hosts: nixos: porthos: services: enable pyload

hosts/nixos/porthos/secrets/pyload/credentials.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg nJbOfp0/wmFOZLzcWjoGB7wEB8e56aO1NntSmn5KomU
+/Vio4Z/t7IPJrdzdwUPidVH3wrouSkwRzNHP0T4z3x0
+-> ssh-ed25519 jPowng QXg/xqs7/VfkYQg3X77w4i53q64bL9oYeTxqb9NVhiQ
+sMHIXlmrIxtIr+s0X4lBqev/PPd3AKD5P7AP5K4NeJg
+--- gzTn+6+aa4Ptic1lsvSt+r3IEBysHrvMMIyONogMDF0
+<EFBFBD>ÏÂ<EFBFBD>Ë®UE_í</¯çQ·Ü+U“AГMÄÿ/kï×dAL/”úÕįÍoæ\XïEDÇÑfã\ièÄ‘½àpF„`#¬n4è–x1î<31>ûÞèDëàÂË5CéЦ&fòB»q${Gg…Aqˆ³@üVu!Cc…R\ªÖ¨

hosts/nixos/porthos/secrets/secrets.nix

@@ -64,6 +64,8 @@ in
 
   "podgrab/password.age".publicKeys = all;
 
+  "pyload/credentials.age".publicKeys = all;
+
   "sso/auth-key.age".publicKeys = all;
   "sso/ambroisie/password-hash.age".publicKeys = all;
   "sso/ambroisie/totp-secret.age".publicKeys = all;

hosts/nixos/porthos/services.nix

@@ -134,6 +134,10 @@ in
     };
     # Regular backups
     postgresql-backup.enable = true;
+    pyload = {
+      enable = true;
+      credentialsFile = secrets."pyload/credentials".path;
+    };
     # RSS provider for websites that do not provide any feeds
     rss-bridge.enable = true;
     # Usenet client

modules/nixos/services/default.nix

@@ -27,6 +27,7 @@
     ./podgrab
     ./postgresql
     ./postgresql-backup
+    ./pyload
     ./quassel
     ./rss-bridge
     ./sabnzbd

modules/nixos/services/pyload/default.nix

@@ -0,0 +1,70 @@
+{ config, lib, ... }:
+let
+  cfg = config.my.services.pyload;
+in
+{
+  options.my.services.pyload = with lib; {
+    enable = mkEnableOption "pyload download manager";
+
+    credentialsFile = mkOption {
+      type = types.path;
+      example = "/run/secrets/pyload-credentials.env";
+      description = "pyload credentials";
+    };
+
+    downloadDirectory = mkOption {
+      type = types.str;
+      default = "/data/downloads/pyload";
+      example = "/var/lib/pyload/download";
+      description = "Download directory";
+    };
+
+    port = mkOption {
+      type = types.port;
+      default = 9093;
+      example = 8080;
+      description = "Internal port for webui";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.pyload = {
+      enable = true;
+
+      # Listening on `localhost` leads to 502 with the reverse proxy...
+      listenAddress = "127.0.0.1";
+
+      inherit (cfg)
+        credentialsFile
+        downloadDirectory
+        port
+        ;
+    };
+
+    # User media group when downloading files
+    systemd.services.pyload = {
+      serviceConfig = {
+        Group = lib.mkForce "media";
+      };
+    };
+
+    # And make sure the download directory has the correct owners
+    systemd.tmpfiles.settings.pyload = {
+      ${cfg.downloadDirectory}.d = {
+        user = "pyload";
+        group = "media";
+      };
+    };
+
+    # Set-up media group
+    users.groups.media = { };
+
+    my.services.nginx.virtualHosts = {
+      pyload = {
+        inherit (cfg) port;
+      };
+    };
+
+    # FIXME: fail2ban
+  };
+}