jahanson/mochi
1
0
Fork 0
Code Issues 1 Pull requests 1 Projects Releases Packages Wiki Activity Actions

db is now optional for sonarr, radarr, and prowlarr.

Browse source
This commit is contained in:
Joseph Hanson 2025-02-19 15:33:09 -06:00
parent 18274be266
commit a7e673ac69
Signed by: jahanson
SSH key fingerprint: SHA256:vy6dKBECV522aPAwklFM3ReKAVB086rT3oWwiuiFG7o
4 changed files with 408 additions and 372 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

83
nixos/hosts/shadowfax/default.nix
View file

@ -101,6 +101,7 @@ in {
# System packages
environment.systemPackages = with pkgs; [
# Hyprland
libva-utils # to view graphics capabilities
greetd.tuigreet
rofi-wayland
@ -114,6 +115,8 @@ in {
wl-clipboard
wlogout
wlr-randr
# dev
uv
# fun
fastfetch
# Scripts
@ -169,6 +172,8 @@ in {
9001 # api interface
# Beszel-agent
45876
# scrypted
45005
];
};
@ -265,13 +270,13 @@ in {
openFirewall = true;
hardening = true;
apiKeyFile = config.sops.secrets."arr/prowlarr/apiKey".path;
db = {
enable = true;
hostFile = config.sops.secrets."arr/prowlarr/postgres/host".path;
port = 5432;
userFile = config.sops.secrets."arr/prowlarr/postgres/user".path;
passwordFile = config.sops.secrets."arr/prowlarr/postgres/password".path;
};
# db = {
# enable = true;
# hostFile = config.sops.secrets."arr/prowlarr/postgres/host".path;
# port = 5432;
# userFile = config.sops.secrets."arr/prowlarr/postgres/user".path;
# passwordFile = config.sops.secrets."arr/prowlarr/postgres/password".path;
# };
};
# Radarr
radarr = {
@ -289,14 +294,14 @@ in {
openFirewall = true;
hardening = true;
apiKeyFile = config.sops.secrets."arr/radarr/1080p/apiKey".path;
db = {
enable = true;
hostFile = config.sops.secrets."arr/radarr/1080p/postgres/host".path;
port = 5432;
dbname = "radarr_main";
userFile = config.sops.secrets."arr/radarr/1080p/postgres/user".path;
passwordFile = config.sops.secrets."arr/radarr/1080p/postgres/password".path;
};
# db = {
# enable = true;
# hostFile = config.sops.secrets."arr/radarr/1080p/postgres/host".path;
# port = 5432;
# dbname = "radarr_main";
# userFile = config.sops.secrets."arr/radarr/1080p/postgres/user".path;
# passwordFile = config.sops.secrets."arr/radarr/1080p/postgres/password".path;
# };
};
moviesAnime = {
enable = true;
@ -310,14 +315,14 @@ in {
openFirewall = true;
hardening = true;
apiKeyFile = config.sops.secrets."arr/radarr/anime/apiKey".path;
db = {
enable = true;
hostFile = config.sops.secrets."arr/radarr/anime/postgres/host".path;
port = 5432;
dbname = "radarr_anime";
userFile = config.sops.secrets."arr/radarr/anime/postgres/user".path;
passwordFile = config.sops.secrets."arr/radarr/anime/postgres/password".path;
};
# db = {
# enable = true;
# hostFile = config.sops.secrets."arr/radarr/anime/postgres/host".path;
# port = 5432;
# dbname = "radarr_anime";
# userFile = config.sops.secrets."arr/radarr/anime/postgres/user".path;
# passwordFile = config.sops.secrets."arr/radarr/anime/postgres/password".path;
# };
};
};
};
@ -337,14 +342,14 @@ in {
openFirewall = true;
hardening = true;
apiKeyFile = config.sops.secrets."arr/sonarr/1080p/apiKey".path;
db = {
enable = true;
hostFile = config.sops.secrets."arr/sonarr/1080p/postgres/host".path;
port = 5432;
dbname = "sonarr_main";
userFile = config.sops.secrets."arr/sonarr/1080p/postgres/user".path;
passwordFile = config.sops.secrets."arr/sonarr/1080p/postgres/password".path;
};
# db = {
# enable = true;
# hostFile = config.sops.secrets."arr/sonarr/1080p/postgres/host".path;
# port = 5432;
# dbname = "sonarr_main";
# userFile = config.sops.secrets."arr/sonarr/1080p/postgres/user".path;
# passwordFile = config.sops.secrets."arr/sonarr/1080p/postgres/password".path;
# };
};
anime = {
enable = true;
@ -358,14 +363,14 @@ in {
openFirewall = true;
hardening = true;
apiKeyFile = config.sops.secrets."arr/sonarr/anime/apiKey".path;
db = {
enable = true;
hostFile = config.sops.secrets."arr/sonarr/anime/postgres/host".path;
port = 5432;
dbname = "sonarr_anime";
userFile = config.sops.secrets."arr/sonarr/anime/postgres/user".path;
passwordFile = config.sops.secrets."arr/sonarr/anime/postgres/password".path;
};
# db = {
# enable = true;
# hostFile = config.sops.secrets."arr/sonarr/anime/postgres/host".path;
# port = 5432;
# dbname = "sonarr_anime";
# userFile = config.sops.secrets."arr/sonarr/anime/postgres/user".path;
# passwordFile = config.sops.secrets."arr/sonarr/anime/postgres/password".path;
# };
};
};
};

42
nixos/modules/nixos/services/prowlarr/default.nix
View file

@ -5,8 +5,7 @@
utils,
...
}:
with lib;
let
with lib; let
cfg = config.mySystem.services.prowlarr;
dbOptions = {
options = {
@ -51,12 +50,11 @@ let
};
};
};
in
{
in {
options.mySystem.services.prowlarr = {
enable = mkEnableOption "Prowlarr";
package = mkPackageOption pkgs "prowlarr" { };
package = mkPackageOption pkgs "prowlarr" {};
user = mkOption {
type = types.str;
@ -109,7 +107,7 @@ in
extraEnvVars = mkOption {
type = types.attrs;
default = { };
default = {};
example = {
MY_VAR = "my value";
};
@ -125,6 +123,14 @@ in
db = mkOption {
type = types.submodule dbOptions;
default = {
enable = false;
host = "";
port = "5432";
user = "";
passwordFile = "";
dbname = "";
};
example = {
enable = true;
host = "10.5.0.5"; # or use hostFile
@ -140,11 +146,11 @@ in
config = mkIf cfg.enable {
assertions = [
{
assertion = !(cfg.db.host != "" && cfg.db.hostFile != "");
assertion = !(cfg.db.enable && (cfg.db.host != "" && cfg.db.hostFile != ""));
message = "Specify either a direct database host via db.host or a file via db.hostFile (leave direct host empty).";
}
{
assertion = !(cfg.db.user != "prowlarr" && cfg.db.userFile != "");
assertion = !(cfg.db.enable && (cfg.db.user != "prowlarr" && cfg.db.userFile != ""));
message = "Specify either a direct database user via db.user or a file via db.userFile.";
}
{
@ -159,7 +165,7 @@ in
"network.target"
"nss-lookup.target"
];
wantedBy = [ "multi-user.target" ];
wantedBy = ["multi-user.target"];
environment = lib.mkMerge [
{
PROWLARR__APP__INSTANCENAME = "Prowlarr";
@ -171,7 +177,7 @@ in
PROWLARR__SERVER__PORT = toString cfg.port;
PROWLARR__UPDATE__BRANCH = "develop";
}
(lib.mkIf cfg.db.enable {
(lib.optionalAttrs cfg.db.enable {
PROWLARR__POSTGRES__PORT = toString cfg.db.port;
PROWLARR__POSTGRES__MAINDB = cfg.db.dbname;
})
@ -197,8 +203,8 @@ in
RestartSec = 5;
}
(lib.mkIf cfg.hardening {
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
CapabilityBoundingSet = [""];
DeviceAllow = [""];
DevicePolicy = "closed";
LockPersonality = true;
# Needs access to .Net CLR memory space.
@ -237,7 +243,7 @@ in
#"~@resources"
];
})
(lib.mkIf cfg.db.enable {
{
ExecStartPre = "+${pkgs.writeShellScript "prowlarr-pre-script" ''
mkdir -p /run/prowlarr
rm -f /run/prowlarr/secrets.env
@ -258,10 +264,12 @@ in
write_var "PROWLARR__AUTH__APIKEY" "$(cat ${cfg.apiKeyFile})"
fi
${lib.optionalString cfg.db.enable ''
# Database Configuration
write_var "PROWLARR__POSTGRES__HOST" "$([ -n "${cfg.db.host}" ] && echo "${cfg.db.host}" || cat "${cfg.db.hostFile}")"
write_var "PROWLARR__POSTGRES__USER" "$([ -n "${cfg.db.user}" ] && echo "${cfg.db.user}" || cat "${cfg.db.userFile}")"
write_var "PROWLARR__POSTGRES__PASSWORD" "$(cat ${cfg.db.passwordFile})"
''}
# Final permissions
chmod 600 /run/prowlarr/secrets.env
@ -269,18 +277,18 @@ in
''}";
EnvironmentFile = (
[ "-/run/prowlarr/secrets.env" ]
["-/run/prowlarr/secrets.env"]
++ lib.optional (cfg.extraEnvVarFile != null && cfg.extraEnvVarFile != "") cfg.extraEnvVarFile
);
})
}
];
};
networking.firewall = mkIf cfg.openFirewall {
allowedTCPPorts = [ cfg.port ];
allowedTCPPorts = [cfg.port];
};
users.groups.${cfg.group} = { };
users.groups.${cfg.group} = {};
users.users = mkIf (cfg.user == "prowlarr") {
prowlarr = {
inherit (cfg) group;

77
nixos/modules/nixos/services/radarr/default.nix
View file

@ -5,8 +5,7 @@
utils,
...
}:
with lib;
let
with lib; let
cfg = config.mySystem.services.radarr;
dbOptions = {
options = {
@ -51,20 +50,18 @@ let
};
};
};
in
{
in {
options.mySystem.services.radarr = {
enable = mkEnableOption "Radarr (global)";
instances = mkOption {
type = types.attrsOf (
types.submodule (
{ name, ... }:
{
{name, ...}: {
options = {
enable = mkEnableOption "Radarr (instance)";
package = mkPackageOption pkgs "Radarr" { };
package = mkPackageOption pkgs "Radarr" {};
user = mkOption {
type = types.str;
@ -131,12 +128,20 @@ in
passwordFile = "/run/secrets/radarr_db_password";
dbname = "radarr_main";
};
default = {
enable = false;
host = "";
port = "5432";
user = "";
passwordFile = "";
dbname = "";
};
description = "Database settings for radarr.";
};
extraEnvVars = mkOption {
type = types.attrs;
default = { };
default = {};
example = {
MY_VAR = "my value";
};
@ -153,7 +158,7 @@ in
}
)
);
default = { };
default = {};
description = "Radarr instance configurations.";
};
};
@ -163,8 +168,8 @@ in
assertions = flatten (
mapAttrsToList (
name: instanceCfg:
if instanceCfg.enable then
[
if instanceCfg.enable
then [
{
assertion = !(instanceCfg.db.host != "" && instanceCfg.db.hostFile != "");
message = "Specify either a direct database host via db.host or a file via db.hostFile (leave direct host empty).";
@ -178,26 +183,27 @@ in
message = "Specify either a direct API key via apiKey or a file via apiKeyFile (leave direct API key empty).";
}
]
else
[ ]
) cfg.instances
else []
)
cfg.instances
);
# Create systemd tmpfiles rules for each enabled instance
systemd.tmpfiles.rules = flatten (
mapAttrsToList (
name: instanceCfg:
if instanceCfg.enable then
[
if instanceCfg.enable
then [
"d ${instanceCfg.dataDir} 0775 ${instanceCfg.user} ${instanceCfg.group}"
]
else
[ ]
) cfg.instances
else []
)
cfg.instances
);
# Create services for each enabled instance
systemd.services = mapAttrs' (
systemd.services =
mapAttrs' (
name: instanceCfg:
nameValuePair "radarr-${name}" (
mkIf instanceCfg.enable {
@ -206,7 +212,7 @@ in
"network.target"
"nss-lookup.target"
];
wantedBy = [ "multi-user.target" ];
wantedBy = ["multi-user.target"];
environment = lib.mkMerge [
{
RADARR__APP__INSTANCENAME = name;
@ -244,8 +250,8 @@ in
RestartSec = 5;
}
(lib.mkIf instanceCfg.hardening {
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
CapabilityBoundingSet = [""];
DeviceAllow = [""];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = false;
@ -282,7 +288,7 @@ in
"@system-service"
];
})
(lib.mkIf instanceCfg.db.enable {
{
ExecStartPre = "+${pkgs.writeShellScript "radarr-${name}-pre-script" ''
mkdir -p /run/radarr-${name}
rm -f /run/radarr-${name}/secrets.env
@ -303,10 +309,12 @@ in
write_var "RADARR__AUTH__APIKEY" "$(cat ${instanceCfg.apiKeyFile})"
fi
${lib.optionalString instanceCfg.db.enable ''
# Database Configuration
write_var "RADARR__POSTGRES__HOST" "$([ -n "${instanceCfg.db.host}" ] && echo "${instanceCfg.db.host}" || cat "${instanceCfg.db.hostFile}")"
write_var "RADARR__POSTGRES__USER" "$([ -n "${instanceCfg.db.userFile}" ] && cat "${instanceCfg.db.userFile}" || echo "${instanceCfg.db.user}")"
write_var "RADARR__POSTGRES__PASSWORD" "$(cat ${instanceCfg.db.passwordFile})"
''}
# Final permissions
chmod 600 /run/radarr-${name}/secrets.env
@ -314,25 +322,28 @@ in
''}";
EnvironmentFile = (
[ "-/run/radarr-${name}/secrets.env" ]
["-/run/radarr-${name}/secrets.env"]
++ lib.optional (
instanceCfg.extraEnvVarFile != null && instanceCfg.extraEnvVarFile != ""
) instanceCfg.extraEnvVarFile
)
instanceCfg.extraEnvVarFile
);
})
}
];
}
)
) cfg.instances;
)
cfg.instances;
# Firewall configurations
networking.firewall = mkMerge (
mapAttrsToList (
name: instanceCfg:
mkIf (instanceCfg.enable && instanceCfg.openFirewall) {
allowedTCPPorts = [ instanceCfg.port ];
allowedTCPPorts = [instanceCfg.port];
}
) cfg.instances
)
cfg.instances
);
# Users and groups
@ -340,7 +351,7 @@ in
mapAttrsToList (
name: instanceCfg:
mkIf instanceCfg.enable {
groups.${instanceCfg.group} = { };
groups.${instanceCfg.group} = {};
users = mkIf (instanceCfg.user == "radarr") {
radarr = {
inherit (instanceCfg) group;
@ -350,8 +361,8 @@ in
};
};
}
) cfg.instances
)
cfg.instances
);
};
}

80
nixos/modules/nixos/services/sonarr/default.nix
View file

@ -5,8 +5,7 @@
utils,
...
}:
with lib;
let
with lib; let
cfg = config.mySystem.services.sonarr;
dbOptions = {
options = {
@ -51,20 +50,18 @@ let
};
};
};
in
{
in {
options.mySystem.services.sonarr = {
enable = mkEnableOption "Sonarr (global)";
instances = mkOption {
type = types.attrsOf (
types.submodule (
{ name, ... }:
{
{name, ...}: {
options = {
enable = mkEnableOption "Sonarr (instance)";
package = mkPackageOption pkgs "Sonarr" { };
package = mkPackageOption pkgs "Sonarr" {};
user = mkOption {
type = types.str;
@ -131,12 +128,20 @@ in
passwordFile = "/run/secrets/sonarr_db_password";
dbname = "sonarr_main";
};
default = {
enable = false;
host = "";
port = "5432";
user = "";
passwordFile = "";
dbname = "";
};
description = "Database settings for sonarr.";
};
extraEnvVars = mkOption {
type = types.attrs;
default = { };
default = {};
example = {
MY_VAR = "my value";
};
@ -153,7 +158,7 @@ in
}
)
);
default = { };
default = {};
description = "Sonarr instance configurations.";
};
};
@ -163,14 +168,14 @@ in
assertions = flatten (
mapAttrsToList (
name: instanceCfg:
if instanceCfg.enable then
[
if instanceCfg.enable
then [
{
assertion = !(instanceCfg.db.host != "" && instanceCfg.db.hostFile != "");
assertion = !(instanceCfg.db.enable && (instanceCfg.db.host != "" && instanceCfg.db.hostFile != ""));
message = "Specify either a direct database host via db.host or a file via db.hostFile (leave direct host empty).";
}
{
assertion = !(instanceCfg.db.user != "sonarr" && instanceCfg.db.userFile != "");
assertion = !(instanceCfg.db.enable && (instanceCfg.db.user != "sonarr" && instanceCfg.db.userFile != ""));
message = "Specify either a direct database user via db.user or a file via db.userFile.";
}
{
@ -178,26 +183,27 @@ in
message = "Specify either a direct API key via apiKey or a file via apiKeyFile (leave direct API key empty).";
}
]
else
[ ]
) cfg.instances
else []
)
cfg.instances
);
# Create systemd tmpfiles rules for each enabled instance
systemd.tmpfiles.rules = flatten (
mapAttrsToList (
name: instanceCfg:
if instanceCfg.enable then
[
if instanceCfg.enable
then [
"d ${instanceCfg.dataDir} 0775 ${instanceCfg.user} ${instanceCfg.group}"
]
else
[ ]
) cfg.instances
else []
)
cfg.instances
);
# Create services for each enabled instance
systemd.services = mapAttrs' (
systemd.services =
mapAttrs' (
name: instanceCfg:
nameValuePair "sonarr-${name}" (
mkIf instanceCfg.enable {
@ -206,7 +212,7 @@ in
"network.target"
"nss-lookup.target"
];
wantedBy = [ "multi-user.target" ];
wantedBy = ["multi-user.target"];
environment = lib.mkMerge [
{
SONARR__APP__INSTANCENAME = name;
@ -244,8 +250,8 @@ in
RestartSec = 5;
}
(lib.mkIf instanceCfg.hardening {
CapabilityBoundingSet = [ "" ];
DeviceAllow = [ "" ];
CapabilityBoundingSet = [""];
DeviceAllow = [""];
DevicePolicy = "closed";
LockPersonality = true;
MemoryDenyWriteExecute = false;
@ -283,7 +289,7 @@ in
"@system-service"
];
})
(lib.mkIf instanceCfg.db.enable {
{
ExecStartPre = "+${pkgs.writeShellScript "sonarr-${name}-pre-script" ''
mkdir -p /run/sonarr-${name}
rm -f /run/sonarr-${name}/secrets.env
@ -304,10 +310,12 @@ in
write_var "SONARR__AUTH__APIKEY" "$(cat ${instanceCfg.apiKeyFile})"
fi
${lib.optionalString instanceCfg.db.enable ''
# Database Configuration
write_var "SONARR__POSTGRES__HOST" "$([ -n "${instanceCfg.db.host}" ] && echo "${instanceCfg.db.host}" || cat "${instanceCfg.db.hostFile}")"
write_var "SONARR__POSTGRES__USER" "$([ -n "${instanceCfg.db.userFile}" ] && cat "${instanceCfg.db.userFile}" || echo "${instanceCfg.db.user}")"
write_var "SONARR__POSTGRES__PASSWORD" "$(cat ${instanceCfg.db.passwordFile})"
''}
# Final permissions
chmod 600 /run/sonarr-${name}/secrets.env
@ -315,25 +323,28 @@ in
''}";
EnvironmentFile = (
[ "-/run/sonarr-${name}/secrets.env" ]
["-/run/sonarr-${name}/secrets.env"]
++ lib.optional (
instanceCfg.extraEnvVarFile != null && instanceCfg.extraEnvVarFile != ""
) instanceCfg.extraEnvVarFile
)
instanceCfg.extraEnvVarFile
);
})
}
];
}
)
) cfg.instances;
)
cfg.instances;
# Firewall configurations
networking.firewall = mkMerge (
mapAttrsToList (
name: instanceCfg:
mkIf (instanceCfg.enable && instanceCfg.openFirewall) {
allowedTCPPorts = [ instanceCfg.port ];
allowedTCPPorts = [instanceCfg.port];
}
) cfg.instances
)
cfg.instances
);
# Users and groups
@ -341,7 +352,7 @@ in
mapAttrsToList (
name: instanceCfg:
mkIf instanceCfg.enable {
groups.${instanceCfg.group} = { };
groups.${instanceCfg.group} = {};
users = mkIf (instanceCfg.user == "sonarr") {
sonarr = {
inherit (instanceCfg) group;
@ -351,7 +362,8 @@ in
};
};
}
) cfg.instances
)
cfg.instances
);
};
}