WIP: autobrr

hosts: nixos: porthos: secrets: add autobrr
nixos: services: servarr: add autobrr
2025-03-31 22:59:56 +02:00 · 2025-03-31 22:59:20 +02:00 · 2025-03-31 22:59:09 +02:00 · 2025-03-31 22:49:11 +02:00 · 2025-03-31 21:43:05 +02:00 · 2025-03-31 21:43:05 +02:00
12 changed files with 224 additions and 90 deletions
--- a/flake.lock
+++ b/flake.lock
@ -136,11 +136,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1742771635,
+        "lastModified": 1743438213,
-        "narHash": "sha256-HQHzQPrg+g22tb3/K/4tgJjPzM+/5jbaujCZd8s2Mls=",
+        "narHash": "sha256-ZZDN+0v1r4I1xkQWlt8euOJv5S4EvElUCZMrDjTCEsY=",
        "owner": "nix-community",
        "repo": "home-manager",
-        "rev": "ad0614a1ec9cce3b13169e20ceb7e55dfaf2a818",
+        "rev": "ccd7df836e1f42ea84806760f25b77b586370259",
        "type": "github"
      },
      "original": {
@ -152,11 +152,11 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1742669843,
+        "lastModified": 1743315132,
-        "narHash": "sha256-G5n+FOXLXcRx+3hCJ6Rt6ZQyF1zqQ0DL0sWAMn2Nk0w=",
+        "narHash": "sha256-6hl6L/tRnwubHcA4pfUUtk542wn2Om+D4UnDhlDW9BE=",
        "owner": "NixOS",
        "repo": "nixpkgs",
-        "rev": "1e5b653dff12029333a6546c11e108ede13052eb",
+        "rev": "52faf482a3889b7619003c0daec593a1912fddc1",
        "type": "github"
      },
      "original": {
--- a/hosts/nixos/porthos/secrets/secrets.nix
+++ b/hosts/nixos/porthos/secrets/secrets.nix
@ -80,6 +80,8 @@ in
  "pyload/credentials.age".publicKeys = all;
  "servarr/autobrr/session-secret.age".publicKeys = all;
  "sso/auth-key.age" = {
    owner = "nginx-sso";
    publicKeys = all;
--- a/hosts/nixos/porthos/secrets/servarr/autobrr/session-secret.age
+++ b/hosts/nixos/porthos/secrets/servarr/autobrr/session-secret.age
@ -0,0 +1,7 @@
 age-encryption.org/v1
 -> ssh-ed25519 cKojmg bu09lB+fjaPP31cUQZP6EqSPuseucgNK7k9vAS08iS0
 +NGL+b2QD/qGo6hqHvosAXzHZtDvfodmPdcgnrKlD1o
 -> ssh-ed25519 jPowng QDCdRBGWhtdvvMCiDH52cZHz1/W7aomhTatZ4+9IKwI
 Ou3jjV/O55G1CPgGS33l3eWhhYWrVdwVNPSiE14d5rE
 --- q0ssmpG50OX1WaNSInc2hbtH3DbTwQGDU74VGEoMh94
  ¯mCùº<C3B9>Æ‘'hK.Ðì/™Xu(€«Õ×g$½'¼šM{fK˜”!ÛMZ²oR÷®ˆüÎÕ<C38E>ÍŸö;yb
--- a/hosts/nixos/porthos/services.nix
+++ b/hosts/nixos/porthos/services.nix
@ -51,10 +51,6 @@ in
        passwordFile = secrets."forgejo/mail-password".path;
      };
    };
    # Meta-indexers
    indexers = {
      prowlarr.enable = true;
    };
    # Jellyfin media server
    jellyfin.enable = true;
    # Gitea mirrorig service
@ -145,10 +141,20 @@ in
    # The whole *arr software suite
    servarr = {
      enableAll = true;
      autobrr = {
        sessionSecretFile = secrets."servarr/autobrr/session-secret".path;
      };
      # ... But not Lidarr because I don't care for music that much
      lidarr = {
        enable = false;
      };
      # I only use Prowlarr nowadays
      jackett = {
        enable = false;
      };
      nzbhydra = {
        enable = false;
      };
    };
    # Because I still need to play sysadmin
    ssh-server.enable = true;
--- a/modules/nixos/services/default.nix
+++ b/modules/nixos/services/default.nix
@ -15,7 +15,6 @@
    ./gitea
    ./grocy
    ./homebox
    ./indexers
    ./jellyfin
    ./komga
    ./lohr
--- a/modules/nixos/services/indexers/default.nix
+++ b/modules/nixos/services/indexers/default.nix
@ -1,78 +0,0 @@
 # Torrent and usenet meta-indexers
 { config, lib, ... }:
 let
  cfg = config.my.services.indexers;
  jackettPort = 9117;
  nzbhydraPort = 5076;
  prowlarrPort = 9696;
 in
 {
  options.my.services.indexers = with lib; {
    jackett.enable = mkEnableOption "Jackett torrent meta-indexer";
    nzbhydra.enable = mkEnableOption "NZBHydra2 usenet meta-indexer";
    prowlarr.enable = mkEnableOption "Prowlarr torrent & usenet meta-indexer";
  };
  config = lib.mkMerge [
    (lib.mkIf cfg.jackett.enable {
      services.jackett = {
        enable = true;
      };
      # Jackett wants to eat *all* my RAM if left to its own devices
      systemd.services.jackett = {
        serviceConfig = {
          MemoryHigh = "15%";
          MemoryMax = "25%";
        };
      };
      my.services.nginx.virtualHosts = {
        jackett = {
          port = jackettPort;
        };
      };
    })
    (lib.mkIf cfg.nzbhydra.enable {
      services.nzbhydra2 = {
        enable = true;
      };
      my.services.nginx.virtualHosts = {
        nzbhydra = {
          port = nzbhydraPort;
        };
      };
    })
    (lib.mkIf cfg.prowlarr.enable {
      services.prowlarr = {
        enable = true;
      };
      my.services.nginx.virtualHosts = {
        prowlarr = {
          port = prowlarrPort;
        };
      };
      services.fail2ban.jails = {
        prowlarr = ''
          enabled = true
          filter = prowlarr
          action = iptables-allports
        '';
      };
      environment.etc = {
        "fail2ban/filter.d/prowlarr.conf".text = ''
          [Definition]
          failregex = ^.*\|Warn\|Auth\|Auth-Failure ip <HOST> username .*$
          journalmatch = _SYSTEMD_UNIT=prowlarr.service
        '';
      };
    })
  ];
 }
--- a/modules/nixos/services/servarr/autobrr.nix
+++ b/modules/nixos/services/servarr/autobrr.nix
@ -0,0 +1,61 @@
 # IRC-based
 { config, lib, ... }:
 let
  cfg = config.my.services.servarr.autobrr;
 in
 {
  options.my.services.servarr.autobrr = with lib; {
    enable = mkEnableOption "autobrr IRC announce tracker";
    port = mkOption {
      type = types.port;
      default = 7474;
      example = 8080;
      description = "Internal port for webui";
    };
    sessionSecretFile = mkOption {
      type = types.str;
      example = "/run/secrets/autobrr-secret.txt";
      description = ''
        File containing the session secret.
      '';
    };
  };
  config = lib.mkIf cfg.enable {
    # FIXME
    services.autobrr = {
      enable = true;
      settings = {
        inherit (cfg) port;
        checkForUpdates = false;
      };
      secretFile = cfg.sessionSecretFile;
    };
    my.services.nginx.virtualHosts = {
      autobrr = {
        inherit (cfg) port;
      };
    };
    services.fail2ban.jails = {
      autobrr = ''
        enabled = true
        filter = autobrr
        action = iptables-allports
      '';
    };
    environment.etc = {
      "fail2ban/filter.d/autobrr.conf".text = ''
        [Definition]
        failregex = ^.*Auth: invalid login \[.*\] from: <HOST>$
        journalmatch = _SYSTEMD_UNIT=autobrr.service
      '';
    };
  };
 }
--- a/modules/nixos/services/servarr/default.nix
+++ b/modules/nixos/services/servarr/default.nix
@ -5,7 +5,11 @@
 { lib, ... }:
 {
  imports = [
    ./autobrr.nix
    ./bazarr.nix
    ./jackett.nix
    ./nzbhydra.nix
    ./prowlarr.nix
    (import ./starr.nix "lidarr")
    (import ./starr.nix "radarr")
    (import ./starr.nix "readarr")
--- a/modules/nixos/services/servarr/jackett.nix
+++ b/modules/nixos/services/servarr/jackett.nix
@ -0,0 +1,41 @@
 { config, lib, ... }:
 let
  cfg = config.my.services.servarr.jackett;
 in
 {
  options.my.services.servarr.jackett = with lib; {
    enable = lib.mkEnableOption "Jackett" // {
      default = config.my.services.servarr.enableAll;
    };
    port = mkOption {
      type = types.port;
      default = 9117;
      example = 8080;
      description = "Internal port for webui";
    };
  };
  config = lib.mkIf cfg.enable {
    services.jackett = {
      enable = true;
      inherit (cfg) port;
    };
    # Jackett wants to eat *all* my RAM if left to its own devices
    systemd.services.jackett = {
      serviceConfig = {
        MemoryHigh = "15%";
        MemoryMax = "25%";
      };
    };
    my.services.nginx.virtualHosts = {
      jackett = {
        inherit (cfg) port;
      };
    };
    # Jackett does not log authentication failures...
  };
 }
--- a/modules/nixos/services/servarr/nzbhydra.nix
+++ b/modules/nixos/services/servarr/nzbhydra.nix
@ -0,0 +1,26 @@
 { config, lib, ... }:
 let
  cfg = config.my.services.servarr.nzbhydra;
 in
 {
  options.my.services.servarr.nzbhydra = with lib; {
    enable = lib.mkEnableOption "NZBHydra2" // {
      default = config.my.services.servarr.enableAll;
    };
  };
  config = lib.mkIf cfg.enable {
    services.nzbhydra2 = {
      enable = true;
    };
    my.services.nginx.virtualHosts = {
      nzbhydra = {
        port = 5076;
        websocketsLocations = [ "/" ];
      };
    };
    # NZBHydra2 does not log authentication failures...
  };
 }
--- a/modules/nixos/services/servarr/prowlarr.nix
+++ b/modules/nixos/services/servarr/prowlarr.nix
@ -0,0 +1,53 @@
 # Torrent and NZB indexer
 { config, lib, ... }:
 let
  cfg = config.my.services.servarr.prowlarr;
 in
 {
  options.my.services.servarr.prowlarr = with lib; {
    enable = lib.mkEnableOption "Prowlarr" // {
      default = config.my.services.servarr.enableAll;
    };
    port = mkOption {
      type = types.port;
      default = 9696;
      example = 8080;
      description = "Internal port for webui";
    };
  };
  config = lib.mkIf cfg.enable {
    services.prowlarr = {
      enable = true;
      settings = {
        server = {
          port = cfg.port;
        };
      };
    };
    my.services.nginx.virtualHosts = {
      prowlarr = {
        inherit (cfg) port;
      };
    };
    services.fail2ban.jails = {
      prowlarr = ''
        enabled = true
        filter = prowlarr
        action = iptables-allports
      '';
    };
    environment.etc = {
      "fail2ban/filter.d/prowlarr.conf".text = ''
        [Definition]
        failregex = ^.*\|Warn\|Auth\|Auth-Failure ip <HOST> username .*$
        journalmatch = _SYSTEMD_UNIT=prowlarr.service
      '';
    };
  };
 }
--- a/modules/nixos/services/servarr/starr.nix
+++ b/modules/nixos/services/servarr/starr.nix
@ -15,12 +15,25 @@ in
    enable = lib.mkEnableOption (lib.toSentenceCase starr) // {
      default = config.my.services.servarr.enableAll;
    };
    port = mkOption {
      type = types.port;
      default = ports.${starr};
      example = 8080;
      description = "Internal port for webui";
    };
  };
  config = lib.mkIf cfg.enable {
    services.${starr} = {
      enable = true;
      group = "media";
      settings = {
        server = {
          port = cfg.port;
        };
      };
    };
    # Set-up media group
@ -28,7 +41,7 @@ in
    my.services.nginx.virtualHosts = {
      ${starr} = {
-        port = ports.${starr};
+        port = cfg.port;
      };
    };
Author	SHA1	Message	Date
Bruno BELANYI	0f757ee732	WIP: autobrr All checks were successful ci/woodpecker/push/check Pipeline was successful Details	2025-03-31 22:59:56 +02:00
Bruno BELANYI	2a4306a62f	hosts: nixos: porthos: secrets: add autobrr	2025-03-31 22:59:20 +02:00
Bruno BELANYI	b0b0a45436	nixos: services: servarr: add autobrr	2025-03-31 22:59:09 +02:00
Bruno BELANYI	dc9b8b5492	flake: bump inputs All checks were successful ci/woodpecker/push/check Pipeline was successful Details	2025-03-31 22:49:11 +02:00
Bruno BELANYI	e6bda50a74	nixos: services: servarr: nzbhydra: fix websockets From what I could read, NZBHydra2 might require proxying websockets in new versions (better safe than sorry).	2025-03-31 21:43:05 +02:00
Bruno BELANYI	abd346d329	nixos: services: servarr: migrate nzbhydra	2025-03-31 21:43:05 +02:00
Bruno BELANYI	1c968bb4fe	nixos: services: servarr: jackett: add 'port'	2025-03-31 21:43:05 +02:00
Bruno BELANYI	20aa72611a	nixos: services: servarr: migrate jackett	2025-03-31 21:43:05 +02:00
Bruno BELANYI	8c4a41ffea	nixos: services: servarr: migrate prowlarr The configuration doesn't have `group`, so it's a slightly different configuration to the rest of the *arr services. I also want to move the other two indexer modules under `servarr`, as they are all closely related.	2025-03-31 21:43:05 +02:00
Bruno BELANYI	f783e4c789	nixos: services: servarr: starr: add 'port' Now that declarative configurations are supported for those applications.	2025-03-31 21:36:44 +02:00