ambroisie/nix-config
ambroisie/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Compare commits

base: ambroisie:0f757ee7326d4dc9368e8d3003ffe198e37129ee
Branches Tags
ambroisie:main
ambroisie:add-jj
ambroisie:xdg-mime-apps
ambroisie:tmux-undercurls
ambroisie:export-nixos-homes
ambroisie:native-vim-snippets
ambroisie:add-impermanence
ambroisie:add-typos-hook
ambroisie:add-bazel-template
ambroisie:nvim-lua-lsp
ambroisie:xdg-nix
..
compare: ambroisie:96129a8b2f43f1bd5b2b49608e49477529c2d419
Branches Tags
ambroisie:add-jj
ambroisie:main
ambroisie:xdg-mime-apps
ambroisie:tmux-undercurls
ambroisie:export-nixos-homes
ambroisie:native-vim-snippets
ambroisie:add-impermanence
ambroisie:add-typos-hook
ambroisie:add-bazel-template
ambroisie:nvim-lua-lsp
ambroisie:xdg-nix

No commits in common. "0f757ee7326d4dc9368e8d3003ffe198e37129ee" and "96129a8b2f43f1bd5b2b49608e49477529c2d419" have entirely different histories.
0f757ee732 ... 96129a8b2f

12 changed files with 90 additions and 224 deletions
Download patch file Download diff file Expand all files Collapse all files

12
flake.lock generated
View file

@ -136,11 +136,11 @@
]
},
"locked": {
"lastModified": 1743438213,
"narHash": "sha256-ZZDN+0v1r4I1xkQWlt8euOJv5S4EvElUCZMrDjTCEsY=",
"lastModified": 1742771635,
"narHash": "sha256-HQHzQPrg+g22tb3/K/4tgJjPzM+/5jbaujCZd8s2Mls=",
"owner": "nix-community",
"repo": "home-manager",
"rev": "ccd7df836e1f42ea84806760f25b77b586370259",
"rev": "ad0614a1ec9cce3b13169e20ceb7e55dfaf2a818",
"type": "github"
},
"original": {
@ -152,11 +152,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1743315132,
"narHash": "sha256-6hl6L/tRnwubHcA4pfUUtk542wn2Om+D4UnDhlDW9BE=",
"lastModified": 1742669843,
"narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "52faf482a3889b7619003c0daec593a1912fddc1",
"rev": "1e5b653dff12029333a6546c11e108ede13052eb",
"type": "github"
},
"original": {

2
hosts/nixos/porthos/secrets/secrets.nix
View file

@ -80,8 +80,6 @@ in
"pyload/credentials.age".publicKeys = all;
"servarr/autobrr/session-secret.age".publicKeys = all;
"sso/auth-key.age" = {
owner = "nginx-sso";
publicKeys = all;

7
hosts/nixos/porthos/secrets/servarr/autobrr/session-secret.age
View file

@ -1,7 +0,0 @@
age-encryption.org/v1
-> ssh-ed25519 cKojmg bu09lB+fjaPP31cUQZP6EqSPuseucgNK7k9vAS08iS0
+NGL+b2QD/qGo6hqHvosAXzHZtDvfodmPdcgnrKlD1o
-> ssh-ed25519 jPowng QDCdRBGWhtdvvMCiDH52cZHz1/W7aomhTatZ4+9IKwI
Ou3jjV/O55G1CPgGS33l3eWhhYWrVdwVNPSiE14d5rE
--- q0ssmpG50OX1WaNSInc2hbtH3DbTwQGDU74VGEoMh94
 ¯mCùº<C3B9>Æ'hK.Ðì/™Xu(€«Õ×g$½'¼šM{fK˜ !ÛMZ²oR÷®ˆüÎÕ<C38E>ÍŸö;yb

14
hosts/nixos/porthos/services.nix
View file

@ -51,6 +51,10 @@ in
passwordFile = secrets."forgejo/mail-password".path;
};
};
# Meta-indexers
indexers = {
prowlarr.enable = true;
};
# Jellyfin media server
jellyfin.enable = true;
# Gitea mirrorig service
@ -141,20 +145,10 @@ in
# The whole *arr software suite
servarr = {
enableAll = true;
autobrr = {
sessionSecretFile = secrets."servarr/autobrr/session-secret".path;
};
# ... But not Lidarr because I don't care for music that much
lidarr = {
enable = false;
};
# I only use Prowlarr nowadays
jackett = {
enable = false;
};
nzbhydra = {
enable = false;
};
};
# Because I still need to play sysadmin
ssh-server.enable = true;

1
modules/nixos/services/default.nix
View file

@ -15,6 +15,7 @@
./gitea
./grocy
./homebox
./indexers
./jellyfin
./komga
./lohr

78
modules/nixos/services/indexers/default.nix Normal file
View file

@ -0,0 +1,78 @@
# Torrent and usenet meta-indexers
{ config, lib, ... }:
let
cfg = config.my.services.indexers;
jackettPort = 9117;
nzbhydraPort = 5076;
prowlarrPort = 9696;
in
{
options.my.services.indexers = with lib; {
jackett.enable = mkEnableOption "Jackett torrent meta-indexer";
nzbhydra.enable = mkEnableOption "NZBHydra2 usenet meta-indexer";
prowlarr.enable = mkEnableOption "Prowlarr torrent & usenet meta-indexer";
};
config = lib.mkMerge [
(lib.mkIf cfg.jackett.enable {
services.jackett = {
enable = true;
};
# Jackett wants to eat *all* my RAM if left to its own devices
systemd.services.jackett = {
serviceConfig = {
MemoryHigh = "15%";
MemoryMax = "25%";
};
};
my.services.nginx.virtualHosts = {
jackett = {
port = jackettPort;
};
};
})
(lib.mkIf cfg.nzbhydra.enable {
services.nzbhydra2 = {
enable = true;
};
my.services.nginx.virtualHosts = {
nzbhydra = {
port = nzbhydraPort;
};
};
})
(lib.mkIf cfg.prowlarr.enable {
services.prowlarr = {
enable = true;
};
my.services.nginx.virtualHosts = {
prowlarr = {
port = prowlarrPort;
};
};
services.fail2ban.jails = {
prowlarr = ''
enabled = true
filter = prowlarr
action = iptables-allports
'';
};
environment.etc = {
"fail2ban/filter.d/prowlarr.conf".text = ''
[Definition]
failregex = ^.*\|Warn\|Auth\|Auth-Failure ip <HOST> username .*$
journalmatch = _SYSTEMD_UNIT=prowlarr.service
'';
};
})
];
}

61
modules/nixos/services/servarr/autobrr.nix
View file

@ -1,61 +0,0 @@
# IRC-based
{ config, lib, ... }:
let
cfg = config.my.services.servarr.autobrr;
in
{
options.my.services.servarr.autobrr = with lib; {
enable = mkEnableOption "autobrr IRC announce tracker";
port = mkOption {
type = types.port;
default = 7474;
example = 8080;
description = "Internal port for webui";
};
sessionSecretFile = mkOption {
type = types.str;
example = "/run/secrets/autobrr-secret.txt";
description = ''
File containing the session secret.
'';
};
};
config = lib.mkIf cfg.enable {
# FIXME
services.autobrr = {
enable = true;
settings = {
inherit (cfg) port;
checkForUpdates = false;
};
secretFile = cfg.sessionSecretFile;
};
my.services.nginx.virtualHosts = {
autobrr = {
inherit (cfg) port;
};
};
services.fail2ban.jails = {
autobrr = ''
enabled = true
filter = autobrr
action = iptables-allports
'';
};
environment.etc = {
"fail2ban/filter.d/autobrr.conf".text = ''
[Definition]
failregex = ^.*Auth: invalid login \[.*\] from: <HOST>$
journalmatch = _SYSTEMD_UNIT=autobrr.service
'';
};
};
}

4
modules/nixos/services/servarr/default.nix
View file

@ -5,11 +5,7 @@
{ lib, ... }:
{
imports = [
./autobrr.nix
./bazarr.nix
./jackett.nix
./nzbhydra.nix
./prowlarr.nix
(import ./starr.nix "lidarr")
(import ./starr.nix "radarr")
(import ./starr.nix "readarr")

41
modules/nixos/services/servarr/jackett.nix
View file

@ -1,41 +0,0 @@
{ config, lib, ... }:
let
cfg = config.my.services.servarr.jackett;
in
{
options.my.services.servarr.jackett = with lib; {
enable = lib.mkEnableOption "Jackett" // {
default = config.my.services.servarr.enableAll;
};
port = mkOption {
type = types.port;
default = 9117;
example = 8080;
description = "Internal port for webui";
};
};
config = lib.mkIf cfg.enable {
services.jackett = {
enable = true;
inherit (cfg) port;
};
# Jackett wants to eat *all* my RAM if left to its own devices
systemd.services.jackett = {
serviceConfig = {
MemoryHigh = "15%";
MemoryMax = "25%";
};
};
my.services.nginx.virtualHosts = {
jackett = {
inherit (cfg) port;
};
};
# Jackett does not log authentication failures...
};
}

26
modules/nixos/services/servarr/nzbhydra.nix
View file

@ -1,26 +0,0 @@
{ config, lib, ... }:
let
cfg = config.my.services.servarr.nzbhydra;
in
{
options.my.services.servarr.nzbhydra = with lib; {
enable = lib.mkEnableOption "NZBHydra2" // {
default = config.my.services.servarr.enableAll;
};
};
config = lib.mkIf cfg.enable {
services.nzbhydra2 = {
enable = true;
};
my.services.nginx.virtualHosts = {
nzbhydra = {
port = 5076;
websocketsLocations = [ "/" ];
};
};
# NZBHydra2 does not log authentication failures...
};
}

53
modules/nixos/services/servarr/prowlarr.nix
View file

@ -1,53 +0,0 @@
# Torrent and NZB indexer
{ config, lib, ... }:
let
cfg = config.my.services.servarr.prowlarr;
in
{
options.my.services.servarr.prowlarr = with lib; {
enable = lib.mkEnableOption "Prowlarr" // {
default = config.my.services.servarr.enableAll;
};
port = mkOption {
type = types.port;
default = 9696;
example = 8080;
description = "Internal port for webui";
};
};
config = lib.mkIf cfg.enable {
services.prowlarr = {
enable = true;
settings = {
server = {
port = cfg.port;
};
};
};
my.services.nginx.virtualHosts = {
prowlarr = {
inherit (cfg) port;
};
};
services.fail2ban.jails = {
prowlarr = ''
enabled = true
filter = prowlarr
action = iptables-allports
'';
};
environment.etc = {
"fail2ban/filter.d/prowlarr.conf".text = ''
[Definition]
failregex = ^.*\|Warn\|Auth\|Auth-Failure ip <HOST> username .*$
journalmatch = _SYSTEMD_UNIT=prowlarr.service
'';
};
};
}

15
modules/nixos/services/servarr/starr.nix
View file

@ -15,25 +15,12 @@ in
enable = lib.mkEnableOption (lib.toSentenceCase starr) // {
default = config.my.services.servarr.enableAll;
};
port = mkOption {
type = types.port;
default = ports.${starr};
example = 8080;
description = "Internal port for webui";
};
};
config = lib.mkIf cfg.enable {
services.${starr} = {
enable = true;
group = "media";
settings = {
server = {
port = cfg.port;
};
};
};
# Set-up media group
@ -41,7 +28,7 @@ in
my.services.nginx.virtualHosts = {
${starr} = {
port = cfg.port;
port = ports.${starr};
};
};