diff --git a/checks.nix b/checks.nix
index 173c1d4..8ecf45d 100644
--- a/checks.nix
+++ b/checks.nix
@@ -30,12 +30,11 @@
editorconfig-checker.enable = true;
fix-byte-order-marker.enable = true;
# flake-checker.enable = true;
- nil.enable = true;
nixfmt-rfc-style.enable = true;
prettier.enable = true;
shellcheck.enable = true;
shfmt.enable = true;
- statix.enable = true;
+ statix.enable = false; # Doesn't support pipes yet.
yamllint.enable = true;
};
};
diff --git a/configurations/eonwe/default.nix b/configurations/eonwe/default.nix
index 875f737..68cfac4 100644
--- a/configurations/eonwe/default.nix
+++ b/configurations/eonwe/default.nix
@@ -277,6 +277,17 @@ with lib;
# [1]: https://github.com/nix-community/impermanence/issues/22
# [1]: https://github.com/NixOS/nixpkgs/pull/86967#pullrequestreview-667929259
"/home/${my.username}".neededForBoot = true;
+
+ "/mnt/ydata/music" = {
+ device = "yavanna.shire.net:/export/music";
+ fsType = "nfs";
+ options = [
+ "ro"
+ "noauto"
+ "x-systemd.automount"
+ "x-systemd.idle-timeout=${5 * 60 |> toString}"
+ ];
+ };
};
zramSwap = {
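Review bot: The new `/mnt/ydata/music` entry mounts the NFS share with `ro`, `noauto` and the automount options but without `nosuid` or `nodev`, so this host would honour setuid bits and device nodes presented by the server. The share only carries media, so adding `"nosuid"`, `"nodev"` and `"noexec"` to `options` costs nothing and limits what a compromised or misconfigured server can hand to the client. The `fileSystems` block starts outside this hunk.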
@@ -284,7 +295,10 @@ with lib;
memoryPercent = 50;
};
- my.extraGroups = [ "corectrl" ];
+ my.extraGroups = [
+ "corectrl"
+ config.nixfiles.modules.piracy.group
+ ];
users = {
users.builder = {
@@ -295,7 +309,12 @@ with lib;
];
useDefaultShell = true;
};
- groups.builder = { };
+ groups = {
+ builder = { };
+ piracy = {
+ inherit (config.nixfiles.modules.piracy) gid;
+ };
+ };
};
nix.settings.trusted-users = [ "builder" ];
diff --git a/configurations/eonwe/vidya.nix b/configurations/eonwe/vidya.nix
index a40daa9..0cde57a 100644
--- a/configurations/eonwe/vidya.nix
+++ b/configurations/eonwe/vidya.nix
@@ -10,34 +10,32 @@
games = {
lutris.enable = true;
-
steam.enable = true;
- steam-run.quirks = {
- blackIsleStudios = true;
- cryptOfTheNecrodancer = true;
- mountAndBladeWarband = false;
- };
-
- minecraft.client.enable = true;
+ # steam-run.quirks = {
+ # blackIsleStudios = true;
+ # cryptOfTheNecrodancer = true;
+ # mountAndBladeWarband = false;
+ # };
+ # minecraft.client.enable = true;
};
};
hm.home.packages = with pkgs; [
- (crawl.override { tileMode = true; })
- (dwarf-fortress-packages.dwarf-fortress-full.override {
- dfVersion = "50.13";
- theme = "cla";
- enableIntro = false;
- enableFPS = true;
- })
- fallout-ce
- fallout2-ce
- gzdoom
- openmw
- openttd
- qzdl
- r2modman
+ # (crawl.override { tileMode = true; })
+ # (dwarf-fortress-packages.dwarf-fortress-full.override {
+ # dfVersion = "50.13";
+ # theme = "cla";
+ # enableIntro = false;
+ # enableFPS = true;
+ # })
+ # fallout-ce
+ # fallout2-ce
+ # gzdoom
+ # openmw
+ # openttd
+ # qzdl
+ # r2modman
+ # xonotic
vcmi
- xonotic
];
}
diff --git a/configurations/yavanna/default.nix b/configurations/yavanna/default.nix
index b9de05e..b827dd9 100644
--- a/configurations/yavanna/default.nix
+++ b/configurations/yavanna/default.nix
@@ -1,4 +1,9 @@
-_: {
+{
+ config,
+ lib,
+ ...
+}:
+{
nixfiles.modules = {
wireguard.client.enable = true;
@@ -6,9 +11,31 @@ _: {
acme.enable = true;
- rtorrent.enable = true;
- lidarr.enable = true;
- jackett.enable = true;
+ piracy = {
+ enable = true;
+ lidarr.enable = true;
+ radarr.enable = false;
+ sonarr.enable = false;
+ };
+ };
+
+ services.nfs.server = {
+ enable = true;
+ exports =
+ lib.concatMapStringsSep "\n"
+ (
+ dir:
+ let
+ target = s: "${s}(insecure,ro,no_subtree_check)";
+ v4 = target config.nixfiles.modules.wireguard.ipv4.subnet;
+ v6 = target config.nixfiles.modules.wireguard.ipv6.subnet;
+ in
+ "${dir} ${v4} ${v6}"
+ )
+ [
+ "/export/rtorrent"
+ "/export/music"
+ ];
};
boot.loader.grub = {
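Review bot: The `target` helper exports both directories with `insecure`, which accepts requests from unprivileged source ports, so any local process on a peer in the WireGuard subnets can talk to the NFS server directly, not only that peer's root-owned client. No `sec=` option is set, so the server presumably uses the default `sys` flavour and trusts the uid/gid each client sends; the `0750` mode on `/export/rtorrent` then does not restrict a peer that claims the piracy gid. Unless a client needs it, I would drop the flag, `target = s: "${s}(ro,no_subtree_check)";`, and export to the specific peer addresses that mount the shares instead of the whole `ipv4.subnet` / `ipv6.subnet`. Whether the NFS port is reachable only over WireGuard is not visible in this hunk and is worth confirming.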
@@ -17,10 +44,17 @@ _: {
configurationLimit = 5;
};
- fileSystems."/" = {
- device = "/dev/sda2";
- fsType = "ext4";
- options = [ "noatime" ];
+ fileSystems = {
+ "/" = {
+ device = "/dev/sda2";
+ fsType = "ext4";
+ options = [ "noatime" ];
+ };
+
+ "/export/music" = {
+ device = "/var/lib/lidarr/root";
+ options = [ "bind" ];
+ };
};
swapDevices = [ { device = "/dev/sda3"; } ];
diff --git a/flake.lock b/flake.lock
index 0eabee8..850db7c 100644
--- a/flake.lock
+++ b/flake.lock
@@ -229,11 +229,11 @@
]
},
"locked": {
- "lastModified": 1735048446,
- "narHash": "sha256-Tc35Y8H+krA6rZeOIczsaGAtobSSBPqR32AfNTeHDRc=",
+ "lastModified": 1735468753,
+ "narHash": "sha256-2dt1nOe9zf9pDkf5Kn7FUFyPRo581s0n90jxYXJ94l0=",
"owner": "nix-community",
"repo": "disko",
- "rev": "3a4de9fa3a78ba7b7170dda6bd8b4cdab87c0b21",
+ "rev": "84a5b93637cc16cbfcc61b6e1684d626df61eb21",
"type": "github"
},
"original": {
@@ -285,11 +285,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
- "lastModified": 1733312601,
- "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=",
+ "lastModified": 1736143030,
+ "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=",
"owner": "hercules-ci",
"repo": "flake-parts",
- "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9",
+ "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de",
"type": "github"
},
"original": {
@@ -361,17 +361,45 @@
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1735882644,
+ "narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=",
+ "owner": "cachix",
+ "repo": "git-hooks.nix",
+ "rev": "a5a961387e75ae44cc20f0a57ae463da5e959656",
+ "type": "github"
+ },
+ "original": {
+ "owner": "cachix",
+ "repo": "git-hooks.nix",
+ "type": "github"
+ }
+ },
+ "git-hooks_2": {
+ "inputs": {
+ "flake-compat": [
+ "stylix",
+ "flake-compat"
+ ],
+ "gitignore": "gitignore_2",
+ "nixpkgs": [
+ "stylix",
+ "nixpkgs"
],
"nixpkgs-stable": [
- "nixpkgs-stable"
+ "stylix",
+ "git-hooks",
+ "nixpkgs"
]
},
"locked": {
- "lastModified": 1734797603,
- "narHash": "sha256-ulZN7ps8nBV31SE+dwkDvKIzvN6hroRY8sYOT0w+E28=",
+ "lastModified": 1731363552,
+ "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=",
"owner": "cachix",
"repo": "git-hooks.nix",
- "rev": "f0f0dc4920a903c3e08f5bdb9246bb572fcae498",
+ "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0",
"type": "github"
},
"original": {
@@ -401,6 +429,28 @@
"type": "github"
}
},
+ "gitignore_2": {
+ "inputs": {
+ "nixpkgs": [
+ "stylix",
+ "git-hooks",
+ "nixpkgs"
+ ]
+ },
+ "locked": {
+ "lastModified": 1709087332,
+ "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+ "type": "github"
+ },
+ "original": {
+ "owner": "hercules-ci",
+ "repo": "gitignore.nix",
+ "type": "github"
+ }
+ },
"gnome-shell": {
"flake": false,
"locked": {
@@ -425,11 +475,11 @@
]
},
"locked": {
- "lastModified": 1735381016,
- "narHash": "sha256-CyCZFhMUkuYbSD6bxB/r43EdmDE7hYeZZPTCv0GudO4=",
+ "lastModified": 1736089250,
+ "narHash": "sha256-/LPWMiiJGPHGd7ZYEgmbE2da4zvBW0acmshUjYC3WG4=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "10e99c43cdf4a0713b4e81d90691d22c6a58bdf2",
+ "rev": "172b91bfb2b7f5c4a8c6ceac29fd53a01ef07196",
"type": "github"
},
"original": {
@@ -472,11 +522,11 @@
"infuse": {
"flake": false,
"locked": {
- "lastModified": 1735391646,
- "narHash": "sha256-hT6nV+C8VmdC7yUFA8lBTYqHyehSewQAcesQa8Xjrew=",
+ "lastModified": 1735727689,
+ "narHash": "sha256-/aTuYtM+ZJovkhJMNYl0sGpYxTBiFfm/hMKo8Nst+jM=",
"ref": "refs/heads/trunk",
- "rev": "a9baa4b0ac2f88a6aad540831bc5958891b68b5e",
- "revCount": 44,
+ "rev": "9773c94d65779efb420ed613ba9a7769c978bddd",
+ "revCount": 46,
"type": "git",
"url": "https://codeberg.org/amjoseph/infuse.nix"
},
@@ -523,11 +573,11 @@
]
},
"locked": {
- "lastModified": 1735437273,
- "narHash": "sha256-MSB8fwFAV/9KOcnlmrZvjJkL4o0QkzzUUPb/PT3YQII=",
+ "lastModified": 1736128264,
+ "narHash": "sha256-B2RuVaQBbVChPf9ZqRBEqUA09MCD5P/iBpOokoXd5gM=",
"owner": "Infinidoge",
"repo": "nix-minecraft",
- "rev": "37ae8c818d9943c0b60826ace55aaf5bd065a3c2",
+ "rev": "eefeae9b72d15f69e7264a6a87fba6ecc9782496",
"type": "github"
},
"original": {
@@ -543,11 +593,11 @@
]
},
"locked": {
- "lastModified": 1735443188,
- "narHash": "sha256-AydPpRBh8+NOkrLylG7vTsHrGO2b5L7XkMEL5HlzcA8=",
+ "lastModified": 1736047960,
+ "narHash": "sha256-hutd85FA1jUJhhqBRRJ+u7UHO9oFGD/RVm2x5w8WjVQ=",
"owner": "nix-community",
"repo": "nix-index-database",
- "rev": "55ab1e1df5daf2476e6b826b69a82862dcbd7544",
+ "rev": "816a6ae88774ba7e74314830546c29e134e0dffb",
"type": "github"
},
"original": {
@@ -570,11 +620,11 @@
]
},
"locked": {
- "lastModified": 1734639503,
- "narHash": "sha256-Z58HeNQpfbi94Cw8VxdF1GtU1S5AoWO0hfJTxA6wu78=",
+ "lastModified": 1736111688,
+ "narHash": "sha256-5z1ZgHgrr1qI0ve+mc0SjbL5PGbDLZb/3uijpmLIWT8=",
"owner": "oddlama",
"repo": "nix-topology",
- "rev": "d6edd49bac68dc70e19b5e91617b9f04e8ac1c43",
+ "rev": "ac1aa5116d858fdff131625dde59a988f74efb11",
"type": "github"
},
"original": {
@@ -647,23 +697,23 @@
},
"nixpkgs-lib": {
"locked": {
- "lastModified": 1733096140,
- "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=",
+ "lastModified": 1735774519,
+ "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=",
"type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
+ "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
},
"original": {
"type": "tarball",
- "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz"
+ "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz"
}
},
"nixpkgs-master": {
"locked": {
- "lastModified": 1735464802,
- "narHash": "sha256-W8WRoQlkS9ZqOaR9Lmphg6aODYxNCLSnvO4laH0YtMU=",
+ "lastModified": 1736163950,
+ "narHash": "sha256-w+Kk+zA8R2Oae4i2jC8IflJsfjogOKy8pm3H28k5zY4=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "1bdf3ca3ad39a0a837746f81bb2eb6adb518abee",
+ "rev": "19ab97dfada0904de0ff1329d93f6bbadf8269f3",
"type": "github"
},
"original": {
@@ -675,11 +725,11 @@
},
"nixpkgs-stable": {
"locked": {
- "lastModified": 1735336148,
- "narHash": "sha256-J3W9UW0fDdytCZGtZE7+ark8dp/au71Z9C1J7VrdIvY=",
+ "lastModified": 1735651292,
+ "narHash": "sha256-YLbzcBtYo1/FEzFsB3AnM16qFc6fWPMIoOuSoDwvg9g=",
"owner": "NixOS",
"repo": "nixpkgs",
- "rev": "d19eb06286da7d91276afccb4ffb2bd85da6f65d",
+ "rev": "0da3c44a9460a26d2025ec3ed2ec60a895eb1114",
"type": "github"
},
"original": {
@@ -760,11 +810,11 @@
]
},
"locked": {
- "lastModified": 1735379278,
- "narHash": "sha256-DpihJuI9SaWOUc1lRrw+e5014Qj+WHn9Xla89jxA6jk=",
+ "lastModified": 1735858634,
+ "narHash": "sha256-qp83fDr3W5b6QoWSp+vfcH1vFNEhreW98qe9tlhSaXE=",
"owner": "nix-community",
"repo": "srvos",
- "rev": "e3b404890cfb44caec3edc8b84facb8934299428",
+ "rev": "eea4ff2050968da5134788c73d63a2461f9daf27",
"type": "github"
},
"original": {
@@ -783,6 +833,7 @@
"flake-compat"
],
"flake-utils": "flake-utils_2",
+ "git-hooks": "git-hooks_2",
"gnome-shell": "gnome-shell",
"home-manager": [
"home-manager"
@@ -796,11 +847,11 @@
"tinted-tmux": "tinted-tmux"
},
"locked": {
- "lastModified": 1735253599,
- "narHash": "sha256-aKLAUkdeMH2N5gMDNiOC7KghRNy1necLtLa9+zUcj1g=",
+ "lastModified": 1736011580,
+ "narHash": "sha256-8gmk/i9ZA5C6LGRnqHb5sZ8UKaqT5GnS6XxeSPMSz+s=",
"owner": "danth",
"repo": "stylix",
- "rev": "963e77a3a4fc2be670d5a9a6cbeb249b8a43808a",
+ "rev": "7dfcdb410118dcd02ba1d85a2179a6f1c877403f",
"type": "github"
},
"original": {
@@ -917,11 +968,11 @@
]
},
"locked": {
- "lastModified": 1735437250,
- "narHash": "sha256-UMLwX1WiR2cjJndlKHm4WXQ8fBKJPMMSUsk+YjsjTl8=",
+ "lastModified": 1736128196,
+ "narHash": "sha256-wSVfnO8Hixn767LsdAE/FIHO5IemkfbTEZZ03+HUowM=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
- "rev": "adf374ae7e5237a3aa03e88503644732ea15045d",
+ "rev": "ba2fa846fba43fb9c8cd71b1435d227a7925fae0",
"type": "github"
},
"original": {
diff --git a/lib/my.nix b/lib/my.nix
index 3a8058e..20f01be 100644
--- a/lib/my.nix
+++ b/lib/my.nix
@@ -178,6 +178,7 @@ with lib;
"flood.${shire}"
"jackett.${shire}"
"lidarr.${shire}"
+ "prowlarr.${shire}"
];
syncthing.id = "@SYNCTHING_ID@";
diff --git a/modules/beets.nix b/modules/beets.nix
index 732f400..c25ad53 100644
--- a/modules/beets.nix
+++ b/modules/beets.nix
@@ -49,10 +49,17 @@ in
original_date = true;
import = {
write = true;
- copy = true;
+ copy = true; # sshfs mount and `beet import` the required directory.
move = false;
- bell = true;
+ link = false;
+ hardlink = false;
+ reflink = false;
+ resume = false;
+ incremental = true;
+ incremental_skip_later = false;
from_scratch = true;
+ quiet = false;
+ bell = true;
};
match = {
preferred = {
diff --git a/modules/common/ark.nix b/modules/common/ark.nix
index f297fce..e3ea4c5 100644
--- a/modules/common/ark.nix
+++ b/modules/common/ark.nix
@@ -46,7 +46,7 @@ in
config = lib.mkIf cfg.enable {
environment.persistence.${cfg.path} = {
hideMounts = true;
- enableDebugging = true;
+ enableDebugging = false;
enableWarnings = true;
inherit (cfg) directories files;
};
diff --git a/modules/monitoring/default.nix b/modules/monitoring/default.nix
index a3e57d3..164ac5d 100644
--- a/modules/monitoring/default.nix
+++ b/modules/monitoring/default.nix
@@ -189,6 +189,14 @@ in
];
inherit (config.services.endlessh-go.prometheus) port;
};
+ exportarr-prowlarr = {
+ hosts = [ yavanna ];
+ inherit (config.services.prometheus.exporters.exportarr-prowlarr) port;
+ };
+ exportarr-lidarr = {
+ hosts = [ yavanna ];
+ inherit (config.services.prometheus.exporters.exportarr-lidarr) port;
+ };
nginx = {
hosts = [
manwe
@@ -221,10 +229,6 @@ in
hosts = [ manwe ];
inherit (config.services.prometheus.exporters.wireguard) port;
};
- exportarr-lidarr = {
- hosts = [ yavanna ];
- inherit (config.services.prometheus.exporters.exportarr-lidarr) port;
- };
};
ruleFiles = [
diff --git a/modules/nsd.nix b/modules/nsd.nix
index acf7e27..13cebe9 100644
--- a/modules/nsd.nix
+++ b/modules/nsd.nix
@@ -103,7 +103,7 @@ in
SOA = {
nameServer = "${cfg.fqdn}.";
adminEmail = "admin+dns@${my.domain.shire}";
- serial = 2022091601; # Don't forget to bump the revision!
+ serial = 2024010301; # Don't forget to bump the revision!
};
NS = with my.domain; [
@@ -163,6 +163,7 @@ in
flood = yavanna;
jackett = yavanna;
lidarr = yavanna;
+ prowlarr = yavanna;
};
}
];
diff --git a/modules/piracy/default.nix b/modules/piracy/default.nix
new file mode 100644
index 0000000..be957f0
--- /dev/null
+++ b/modules/piracy/default.nix
@@ -0,0 +1,177 @@
+{
+ config,
+ lib,
+ libNginx,
+ pkgs,
+ ...
+}:
+let
+ cfg = config.nixfiles.modules.piracy;
+in
+{
+ imports = lib.attrValues (lib.modulesIn ./.);
+
+ options.nixfiles.modules.piracy = {
+ enable = lib.mkEnableOption "tools for working with the BitTorrent protocol";
+
+ group = lib.mkOption {
+ type = lib.types.str;
+ default = "piracy";
+ };
+ gid = lib.mkOption {
+ type = lib.types.int;
+ default = 210; # Unused UID from Nixpkgs.
+ };
+
+ flood = {
+ enable = lib.mkEnableOption "Flood" // {
+ default = cfg.enable;
+ };
+
+ domain = lib.mkOption {
+ description = "Domain name sans protocol scheme.";
+ type = lib.types.str;
+ default = "flood.${config.networking.domain}";
+ };
+ };
+ };
+
+ config =
+ let
+ files = "/export/rtorrent";
+ socket = "/run/rtorrent/rpc.sock";
+ in
+ lib.mkIf cfg.enable (
+ lib.mkMerge [
+ {
+ ark.directories = [
+ config.services.rtorrent.dataDir
+ files
+ ];
+
+ services.rtorrent = {
+ enable = true;
+
+ user = "rtorrent";
+ inherit (cfg) group;
+
+ rpcSocket = socket;
+ configText =
+ with config.services.rtorrent;
+ lib.mkForce ''
+ directory.default.set = ${files}
+ session.path.set = ${dataDir}/session
+
+ network.port_range.set = ${toString port}-${toString port}
+ network.port_random.set = no
+
+ dht.mode.set = disable
+ protocol.pex.set = no
+
+ trackers.use_udp.set = no
+
+ protocol.encryption.set = allow_incoming,try_outgoing,enable_retry
+
+ pieces.memory.max.set = ${toString (lib.pow 2 11)}M
+ pieces.preload.type.set = 2
+
+ network.max_open_files.set = ${toString (lib.pow 2 13)}
+ network.max_open_sockets.set = ${toString (lib.pow 2 13)}
+
+ network.http.max_open.set = ${toString (lib.pow 2 10)}
+
+ throttle.global_down.max_rate.set_kb = 0
+ throttle.global_up.max_rate.set_kb = 0
+
+ network.scgi.open_local = ${socket}
+ network.xmlrpc.size_limit.set = ${toString (lib.pow 2 17)}
+
+ encoding.add = utf8
+ system.umask.set = 0007
+
+ log.open_file = "log", "/var/log/rtorrent/log"
+ log.add_output = "info", "log"
+ '';
+ };
+
+ systemd = {
+ sockets.rtorrent = {
+ socketConfig.ListenStream = socket;
+ wantedBy = [ "sockets.target" ];
+ };
+
+ services.rtorrent = {
+ serviceConfig = {
+ UMask = "0007";
+ RuntimeDirectory = "rtorrent";
+ LogsDirectory = "rtorrent";
+ ReadWritePaths = [ files ];
+ };
+ after = [ "rtorrent.socket" ];
+ requires = [ "rtorrent.socket" ];
+ };
+
+ tmpfiles.rules = with config.services.rtorrent; [
+ "d '${files}' 0750 ${user} ${cfg.group} -"
+ ];
+ };
+
+ users = {
+ users.${config.services.rtorrent.user}.uid = cfg.gid;
+ groups.${config.services.rtorrent.group}.gid = cfg.gid;
+ };
+ my.extraGroups = [ cfg.group ];
+
+ boot.kernel.sysctl = {
+ "net.core.rmem_max" = lib.mkOverride 500 (lib.pow 2 24);
+ "net.core.wmem_max" = lib.mkOverride 500 (lib.pow 2 24);
+ "net.ipv4.tcp_fin_timeout" = lib.mkOverride 500 30;
+ "net.ipv4.tcp_rmem" = lib.mkOverride 500 (lib.mkTcpMem 12 23 24);
+ "net.ipv4.tcp_slow_start_after_idle" = 0;
+ "net.ipv4.tcp_tw_recycle" = lib.mkOverride 500 1;
+ "net.ipv4.tcp_tw_reuse" = lib.mkOverride 500 1;
+ "net.ipv4.tcp_wmem" = lib.mkOverride 500 (lib.mkTcpMem 12 23 24);
+ };
+ }
+ (lib.mkIf cfg.flood.enable {
+ ark.directories = [ "/var/lib/private/flood" ];
+
+ nixfiles.modules.nginx = with config.services.flood; {
+ enable = true;
+ upstreams.flood.servers."${host}:${toString port}" = { };
+ virtualHosts.${cfg.flood.domain} = {
+ root = "${package}/lib/node_modules/flood/dist/assets";
+ locations = {
+ "/".tryFiles = "$uri /index.html";
+ "/api" = {
+ proxyPass = "http://flood";
+ extraConfig = libNginx.config.noProxyBuffering;
+ };
+ };
+ extraConfig = libNginx.config.internalOnly;
+ };
+ };
+
+ services.flood = {
+ enable = true;
+ extraArgs = [
+ "--auth=none"
+ "--assets=false"
+ "--allowedpath=${files}"
+ "--rtsocket=${socket}"
+ ];
+ };
+
+ systemd.services.flood = {
+ path = [ pkgs.mediainfo ];
+ serviceConfig = {
+ Group = cfg.group;
+ ReadOnlyPaths = [ files ];
+ };
+ after = [ "rtorrent.socket" ];
+ requires = [ "rtorrent.socket" ];
+ };
+ })
+ ]
+ );
+}
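Review bot: Flood is started with `--auth=none` and `--rtsocket=${socket}`, so anyone who can reach the `flood` virtual host controls rTorrent, and the only gate visible in this file is `libNginx.config.internalOnly`; a comment beside `extraArgs` such as `# No Flood login: access control is delegated to the nginx internalOnly allow-list` would keep that dependency from being loosened by accident. The removed `modules/rtorrent.nix` set explicit sandboxing for both units (`NoNewPrivileges`, `CapabilityBoundingSet`, `SystemCallFilter`, …) while the new `serviceConfig` blocks set none, so confirm that the upstream `services.rtorrent` and `services.flood` units provide equivalent hardening. `users.${config.services.rtorrent.user}.uid = cfg.gid;` reuses the gid option as a uid, and the `gid` default is commented as an unused UID; a separate `uid` option, or a comment that the two are deliberately equal, would make the intent explicit. `net.ipv4.tcp_tw_recycle` was removed from Linux in 4.12, so that sysctl line can be dropped.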
diff --git a/modules/jackett.nix b/modules/piracy/jackett.nix
index 5b0b2c0..7ef9311 100644
--- a/modules/jackett.nix
+++ b/modules/piracy/jackett.nix
@@ -7,10 +7,10 @@
...
}:
let
- cfg = config.nixfiles.modules.jackett;
+ cfg = config.nixfiles.modules.piracy.jackett;
in
{
- options.nixfiles.modules.jackett = {
+ options.nixfiles.modules.piracy.jackett = {
enable = lib.mkEnableOption "Jackett";
domain = lib.mkOption {
diff --git a/modules/lidarr.nix b/modules/piracy/lidarr.nix
index 127e8d9..a905d8e 100644
--- a/modules/lidarr.nix
+++ b/modules/piracy/lidarr.nix
@@ -8,10 +8,12 @@
}:
with lib;
let
- cfg = config.nixfiles.modules.lidarr;
+ cfg = config.nixfiles.modules.piracy.lidarr;
+
+ port = 8686;
in
{
- options.nixfiles.modules.lidarr = {
+ options.nixfiles.modules.piracy.lidarr = {
enable = mkEnableOption "Lidarr";
domain = mkOption {
@@ -26,27 +28,33 @@ in
ark.directories = [ "/var/lib/lidarr" ];
- nixfiles.modules.nginx = {
- enable = true;
- upstreams.lidarr.servers."127.0.0.1:8686" = { };
- virtualHosts.${cfg.domain} = {
- locations."/".proxyPass = "http://lidarr";
- extraConfig = libNginx.config.internalOnly;
+ nixfiles.modules = {
+ nginx = {
+ enable = true;
+ upstreams.lidarr.servers."127.0.0.1:${toString port}" = { };
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://lidarr";
+ extraConfig = libNginx.config.internalOnly;
+ };
+ };
+
+ piracy = {
+ enable = true;
+ jackett.enable = true;
};
};
services = {
lidarr = {
enable = true;
- user = "rtorrent";
- group = "rtorrent";
+ group = "piracy";
};
prometheus.exporters.exportarr-lidarr = {
enable = true;
url = "http://127.0.0.1";
+ port = port + 10000;
apiKeyFile = config.secrets.lidarr-api-key.path;
- port = mkDefault 9708;
inherit (config.services.lidarr) user;
inherit (config.services.lidarr) group;
listenAddress = this.wireguard.ipv4.address;
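Review bot: `services.lidarr.group = "piracy"` hard-codes the name that `modules/piracy/default.nix` exposes as the `group` option, so overriding that option would leave Lidarr in a group that is no longer the one rTorrent and Flood share and silently break the intended file permissions. Prefer `inherit (config.nixfiles.modules.piracy) group;` here. The same literal appears in `services.radarr.group` in radarr.nix, `services.sonarr.group` in sonarr.nix and `groups.piracy` in configurations/eonwe/default.nix. The surrounding `config` block continues outside this hunk.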
@@ -54,14 +62,22 @@ in
};
};
- systemd.tmpfiles.rules = with config.services.lidarr; [
- "d /var/lib/lidarr/root 0755 ${user} ${group} - -"
- ];
+ systemd = {
+ tmpfiles.rules = with config.services.lidarr; [
+ "d /var/lib/lidarr/root 0755 ${user} ${group} - -"
+ ];
+
+ services.lidarr.after = [
+ "flood.service"
+ "jackett.service"
+ "local-fs.target"
+ ];
+ };
topology = with cfg; {
nodes.${this.hostname}.services.lidarr = {
info = domain;
- details.listen.text = "127.0.0.1:8686";
+ details.listen.text = "127.0.0.1:${toString port}";
};
};
};
diff --git a/modules/piracy/radarr.nix b/modules/piracy/radarr.nix
new file mode 100644
index 0000000..ac2fe7f
--- /dev/null
+++ b/modules/piracy/radarr.nix
@@ -0,0 +1,84 @@
+{
+ config,
+ inputs,
+ lib,
+ libNginx,
+ this,
+ ...
+}:
+with lib;
+let
+ cfg = config.nixfiles.modules.piracy.radarr;
+
+ port = 7878;
+in
+{
+ options.nixfiles.modules.piracy.radarr = {
+ enable = mkEnableOption "Radarr";
+
+ domain = mkOption {
+ description = "Domain name sans protocol scheme.";
+ type = with types; str;
+ default = "radarr.${config.networking.domain}";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ secrets.radarr-api-key.file = "${inputs.self}/secrets/radarr-api-key";
+
+ ark.directories = [ "/var/lib/radarr" ];
+
+ nixfiles.modules = {
+ nginx = {
+ enable = true;
+ upstreams.radarr.servers."127.0.0.1:${toString port}" = { };
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://radarr";
+ extraConfig = libNginx.config.internalOnly;
+ };
+ };
+
+ piracy = {
+ enable = true;
+ jackett.enable = true;
+ };
+ };
+
+ services = {
+ radarr = {
+ enable = true;
+ group = "piracy";
+ };
+
+ prometheus.exporters.exportarr-radarr = {
+ enable = true;
+ url = "http://127.0.0.1";
+ port = port + 10000;
+ apiKeyFile = config.secrets.radarr-api-key.path;
+ inherit (config.services.radarr) user;
+ inherit (config.services.radarr) group;
+ listenAddress = this.wireguard.ipv4.address;
+ environment.CONFIG = "/var/lib/radarr/.config/Radarr/config.xml";
+ };
+ };
+
+ systemd = {
+ tmpfiles.rules = with config.services.radarr; [
+ "d /var/lib/radarr/root 0755 ${user} ${group} - -"
+ ];
+
+ services.lidarr.after = [
+ "flood.service"
+ "jackett.service"
+ "local-fs.target"
+ ];
+ };
+
+ topology = with cfg; {
+ nodes.${this.hostname}.services.radarr = {
+ info = domain;
+ details.listen.text = "127.0.0.1:${toString port}";
+ };
+ };
+ };
+}
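Review bot: In the `systemd` block the ordering is attached to `services.lidarr.after`, which looks like a leftover from copying lidarr.nix. As written, Radarr gets no ordering after Flood and Jackett, and enabling Radarr alone adds settings to a `lidarr` unit that this module never enables. It should read `services.radarr.after = [ … ];`, matching what sonarr.nix does for its own unit.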
diff --git a/modules/piracy/sonarr.nix b/modules/piracy/sonarr.nix
new file mode 100644
index 0000000..8715a12
--- /dev/null
+++ b/modules/piracy/sonarr.nix
@@ -0,0 +1,84 @@
+{
+ config,
+ inputs,
+ lib,
+ libNginx,
+ this,
+ ...
+}:
+with lib;
+let
+ cfg = config.nixfiles.modules.piracy.sonarr;
+
+ port = 8989;
+in
+{
+ options.nixfiles.modules.piracy.sonarr = {
+ enable = mkEnableOption "Sonarr";
+
+ domain = mkOption {
+ description = "Domain name sans protocol scheme.";
+ type = with types; str;
+ default = "sonarr.${config.networking.domain}";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ secrets.sonarr-api-key.file = "${inputs.self}/secrets/sonarr-api-key";
+
+ ark.directories = [ "/var/lib/sonarr" ];
+
+ nixfiles.modules = {
+ nginx = {
+ enable = true;
+ upstreams.sonarr.servers."127.0.0.1:${toString port}" = { };
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://sonarr";
+ extraConfig = libNginx.config.internalOnly;
+ };
+ };
+
+ piracy = {
+ enable = true;
+ jackett.enable = true;
+ };
+ };
+
+ services = {
+ sonarr = {
+ enable = true;
+ group = "piracy";
+ };
+
+ prometheus.exporters.exportarr-sonarr = {
+ enable = true;
+ url = "http://127.0.0.1";
+ port = port + 10000;
+ apiKeyFile = config.secrets.sonarr-api-key.path;
+ inherit (config.services.sonarr) user;
+ inherit (config.services.sonarr) group;
+ listenAddress = this.wireguard.ipv4.address;
+ environment.CONFIG = "/var/lib/sonarr/.config/Sonarr/config.xml";
+ };
+ };
+
+ systemd = {
+ tmpfiles.rules = with config.services.sonarr; [
+ "d /var/lib/sonarr/root 0755 ${user} ${group} - -"
+ ];
+
+ services.sonarr.after = [
+ "flood.service"
+ "jackett.service"
+ "local-fs.target"
+ ];
+ };
+
+ topology = with cfg; {
+ nodes.${this.hostname}.services.sonarr = {
+ info = domain;
+ details.listen.text = "127.0.0.1:${toString port}";
+ };
+ };
+ };
+}
diff --git a/modules/profiles/headful.nix b/modules/profiles/headful.nix
index 991d513..d7f1876 100644
--- a/modules/profiles/headful.nix
+++ b/modules/profiles/headful.nix
@@ -56,9 +56,11 @@ in
audacity
byedpi
eaglemode
+ easyeffects
element-desktop
fd
gimp
+ helvum
imv
kdenlive
libreoffice-fresh
diff --git a/modules/prowlarr.nix b/modules/prowlarr.nix
new file mode 100644
index 0000000..c5bf5c0
--- /dev/null
+++ b/modules/prowlarr.nix
@@ -0,0 +1,65 @@
+{
+ config,
+ inputs,
+ lib,
+ libNginx,
+ this,
+ ...
+}:
+with lib;
+let
+ cfg = config.nixfiles.modules.prowlarr;
+
+ port = 9696;
+in
+{
+ options.nixfiles.modules.prowlarr = {
+ enable = mkEnableOption "Prowlarr";
+
+ domain = mkOption {
+ description = "Domain name sans protocol scheme.";
+ type = with types; str;
+ default = "prowlarr.${config.networking.domain}";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ # secrets.prowlarr-api-key.file = "${inputs.self}/secrets/prowlarr-api-key";
+
+ ark.directories = [ "/var/lib/private/prowlarr" ];
+
+ nixfiles.modules.nginx = {
+ enable = true;
+ upstreams.prowlarr.servers."127.0.0.1:${toString port}" = { };
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://prowlarr";
+ extraConfig = libNginx.config.internalOnly;
+ };
+ };
+
+ services = {
+ prowlarr.enable = true;
+
+ prometheus.exporters.exportarr-prowlarr = {
+ enable = true;
+ url = "http://127.0.0.1";
+ port = port + 10000;
+ apiKeyFile = config.secrets.lidarr-api-key.path;
+ listenAddress = this.wireguard.ipv4.address;
+ environment = {
+ PROWLARR__BACKFILL = "true";
+ PROWLARR__BACKFILL_DATE_SINCE = "2025-01-01";
+ };
+ };
+ };
+
+ topology = with cfg; {
+ nodes.${this.hostname}.services.prowlarr = {
+ name = "Prowlarr";
+ icon = "${inputs.homelab-svg-assets}/assets/prowlarr.svg";
+ info = domain;
+ details.listen.text = "127.0.0.1:${toString port}";
+ };
+ };
+ };
+}
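Review bot: The exporter's `apiKeyFile = config.secrets.lidarr-api-key.path;` points at Lidarr's key while the `secrets.prowlarr-api-key` declaration at the top of `config` is commented out. Unless both applications were deliberately given the same key, the exporter will fail to authenticate against Prowlarr, and this module now depends on a secret that is declared only elsewhere. Restore the declaration and use `apiKeyFile = config.secrets.prowlarr-api-key.path;` so each service has its own credential and a leaked key exposes one API only. Unlike the lidarr, radarr and sonarr exporters, no `user`/`group` is inherited here, so also check that the exporter's user can read the secret file.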
diff --git a/modules/radarr.nix b/modules/radarr.nix
deleted file mode 100644
index 9e4e13f..0000000
--- a/modules/radarr.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- config,
- lib,
- libNginx,
- ...
-}:
-with lib;
-let
- cfg = config.nixfiles.modules.radarr;
-in
-{
- options.nixfiles.modules.radarr = {
- enable = mkEnableOption "Radarr";
-
- domain = mkOption {
- description = "Domain name sans protocol scheme.";
- type = with types; str;
- default = "radarr.${config.networking.domain}";
- };
- };
-
- config = mkIf cfg.enable {
- ark.directories = [ "/var/lib/radarr" ];
-
- nixfiles.modules.nginx = {
- enable = true;
- upstreams.radarr.servers."127.0.0.1:7878" = { };
- virtualHosts.${cfg.domain} = {
- locations."/".proxyPass = "http://radarr";
- extraConfig = libNginx.config.internalOnly;
- };
- };
-
- services.radarr = {
- enable = true;
- user = "rtorrent";
- group = "rtorrent";
- };
- };
-}
diff --git a/modules/rtorrent.nix b/modules/rtorrent.nix
deleted file mode 100644
index 82ef1b2..0000000
--- a/modules/rtorrent.nix
+++ /dev/null
@@ -1,328 +0,0 @@
-{
- config,
- lib,
- libNginx,
- pkgs,
- ...
-}:
-with lib;
-let
- cfg = config.nixfiles.modules.rtorrent;
-in
-{
- options.nixfiles.modules.rtorrent = {
- enable = mkEnableOption "rTorrent";
-
- flood = {
- enable = mkEnableOption "Flood" // {
- default = cfg.enable;
- };
-
- domain = mkOption {
- description = "Domain name sans protocol scheme.";
- type = with types; str;
- default = "flood.${config.networking.domain}";
- };
- };
- };
-
- config =
- let
- user = "rtorrent";
- group = "rtorrent";
- baseDir = "/var/lib/rtorrent";
- rpcSocket = "${baseDir}/rpc.socket";
- in
- mkIf cfg.enable (mkMerge [
- (
- let
- port = 50000;
- in
- {
- ark.directories = [ baseDir ];
-
- systemd = {
- services.rtorrent = {
- description = "rTorrent";
- after = [
- "network.target"
- "local-fs.target"
- ];
- serviceConfig =
- let
- leechDir = "${baseDir}/leech";
- seedDir = "${baseDir}/seed";
- sessionDir = "${baseDir}/session";
- logDir = "${baseDir}/log";
- configFile =
- let
- moveCompleted = getExe (
- pkgs.writeShellApplication {
- name = "move-completed";
- runtimeInputs = with pkgs; [
- coreutils-full
- gnused
- findutils
- ];
- text = ''
- set -x
-
- leech_path="$1"
- seed_path="$2"
- # seed_path="$(echo "$2" | sed 's@+@ @g;s@%@\\x@g' | xargs -0 printf '%b')"
-
- mkdir -pv "$seed_path"
- mv -fv "$leech_path" "$seed_path"
- '';
- }
- );
- in
- pkgs.writeText "rtorrent.rc" ''
- method.insert = cfg.leech, private|const|string, (cat, "${leechDir}")
- method.insert = cfg.seed, private|const|string, (cat, "${seedDir}")
- method.insert = cfg.session, private|const|string, (cat, "${sessionDir}")
- method.insert = cfg.log, private|const|string, (cat, "${logDir}")
- method.insert = cfg.rpcsocket, private|const|string, (cat, "${rpcSocket}")
-
- directory.default.set = (cat, (cfg.leech))
- session.path.set = (cat, (cfg.session))
-
- network.port_range.set = ${toString port}-${toString port}
- network.port_random.set = no
-
- dht.mode.set = disable
- protocol.pex.set = no
-
- trackers.use_udp.set = no
-
- protocol.encryption.set = allow_incoming,try_outgoing,enable_retry
-
- pieces.memory.max.set = ${toString (pow 2 11)}M
- pieces.preload.type.set = 2
-
- network.xmlrpc.size_limit.set = ${toString (pow 2 17)}
-
- network.max_open_files.set = ${toString (pow 2 10)}
- network.max_open_sockets.set = ${toString (pow 2 10)}
-
- network.http.max_open.set = ${toString (pow 2 8)}
-
- throttle.global_down.max_rate.set_kb = 0
- throttle.global_up.max_rate.set_kb = 0
-
- encoding.add = UTF-8
- system.umask.set = 0027
- system.cwd.set = (directory.default)
-
- network.scgi.open_local = (cat, (cfg.rpcsocket))
-
- method.insert = d.move_completed, simple, "\
- d.directory.set=$argument.1=;\
- execute=${moveCompleted}, $argument.0=, $argument.1=;\
- d.save_full_session=\
- "
- method.insert = d.leech_path, simple, "\
- if=(d.is_multi_file),\
- (cat, (d.directory), /),\
- (cat, (d.directory), /, (d.name))\
- "
- method.insert = d.seed_path, simple, "\
- cat=$cfg.seed=, /, $d.custom1=\
- "
- method.set_key = event.download.finished, move_complete, "\
- d.move_completed=$d.leech_path=, $d.seed_path=\
- "
-
- log.open_file = "log", (cat, (cfg.log), "/", "default.log")
- log.add_output = "info", "log"
- log.execute = (cat, (cfg.log), "/", "execute.log")
- '';
- in
- {
- Restart = "on-failure";
- RestartSec = 3;
-
- KillMode = "process";
- KillSignal = "SIGHUP";
-
- User = user;
- Group = group;
-
- ExecStartPre = concatStringsSep " " [
- "${pkgs.coreutils-full}/bin/mkdir -p"
- leechDir
- seedDir
- sessionDir
- logDir
- ];
- ExecStart = concatStringsSep " " [
- (getExe pkgs.rtorrent)
- "-n"
- "-o system.daemon.set=true"
- "-o network.bind_address.set=0.0.0.0"
- "-o import=${configFile}"
- ];
- ExecStop = concatStringsSep " " [
- "${pkgs.coreutils-full}/bin/rm -rf"
- rpcSocket
- ];
-
- RuntimeDirectory = "rtorrent";
- RuntimeDirectoryMode = 750;
- UMask = 27;
- AmbientCapabilities = [ "" ];
- CapabilityBoundingSet = [ "" ];
- LockPersonality = true;
- MemoryDenyWriteExecute = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProcSubset = "pid";
- RemoveIPC = true;
- RestrictAddressFamilies = [
- "AF_UNIX"
- "AF_INET"
- "AF_INET6"
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "@system-service"
- "~@resources"
- "~@privileged"
- ];
- };
- wantedBy = [ "multi-user.target" ];
- };
-
- tmpfiles.rules = [ "d '${baseDir}' 0750 ${user} ${group} -" ];
- };
-
- users = {
- users.${user} = {
- inherit group;
- shell = pkgs.bashInteractive;
- home = baseDir;
- description = "rTorrent";
- isSystemUser = true;
- };
- groups.${group} = { };
- };
- my.extraGroups = [ group ];
-
- networking.firewall.allowedTCPPorts = [ port ];
-
- boot.kernel.sysctl = {
- "net.core.rmem_max" = mkOverride 500 (pow 2 24);
- "net.core.wmem_max" = mkOverride 500 (pow 2 24);
- "net.ipv4.tcp_fin_timeout" = mkOverride 500 30;
- "net.ipv4.tcp_rmem" = mkOverride 500 (mkTcpMem 12 23 24);
- "net.ipv4.tcp_slow_start_after_idle" = 0;
- "net.ipv4.tcp_tw_recycle" = mkOverride 500 1;
- "net.ipv4.tcp_tw_reuse" = mkOverride 500 1;
- "net.ipv4.tcp_wmem" = mkOverride 500 (mkTcpMem 12 23 24);
- };
- }
- )
- (
- let
- port = 50001;
- pkg = pkgs.nodePackages.flood;
- in
- mkIf cfg.flood.enable {
- nixfiles.modules.nginx = {
- enable = true;
- upstreams.flood.servers."127.0.0.1:${toString port}" = { };
- virtualHosts.${cfg.flood.domain} = {
- root = "${pkg}/lib/node_modules/flood/dist/assets";
- locations = {
- "/".tryFiles = "$uri /index.html";
- "/api" = {
- proxyPass = "http://flood";
- extraConfig = libNginx.config.noProxyBuffering;
- };
- };
- extraConfig = libNginx.config.internalOnly;
- };
- };
-
- systemd.services.flood = {
- description = "Flood";
- after = [
- "network.target"
- "rtorrent.service"
- ];
- path = with pkgs; [ mediainfo ];
- serviceConfig = {
- Restart = "on-failure";
- RestartSec = 3;
-
- User = user;
- Group = group;
-
- ExecStart = concatStringsSep " " [
- (getExe pkg)
- "--allowedpath=${baseDir}"
- "--baseuri=/"
- "--rundir=${baseDir}/flood"
- "--host=127.0.0.1"
- "--port=${toString port}"
- "--rtsocket=${rpcSocket}"
- "--ssl=false"
- "--auth=none"
- ];
-
- RuntimeDirectory = "rtorrent";
- RuntimeDirectoryMode = 750;
- UMask = 27;
- AmbientCapabilities = [ "" ];
- CapabilityBoundingSet = [ "" ];
- LockPersonality = true;
- NoNewPrivileges = true;
- PrivateDevices = true;
- PrivateTmp = true;
- PrivateUsers = true;
- ProtectClock = true;
- ProtectControlGroups = true;
- ProtectHome = true;
- ProtectHostname = true;
- ProtectKernelLogs = true;
- ProtectKernelModules = true;
- ProtectKernelTunables = true;
- ProcSubset = "pid";
- ProtectProc = "invisible";
- RemoveIPC = true;
- RestrictAddressFamilies = [
- "AF_UNIX"
- "AF_INET"
- "AF_INET6"
- ];
- RestrictNamespaces = true;
- RestrictRealtime = true;
- RestrictSUIDSGID = true;
- SystemCallArchitectures = "native";
- SystemCallFilter = [
- "~@cpu-emulation"
- "~@debug"
- "~@mount"
- "~@obsolete"
- "~@privileged"
- "~@resources"
- ];
- };
- wantedBy = [ "multi-user.target" ];
- };
- }
- )
- ]);
-}
diff --git a/modules/sonarr.nix b/modules/sonarr.nix
deleted file mode 100644
index b11dda0..0000000
--- a/modules/sonarr.nix
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- config,
- lib,
- libNginx,
- ...
-}:
-with lib;
-let
- cfg = config.nixfiles.modules.sonarr;
-in
-{
- options.nixfiles.modules.sonarr = {
- enable = mkEnableOption "Sonarr";
-
- domain = mkOption {
- description = "Domain name sans protocol scheme.";
- type = with types; str;
- default = "sonarr.${config.networking.domain}";
- };
- };
-
- config = mkIf cfg.enable {
- ark.directories = [ "/var/lib/sonarr" ];
-
- nixfiles.modules.nginx = {
- enable = true;
- upstreams.sonarr.servers."127.0.0.1:8989" = { };
- virtualHosts.${cfg.domain} = {
- locations."/".proxyPass = "http://sonarr";
- extraConfig = libNginx.config.internalOnly;
- };
- };
-
- services.sonarr = {
- enable = true;
- user = "rtorrent";
- group = "rtorrent";
- };
- };
-}
diff --git a/overlays.nix b/overlays.nix
index 71735cc..020c6b2 100644
--- a/overlays.nix
+++ b/overlays.nix
@@ -101,5 +101,8 @@
'';
};
};
+
+ rtorrent =
+ _: (lib.packages.fromPR 368724 "sha256-99C1bOu6L5UMia0zqR3258HO+MS7Jq89KQE6oycFsvc=").rtorrent;
};
}
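Review bot: The `rtorrent` overlay takes the package from pull request 368724 through `lib.packages.fromPR` with no comment saying why or until when. The fixed `sha256` pins the fetched content, but the daemon is then built from a branch that has presumably not yet been merged, and the override will stay in place after the change lands upstream. I would add a comment such as `# rtorrent from PR 368724: <reason>; remove once it is in the pinned nixpkgs`. The enclosing overlay attribute set starts outside this hunk.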