; - to = cfg.port; + assertion = cfg.vpn.enable -> nixarr.vpn.enable; + message = '' + The nixarr.audiobookshelf.vpn.enable option requires the + nixarr.vpn.enable option to be set, but it was not. + ''; + } + { + assertion = !(cfg.vpn.enable && cfg.expose.https.enable); + message = '' + The nixarr.audiobookshelf.vpn.enable option conflicts with the + nixarr.audiobookshelf.expose.https.enable option. You cannot set both. + ''; + } + { + assertion = + cfg.expose.https.enable + -> ( + (cfg.expose.https.domainName != null) + && (cfg.expose.https.acmeMail != null) + ); + message = '' + The nixarr.audiobookshelf.expose.https.enable option requires the + following options to be set, but one of them were not: + + - nixarr.audiobookshelf.expose.domainName + - nixarr.audiobookshelf.expose.acmeMail + ''; } ]; + + users = { + groups.${globals.audiobookshelf.group}.gid = globals.gids.${globals.audiobookshelf.group}; + users.${globals.audiobookshelf.user} = { + isSystemUser = true; + group = globals.audiobookshelf.group; + uid = globals.uids.${globals.audiobookshelf.user}; + }; + }; + + systemd.tmpfiles.rules = [ + "d '${cfg.stateDir}' 0700 ${globals.audiobookshelf.user} root - -" + + # Media Dirs + "d '${nixarr.mediaDir}/library/audiobooks' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -" + "d '${nixarr.mediaDir}/library/podcasts' 0775 ${globals.libraryOwner.user} ${globals.libraryOwner.group} - -" + ]; + + systemd.services.audiobookshelf = { + description = "Audiobookshelf is a self-hosted audiobook and podcast server"; + + after = ["network.target"]; + wantedBy = ["multi-user.target"]; + + serviceConfig = { + IOSchedulingPriority = 0; + Type = "simple"; + User = globals.audiobookshelf.user; + Group = globals.audiobookshelf.group; + StateDirectory = cfg.stateDir; + WorkingDirectory = cfg.stateDir; + ExecStart = "${cfg.package}/bin/audiobookshelf --host ${host} --port ${toString cfg.port}"; + Restart = "on-failure"; + + # Security + ProtectHome = true; + PrivateTmp = true; + PrivateDevices = true; + ProtectHostname = true; + ProtectClock = true; + ProtectKernelTunables = true; + ProtectKernelModules = true; + ProtectKernelLogs = true; + ProtectControlGroups = true; + NoNewPrivileges = true; + RestrictRealtime = true; + RestrictSUIDSGID = true; + RemoveIPC = true; + PrivateMounts = true; + ProtectSystem = "strict"; + ReadWritePaths = [cfg.stateDir]; + }; + }; + + networking.firewall = mkIf cfg.expose.https.enable { + allowedTCPPorts = [80 443]; + }; + + util-nixarr.upnp = mkIf cfg.expose.https.upnp.enable { + enable = true; + openTcpPorts = [80 443]; + }; + + services.nginx = mkMerge [ + (mkIf (cfg.expose.https.enable || cfg.vpn.enable) { + enable = true; + + recommendedTlsSettings = true; + recommendedOptimisation = true; + recommendedGzipSettings = true; + }) + (mkIf cfg.expose.https.enable { + virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.expose.https.domainName}" = { + enableACME = true; + forceSSL = true; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://127.0.0.1:${builtins.toString cfg.port}"; + }; + }; + }) + (mkIf cfg.vpn.enable { + virtualHosts."127.0.0.1:${builtins.toString cfg.port}" = mkIf cfg.vpn.enable { + listen = [ + { + addr = "0.0.0.0"; + port = cfg.port; + } + ]; + locations."/" = { + recommendedProxySettings = true; + proxyWebsockets = true; + proxyPass = "http://192.168.15.1:${builtins.toString cfg.port}"; + }; + }; + }) + ]; + + security.acme = mkIf cfg.expose.https.enable { + acceptTerms = true; + defaults.email = cfg.expose.https.acmeMail; + }; + + # Enable and specify VPN namespace to confine service in. + systemd.services.audiobookshelf.vpnConfinement = mkIf cfg.vpn.enable { + enable = true; + vpnNamespace = "wg"; + }; + + # Port mappings + vpnNamespaces.wg = mkIf cfg.vpn.enable { + portMappings = [ + { + from = cfg.port; + to = cfg.port; + } + ]; + }; }; - }; } diff --git a/nixarr/nixarr-command/default.nix b/nixarr/nixarr-command/default.nix index e8a9fb2..520477d 100644 --- a/nixarr/nixarr-command/default.nix +++ b/nixarr/nixarr-command/default.nix @@ -33,74 +33,74 @@ with lib; let find "${nixarr.mediaDir}" \( -type d -exec chmod 0775 {} + -true \) -o \( -exec chmod 0664 {} + \) ${strings.optionalString nixarr.jellyfin.enable '' - chown -R ${globals.libraryOwner.user}:${globals.libraryOwner.group} "${nixarr.mediaDir}/library" - chown -R ${globals.jellyfin.user}:root "${nixarr.jellyfin.stateDir}" - find "${nixarr.jellyfin.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''} + chown -R ${globals.libraryOwner.user}:${globals.libraryOwner.group} "${nixarr.mediaDir}/library" + chown -R ${globals.jellyfin.user}:root "${nixarr.jellyfin.stateDir}" + find "${nixarr.jellyfin.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''} ${strings.optionalString nixarr.plex.enable '' - chown -R ${globals.libraryOwner.user}:${globals.libraryOwner.group} "${nixarr.mediaDir}/library" - chown -R ${globals.plex.user}:root "${nixarr.plex.stateDir}" - find "${nixarr.plex.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''} + chown -R ${globals.libraryOwner.user}:${globals.libraryOwner.group} "${nixarr.mediaDir}/library" + chown -R ${globals.plex.user}:root "${nixarr.plex.stateDir}" + find "${nixarr.plex.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''} ${strings.optionalString nixarr.audiobookshelf.enable '' - chown -R ${globals.libraryOwner.user}:${globals.libraryOwner.group} "${nixarr.mediaDir}/library" - chown -R ${globals.audiobookshelf.user}:root "${nixarr.audiobookshelf.stateDir}" - find "${nixarr.audiobookshelf.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''} + chown -R ${globals.libraryOwner.user}:${globals.libraryOwner.group} "${nixarr.mediaDir}/library" + chown -R ${globals.audiobookshelf.user}:root "${nixarr.audiobookshelf.stateDir}" + find "${nixarr.audiobookshelf.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''} ${strings.optionalString nixarr.transmission.enable '' - chown -R ${globals.transmission.user}:${globals.transmission.group} "${nixarr.mediaDir}/torrents" - chown -R ${globals.transmission.user}:${globals.cross-seed.group} "${nixarr.transmission.stateDir}" - find "${nixarr.transmission.stateDir}" \( -type d -exec chmod 0750 {} + -true \) -o \( -exec chmod 0640 {} + \) - ''} + chown -R ${globals.transmission.user}:${globals.transmission.group} "${nixarr.mediaDir}/torrents" + chown -R ${globals.transmission.user}:${globals.cross-seed.group} "${nixarr.transmission.stateDir}" + find "${nixarr.transmission.stateDir}" \( -type d -exec chmod 0750 {} + -true \) -o \( -exec chmod 0640 {} + \) + ''} ${strings.optionalString nixarr.sabnzbd.enable '' - chown -R ${globals.sabnzbd.user}:${globals.sabnzbd.group} "${nixarr.mediaDir}/usenet" - chown -R ${globals.sabnzbd.user}:root "${nixarr.sabnzbd.stateDir}" - find "${nixarr.sabnzbd.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''} + chown -R ${globals.sabnzbd.user}:${globals.sabnzbd.group} "${nixarr.mediaDir}/usenet" + chown -R ${globals.sabnzbd.user}:root "${nixarr.sabnzbd.stateDir}" + find "${nixarr.sabnzbd.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''} ${strings.optionalString nixarr.transmission.privateTrackers.cross-seed.enable '' - chown -R ${globals.cross-seed.user}:root "${nixarr.transmission.privateTrackers.cross-seed.stateDir}" - find "${nixarr.transmission.privateTrackers.cross-seed.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''} + chown -R ${globals.cross-seed.user}:root "${nixarr.transmission.privateTrackers.cross-seed.stateDir}" + find "${nixarr.transmission.privateTrackers.cross-seed.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''} ${strings.optionalString nixarr.prowlarr.enable '' - chown -R ${globals.prowlarr.user}:root "${nixarr.prowlarr.stateDir}" - find "${nixarr.prowlarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''} + chown -R ${globals.prowlarr.user}:root "${nixarr.prowlarr.stateDir}" + find "${nixarr.prowlarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''} ${strings.optionalString nixarr.sonarr.enable '' - chown -R ${globals.sonarr.user}:root "${nixarr.sonarr.stateDir}" - find "${nixarr.sonarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''} + chown -R ${globals.sonarr.user}:root "${nixarr.sonarr.stateDir}" + find "${nixarr.sonarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''} ${strings.optionalString nixarr.radarr.enable '' - chown -R ${globals.radarr.user}:root "${nixarr.radarr.stateDir}" - find "${nixarr.radarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''} + chown -R ${globals.radarr.user}:root "${nixarr.radarr.stateDir}" + find "${nixarr.radarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''} ${strings.optionalString nixarr.lidarr.enable '' - chown -R ${globals.lidarr.user}:root "${nixarr.lidarr.stateDir}" - find "${nixarr.lidarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''} + chown -R ${globals.lidarr.user}:root "${nixarr.lidarr.stateDir}" + find "${nixarr.lidarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''} ${strings.optionalString nixarr.bazarr.enable '' - chown -R ${globals.bazarr.user}:root "${nixarr.bazarr.stateDir}" - find "${nixarr.bazarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''} + chown -R ${globals.bazarr.user}:root "${nixarr.bazarr.stateDir}" + find "${nixarr.bazarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''} ${strings.optionalString nixarr.readarr.enable '' - chown -R ${globals.readarr.user}:root "${nixarr.readarr.stateDir}" - find "${nixarr.readarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''} + chown -R ${globals.readarr.user}:root "${nixarr.readarr.stateDir}" + find "${nixarr.readarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''} ${strings.optionalString nixarr.readarr-audiobook.enable '' - chown -R ${globals.readarr.user}:root "${nixarr.readarr-audiobook.stateDir}" - find "${nixarr.readarr-audiobook.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''} + chown -R ${globals.readarr.user}:root "${nixarr.readarr-audiobook.stateDir}" + find "${nixarr.readarr-audiobook.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''} ${strings.optionalString nixarr.jellyseerr.enable '' - chown -R ${globals.jellyseerr.user}:root "${nixarr.jellyseerr.stateDir}" - find "${nixarr.jellyseerr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''} + chown -R ${globals.jellyseerr.user}:root "${nixarr.jellyseerr.stateDir}" + find "${nixarr.jellyseerr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''} ${strings.optionalString nixarr.autobrr.enable '' - chown -R ${globals.autobrr.user}:root "${nixarr.autobrr.stateDir}" - find "${nixarr.autobrr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''} + chown -R ${globals.autobrr.user}:root "${nixarr.autobrr.stateDir}" + find "${nixarr.autobrr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''} ${strings.optionalString nixarr.recyclarr.enable '' - chown -R ${globals.recyclarr.user}:root "${nixarr.recyclarr.stateDir}" - find "${nixarr.recyclarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) - ''} + chown -R ${globals.recyclarr.user}:root "${nixarr.recyclarr.stateDir}" + find "${nixarr.recyclarr.stateDir}" \( -type d -exec chmod 0700 {} + -true \) -o \( -exec chmod 0600 {} + \) + ''} } list-unlinked() { @@ -127,5 +127,5 @@ with lib; let ''; }; in { - config.environment.systemPackages = [ nixarr-command ]; + config.environment.systemPackages = [nixarr-command]; }