rasmus-kirk
2024-02-20 15:38:34 +01:00
parent d0a87c984a
commit f5b6c56797
15 changed files with 674 additions and 432 deletions
+5 -4
@@ -14,8 +14,9 @@ in {
./sonarr
./prowlarr
./transmission
../util
];
options.kirk.servarr = {
enable = mkEnableOption ''
My servarr setup. Lets you host the servarr services optionally
@@ -71,7 +72,7 @@ in {
Extra DNS servers for the VPN. If your wg config has a DNS field,
then this should not be necessary.
'';
example = [ "1.1.1.2" ];
example = ["1.1.1.2"];
};
vpnTestService = {
@@ -95,7 +96,7 @@ in {
if you're port forwarding on your VPN provider and you're setting
up services that is not covered in by this module.
'';
example = [ 46382 38473 ];
example = [46382 38473];
};
openUdpPorts = mkOption {
@@ -106,7 +107,7 @@ in {
if you're port forwarding on your VPN provider and you're setting
up services that is not covered in by this module.
'';
example = [ 46382 38473 ];
example = [46382 38473];
};
};
};
+82 -77
@@ -44,94 +44,99 @@ in {
};
};
config =
config =
#assert (!(cfg.useVpn && cfg.nginx.enable)) || abort "useVpn not compatible with nginx.enable.";
#assert (cfg.nginx.enable -> (cfg.nginx.domainName != null && cfg.nginx.acmeMail != null)) || abort "Both nginx.domain and nginx.acmeMail needs to be set if nginx.enable is set.";
mkIf cfg.enable
{
services.jellyfin.enable = cfg.enable;
mkIf cfg.enable
{
services.jellyfin.enable = cfg.enable;
networking.firewall.allowedTCPPorts = if cfg.nginx.enable then [
80 # http
443 # https
] else [];
networking.firewall.allowedTCPPorts =
if cfg.nginx.enable
then [
80 # http
443 # https
]
else [];
services.nginx = mkIf (cfg.nginx.enable || cfg.useVpn) {
enable = true;
services.nginx = mkIf (cfg.nginx.enable || cfg.useVpn) {
enable = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
recommendedTlsSettings = true;
recommendedOptimisation = true;
recommendedGzipSettings = true;
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.nginx.domainName}" = mkIf cfg.nginx.enable {
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://127.0.0.1:${builtins.toString defaultPort}";
virtualHosts."${builtins.replaceStrings ["\n"] [""] cfg.nginx.domainName}" = mkIf cfg.nginx.enable {
enableACME = true;
forceSSL = true;
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://127.0.0.1:${builtins.toString defaultPort}";
};
};
virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = mkIf cfg.useVpn {
listen = [
{
addr = "0.0.0.0";
port = defaultPort;
}
];
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
};
};
};
virtualHosts."127.0.0.1:${builtins.toString defaultPort}" = mkIf cfg.useVpn {
listen = [
{
addr = "0.0.0.0";
port = defaultPort;
security.acme = mkIf cfg.nginx.enable {
acceptTerms = true;
defaults.email = cfg.nginx.acmeMail;
};
kirk.vpnnamespace.portMappings = [
(
mkIf cfg.useVpn {
From = defaultPort;
To = defaultPort;
}
];
locations."/" = {
recommendedProxySettings = true;
proxyWebsockets = true;
proxyPass = "http://192.168.15.1:${builtins.toString defaultPort}";
)
];
containers.jellyfin = mkIf cfg.useVpn {
autoStart = true;
ephemeral = true;
extraFlags = ["--network-namespace-path=/var/run/netns/wg"];
bindMounts = {
"${servarr.mediaDir}/library".isReadOnly = false;
"${cfg.stateDir}".isReadOnly = false;
};
config = {
users.groups.jellyfin = {};
users.users.jellyfin = {
uid = lib.mkForce config.users.users.jellyfin.uid;
isSystemUser = true;
group = "jellyfin";
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
networking.useHostResolvConf = lib.mkForce false;
services.resolved.enable = true;
networking.nameservers = dnsServers;
services.jellyfin = {
enable = true;
group = "jellyfin";
dataDir = "${cfg.stateDir}";
};
system.stateVersion = "23.11";
};
};
};
security.acme = mkIf cfg.nginx.enable {
acceptTerms = true;
defaults.email = cfg.nginx.acmeMail;
};
kirk.vpnnamespace.portMappings = [(
mkIf cfg.useVpn {
From = defaultPort;
To = defaultPort;
}
)];
containers.jellyfin = mkIf cfg.useVpn {
autoStart = true;
ephemeral = true;
extraFlags = [ "--network-namespace-path=/var/run/netns/wg" ];
bindMounts = {
"${servarr.mediaDir}/library".isReadOnly = false;
"${cfg.stateDir}".isReadOnly = false;
};
config = {
users.groups.jellyfin = {};
users.users.jellyfin = {
uid = lib.mkForce config.users.users.jellyfin.uid;
isSystemUser = true;
group = "jellyfin";
};
# Use systemd-resolved inside the container
# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
networking.useHostResolvConf = lib.mkForce false;
services.resolved.enable = true;
networking.nameservers = dnsServers;
services.jellyfin = {
enable = true;
group = "jellyfin";
dataDir = "${cfg.stateDir}";
};
system.stateVersion = "23.11";
};
};
};
}
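Review bot: The two invariants at the top of `config` (`useVpn` incompatible with `nginx.enable`; `domainName` and `acmeMail` required when `nginx.enable`) are still commented out, so nothing enforces them — with `nginx.enable` set and a null `domainName` the `builtins.replaceStrings` on the virtualHost name fails at evaluation with an unrelated-looking type error, and `useVpn` together with `nginx.enable` silently configures both vhosts. NixOS modules express this with the `assertions` option rather than `assert`/`abort`, which also surfaces the intended message to the user; the replacement below goes at the top of the `mkIf cfg.enable { … }` attrset. Separately, `services.jellyfin.enable = cfg.enable;` is unconditional, so with `useVpn` the host appears to run its own Jellyfin next to the container copy, and the nginx listener on `0.0.0.0:${defaultPort}` would then compete with it for the port if `defaultPort` is Jellyfin's own port — `defaultPort` is defined outside this hunk, so please confirm.
```nix
mkIf cfg.enable
{
  # Fail evaluation with a readable message instead of leaving these invariants unchecked.
  assertions = [
    {
      assertion = !(cfg.useVpn && cfg.nginx.enable);
      message = "useVpn is not compatible with nginx.enable.";
    }
    {
      assertion = cfg.nginx.enable -> (cfg.nginx.domainName != null && cfg.nginx.acmeMail != null);
      message = "Both nginx.domainName and nginx.acmeMail must be set when nginx.enable is set.";
    }
  ];
  services.jellyfin.enable = cfg.enable;
  # … unchanged: firewall, nginx, acme, vpnnamespace portMappings, container …
```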
+10 -8
@@ -35,17 +35,19 @@ in {
dataDir = cfg.stateDir;
};
kirk.vpnnamespace.portMappings = [(
mkIf cfg.useVpn {
From = defaultPort;
To = defaultPort;
}
)];
kirk.vpnnamespace.portMappings = [
(
mkIf cfg.useVpn {
From = defaultPort;
To = defaultPort;
}
)
];
containers.lidarr= mkIf cfg.useVpn {
containers.lidarr = mkIf cfg.useVpn {
autoStart = true;
ephemeral = true;
extraFlags = [ "--network-namespace-path=/var/run/netns/wg" ];
extraFlags = ["--network-namespace-path=/var/run/netns/wg"];
bindMounts = {
"${servarr.mediaDir}".isReadOnly = false;
+10 -8
@@ -38,18 +38,20 @@ in {
enable = true;
openFirewall = true;
};
kirk.vpnnamespace.portMappings = [(
mkIf cfg.useVpn {
From = defaultPort;
To = defaultPort;
}
)];
kirk.vpnnamespace.portMappings = [
(
mkIf cfg.useVpn {
From = defaultPort;
To = defaultPort;
}
)
];
containers.prowlarr = mkIf cfg.useVpn {
autoStart = true;
ephemeral = true;
extraFlags = [ "--network-namespace-path=/var/run/netns/wg" ];
extraFlags = ["--network-namespace-path=/var/run/netns/wg"];
bindMounts = {
"/var/lib/prowlarr" = {
+10 -9
@@ -39,17 +39,19 @@ in {
dataDir = cfg.stateDir;
};
kirk.vpnnamespace.portMappings = [(
mkIf cfg.useVpn {
From = defaultPort;
To = defaultPort;
}
)];
kirk.vpnnamespace.portMappings = [
(
mkIf cfg.useVpn {
From = defaultPort;
To = defaultPort;
}
)
];
containers.radarr= mkIf cfg.useVpn {
containers.radarr = mkIf cfg.useVpn {
autoStart = true;
ephemeral = true;
extraFlags = [ "--network-namespace-path=/var/run/netns/wg" ];
extraFlags = ["--network-namespace-path=/var/run/netns/wg"];
bindMounts = {
"${servarr.mediaDir}".isReadOnly = false;
@@ -103,6 +105,5 @@ in {
};
};
};
};
}
+9 -8
@@ -35,17 +35,19 @@ in {
dataDir = cfg.stateDir;
};
kirk.vpnnamespace.portMappings = [(
mkIf cfg.useVpn {
From = defaultPort;
To = defaultPort;
}
)];
kirk.vpnnamespace.portMappings = [
(
mkIf cfg.useVpn {
From = defaultPort;
To = defaultPort;
}
)
];
containers.readarr = mkIf cfg.useVpn {
autoStart = true;
ephemeral = true;
extraFlags = [ "--network-namespace-path=/var/run/netns/wg" ];
extraFlags = ["--network-namespace-path=/var/run/netns/wg"];
bindMounts = {
"${servarr.mediaDir}".isReadOnly = false;
@@ -99,6 +101,5 @@ in {
};
};
};
};
}
+1 -2
@@ -1,6 +1,5 @@
# TODO: Dir creation and file permissions in nix
{
pkgs,
config,
lib,
...
@@ -49,7 +48,7 @@ in {
containers.sonarr = mkIf cfg.useVpn {
autoStart = true;
ephemeral = true;
extraFlags = [ "--network-namespace-path=/var/run/netns/wg" ];
extraFlags = ["--network-namespace-path=/var/run/netns/wg"];
bindMounts = {
"${servarr.mediaDir}".isReadOnly = false;
+63 -51
@@ -67,47 +67,54 @@ in {
enable = true;
group = "media";
#home = cfg.stateDir;
webHome = if cfg.useFlood then pkgs.flood-for-transmission else null;
webHome =
if cfg.useFlood
then pkgs.flood-for-transmission
else null;
package = pkgs.transmission_4;
openRPCPort = true;
openPeerPorts = true;
settings = {
download-dir = "${servarr.mediaDir}/torrents";
incomplete-dir-enabled = true;
incomplete-dir = "${servarr.mediaDir}/torrents/.incomplete";
watch-dir-enabled = true;
watch-dir = "${servarr.mediaDir}/torrents/.watch";
settings =
{
download-dir = "${servarr.mediaDir}/torrents";
incomplete-dir-enabled = true;
incomplete-dir = "${servarr.mediaDir}/torrents/.incomplete";
watch-dir-enabled = true;
watch-dir = "${servarr.mediaDir}/torrents/.watch";
rpc-port = cfg.uiPort;
rpc-whitelist-enabled = true;
rpc-whitelist = "192.168.15.1,127.0.0.1";
rpc-authentication-required = true;
rpc-port = cfg.uiPort;
rpc-whitelist-enabled = true;
rpc-whitelist = "192.168.15.1,127.0.0.1";
rpc-authentication-required = true;
blocklist-enabled = true;
blocklist-url = "https://github.com/Naunter/BT_BlockLists/raw/master/bt_blocklists.gz";
blocklist-enabled = true;
blocklist-url = "https://github.com/Naunter/BT_BlockLists/raw/master/bt_blocklists.gz";
encryption = 1;
utp-enabled = true;
port-forwarding-enabled = false;
encryption = 1;
utp-enabled = true;
port-forwarding-enabled = false;
anti-brute-force-enabled = true;
anti-brute-force-threshold = 10;
} // cfg.extraConfig;
anti-brute-force-enabled = true;
anti-brute-force-threshold = 10;
}
// cfg.extraConfig;
};
kirk.vpnnamespace = mkIf cfg.useVpn {
portMappings = [{
From = cfg.uiPort;
To = cfg.uiPort;
}];
openUdpPorts = [ cfg.peerPort ];
openTcpPorts = [ cfg.peerPort ];
portMappings = [
{
From = cfg.uiPort;
To = cfg.uiPort;
}
];
openUdpPorts = [cfg.peerPort];
openTcpPorts = [cfg.peerPort];
};
containers.transmission = mkIf cfg.useVpn {
autoStart = true;
ephemeral = true;
extraFlags = [ "--network-namespace-path=/var/run/netns/wg" ];
extraFlags = ["--network-namespace-path=/var/run/netns/wg"];
bindMounts = {
"${servarr.mediaDir}/torrents".isReadOnly = false;
@@ -142,39 +149,44 @@ in {
enable = true;
# This is maybe wrong, too afraid to fix it lol
group = "media";
webHome = if cfg.useFlood then pkgs.flood-for-transmission else null;
webHome =
if cfg.useFlood
then pkgs.flood-for-transmission
else null;
package = pkgs.transmission_4;
openRPCPort = true;
openPeerPorts = true;
settings = {
download-dir = "${servarr.mediaDir}/torrents";
incomplete-dir-enabled = true;
incomplete-dir = "${servarr.mediaDir}/torrents/.incomplete";
watch-dir-enabled = true;
watch-dir = "${servarr.mediaDir}/torrents/.watch";
settings =
{
download-dir = "${servarr.mediaDir}/torrents";
incomplete-dir-enabled = true;
incomplete-dir = "${servarr.mediaDir}/torrents/.incomplete";
watch-dir-enabled = true;
watch-dir = "${servarr.mediaDir}/torrents/.watch";
rpc-bind-address = "192.168.15.1";
rpc-port = cfg.uiPort;
rpc-whitelist-enabled = false;
rpc-whitelist = "192.168.15.1,127.0.0.1";
rpc-authentication-required = false;
rpc-bind-address = "192.168.15.1";
rpc-port = cfg.uiPort;
rpc-whitelist-enabled = false;
rpc-whitelist = "192.168.15.1,127.0.0.1";
rpc-authentication-required = false;
blocklist-enabled = true;
blocklist-url = "https://github.com/Naunter/BT_BlockLists/raw/master/bt_blocklists.gz";
blocklist-enabled = true;
blocklist-url = "https://github.com/Naunter/BT_BlockLists/raw/master/bt_blocklists.gz";
peer-port = cfg.peerPort;
dht-enabled = true;
pex-enabled = true;
utp-enabled = false;
encryption = 1;
port-forwarding-enabled = false;
peer-port = cfg.peerPort;
dht-enabled = true;
pex-enabled = true;
utp-enabled = false;
encryption = 1;
port-forwarding-enabled = false;
anti-brute-force-enabled = true;
anti-brute-force-threshold = 10;
anti-brute-force-enabled = true;
anti-brute-force-threshold = 10;
# 0 = None, 1 = Critical, 2 = Error, 3 = Warn, 4 = Info, 5 = Debug, 6 = Trace
message-level = 3;
} // cfg.extraConfig;
# 0 = None, 1 = Critical, 2 = Error, 3 = Warn, 4 = Info, 5 = Debug, 6 = Trace
message-level = 3;
}
// cfg.extraConfig;
};
environment.systemPackages = with pkgs; [
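Review bot: In the container settings (second hunk) the RPC is served with `rpc-whitelist-enabled = false` and `rpc-authentication-required = false`, so anything that can reach `192.168.15.1:${cfg.uiPort}` — the host end of the veth and whatever the `portMappings` entry in the first hunk exposes beyond it — gets an unauthenticated Transmission RPC that can add torrents and change `download-dir`; `anti-brute-force-enabled = true` does nothing without authentication. Unlike the host-side path above, which requires auth and enables the whitelist, this relies entirely on network position, which I cannot verify here because the vpnnamespace module is not part of this diff. I would set `rpc-authentication-required = true;` and point the module's `credentialsFile` option at a secret kept out of the store, or at least re-enable the whitelist with `rpc-whitelist-enabled = true;` — note the existing list `"192.168.15.1,127.0.0.1"` only names the bind address and loopback, so the host-side veth address would have to be added for the proxy to keep working. If leaving it open is deliberate, say so next to the two lines, e.g. `# RPC is intentionally unauthenticated: only reachable from the host side of the wg namespace veth`.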