From e782f7c268d9af3680b33f59066e50a80856e279 Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Sun, 9 Feb 2025 19:24:05 -0600 Subject: [PATCH] to remove/rearrange files privileged is required. --- .../modules/nixos/services/radarr/default.nix | 25 +++++++++---------- .../modules/nixos/services/sonarr/default.nix | 25 +++++++++---------- 2 files changed, 24 insertions(+), 26 deletions(-) diff --git a/nixos/modules/nixos/services/radarr/default.nix b/nixos/modules/nixos/services/radarr/default.nix index 9497df4..c2c6a2d 100644 --- a/nixos/modules/nixos/services/radarr/default.nix +++ b/nixos/modules/nixos/services/radarr/default.nix @@ -5,8 +5,7 @@ utils, ... }: -with lib; -let +with lib; let cfg = config.mySystem.services.radarr; dbOptions = { options = { @@ -51,12 +50,11 @@ let }; }; }; -in -{ +in { options.mySystem.services.radarr = { enable = mkEnableOption "Radarr"; - package = mkPackageOption pkgs "Radarr" { }; + package = mkPackageOption pkgs "Radarr" {}; user = mkOption { type = types.str; @@ -128,7 +126,7 @@ in extraEnvVars = mkOption { type = types.attrs; - default = { }; + default = {}; example = { MY_VAR = "my value"; }; @@ -169,7 +167,7 @@ in "network.target" "nss-lookup.target" ]; - wantedBy = [ "multi-user.target" ]; + wantedBy = ["multi-user.target"]; environment = lib.mkMerge [ { RADARR__APP__INSTANCENAME = "Radarr"; @@ -207,8 +205,8 @@ in RestartSec = 5; } (lib.mkIf cfg.hardening { - CapabilityBoundingSet = [ "" ]; - DeviceAllow = [ "" ]; + CapabilityBoundingSet = [""]; + DeviceAllow = [""]; DevicePolicy = "closed"; LockPersonality = true; # Needs access to .Net CLR memory space. @@ -225,6 +223,7 @@ in cfg.dataDir cfg.moviesDir "/var/log/radarr" + "/eru/media" ]; RestrictAddressFamilies = [ "AF_INET" @@ -243,7 +242,7 @@ in SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" - "~@privileged" + #"~@privileged" # .Net CLR requirement #"~@resources" ]; 
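Review bot: `"/eru/media"` is a host-specific absolute path hard-coded into a reusable module's ReadWritePaths, directly beside `cfg.moviesDir`, which is the option that already exists to name the media tree; the sonarr hunk on the next line bakes the same literal in beside `cfg.tvDir`. Every host that enables either module now grants the service write access to that path whether or not it is the media location there, and the grant is invisible from the host configuration. If the library really lives under /eru/media, pointing `cfg.moviesDir` (and `cfg.tvDir`) at it, or adding an option such as `extraReadWritePaths = mkOption { type = types.listOf types.str; default = []; }` that is appended to the list, keeps the write grant declared once per host. The `ReadWritePaths = [` line that opens this list lies before the hunk.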
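Review bot: Commenting out `"~@privileged"` removes the whole privileged syscall group from the deny side of the filter (it bundles `@chown`, `@module`, `@raw-io`, `@reboot`, `@swap`, the setuid/setgid family and others), when the commit message only needs whatever call the file move/rename trips over; the sonarr SystemCallFilter hunk two lines down makes the same change. systemd processes the entries of one SystemCallFilter line in order, so a narrower exception can follow the group deny in the same list, e.g. `"~@privileged"` then `"@chown"`, once `systemd-analyze syscall-filter` or the journal's seccomp audit record for the killed process confirms which call it actually is. With `CapabilityBoundingSet = [""]` left in place the service has no CAP_CHOWN anyway, so a chown to a foreign owner would still fail, which suggests the needed call is worth pinning down before the filter is widened. Whatever is kept, the code should carry the reason the commit message gives, e.g. `# "~@privileged" disabled: file moves/renames into the media tree were killed by seccomp - TODO narrow to the specific group`; the rest of the hardening block is outside this hunk.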
@@ -280,7 +279,7 @@ in ''}"; EnvironmentFile = ( - [ "-/run/radarr/secrets.env" ] + ["-/run/radarr/secrets.env"] ++ lib.optional (cfg.extraEnvVarFile != null && cfg.extraEnvVarFile != "") cfg.extraEnvVarFile ); }) @@ -288,10 +287,10 @@ in }; networking.firewall = mkIf cfg.openFirewall { - allowedTCPPorts = [ cfg.port ]; + allowedTCPPorts = [cfg.port]; }; - users.groups.${cfg.group} = { }; + users.groups.${cfg.group} = {}; users.users = mkIf (cfg.user == "radarr") { radarr = { inherit (cfg) group; diff --git a/nixos/modules/nixos/services/sonarr/default.nix b/nixos/modules/nixos/services/sonarr/default.nix index a523ce9..4f43f62 100644 --- a/nixos/modules/nixos/services/sonarr/default.nix +++ b/nixos/modules/nixos/services/sonarr/default.nix @@ -5,8 +5,7 @@ utils, ... }: -with lib; -let +with lib; let cfg = config.mySystem.services.sonarr; dbOptions = { options = { @@ -51,12 +50,11 @@ let }; }; }; -in -{ +in { options.mySystem.services.sonarr = { enable = mkEnableOption "Sonarr"; - package = mkPackageOption pkgs "Sonarr" { }; + package = mkPackageOption pkgs "Sonarr" {}; user = mkOption { type = types.str; @@ -115,7 +113,7 @@ in extraEnvVars = mkOption { type = types.attrs; - default = { }; + default = {}; example = { MY_VAR = "my value"; }; @@ -169,7 +167,7 @@ in "network.target" "nss-lookup.target" ]; - wantedBy = [ "multi-user.target" ]; + wantedBy = ["multi-user.target"]; environment = lib.mkMerge [ { SONARR__APP__INSTANCENAME = "Sonarr"; @@ -207,8 +205,8 @@ in RestartSec = 5; } (lib.mkIf cfg.hardening { - CapabilityBoundingSet = [ "" ]; - DeviceAllow = [ "" ]; + CapabilityBoundingSet = [""]; + DeviceAllow = [""]; DevicePolicy = "closed"; LockPersonality = true; # Needs access to .Net CLR memory space. @@ -225,6 +223,7 @@ in cfg.dataDir cfg.tvDir "/var/log/sonarr" + "/eru/media" ]; RestrictAddressFamilies = [ "AF_INET" 
@@ -244,7 +243,7 @@ in SystemCallArchitectures = "native"; SystemCallFilter = [ "@system-service" - "~@privileged" + #"~@privileged" # .Net CLR requirement #"~@resources" ]; @@ -281,7 +280,7 @@ in ''}"; EnvironmentFile = ( - [ "-/run/sonarr/secrets.env" ] + ["-/run/sonarr/secrets.env"] ++ lib.optional (cfg.extraEnvVarFile != null && cfg.extraEnvVarFile != "") cfg.extraEnvVarFile ); }) @@ -289,10 +288,10 @@ in }; networking.firewall = mkIf cfg.openFirewall { - allowedTCPPorts = [ cfg.port ]; + allowedTCPPorts = [cfg.port]; }; - users.groups.${cfg.group} = { }; + users.groups.${cfg.group} = {}; users.users = mkIf (cfg.user == "sonarr") { sonarr = { inherit (cfg) group;