WIP: autobrr

hosts: nixos: porthos: secrets: add autobrr
nixos: services: servarr: add autobrr
2025-03-31 22:59:56 +02:00 · 2025-03-31 22:59:20 +02:00 · 2025-03-31 22:59:09 +02:00 · 2025-03-31 22:49:11 +02:00 · 2025-03-31 21:43:05 +02:00 · 2025-03-31 21:43:05 +02:00
12 changed files with 224 additions and 90 deletions
--- a/flake.lock
+++ b/flake.lock
@ -136,11 +136,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1742771635,
-        "narHash": "sha256-HQHzQPrg+g22tb3/K/4tgJjPzM+/5jbaujCZd8s2Mls=",
+        "lastModified": 1743438213,
+        "narHash": "sha256-ZZDN+0v1r4I1xkQWlt8euOJv5S4EvElUCZMrDjTCEsY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "ad0614a1ec9cce3b13169e20ceb7e55dfaf2a818",
+        "rev": "ccd7df836e1f42ea84806760f25b77b586370259",
        "type": "github"
      },
      "original": {
@ -152,11 +152,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1742669843,
-        "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
+        "lastModified": 1743315132,
+        "narHash": "sha256-6hl6L/tRnwubHcA4pfUUtk542wn2Om+D4UnDhlDW9BE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "1e5b653dff12029333a6546c11e108ede13052eb",
+        "rev": "52faf482a3889b7619003c0daec593a1912fddc1",
        "type": "github"
      },
      "original": {
--- a/hosts/nixos/porthos/secrets/secrets.nix
+++ b/hosts/nixos/porthos/secrets/secrets.nix
@ -80,6 +80,8 @@ in

  "pyload/credentials.age".publicKeys = all;

+  "servarr/autobrr/session-secret.age".publicKeys = all;
+
  "sso/auth-key.age" = {
    owner = "nginx-sso";
    publicKeys = all;
--- a/hosts/nixos/porthos/secrets/servarr/autobrr/session-secret.age
+++ b/hosts/nixos/porthos/secrets/servarr/autobrr/session-secret.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg bu09lB+fjaPP31cUQZP6EqSPuseucgNK7k9vAS08iS0
+NGL+b2QD/qGo6hqHvosAXzHZtDvfodmPdcgnrKlD1o
+-> ssh-ed25519 jPowng QDCdRBGWhtdvvMCiDH52cZHz1/W7aomhTatZ4+9IKwI
+Ou3jjV/O55G1CPgGS33l3eWhhYWrVdwVNPSiE14d5rE
+--- q0ssmpG50OX1WaNSInc2hbtH3DbTwQGDU74VGEoMh94
+ ¯mCùº<C3B9>Æ‘'hK.Ðì/™Xu(€«Õ×g$½'¼šM{fK˜”!ÛMZ²oR÷®ˆüÎÕ<C38E>ÍŸö;yb
--- a/hosts/nixos/porthos/services.nix
+++ b/hosts/nixos/porthos/services.nix
@ -51,10 +51,6 @@ in
        passwordFile = secrets."forgejo/mail-password".path;
      };
    };
-    # Meta-indexers
-    indexers = {
-      prowlarr.enable = true;
-    };
    # Jellyfin media server
    jellyfin.enable = true;
    # Gitea mirrorig service
@ -145,10 +141,20 @@ in
    # The whole *arr software suite
    servarr = {
      enableAll = true;
+      autobrr = {
+        sessionSecretFile = secrets."servarr/autobrr/session-secret".path;
+      };
      # ... But not Lidarr because I don't care for music that much
      lidarr = {
        enable = false;
      };
+      # I only use Prowlarr nowadays
+      jackett = {
+        enable = false;
+      };
+      nzbhydra = {
+        enable = false;
+      };
    };
    # Because I still need to play sysadmin
    ssh-server.enable = true;
--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@ -15,7 +15,6 @@
    ./gitea
    ./grocy
    ./homebox
-    ./indexers
    ./jellyfin
    ./komga
    ./lohr
--- a/modules/nixos/services/indexers/default.nix
+++ b/modules/nixos/services/indexers/default.nix
@ -1,78 +0,0 @@
-# Torrent and usenet meta-indexers
-{ config, lib, ... }:
-let
-  cfg = config.my.services.indexers;
-
-  jackettPort = 9117;
-  nzbhydraPort = 5076;
-  prowlarrPort = 9696;
-in
-{
-  options.my.services.indexers = with lib; {
-    jackett.enable = mkEnableOption "Jackett torrent meta-indexer";
-    nzbhydra.enable = mkEnableOption "NZBHydra2 usenet meta-indexer";
-    prowlarr.enable = mkEnableOption "Prowlarr torrent & usenet meta-indexer";
-  };
-
-  config = lib.mkMerge [
-    (lib.mkIf cfg.jackett.enable {
-      services.jackett = {
-        enable = true;
-      };
-
-      # Jackett wants to eat *all* my RAM if left to its own devices
-      systemd.services.jackett = {
-        serviceConfig = {
-          MemoryHigh = "15%";
-          MemoryMax = "25%";
-        };
-      };
-
-      my.services.nginx.virtualHosts = {
-        jackett = {
-          port = jackettPort;
-        };
-      };
-    })
-
-    (lib.mkIf cfg.nzbhydra.enable {
-      services.nzbhydra2 = {
-        enable = true;
-      };
-
-      my.services.nginx.virtualHosts = {
-        nzbhydra = {
-          port = nzbhydraPort;
-        };
-      };
-    })
-
-    (lib.mkIf cfg.prowlarr.enable {
-      services.prowlarr = {
-        enable = true;
-      };
-
-      my.services.nginx.virtualHosts = {
-        prowlarr = {
-          port = prowlarrPort;
-        };
-      };
-
-      services.fail2ban.jails = {
-        prowlarr = ''
-          enabled = true
-          filter = prowlarr
-          action = iptables-allports
-        '';
-      };
-
-      environment.etc = {
-        "fail2ban/filter.d/prowlarr.conf".text = ''
-          [Definition]
-          failregex = ^.*\|Warn\|Auth\|Auth-Failure ip <HOST> username .*$
-          journalmatch = _SYSTEMD_UNIT=prowlarr.service
-        '';
-      };
-    })
-  ];
-}
--- a/modules/nixos/services/servarr/autobrr.nix
+++ b/modules/nixos/services/servarr/autobrr.nix
@ -0,0 +1,61 @@
+# IRC-based
+{ config, lib, ... }:
+let
+  cfg = config.my.services.servarr.autobrr;
+in
+{
+  options.my.services.servarr.autobrr = with lib; {
+    enable = mkEnableOption "autobrr IRC announce tracker";
+
+    port = mkOption {
+      type = types.port;
+      default = 7474;
+      example = 8080;
+      description = "Internal port for webui";
+    };
+
+    sessionSecretFile = mkOption {
+      type = types.str;
+      example = "/run/secrets/autobrr-secret.txt";
+      description = ''
+        File containing the session secret.
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    # FIXME
+    services.autobrr = {
+      enable = true;
+
+      settings = {
+        inherit (cfg) port;
+        checkForUpdates = false;
+      };
+
+      secretFile = cfg.sessionSecretFile;
+    };
+
+    my.services.nginx.virtualHosts = {
+      autobrr = {
+        inherit (cfg) port;
+      };
+    };
+
+    services.fail2ban.jails = {
+      autobrr = ''
+        enabled = true
+        filter = autobrr
+        action = iptables-allports
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/autobrr.conf".text = ''
+        [Definition]
+        failregex = ^.*Auth: invalid login \[.*\] from: <HOST>$
+        journalmatch = _SYSTEMD_UNIT=autobrr.service
+      '';
+    };
+  };
+}
--- a/modules/nixos/services/servarr/default.nix
+++ b/modules/nixos/services/servarr/default.nix
@ -5,7 +5,11 @@
 { lib, ... }:
 {
  imports = [
+    ./autobrr.nix
    ./bazarr.nix
+    ./jackett.nix
+    ./nzbhydra.nix
+    ./prowlarr.nix
    (import ./starr.nix "lidarr")
    (import ./starr.nix "radarr")
    (import ./starr.nix "readarr")
--- a/modules/nixos/services/servarr/jackett.nix
+++ b/modules/nixos/services/servarr/jackett.nix
@ -0,0 +1,41 @@
+{ config, lib, ... }:
+let
+  cfg = config.my.services.servarr.jackett;
+in
+{
+  options.my.services.servarr.jackett = with lib; {
+    enable = lib.mkEnableOption "Jackett" // {
+      default = config.my.services.servarr.enableAll;
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 9117;
+      example = 8080;
+      description = "Internal port for webui";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.jackett = {
+      enable = true;
+      inherit (cfg) port;
+    };
+
+    # Jackett wants to eat *all* my RAM if left to its own devices
+    systemd.services.jackett = {
+      serviceConfig = {
+        MemoryHigh = "15%";
+        MemoryMax = "25%";
+      };
+    };
+
+    my.services.nginx.virtualHosts = {
+      jackett = {
+        inherit (cfg) port;
+      };
+    };
+
+    # Jackett does not log authentication failures...
+  };
+}
--- a/modules/nixos/services/servarr/nzbhydra.nix
+++ b/modules/nixos/services/servarr/nzbhydra.nix
@ -0,0 +1,26 @@
+{ config, lib, ... }:
+let
+  cfg = config.my.services.servarr.nzbhydra;
+in
+{
+  options.my.services.servarr.nzbhydra = with lib; {
+    enable = lib.mkEnableOption "NZBHydra2" // {
+      default = config.my.services.servarr.enableAll;
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.nzbhydra2 = {
+      enable = true;
+    };
+
+    my.services.nginx.virtualHosts = {
+      nzbhydra = {
+        port = 5076;
+        websocketsLocations = [ "/" ];
+      };
+    };
+
+    # NZBHydra2 does not log authentication failures...
+  };
+}
--- a/modules/nixos/services/servarr/prowlarr.nix
+++ b/modules/nixos/services/servarr/prowlarr.nix
@ -0,0 +1,53 @@
+# Torrent and NZB indexer
+{ config, lib, ... }:
+let
+  cfg = config.my.services.servarr.prowlarr;
+in
+{
+  options.my.services.servarr.prowlarr = with lib; {
+    enable = lib.mkEnableOption "Prowlarr" // {
+      default = config.my.services.servarr.enableAll;
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 9696;
+      example = 8080;
+      description = "Internal port for webui";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.prowlarr = {
+      enable = true;
+
+      settings = {
+        server = {
+          port = cfg.port;
+        };
+      };
+    };
+
+    my.services.nginx.virtualHosts = {
+      prowlarr = {
+        inherit (cfg) port;
+      };
+    };
+
+    services.fail2ban.jails = {
+      prowlarr = ''
+        enabled = true
+        filter = prowlarr
+        action = iptables-allports
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/prowlarr.conf".text = ''
+        [Definition]
+        failregex = ^.*\|Warn\|Auth\|Auth-Failure ip <HOST> username .*$
+        journalmatch = _SYSTEMD_UNIT=prowlarr.service
+      '';
+    };
+  };
+}
--- a/modules/nixos/services/servarr/starr.nix
+++ b/modules/nixos/services/servarr/starr.nix
@ -15,12 +15,25 @@ in
    enable = lib.mkEnableOption (lib.toSentenceCase starr) // {
      default = config.my.services.servarr.enableAll;
    };
+
+    port = mkOption {
+      type = types.port;
+      default = ports.${starr};
+      example = 8080;
+      description = "Internal port for webui";
+    };
  };

  config = lib.mkIf cfg.enable {
    services.${starr} = {
      enable = true;
      group = "media";
+
+      settings = {
+        server = {
+          port = cfg.port;
+        };
+      };
    };

    # Set-up media group
@ -28,7 +41,7 @@ in

    my.services.nginx.virtualHosts = {
      ${starr} = {
-        port = ports.${starr};
+        port = cfg.port;
      };
    };
Author	SHA1	Message	Date
Bruno BELANYI	0f757ee732	WIP: autobrr All checks were successful ci/woodpecker/push/check Pipeline was successful Details	2025-03-31 22:59:56 +02:00
Bruno BELANYI	2a4306a62f	hosts: nixos: porthos: secrets: add autobrr	2025-03-31 22:59:20 +02:00
Bruno BELANYI	b0b0a45436	nixos: services: servarr: add autobrr	2025-03-31 22:59:09 +02:00
Bruno BELANYI	dc9b8b5492	flake: bump inputs All checks were successful ci/woodpecker/push/check Pipeline was successful Details	2025-03-31 22:49:11 +02:00
Bruno BELANYI	e6bda50a74	nixos: services: servarr: nzbhydra: fix websockets From what I could read, NZBHydra2 might require proxying websockets in new versions (better safe than sorry).	2025-03-31 21:43:05 +02:00
Bruno BELANYI	abd346d329	nixos: services: servarr: migrate nzbhydra	2025-03-31 21:43:05 +02:00
Bruno BELANYI	1c968bb4fe	nixos: services: servarr: jackett: add 'port'	2025-03-31 21:43:05 +02:00
Bruno BELANYI	20aa72611a	nixos: services: servarr: migrate jackett	2025-03-31 21:43:05 +02:00
Bruno BELANYI	8c4a41ffea	nixos: services: servarr: migrate prowlarr The configuration doesn't have `group`, so it's a slightly different configuration to the rest of the *arr services. I also want to move the other two indexer modules under `servarr`, as they are all closely related.	2025-03-31 21:43:05 +02:00
Bruno BELANYI	f783e4c789	nixos: services: servarr: starr: add 'port' Now that declarative configurations are supported for those applications.	2025-03-31 21:36:44 +02:00