ookflix: segment modules

2024-12-04 13:19:54 +11:00 · 2024-12-04 13:19:54 +11:00 · bee284691a
commit bee284691a
parent 4edb21607c
21 changed files with 314 additions and 100 deletions
--- a/modules/nixos/server/services/ookflix/default.nix
+++ b/modules/nixos/server/services/ookflix/default.nix
@ -1,15 +1,13 @@
 {
  imports = [
-    ./jellyfin.nix
+    ./streamers
-    ./plex.nix
+    ./monitors
-    ./jellyseer.nix
+    ./networking
-    ./tautulli.nix
+    ./downloading
    ./sonarr.nix
    ./prowlarr.nix
    ./gluetun.nix
    ./qbittorrent.nix
    ./shared.nix
    ./shared.nix
    ./podman.nix
    ./options.nix
    ./homepage.nix
  ];
 }
--- a/modules/nixos/server/services/ookflix/downloading/default.nix
+++ b/modules/nixos/server/services/ookflix/downloading/default.nix
@ -0,0 +1,9 @@
 {
  imports = [
    ./sonarr.nix
    ./radarr.nix
    ./prowlarr.nix
    ./jellyseer.nix
    ./qbittorrent.nix
  ];
 }
--- a/modules/nixos/server/services/ookflix/downloading/jellyseer.nix
+++ b/modules/nixos/server/services/ookflix/downloading/jellyseer.nix
@ -0,0 +1,38 @@
 {
  config,
  lib,
  ook,
  self,
  ...
 }: let
  ookflixLib = import ../lib.nix {inherit lib config self;};
  inherit (ookflixLib) mkServiceUser mkServiceStateDir;
  inherit (lib) mkIf;
  inherit (ook.lib.container) mkContainerLabel mkContainerEnvironment mkContainerPort;
  inherit (config.ooknet.server.ookflix) groups;
  inherit (config.ooknet.server.ookflix.services) jellyseerr;
 in {
  config = mkIf jellyseerr.enable {
    # media requesting for jellyfin
    users = mkServiceUser jellyseerr.user.name;
    systemd.tmpfiles.settings.jellyseerrStateDir = mkServiceStateDir "jellyseerr";
    virtualisation.oci-containers.containers = {
      jellyseerr = {
        image = "ghcr.io/hotio/jellyseerr";
        autoStart = true;
        hostname = "jellyseerr";
        ports = [(mkContainerPort jellyseerr.port)];
        volumes = ["${jellyseerr.stateDir}:/config"];
        labels = mkContainerLabel {
          name = "jellyseerr";
          inherit (jellyseerr) domain port;
          homepage = {
            group = "media";
            description = "media-server requesting";
          };
        };
        environment = mkContainerEnvironment jellyseerr.user.id groups.media.id;
      };
    };
  };
 }
--- a/modules/nixos/server/services/ookflix/downloading/prowlarr.nix
+++ b/modules/nixos/server/services/ookflix/downloading/prowlarr.nix
@ -5,7 +5,7 @@
  self,
  ...
 }: let
-  ookflixLib = import ./lib.nix {inherit lib config self;};
+  ookflixLib = import ../lib.nix {inherit lib config self;};
  inherit (ookflixLib) mkServiceUser mkServiceStateDir;
  inherit (lib) mkIf;
  inherit (ook.lib.container) mkContainerLabel mkContainerEnvironment mkContainerPort;
@ -14,7 +14,7 @@
 in {
  config = mkIf prowlarr.enable {
    users = mkServiceUser prowlarr.user.name;
-    systemd.tmpfiles = mkServiceStateDir "prowlarr" prowlarr.stateDir;
+    systemd.tmpfiles.settings.prowlarrStateDir = mkServiceStateDir "prowlarr";
    virtualisation.oci-containers.containers = {
      prowlarr = {
        image = "lscr.io/linuxserver/prowlarr:latest";
--- a/modules/nixos/server/services/ookflix/downloading/qbittorrent.nix
+++ b/modules/nixos/server/services/ookflix/downloading/qbittorrent.nix
@ -5,7 +5,7 @@
  self,
  ...
 }: let
-  ookflixLib = import ./lib.nix {inherit lib config self;};
+  ookflixLib = import ../lib.nix {inherit lib config self;};
  inherit (ookflixLib) mkServiceUser mkServiceStateDir;
  inherit (lib) mkIf;
  inherit (ook.lib.container) mkContainerLabel mkContainerEnvironment;
@ -14,17 +14,20 @@
 in {
  config = mkIf qbittorrent.enable {
    users = mkServiceUser qbittorrent.user.name;
-    systemd.tmpfiles = mkServiceStateDir "qbittorrent" qbittorrent.stateDir;
+    systemd.tmpfiles.settings.qbittorrentStateDir = mkServiceStateDir "qbittorrent";
    virtualisation.oci-containers.containers = {
      # Torrent client
      qbittorrent = {
        hostname = "qbittorrent";
        image = "ghcr.io/hotio/qbittorrent";
        dependsOn = ["gluetun"];
        volumes = [
          "${qbittorrent.stateDir}:/config"
          "${volumes.torrents.root}:/data/torrents"
        ];
-        extraOptions = ["--network=container:gluetun"];
+        extraOptions = [
          "--network=container:gluetun"
        ];
        labels = mkContainerLabel {
          name = "qbittorrent";
          inherit (qbittorrent) port domain;
@ -34,7 +37,7 @@ in {
          };
        };
        environment =
-          mkContainerEnvironment qbittorrent.user.id groups.downloads.id
+          mkContainerEnvironment qbittorrent.user.id groups.media.id
          // {
            UMASK = "002";
            WEBUI_PORTS = "${toString qbittorrent.port}/tcp,${toString qbittorrent.port}/udp";
--- a/modules/nixos/server/services/ookflix/downloading/radarr.nix
+++ b/modules/nixos/server/services/ookflix/downloading/radarr.nix
@ -5,22 +5,22 @@
  self,
  ...
 }: let
-  ookflixLib = import ./lib.nix {inherit lib config self;};
+  ookflixLib = import ../lib.nix {inherit lib config self;};
  inherit (ookflixLib) mkServiceUser mkServiceStateDir;
  inherit (lib) mkIf;
-  inherit (ook.lib.container) mkContainerLabel mkContainerEnvironment;
+  inherit (ook.lib.container) mkContainerLabel mkContainerPort mkContainerEnvironment;
  inherit (config.ooknet.server.ookflix) groups volumes;
  inherit (config.ooknet.server.ookflix.services) radarr;
 in {
  config = mkIf radarr.enable {
    users = mkServiceUser radarr.user.name;
-    systemd.tmpfiles = mkServiceStateDir "radarr" radarr.stateDir;
+    systemd.tmpfiles.settings.radarrStateDir = mkServiceStateDir "radarr";
    virtualisation.oci-containers.containers = {
      radarr = {
-        image = "ghcr.io/hotio/qbittorrent";
+        image = "ghcr.io/hotio/radarr";
        autoStart = true;
        hostname = "radarr";
-        ports = ["${radarr.port}:${radarr.port}"];
+        ports = [(mkContainerPort radarr.port)];
        volumes = [
          "${radarr.stateDir}:/config"
          "${volumes.data.root}:/data"
--- a/modules/nixos/server/services/ookflix/downloading/sonarr.nix
+++ b/modules/nixos/server/services/ookflix/downloading/sonarr.nix
@ -5,7 +5,7 @@
  self,
  ...
 }: let
-  ookflixLib = import ./lib.nix {inherit lib config self;};
+  ookflixLib = import ../lib.nix {inherit lib config self;};
  inherit (ookflixLib) mkServiceUser mkServiceStateDir;
  inherit (lib) mkIf;
  inherit (ook.lib.container) mkContainerLabel mkContainerEnvironment mkContainerPort;
@ -14,7 +14,7 @@
 in {
  config = mkIf sonarr.enable {
    users = mkServiceUser sonarr.user.name;
-    systemd.tmpfiles = mkServiceStateDir "sonarr" sonarr.stateDir;
+    systemd.tmpfiles.settings.sonarrStateDir = mkServiceStateDir "sonarr";
    virtualisation.oci-containers.containers = {
      sonarr = {
        image = "ghcr.io/hotio/sonarr";
--- a/modules/nixos/server/services/ookflix/homepage.nix
+++ b/modules/nixos/server/services/ookflix/homepage.nix
@ -0,0 +1,34 @@
 {
  config,
  lib,
  ook,
  self,
  ...
 }: let
  ookflixLib = import ./lib.nix {inherit lib config self;};
  inherit (ookflixLib) mkServiceUser mkServiceStateDir;
  inherit (lib) mkIf;
  inherit (ook.lib.container) mkContainerLabel mkContainerEnvironment mkContainerPort;
  inherit (config.ooknet.server.ookflix) groups;
  inherit (config.ooknet.server.ookflix.services) homepage;
 in {
  config = mkIf homepage.enable {
    # media requesting for jellyfin
    users = mkServiceUser homepage.user.name;
    systemd.tmpfiles.settings.homepageStateDir = mkServiceStateDir "homepage";
    virtualisation.oci-containers.containers = {
      homepage = {
        image = "ghcr.io/benphelps/homepage:latest";
        autoStart = true;
        hostname = "homepage";
        ports = [(mkContainerPort homepage.port)];
        volumes = ["${homepage.stateDir}:/config"];
        labels = mkContainerLabel {
          name = "homepage";
          inherit (homepage) domain port;
        };
        environment = mkContainerEnvironment homepage.user.id groups.media.id;
      };
    };
  };
 }
--- a/modules/nixos/server/services/ookflix/jellyseer.nix
+++ b/modules/nixos/server/services/ookflix/jellyseer.nix
@ -1,34 +0,0 @@
 {
  config,
  lib,
  ook,
  ...
 }: let
  inherit (lib) mkIf;
  inherit (ook.lib.container) mkContainerLabel mkContainerEnvironment mkContainerPort;
  inherit (config.ooknet.server.ookflix) groups;
  inherit (config.ooknet.server.ookflix.services) jellyseer;
 in {
  config = mkIf jellyseer.enable {
    # media requesting for jellyfin
    virtualisation.oci-containers.containers = {
      jellyseer = {
        image = "fallenbagel/jellyseerr:latest";
        autoStart = true;
        hostname = "jellyseer";
        ports = [(mkContainerPort jellyseer.port)];
        volumes = ["${jellyseer.stateDir}:/config"];
        extraOptions = ["--network" "host"];
        labels = mkContainerLabel {
          name = "jellyseer";
          inherit (jellyseer) domain port;
          homepage = {
            group = "media";
            description = "media-server requesting";
          };
        };
        environment = mkContainerEnvironment jellyseer.user.id groups.media.id;
      };
    };
  };
 }
--- a/modules/nixos/server/services/ookflix/lib.nix
+++ b/modules/nixos/server/services/ookflix/lib.nix
@ -4,10 +4,11 @@
  self,
  ...
 }: let
-  inherit (lib) mkOption mkEnableOption elem assertMsg;
+  inherit (lib) getExe nameValuePair mkOption mkEnableOption elem assertMsg;
  inherit (builtins) attrValues;
  inherit (lib.types) int path port str;
  inherit (config.ooknet) server;
  inherit (config.virtualisation) podman;
  cfg = server.ookflix;
  ookflixEnabled = elem "ookflix" server.services;
@ -116,13 +117,21 @@
      name = service;
    };
  };
-  mkServiceStateDir = service: dir: {
+  mkServiceStateDir = service: {
-    settings."${service}StateDir".${dir}."d" = {
+    "${cfg.services.${service}.stateDir}"."d" = {
      mode = "0700";
      user = cfg.services.${service}.user.name;
      group = cfg.services.${service}.group.name;
    };
  };
  mkServiceStateFile = service: file: {
    "${cfg.services.${service}.stateDir}/${file}"."f" = {
      mode = "0600";
      user = cfg.services.${service}.user.name;
      group = cfg.services.${service}.group.name;
    };
  };
  mkServiceSecret = name: service: {
    ${name} = {
      file = "${self}/secrets/containers/${name}.age";
@ -130,6 +139,17 @@
      group = cfg.services.${service}.group.name;
    };
  };
  mkNetworkService = name: network:
    nameValuePair "podman-network-${name}" {
      description = "Podman network ${name} for ookflix";
      serviceConfig = {
        Type = "oneshot";
        RemainsAfterExit = true;
        ExecStart = "${getExe podman.package} network create -d bridge ${name}";
        ExecStop = "${getExe podman.package} network rm -f ${name}";
      };
    };
 in {
-  inherit mkServiceSecret mkBasicServiceOptions mkServiceOptions mkServiceStateDir mkServiceUser mkUserOption mkPortOption mkGroupOption mkVolumeOption mkSubdomainOption;
+  inherit mkServiceStateFile mkServiceSecret mkBasicServiceOptions mkServiceOptions mkServiceStateDir mkServiceUser mkUserOption mkPortOption mkGroupOption mkVolumeOption mkSubdomainOption mkNetworkService;
 }
--- a/modules/nixos/server/services/ookflix/monitors/default.nix
+++ b/modules/nixos/server/services/ookflix/monitors/default.nix
@ -0,0 +1,5 @@
 {
  imports = [
    ./tautulli.nix
  ];
 }
--- a/modules/nixos/server/services/ookflix/monitors/tautulli.nix
+++ b/modules/nixos/server/services/ookflix/monitors/tautulli.nix
@ -5,7 +5,7 @@
  self,
  ...
 }: let
-  ookflixLib = import ./lib.nix {inherit lib config self;};
+  ookflixLib = import ../lib.nix {inherit lib config self;};
  inherit (ookflixLib) mkServiceUser mkServiceStateDir;
  inherit (lib) mkIf;
  inherit (ook.lib.container) mkContainerLabel mkContainerEnvironment mkContainerPort;
@ -14,7 +14,7 @@
 in {
  config = mkIf tautulli.enable {
    users = mkServiceUser tautulli.user.name;
-    systemd.tmpfiles = mkServiceStateDir "tautulli" tautulli.stateDir;
+    systemd.tmpfiles.settings.tautulliStateDir = mkServiceStateDir "tautulli";
    virtualisation.oci-containers.containers = {
      # plex monitoring service
      tautulli = {
--- a/modules/nixos/server/services/ookflix/networking/default.nix
+++ b/modules/nixos/server/services/ookflix/networking/default.nix
@ -0,0 +1,7 @@
 {
  imports = [
    ./gluetun.nix
    ./traefik.nix
    #  ./networks.nix
  ];
 }
--- a/modules/nixos/server/services/ookflix/networking/gluetun.nix
+++ b/modules/nixos/server/services/ookflix/networking/gluetun.nix
@ -5,10 +5,10 @@
  self,
  ...
 }: let
-  ookflixLib = import ./lib.nix {inherit self lib config;};
+  ookflixLib = import ../lib.nix {inherit self lib config;};
  inherit (ookflixLib) mkServiceUser mkServiceSecret;
  inherit (lib) mkIf;
-  inherit (ook.lib.container) mkContainerEnvironment mkContainerPort;
+  inherit (ook.lib.container) mkContainerEnvironment;
  inherit (config.ooknet.server.ookflix.services) qbittorrent gluetun;
 in {
  config = mkIf gluetun.enable {
@ -21,7 +21,7 @@ in {
        # should make this an option.
        environmentFiles = [config.age.secrets.vpn_env.path];
        ports = [
-          (mkContainerPort qbittorrent.port)
+          "${toString qbittorrent.exposedPort}:${toString qbittorrent.port}"
        ];
        environment = mkContainerEnvironment gluetun.user.id gluetun.group.id;
        extraOptions = [
--- a/modules/nixos/server/services/ookflix/networking/networks.nix
+++ b/modules/nixos/server/services/ookflix/networking/networks.nix
@ -0,0 +1,28 @@
 {
  lib,
  config,
  pkgs,
  ...
 }: let
  inherit (lib) mkIf getExe;
  inherit (config.ooknet.server) ookflix;
  inherit (config.virtualisation) podman;
  podmanCommand = getExe podman.package;
 in {
  config = mkIf ookflix.enable {
    systemd.services = {
      "podman-ookflix-network" = {
        serviceConfig = {
          Type = "oneshot";
          RemainAfterExit = true;
          SyslogIdentifier = "%N";
        };
        unitConfig = {
          "RequiresMountsFor" = "%t/containers";
        };
        wantedBy = ["multi-user.target"];
        script = "${podmanCommand} network create --ignore --driver=bridge ookflix";
      };
    };
  };
 }
--- a/modules/nixos/server/services/ookflix/networking/traefik.nix
+++ b/modules/nixos/server/services/ookflix/networking/traefik.nix
@ -0,0 +1,80 @@
 {
  config,
  lib,
  ook,
  self,
  ...
 }: let
  ookflixLib = import ../lib.nix {inherit self lib config;};
  inherit (ookflixLib) mkServiceUser mkServiceSecret mkServiceStateDir mkServiceStateFile;
  inherit (lib) mkIf;
  inherit (ook.lib.container) mkContainerEnvironment mkContainerLabel mkContainerPort;
  inherit (config.ooknet) server;
  inherit (config.ooknet.server.ookflix.services) traefik;
  inherit (config.ooknet.host) admin;
 in {
  config = mkIf traefik.enable {
    users = mkServiceUser traefik.user.name;
    systemd.tmpfiles.settings = {
      traefikStateDir = mkServiceStateDir "traefik";
      traefikAcmeFile = mkServiceStateFile "traefik" "acme.json";
    };
    age.secrets = mkServiceSecret "cf_creds" "traefik";
    virtualisation.oci-containers.containers = {
      # vpn container
      traefik = mkIf traefik.enable {
        autoStart = true;
        image = "traefik:3.0";
        # should make this an option.
        volumes = [
          "/run/podman/podman.sock:/var/run/docker.sock:ro"
          "${traefik.stateDir}/acme.json:/acme.json"
        ];
        ports = [
          "80:80"
          "443:443"
          (mkContainerPort traefik.port)
        ];
        environmentFiles = [config.age.secrets.cf_creds.path];
        extraOptions = ["--security-opt=no-new-privileges:true"];
        cmd = [
          "--log.level=DEBUG"
          "--api.insecure=true"
          "--api.dashboard=true"
          "--providers.docker=true"
          "--providers.docker.exposedbydefault=false"
          "--certificatesresolvers.letsencrypt.acme.email=${admin.email}"
          "--certificatesresolvers.letsencrypt.acme.storage=/acme.json"
          "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
          "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
          "--entrypoints.web.address=:80"
          "--entrypoints.websecure.address=:443"
          "--entrypoints.traefik.address=:${toString traefik.port}"
          "--entrypoints.websecure.forwardedHeaders.trustedIPs=103.21.244.0/22,103.22.200.0/22,103.31.4.0/22" # Cloudflare IPs
          "--entrypoints.web.http.redirections.entrypoint.to=websecure"
          "--entrypoints.web.http.redirections.entrypoint.scheme=https"
          "--entrypoints.websecure.http.tls=true"
          "--entrypoints.websecure.http.tls.certResolver=letsencrypt"
          "--entrypoints.websecure.http.tls.domains[0].main=${server.domain}"
          "--entrypoints.websecure.http.tls.domains[0].sans=*.${server.domain}"
        ];
        labels = mkContainerLabel {
          name = "traefik";
          inherit (traefik) domain port;
          homepage = {
            group = "proxy";
            description = "reverse proxy";
          };
        };
        environment = mkContainerEnvironment traefik.user.id traefik.group.id;
      };
    };
  };
 }
--- a/modules/nixos/server/services/ookflix/options.nix
+++ b/modules/nixos/server/services/ookflix/options.nix
@ -94,8 +94,11 @@ in {
          uid = 377;
          gid = 377;
        }
-        // {torrentPort = mkPortOption 58080 "Torrenting Port for qbittorrent" 58080;};
+        // {
-      jellyseer = mkServiceOptions "jellyseer" {
+          torrentPort = mkPortOption 58080 "Torrenting Port for qbittorrent" 58080;
          exposedPort = mkPortOption 8081 "Port exposed by qbittorrent" 8081;
        };
      jellyseerr = mkServiceOptions "jellyseerr" {
        port = 5055;
        uid = 345;
        gid = 345;
@ -105,6 +108,16 @@ in {
        uid = 355;
        gid = 355;
      };
      traefik = mkServiceOptions "traefik" {
        port = 8080;
        uid = 389;
        gid = 389;
      };
      homepage = mkServiceOptions "homepage" {
        port = 3000;
        uid = 400;
        gid = 400;
      };
      gluetun = mkBasicServiceOptions "gluetun" {
        uid = 356;
        gid = 357;
--- a/modules/nixos/server/services/ookflix/podman.nix
+++ b/modules/nixos/server/services/ookflix/podman.nix
@ -0,0 +1,35 @@
 {
  lib,
  config,
  ...
 }: let
  inherit (lib) mkIf;
  inherit (config.ooknet.host) admin;
  inherit (config.ooknet.server) ookflix;
 in {
  config = mkIf ookflix.enable {
    # add admin to podman group
    users.groups.podman.members = [admin.name];
    virtualisation = {
      # explicitly set this even though its the default value
      # this enables the module below
      oci-containers.backend = "podman";
      podman = {
        # periodically prunes podman resources
        # defaults to --all, weekly
        autoPrune.enable = true;
        # aliases docker command to podman
        dockerCompat = true;
        # makes the podman sockaet available in place of docker socket
        dockerSocket.enable = true;
        # settings for containers/networks/podman.json
        defaultNetwork.settings = {
          # allows udp port 53 on podmans network interface: podman+
          dns_enabled = true;
        };
      };
    };
  };
 }
--- a/modules/nixos/server/services/ookflix/streamers/default.nix
+++ b/modules/nixos/server/services/ookflix/streamers/default.nix
@ -0,0 +1,6 @@
 {
  imports = [
    ./plex.nix
    ./jellyfin.nix
  ];
 }
--- a/modules/nixos/server/services/ookflix/streamers/jellyfin.nix
+++ b/modules/nixos/server/services/ookflix/streamers/jellyfin.nix
@ -5,7 +5,7 @@
  self,
  ...
 }: let
-  ookflixLib = import ./lib.nix {inherit lib config self;};
+  ookflixLib = import ../lib.nix {inherit lib config self;};
  inherit (ookflixLib) mkServiceStateDir mkServiceUser;
  inherit (lib) mkIf optionalAttrs;
  inherit (ook.lib.container) mkContainerLabel mkContainerEnvironment mkContainerPort;
@ -15,7 +15,7 @@ in {
  config = mkIf services.jellyfin.enable {
    hardware.nvidia-container-toolkit.enable = gpuAcceleration.enable && gpuAcceleration.type == "nvidia";
    users = mkServiceUser jellyfin.user.name;
-    systemd.tmpfiles = mkServiceStateDir "jellyfin" jellyfin.stateDir;
+    systemd.tmpfiles.settings.jellyfinStateDir = mkServiceStateDir "jellyfin";
    virtualisation.oci-containers.containers = {
      # media streaming server
      # docs: <https://docs.linuxserver.io/images/docker-jellyfin/>
@ -36,18 +36,6 @@ in {
            description = "media-server streamer";
          };
        };
        extraOptions = optionalAttrs gpuAcceleration.enable (
          if gpuAcceleration.type == "nvidia"
          then [
            "--runtime=nvidia"
          ]
          else if gpuAcceleration.type == "intel" || "amd"
          then [
            "--device=/dev/dri:/dev/dri"
          ]
          else []
        );
        environment =
          mkContainerEnvironment jellyfin.user.id groups.media.id
          // {JELLYFIN_PublishedServerUrl = jellyfin.domain;}
--- a/modules/nixos/server/services/ookflix/streamers/plex.nix
+++ b/modules/nixos/server/services/ookflix/streamers/plex.nix
@ -5,7 +5,7 @@
  self,
  ...
 }: let
-  ookflixLib = import ./lib.nix {inherit lib config self;};
+  ookflixLib = import ../lib.nix {inherit lib config self;};
  inherit (ookflixLib) mkServiceUser mkServiceStateDir;
  inherit (lib) mkIf optionalAttrs;
  inherit (ook.lib.container) mkContainerLabel mkContainerEnvironment mkContainerPort;
@ -18,7 +18,7 @@ in {
    # users/group/directories configuration, see lib.nix
    users = mkServiceUser plex.user.name;
-    systemd.tmpfiles = mkServiceStateDir "plex" plex.stateDir;
+    systemd.tmpfiles.settings.plexStateDir = mkServiceStateDir "plex";
    # container configuration
    virtualisation.oci-containers.containers = {
@ -29,8 +29,7 @@ in {
        hostname = "plex";
        ports = [(mkContainerPort plex.port)];
        volumes = [
-          "${volumes.media.movies}:/data/movies"
+          "${volumes.media.root}:/data"
          "${volumes.media.tv}:/data/tv"
          "${plex.stateDir}:/config"
        ];
        labels = mkContainerLabel {
@ -41,21 +40,6 @@ in {
            description = "media-server streamer";
          };
        };
        extraOptions = optionalAttrs gpuAcceleration.enable (
          if gpuAcceleration.type == "nvidia"
          then [
            "--runtime=nvidia"
          ]
          else if gpuAcceleration.type == "intel"
          then [
            "--device=/dev/dri:/dev/dri"
          ]
          else if gpuAcceleration.type == "amd"
          then [
            "--device=/dev/dri:/dev/dri"
          ]
          else []
        );
        environment =
          mkContainerEnvironment plex.user.id groups.media.id
          // optionalAttrs (gpuAcceleration.enable && gpuAcceleration.type == "nvidia") {