diff options
| -rw-r--r-- | checks.nix | 3 | ||||
| -rw-r--r-- | configurations/eonwe/default.nix | 23 | ||||
| -rw-r--r-- | configurations/eonwe/vidya.nix | 44 | ||||
| -rw-r--r-- | configurations/yavanna/default.nix | 50 | ||||
| -rw-r--r-- | flake.lock | 141 | ||||
| -rw-r--r-- | lib/my.nix | 1 | ||||
| -rw-r--r-- | modules/beets.nix | 11 | ||||
| -rw-r--r-- | modules/common/ark.nix | 2 | ||||
| -rw-r--r-- | modules/monitoring/default.nix | 12 | ||||
| -rw-r--r-- | modules/nsd.nix | 3 | ||||
| -rw-r--r-- | modules/piracy/default.nix | 177 | ||||
| -rw-r--r-- | modules/piracy/jackett.nix (renamed from modules/jackett.nix) | 4 | ||||
| -rw-r--r-- | modules/piracy/lidarr.nix (renamed from modules/lidarr.nix) | 46 | ||||
| -rw-r--r-- | modules/piracy/radarr.nix | 84 | ||||
| -rw-r--r-- | modules/piracy/sonarr.nix | 84 | ||||
| -rw-r--r-- | modules/profiles/headful.nix | 2 | ||||
| -rw-r--r-- | modules/prowlarr.nix | 65 | ||||
| -rw-r--r-- | modules/radarr.nix | 40 | ||||
| -rw-r--r-- | modules/rtorrent.nix | 328 | ||||
| -rw-r--r-- | modules/sonarr.nix | 40 | ||||
| -rw-r--r-- | overlays.nix | 3 |
21 files changed, 650 insertions, 513 deletions
diff --git a/checks.nix b/checks.nix index 173c1d4..8ecf45d 100644 --- a/checks.nix +++ b/checks.nix @@ -30,12 +30,11 @@ editorconfig-checker.enable = true; fix-byte-order-marker.enable = true; # flake-checker.enable = true; - nil.enable = true; nixfmt-rfc-style.enable = true; prettier.enable = true; shellcheck.enable = true; shfmt.enable = true; - statix.enable = true; + statix.enable = false; # Doesn't support pipes yet. yamllint.enable = true; }; }; diff --git a/configurations/eonwe/default.nix b/configurations/eonwe/default.nix index 875f737..68cfac4 100644 --- a/configurations/eonwe/default.nix +++ b/configurations/eonwe/default.nix @@ -277,6 +277,17 @@ with lib; # [1]: https://github.com/nix-community/impermanence/issues/22 # [1]: https://github.com/NixOS/nixpkgs/pull/86967#pullrequestreview-667929259 "/home/${my.username}".neededForBoot = true; + + "/mnt/ydata/music" = { + device = "yavanna.shire.net:/export/music"; + fsType = "nfs"; + options = [ + "ro" + "noauto" + "x-systemd.automount" + "x-systemd.idle-timeout=${5 * 60 |> toString}" + ]; + }; }; zramSwap = { @@ -284,7 +295,10 @@ with lib; memoryPercent = 50; }; - my.extraGroups = [ "corectrl" ]; + my.extraGroups = [ + "corectrl" + config.nixfiles.modules.piracy.group + ]; users = { users.builder = { @@ -295,7 +309,12 @@ with lib; ]; useDefaultShell = true; }; - groups.builder = { }; + groups = { + builder = { }; + piracy = { + inherit (config.nixfiles.modules.piracy) gid; + }; + }; }; nix.settings.trusted-users = [ "builder" ]; diff --git a/configurations/eonwe/vidya.nix b/configurations/eonwe/vidya.nix index a40daa9..0cde57a 100644 --- a/configurations/eonwe/vidya.nix +++ b/configurations/eonwe/vidya.nix @@ -10,34 +10,32 @@ games = { lutris.enable = true; - steam.enable = true; - steam-run.quirks = { - blackIsleStudios = true; - cryptOfTheNecrodancer = true; - mountAndBladeWarband = false; - }; - - minecraft.client.enable = true; + # steam-run.quirks = { + # blackIsleStudios = true; + # cryptOfTheNecrodancer = true; + # mountAndBladeWarband = false; + # }; + # minecraft.client.enable = true; }; }; hm.home.packages = with pkgs; [ - (crawl.override { tileMode = true; }) - (dwarf-fortress-packages.dwarf-fortress-full.override { - dfVersion = "50.13"; - theme = "cla"; - enableIntro = false; - enableFPS = true; - }) - fallout-ce - fallout2-ce - gzdoom - openmw - openttd - qzdl - r2modman + # (crawl.override { tileMode = true; }) + # (dwarf-fortress-packages.dwarf-fortress-full.override { + # dfVersion = "50.13"; + # theme = "cla"; + # enableIntro = false; + # enableFPS = true; + # }) + # fallout-ce + # fallout2-ce + # gzdoom + # openmw + # openttd + # qzdl + # r2modman + # xonotic vcmi - xonotic ]; } diff --git a/configurations/yavanna/default.nix b/configurations/yavanna/default.nix index b9de05e..b827dd9 100644 --- a/configurations/yavanna/default.nix +++ b/configurations/yavanna/default.nix @@ -1,4 +1,9 @@ -_: { +{ + config, + lib, + ... +}: +{ nixfiles.modules = { wireguard.client.enable = true; @@ -6,9 +11,31 @@ _: { acme.enable = true; - rtorrent.enable = true; - lidarr.enable = true; - jackett.enable = true; + piracy = { + enable = true; + lidarr.enable = true; + radarr.enable = false; + sonarr.enable = false; + }; + }; + + services.nfs.server = { + enable = true; + exports = + lib.concatMapStringsSep "\n" + ( + dir: + let + target = s: "${s}(insecure,ro,no_subtree_check)"; + v4 = target config.nixfiles.modules.wireguard.ipv4.subnet; + v6 = target config.nixfiles.modules.wireguard.ipv6.subnet; + in + "${dir} ${v4} ${v6}" + ) + [ + "/export/rtorrent" + "/export/music" + ]; }; boot.loader.grub = { @@ -17,10 +44,17 @@ _: { configurationLimit = 5; }; - fileSystems."/" = { - device = "/dev/sda2"; - fsType = "ext4"; - options = [ "noatime" ]; + fileSystems = { + "/" = { + device = "/dev/sda2"; + fsType = "ext4"; + options = [ "noatime" ]; + }; + + "/export/music" = { + device = "/var/lib/lidarr/root"; + options = [ "bind" ]; + }; }; swapDevices = [ { device = "/dev/sda3"; } ]; diff --git a/flake.lock b/flake.lock index 0eabee8..850db7c 100644 --- a/flake.lock +++ b/flake.lock @@ -229,11 +229,11 @@ ] }, "locked": { - "lastModified": 1735048446, - "narHash": "sha256-Tc35Y8H+krA6rZeOIczsaGAtobSSBPqR32AfNTeHDRc=", + "lastModified": 1735468753, + "narHash": "sha256-2dt1nOe9zf9pDkf5Kn7FUFyPRo581s0n90jxYXJ94l0=", "owner": "nix-community", "repo": "disko", - "rev": "3a4de9fa3a78ba7b7170dda6bd8b4cdab87c0b21", + "rev": "84a5b93637cc16cbfcc61b6e1684d626df61eb21", "type": "github" }, "original": { @@ -285,11 +285,11 @@ "nixpkgs-lib": "nixpkgs-lib" }, "locked": { - "lastModified": 1733312601, - "narHash": "sha256-4pDvzqnegAfRkPwO3wmwBhVi/Sye1mzps0zHWYnP88c=", + "lastModified": 1736143030, + "narHash": "sha256-+hu54pAoLDEZT9pjHlqL9DNzWz0NbUn8NEAHP7PQPzU=", "owner": "hercules-ci", "repo": "flake-parts", - "rev": "205b12d8b7cd4802fbcb8e8ef6a0f1408781a4f9", + "rev": "b905f6fc23a9051a6e1b741e1438dbfc0634c6de", "type": "github" }, "original": { @@ -361,17 +361,45 @@ "gitignore": "gitignore", "nixpkgs": [ "nixpkgs" + ] + }, + "locked": { + "lastModified": 1735882644, + "narHash": "sha256-3FZAG+pGt3OElQjesCAWeMkQ7C/nB1oTHLRQ8ceP110=", + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "a5a961387e75ae44cc20f0a57ae463da5e959656", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "git-hooks_2": { + "inputs": { + "flake-compat": [ + "stylix", + "flake-compat" + ], + "gitignore": "gitignore_2", + "nixpkgs": [ + "stylix", + "nixpkgs" ], "nixpkgs-stable": [ - "nixpkgs-stable" + "stylix", + "git-hooks", + "nixpkgs" ] }, "locked": { - "lastModified": 1734797603, - "narHash": "sha256-ulZN7ps8nBV31SE+dwkDvKIzvN6hroRY8sYOT0w+E28=", + "lastModified": 1731363552, + "narHash": "sha256-vFta1uHnD29VUY4HJOO/D6p6rxyObnf+InnSMT4jlMU=", "owner": "cachix", "repo": "git-hooks.nix", - "rev": "f0f0dc4920a903c3e08f5bdb9246bb572fcae498", + "rev": "cd1af27aa85026ac759d5d3fccf650abe7e1bbf0", "type": "github" }, "original": { @@ -401,6 +429,28 @@ "type": "github" } }, + "gitignore_2": { + "inputs": { + "nixpkgs": [ + "stylix", + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=", + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, "gnome-shell": { "flake": false, "locked": { @@ -425,11 +475,11 @@ ] }, "locked": { - "lastModified": 1735381016, - "narHash": "sha256-CyCZFhMUkuYbSD6bxB/r43EdmDE7hYeZZPTCv0GudO4=", + "lastModified": 1736089250, + "narHash": "sha256-/LPWMiiJGPHGd7ZYEgmbE2da4zvBW0acmshUjYC3WG4=", "owner": "nix-community", "repo": "home-manager", - "rev": "10e99c43cdf4a0713b4e81d90691d22c6a58bdf2", + "rev": "172b91bfb2b7f5c4a8c6ceac29fd53a01ef07196", "type": "github" }, "original": { @@ -472,11 +522,11 @@ "infuse": { "flake": false, "locked": { - "lastModified": 1735391646, - "narHash": "sha256-hT6nV+C8VmdC7yUFA8lBTYqHyehSewQAcesQa8Xjrew=", + "lastModified": 1735727689, + "narHash": "sha256-/aTuYtM+ZJovkhJMNYl0sGpYxTBiFfm/hMKo8Nst+jM=", "ref": "refs/heads/trunk", - "rev": "a9baa4b0ac2f88a6aad540831bc5958891b68b5e", - "revCount": 44, + "rev": "9773c94d65779efb420ed613ba9a7769c978bddd", + "revCount": 46, "type": "git", "url": "https://codeberg.org/amjoseph/infuse.nix" }, @@ -523,11 +573,11 @@ ] }, "locked": { - "lastModified": 1735437273, - "narHash": "sha256-MSB8fwFAV/9KOcnlmrZvjJkL4o0QkzzUUPb/PT3YQII=", + "lastModified": 1736128264, + "narHash": "sha256-B2RuVaQBbVChPf9ZqRBEqUA09MCD5P/iBpOokoXd5gM=", "owner": "Infinidoge", "repo": "nix-minecraft", - "rev": "37ae8c818d9943c0b60826ace55aaf5bd065a3c2", + "rev": "eefeae9b72d15f69e7264a6a87fba6ecc9782496", "type": "github" }, "original": { @@ -543,11 +593,11 @@ ] }, "locked": { - "lastModified": 1735443188, - "narHash": "sha256-AydPpRBh8+NOkrLylG7vTsHrGO2b5L7XkMEL5HlzcA8=", + "lastModified": 1736047960, + "narHash": "sha256-hutd85FA1jUJhhqBRRJ+u7UHO9oFGD/RVm2x5w8WjVQ=", "owner": "nix-community", "repo": "nix-index-database", - "rev": "55ab1e1df5daf2476e6b826b69a82862dcbd7544", + "rev": "816a6ae88774ba7e74314830546c29e134e0dffb", "type": "github" }, "original": { @@ -570,11 +620,11 @@ ] }, "locked": { - "lastModified": 1734639503, - "narHash": "sha256-Z58HeNQpfbi94Cw8VxdF1GtU1S5AoWO0hfJTxA6wu78=", + "lastModified": 1736111688, + "narHash": "sha256-5z1ZgHgrr1qI0ve+mc0SjbL5PGbDLZb/3uijpmLIWT8=", "owner": "oddlama", "repo": "nix-topology", - "rev": "d6edd49bac68dc70e19b5e91617b9f04e8ac1c43", + "rev": "ac1aa5116d858fdff131625dde59a988f74efb11", "type": "github" }, "original": { @@ -647,23 +697,23 @@ }, "nixpkgs-lib": { "locked": { - "lastModified": 1733096140, - "narHash": "sha256-1qRH7uAUsyQI7R1Uwl4T+XvdNv778H0Nb5njNrqvylY=", + "lastModified": 1735774519, + "narHash": "sha256-CewEm1o2eVAnoqb6Ml+Qi9Gg/EfNAxbRx1lANGVyoLI=", "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" }, "original": { "type": "tarball", - "url": "https://github.com/NixOS/nixpkgs/archive/5487e69da40cbd611ab2cadee0b4637225f7cfae.tar.gz" + "url": "https://github.com/NixOS/nixpkgs/archive/e9b51731911566bbf7e4895475a87fe06961de0b.tar.gz" } }, "nixpkgs-master": { "locked": { - "lastModified": 1735464802, - "narHash": "sha256-W8WRoQlkS9ZqOaR9Lmphg6aODYxNCLSnvO4laH0YtMU=", + "lastModified": 1736163950, + "narHash": "sha256-w+Kk+zA8R2Oae4i2jC8IflJsfjogOKy8pm3H28k5zY4=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "1bdf3ca3ad39a0a837746f81bb2eb6adb518abee", + "rev": "19ab97dfada0904de0ff1329d93f6bbadf8269f3", "type": "github" }, "original": { @@ -675,11 +725,11 @@ }, "nixpkgs-stable": { "locked": { - "lastModified": 1735336148, - "narHash": "sha256-J3W9UW0fDdytCZGtZE7+ark8dp/au71Z9C1J7VrdIvY=", + "lastModified": 1735651292, + "narHash": "sha256-YLbzcBtYo1/FEzFsB3AnM16qFc6fWPMIoOuSoDwvg9g=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "d19eb06286da7d91276afccb4ffb2bd85da6f65d", + "rev": "0da3c44a9460a26d2025ec3ed2ec60a895eb1114", "type": "github" }, "original": { @@ -760,11 +810,11 @@ ] }, "locked": { - "lastModified": 1735379278, - "narHash": "sha256-DpihJuI9SaWOUc1lRrw+e5014Qj+WHn9Xla89jxA6jk=", + "lastModified": 1735858634, + "narHash": "sha256-qp83fDr3W5b6QoWSp+vfcH1vFNEhreW98qe9tlhSaXE=", "owner": "nix-community", "repo": "srvos", - "rev": "e3b404890cfb44caec3edc8b84facb8934299428", + "rev": "eea4ff2050968da5134788c73d63a2461f9daf27", "type": "github" }, "original": { @@ -783,6 +833,7 @@ "flake-compat" ], "flake-utils": "flake-utils_2", + "git-hooks": "git-hooks_2", "gnome-shell": "gnome-shell", "home-manager": [ "home-manager" @@ -796,11 +847,11 @@ "tinted-tmux": "tinted-tmux" }, "locked": { - "lastModified": 1735253599, - "narHash": "sha256-aKLAUkdeMH2N5gMDNiOC7KghRNy1necLtLa9+zUcj1g=", + "lastModified": 1736011580, + "narHash": "sha256-8gmk/i9ZA5C6LGRnqHb5sZ8UKaqT5GnS6XxeSPMSz+s=", "owner": "danth", "repo": "stylix", - "rev": "963e77a3a4fc2be670d5a9a6cbeb249b8a43808a", + "rev": "7dfcdb410118dcd02ba1d85a2179a6f1c877403f", "type": "github" }, "original": { @@ -917,11 +968,11 @@ ] }, "locked": { - "lastModified": 1735437250, - "narHash": "sha256-UMLwX1WiR2cjJndlKHm4WXQ8fBKJPMMSUsk+YjsjTl8=", + "lastModified": 1736128196, + "narHash": "sha256-wSVfnO8Hixn767LsdAE/FIHO5IemkfbTEZZ03+HUowM=", "owner": "nix-community", "repo": "nix-vscode-extensions", - "rev": "adf374ae7e5237a3aa03e88503644732ea15045d", + "rev": "ba2fa846fba43fb9c8cd71b1435d227a7925fae0", "type": "github" }, "original": { diff --git a/lib/my.nix b/lib/my.nix index 3a8058e..20f01be 100644 --- a/lib/my.nix +++ b/lib/my.nix @@ -178,6 +178,7 @@ with lib; "flood.${shire}" "jackett.${shire}" "lidarr.${shire}" + "prowlarr.${shire}" ]; syncthing.id = "@SYNCTHING_ID@"; diff --git a/modules/beets.nix b/modules/beets.nix index 732f400..c25ad53 100644 --- a/modules/beets.nix +++ b/modules/beets.nix @@ -49,10 +49,17 @@ in original_date = true; import = { write = true; - copy = true; + copy = true; # sshfs mount and `beet import` the required directory. move = false; - bell = true; + link = false; + hardlink = false; + reflink = false; + resume = false; + incremental = true; + incremental_skip_later = false; from_scratch = true; + quiet = false; + bell = true; }; match = { preferred = { diff --git a/modules/common/ark.nix b/modules/common/ark.nix index f297fce..e3ea4c5 100644 --- a/modules/common/ark.nix +++ b/modules/common/ark.nix @@ -46,7 +46,7 @@ in config = lib.mkIf cfg.enable { environment.persistence.${cfg.path} = { hideMounts = true; - enableDebugging = true; + enableDebugging = false; enableWarnings = true; inherit (cfg) directories files; }; diff --git a/modules/monitoring/default.nix b/modules/monitoring/default.nix index a3e57d3..164ac5d 100644 --- a/modules/monitoring/default.nix +++ b/modules/monitoring/default.nix @@ -189,6 +189,14 @@ in ]; inherit (config.services.endlessh-go.prometheus) port; }; + exportarr-prowlarr = { + hosts = [ yavanna ]; + inherit (config.services.prometheus.exporters.exportarr-prowlarr) port; + }; + exportarr-lidarr = { + hosts = [ yavanna ]; + inherit (config.services.prometheus.exporters.exportarr-lidarr) port; + }; nginx = { hosts = [ manwe @@ -221,10 +229,6 @@ in hosts = [ manwe ]; inherit (config.services.prometheus.exporters.wireguard) port; }; - exportarr-lidarr = { - hosts = [ yavanna ]; - inherit (config.services.prometheus.exporters.exportarr-lidarr) port; - }; }; ruleFiles = [ diff --git a/modules/nsd.nix b/modules/nsd.nix index acf7e27..13cebe9 100644 --- a/modules/nsd.nix +++ b/modules/nsd.nix @@ -103,7 +103,7 @@ in SOA = { nameServer = "${cfg.fqdn}."; adminEmail = "admin+dns@${my.domain.shire}"; - serial = 2022091601; # Don't forget to bump the revision! + serial = 2024010301; # Don't forget to bump the revision! }; NS = with my.domain; [ @@ -163,6 +163,7 @@ in flood = yavanna; jackett = yavanna; lidarr = yavanna; + prowlarr = yavanna; }; } ]; diff --git a/modules/piracy/default.nix b/modules/piracy/default.nix new file mode 100644 index 0000000..be957f0 --- /dev/null +++ b/modules/piracy/default.nix @@ -0,0 +1,177 @@ +{ + config, + lib, + libNginx, + pkgs, + ... +}: +let + cfg = config.nixfiles.modules.piracy; +in +{ + imports = lib.attrValues (lib.modulesIn ./.); + + options.nixfiles.modules.piracy = { + enable = lib.mkEnableOption "tools for working with the BitTorrent protocol"; + + group = lib.mkOption { + type = lib.types.str; + default = "piracy"; + }; + gid = lib.mkOption { + type = lib.types.int; + default = 210; # Unused UID from Nixpkgs. + }; + + flood = { + enable = lib.mkEnableOption "Flood" // { + default = cfg.enable; + }; + + domain = lib.mkOption { + description = "Domain name sans protocol scheme."; + type = lib.types.str; + default = "flood.${config.networking.domain}"; + }; + }; + }; + + config = + let + files = "/export/rtorrent"; + socket = "/run/rtorrent/rpc.sock"; + in + lib.mkIf cfg.enable ( + lib.mkMerge [ + { + ark.directories = [ + config.services.rtorrent.dataDir + files + ]; + + services.rtorrent = { + enable = true; + + user = "rtorrent"; + inherit (cfg) group; + + rpcSocket = socket; + configText = + with config.services.rtorrent; + lib.mkForce '' + directory.default.set = ${files} + session.path.set = ${dataDir}/session + + network.port_range.set = ${toString port}-${toString port} + network.port_random.set = no + + dht.mode.set = disable + protocol.pex.set = no + + trackers.use_udp.set = no + + protocol.encryption.set = allow_incoming,try_outgoing,enable_retry + + pieces.memory.max.set = ${toString (lib.pow 2 11)}M + pieces.preload.type.set = 2 + + network.max_open_files.set = ${toString (lib.pow 2 13)} + network.max_open_sockets.set = ${toString (lib.pow 2 13)} + + network.http.max_open.set = ${toString (lib.pow 2 10)} + + throttle.global_down.max_rate.set_kb = 0 + throttle.global_up.max_rate.set_kb = 0 + + network.scgi.open_local = ${socket} + network.xmlrpc.size_limit.set = ${toString (lib.pow 2 17)} + + encoding.add = utf8 + system.umask.set = 0007 + + log.open_file = "log", "/var/log/rtorrent/log" + log.add_output = "info", "log" + ''; + }; + + systemd = { + sockets.rtorrent = { + socketConfig.ListenStream = socket; + wantedBy = [ "sockets.target" ]; + }; + + services.rtorrent = { + serviceConfig = { + UMask = "0007"; + RuntimeDirectory = "rtorrent"; + LogsDirectory = "rtorrent"; + ReadWritePaths = [ files ]; + }; + after = [ "rtorrent.socket" ]; + requires = [ "rtorrent.socket" ]; + }; + + tmpfiles.rules = with config.services.rtorrent; [ + "d '${files}' 0750 ${user} ${cfg.group} -" + ]; + }; + + users = { + users.${config.services.rtorrent.user}.uid = cfg.gid; + groups.${config.services.rtorrent.group}.gid = cfg.gid; + }; + my.extraGroups = [ cfg.group ]; + + boot.kernel.sysctl = { + "net.core.rmem_max" = lib.mkOverride 500 (lib.pow 2 24); + "net.core.wmem_max" = lib.mkOverride 500 (lib.pow 2 24); + "net.ipv4.tcp_fin_timeout" = lib.mkOverride 500 30; + "net.ipv4.tcp_rmem" = lib.mkOverride 500 (lib.mkTcpMem 12 23 24); + "net.ipv4.tcp_slow_start_after_idle" = 0; + "net.ipv4.tcp_tw_recycle" = lib.mkOverride 500 1; + "net.ipv4.tcp_tw_reuse" = lib.mkOverride 500 1; + "net.ipv4.tcp_wmem" = lib.mkOverride 500 (lib.mkTcpMem 12 23 24); + }; + } + (lib.mkIf cfg.flood.enable { + ark.directories = [ "/var/lib/private/flood" ]; + + nixfiles.modules.nginx = with config.services.flood; { + enable = true; + upstreams.flood.servers."${host}:${toString port}" = { }; + virtualHosts.${cfg.flood.domain} = { + root = "${package}/lib/node_modules/flood/dist/assets"; + locations = { + "/".tryFiles = "$uri /index.html"; + "/api" = { + proxyPass = "http://flood"; + extraConfig = libNginx.config.noProxyBuffering; + }; + }; + extraConfig = libNginx.config.internalOnly; + }; + }; + + services.flood = { + enable = true; + extraArgs = [ + "--auth=none" + "--assets=false" + "--allowedpath=${files}" + "--rtsocket=${socket}" + ]; + }; + + systemd.services.flood = { + path = [ pkgs.mediainfo ]; + serviceConfig = { + Group = cfg.group; + ReadOnlyPaths = [ files ]; + }; + after = [ "rtorrent.socket" ]; + requires = [ "rtorrent.socket" ]; + }; + }) + ] + ); +} diff --git a/modules/jackett.nix b/modules/piracy/jackett.nix index 5b0b2c0..7ef9311 100644 --- a/modules/jackett.nix +++ b/modules/piracy/jackett.nix @@ -7,10 +7,10 @@ ... }: let - cfg = config.nixfiles.modules.jackett; + cfg = config.nixfiles.modules.piracy.jackett; in { - options.nixfiles.modules.jackett = { + options.nixfiles.modules.piracy.jackett = { enable = lib.mkEnableOption "Jackett"; domain = lib.mkOption { diff --git a/modules/lidarr.nix b/modules/piracy/lidarr.nix index 127e8d9..a905d8e 100644 --- a/modules/lidarr.nix +++ b/modules/piracy/lidarr.nix @@ -8,10 +8,12 @@ }: with lib; let - cfg = config.nixfiles.modules.lidarr; + cfg = config.nixfiles.modules.piracy.lidarr; + + port = 8686; in { - options.nixfiles.modules.lidarr = { + options.nixfiles.modules.piracy.lidarr = { enable = mkEnableOption "Lidarr"; domain = mkOption { @@ -26,27 +28,33 @@ in ark.directories = [ "/var/lib/lidarr" ]; - nixfiles.modules.nginx = { - enable = true; - upstreams.lidarr.servers."127.0.0.1:8686" = { }; - virtualHosts.${cfg.domain} = { - locations."/".proxyPass = "http://lidarr"; - extraConfig = libNginx.config.internalOnly; + nixfiles.modules = { + nginx = { + enable = true; + upstreams.lidarr.servers."127.0.0.1:${toString port}" = { }; + virtualHosts.${cfg.domain} = { + locations."/".proxyPass = "http://lidarr"; + extraConfig = libNginx.config.internalOnly; + }; + }; + + piracy = { + enable = true; + jackett.enable = true; }; }; services = { lidarr = { enable = true; - user = "rtorrent"; - group = "rtorrent"; + group = "piracy"; }; prometheus.exporters.exportarr-lidarr = { enable = true; url = "http://127.0.0.1"; + port = port + 10000; apiKeyFile = config.secrets.lidarr-api-key.path; - port = mkDefault 9708; inherit (config.services.lidarr) user; inherit (config.services.lidarr) group; listenAddress = this.wireguard.ipv4.address; @@ -54,14 +62,22 @@ in }; }; - systemd.tmpfiles.rules = with config.services.lidarr; [ - "d /var/lib/lidarr/root 0755 ${user} ${group} - -" - ]; + systemd = { + tmpfiles.rules = with config.services.lidarr; [ + "d /var/lib/lidarr/root 0755 ${user} ${group} - -" + ]; + + services.lidarr.after = [ + "flood.service" + "jackett.service" + "local-fs.target" + ]; + }; topology = with cfg; { nodes.${this.hostname}.services.lidarr = { info = domain; - details.listen.text = "127.0.0.1:8686"; + details.listen.text = "127.0.0.1:${toString port}"; }; }; }; diff --git a/modules/piracy/radarr.nix b/modules/piracy/radarr.nix new file mode 100644 index 0000000..ac2fe7f --- /dev/null +++ b/modules/piracy/radarr.nix @@ -0,0 +1,84 @@ +{ + config, + inputs, + lib, + libNginx, + this, + ... +}: +with lib; +let + cfg = config.nixfiles.modules.piracy.radarr; + + port = 7878; +in +{ + options.nixfiles.modules.piracy.radarr = { + enable = mkEnableOption "Radarr"; + + domain = mkOption { + description = "Domain name sans protocol scheme."; + type = with types; str; + default = "radarr.${config.networking.domain}"; + }; + }; + + config = mkIf cfg.enable { + secrets.radarr-api-key.file = "${inputs.self}/secrets/radarr-api-key"; + + ark.directories = [ "/var/lib/radarr" ]; + + nixfiles.modules = { + nginx = { + enable = true; + upstreams.radarr.servers."127.0.0.1:${toString port}" = { }; + virtualHosts.${cfg.domain} = { + locations."/".proxyPass = "http://radarr"; + extraConfig = libNginx.config.internalOnly; + }; + }; + + piracy = { + enable = true; + jackett.enable = true; + }; + }; + + services = { + radarr = { + enable = true; + group = "piracy"; + }; + + prometheus.exporters.exportarr-radarr = { + enable = true; + url = "http://127.0.0.1"; + port = port + 10000; + apiKeyFile = config.secrets.radarr-api-key.path; + inherit (config.services.radarr) user; + inherit (config.services.radarr) group; + listenAddress = this.wireguard.ipv4.address; + environment.CONFIG = "/var/lib/radarr/.config/Radarr/config.xml"; + }; + }; + + systemd = { + tmpfiles.rules = with config.services.radarr; [ + "d /var/lib/radarr/root 0755 ${user} ${group} - -" + ]; + + services.lidarr.after = [ + "flood.service" + "jackett.service" + "local-fs.target" + ]; + }; + + topology = with cfg; { + nodes.${this.hostname}.services.radarr = { + info = domain; + details.listen.text = "127.0.0.1:${toString port}"; + }; + }; + }; +} diff --git a/modules/piracy/sonarr.nix b/modules/piracy/sonarr.nix new file mode 100644 index 0000000..8715a12 --- /dev/null +++ b/modules/piracy/sonarr.nix @@ -0,0 +1,84 @@ +{ + config, + inputs, + lib, + libNginx, + this, + ... +}: +with lib; +let + cfg = config.nixfiles.modules.piracy.sonarr; + + port = 8989; +in +{ + options.nixfiles.modules.piracy.sonarr = { + enable = mkEnableOption "Sonarr"; + + domain = mkOption { + description = "Domain name sans protocol scheme."; + type = with types; str; + default = "sonarr.${config.networking.domain}"; + }; + }; + + config = mkIf cfg.enable { + secrets.sonarr-api-key.file = "${inputs.self}/secrets/sonarr-api-key"; + + ark.directories = [ "/var/lib/sonarr" ]; + + nixfiles.modules = { + nginx = { + enable = true; + upstreams.sonarr.servers."127.0.0.1:${toString port}" = { }; + virtualHosts.${cfg.domain} = { + locations."/".proxyPass = "http://sonarr"; + extraConfig = libNginx.config.internalOnly; + }; + }; + + piracy = { + enable = true; + jackett.enable = true; + }; + }; + + services = { + sonarr = { + enable = true; + group = "piracy"; + }; + + prometheus.exporters.exportarr-sonarr = { + enable = true; + url = "http://127.0.0.1"; + port = port + 10000; + apiKeyFile = config.secrets.sonarr-api-key.path; + inherit (config.services.sonarr) user; + inherit (config.services.sonarr) group; + listenAddress = this.wireguard.ipv4.address; + environment.CONFIG = "/var/lib/sonarr/.config/Sonarr/config.xml"; + }; + }; + + systemd = { + tmpfiles.rules = with config.services.sonarr; [ + "d /var/lib/sonarr/root 0755 ${user} ${group} - -" + ]; + + services.sonarr.after = [ + "flood.service" + "jackett.service" + "local-fs.target" + ]; + }; + + topology = with cfg; { + nodes.${this.hostname}.services.sonarr = { + info = domain; + details.listen.text = "127.0.0.1:${toString port}"; + }; + }; + }; +} diff --git a/modules/profiles/headful.nix b/modules/profiles/headful.nix index 991d513..d7f1876 100644 --- a/modules/profiles/headful.nix +++ b/modules/profiles/headful.nix @@ -56,9 +56,11 @@ in audacity byedpi eaglemode + easyeffects element-desktop fd gimp + helvum imv kdenlive libreoffice-fresh diff --git a/modules/prowlarr.nix b/modules/prowlarr.nix new file mode 100644 index 0000000..c5bf5c0 --- /dev/null +++ b/modules/prowlarr.nix @@ -0,0 +1,65 @@ +{ + config, + inputs, + lib, + libNginx, + this, + ... +}: +with lib; +let + cfg = config.nixfiles.modules.prowlarr; + + port = 9696; +in +{ + options.nixfiles.modules.prowlarr = { + enable = mkEnableOption "Prowlarr"; + + domain = mkOption { + description = "Domain name sans protocol scheme."; + type = with types; str; + default = "prowlarr.${config.networking.domain}"; + }; + }; + + config = mkIf cfg.enable { + # secrets.prowlarr-api-key.file = "${inputs.self}/secrets/prowlarr-api-key"; + + ark.directories = [ "/var/lib/private/prowlarr" ]; + + nixfiles.modules.nginx = { + enable = true; + upstreams.prowlarr.servers."127.0.0.1:${toString port}" = { }; + virtualHosts.${cfg.domain} = { + locations."/".proxyPass = "http://prowlarr"; + extraConfig = libNginx.config.internalOnly; + }; + }; + + services = { + prowlarr.enable = true; + + prometheus.exporters.exportarr-prowlarr = { + enable = true; + url = "http://127.0.0.1"; + port = port + 10000; + apiKeyFile = config.secrets.lidarr-api-key.path; + listenAddress = this.wireguard.ipv4.address; + environment = { + PROWLARR__BACKFILL = "true"; + PROWLARR__BACKFILL_DATE_SINCE = "2025-01-01"; + }; + }; + }; + + topology = with cfg; { + nodes.${this.hostname}.services.prowlarr = { + name = "Prowlarr"; + icon = "${inputs.homelab-svg-assets}/assets/prowlarr.svg"; + info = domain; + details.listen.text = "127.0.0.1:${toString port}"; + }; + }; + }; +} diff --git a/modules/radarr.nix b/modules/radarr.nix deleted file mode 100644 index 9e4e13f..0000000 --- a/modules/radarr.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ - config, - lib, - libNginx, - ... -}: -with lib; -let - cfg = config.nixfiles.modules.radarr; -in -{ - options.nixfiles.modules.radarr = { - enable = mkEnableOption "Radarr"; - - domain = mkOption { - description = "Domain name sans protocol scheme."; - type = with types; str; - default = "radarr.${config.networking.domain}"; - }; - }; - - config = mkIf cfg.enable { - ark.directories = [ "/var/lib/radarr" ]; - - nixfiles.modules.nginx = { - enable = true; - upstreams.radarr.servers."127.0.0.1:7878" = { }; - virtualHosts.${cfg.domain} = { - locations."/".proxyPass = "http://radarr"; - extraConfig = libNginx.config.internalOnly; - }; - }; - - services.radarr = { - enable = true; - user = "rtorrent"; - group = "rtorrent"; - }; - }; -} diff --git a/modules/rtorrent.nix b/modules/rtorrent.nix deleted file mode 100644 index 82ef1b2..0000000 --- a/modules/rtorrent.nix +++ /dev/null @@ -1,328 +0,0 @@ -{ - config, - lib, - libNginx, - pkgs, - ... -}: -with lib; -let - cfg = config.nixfiles.modules.rtorrent; -in -{ - options.nixfiles.modules.rtorrent = { - enable = mkEnableOption "rTorrent"; - - flood = { - enable = mkEnableOption "Flood" // { - default = cfg.enable; - }; - - domain = mkOption { - description = "Domain name sans protocol scheme."; - type = with types; str; - default = "flood.${config.networking.domain}"; - }; - }; - }; - - config = - let - user = "rtorrent"; - group = "rtorrent"; - baseDir = "/var/lib/rtorrent"; - rpcSocket = "${baseDir}/rpc.socket"; - in - mkIf cfg.enable (mkMerge [ - ( - let - port = 50000; - in - { - ark.directories = [ baseDir ]; - - systemd = { - services.rtorrent = { - description = "rTorrent"; - after = [ - "network.target" - "local-fs.target" - ]; - serviceConfig = - let - leechDir = "${baseDir}/leech"; - seedDir = "${baseDir}/seed"; - sessionDir = "${baseDir}/session"; - logDir = "${baseDir}/log"; - configFile = - let - moveCompleted = getExe ( - pkgs.writeShellApplication { - name = "move-completed"; - runtimeInputs = with pkgs; [ - coreutils-full - gnused - findutils - ]; - text = '' - set -x - - leech_path="$1" - seed_path="$2" - # seed_path="$(echo "$2" | sed 's@+@ @g;s@%@\\x@g' | xargs -0 printf '%b')" - - mkdir -pv "$seed_path" - mv -fv "$leech_path" "$seed_path" - ''; - } - ); - in - pkgs.writeText "rtorrent.rc" '' - method.insert = cfg.leech, private|const|string, (cat, "${leechDir}") - method.insert = cfg.seed, private|const|string, (cat, "${seedDir}") - method.insert = cfg.session, private|const|string, (cat, "${sessionDir}") - method.insert = cfg.log, private|const|string, (cat, "${logDir}") - method.insert = cfg.rpcsocket, private|const|string, (cat, "${rpcSocket}") - - directory.default.set = (cat, (cfg.leech)) - session.path.set = (cat, (cfg.session)) - - network.port_range.set = ${toString port}-${toString port} - network.port_random.set = no - - dht.mode.set = disable - protocol.pex.set = no - - trackers.use_udp.set = no - - protocol.encryption.set = allow_incoming,try_outgoing,enable_retry - - pieces.memory.max.set = ${toString (pow 2 11)}M - pieces.preload.type.set = 2 - - network.xmlrpc.size_limit.set = ${toString (pow 2 17)} - - network.max_open_files.set = ${toString (pow 2 10)} - network.max_open_sockets.set = ${toString (pow 2 10)} - - network.http.max_open.set = ${toString (pow 2 8)} - - throttle.global_down.max_rate.set_kb = 0 - throttle.global_up.max_rate.set_kb = 0 - - encoding.add = UTF-8 - system.umask.set = 0027 - system.cwd.set = (directory.default) - - network.scgi.open_local = (cat, (cfg.rpcsocket)) - - method.insert = d.move_completed, simple, "\ - d.directory.set=$argument.1=;\ - execute=${moveCompleted}, $argument.0=, $argument.1=;\ - d.save_full_session=\ - " - method.insert = d.leech_path, simple, "\ - if=(d.is_multi_file),\ - (cat, (d.directory), /),\ - (cat, (d.directory), /, (d.name))\ - " - method.insert = d.seed_path, simple, "\ - cat=$cfg.seed=, /, $d.custom1=\ - " - method.set_key = event.download.finished, move_complete, "\ - d.move_completed=$d.leech_path=, $d.seed_path=\ - " - - log.open_file = "log", (cat, (cfg.log), "/", "default.log") - log.add_output = "info", "log" - log.execute = (cat, (cfg.log), "/", "execute.log") - ''; - in - { - Restart = "on-failure"; - RestartSec = 3; - - KillMode = "process"; - KillSignal = "SIGHUP"; - - User = user; - Group = group; - - ExecStartPre = concatStringsSep " " [ - "${pkgs.coreutils-full}/bin/mkdir -p" - leechDir - seedDir - sessionDir - logDir - ]; - ExecStart = concatStringsSep " " [ - (getExe pkgs.rtorrent) - "-n" - "-o system.daemon.set=true" - "-o network.bind_address.set=0.0.0.0" - "-o import=${configFile}" - ]; - ExecStop = concatStringsSep " " [ - "${pkgs.coreutils-full}/bin/rm -rf" - rpcSocket - ]; - - RuntimeDirectory = "rtorrent"; - RuntimeDirectoryMode = 750; - UMask = 27; - AmbientCapabilities = [ "" ]; - CapabilityBoundingSet = [ "" ]; - LockPersonality = true; - MemoryDenyWriteExecute = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateTmp = true; - PrivateUsers = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProcSubset = "pid"; - RemoveIPC = true; - RestrictAddressFamilies = [ - "AF_UNIX" - "AF_INET" - "AF_INET6" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "@system-service" - "~@resources" - "~@privileged" - ]; - }; - wantedBy = [ "multi-user.target" ]; - }; - - tmpfiles.rules = [ "d '${baseDir}' 0750 ${user} ${group} -" ]; - }; - - users = { - users.${user} = { - inherit group; - shell = pkgs.bashInteractive; - home = baseDir; - description = "rTorrent"; - isSystemUser = true; - }; - groups.${group} = { }; - }; - my.extraGroups = [ group ]; - - networking.firewall.allowedTCPPorts = [ port ]; - - boot.kernel.sysctl = { - "net.core.rmem_max" = mkOverride 500 (pow 2 24); - "net.core.wmem_max" = mkOverride 500 (pow 2 24); - "net.ipv4.tcp_fin_timeout" = mkOverride 500 30; - "net.ipv4.tcp_rmem" = mkOverride 500 (mkTcpMem 12 23 24); - "net.ipv4.tcp_slow_start_after_idle" = 0; - "net.ipv4.tcp_tw_recycle" = mkOverride 500 1; - "net.ipv4.tcp_tw_reuse" = mkOverride 500 1; - "net.ipv4.tcp_wmem" = mkOverride 500 (mkTcpMem 12 23 24); - }; - } - ) - ( - let - port = 50001; - pkg = pkgs.nodePackages.flood; - in - mkIf cfg.flood.enable { - nixfiles.modules.nginx = { - enable = true; - upstreams.flood.servers."127.0.0.1:${toString port}" = { }; - virtualHosts.${cfg.flood.domain} = { - root = "${pkg}/lib/node_modules/flood/dist/assets"; - locations = { - "/".tryFiles = "$uri /index.html"; - "/api" = { - proxyPass = "http://flood"; - extraConfig = libNginx.config.noProxyBuffering; - }; - }; - extraConfig = libNginx.config.internalOnly; - }; - }; - - systemd.services.flood = { - description = "Flood"; - after = [ - "network.target" - "rtorrent.service" - ]; - path = with pkgs; [ mediainfo ]; - serviceConfig = { - Restart = "on-failure"; - RestartSec = 3; - - User = user; - Group = group; - - ExecStart = concatStringsSep " " [ - (getExe pkg) - "--allowedpath=${baseDir}" - "--baseuri=/" - "--rundir=${baseDir}/flood" - "--host=127.0.0.1" - "--port=${toString port}" - "--rtsocket=${rpcSocket}" - "--ssl=false" - "--auth=none" - ]; - - RuntimeDirectory = "rtorrent"; - RuntimeDirectoryMode = 750; - UMask = 27; - AmbientCapabilities = [ "" ]; - CapabilityBoundingSet = [ "" ]; - LockPersonality = true; - NoNewPrivileges = true; - PrivateDevices = true; - PrivateTmp = true; - PrivateUsers = true; - ProtectClock = true; - ProtectControlGroups = true; - ProtectHome = true; - ProtectHostname = true; - ProtectKernelLogs = true; - ProtectKernelModules = true; - ProtectKernelTunables = true; - ProcSubset = "pid"; - ProtectProc = "invisible"; - RemoveIPC = true; - RestrictAddressFamilies = [ - "AF_UNIX" - "AF_INET" - "AF_INET6" - ]; - RestrictNamespaces = true; - RestrictRealtime = true; - RestrictSUIDSGID = true; - SystemCallArchitectures = "native"; - SystemCallFilter = [ - "~@cpu-emulation" - "~@debug" - "~@mount" - "~@obsolete" - "~@privileged" - "~@resources" - ]; - }; - wantedBy = [ "multi-user.target" ]; - }; - } - ) - ]); -} diff --git a/modules/sonarr.nix b/modules/sonarr.nix deleted file mode 100644 index b11dda0..0000000 --- a/modules/sonarr.nix +++ /dev/null @@ -1,40 +0,0 @@ -{ - config, - lib, - libNginx, - ... -}: -with lib; -let - cfg = config.nixfiles.modules.sonarr; -in -{ - options.nixfiles.modules.sonarr = { - enable = mkEnableOption "Sonarr"; - - domain = mkOption { - description = "Domain name sans protocol scheme."; - type = with types; str; - default = "sonarr.${config.networking.domain}"; - }; - }; - - config = mkIf cfg.enable { - ark.directories = [ "/var/lib/sonarr" ]; - - nixfiles.modules.nginx = { - enable = true; - upstreams.sonarr.servers."127.0.0.1:8989" = { }; - virtualHosts.${cfg.domain} = { - locations."/".proxyPass = "http://sonarr"; - extraConfig = libNginx.config.internalOnly; - }; - }; - - services.sonarr = { - enable = true; - user = "rtorrent"; - group = "rtorrent"; - }; - }; -} diff --git a/overlays.nix b/overlays.nix index 71735cc..020c6b2 100644 --- a/overlays.nix +++ b/overlays.nix @@ -101,5 +101,8 @@ ''; }; }; + + rtorrent = + _: (lib.packages.fromPR 368724 "sha256-99C1bOu6L5UMia0zqR3258HO+MS7Jq89KQE6oycFsvc=").rtorrent; }; } |