From eb1d01174dd8032b44929dc02b1bd86f28ab6bd7 Mon Sep 17 00:00:00 2001 From: ooks-io Date: Mon, 2 Dec 2024 12:28:46 +1100 Subject: [PATCH] server: rework service based media server
---
.../server/services/media-server/default.nix | 3 +++ .../server/services/media-server/jellyfin.nix | 3 ++- .../server/services/media-server/options.nix | 12 ++++++++++++ .../nixos/server/services/media-server/plex.nix | 3 ++- .../server/services/media-server/prowlarr.nix | 7 +++++-- .../server/services/media-server/radarr.nix | 5 +++-- .../server/services/media-server/sonarr.nix | 3 ++- .../services/media-server/transmission.nix | 3 +++ .../nixos/server/services/media-server/users.nix | 2 +- .../nixos/server/services/media-server/vpn.nix | 16 ++++++++++++++-- 10 files changed, 47 insertions(+), 10 deletions(-)
diff --git a/modules/nixos/server/services/media-server/default.nix b/modules/nixos/server/services/media-server/default.nix
index 2e17c8d..717e673 100644
--- a/modules/nixos/server/services/media-server/default.nix
+++ b/modules/nixos/server/services/media-server/default.nix
@@ -13,6 +13,9 @@ in {
 ./options.nix
 ./jellyfin.nix
 ./transmission.nix
+ ./sonarr.nix
+ ./radarr.nix
+ ./prowlarr.nix
 ./file-permissions.nix
 ./vpn.nix
 inputs.vpn-confinement.nixosModules.default
diff --git a/modules/nixos/server/services/media-server/jellyfin.nix b/modules/nixos/server/services/media-server/jellyfin.nix
index 8caf355..b8c6365 100644
--- a/modules/nixos/server/services/media-server/jellyfin.nix
+++ b/modules/nixos/server/services/media-server/jellyfin.nix
@@ -10,9 +10,10 @@ in {
 config = mkIf media-server.jellyfin.enable {
 services.jellyfin = {
 enable = true;
- user = users.streamer;
+ user = users.jellyfin;
 group = groups.media;
 dataDir = storage.state.jellyfin;
+ openFirewall = true;
 };
 ooknet.server.webserver.caddy.enable = true;
 services.caddy.virtualHosts."${domain.jellyfin}".extraConfig = proxy.jellyfin;
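Review bot: plex.nix is modified in this same patch but is not added to the imports here, so unless it is imported from somewhere outside this module set, `media-server.plex.enable` has no effect; if it belongs here, add `./plex.nix` next to the three new entries. The imports list starts and ends outside the hunk, so it is not visible whether plex.nix is already listed above line 13.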
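Review bot: `openFirewall = true;` is added while the service is also published through a Caddy virtual host two lines below, so Jellyfin's own listener (the nixpkgs module opens its HTTP port and, as far as I recall, the discovery UDP ports too) becomes reachable from the network directly, bypassing whatever TLS and access control the Caddy vhost provides. Unless LAN clients must reach the port directly, drop the line and keep the proxy as the only ingress, or document the reason so the next reader does not remove it: `# openFirewall: LAN clients reach Jellyfin directly, bypassing the Caddy vhost`. The switch to `users.jellyfin` relies on a `users.jellyfin` option; the options.nix hunks in this patch only add sonarr and radarr user defaults, so confirm that option already exists.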
diff --git a/modules/nixos/server/services/media-server/options.nix b/modules/nixos/server/services/media-server/options.nix
index 61dbd1f..85dcc8b 100644
--- a/modules/nixos/server/services/media-server/options.nix
+++ b/modules/nixos/server/services/media-server/options.nix
@@ -113,6 +113,10 @@ in {
 type = path;
 default = "${cfg.storage.state.root}/sonarr";
 };
+ prowlarr = mkOption {
+ type = path;
+ default = "${cfg.storage.state.root}/prowlarr";
+ };
 radarr = mkOption {
 type = path;
 default = "${cfg.storage.state.root}/radarr";
@@ -129,6 +133,10 @@ in {
 type = str;
 default = "media";
 };
+ sonarr = mkOption {
+ type = str;
+ default = "sonarr";
+ };
 prowlarr = mkOption {
 type = str;
 default = "prowlarr";
@@ -152,6 +160,10 @@ in {
 type = str;
 default = "sonarr";
 };
+ radarr = mkOption {
+ type = str;
+ default = "radarr";
+ };
 transmission = mkOption {
 type = str;
 default = "transmission";
diff --git a/modules/nixos/server/services/media-server/plex.nix b/modules/nixos/server/services/media-server/plex.nix
index 5c4bfb6..7770f8d 100644
--- a/modules/nixos/server/services/media-server/plex.nix
+++ b/modules/nixos/server/services/media-server/plex.nix
@@ -10,9 +10,10 @@ in {
 config = mkIf media-server.plex.enable {
 services.plex = {
 enable = true;
- user = users.streamer;
+ user = users.plex;
 group = groups.media;
 dataDir = storage.state.plex;
+ openFirewall = true;
 };
 ooknet.server.webserver.caddy.enable = true;
 services.caddy.virtualHosts."${domain.plex}".extraConfig = proxy.plex;
diff --git a/modules/nixos/server/services/media-server/prowlarr.nix b/modules/nixos/server/services/media-server/prowlarr.nix
index b4efd5c..ed59158 100644
--- a/modules/nixos/server/services/media-server/prowlarr.nix
+++ b/modules/nixos/server/services/media-server/prowlarr.nix
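Review bot: The new `sonarr`, `radarr` and `prowlarr` mkOption entries carry no `description`, so option docs and `nixos-option` show nothing for them; add one per option, e.g. `description = "System user Sonarr runs as.";` (or the group equivalent). The enclosing attribute sets are cut off by the hunk boundaries, so it is not visible whether the `sonarr` entry added at line 137 lands in the users set or the groups set; note that sonarr.nix and radarr.nix in this same patch move from `groups.sonarr`/`groups.radarr` to `groups.media`, so if these are group options they are being added just as their only consumers stop using them.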
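Review bot: As in jellyfin.nix, `openFirewall = true;` exposes Plex's listener directly while the Caddy vhost below is the intended front door, and the Plex module opens several discovery ports besides the web port, so the exposed surface is wider than the proxied UI. If remote access goes through the proxy, remove the line; if Plex's own remote-access feature is the reason, record it in a comment such as `# openFirewall: required for Plex remote access, not reachable via Caddy`. `users.plex` is referenced but no plex user option appears in the options.nix hunks of this patch, so confirm it is defined elsewhere.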
@@ -6,7 +6,7 @@
 }: let
 inherit (lib) mkIf getExe;
 inherit (config.ooknet.server) media-server;
- inherit (config.ooknet.server.media-server) storage users groups domain proxy;
+ inherit (config.ooknet.server.media-server) storage users groups domain proxy ports;
 in {
 config = mkIf media-server.prowlarr.enable {
 # we dont use the nixpkgs prowlarr service module because it lacks the option to
@@ -16,6 +16,8 @@ in {
 users.users.prowlarr = {
 group = groups.prowlarr;
 home = storage.state.prowlarr;
+ uid = 293;
+ isSystemUser = true;
 };
 users.groups.prowlarr = {};
@@ -36,12 +38,13 @@ in {
 };
 tmpfiles.settings.prowlarrDirs = {
 "${storage.state.prowlarr}"."d" = {
- mode = "700";
+ mode = "0700";
 user = users.prowlarr;
 group = groups.prowlarr;
 };
 };
 };
+ networking.firewall.allowedTCPPorts = [ports.prowlarr];
 ooknet.server.webserver.caddy.enable = true;
 services.caddy.virtualHosts."${domain.prowlarr}".extraConfig = proxy.prowlarr;
 };
diff --git a/modules/nixos/server/services/media-server/radarr.nix b/modules/nixos/server/services/media-server/radarr.nix
index beb5784..a523c0a 100644
--- a/modules/nixos/server/services/media-server/radarr.nix
+++ b/modules/nixos/server/services/media-server/radarr.nix
@@ -11,8 +11,9 @@ in {
 services.radarr = {
 enable = true;
 user = users.radarr;
- group = groups.radarr;
- dataDir = storage.state.radaar;
+ group = groups.media;
+ dataDir = storage.state.radarr;
+ openFirewall = true;
 };
 ooknet.server.webserver.caddy.enable = true;
 services.caddy.virtualHosts."${domain.radarr}".extraConfig = proxy.radarr;
diff --git a/modules/nixos/server/services/media-server/sonarr.nix b/modules/nixos/server/services/media-server/sonarr.nix
index be42fde..cfa06bc 100644
--- a/modules/nixos/server/services/media-server/sonarr.nix
+++ b/modules/nixos/server/services/media-server/sonarr.nix
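Review bot: `uid = 293;` pins a static UID with no comment saying why, and nothing here checks it against nixpkgs' reserved table (`config.ids.uids`), so a later nixpkgs bump that assigns 293 to another service would silently yield two accounts sharing a UID and therefore each other's files. If a fixed UID is genuinely needed (state shared across hosts, for instance), take it from `config.ids.uids` where nixpkgs defines one, or document the constraint: `uid = 293; # static: state dir is shared with another host and must match there`; otherwise drop the line and let NixOS allocate a dynamic system UID, which `isSystemUser = true;` already arranges.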
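Review bot: `networking.firewall.allowedTCPPorts = [ports.prowlarr];` opens Prowlarr's web port on every interface while the Caddy vhost on the following line is already the intended entry point, so the UI, which holds indexer credentials and the API key Sonarr/Radarr use, becomes reachable without passing through the proxy. Unless the Arr services call Prowlarr from other hosts, drop the rule and let them reach it locally or via the proxy, or at least make it opt-in the way the nixpkgs modules do: `networking.firewall.allowedTCPPorts = mkIf media-server.prowlarr.openFirewall [ports.prowlarr];` with a matching option. The `"700"` to `"0700"` change is harmless; tmpfiles accepts both spellings.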
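Review bot: `group = groups.media;` makes Radarr's state directory, which holds config.xml and its API key, group-owned by the shared media group, so whether that key becomes readable by every media-group member depends on the mode the nixpkgs module gives `dataDir`; confirm it is 0700 (I believe it is), and if it is not, keep a per-service group on the state dir and grant media as a supplementary group instead. `openFirewall = true;` raises the same concern as the other services in this patch: the Caddy vhost is the intended ingress and the directly opened port bypasses it. The `radaar` typo fix is correct and was presumably breaking evaluation before.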
@@ -11,8 +11,9 @@ in {
 services.sonarr = {
 enable = true;
 user = users.sonarr;
- group = groups.sonarr;
+ group = groups.media;
 dataDir = storage.state.sonarr;
+ openFirewall = true;
 };
 ooknet.server.webserver.caddy.enable = true;
 services.caddy.virtualHosts."${domain.sonarr}".extraConfig = proxy.sonarr;
diff --git a/modules/nixos/server/services/media-server/transmission.nix b/modules/nixos/server/services/media-server/transmission.nix
index 7999a19..1035024 100644
--- a/modules/nixos/server/services/media-server/transmission.nix
+++ b/modules/nixos/server/services/media-server/transmission.nix
@@ -40,6 +40,7 @@ in {
 incomplete-dir = storage.downloads.incomplete;
 watch-dir = storage.downloads.watch;
+ rpc-authentication-required = false;
 # rpc settings
 # rpc is how we connect to the service remotely
 rpc-port = ports.transmission.web;
@@ -54,6 +55,8 @@ in {
 "10.*"
 ];
+ rpc-bind-address = "192.168.15.1";
+
 # basic anti bruteforce protection
 anti-brute-force-enabled = true;
diff --git a/modules/nixos/server/services/media-server/users.nix b/modules/nixos/server/services/media-server/users.nix
index b7ec424..04e1cf4 100644
--- a/modules/nixos/server/services/media-server/users.nix
+++ b/modules/nixos/server/services/media-server/users.nix
@@ -18,7 +18,7 @@ in {
 isSystemUser = true;
 group = "downloader";
 };
- steamer = {
+ streamer = {
 isSystemUser = true;
 group = "streamer";
 };
diff --git a/modules/nixos/server/services/media-server/vpn.nix b/modules/nixos/server/services/media-server/vpn.nix
index 7724a97..512b354 100644
--- a/modules/nixos/server/services/media-server/vpn.nix
+++ b/modules/nixos/server/services/media-server/vpn.nix
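Review bot: Same two points as radarr.nix in this patch: `group = groups.media;` changes who can read Sonarr's state directory, so confirm the module-created `dataDir` mode keeps the API key private to the sonarr user, and `openFirewall = true;` exposes the port directly although the Caddy vhost below is the intended ingress. If direct LAN access is deliberate, a one-line comment such as `# openFirewall: Prowlarr on another host calls this port directly` would keep the next reader from removing it.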
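Review bot: `rpc-authentication-required = false;` disables authentication on Transmission's RPC entirely, so anyone who can reach the RPC port (the whitelist in the next hunk admits `10.*`, and vpn.nix in this patch makes the namespace reachable from `192.168.20.0/24` and `10.0.0.0/8`) can add torrents, change download paths and inspect the whole session, and the `anti-brute-force-enabled = true;` setting below becomes meaningless. Set `rpc-authentication-required = true;` and an `rpc-username` here, and supply the password through the nixpkgs module's `credentialsFile` option so it stays out of the Nix store; even if the Caddy vhost in front does its own authentication, the bound address itself remains open to the LAN. The settings attribute set this hunk sits in starts and ends outside the hunk.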
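Review bot: `rpc-bind-address = "192.168.15.1";` hard-codes an address that presumably belongs to the vpn-confinement namespace bridge, but nothing in this file ties it to the namespace configured in vpn.nix, so a change there silently leaves the RPC bound to a stale address or, worse, to a host-side interface. Derive it from one option shared with vpn.nix, as the file already does for ports via `ports.transmission.web`, e.g. `rpc-bind-address = media-server.vpn.bridgeAddress;`, and add a comment naming which side of the namespace this address is on.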
@@ -1,18 +1,23 @@
 {
 config,
 lib,
+ pkgs,
 ...
 }: let
 inherit (lib) mkIf;
 inherit (config.ooknet.server.media-server) ports transmission;
 inherit (config.age) secrets;
+ inherit (builtins) attrValues;
 in {
 config = mkIf transmission.enable {
+ environment.systemPackages = attrValues {
+ inherit (pkgs) wireguard-tools dnsutils;
+ };
 vpnNamespaces.wg = {
 enable = true;
- wireguardConfigFile = secrets.mullvad_wg.path;
+ wireguardConfigFile = secrets."mullvad_wg.conf".path;
 accessibleFrom = [
- "192.168.0.1/24"
+ "192.168.20.0/24"
 "127.0.0.1"
 "10.0.0.0/8"
 ];
@@ -35,5 +40,12 @@ in {
 enable = true;
 vpnNamespace = "wg";
 };
+ systemd.services.wg = {
+ serviceConfig = {
+ LogLevelMax = "debug";
+ StandardOutput = "journal";
+ StandardError = "journal";
+ };
+ };
 };
 }
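Review bot: `accessibleFrom` still admits the whole of `10.0.0.0/8` next to the corrected `192.168.20.0/24`, which is a very wide window into a namespace that transmission.nix in this patch uses for an RPC listener with authentication disabled; narrow it to the client subnets that actually need it and annotate each entry, e.g. `"10.0.0.0/8" # TODO: replace with the specific subnet that needs Transmission RPC`. The `192.168.0.1/24` to `192.168.20.0/24` fix is right, since the old value was not on a network boundary. Adding `wireguard-tools` and `dnsutils` to `environment.systemPackages` puts debugging tools on the host for every user whenever transmission is enabled; putting them in the namespace unit's `path` or behind a debug option would be tighter.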
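Review bot: `LogLevelMax = "debug";` on the wg unit is committed as permanent configuration, and if that service logs the commands it runs against the WireGuard config file, endpoint details and possibly key material from `mullvad_wg.conf` end up in the journal for anyone with journal access; remove this block once the issue it was added for is resolved, or gate it behind an option with a warning comment such as `# debug logging for the namespace unit; do not leave enabled, config contents may be logged`. `StandardOutput` and `StandardError = "journal"` are systemd's defaults and can be dropped. Whether the unit is really named `wg` depends on the vpn-confinement module's naming, which is not visible here.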