From 445cb43cb42270065d312ded3d69160e2603833c Mon Sep 17 00:00:00 2001
From: Bruno BELANYI <bruno@belanyi.fr>
Date: Wed, 4 Sep 2024 10:34:37 +0000
Subject: [PATCH 1/7] nixos: services: nix-cache: fix deprecated config

---
 modules/nixos/services/nix-cache/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/nixos/services/nix-cache/default.nix b/modules/nixos/services/nix-cache/default.nix
index 1ce3161..f3a29aa 100644
--- a/modules/nixos/services/nix-cache/default.nix
+++ b/modules/nixos/services/nix-cache/default.nix
@@ -40,7 +40,7 @@ in
         inherit (cfg) priority;
       };
 
-      signKeyPath = cfg.secretKeyFile;
+      signKeyPaths = [ cfg.secretKeyFile ];
     };
 
     my.services.nginx.virtualHosts = {

From fb4047b2b303f2dbdf91a862ee4ab543594c21dd Mon Sep 17 00:00:00 2001
From: Bruno BELANYI <bruno@belanyi.fr>
Date: Wed, 4 Sep 2024 12:07:33 +0200
Subject: [PATCH 2/7] nixos: services: nginx: sso: align with upstream

This aligns with the PR I opened on nixpkgs [1].

[1]: https://github.com/NixOS/nixpkgs/pull/325838
---
 modules/nixos/services/nginx/sso/default.nix | 9 ++-------
 1 file changed, 2 insertions(+), 7 deletions(-)

diff --git a/modules/nixos/services/nginx/sso/default.nix b/modules/nixos/services/nginx/sso/default.nix
index 4a78282..d60e31b 100644
--- a/modules/nixos/services/nginx/sso/default.nix
+++ b/modules/nixos/services/nginx/sso/default.nix
@@ -59,15 +59,10 @@ in
         StateDirectory = "nginx-sso";
         WorkingDirectory = "/var/lib/nginx-sso";
         # The files to be merged might not have the correct permissions
-        ExecStartPre = ''+${pkgs.writeShellScript "merge-nginx-sso-config" ''
+        ExecStartPre = pkgs.writeShellScript "merge-nginx-sso-config" ''
           rm -f '${confPath}'
           ${utils.genJqSecretsReplacementSnippet cfg.configuration confPath}
-
-          # Fix permissions
-          chown nginx-sso:nginx-sso ${confPath}
-          chmod 0600 ${confPath}
-        ''
-        }'';
+        '';
         ExecStart = lib.mkForce ''
           ${lib.getExe pkg} \
             --config ${confPath} \

From 52197a4f965dab7fe16bfc2fe6f301da8bc184a4 Mon Sep 17 00:00:00 2001
From: Bruno BELANYI <bruno@belanyi.fr>
Date: Wed, 4 Sep 2024 12:07:33 +0200
Subject: [PATCH 3/7] nixos: services: pirate: add readarr

---
 modules/nixos/services/pirate/default.nix | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/modules/nixos/services/pirate/default.nix b/modules/nixos/services/pirate/default.nix
index e500b54..822a8aa 100644
--- a/modules/nixos/services/pirate/default.nix
+++ b/modules/nixos/services/pirate/default.nix
@@ -10,6 +10,7 @@ let
     bazarr = 6767;
     lidarr = 8686;
     radarr = 7878;
+    readarr = 8787;
     sonarr = 8989;
   };
 
@@ -67,6 +68,10 @@ in
       enable = lib.my.mkDisableOption "Radarr";
     };
 
+    readarr = {
+      enable = lib.my.mkDisableOption "Readarr";
+    };
+
     sonarr = {
       enable = lib.my.mkDisableOption "Sonarr";
     };
@@ -85,6 +90,9 @@ in
     # Radarr for movies
     (mkFullConfig "radarr")
     (mkFail2Ban "radarr")
+    # Readarr for books
+    (mkFullConfig "readarr")
+    (mkFail2Ban "readarr")
     # Sonarr for shows
     (mkFullConfig "sonarr")
     (mkFail2Ban "sonarr")

From 6f00036b7963ac6674a40c5d2bc8fe8a25fe79cf Mon Sep 17 00:00:00 2001
From: Bruno BELANYI <bruno@belanyi.fr>
Date: Wed, 4 Sep 2024 12:07:33 +0200
Subject: [PATCH 4/7] overlays: add 'downgrade-transmission'

The 4.0.6 release is buggy and widely blacklisted.
---
 overlays/downgrade-transmission/default.nix | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
 create mode 100644 overlays/downgrade-transmission/default.nix

diff --git a/overlays/downgrade-transmission/default.nix b/overlays/downgrade-transmission/default.nix
new file mode 100644
index 0000000..9d3fc8a
--- /dev/null
+++ b/overlays/downgrade-transmission/default.nix
@@ -0,0 +1,14 @@
+self: prev:
+{
+  transmission_4 = prev.transmission_4.overrideAttrs (_: {
+    version = "4.0.5";
+
+    src = self.fetchFromGitHub {
+      owner = "transmission";
+      repo = "transmission";
+      rev = "4.0.5";
+      hash = "sha256-gd1LGAhMuSyC/19wxkoE2mqVozjGPfupIPGojKY0Hn4=";
+      fetchSubmodules = true;
+    };
+  });
+}

From b7cc9426139353aa61b04451568b3a1bc1c27c0d Mon Sep 17 00:00:00 2001
From: Bruno BELANYI <bruno@belanyi.fr>
Date: Thu, 22 Aug 2024 23:44:40 +0200
Subject: [PATCH 5/7] nixos: services: add pdf-edit

---
 modules/nixos/services/default.nix          |  1 +
 modules/nixos/services/pdf-edit/default.nix | 73 +++++++++++++++++++++
 2 files changed, 74 insertions(+)
 create mode 100644 modules/nixos/services/pdf-edit/default.nix

diff --git a/modules/nixos/services/default.nix b/modules/nixos/services/default.nix
index 60b2478..fb474de 100644
--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@@ -26,6 +26,7 @@
     ./nginx
     ./nix-cache
     ./paperless
+    ./pdf-edit
     ./pirate
     ./podgrab
     ./postgresql
diff --git a/modules/nixos/services/pdf-edit/default.nix b/modules/nixos/services/pdf-edit/default.nix
new file mode 100644
index 0000000..d59507b
--- /dev/null
+++ b/modules/nixos/services/pdf-edit/default.nix
@@ -0,0 +1,73 @@
+{ config, lib, ... }:
+let
+  cfg = config.my.services.pdf-edit;
+in
+{
+  options.my.services.pdf-edit = with lib; {
+    enable = mkEnableOption "PDF edition service";
+
+    port = mkOption {
+      type = types.port;
+      default = 8089;
+      example = 8080;
+      description = "Internal port for webui";
+    };
+
+    loginFile = mkOption {
+      type = types.str;
+      example = "/run/secrets/pdf-edit/login.env";
+      description = ''
+        `SECURITY_INITIALLOGIN_USERNAME` and `SECURITY_INITIALLOGIN_PASSWORD`
+        defined in the format of 'EnvironmentFile' (see `systemd.exec(5)`).
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.stirling-pdf = lib.mkIf cfg.enable {
+      enable = true;
+
+      environment = {
+        SERVER_PORT = cfg.port;
+        SECURITY_CSRFDISABLED = "false";
+
+        SYSTEM_SHOWUPDATE = "false"; # We don't care about update notifications
+        INSTALL_BOOK_AND_ADVANCED_HTML_OPS = "true"; # Installed by the module
+
+        SECURITY_ENABLELOGIN = "true";
+        SECURITY_LOGINATTEMPTCOUNT = "-1"; # Rely on fail2ban instead
+      };
+
+      environmentFiles = [ cfg.loginFile ];
+    };
+
+    my.services.nginx.virtualHosts = {
+      pdf-edit = {
+        inherit (cfg) port;
+
+        extraConfig = {
+          # Allow upload of PDF files up to 1G
+          locations."/".extraConfig = ''
+            client_max_body_size 1G;
+          '';
+        };
+      };
+    };
+
+    services.fail2ban.jails = {
+      stirling-pdf = ''
+        enabled = true
+        filter = stirling-pdf
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/stirling-pdf.conf".text = ''
+        [Definition]
+        failregex = ^.*Failed login attempt from IP: <HOST>$
+        journalmatch = _SYSTEMD_UNIT=stirling-pdf.service
+      '';
+    };
+  };
+}

From a70b23cc3fa38dc12a54270a62dd86a38b976e7d Mon Sep 17 00:00:00 2001
From: Bruno BELANYI <bruno@belanyi.fr>
Date: Thu, 22 Aug 2024 23:45:16 +0200
Subject: [PATCH 6/7] hosts: nixos: porthos: secrets: add pdf-edit

---
 hosts/nixos/porthos/secrets/pdf-edit/login.age | 8 ++++++++
 hosts/nixos/porthos/secrets/secrets.nix        | 2 ++
 2 files changed, 10 insertions(+)
 create mode 100644 hosts/nixos/porthos/secrets/pdf-edit/login.age

diff --git a/hosts/nixos/porthos/secrets/pdf-edit/login.age b/hosts/nixos/porthos/secrets/pdf-edit/login.age
new file mode 100644
index 0000000..7f13f88
--- /dev/null
+++ b/hosts/nixos/porthos/secrets/pdf-edit/login.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg VYlHgHSLpfKb5bn1XA3aCpfX7M23DgbraLxxOfo9PDk
+Rj+mDvAsWX3WwpuhTrOubmo17j/aud5+P87df5bosBA
+-> ssh-ed25519 jPowng o9ZFaYrITZ6DjWw07Vk/+TkuU187/ytlEK4sw7G32G4
+zmxlpDvDDEgQFqBVARXeX1ABhvfJ4uAHfa6mIxXzjAY
+--- k/d9FWW8/OSo8EllwOBV74pZyX918u54jEljGk3ATUc
+ü4+ø2{‘hE7!Ò­GA`×_@Íß—´¡R_ý§6J„ñL4v,‚6%ô‡øó#^®	Ù¹åB­§OøF‚|’7Ü½ÉL]œÙjR¨
+BþóÛ¾éaòs]xSÎ	pbÞo#¬J1QŸ=t}5Õ>Oï‘{+¼.M"7e»yý÷—
\ No newline at end of file
diff --git a/hosts/nixos/porthos/secrets/secrets.nix b/hosts/nixos/porthos/secrets/secrets.nix
index a9b9c51..a8a9819 100644
--- a/hosts/nixos/porthos/secrets/secrets.nix
+++ b/hosts/nixos/porthos/secrets/secrets.nix
@@ -77,6 +77,8 @@ in
   "paperless/password.age".publicKeys = all;
   "paperless/secret-key.age".publicKeys = all;
 
+  "pdf-edit/login.age".publicKeys = all;
+
   "podgrab/password.age".publicKeys = all;
 
   "pyload/credentials.age".publicKeys = all;

From 27673d7892f7f1bc7ba2e3f1ae75ba4eb9dbd80b Mon Sep 17 00:00:00 2001
From: Bruno BELANYI <bruno@belanyi.fr>
Date: Thu, 22 Aug 2024 23:46:25 +0200
Subject: [PATCH 7/7] hosts: nixos: porthos: services: enable pdf-edit

---
 hosts/nixos/porthos/services.nix | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/hosts/nixos/porthos/services.nix b/hosts/nixos/porthos/services.nix
index 23901f7..0d10e65 100644
--- a/hosts/nixos/porthos/services.nix
+++ b/hosts/nixos/porthos/services.nix
@@ -127,6 +127,11 @@ in
       passwordFile = secrets."paperless/password".path;
       secretKeyFile = secrets."paperless/secret-key".path;
     };
+    # Sometimes, editing PDFs is useful
+    pdf-edit = {
+      enable = true;
+      loginFile = secrets."pdf-edit/login".path;
+    };
     # The whole *arr software suite
     pirate = {
       enable = true;