From 5e0cd3a7eedf149b0477bdc4dc21f4639f06db2a Mon Sep 17 00:00:00 2001 From: Joseph Hanson Date: Fri, 24 Jan 2025 17:41:49 -0600 Subject: [PATCH] add sabnzbd --- nixos/hosts/shadowfax/default.nix | 16 +- nixos/modules/nixos/services/default.nix | 1 + .../nixos/services/sabnzbd/default.nix | 155 ++++++++++++++++++ 3 files changed, 169 insertions(+), 3 deletions(-) create mode 100644 nixos/modules/nixos/services/sabnzbd/default.nix diff --git a/nixos/hosts/shadowfax/default.nix b/nixos/hosts/shadowfax/default.nix index 80589cb..2a01498 100644 --- a/nixos/hosts/shadowfax/default.nix +++ b/nixos/hosts/shadowfax/default.nix @@ -188,6 +188,18 @@ in { # Misc libvirt-qemu.enable = true; podman.enable = true; + # Sabnzbd + sabnzbd = { + enable = true; + package = pkgs.unstable.sabnzbd; + configFile = "/nahar/sabnzbd/sabnzbd.ini"; + port = 8457; + # Security hardening. + dataDir = "/nahar/sabnzbd"; + downloadsDir = "/eru/media/sabnzbd"; + hardening = true; + openFirewall = true; + }; # Sanoid sanoid = { enable = true; @@ -215,10 +227,8 @@ in { qbittorrent = { enable = true; package = pkgs.unstable.qbittorrent.override {guiSupport = false;}; - user = "qbittorrent"; - group = "qbittorrent"; dataDir = "/nahar/qbittorrent"; - downloadsDir = "/eru/media/qb/downloads/complete"; + downloadsDir = "/eru/media/qb/downloads"; webuiPort = 8456; openFirewall = true; hardening = true; diff --git a/nixos/modules/nixos/services/default.nix b/nixos/modules/nixos/services/default.nix index e8216b9..eb9562f 100644 --- a/nixos/modules/nixos/services/default.nix +++ b/nixos/modules/nixos/services/default.nix @@ -12,6 +12,7 @@ ./podman ./qbittorrent ./reboot-required-check.nix + ./sabnzbd ./sanoid ./syncthing ./zfs-nightly-snap diff --git a/nixos/modules/nixos/services/sabnzbd/default.nix b/nixos/modules/nixos/services/sabnzbd/default.nix new file mode 100644 index 0000000..39bc78e --- /dev/null +++ b/nixos/modules/nixos/services/sabnzbd/default.nix @@ -0,0 +1,155 @@ +{ + config, + lib, + pkgs, + ... +}: +with lib; let + cfg = config.mySystem.services.sabnzbd; +in { + options = { + mySystem.services.sabnzbd = { + enable = mkEnableOption "sabnzbd"; + + package = mkPackageOption pkgs "sabnzbd" {}; + + dataDir = mkOption { + type = types.path; + default = "/var/lib/sabnzbd"; + description = "Path to the data directory."; + }; + + downloadsDir = mkOption { + type = types.path; + default = "/var/lib/sabnzbd/downloads"; + description = "Path to the data directory."; + }; + + configFile = mkOption { + type = types.path; + default = "/var/lib/sabnzbd/sabnzbd.ini"; + description = "Path to config file."; + }; + + user = mkOption { + default = "sabnzbd"; + type = types.str; + description = "User to run the service as"; + }; + + group = mkOption { + type = types.str; + default = "sabnzbd"; + description = "Group to run the service as"; + }; + + hardening = mkOption { + type = types.bool; + default = true; + description = "Enable security hardening features"; + }; + + openFirewall = mkOption { + type = types.bool; + default = false; + description = "Open ports in the firewall for the sabnzbd web interface"; + }; + + port = mkOption { + type = types.port; + default = 8080; + description = "Port to listen on for the Web UI."; + }; + + pidFile = mkOption { + type = types.str; + default = "/run/sabnzbd/sabnzbd.pid"; + description = "Path to the PID file."; + }; + + bindAddress = mkOption { + type = types.str; + default = "0.0.0.0"; + description = "Address to bind to."; + }; + }; + }; + + config = mkIf cfg.enable { + users.groups.${cfg.group} = {}; + users.users = mkIf (cfg.user == "sabnzbd") { + sabnzbd = { + inherit (cfg) group; + isSystemUser = true; + home = cfg.dataDir; + }; + }; + + systemd.services.sabnzbd = { + description = "sabnzbd server"; + wantedBy = ["multi-user.target"]; + after = ["network.target" "nss-lookup.target"]; + environment = { + HOME = cfg.dataDir; + }; + serviceConfig = lib.mkMerge [ + { + ExecStart = "${lib.getBin cfg.package}/bin/sabnzbd -d -f ${cfg.configFile} --server ${cfg.bindAddress}:${toString cfg.port} --pidfile ${cfg.pidFile}"; + PIDFile = cfg.pidFile; + Type = "forking"; + User = cfg.user; + Group = cfg.group; + WorkingDirectory = cfg.dataDir; + RuntimeDirectory = "sabnzbd"; + LogsDirectory = "sabnzbd"; + TimeoutStartSec = 10; + RuntimeDirectoryMode = "0750"; + } + (lib.mkIf cfg.hardening { + CapabilityBoundingSet = [""]; + DeviceAllow = [""]; + DevicePolicy = "closed"; + LockPersonality = true; + MemoryDenyWriteExecute = true; + NoNewPrivileges = true; + PrivateDevices = true; + PrivateTmp = true; + ProtectControlGroups = true; + ProtectHome = "read-only"; + ProtectKernelModules = true; + ProtectKernelTunables = true; + ProtectSystem = "strict"; + RestrictAddressFamilies = [ + "AF_INET" + "AF_INET6" + "AF_NETLINK" + ]; + RestrictNamespaces = [ + "uts" + "ipc" + "pid" + "user" + "cgroup" + "net" + ]; + RestrictSUIDSGID = true; + SystemCallArchitectures = "native"; + SystemCallFilter = [ + "@system-service" + "~@privileged" + "~@resources" + ]; + ReadWritePaths = [ + cfg.dataDir + cfg.downloadsDir + "/var/log/sabnzbd" + ]; + }) + ]; + }; + + networking.firewall = mkIf cfg.openFirewall { + allowedTCPPorts = [cfg.port]; + }; + }; +} -- 2.47.0