author | azahi <azat@bahawi.net> | 2025-01-06 23:21:56 +0300 |
---|---|---|
committer | azahi <azat@bahawi.net> | 2025-01-06 23:21:56 +0300 |
commit | 9faff5e0bee5718a5825cef2604a4e81ddcbd0e0 (patch) | |
tree | f2791f036b339e7c04958e6c0a1ca7604b9523f9 /modules | |
parent | 2025-01-01 (diff) |
Diffstat (limited to 'modules')
-rw-r--r-- | modules/beets.nix | 11 | ||||
-rw-r--r-- | modules/common/ark.nix | 2 | ||||
-rw-r--r-- | modules/monitoring/default.nix | 12 | ||||
-rw-r--r-- | modules/nsd.nix | 3 | ||||
-rw-r--r-- | modules/piracy/default.nix | 177 | ||||
-rw-r--r-- | modules/piracy/jackett.nix (renamed from modules/jackett.nix) | 4 | ||||
-rw-r--r-- | modules/piracy/lidarr.nix (renamed from modules/lidarr.nix) | 46 | ||||
-rw-r--r-- | modules/piracy/radarr.nix | 84 | ||||
-rw-r--r-- | modules/piracy/sonarr.nix | 84 | ||||
-rw-r--r-- | modules/profiles/headful.nix | 2 | ||||
-rw-r--r-- | modules/prowlarr.nix | 65 | ||||
-rw-r--r-- | modules/radarr.nix | 40 | ||||
-rw-r--r-- | modules/rtorrent.nix | 328 | ||||
-rw-r--r-- | modules/sonarr.nix | 40 |
14 files changed, 465 insertions, 433 deletions
diff --git a/modules/beets.nix b/modules/beets.nix
index 732f400..c25ad53 100644
--- a/modules/beets.nix
+++ b/modules/beets.nix
@@ -49,10 +49,17 @@ in
 original_date = true;
 import = {
 write = true;
- copy = true;
+ copy = true; # sshfs mount and `beet import` the required directory.
 move = false;
- bell = true;
+ link = false;
+ hardlink = false;
+ reflink = false;
+ resume = false;
+ incremental = true;
+ incremental_skip_later = false;
 from_scratch = true;
+ quiet = false;
+ bell = true;
 };
 match = {
 preferred = {
diff --git a/modules/common/ark.nix b/modules/common/ark.nix
index f297fce..e3ea4c5 100644
--- a/modules/common/ark.nix
+++ b/modules/common/ark.nix
@@ -46,7 +46,7 @@ in
 config = lib.mkIf cfg.enable {
 environment.persistence.${cfg.path} = {
 hideMounts = true;
- enableDebugging = true;
+ enableDebugging = false;
 enableWarnings = true;
 inherit (cfg) directories files;
 };
diff --git a/modules/monitoring/default.nix b/modules/monitoring/default.nix
index a3e57d3..164ac5d 100644
--- a/modules/monitoring/default.nix
+++ b/modules/monitoring/default.nix
@@ -189,6 +189,14 @@ in
 ];
 inherit (config.services.endlessh-go.prometheus) port;
 };
+ exportarr-prowlarr = {
+ hosts = [ yavanna ];
+ inherit (config.services.prometheus.exporters.exportarr-prowlarr) port;
+ };
+ exportarr-lidarr = {
+ hosts = [ yavanna ];
+ inherit (config.services.prometheus.exporters.exportarr-lidarr) port;
+ };
 nginx = {
 hosts = [
 manwe
@@ -221,10 +229,6 @@ in
 hosts = [ manwe ];
 inherit (config.services.prometheus.exporters.wireguard) port;
 };
- exportarr-lidarr = {
- hosts = [ yavanna ];
- inherit (config.services.prometheus.exporters.exportarr-lidarr) port;
- };
 };
 ruleFiles = [
diff --git a/modules/nsd.nix b/modules/nsd.nix
index acf7e27..13cebe9 100644
--- a/modules/nsd.nix
+++ b/modules/nsd.nix
@@ -103,7 +103,7 @@ in
 SOA = {
 nameServer = "${cfg.fqdn}.";
 adminEmail = "admin+dns@${my.domain.shire}";
- serial = 2022091601; # Don't forget to bump the revision!
+ serial = 2024010301; # Don't forget to bump the revision!
 };
 NS = with my.domain; [
@@ -163,6 +163,7 @@ in
 flood = yavanna;
 jackett = yavanna;
 lidarr = yavanna;
+ prowlarr = yavanna;
 };
 }
 ];
diff --git a/modules/piracy/default.nix b/modules/piracy/default.nix
new file mode 100644
index 0000000..be957f0
--- /dev/null
+++ b/modules/piracy/default.nix
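Review bot: The new SOA serial `2024010301` encodes the wrong year: the previous value `2022091601` appears to follow the YYYYMMDDnn convention, and this commit is dated 2025-01-06. The value still increases, so secondaries will pick up the zone, but the next date-based bump will look out of sequence and the comment next to it will mislead whoever edits it; use `serial = 2025010601; # Don't forget to bump the revision!`.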
@@ -0,0 +1,177 @@ +{ + config, + lib, + libNginx, + pkgs, + ... +}: +let + cfg = config.nixfiles.modules.piracy; +in +{ + imports = lib.attrValues (lib.modulesIn ./.); + + options.nixfiles.modules.piracy = { + enable = lib.mkEnableOption "tools for working with the BitTorrent protocol"; + + group = lib.mkOption { + type = lib.types.str; + default = "piracy"; + }; + gid = lib.mkOption { + type = lib.types.int; + default = 210; # Unused UID from Nixpkgs. + }; + + flood = { + enable = lib.mkEnableOption "Flood" // { + default = cfg.enable; + }; + + domain = lib.mkOption { + description = "Domain name sans protocol scheme."; + type = lib.types.str; + default = "flood.${config.networking.domain}"; + }; + }; + }; + + config = + let + files = "/export/rtorrent"; + socket = "/run/rtorrent/rpc.sock"; + in + lib.mkIf cfg.enable ( + lib.mkMerge [ + { + ark.directories = [ + config.services.rtorrent.dataDir + files + ]; + + services.rtorrent = { + enable = true; + + user = "rtorrent"; + inherit (cfg) group; + + rpcSocket = socket; + configText = + with config.services.rtorrent; + lib.mkForce '' + directory.default.set = ${files} + session.path.set = ${dataDir}/session + + network.port_range.set = ${toString port}-${toString port} + network.port_random.set = no + + dht.mode.set = disable + protocol.pex.set = no + + trackers.use_udp.set = no + + protocol.encryption.set = allow_incoming,try_outgoing,enable_retry + + pieces.memory.max.set = ${toString (lib.pow 2 11)}M + pieces.preload.type.set = 2 + + network.max_open_files.set = ${toString (lib.pow 2 13)} + network.max_open_sockets.set = ${toString (lib.pow 2 13)} + + network.http.max_open.set = ${toString (lib.pow 2 10)} + + throttle.global_down.max_rate.set_kb = 0 + throttle.global_up.max_rate.set_kb = 0 + + network.scgi.open_local = ${socket} + network.xmlrpc.size_limit.set = ${toString (lib.pow 2 17)} + + encoding.add = utf8 + system.umask.set = 0007 + + log.open_file = "log", "/var/log/rtorrent/log" + log.add_output = 
"info", "log" + ''; + }; + + systemd = { + sockets.rtorrent = { + socketConfig.ListenStream = socket; + wantedBy = [ "sockets.target" ]; + }; + + services.rtorrent = { + serviceConfig = { + UMask = "0007"; + RuntimeDirectory = "rtorrent"; + LogsDirectory = "rtorrent"; + ReadWritePaths = [ files ]; + }; + after = [ "rtorrent.socket" ]; + requires = [ "rtorrent.socket" ]; + }; + + tmpfiles.rules = with config.services.rtorrent; [ + "d '${files}' 0750 ${user} ${cfg.group} -" + ]; + }; + + users = { + users.${config.services.rtorrent.user}.uid = cfg.gid; + groups.${config.services.rtorrent.group}.gid = cfg.gid; + }; + my.extraGroups = [ cfg.group ]; + + boot.kernel.sysctl = { + "net.core.rmem_max" = lib.mkOverride 500 (lib.pow 2 24); + "net.core.wmem_max" = lib.mkOverride 500 (lib.pow 2 24); + "net.ipv4.tcp_fin_timeout" = lib.mkOverride 500 30; + "net.ipv4.tcp_rmem" = lib.mkOverride 500 (lib.mkTcpMem 12 23 24); + "net.ipv4.tcp_slow_start_after_idle" = 0; + "net.ipv4.tcp_tw_recycle" = lib.mkOverride 500 1; + "net.ipv4.tcp_tw_reuse" = lib.mkOverride 500 1; + "net.ipv4.tcp_wmem" = lib.mkOverride 500 (lib.mkTcpMem 12 23 24); + }; + } + (lib.mkIf cfg.flood.enable { + ark.directories = [ "/var/lib/private/flood" ]; + + nixfiles.modules.nginx = with config.services.flood; { + enable = true; + upstreams.flood.servers."${host}:${toString port}" = { }; + virtualHosts.${cfg.flood.domain} = { + root = "${package}/lib/node_modules/flood/dist/assets"; + locations = { + "/".tryFiles = "$uri /index.html"; + "/api" = { + proxyPass = "http://flood"; + extraConfig = libNginx.config.noProxyBuffering; + }; + }; + extraConfig = libNginx.config.internalOnly; + }; + }; + + services.flood = { + enable = true; + extraArgs = [ + "--auth=none" + "--assets=false" + "--allowedpath=${files}" + "--rtsocket=${socket}" + ]; + }; + + systemd.services.flood = { + path = [ pkgs.mediainfo ]; + serviceConfig = { + Group = cfg.group; + ReadOnlyPaths = [ files ]; + }; + after = [ "rtorrent.socket" ]; + 
requires = [ "rtorrent.socket" ]; + }; + }) + ] + ); +} diff --git a/modules/jackett.nix b/modules/piracy/jackett.nix index 5b0b2c0..7ef9311 100644 --- a/modules/jackett.nix +++ b/modules/piracy/jackett.nix @@ -7,10 +7,10 @@ ... }: let - cfg = config.nixfiles.modules.jackett; + cfg = config.nixfiles.modules.piracy.jackett; in { - options.nixfiles.modules.jackett = { + options.nixfiles.modules.piracy.jackett = { enable = lib.mkEnableOption "Jackett"; domain = lib.mkOption { diff --git a/modules/lidarr.nix b/modules/piracy/lidarr.nix index 127e8d9..a905d8e 100644 --- a/modules/lidarr.nix +++ b/modules/piracy/lidarr.nix @@ -8,10 +8,12 @@ }: with lib; let - cfg = config.nixfiles.modules.lidarr; + cfg = config.nixfiles.modules.piracy.lidarr; + + port = 8686; in { - options.nixfiles.modules.lidarr = { + options.nixfiles.modules.piracy.lidarr = { enable = mkEnableOption "Lidarr"; domain = mkOption { @@ -26,27 +28,33 @@ in ark.directories = [ "/var/lib/lidarr" ]; - nixfiles.modules.nginx = { - enable = true; - upstreams.lidarr.servers."127.0.0.1:8686" = { }; - virtualHosts.${cfg.domain} = { - locations."/".proxyPass = "http://lidarr"; - extraConfig = libNginx.config.internalOnly; + nixfiles.modules = { + nginx = { + enable = true; + upstreams.lidarr.servers."127.0.0.1:${toString port}" = { }; + virtualHosts.${cfg.domain} = { + locations."/".proxyPass = "http://lidarr"; + extraConfig = libNginx.config.internalOnly; + }; + }; + + piracy = { + enable = true; + jackett.enable = true; }; }; services = { lidarr = { enable = true; - user = "rtorrent"; - group = "rtorrent"; + group = "piracy"; }; prometheus.exporters.exportarr-lidarr = { enable = true; url = "http://127.0.0.1"; + port = port + 10000; apiKeyFile = config.secrets.lidarr-api-key.path; - port = mkDefault 9708; inherit (config.services.lidarr) user; inherit (config.services.lidarr) group; listenAddress = this.wireguard.ipv4.address; 
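Review bot: `"net.ipv4.tcp_tw_recycle" = lib.mkOverride 500 1;` in the `boot.kernel.sysctl` block is carried over from the deleted modules/rtorrent.nix, but that sysctl was removed in Linux 4.12, so systemd-sysctl will log a failure for it on every boot while the other keys are still applied; drop that line (`tcp_tw_reuse` remains valid). The new `systemd.services.rtorrent.serviceConfig` sets only `UMask`, `RuntimeDirectory`, `LogsDirectory` and `ReadWritePaths`, whereas the deleted module applied an explicit sandbox (`NoNewPrivileges`, `PrivateDevices`, `RestrictAddressFamilies`, `SystemCallFilter`, `CapabilityBoundingSet`, …) to both rtorrent and flood; the use of `ReadWritePaths` suggests the upstream `services.rtorrent` unit already enables `ProtectSystem`, but whether the rest of that list survives for rtorrent.service and flood.service is not visible in this hunk and is worth confirming with `systemd-analyze security` before relying on the upstream units for two daemons that parse untrusted peer and tracker data. Flood keeps `--auth=none`, so access to the rtorrent RPC socket through Flood now rests entirely on `libNginx.config.internalOnly` on the vhost; a comment beside `extraArgs`, e.g. `# No Flood auth: reachability of the nginx vhost is the only access control.`, would make that dependency explicit.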
@@ -54,14 +62,22 @@ in
 };
 };
- systemd.tmpfiles.rules = with config.services.lidarr; [
- "d /var/lib/lidarr/root 0755 ${user} ${group} - -"
- ];
+ systemd = {
+ tmpfiles.rules = with config.services.lidarr; [
+ "d /var/lib/lidarr/root 0755 ${user} ${group} - -"
+ ];
+
+ services.lidarr.after = [
+ "flood.service"
+ "jackett.service"
+ "local-fs.target"
+ ];
+ };
 topology = with cfg; {
 nodes.${this.hostname}.services.lidarr = {
 info = domain;
- details.listen.text = "127.0.0.1:8686";
+ details.listen.text = "127.0.0.1:${toString port}";
 };
 };
 };
diff --git a/modules/piracy/radarr.nix b/modules/piracy/radarr.nix
new file mode 100644
index 0000000..ac2fe7f
--- /dev/null
+++ b/modules/piracy/radarr.nix
@@ -0,0 +1,84 @@
+{
+ config,
+ inputs,
+ lib,
+ libNginx,
+ this,
+ ...
+}:
+with lib;
+let
+ cfg = config.nixfiles.modules.piracy.radarr;
+
+ port = 7878;
+in
+{
+ options.nixfiles.modules.piracy.radarr = {
+ enable = mkEnableOption "Radarr";
+
+ domain = mkOption {
+ description = "Domain name sans protocol scheme.";
+ type = with types; str;
+ default = "radarr.${config.networking.domain}";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ secrets.radarr-api-key.file = "${inputs.self}/secrets/radarr-api-key";
+
+ ark.directories = [ "/var/lib/radarr" ];
+
+ nixfiles.modules = {
+ nginx = {
+ enable = true;
+ upstreams.radarr.servers."127.0.0.1:${toString port}" = { };
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://radarr";
+ extraConfig = libNginx.config.internalOnly;
+ };
+ };
+
+ piracy = {
+ enable = true;
+ jackett.enable = true;
+ };
+ };
+
+ services = {
+ radarr = {
+ enable = true;
+ group = "piracy";
+ };
+
+ prometheus.exporters.exportarr-radarr = {
+ enable = true;
+ url = "http://127.0.0.1";
+ port = port + 10000;
+ apiKeyFile = config.secrets.radarr-api-key.path;
+ inherit (config.services.radarr) user;
+ inherit (config.services.radarr) group;
+ listenAddress = this.wireguard.ipv4.address;
+ environment.CONFIG = "/var/lib/radarr/.config/Radarr/config.xml";
+ };
+ };
+
+ systemd = {
+ tmpfiles.rules = with config.services.radarr; [
+ "d /var/lib/radarr/root 0755 ${user} ${group} - -"
+ ];
+
+ services.lidarr.after = [
+ "flood.service"
+ "jackett.service"
+ "local-fs.target"
+ ];
+ };
+
+ topology = with cfg; {
+ nodes.${this.hostname}.services.radarr = {
+ info = domain;
+ details.listen.text = "127.0.0.1:${toString port}";
+ };
+ };
+ };
+}
diff --git a/modules/piracy/sonarr.nix b/modules/piracy/sonarr.nix
new file mode 100644
index 0000000..8715a12
--- /dev/null
+++ b/modules/piracy/sonarr.nix
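Review bot: `services.lidarr.after = [ ... ]` inside the `systemd` block of modules/piracy/radarr.nix orders the Lidarr unit, not Radarr — a leftover from copying lidarr.nix (sonarr.nix correctly uses `services.sonarr.after`). As written, radarr.service gets no ordering after flood, jackett and local-fs.target, while lidarr.service receives the same list a second time (list options merge, so this passes evaluation silently). Change it to `services.radarr.after = [`.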
@@ -0,0 +1,84 @@
+{
+ config,
+ inputs,
+ lib,
+ libNginx,
+ this,
+ ...
+}:
+with lib;
+let
+ cfg = config.nixfiles.modules.piracy.sonarr;
+
+ port = 8989;
+in
+{
+ options.nixfiles.modules.piracy.sonarr = {
+ enable = mkEnableOption "Sonarr";
+
+ domain = mkOption {
+ description = "Domain name sans protocol scheme.";
+ type = with types; str;
+ default = "sonarr.${config.networking.domain}";
+ };
+ };
+
+ config = mkIf cfg.enable {
+ secrets.sonarr-api-key.file = "${inputs.self}/secrets/sonarr-api-key";
+
+ ark.directories = [ "/var/lib/sonarr" ];
+
+ nixfiles.modules = {
+ nginx = {
+ enable = true;
+ upstreams.sonarr.servers."127.0.0.1:${toString port}" = { };
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://sonarr";
+ extraConfig = libNginx.config.internalOnly;
+ };
+ };
+
+ piracy = {
+ enable = true;
+ jackett.enable = true;
+ };
+ };
+
+ services = {
+ sonarr = {
+ enable = true;
+ group = "piracy";
+ };
+
+ prometheus.exporters.exportarr-sonarr = {
+ enable = true;
+ url = "http://127.0.0.1";
+ port = port + 10000;
+ apiKeyFile = config.secrets.sonarr-api-key.path;
+ inherit (config.services.sonarr) user;
+ inherit (config.services.sonarr) group;
+ listenAddress = this.wireguard.ipv4.address;
+ environment.CONFIG = "/var/lib/sonarr/.config/Sonarr/config.xml";
+ };
+ };
+
+ systemd = {
+ tmpfiles.rules = with config.services.sonarr; [
+ "d /var/lib/sonarr/root 0755 ${user} ${group} - -"
+ ];
+
+ services.sonarr.after = [
+ "flood.service"
+ "jackett.service"
+ "local-fs.target"
+ ];
+ };
+
+ topology = with cfg; {
+ nodes.${this.hostname}.services.sonarr = {
+ info = domain;
+ details.listen.text = "127.0.0.1:${toString port}";
+ };
+ };
+ };
+}
diff --git a/modules/profiles/headful.nix b/modules/profiles/headful.nix
index 991d513..d7f1876 100644
--- a/modules/profiles/headful.nix
+++ b/modules/profiles/headful.nix
@@ -56,9 +56,11 @@ in
 audacity
 byedpi
 eaglemode
+ easyeffects
 element-desktop
 fd
 gimp
+ helvum
 imv
 kdenlive
 libreoffice-fresh
diff --git a/modules/prowlarr.nix b/modules/prowlarr.nix
new file mode 100644
index 0000000..c5bf5c0
--- /dev/null
+++ b/modules/prowlarr.nix
@@ -0,0 +1,65 @@
+{
+ config,
+ inputs,
+ lib,
+ libNginx,
+ this,
+ ...
+}:
+with lib;
+let
+ cfg = config.nixfiles.modules.prowlarr;
+ port = 9696;
+in
+{
+ options.nixfiles.modules.prowlarr = {
+ enable = mkEnableOption "Prowlarr";
+ domain = mkOption {
+ description = "Domain name sans protocol scheme.";
+ type = with types; str;
+ default = "prowlarr.${config.networking.domain}";
+ };
+ };
+ config = mkIf cfg.enable {
+ # secrets.prowlarr-api-key.file = "${inputs.self}/secrets/prowlarr-api-key";
+ ark.directories = [ "/var/lib/private/prowlarr" ];
+ nixfiles.modules.nginx = {
+ enable = true;
+ upstreams.prowlarr.servers."127.0.0.1:${toString port}" = { };
+ virtualHosts.${cfg.domain} = {
+ locations."/".proxyPass = "http://prowlarr";
+ extraConfig = libNginx.config.internalOnly;
+ };
+ };
+ services = {
+ prowlarr.enable = true;
+ prometheus.exporters.exportarr-prowlarr = {
+ enable = true;
+ url = "http://127.0.0.1";
+ port = port + 10000;
+ apiKeyFile = config.secrets.lidarr-api-key.path;
+ listenAddress = this.wireguard.ipv4.address;
+ environment = {
+ PROWLARR__BACKFILL = "true";
+ PROWLARR__BACKFILL_DATE_SINCE = "2025-01-01";
+ };
+ };
+ };
+ topology = with cfg; {
+ nodes.${this.hostname}.services.prowlarr = {
+ name = "Prowlarr";
+ icon = "${inputs.homelab-svg-assets}/assets/prowlarr.svg";
+ info = domain;
+ details.listen.text = "127.0.0.1:${toString port}";
+ };
+ };
+ };
+}
diff --git a/modules/radarr.nix b/modules/radarr.nix
deleted file mode 100644
index 9e4e13f..0000000
--- a/modules/radarr.nix
+++ /dev/null
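Review bot: The exportarr-prowlarr exporter in modules/prowlarr.nix is handed Lidarr's credential, `apiKeyFile = config.secrets.lidarr-api-key.path;`, while the matching `secrets.prowlarr-api-key.file` line a few lines above is commented out. Prowlarr would presumably reject requests signed with another service's key, so the scrapes wired up in modules/monitoring/default.nix are unlikely to work, and the Lidarr key is exposed to a second process for no benefit. Uncomment `secrets.prowlarr-api-key.file = "${inputs.self}/secrets/prowlarr-api-key";` and change the exporter to `apiKeyFile = config.secrets.prowlarr-api-key.path;`. Unlike the lidarr/radarr/sonarr exporters this one sets no `user`/`group`, so also confirm that whatever user the exporter runs as can read the key file.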
@@ -1,40 +0,0 @@ -{ - config, - lib, - libNginx, - ... -}: -with lib; -let - cfg = config.nixfiles.modules.radarr; -in -{ - options.nixfiles.modules.radarr = { - enable = mkEnableOption "Radarr"; - - domain = mkOption { - description = "Domain name sans protocol scheme."; - type = with types; str; - default = "radarr.${config.networking.domain}"; - }; - }; - - config = mkIf cfg.enable { - ark.directories = [ "/var/lib/radarr" ]; - - nixfiles.modules.nginx = { - enable = true; - upstreams.radarr.servers."127.0.0.1:7878" = { }; - virtualHosts.${cfg.domain} = { - locations."/".proxyPass = "http://radarr"; - extraConfig = libNginx.config.internalOnly; - }; - }; - - services.radarr = { - enable = true; - user = "rtorrent"; - group = "rtorrent"; - }; - }; -} diff --git a/modules/rtorrent.nix b/modules/rtorrent.nix deleted file mode 100644 index 82ef1b2..0000000 --- a/modules/rtorrent.nix +++ /dev/null 
@@ -1,328 +0,0 @@ -{ - config, - lib, - libNginx, - pkgs, - ... -}: -with lib; -let - cfg = config.nixfiles.modules.rtorrent; -in -{ - options.nixfiles.modules.rtorrent = { - enable = mkEnableOption "rTorrent"; - - flood = { - enable = mkEnableOption "Flood" // { - default = cfg.enable; - }; - - domain = mkOption { - description = "Domain name sans protocol scheme."; - type = with types; str; - default = "flood.${config.networking.domain}"; - }; - }; - }; - - config = - let - user = "rtorrent"; - group = "rtorrent"; - baseDir = "/var/lib/rtorrent"; - rpcSocket = "${baseDir}/rpc.socket"; - in - mkIf cfg.enable (mkMerge [ - ( - let - port = 50000; - in - { - ark.directories = [ baseDir ]; - - systemd = { - services.rtorrent = { - description = "rTorrent"; - after = [ - "network.target" - "local-fs.target" - ]; - serviceConfig = - let - leechDir = "${baseDir}/leech"; - seedDir = "${baseDir}/seed"; - sessionDir = "${baseDir}/session"; - logDir = "${baseDir}/log"; - configFile = - let - moveCompleted = getExe ( - pkgs.writeShellApplication { - name = "move-completed"; - runtimeInputs = with pkgs; [ - coreutils-full - gnused - findutils - ]; - text = '' - set -x - - leech_path="$1" - seed_path="$2" - # seed_path="$(echo "$2" | sed 's@+@ @g;s@%@\\x@g' | xargs -0 printf '%b')" - - mkdir -pv "$seed_path" - mv -fv "$leech_path" "$seed_path" - ''; - } - ); - in - pkgs.writeText "rtorrent.rc" '' - method.insert = cfg.leech, private|const|string, (cat, "${leechDir}") - method.insert = cfg.seed, private|const|string, (cat, "${seedDir}") - method.insert = cfg.session, private|const|string, (cat, "${sessionDir}") - method.insert = cfg.log, private|const|string, (cat, "${logDir}") - method.insert = cfg.rpcsocket, private|const|string, (cat, "${rpcSocket}") - - directory.default.set = (cat, (cfg.leech)) - session.path.set = (cat, (cfg.session)) - - network.port_range.set = ${toString port}-${toString port} - network.port_random.set = no - - dht.mode.set = disable - protocol.pex.set 
= no - - trackers.use_udp.set = no - - protocol.encryption.set = allow_incoming,try_outgoing,enable_retry - - pieces.memory.max.set = ${toString (pow 2 11)}M - pieces.preload.type.set = 2 - - network.xmlrpc.size_limit.set = ${toString (pow 2 17)} - - network.max_open_files.set = ${toString (pow 2 10)} - network.max_open_sockets.set = ${toString (pow 2 10)} - - network.http.max_open.set = ${toString (pow 2 8)} - - throttle.global_down.max_rate.set_kb = 0 - throttle.global_up.max_rate.set_kb = 0 - - encoding.add = UTF-8 - system.umask.set = 0027 - system.cwd.set = (directory.default) - - network.scgi.open_local = (cat, (cfg.rpcsocket)) - - method.insert = d.move_completed, simple, "\ - d.directory.set=$argument.1=;\ - execute=${moveCompleted}, $argument.0=, $argument.1=;\ - d.save_full_session=\ - " - method.insert = d.leech_path, simple, "\ - if=(d.is_multi_file),\ - (cat, (d.directory), /),\ - (cat, (d.directory), /, (d.name))\ - " - method.insert = d.seed_path, simple, "\ - cat=$cfg.seed=, /, $d.custom1=\ - " - method.set_key = event.download.finished, move_complete, "\ - d.move_completed=$d.leech_path=, $d.seed_path=\ - " - - log.open_file = "log", (cat, (cfg.log), "/", "default.log") - log.add_output = "info", "log" - log.execute = (cat, (cfg.log), "/", "execute.log") - ''; - in - { - Restart = "on-failure"; - RestartSec = 3; - - KillMode = "process"; - KillSignal = "SIGHUP"; - - User = user; - Group = group; - - ExecStartPre = concatStringsSep " " [ - "${pkgs.coreutils-full}/bin/mkdir -p" - leechDir - seedDir - sessionDir - logDir - ]; - ExecStart = concatStringsSep " " [ - (getExe pkgs.rtorrent) - "-n" - "-o system.daemon.set=true" - "-o network.bind_address.set=0.0.0.0" - "-o import=${configFile}" - ]; - ExecStop = concatStringsSep " " [ - "${pkgs.coreutils-full}/bin/rm -rf" - rpcSocket - ]; - - RuntimeDirectory = "rtorrent"; - RuntimeDirectoryMode = 750; - UMask = 27; - AmbientCapabilities = [ "" ]; - CapabilityBoundingSet = [ "" ]; - LockPersonality = true; 
- MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateTmp = true; - PrivateUsers = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProcSubset = "pid"; - RemoveIPC = true; - RestrictAddressFamilies = [ - "AF_UNIX" - "AF_INET" - "AF_INET6" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - "~@resources" - "~@privileged" - ]; - }; - wantedBy = [ "multi-user.target" ]; - }; - - tmpfiles.rules = [ "d '${baseDir}' 0750 ${user} ${group} -" ]; - }; - - users = { - users.${user} = { - inherit group; - shell = pkgs.bashInteractive; - home = baseDir; - description = "rTorrent"; - isSystemUser = true; - }; - groups.${group} = { }; - }; - my.extraGroups = [ group ]; - - networking.firewall.allowedTCPPorts = [ port ]; - - boot.kernel.sysctl = { - "net.core.rmem_max" = mkOverride 500 (pow 2 24); - "net.core.wmem_max" = mkOverride 500 (pow 2 24); - "net.ipv4.tcp_fin_timeout" = mkOverride 500 30; - "net.ipv4.tcp_rmem" = mkOverride 500 (mkTcpMem 12 23 24); - "net.ipv4.tcp_slow_start_after_idle" = 0; - "net.ipv4.tcp_tw_recycle" = mkOverride 500 1; - "net.ipv4.tcp_tw_reuse" = mkOverride 500 1; - "net.ipv4.tcp_wmem" = mkOverride 500 (mkTcpMem 12 23 24); - }; - } - ) - ( - let - port = 50001; - pkg = pkgs.nodePackages.flood; - in - mkIf cfg.flood.enable { - nixfiles.modules.nginx = { - enable = true; - upstreams.flood.servers."127.0.0.1:${toString port}" = { }; - virtualHosts.${cfg.flood.domain} = { - root = "${pkg}/lib/node_modules/flood/dist/assets"; - locations = { - "/".tryFiles = "$uri /index.html"; - "/api" = { - proxyPass = "http://flood"; - extraConfig = libNginx.config.noProxyBuffering; - }; - }; - extraConfig = libNginx.config.internalOnly; - }; - }; - - 
systemd.services.flood = { - description = "Flood"; - after = [ - "network.target" - "rtorrent.service" - ]; - path = with pkgs; [ mediainfo ]; - serviceConfig = { - Restart = "on-failure"; - RestartSec = 3; - - User = user; - Group = group; - - ExecStart = concatStringsSep " " [ - (getExe pkg) - "--allowedpath=${baseDir}" - "--baseuri=/" - "--rundir=${baseDir}/flood" - "--host=127.0.0.1" - "--port=${toString port}" - "--rtsocket=${rpcSocket}" - "--ssl=false" - "--auth=none" - ]; - - RuntimeDirectory = "rtorrent"; - RuntimeDirectoryMode = 750; - UMask = 27; - AmbientCapabilities = [ "" ]; - CapabilityBoundingSet = [ "" ]; - LockPersonality = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateTmp = true; - PrivateUsers = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProcSubset = "pid"; - ProtectProc = "invisible"; - RemoveIPC = true; - RestrictAddressFamilies = [ - "AF_UNIX" - "AF_INET" - "AF_INET6" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "~@cpu-emulation" - "~@debug" - "~@mount" - "~@obsolete" - "~@privileged" - "~@resources" - ]; - }; - wantedBy = [ "multi-user.target" ]; - }; - } - ) - ]); -} diff --git a/modules/sonarr.nix b/modules/sonarr.nix deleted file mode 100644 index b11dda0..0000000 --- a/modules/sonarr.nix +++ /dev/null 
@@ -1,40 +0,0 @@ -{ - config, - lib, - libNginx, - ... -}: -with lib; -let - cfg = config.nixfiles.modules.sonarr; -in -{ - options.nixfiles.modules.sonarr = { - enable = mkEnableOption "Sonarr"; - - domain = mkOption { - description = "Domain name sans protocol scheme."; - type = with types; str; - default = "sonarr.${config.networking.domain}"; - }; - }; - - config = mkIf cfg.enable { - ark.directories = [ "/var/lib/sonarr" ]; - - nixfiles.modules.nginx = { - enable = true; - upstreams.sonarr.servers."127.0.0.1:8989" = { }; - virtualHosts.${cfg.domain} = { - locations."/".proxyPass = "http://sonarr"; - extraConfig = libNginx.config.internalOnly; - }; - }; - - services.sonarr = { - enable = true; - user = "rtorrent"; - group = "rtorrent"; - }; - }; -} |