diff --git a/modules/nixos/server/services/media-server/default.nix b/modules/nixos/server/services/media-server/default.nix
deleted file mode 100644
index 717e673..0000000
--- a/modules/nixos/server/services/media-server/default.nix
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- lib,
- config,
- inputs,
- ...
-}: let
- inherit (lib) mkIf elem;
- inherit (config.ooknet.server) services;
-in {
- imports = [
- ./plex.nix
- ./users.nix
- ./options.nix
- ./jellyfin.nix
- ./transmission.nix
- ./sonarr.nix
- ./radarr.nix
- ./prowlarr.nix
- ./file-permissions.nix
- ./vpn.nix
- inputs.vpn-confinement.nixosModules.default
- ];
-
- # short cut for enabling all media-server modules
- config = mkIf (elem "media-server" services) {
- ooknet.server.media-server = {
- enable = true;
- jellyfin.enable = true;
- plex.enable = true;
- transmission.enable = true;
- radarr.enable = true;
- sonarr.enable = true;
- prowlarr.enable = true;
- };
- };
-}
diff --git a/modules/nixos/server/services/media-server/file-permissions.nix b/modules/nixos/server/services/media-server/file-permissions.nix
deleted file mode 100644
index b791728..0000000
--- a/modules/nixos/server/services/media-server/file-permissions.nix
+++ /dev/null
@@ -1,42 +0,0 @@
-{
- config,
- lib,
- ...
-}: let
- inherit (lib) mkIf;
- inherit (config.ooknet.server) media-server;
- inherit (config.ooknet.server.media-server) storage groups users;
-
- contentPermissions = {
- group = groups.media;
- user = "root";
- mode = "0775";
- };
-
- downloadPermissions = {
- group = groups.media;
- user = users.downloader;
- mode = "0775";
- };
-in {
- config = mkIf media-server.enable {
- systemd.tmpfiles.settings = {
- content-dirs = {
- "${storage.content.root}"."d" = contentPermissions;
- "${storage.content.movies}"."d" = contentPermissions;
- "${storage.content.tv}"."d" = contentPermissions;
- "${storage.content.music}"."d" = contentPermissions;
- "${storage.content.books}"."d" = contentPermissions;
- };
- download-dirs = {
- "${storage.downloads.root}"."d" = downloadPermissions;
- "${storage.downloads.incomplete}"."d" = downloadPermissions;
- "${storage.downloads.watch}"."d" = downloadPermissions;
- "${storage.downloads.manual}"."d" = downloadPermissions;
- "${storage.downloads.radarr}"."d" = downloadPermissions;
- "${storage.downloads.sonarr}"."d" = downloadPermissions;
- "${storage.downloads.readarr}"."d" = downloadPermissions;
- };
- };
- };
-}
diff --git a/modules/nixos/server/services/media-server/jellyfin.nix b/modules/nixos/server/services/media-server/jellyfin.nix
deleted file mode 100644
index b8c6365..0000000
--- a/modules/nixos/server/services/media-server/jellyfin.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- config,
- lib,
- ...
-}: let
- inherit (lib) mkIf;
- inherit (config.ooknet.server) media-server;
- inherit (config.ooknet.server.media-server) storage groups users domain proxy;
-in {
- config = mkIf media-server.jellyfin.enable {
- services.jellyfin = {
- enable = true;
- user = users.jellyfin;
- group = groups.media;
- dataDir = storage.state.jellyfin;
- openFirewall = true;
- };
- ooknet.server.webserver.caddy.enable = true;
- services.caddy.virtualHosts."${domain.jellyfin}".extraConfig = proxy.jellyfin;
- };
-}
diff --git a/modules/nixos/server/services/media-server/options.nix b/modules/nixos/server/services/media-server/options.nix
deleted file mode 100644
index 85dcc8b..0000000
--- a/modules/nixos/server/services/media-server/options.nix
+++ /dev/null
@@ -1,254 +0,0 @@
-{
- lib,
- config,
- ...
-}: let
- inherit (lib) mkOption mkEnableOption;
- inherit (lib.types) path port str lines;
- inherit (config.ooknet) server;
- cfg = server.media-server;
-
- mkSubdomain = name:
- mkOption {
- type = str;
- default = "${name}.${server.domain}";
- };
-
- mkProxy = port: ''
- encode zstd gzip
- reverse_proxy localhost:${toString port} {
- header_up X-Real-IP {remote_host}
- header_up X-Forwarded-For {remote_host}
- header_up X-Forwarded-Proto {scheme}
- }
- '';
-in {
- options.ooknet.server.media-server = {
- enable = mkEnableOption "Enable media server functionality";
-
- jellyfin.enable = mkEnableOption "Enable the Jellyfin module";
- plex.enable = mkEnableOption "Enable Plex module";
- transmission.enable = mkEnableOption "Enable Transmission module";
- radarr.enable = mkEnableOption "Enable Radarr module";
- sonarr.enable = mkEnableOption "Enable Sonarr module";
- prowlarr.enable = mkEnableOption "Enable Sonarr module";
-
- storage = {
- mediaRoot = mkOption {
- type = path;
- default = "/jellyfin";
- description = "Root directory for all media-related storage";
- };
-
- content = {
- root = mkOption {
- type = path;
- default = "${cfg.storage.mediaRoot}/content";
- description = "Root directory for media content";
- };
- movies = mkOption {
- type = path;
- default = "${cfg.storage.content.root}/movies";
- };
- tv = mkOption {
- type = path;
- default = "${cfg.storage.content.root}/tv";
- };
- music = mkOption {
- type = path;
- default = "${cfg.storage.content.root}/music";
- };
- books = mkOption {
- type = path;
- default = "${cfg.storage.content.root}/books";
- };
- };
-
- downloads = {
- root = mkOption {
- type = path;
- default = "${cfg.storage.mediaRoot}/downloads";
- };
- incomplete = mkOption {
- type = path;
- default = "${cfg.storage.downloads.root}/.incomplete";
- };
- watch = mkOption {
- type = path;
- default = "${cfg.storage.downloads.root}/.watch";
- };
- manual = mkOption {
- type = path;
- default = "${cfg.storage.downloads.root}/manual";
- };
- radarr = mkOption {
- type = path;
- default = "${cfg.storage.downloads.root}/radarr";
- };
- sonarr = mkOption {
- type = path;
- default = "${cfg.storage.downloads.root}/sonarr";
- };
- readarr = mkOption {
- type = path;
- default = "${cfg.storage.downloads.root}/readarr";
- };
- };
-
- state = {
- root = mkOption {
- type = path;
- default = "/var/lib";
- description = "Root directory for service state";
- };
- jellyfin = mkOption {
- type = path;
- default = "${cfg.storage.state.root}/jellyfin";
- };
- plex = mkOption {
- type = path;
- default = "${cfg.storage.state.root}/plex";
- };
- sonarr = mkOption {
- type = path;
- default = "${cfg.storage.state.root}/sonarr";
- };
- prowlarr = mkOption {
- type = path;
- default = "${cfg.storage.state.root}/prowlarr";
- };
- radarr = mkOption {
- type = path;
- default = "${cfg.storage.state.root}/radarr";
- };
- transmission = mkOption {
- type = path;
- default = "${cfg.storage.state.root}/transmission";
- };
- };
- };
-
- groups = {
- media = mkOption {
- type = str;
- default = "media";
- };
- sonarr = mkOption {
- type = str;
- default = "sonarr";
- };
- prowlarr = mkOption {
- type = str;
- default = "prowlarr";
- };
- radarr = mkOption {
- type = str;
- default = "radarr";
- };
- };
-
- users = {
- jellyfin = mkOption {
- type = str;
- default = "jellyfin";
- };
- plex = mkOption {
- type = str;
- default = "plex";
- };
- sonarr = mkOption {
- type = str;
- default = "sonarr";
- };
- radarr = mkOption {
- type = str;
- default = "radarr";
- };
- transmission = mkOption {
- type = str;
- default = "transmission";
- };
- prowlarr = mkOption {
- type = str;
- default = "prowlarr";
- };
- downloader = mkOption {
- type = str;
- default = "downloader";
- };
- streamer = mkOption {
- type = str;
- default = "streamer";
- };
- };
-
- ports = {
- jellyfin = mkOption {
- type = port;
- default = 8096;
- };
- plex = mkOption {
- type = port;
- default = 32400;
- };
- transmission = {
- web = mkOption {
- type = port;
- default = 9091;
- };
- peer = mkOption {
- type = port;
- default = 50000;
- };
- };
- sonarr = mkOption {
- type = port;
- default = 8989;
- };
- radarr = mkOption {
- type = port;
- default = 7878;
- };
- prowlarr = mkOption {
- type = port;
- default = 9696;
- };
- };
-
- domain = {
- jellyfin = mkSubdomain "jellyfin";
- plex = mkSubdomain "plex";
- transmission = mkSubdomain "transmission";
- sonarr = mkSubdomain "sonarr";
- radarr = mkSubdomain "radarr";
- prowlarr = mkSubdomain "prowlarr";
- };
-
- proxy = {
- jellyfin = mkOption {
- type = lines;
- default = mkProxy cfg.ports.jellyfin;
- };
- plex = mkOption {
- type = lines;
- default = mkProxy cfg.ports.plex;
- };
- sonarr = mkOption {
- type = lines;
- default = mkProxy cfg.ports.sonarr;
- };
- radarr = mkOption {
- type = lines;
- default = mkProxy cfg.ports.radarr;
- };
- prowlarr = mkOption {
- type = lines;
- default = mkProxy cfg.ports.prowlarr;
- };
- transmission = mkOption {
- type = lines;
- default = mkProxy cfg.ports.transmission.web;
- };
- };
- };
-}
diff --git a/modules/nixos/server/services/media-server/plex.nix b/modules/nixos/server/services/media-server/plex.nix
deleted file mode 100644
index 7770f8d..0000000
--- a/modules/nixos/server/services/media-server/plex.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- config,
- lib,
- ...
-}: let
- inherit (lib) mkIf;
- inherit (config.ooknet.server) media-server;
- inherit (config.ooknet.server.media-server) groups users storage domain proxy;
-in {
- config = mkIf media-server.plex.enable {
- services.plex = {
- enable = true;
- user = users.plex;
- group = groups.media;
- dataDir = storage.state.plex;
- openFirewall = true;
- };
- ooknet.server.webserver.caddy.enable = true;
- services.caddy.virtualHosts."${domain.plex}".extraConfig = proxy.plex;
- };
-}
diff --git a/modules/nixos/server/services/media-server/prowlarr.nix b/modules/nixos/server/services/media-server/prowlarr.nix
deleted file mode 100644
index ed59158..0000000
--- a/modules/nixos/server/services/media-server/prowlarr.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) mkIf getExe;
- inherit (config.ooknet.server) media-server;
- inherit (config.ooknet.server.media-server) storage users groups domain proxy ports;
-in {
- config = mkIf media-server.prowlarr.enable {
- # we dont use the nixpkgs prowlarr service module because it lacks the option to
- # declare dataDir, user and group.
-
- # setup user
- users.users.prowlarr = {
- group = groups.prowlarr;
- home = storage.state.prowlarr;
- uid = 293;
- isSystemUser = true;
- };
- users.groups.prowlarr = {};
-
- # basic systemd service
- systemd = {
- services.prowlarr = {
- description = "Prowlarr";
- after = ["network.target"];
- wantedBy = ["multi-user.target"];
-
- serviceConfig = {
- Type = "simple";
- User = users.prowlarr;
- group = groups.prowlarr;
- ExecStart = "${getExe pkgs.prowlarr} -nobrowser -data=${storage.state.prowlarr}";
- Restart = "on-failure";
- };
- };
- tmpfiles.settings.prowlarrDirs = {
- "${storage.state.prowlarr}"."d" = {
- mode = "0700";
- user = users.prowlarr;
- group = groups.prowlarr;
- };
- };
- };
- networking.firewall.allowedTCPPorts = [ports.prowlarr];
- ooknet.server.webserver.caddy.enable = true;
- services.caddy.virtualHosts."${domain.prowlarr}".extraConfig = proxy.prowlarr;
- };
-}
diff --git a/modules/nixos/server/services/media-server/radarr.nix b/modules/nixos/server/services/media-server/radarr.nix
deleted file mode 100644
index a523c0a..0000000
--- a/modules/nixos/server/services/media-server/radarr.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- config,
- lib,
- ...
-}: let
- inherit (lib) mkIf;
- inherit (config.ooknet.server) media-server;
- inherit (config.ooknet.server.media-server) storage users groups domain proxy;
-in {
- config = mkIf media-server.radarr.enable {
- services.radarr = {
- enable = true;
- user = users.radarr;
- group = groups.media;
- dataDir = storage.state.radarr;
- openFirewall = true;
- };
- ooknet.server.webserver.caddy.enable = true;
- services.caddy.virtualHosts."${domain.radarr}".extraConfig = proxy.radarr;
- };
-}
diff --git a/modules/nixos/server/services/media-server/sonarr.nix b/modules/nixos/server/services/media-server/sonarr.nix
deleted file mode 100644
index cfa06bc..0000000
--- a/modules/nixos/server/services/media-server/sonarr.nix
+++ /dev/null
@@ -1,21 +0,0 @@
-{
- config,
- lib,
- ...
-}: let
- inherit (lib) mkIf;
- inherit (config.ooknet.server) media-server;
- inherit (config.ooknet.server.media-server) storage users groups domain proxy;
-in {
- config = mkIf media-server.sonarr.enable {
- services.sonarr = {
- enable = true;
- user = users.sonarr;
- group = groups.media;
- dataDir = storage.state.sonarr;
- openFirewall = true;
- };
- ooknet.server.webserver.caddy.enable = true;
- services.caddy.virtualHosts."${domain.sonarr}".extraConfig = proxy.sonarr;
- };
-}
diff --git a/modules/nixos/server/services/media-server/transmission.nix b/modules/nixos/server/services/media-server/transmission.nix
deleted file mode 100644
index 1035024..0000000
--- a/modules/nixos/server/services/media-server/transmission.nix
+++ /dev/null
@@ -1,80 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) mkIf;
- inherit (builtins) concatStringsSep;
- inherit (config.ooknet.server) media-server;
- inherit (config.ooknet.server.media-server) storage ports users groups domain proxy;
-in {
- config = mkIf media-server.transmission.enable {
- services.transmission = {
- enable = true;
- package = pkgs.transmission_4;
-
- # systemd service permissions
- user = users.downloader;
- group = groups.media;
-
- # location of transmission config dir
- home = storage.state.transmission;
-
- # web ui
- webHome = pkgs.flood-for-transmission;
-
- # additional configurations
- # see
- settings = {
- # enable in completed directory
- # this is where files will be placed while still being downloaded
- incomplete-dir-enabled = true;
-
- # enable the watch directory
- # this will look for any new torrent files and start downloading them
- watch-dir-enabled = true;
-
- # location of the main download directories
- download-dir = storage.downloads.root;
- incomplete-dir = storage.downloads.incomplete;
- watch-dir = storage.downloads.watch;
-
- rpc-authentication-required = false;
- # rpc settings
- # rpc is how we connect to the service remotely
- rpc-port = ports.transmission.web;
-
- # what ip addresses are allowed to connect through rpc
- rpc-whitelist-enabled = true;
- rpc-whitelist = concatStringsSep "," [
- # localhost
- "127.0.0.1"
- # generic home networks
- "192.168.*"
- "10.*"
- ];
-
- rpc-bind-address = "192.168.15.1";
-
- # basic anti bruteforce protection
- anti-brute-force-enabled = true;
-
- # how many authentication attempts can be made before the rpc server will deny any further
- # authentication attempts.
- anti-brute-force-threshold = 10;
-
- peer-port = ports.transmission.peer;
- port-forwarding-enabled = false;
-
- # private trackers usually require disabling these
- utp-enabled = false;
- dht-enabled = false;
- pex-enabled = false;
- lpd-enabled = false;
- };
- };
- ooknet.server.webserver.caddy.enable = true;
- services.caddy.virtualHosts."${domain.transmission}".extraConfig = proxy.transmission;
- };
-}
diff --git a/modules/nixos/server/services/media-server/users.nix b/modules/nixos/server/services/media-server/users.nix
deleted file mode 100644
index 04e1cf4..0000000
--- a/modules/nixos/server/services/media-server/users.nix
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- config,
- lib,
- ...
-}: let
- inherit (lib) elem mkIf;
- inherit (config.ooknet.server) services;
-in {
- config = mkIf (elem "media-server" services) {
- users = {
- groups = {
- downloader = {};
- media = {};
- streamer = {};
- };
- users = {
- downloader = {
- isSystemUser = true;
- group = "downloader";
- };
- streamer = {
- isSystemUser = true;
- group = "streamer";
- };
- };
- };
- };
-}
diff --git a/modules/nixos/server/services/media-server/vpn.nix b/modules/nixos/server/services/media-server/vpn.nix
deleted file mode 100644
index 512b354..0000000
--- a/modules/nixos/server/services/media-server/vpn.nix
+++ /dev/null
@@ -1,51 +0,0 @@
-{
- config,
- lib,
- pkgs,
- ...
-}: let
- inherit (lib) mkIf;
- inherit (config.ooknet.server.media-server) ports transmission;
- inherit (config.age) secrets;
- inherit (builtins) attrValues;
-in {
- config = mkIf transmission.enable {
- environment.systemPackages = attrValues {
- inherit (pkgs) wireguard-tools dnsutils;
- };
- vpnNamespaces.wg = {
- enable = true;
- wireguardConfigFile = secrets."mullvad_wg.conf".path;
- accessibleFrom = [
- "192.168.20.0/24"
- "127.0.0.1"
- "10.0.0.0/8"
- ];
- openVPNPorts = [
- # Transmission
- {
- port = ports.transmission.peer;
- protocol = "both";
- }
- ];
- portMappings = [
- # Transmission
- {
- from = ports.transmission.web;
- to = ports.transmission.web;
- }
- ];
- };
- systemd.services.transmission.vpnConfinement = {
- enable = true;
- vpnNamespace = "wg";
- };
- systemd.services.wg = {
- serviceConfig = {
- LogLevelMax = "debug";
- StandardOutput = "journal";
- StandardError = "journal";
- };
- };
- };
-}