jahanson/mochi
1
0
Fork 0
Code Issues 1 Pull requests 1 Projects Releases Packages Wiki Activity Actions

db is now optional for sonarr, radarr, and prowlarr.

Browse source
This commit is contained in:
Joseph Hanson 2025-02-19 15:33:09 -06:00
parent 18274be266
commit a7e673ac69
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
4 changed files with 408 additions and 372 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

83
nixos/hosts/shadowfax/default.nix
View file

@ -101,6 +101,7 @@ in {
# System packages # System packages
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
# Hyprland
libva-utils # to view graphics capabilities libva-utils # to view graphics capabilities
greetd.tuigreet greetd.tuigreet
rofi-wayland rofi-wayland
@ -114,6 +115,8 @@ in {
wl-clipboard wl-clipboard
wlogout wlogout
wlr-randr wlr-randr
# dev
uv
# fun # fun
fastfetch fastfetch
# Scripts # Scripts
@ -169,6 +172,8 @@ in {
9001 # api interface 9001 # api interface
# Beszel-agent # Beszel-agent
45876 45876
# scrypted
45005
]; ];
}; };
@ -265,13 +270,13 @@ in {
openFirewall = true; openFirewall = true;
hardening = true; hardening = true;
apiKeyFile = config.sops.secrets."arr/prowlarr/apiKey".path; apiKeyFile = config.sops.secrets."arr/prowlarr/apiKey".path;
db = { # db = {
enable = true; # enable = true;
hostFile = config.sops.secrets."arr/prowlarr/postgres/host".path; # hostFile = config.sops.secrets."arr/prowlarr/postgres/host".path;
port = 5432; # port = 5432;
userFile = config.sops.secrets."arr/prowlarr/postgres/user".path; # userFile = config.sops.secrets."arr/prowlarr/postgres/user".path;
passwordFile = config.sops.secrets."arr/prowlarr/postgres/password".path; # passwordFile = config.sops.secrets."arr/prowlarr/postgres/password".path;
}; # };
}; };
# Radarr # Radarr
radarr = { radarr = {
@ -289,14 +294,14 @@ in {
openFirewall = true; openFirewall = true;
hardening = true; hardening = true;
apiKeyFile = config.sops.secrets."arr/radarr/1080p/apiKey".path; apiKeyFile = config.sops.secrets."arr/radarr/1080p/apiKey".path;
db = { # db = {
enable = true; # enable = true;
hostFile = config.sops.secrets."arr/radarr/1080p/postgres/host".path; # hostFile = config.sops.secrets."arr/radarr/1080p/postgres/host".path;
port = 5432; # port = 5432;
dbname = "radarr_main"; # dbname = "radarr_main";
userFile = config.sops.secrets."arr/radarr/1080p/postgres/user".path; # userFile = config.sops.secrets."arr/radarr/1080p/postgres/user".path;
passwordFile = config.sops.secrets."arr/radarr/1080p/postgres/password".path; # passwordFile = config.sops.secrets."arr/radarr/1080p/postgres/password".path;
}; # };
}; };
moviesAnime = { moviesAnime = {
enable = true; enable = true;
@ -310,14 +315,14 @@ in {
openFirewall = true; openFirewall = true;
hardening = true; hardening = true;
apiKeyFile = config.sops.secrets."arr/radarr/anime/apiKey".path; apiKeyFile = config.sops.secrets."arr/radarr/anime/apiKey".path;
db = { # db = {
enable = true; # enable = true;
hostFile = config.sops.secrets."arr/radarr/anime/postgres/host".path; # hostFile = config.sops.secrets."arr/radarr/anime/postgres/host".path;
port = 5432; # port = 5432;
dbname = "radarr_anime"; # dbname = "radarr_anime";
userFile = config.sops.secrets."arr/radarr/anime/postgres/user".path; # userFile = config.sops.secrets."arr/radarr/anime/postgres/user".path;
passwordFile = config.sops.secrets."arr/radarr/anime/postgres/password".path; # passwordFile = config.sops.secrets."arr/radarr/anime/postgres/password".path;
}; # };
}; };
}; };
}; };
@ -337,14 +342,14 @@ in {
openFirewall = true; openFirewall = true;
hardening = true; hardening = true;
apiKeyFile = config.sops.secrets."arr/sonarr/1080p/apiKey".path; apiKeyFile = config.sops.secrets."arr/sonarr/1080p/apiKey".path;
db = { # db = {
enable = true; # enable = true;
hostFile = config.sops.secrets."arr/sonarr/1080p/postgres/host".path; # hostFile = config.sops.secrets."arr/sonarr/1080p/postgres/host".path;
port = 5432; # port = 5432;
dbname = "sonarr_main"; # dbname = "sonarr_main";
userFile = config.sops.secrets."arr/sonarr/1080p/postgres/user".path; # userFile = config.sops.secrets."arr/sonarr/1080p/postgres/user".path;
passwordFile = config.sops.secrets."arr/sonarr/1080p/postgres/password".path; # passwordFile = config.sops.secrets."arr/sonarr/1080p/postgres/password".path;
}; # };
}; };
anime = { anime = {
enable = true; enable = true;
@ -358,14 +363,14 @@ in {
openFirewall = true; openFirewall = true;
hardening = true; hardening = true;
apiKeyFile = config.sops.secrets."arr/sonarr/anime/apiKey".path; apiKeyFile = config.sops.secrets."arr/sonarr/anime/apiKey".path;
db = { # db = {
enable = true; # enable = true;
hostFile = config.sops.secrets."arr/sonarr/anime/postgres/host".path; # hostFile = config.sops.secrets."arr/sonarr/anime/postgres/host".path;
port = 5432; # port = 5432;
dbname = "sonarr_anime"; # dbname = "sonarr_anime";
userFile = config.sops.secrets."arr/sonarr/anime/postgres/user".path; # userFile = config.sops.secrets."arr/sonarr/anime/postgres/user".path;
passwordFile = config.sops.secrets."arr/sonarr/anime/postgres/password".path; # passwordFile = config.sops.secrets."arr/sonarr/anime/postgres/password".path;
}; # };
}; };
}; };
}; };

42
nixos/modules/nixos/services/prowlarr/default.nix
View file

@ -5,8 +5,7 @@
utils, utils,
... ...
}: }:
with lib; with lib; let
let
cfg = config.mySystem.services.prowlarr; cfg = config.mySystem.services.prowlarr;
dbOptions = { dbOptions = {
options = { options = {
@ -51,12 +50,11 @@ let
}; };
}; };
}; };
in in {
{
options.mySystem.services.prowlarr = { options.mySystem.services.prowlarr = {
enable = mkEnableOption "Prowlarr"; enable = mkEnableOption "Prowlarr";
package = mkPackageOption pkgs "prowlarr" { }; package = mkPackageOption pkgs "prowlarr" {};
user = mkOption { user = mkOption {
type = types.str; type = types.str;
@ -109,7 +107,7 @@ in
extraEnvVars = mkOption { extraEnvVars = mkOption {
type = types.attrs; type = types.attrs;
default = { }; default = {};
example = { example = {
MY_VAR = "my value"; MY_VAR = "my value";
}; };
@ -125,6 +123,14 @@ in
db = mkOption { db = mkOption {
type = types.submodule dbOptions; type = types.submodule dbOptions;
default = {
enable = false;
host = "";
port = "5432";
user = "";
passwordFile = "";
dbname = "";
};
example = { example = {
enable = true; enable = true;
host = "10.5.0.5"; # or use hostFile host = "10.5.0.5"; # or use hostFile
@ -140,11 +146,11 @@ in
config = mkIf cfg.enable { config = mkIf cfg.enable {
assertions = [ assertions = [
{ {
assertion = !(cfg.db.host != "" && cfg.db.hostFile != ""); assertion = !(cfg.db.enable && (cfg.db.host != "" && cfg.db.hostFile != ""));
message = "Specify either a direct database host via db.host or a file via db.hostFile (leave direct host empty)."; message = "Specify either a direct database host via db.host or a file via db.hostFile (leave direct host empty).";
} }
{ {
assertion = !(cfg.db.user != "prowlarr" && cfg.db.userFile != ""); assertion = !(cfg.db.enable && (cfg.db.user != "prowlarr" && cfg.db.userFile != ""));
message = "Specify either a direct database user via db.user or a file via db.userFile."; message = "Specify either a direct database user via db.user or a file via db.userFile.";
} }
{ {
@ -159,7 +165,7 @@ in
"network.target" "network.target"
"nss-lookup.target" "nss-lookup.target"
]; ];
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
environment = lib.mkMerge [ environment = lib.mkMerge [
{ {
PROWLARR__APP__INSTANCENAME = "Prowlarr"; PROWLARR__APP__INSTANCENAME = "Prowlarr";
@ -171,7 +177,7 @@ in
PROWLARR__SERVER__PORT = toString cfg.port; PROWLARR__SERVER__PORT = toString cfg.port;
PROWLARR__UPDATE__BRANCH = "develop"; PROWLARR__UPDATE__BRANCH = "develop";
} }
(lib.mkIf cfg.db.enable { (lib.optionalAttrs cfg.db.enable {
PROWLARR__POSTGRES__PORT = toString cfg.db.port; PROWLARR__POSTGRES__PORT = toString cfg.db.port;
PROWLARR__POSTGRES__MAINDB = cfg.db.dbname; PROWLARR__POSTGRES__MAINDB = cfg.db.dbname;
}) })
@ -197,8 +203,8 @@ in
RestartSec = 5; RestartSec = 5;
} }
(lib.mkIf cfg.hardening { (lib.mkIf cfg.hardening {
CapabilityBoundingSet = [ "" ]; CapabilityBoundingSet = [""];
DeviceAllow = [ "" ]; DeviceAllow = [""];
DevicePolicy = "closed"; DevicePolicy = "closed";
LockPersonality = true; LockPersonality = true;
# Needs access to .Net CLR memory space. # Needs access to .Net CLR memory space.
@ -237,7 +243,7 @@ in
#"~@resources" #"~@resources"
]; ];
}) })
(lib.mkIf cfg.db.enable { {
ExecStartPre = "+${pkgs.writeShellScript "prowlarr-pre-script" '' ExecStartPre = "+${pkgs.writeShellScript "prowlarr-pre-script" ''
mkdir -p /run/prowlarr mkdir -p /run/prowlarr
rm -f /run/prowlarr/secrets.env rm -f /run/prowlarr/secrets.env
@ -258,10 +264,12 @@ in
write_var "PROWLARR__AUTH__APIKEY" "$(cat ${cfg.apiKeyFile})" write_var "PROWLARR__AUTH__APIKEY" "$(cat ${cfg.apiKeyFile})"
fi fi
${lib.optionalString cfg.db.enable ''
# Database Configuration # Database Configuration
write_var "PROWLARR__POSTGRES__HOST" "$([ -n "${cfg.db.host}" ] && echo "${cfg.db.host}" || cat "${cfg.db.hostFile}")" write_var "PROWLARR__POSTGRES__HOST" "$([ -n "${cfg.db.host}" ] && echo "${cfg.db.host}" || cat "${cfg.db.hostFile}")"
write_var "PROWLARR__POSTGRES__USER" "$([ -n "${cfg.db.user}" ] && echo "${cfg.db.user}" || cat "${cfg.db.userFile}")" write_var "PROWLARR__POSTGRES__USER" "$([ -n "${cfg.db.user}" ] && echo "${cfg.db.user}" || cat "${cfg.db.userFile}")"
write_var "PROWLARR__POSTGRES__PASSWORD" "$(cat ${cfg.db.passwordFile})" write_var "PROWLARR__POSTGRES__PASSWORD" "$(cat ${cfg.db.passwordFile})"
''}
# Final permissions # Final permissions
chmod 600 /run/prowlarr/secrets.env chmod 600 /run/prowlarr/secrets.env
@ -269,18 +277,18 @@ in
''}"; ''}";
EnvironmentFile = ( EnvironmentFile = (
[ "-/run/prowlarr/secrets.env" ] ["-/run/prowlarr/secrets.env"]
++ lib.optional (cfg.extraEnvVarFile != null && cfg.extraEnvVarFile != "") cfg.extraEnvVarFile ++ lib.optional (cfg.extraEnvVarFile != null && cfg.extraEnvVarFile != "") cfg.extraEnvVarFile
); );
}) }
]; ];
}; };
networking.firewall = mkIf cfg.openFirewall { networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.port ]; allowedTCPPorts = [cfg.port];
}; };
users.groups.${cfg.group} = { }; users.groups.${cfg.group} = {};
users.users = mkIf (cfg.user == "prowlarr") { users.users = mkIf (cfg.user == "prowlarr") {
prowlarr = { prowlarr = {
inherit (cfg) group; inherit (cfg) group;

77
nixos/modules/nixos/services/radarr/default.nix
View file

@ -5,8 +5,7 @@
utils, utils,
... ...
}: }:
with lib; with lib; let
let
cfg = config.mySystem.services.radarr; cfg = config.mySystem.services.radarr;
dbOptions = { dbOptions = {
options = { options = {
@ -51,20 +50,18 @@ let
}; };
}; };
}; };
in in {
{
options.mySystem.services.radarr = { options.mySystem.services.radarr = {
enable = mkEnableOption "Radarr (global)"; enable = mkEnableOption "Radarr (global)";
instances = mkOption { instances = mkOption {
type = types.attrsOf ( type = types.attrsOf (
types.submodule ( types.submodule (
{ name, ... }: {name, ...}: {
{
options = { options = {
enable = mkEnableOption "Radarr (instance)"; enable = mkEnableOption "Radarr (instance)";
package = mkPackageOption pkgs "Radarr" { }; package = mkPackageOption pkgs "Radarr" {};
user = mkOption { user = mkOption {
type = types.str; type = types.str;
@ -131,12 +128,20 @@ in
passwordFile = "/run/secrets/radarr_db_password"; passwordFile = "/run/secrets/radarr_db_password";
dbname = "radarr_main"; dbname = "radarr_main";
}; };
default = {
enable = false;
host = "";
port = "5432";
user = "";
passwordFile = "";
dbname = "";
};
description = "Database settings for radarr."; description = "Database settings for radarr.";
}; };
extraEnvVars = mkOption { extraEnvVars = mkOption {
type = types.attrs; type = types.attrs;
default = { }; default = {};
example = { example = {
MY_VAR = "my value"; MY_VAR = "my value";
}; };
@ -153,7 +158,7 @@ in
} }
) )
); );
default = { }; default = {};
description = "Radarr instance configurations."; description = "Radarr instance configurations.";
}; };
}; };
@ -163,8 +168,8 @@ in
assertions = flatten ( assertions = flatten (
mapAttrsToList ( mapAttrsToList (
name: instanceCfg: name: instanceCfg:
if instanceCfg.enable then if instanceCfg.enable
[ then [
{ {
assertion = !(instanceCfg.db.host != "" && instanceCfg.db.hostFile != ""); assertion = !(instanceCfg.db.host != "" && instanceCfg.db.hostFile != "");
message = "Specify either a direct database host via db.host or a file via db.hostFile (leave direct host empty)."; message = "Specify either a direct database host via db.host or a file via db.hostFile (leave direct host empty).";
@ -178,26 +183,27 @@ in
message = "Specify either a direct API key via apiKey or a file via apiKeyFile (leave direct API key empty)."; message = "Specify either a direct API key via apiKey or a file via apiKeyFile (leave direct API key empty).";
} }
] ]
else else []
[ ] )
) cfg.instances cfg.instances
); );
# Create systemd tmpfiles rules for each enabled instance # Create systemd tmpfiles rules for each enabled instance
systemd.tmpfiles.rules = flatten ( systemd.tmpfiles.rules = flatten (
mapAttrsToList ( mapAttrsToList (
name: instanceCfg: name: instanceCfg:
if instanceCfg.enable then if instanceCfg.enable
[ then [
"d ${instanceCfg.dataDir} 0775 ${instanceCfg.user} ${instanceCfg.group}" "d ${instanceCfg.dataDir} 0775 ${instanceCfg.user} ${instanceCfg.group}"
] ]
else else []
[ ] )
) cfg.instances cfg.instances
); );
# Create services for each enabled instance # Create services for each enabled instance
systemd.services = mapAttrs' ( systemd.services =
mapAttrs' (
name: instanceCfg: name: instanceCfg:
nameValuePair "radarr-${name}" ( nameValuePair "radarr-${name}" (
mkIf instanceCfg.enable { mkIf instanceCfg.enable {
@ -206,7 +212,7 @@ in
"network.target" "network.target"
"nss-lookup.target" "nss-lookup.target"
]; ];
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
environment = lib.mkMerge [ environment = lib.mkMerge [
{ {
RADARR__APP__INSTANCENAME = name; RADARR__APP__INSTANCENAME = name;
@ -244,8 +250,8 @@ in
RestartSec = 5; RestartSec = 5;
} }
(lib.mkIf instanceCfg.hardening { (lib.mkIf instanceCfg.hardening {
CapabilityBoundingSet = [ "" ]; CapabilityBoundingSet = [""];
DeviceAllow = [ "" ]; DeviceAllow = [""];
DevicePolicy = "closed"; DevicePolicy = "closed";
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = false; MemoryDenyWriteExecute = false;
@ -282,7 +288,7 @@ in
"@system-service" "@system-service"
]; ];
}) })
(lib.mkIf instanceCfg.db.enable { {
ExecStartPre = "+${pkgs.writeShellScript "radarr-${name}-pre-script" '' ExecStartPre = "+${pkgs.writeShellScript "radarr-${name}-pre-script" ''
mkdir -p /run/radarr-${name} mkdir -p /run/radarr-${name}
rm -f /run/radarr-${name}/secrets.env rm -f /run/radarr-${name}/secrets.env
@ -303,10 +309,12 @@ in
write_var "RADARR__AUTH__APIKEY" "$(cat ${instanceCfg.apiKeyFile})" write_var "RADARR__AUTH__APIKEY" "$(cat ${instanceCfg.apiKeyFile})"
fi fi
${lib.optionalString instanceCfg.db.enable ''
# Database Configuration # Database Configuration
write_var "RADARR__POSTGRES__HOST" "$([ -n "${instanceCfg.db.host}" ] && echo "${instanceCfg.db.host}" || cat "${instanceCfg.db.hostFile}")" write_var "RADARR__POSTGRES__HOST" "$([ -n "${instanceCfg.db.host}" ] && echo "${instanceCfg.db.host}" || cat "${instanceCfg.db.hostFile}")"
write_var "RADARR__POSTGRES__USER" "$([ -n "${instanceCfg.db.userFile}" ] && cat "${instanceCfg.db.userFile}" || echo "${instanceCfg.db.user}")" write_var "RADARR__POSTGRES__USER" "$([ -n "${instanceCfg.db.userFile}" ] && cat "${instanceCfg.db.userFile}" || echo "${instanceCfg.db.user}")"
write_var "RADARR__POSTGRES__PASSWORD" "$(cat ${instanceCfg.db.passwordFile})" write_var "RADARR__POSTGRES__PASSWORD" "$(cat ${instanceCfg.db.passwordFile})"
''}
# Final permissions # Final permissions
chmod 600 /run/radarr-${name}/secrets.env chmod 600 /run/radarr-${name}/secrets.env
@ -314,25 +322,28 @@ in
''}"; ''}";
EnvironmentFile = ( EnvironmentFile = (
[ "-/run/radarr-${name}/secrets.env" ] ["-/run/radarr-${name}/secrets.env"]
++ lib.optional ( ++ lib.optional (
instanceCfg.extraEnvVarFile != null && instanceCfg.extraEnvVarFile != "" instanceCfg.extraEnvVarFile != null && instanceCfg.extraEnvVarFile != ""
) instanceCfg.extraEnvVarFile )
instanceCfg.extraEnvVarFile
); );
}) }
]; ];
} }
) )
) cfg.instances; )
cfg.instances;
# Firewall configurations # Firewall configurations
networking.firewall = mkMerge ( networking.firewall = mkMerge (
mapAttrsToList ( mapAttrsToList (
name: instanceCfg: name: instanceCfg:
mkIf (instanceCfg.enable && instanceCfg.openFirewall) { mkIf (instanceCfg.enable && instanceCfg.openFirewall) {
allowedTCPPorts = [ instanceCfg.port ]; allowedTCPPorts = [instanceCfg.port];
} }
) cfg.instances )
cfg.instances
); );
# Users and groups # Users and groups
@ -340,7 +351,7 @@ in
mapAttrsToList ( mapAttrsToList (
name: instanceCfg: name: instanceCfg:
mkIf instanceCfg.enable { mkIf instanceCfg.enable {
groups.${instanceCfg.group} = { }; groups.${instanceCfg.group} = {};
users = mkIf (instanceCfg.user == "radarr") { users = mkIf (instanceCfg.user == "radarr") {
radarr = { radarr = {
inherit (instanceCfg) group; inherit (instanceCfg) group;
@ -350,8 +361,8 @@ in
}; };
}; };
} }
) cfg.instances )
cfg.instances
); );
}; };
} }

80
nixos/modules/nixos/services/sonarr/default.nix
View file

@ -5,8 +5,7 @@
utils, utils,
... ...
}: }:
with lib; with lib; let
let
cfg = config.mySystem.services.sonarr; cfg = config.mySystem.services.sonarr;
dbOptions = { dbOptions = {
options = { options = {
@ -51,20 +50,18 @@ let
}; };
}; };
}; };
in in {
{
options.mySystem.services.sonarr = { options.mySystem.services.sonarr = {
enable = mkEnableOption "Sonarr (global)"; enable = mkEnableOption "Sonarr (global)";
instances = mkOption { instances = mkOption {
type = types.attrsOf ( type = types.attrsOf (
types.submodule ( types.submodule (
{ name, ... }: {name, ...}: {
{
options = { options = {
enable = mkEnableOption "Sonarr (instance)"; enable = mkEnableOption "Sonarr (instance)";
package = mkPackageOption pkgs "Sonarr" { }; package = mkPackageOption pkgs "Sonarr" {};
user = mkOption { user = mkOption {
type = types.str; type = types.str;
@ -131,12 +128,20 @@ in
passwordFile = "/run/secrets/sonarr_db_password"; passwordFile = "/run/secrets/sonarr_db_password";
dbname = "sonarr_main"; dbname = "sonarr_main";
}; };
default = {
enable = false;
host = "";
port = "5432";
user = "";
passwordFile = "";
dbname = "";
};
description = "Database settings for sonarr."; description = "Database settings for sonarr.";
}; };
extraEnvVars = mkOption { extraEnvVars = mkOption {
type = types.attrs; type = types.attrs;
default = { }; default = {};
example = { example = {
MY_VAR = "my value"; MY_VAR = "my value";
}; };
@ -153,7 +158,7 @@ in
} }
) )
); );
default = { }; default = {};
description = "Sonarr instance configurations."; description = "Sonarr instance configurations.";
}; };
}; };
@ -163,14 +168,14 @@ in
assertions = flatten ( assertions = flatten (
mapAttrsToList ( mapAttrsToList (
name: instanceCfg: name: instanceCfg:
if instanceCfg.enable then if instanceCfg.enable
[ then [
{ {
assertion = !(instanceCfg.db.host != "" && instanceCfg.db.hostFile != ""); assertion = !(instanceCfg.db.enable && (instanceCfg.db.host != "" && instanceCfg.db.hostFile != ""));
message = "Specify either a direct database host via db.host or a file via db.hostFile (leave direct host empty)."; message = "Specify either a direct database host via db.host or a file via db.hostFile (leave direct host empty).";
} }
{ {
assertion = !(instanceCfg.db.user != "sonarr" && instanceCfg.db.userFile != ""); assertion = !(instanceCfg.db.enable && (instanceCfg.db.user != "sonarr" && instanceCfg.db.userFile != ""));
message = "Specify either a direct database user via db.user or a file via db.userFile."; message = "Specify either a direct database user via db.user or a file via db.userFile.";
} }
{ {
@ -178,26 +183,27 @@ in
message = "Specify either a direct API key via apiKey or a file via apiKeyFile (leave direct API key empty)."; message = "Specify either a direct API key via apiKey or a file via apiKeyFile (leave direct API key empty).";
} }
] ]
else else []
[ ] )
) cfg.instances cfg.instances
); );
# Create systemd tmpfiles rules for each enabled instance # Create systemd tmpfiles rules for each enabled instance
systemd.tmpfiles.rules = flatten ( systemd.tmpfiles.rules = flatten (
mapAttrsToList ( mapAttrsToList (
name: instanceCfg: name: instanceCfg:
if instanceCfg.enable then if instanceCfg.enable
[ then [
"d ${instanceCfg.dataDir} 0775 ${instanceCfg.user} ${instanceCfg.group}" "d ${instanceCfg.dataDir} 0775 ${instanceCfg.user} ${instanceCfg.group}"
] ]
else else []
[ ] )
) cfg.instances cfg.instances
); );
# Create services for each enabled instance # Create services for each enabled instance
systemd.services = mapAttrs' ( systemd.services =
mapAttrs' (
name: instanceCfg: name: instanceCfg:
nameValuePair "sonarr-${name}" ( nameValuePair "sonarr-${name}" (
mkIf instanceCfg.enable { mkIf instanceCfg.enable {
@ -206,7 +212,7 @@ in
"network.target" "network.target"
"nss-lookup.target" "nss-lookup.target"
]; ];
wantedBy = [ "multi-user.target" ]; wantedBy = ["multi-user.target"];
environment = lib.mkMerge [ environment = lib.mkMerge [
{ {
SONARR__APP__INSTANCENAME = name; SONARR__APP__INSTANCENAME = name;
@ -244,8 +250,8 @@ in
RestartSec = 5; RestartSec = 5;
} }
(lib.mkIf instanceCfg.hardening { (lib.mkIf instanceCfg.hardening {
CapabilityBoundingSet = [ "" ]; CapabilityBoundingSet = [""];
DeviceAllow = [ "" ]; DeviceAllow = [""];
DevicePolicy = "closed"; DevicePolicy = "closed";
LockPersonality = true; LockPersonality = true;
MemoryDenyWriteExecute = false; MemoryDenyWriteExecute = false;
@ -283,7 +289,7 @@ in
"@system-service" "@system-service"
]; ];
}) })
(lib.mkIf instanceCfg.db.enable { {
ExecStartPre = "+${pkgs.writeShellScript "sonarr-${name}-pre-script" '' ExecStartPre = "+${pkgs.writeShellScript "sonarr-${name}-pre-script" ''
mkdir -p /run/sonarr-${name} mkdir -p /run/sonarr-${name}
rm -f /run/sonarr-${name}/secrets.env rm -f /run/sonarr-${name}/secrets.env
@ -304,10 +310,12 @@ in
write_var "SONARR__AUTH__APIKEY" "$(cat ${instanceCfg.apiKeyFile})" write_var "SONARR__AUTH__APIKEY" "$(cat ${instanceCfg.apiKeyFile})"
fi fi
${lib.optionalString instanceCfg.db.enable ''
# Database Configuration # Database Configuration
write_var "SONARR__POSTGRES__HOST" "$([ -n "${instanceCfg.db.host}" ] && echo "${instanceCfg.db.host}" || cat "${instanceCfg.db.hostFile}")" write_var "SONARR__POSTGRES__HOST" "$([ -n "${instanceCfg.db.host}" ] && echo "${instanceCfg.db.host}" || cat "${instanceCfg.db.hostFile}")"
write_var "SONARR__POSTGRES__USER" "$([ -n "${instanceCfg.db.userFile}" ] && cat "${instanceCfg.db.userFile}" || echo "${instanceCfg.db.user}")" write_var "SONARR__POSTGRES__USER" "$([ -n "${instanceCfg.db.userFile}" ] && cat "${instanceCfg.db.userFile}" || echo "${instanceCfg.db.user}")"
write_var "SONARR__POSTGRES__PASSWORD" "$(cat ${instanceCfg.db.passwordFile})" write_var "SONARR__POSTGRES__PASSWORD" "$(cat ${instanceCfg.db.passwordFile})"
''}
# Final permissions # Final permissions
chmod 600 /run/sonarr-${name}/secrets.env chmod 600 /run/sonarr-${name}/secrets.env
@ -315,25 +323,28 @@ in
''}"; ''}";
EnvironmentFile = ( EnvironmentFile = (
[ "-/run/sonarr-${name}/secrets.env" ] ["-/run/sonarr-${name}/secrets.env"]
++ lib.optional ( ++ lib.optional (
instanceCfg.extraEnvVarFile != null && instanceCfg.extraEnvVarFile != "" instanceCfg.extraEnvVarFile != null && instanceCfg.extraEnvVarFile != ""
) instanceCfg.extraEnvVarFile )
instanceCfg.extraEnvVarFile
); );
}) }
]; ];
} }
) )
) cfg.instances; )
cfg.instances;
# Firewall configurations # Firewall configurations
networking.firewall = mkMerge ( networking.firewall = mkMerge (
mapAttrsToList ( mapAttrsToList (
name: instanceCfg: name: instanceCfg:
mkIf (instanceCfg.enable && instanceCfg.openFirewall) { mkIf (instanceCfg.enable && instanceCfg.openFirewall) {
allowedTCPPorts = [ instanceCfg.port ]; allowedTCPPorts = [instanceCfg.port];
} }
) cfg.instances )
cfg.instances
); );
# Users and groups # Users and groups
@ -341,7 +352,7 @@ in
mapAttrsToList ( mapAttrsToList (
name: instanceCfg: name: instanceCfg:
mkIf instanceCfg.enable { mkIf instanceCfg.enable {
groups.${instanceCfg.group} = { }; groups.${instanceCfg.group} = {};
users = mkIf (instanceCfg.user == "sonarr") { users = mkIf (instanceCfg.user == "sonarr") {
sonarr = { sonarr = {
inherit (instanceCfg) group; inherit (instanceCfg) group;
@ -351,7 +362,8 @@ in
}; };
}; };
} }
) cfg.instances )
cfg.instances
); );
}; };
} }