overlays: add 'downgrade-transmission'

The 4.0.6 release is buggy and widely blacklisted.

flake.lock

@@ -136,11 +136,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1723399884,
-        "narHash": "sha256-97wn0ihhGqfMb8WcUgzzkM/TuAxce2Gd20A8oiruju4=",
+        "lastModified": 1724435763,
+        "narHash": "sha256-UNky3lJNGQtUEXT2OY8gMxejakSWPTfWKvpFkpFlAfM=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "086f619dd991a4d355c07837448244029fc2d9ab",
+        "rev": "c2cd2a52e02f1dfa1c88f95abeb89298d46023be",
         "type": "github"
       },
       "original": {
@@ -152,11 +152,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1723362943,
-        "narHash": "sha256-dFZRVSgmJkyM0bkPpaYRtG/kRMRTorUIDj8BxoOt1T4=",
+        "lastModified": 1724479785,
+        "narHash": "sha256-pP3Azj5d6M5nmG68Fu4JqZmdGt4S4vqI5f8te+E/FTw=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "a58bc8ad779655e790115244571758e8de055e3d",
+        "rev": "d0e1602ddde669d5beb01aec49d71a51937ed7be",
         "type": "github"
       },
       "original": {
@@ -168,11 +168,11 @@
     },
     "nur": {
       "locked": {
-        "lastModified": 1723632306,
-        "narHash": "sha256-WzILwMkbQ4S1ks1g5AzeHNTIWj5AcJ6PwQDUnHNWmM8=",
+        "lastModified": 1724704503,
+        "narHash": "sha256-QcZKCI9d5UNuQt6UFQSNhQwzXnXDF8jgCy7julsbnvg=",
         "owner": "nix-community",
         "repo": "NUR",
-        "rev": "dc6d7986f1d0a0d03f1a270e22352181f074e70a",
+        "rev": "6b1fa8a8dec17eb73962a0eac8e04f2df1439448",
         "type": "github"
       },
       "original": {
@@ -194,11 +194,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1723202784,
-        "narHash": "sha256-qbhjc/NEGaDbyy0ucycubq4N3//gDFFH3DOmp1D3u1Q=",
+        "lastModified": 1724440431,
+        "narHash": "sha256-9etXEOUtzeMgqg1u0wp+EdwG7RpmrAZ2yX516bMj2aE=",
         "owner": "cachix",
         "repo": "pre-commit-hooks.nix",
-        "rev": "c7012d0c18567c889b948781bc74a501e92275d1",
+        "rev": "c8a54057aae480c56e28ef3e14e4960628ac495b",
         "type": "github"
       },
       "original": {

hosts/nixos/porthos/secrets/pdf-edit/login.age

@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 cKojmg VYlHgHSLpfKb5bn1XA3aCpfX7M23DgbraLxxOfo9PDk
+Rj+mDvAsWX3WwpuhTrOubmo17j/aud5+P87df5bosBA
+-> ssh-ed25519 jPowng o9ZFaYrITZ6DjWw07Vk/+TkuU187/ytlEK4sw7G32G4
+zmxlpDvDDEgQFqBVARXeX1ABhvfJ4uAHfa6mIxXzjAY
+--- k/d9FWW8/OSo8EllwOBV74pZyX918u54jEljGk3ATUc
+ü4+ø2{‘hE7!Ò­GA`×<>_@Íß—´
¡R_ý§6J„ñL4v,‚6%ô‡øó#^®	Ù¹
åB­§OøF‚|’7ܽÉL]œÙjR¨
+BþóÛ¾éaòs]xS<78>Î	pbÞo#¬J1QŸ=t}5Õ>Oï‘{+¼.
M"7e»yý÷—

hosts/nixos/porthos/secrets/secrets.nix

@@ -77,6 +77,8 @@ in
   "paperless/password.age".publicKeys = all;
   "paperless/secret-key.age".publicKeys = all;
 
+  "pdf-edit/login.age".publicKeys = all;
+
   "podgrab/password.age".publicKeys = all;
 
   "pyload/credentials.age".publicKeys = all;

hosts/nixos/porthos/services.nix

@@ -127,6 +127,11 @@ in
       passwordFile = secrets."paperless/password".path;
       secretKeyFile = secrets."paperless/secret-key".path;
     };
+    # Sometimes, editing PDFs is useful
+    pdf-edit = {
+      enable = true;
+      loginFile = secrets."pdf-edit/login".path;
+    };
     # The whole *arr software suite
     pirate = {
       enable = true;

modules/nixos/services/default.nix

@@ -26,6 +26,7 @@
     ./nginx
     ./nix-cache
     ./paperless
+    ./pdf-edit
     ./pirate
     ./podgrab
     ./postgresql

modules/nixos/services/nginx/sso/default.nix

@@ -59,15 +59,10 @@ in
         StateDirectory = "nginx-sso";
         WorkingDirectory = "/var/lib/nginx-sso";
         # The files to be merged might not have the correct permissions
-        ExecStartPre = ''+${pkgs.writeShellScript "merge-nginx-sso-config" ''
+        ExecStartPre = pkgs.writeShellScript "merge-nginx-sso-config" ''
           rm -f '${confPath}'
           ${utils.genJqSecretsReplacementSnippet cfg.configuration confPath}
-
-          # Fix permissions
-          chown nginx-sso:nginx-sso ${confPath}
-          chmod 0600 ${confPath}
-        ''
-        }'';
+        '';
         ExecStart = lib.mkForce ''
           ${lib.getExe pkg} \
             --config ${confPath} \

modules/nixos/services/pdf-edit/default.nix

@@ -0,0 +1,73 @@
+{ config, lib, ... }:
+let
+  cfg = config.my.services.pdf-edit;
+in
+{
+  options.my.services.pdf-edit = with lib; {
+    enable = mkEnableOption "PDF edition service";
+
+    port = mkOption {
+      type = types.port;
+      default = 8089;
+      example = 8080;
+      description = "Internal port for webui";
+    };
+
+    loginFile = mkOption {
+      type = types.str;
+      example = "/run/secrets/pdf-edit/login.env";
+      description = ''
+        `SECURITY_INITIALLOGIN_USERNAME` and `SECURITY_INITIALLOGIN_PASSWORD`
+        defined in the format of 'EnvironmentFile' (see `systemd.exec(5)`).
+      '';
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.stirling-pdf = lib.mkIf cfg.enable {
+      enable = true;
+
+      environment = {
+        SERVER_PORT = cfg.port;
+        SECURITY_CSRFDISABLED = "false";
+
+        SYSTEM_SHOWUPDATE = "false"; # We don't care about update notifications
+        INSTALL_BOOK_AND_ADVANCED_HTML_OPS = "true"; # Installed by the module
+
+        SECURITY_ENABLELOGIN = "true";
+        SECURITY_LOGINATTEMPTCOUNT = "-1"; # Rely on fail2ban instead
+      };
+
+      environmentFiles = [ cfg.loginFile ];
+    };
+
+    my.services.nginx.virtualHosts = {
+      pdf-edit = {
+        inherit (cfg) port;
+
+        extraConfig = {
+          # Allow upload of PDF files up to 1G
+          locations."/".extraConfig = ''
+            client_max_body_size 1G;
+          '';
+        };
+      };
+    };
+
+    services.fail2ban.jails = {
+      stirling-pdf = ''
+        enabled = true
+        filter = stirling-pdf
+        port = http,https
+      '';
+    };
+
+    environment.etc = {
+      "fail2ban/filter.d/stirling-pdf.conf".text = ''
+        [Definition]
+        failregex = ^.*Failed login attempt from IP: <HOST>$
+        journalmatch = _SYSTEMD_UNIT=stirling-pdf.service
+      '';
+    };
+  };
+}

modules/nixos/services/pirate/default.nix

@@ -10,6 +10,7 @@ let
     bazarr = 6767;
     lidarr = 8686;
     radarr = 7878;
+    readarr = 8787;
     sonarr = 8989;
   };
 
@@ -67,6 +68,10 @@ in
       enable = lib.my.mkDisableOption "Radarr";
     };
 
+    readarr = {
+      enable = lib.my.mkDisableOption "Readarr";
+    };
+
     sonarr = {
       enable = lib.my.mkDisableOption "Sonarr";
     };
@@ -85,6 +90,9 @@ in
     # Radarr for movies
     (mkFullConfig "radarr")
     (mkFail2Ban "radarr")
+    # Readarr for books
+    (mkFullConfig "readarr")
+    (mkFail2Ban "readarr")
     # Sonarr for shows
     (mkFullConfig "sonarr")
     (mkFail2Ban "sonarr")

overlays/downgrade-transmission/default.nix

@@ -0,0 +1,14 @@
+self: prev:
+{
+  transmission_4 = prev.transmission_4.overrideAttrs (_: {
+    version = "4.0.5";
+
+    src = self.fetchFromGitHub {
+      owner = "transmission";
+      repo = "transmission";
+      rev = "4.0.5";
+      hash = "sha256-gd1LGAhMuSyC/19wxkoE2mqVozjGPfupIPGojKY0Hn4=";
+      fetchSubmodules = true;
+    };
+  });
+}

pkgs/lohr/default.nix

@@ -1,16 +1,16 @@
 { lib, fetchFromGitHub, rustPlatform }:
 rustPlatform.buildRustPackage rec {
   pname = "lohr";
-  version = "0.4.5";
+  version = "0.4.6";
 
   src = fetchFromGitHub {
     owner = "alarsyo";
     repo = "lohr";
     rev = "v${version}";
-    hash = "sha256-p6E/r+OxFTpxDpOKSlacOxvRLfHSKg1mHNAfTytfqDY=";
+    hash = "sha256-dunQgtap+XCK5LoSyOqIY/6p6HizBeiyPWNuCffwjDU=";
   };
 
-  cargoHash = "sha256-hext0S0o9D9pN9epzXtD5dwAYMPCLpBBOBT4FX0mTMk=";
+  cargoHash = "sha256-EUhyrhPe+mUgMmm4o+bxRIiSNReJRfw+/O1fPr8r7lo=";
 
   meta = with lib; {
     description = "Git mirroring daemon";