server: rework service-based media server

This commit is contained in:
ooks-io 2024-12-02 12:28:46 +11:00
parent cf9a5b90bd
commit eb1d01174d
10 changed files with 47 additions and 10 deletions


@ -13,6 +13,9 @@ in {
./options.nix ./options.nix
./jellyfin.nix ./jellyfin.nix
./transmission.nix ./transmission.nix
./sonarr.nix
./radarr.nix
./prowlarr.nix
./file-permissions.nix ./file-permissions.nix
./vpn.nix ./vpn.nix
inputs.vpn-confinement.nixosModules.default inputs.vpn-confinement.nixosModules.default


@ -10,9 +10,10 @@ in {
config = mkIf media-server.jellyfin.enable { config = mkIf media-server.jellyfin.enable {
services.jellyfin = { services.jellyfin = {
enable = true; enable = true;
user = users.streamer; user = users.jellyfin;
group = groups.media; group = groups.media;
dataDir = storage.state.jellyfin; dataDir = storage.state.jellyfin;
openFirewall = true;
}; };
ooknet.server.webserver.caddy.enable = true; ooknet.server.webserver.caddy.enable = true;
services.caddy.virtualHosts."${domain.jellyfin}".extraConfig = proxy.jellyfin; services.caddy.virtualHosts."${domain.jellyfin}".extraConfig = proxy.jellyfin;
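Review bot: `openFirewall = true;` on the new side of this hunk exposes Jellyfin's listening port directly on every interface, while the line just below already publishes the service through Caddy (`services.caddy.virtualHosts."${domain.jellyfin}"`), so clients can bypass whatever TLS, headers or access rules the proxy applies. A reverse-proxied service needs no inbound port of its own; unless LAN clients really need direct access (e.g. DLNA discovery), the line can be dropped, and if direct access is wanted, scoping it with `networking.firewall.interfaces.<lan-iface>.allowedTCPPorts` is tighter than a global open. The same addition appears in the plex, radarr and sonarr sections (`openFirewall = true;`) and in the prowlarr section as `networking.firewall.allowedTCPPorts = [ports.prowlarr];`, each next to a Caddy vhost for the same service. The enclosing `config = mkIf …` block continues outside the hunk.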


@ -113,6 +113,10 @@ in {
type = path; type = path;
default = "${cfg.storage.state.root}/sonarr"; default = "${cfg.storage.state.root}/sonarr";
}; };
prowlarr = mkOption {
type = path;
default = "${cfg.storage.state.root}/prowlarr";
};
radarr = mkOption { radarr = mkOption {
type = path; type = path;
default = "${cfg.storage.state.root}/radarr"; default = "${cfg.storage.state.root}/radarr";
@ -129,6 +133,10 @@ in {
type = str; type = str;
default = "media"; default = "media";
}; };
sonarr = mkOption {
type = str;
default = "sonarr";
};
prowlarr = mkOption { prowlarr = mkOption {
type = str; type = str;
default = "prowlarr"; default = "prowlarr";
@ -152,6 +160,10 @@ in {
type = str; type = str;
default = "sonarr"; default = "sonarr";
}; };
radarr = mkOption {
type = str;
default = "radarr";
};
transmission = mkOption { transmission = mkOption {
type = str; type = str;
default = "transmission"; default = "transmission";
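Review bot: The three new `mkOption` blocks (the prowlarr state directory and the `sonarr` and `radarr` name options) declare `type` and `default` but no `description`, so `nixos-option` and generated docs show nothing for them; a one-liner each, e.g. `description = "State directory for prowlarr.";`, would document the intent. The second and third hunks add `sonarr` and `radarr` entries into what look like the groups and users attrsets respectively (inferred from the neighbouring `media` and `transmission` defaults, not visible here); note that on the new side the radarr and sonarr modules switch to `groups.media`, so if the `sonarr` entry is indeed a group option it has no consumer in this commit. The enclosing option sets start and end outside the hunks.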


@ -10,9 +10,10 @@ in {
config = mkIf media-server.plex.enable { config = mkIf media-server.plex.enable {
services.plex = { services.plex = {
enable = true; enable = true;
user = users.streamer; user = users.plex;
group = groups.media; group = groups.media;
dataDir = storage.state.plex; dataDir = storage.state.plex;
openFirewall = true;
}; };
ooknet.server.webserver.caddy.enable = true; ooknet.server.webserver.caddy.enable = true;
services.caddy.virtualHosts."${domain.plex}".extraConfig = proxy.plex; services.caddy.virtualHosts."${domain.plex}".extraConfig = proxy.plex;


@ -6,7 +6,7 @@
}: let }: let
inherit (lib) mkIf getExe; inherit (lib) mkIf getExe;
inherit (config.ooknet.server) media-server; inherit (config.ooknet.server) media-server;
inherit (config.ooknet.server.media-server) storage users groups domain proxy; inherit (config.ooknet.server.media-server) storage users groups domain proxy ports;
in { in {
config = mkIf media-server.prowlarr.enable { config = mkIf media-server.prowlarr.enable {
# we dont use the nixpkgs prowlarr service module because it lacks the option to # we dont use the nixpkgs prowlarr service module because it lacks the option to
@ -16,6 +16,8 @@ in {
users.users.prowlarr = { users.users.prowlarr = {
group = groups.prowlarr; group = groups.prowlarr;
home = storage.state.prowlarr; home = storage.state.prowlarr;
uid = 293;
isSystemUser = true;
}; };
users.groups.prowlarr = {}; users.groups.prowlarr = {};
@ -36,12 +38,13 @@ in {
}; };
tmpfiles.settings.prowlarrDirs = { tmpfiles.settings.prowlarrDirs = {
"${storage.state.prowlarr}"."d" = { "${storage.state.prowlarr}"."d" = {
mode = "700"; mode = "0700";
user = users.prowlarr; user = users.prowlarr;
group = groups.prowlarr; group = groups.prowlarr;
}; };
}; };
}; };
networking.firewall.allowedTCPPorts = [ports.prowlarr];
ooknet.server.webserver.caddy.enable = true; ooknet.server.webserver.caddy.enable = true;
services.caddy.virtualHosts."${domain.prowlarr}".extraConfig = proxy.prowlarr; services.caddy.virtualHosts."${domain.prowlarr}".extraConfig = proxy.prowlarr;
}; };
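Review bot: `uid = 293;` pins a static uid for the prowlarr user while `users.groups.prowlarr = {};` still gets a dynamically allocated gid, so ownership of `storage.state.prowlarr` (created by tmpfiles with the corrected `0700`) is only half stable across rebuilds; if a fixed id is wanted, pin both, `users.groups.prowlarr.gid = <same id>;`, and record the reason in a comment such as `# fixed uid/gid so the state dir keeps its owner if the user is re-created`. I believe nixpkgs reserves ids below 400 for its own static allocations in `ids.nix`, so a hand-picked 293 may collide with a module that declares the same number — worth checking against `config.ids.uids` before settling on it. The `users.users.prowlarr` block is complete within the hunk; the surrounding `config = mkIf …` is not.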


@ -11,8 +11,9 @@ in {
services.radarr = { services.radarr = {
enable = true; enable = true;
user = users.radarr; user = users.radarr;
group = groups.radarr; group = groups.media;
dataDir = storage.state.radaar; dataDir = storage.state.radarr;
openFirewall = true;
}; };
ooknet.server.webserver.caddy.enable = true; ooknet.server.webserver.caddy.enable = true;
services.caddy.virtualHosts."${domain.radarr}".extraConfig = proxy.radarr; services.caddy.virtualHosts."${domain.radarr}".extraConfig = proxy.radarr;


@ -11,8 +11,9 @@ in {
services.sonarr = { services.sonarr = {
enable = true; enable = true;
user = users.sonarr; user = users.sonarr;
group = groups.sonarr; group = groups.media;
dataDir = storage.state.sonarr; dataDir = storage.state.sonarr;
openFirewall = true;
}; };
ooknet.server.webserver.caddy.enable = true; ooknet.server.webserver.caddy.enable = true;
services.caddy.virtualHosts."${domain.sonarr}".extraConfig = proxy.sonarr; services.caddy.virtualHosts."${domain.sonarr}".extraConfig = proxy.sonarr;


@ -40,6 +40,7 @@ in {
incomplete-dir = storage.downloads.incomplete; incomplete-dir = storage.downloads.incomplete;
watch-dir = storage.downloads.watch; watch-dir = storage.downloads.watch;
rpc-authentication-required = false;
# rpc settings # rpc settings
# rpc is how we connect to the service remotely # rpc is how we connect to the service remotely
rpc-port = ports.transmission.web; rpc-port = ports.transmission.web;
@ -54,6 +55,8 @@ in {
"10.*" "10.*"
]; ];
rpc-bind-address = "192.168.15.1";
# basic anti bruteforce protection # basic anti bruteforce protection
anti-brute-force-enabled = true; anti-brute-force-enabled = true;
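Review bot: `rpc-authentication-required = false;` — on the new side, judging by the hunk's +1 count — disables credential checks on the Transmission RPC endpoint, leaving the IP whitelist (`"10.*"` and the other entries above) as the only access control, and it makes `anti-brute-force-enabled = true;` below moot since there is no password left to protect. Any host or container that can source packets from a whitelisted address then has full control of the daemon. Consider keeping `rpc-authentication-required = true;` and supplying the credentials through `services.transmission.credentialsFile` (which the module merges into the settings) from the same age secrets the VPN module already reads; `rpc-bind-address = "192.168.15.1";` narrows the listener but is not a substitute for authentication. The `settings` attrset continues outside both hunks.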


@ -18,7 +18,7 @@ in {
isSystemUser = true; isSystemUser = true;
group = "downloader"; group = "downloader";
}; };
steamer = { streamer = {
isSystemUser = true; isSystemUser = true;
group = "streamer"; group = "streamer";
}; };


@ -1,18 +1,23 @@
{ {
config, config,
lib, lib,
pkgs,
... ...
}: let }: let
inherit (lib) mkIf; inherit (lib) mkIf;
inherit (config.ooknet.server.media-server) ports transmission; inherit (config.ooknet.server.media-server) ports transmission;
inherit (config.age) secrets; inherit (config.age) secrets;
inherit (builtins) attrValues;
in { in {
config = mkIf transmission.enable { config = mkIf transmission.enable {
environment.systemPackages = attrValues {
inherit (pkgs) wireguard-tools dnsutils;
};
vpnNamespaces.wg = { vpnNamespaces.wg = {
enable = true; enable = true;
wireguardConfigFile = secrets.mullvad_wg.path; wireguardConfigFile = secrets."mullvad_wg.conf".path;
accessibleFrom = [ accessibleFrom = [
"192.168.0.1/24" "192.168.20.0/24"
"127.0.0.1" "127.0.0.1"
"10.0.0.0/8" "10.0.0.0/8"
]; ];
@ -35,5 +40,12 @@ in {
enable = true; enable = true;
vpnNamespace = "wg"; vpnNamespace = "wg";
}; };
systemd.services.wg = {
serviceConfig = {
LogLevelMax = "debug";
StandardOutput = "journal";
StandardError = "journal";
};
};
}; };
} }
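Review bot: `LogLevelMax = "debug";` on `systemd.services.wg` reads like a troubleshooting leftover: it keeps the namespace unit's most verbose output in the persistent journal on every boot, and depending on what the vpn-confinement module prints at debug level that can include tunnel configuration details. If it is intentional, a comment such as `# debug logging kept on purpose: <reason>` would save the next reader from removing it; otherwise drop the `LogLevelMax` line (the two `Standard*` journal settings are harmless) once the issue it was added for is resolved. The `accessibleFrom` change from `"192.168.0.1/24"` to `"192.168.20.0/24"` also corrects a non-network-aligned prefix, which is worth mentioning in the commit description.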