feat: add *arr (#61)
* feat: add cockpit to all servers * hacing * feat: *arr bones * feat: add docker versioning --------- Co-authored-by: Truxnell <9149206+truxnell@users.noreply.github.com>
parent
14e1aa9300
commit
c4e7e0215b
21 changed files with 891 additions and 35 deletions
17
.github/renovate.json5
vendored
17
.github/renovate.json5
vendored
|
@ -3,6 +3,7 @@
|
||||||
"extends": [
|
"extends": [
|
||||||
"github>truxnell/renovate-config",
|
"github>truxnell/renovate-config",
|
||||||
"github>truxnell/renovate-config:automerge-github-actions",
|
"github>truxnell/renovate-config:automerge-github-actions",
|
||||||
|
"github>truxnell/nix-config//.github/renovate/autoMerge.json5",
|
||||||
],
|
],
|
||||||
|
|
||||||
"gitAuthor": "Trux-Bot <19149206+trux-bot[bot]@users.noreply.github.com>",
|
"gitAuthor": "Trux-Bot <19149206+trux-bot[bot]@users.noreply.github.com>",
|
||||||
|
@ -13,7 +14,19 @@
|
||||||
"nix": {
|
"nix": {
|
||||||
"enabled": "true"
|
"enabled": "true"
|
||||||
},
|
},
|
||||||
|
|
||||||
"lockFileMaintenance": {
|
"lockFileMaintenance": {
|
||||||
"enabled": "true"
|
"enabled": "true"
|
||||||
},
|
},
|
||||||
}
|
|
||||||
|
{
|
||||||
|
"regexManagers": [
|
||||||
|
{
|
||||||
|
fileMatch: ["^.*\\.nix$"],
|
||||||
|
matchStrings: [
|
||||||
|
'image *= *"(?<depName>[^"]+):(?<currentValue>[^"]+)(@(?<currentDigest>sha256:[a-f0-9]+))?";',
|
||||||
|
],
|
||||||
|
datasourceTemplate: "docker",
|
||||||
|
}
|
||||||
|
],
|
||||||
|
}
|
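Review bot: The `matchStrings` pattern added in the second hunk requires a `:tag` between the image name and the optional `@sha256:` digest, but the container modules added in this same commit write their images as `name@sha256:…` with no tag. Against a line such as `image = "ghcr.io/onedr0p/lidarr@sha256:<digest>";` the greedy `depName` group backtracks to the colon inside `sha256:`, so `depName` would end in `@sha256` and `currentValue` would hold the hex digest, which Renovate cannot look up. Writing the images as `name:tag@sha256:<digest>` fits the pattern as it stands and keeps the digest pin. Pins that the updater cannot parse stay frozen, so they would also miss upstream security fixes.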
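--- a/.github/renovate/autoMerge.json5
+++ b/.github/renovate/autoMerge.json5
@@ -0,0 +1,17 @@
+{
+packageRules: [
+// auto update all up to major
+{
+matchDatasources: ['docker'],
+automerge: "true",
+matchUpdateTypes: [ 'minor', 'patch', 'digest'],
+matchPackageNames: [
+'onedr0p/sonarr',
+'onedr0p/readarr',
+'onedr0p/radarr',
+'onedr0p/lidarr',
+'onedr0p/prowlarr',
+],
+},
+],
+}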
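Review bot: The names in `matchPackageNames` omit the registry host, while the images this commit adds are written as `ghcr.io/onedr0p/<app>`, so if the regex manager takes `depName` from the full image string this rule would match nothing; confirm the extracted name and list it as it appears, e.g. `'ghcr.io/onedr0p/sonarr'`. `automerge: "true"` is a string where Renovate documents the option as a boolean, so `automerge: true` is the safer spelling. Once the rule does match, `digest` in `matchUpdateTypes` merges a republished third-party image with no human review, so a tampered upstream image would reach the hosts unattended; a `minimumReleaseAge` delay or required status checks before automerge would narrow that window. The comment `// auto update all up to major` would read more clearly as `// automerge every update below a major version`.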
10
docs/vm/k8s.md
Normal file
10
docs/vm/k8s.md
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
Removed complexity
|
||||||
|
|
||||||
|
- external secrets -> bog standard sops
|
||||||
|
- HA file storage -> standard file system
|
||||||
|
- HA database cluster -> nixos standard cluster
|
||||||
|
- Database user operator -> nixos standard ensure_users
|
||||||
|
- Database permissions operator -> why even??
|
||||||
|
- secrets reloader -> sops restart_unit
|
||||||
|
- easier managment, all services run through systemd for consistency, cockpit makes viewing logs/pod console etc easy.
|
||||||
|
|
|
@ -36,8 +36,8 @@
|
||||||
definedAliases = [ "@nhmo" ];
|
definedAliases = [ "@nhmo" ];
|
||||||
};
|
};
|
||||||
"NixOS Wiki" = {
|
"NixOS Wiki" = {
|
||||||
urls = [{ template = "https://nixos.wiki/index.php?search={searchTerms}"; }];
|
urls = [{ template = "https://wiki.nixos.org/w/index.php?search={searchTerms}"; }];
|
||||||
iconUpdateURL = "https://nixos.wiki/favicon.png";
|
iconUpdateURL = "https://wiki.nixos.org/favicon.ico";
|
||||||
updateInterval = 24 * 60 * 60 * 1000; # every day
|
updateInterval = 24 * 60 * 60 * 1000; # every day
|
||||||
definedAliases = [ "@nw" ];
|
definedAliases = [ "@nw" ];
|
||||||
};
|
};
|
||||||
|
@ -47,6 +47,12 @@
|
||||||
updateInterval = 24 * 60 * 60 * 1000; # every day
|
updateInterval = 24 * 60 * 60 * 1000; # every day
|
||||||
definedAliases = [ "@ks" ];
|
definedAliases = [ "@ks" ];
|
||||||
};
|
};
|
||||||
|
"Github Code Search" = {
|
||||||
|
urls = [{ template = "https://github.com/search?type=code&q={searchTerms}"; }];
|
||||||
|
iconUpdateURL = "https://github.githubassets.com/favicons/favicon-dark.svg";
|
||||||
|
updateInterval = 24 * 60 * 60 * 1000; # every day
|
||||||
|
definedAliases = [ "@gs" ];
|
||||||
|
};
|
||||||
|
|
||||||
# "Searx" = {
|
# "Searx" = {
|
||||||
# urls = [{ template = "https://searx.trux.dev/?q={searchTerms}"; }];
|
# urls = [{ template = "https://searx.trux.dev/?q={searchTerms}"; }];
|
||||||
|
|
|
@ -13,11 +13,14 @@
|
||||||
|
|
||||||
mySystem.services = {
|
mySystem.services = {
|
||||||
openssh.enable = true;
|
openssh.enable = true;
|
||||||
cockpit.enable = true;
|
|
||||||
podman.enable = true;
|
podman.enable = true;
|
||||||
traefik.enable = true;
|
traefik.enable = true;
|
||||||
sonarr.enable = true;
|
|
||||||
homepage.enable = true;
|
homepage.enable = true;
|
||||||
|
sonarr.enable = true;
|
||||||
|
radarr.enable = true;
|
||||||
|
lidarr.enable = true;
|
||||||
|
readarr.enable = true;
|
||||||
|
|
||||||
};
|
};
|
||||||
mySystem.nfs.nas.enable = true;
|
mySystem.nfs.nas.enable = true;
|
||||||
|
|
||||||
|
@ -40,7 +43,7 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
networking.hostName = "shodan"; # Define your hostname.
|
networking.hostName = "shodan1"; # Define your hostname.
|
||||||
networking.useDHCP = lib.mkDefault true;
|
networking.useDHCP = lib.mkDefault true;
|
||||||
|
|
||||||
fileSystems."/" =
|
fileSystems."/" =
|
||||||
|
|
|
@ -1,5 +1,9 @@
|
||||||
{
|
{
|
||||||
imports = [
|
imports = [
|
||||||
./sonarr
|
./sonarr
|
||||||
|
./radarr
|
||||||
|
./lidarr
|
||||||
|
./readarr
|
||||||
|
./prowlarr
|
||||||
];
|
];
|
||||||
}
|
}
|
||||||
|
|
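--- a/nixos/modules/nixos/services/arr/lidarr/default.nix
+++ b/nixos/modules/nixos/services/arr/lidarr/default.nix
@@ -0,0 +1,79 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+app = "lidarr";
+image = "ghcr.io/onedr0p/lidarr@sha256:6b9564037159c2b90f32a2ee34683275783a4b8eff4b609e2d2b1c0654c94bac";
+user = "568"; #string
+group = "568"; #string
+port = 8686; #int
+cfg = config.mySystem.services.sonarr;
+persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+options.mySystem.services.${app} =
+{
+enable = mkEnableOption "${app}";
+addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+};
+
+config = mkIf cfg.enable {
+# ensure folder exist and has correct owner/group
+systemd.tmpfiles.rules = [
+"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+];
+
+sops.secrets."services/${app}/env" = {
+
+# configure secret for forwarding rules
+sopsFile = ./secrets.sops.yaml;
+owner = config.users.users.kah.name;
+inherit (config.users.users.kah) group;
+restartUnits = [ "podman-${app}.service" ];
+};
+
+virtualisation.oci-containers.containers.${app} = {
+image = "${image}";
+user = "${user}:${group}";
+environment = {
+PUSHOVER_DEBUG = "false";
+PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
+LIDARR__INSTANCE_NAME = "Lidarr";
+LIDARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+LIDARR__LOG_LEVEL = "info";
+};
+environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+volumes = [
+"${persistentFolder}:/config:rw"
+"/mnt/nas/natflix:/media:rw"
+"/etc/localtime:/etc/localtime:ro"
+];
+labels = {
+"traefik.enable" = "true";
+"traefik.http.routers.${app}.entrypoints" = "websecure";
+"traefik.http.routers.${app}.middlewares" = "local-only@file";
+"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+};
+};
+
+mySystem.services.homepage.media-services = [
+{
+Lidarr = {
+icon = "${app}.png";
+href = "https://${app}.${config.networking.domain}";
+description = "Music management";
+container = "${app}";
+widget = {
+type = "${app}";
+url = "http://${app}:${toString port}";
+key = "{{HOMEPAGE_VAR_LIDARR__API_KEY}}";
+};
+};
+}
+];
+};
+}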
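Review bot: `cfg = config.mySystem.services.sonarr;` in the `let` block gates this module on Sonarr's option instead of its own, so `mySystem.services.lidarr.enable` has no effect and the container, its secret and its Traefik route are created whenever Sonarr is enabled. It should read `cfg = config.mySystem.services.${app};`, which is what the sonarr module is changed to in this same commit. The same line is repeated in the prowlarr, radarr and readarr modules. Prowlarr is not among the services enabled in the host hunk shown on this page, yet with this line it would still be started and published through Traefik.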
59
nixos/modules/nixos/services/arr/lidarr/secrets.sops.yaml
Normal file
59
nixos/modules/nixos/services/arr/lidarr/secrets.sops.yaml
Normal file
|
@ -0,0 +1,59 @@
|
||||||
|
services:
|
||||||
|
lidarr:
|
||||||
|
env: ENC[AES256_GCM,data:+Ja2gz7l5bueQJdMxtsF2o2rXtnPfsj9xfANoZ7T2wI4vf/VQRcHFG8IFvpJWr03kr+4iIK7BlSqE+o5CqL7pZLPbC6FW0mnqFKXUpZZxctPlrDXPHLR6UcnDbvJjNgSF4O+nLz0yzUFV28/C0I=,iv:j+q/uM16sxffCaKZHeXD957J8mFG6sLUL8vBwwO7/mE=,tag:QPDD6WiRTLrXtUeNytYGew==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bW9rRnF5TzBBQUdSdy9q
|
||||||
|
NExkZjdUWFI4VkFDUHF2REFQaXg4SGppUkcwCk12NW05NVUwaHBkNVdJRHA4L3Qw
|
||||||
|
d0VtVkVmdmJpRDJCOHBIU1lHNVFpT1UKLS0tIGhVQlVibk1aOEc2YnBCM3RXVHQ2
|
||||||
|
MUt0TzZTeXE3RkZBM0RBRkFkWkFYRTgKPQrxDiWBOyAIZpgLzHViMJGg4o+P/PlZ
|
||||||
|
pCj3n5C1z4lZgaWU+oE70a3r2CXg0toaG0Lg9lq7hh5pQV+KfLcO8g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3eWVSejhCcmhUT1hGZHlK
|
||||||
|
SVVUbmJ3UlVJT1k5azA3TkNsdDZCNWZQK0N3CnBYWUFWcXdSamhDT2pXTUFsZFIr
|
||||||
|
akgxSkZtRE44eW0yQlFGc0U5RWUxdjQKLS0tIExDdXBhSGh0dDM5ZnFNTzdmdVNj
|
||||||
|
MUY5UlFuNitiR08xeW9EZ09ZNThnQ1UKC+O/NlGD6ZdWAdJAAMyamGUJi8M6LhW2
|
||||||
|
2CRjIhXpfhiG4vjbgP5Xs6JXXYfiF7mFN6W3VZAZ/B4aO/S+BEVYoA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2Z1BYNDBVRjJDanVFNHMx
|
||||||
|
aUpXZW8wdGdDVkVQdXVRVnd0aFRLTnZuVUdFCmZJei84bVUyOFA5S2JaOVpLMVM2
|
||||||
|
T3B1YnNCcmNEV2s5WC9CRCtqd0pITTgKLS0tIHFmcjlmSjhXaWl2U09ralVjZzZE
|
||||||
|
ZW5LaVhIVUNlN09aUVN0eGZvRU1TUGMKxQXeVgv5pwTTSM+b5YV0Clys/z6spAd6
|
||||||
|
E8X0l9Q8QfKTw4JHhKZvVYtPQ/oKCqex7ez5WpARcOOcZmHojwuXdg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZmYzZElqQ0xBYmdrMHdD
|
||||||
|
dUVlTXlrVXJnNmNBZTZQMEdvYmwwMVIva2pvClZLU1pPV0xUVFZGQ0t5TGI5Mkhw
|
||||||
|
SE0wUWg2OWFnUTdBVEkzcTVOZWZFbWMKLS0tIEVCU2VnR3lIQXpqTnh0eHJzejEz
|
||||||
|
SzgxZG9TU1BsdVZlU1h5MkNyNG9ZaDgKGndrjZxBKRcvrLkPpE2cHCOGye3a6ek9
|
||||||
|
EmLowxl4EQ+pQqbukteFBfSlrs/302FfNrzL7cP4p2jzrCiT1RtHTw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlRlIyYnlxRmZYSzlhUzNX
|
||||||
|
am9iS3h5TVJ5TWhraVYrWU9ETHdGMUpJZEIwCjBmQ3FMZHJFcjg0SXM1Q1FybXZq
|
||||||
|
azVCL25XVXpHd01wbzRHMTN4QVd3N0UKLS0tIEFIc2dNNjErZFoxdzNDcEo4VE9B
|
||||||
|
NVJrMEs2Q09aQlphYXdaelluYjgveUUKJndBGHWzTUoexspNKF29jlaBgEruu/ee
|
||||||
|
acxnf1IGetFRKVNRu9mBPxAoMo+21Qi61E0/gdGaXWGmK2HEwSCaSA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-04-07T01:10:07Z"
|
||||||
|
mac: ENC[AES256_GCM,data:3WmOa5i4eB5L88TjzLhJG6tHF4/ecwZQHE1aC4b737nJjFw4F7tWMtHECIPHjRXM8wTie/FZgIQA4AHQS8WxLMILWkiSHVAei0jYWUQLie6R1qvcZu6NdSg22Co368pSBaEkDy+jy1uXmhTGOcAWYivKdhLyuVyr+jVO7W0B600=,iv:MFHlY+iRxS9udlgZSRSr/06BHnhfLXcIhYlDY3RUpRc=,tag:u7FnVRGcK6Y3Zoh3h2fEjw==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
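--- a/nixos/modules/nixos/services/arr/prowlarr/default.nix
+++ b/nixos/modules/nixos/services/arr/prowlarr/default.nix
@@ -0,0 +1,78 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+app = "prowlarr";
+image = "ghcr.io/onedr0p/prowlarr@sha256:7f90035619b4dbff6bff985181275300cd999be5d4f03fcaf359ef7068fc5e5e";
+user = "568"; #string
+group = "568"; #string
+port = 9696; #int
+cfg = config.mySystem.services.sonarr;
+persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+options.mySystem.services.${app} =
+{
+enable = mkEnableOption "${app}";
+addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+};
+
+config = mkIf cfg.enable {
+# ensure folder exist and has correct owner/group
+systemd.tmpfiles.rules = [
+"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+];
+
+sops.secrets."services/${app}/env" = {
+
+# configure secret for forwarding rules
+sopsFile = ./secrets.sops.yaml;
+owner = config.users.users.kah.name;
+inherit (config.users.users.kah) group;
+restartUnits = [ "podman-${app}.service" ];
+};
+
+virtualisation.oci-containers.containers.${app} = {
+image = "${image}";
+user = "${user}:${group}";
+environment = {
+PUSHOVER_DEBUG = "false";
+PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
+PROWLARR__INSTANCE_NAME = "Prowlarr";
+PROWLARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+PROWLARR__LOG_LEVEL = "info";
+};
+environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+volumes = [
+"${persistentFolder}:/config:rw"
+"/etc/localtime:/etc/localtime:ro"
+];
+labels = {
+"traefik.enable" = "true";
+"traefik.http.routers.${app}.entrypoints" = "websecure";
+"traefik.http.routers.${app}.middlewares" = "local-only@file";
+"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+};
+};
+
+mySystem.services.homepage.media-services = [
+{
+Prowlarr = {
+icon = "${app}.png";
+href = "https://${app}.${config.networking.domain}";
+description = "Content locator";
+container = "${app}";
+widget = {
+type = "${app}";
+url = "http://${app}:${toString port}";
+key = "{{HOMEPAGE_VAR_PROWLARR__API_KEY}}";
+};
+};
+}
+];
+};
+}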
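Review bot: The tmpfiles rule `"d ${persistentFolder} 0755 ${user} ${group} -"` leaves the application's state directory readable by every local account. That directory is mounted as `/config`, where these applications normally keep their database and API key, so other users and services on the host could read it. Mode `0750` is enough for the container user: `"d ${persistentFolder} 0750 ${user} ${group} -"`. The same rule appears in the lidarr, radarr and readarr modules and on the new side of the sonarr hunk.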
59
nixos/modules/nixos/services/arr/prowlarr/secrets.sops.yaml
Normal file
59
nixos/modules/nixos/services/arr/prowlarr/secrets.sops.yaml
Normal file
|
@ -0,0 +1,59 @@
|
||||||
|
services:
|
||||||
|
prowlarr:
|
||||||
|
env: ENC[AES256_GCM,data:NvGX3+harRQfv0x5L/6QznuIyu6su08EkD1btg2mZmemcxndZSVb+5odFZIDnoCsSUSMlxfZXHn2gOHB+7ePpHlVYy3/MZZTbn8I/nxVaAOPKYCJ7KXG5eKp7uEk+ZqEwIeMTI1MKekhCCwm43Ndn+oD,iv:uFpbHQMocdzFe+HQPEmC9Cz2hWOuL6TLi4Or94EzEIY=,tag:xeDbq4Ab5UuQQYa0kUnbig==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhSUwrZFliUC8wV1NKbm94
|
||||||
|
U0VmR2t2VndWUFRjMzVOcitHZXJlZ2ZDVDI4ClpieVJnR044N0JEcVgvcU8rcDlB
|
||||||
|
ZG5VbVhpOXVaYXpoMERkYnVjbkhWWEEKLS0tIEhXUGt2SnBVSmNtdEdibm9TbEx4
|
||||||
|
YnIrdkpGMGFYUXViQnE2Z0VlQVlHVVUKdh4QPZmkOUHY0nhZTgQHN/Is/OaHUKdB
|
||||||
|
fwPX5XltwaIgUCzKOJ18dOx24CA+xajvpRGDY5vdK6cN8N1lDnYPpw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiTDUySUpRbXBNOVlNSGNu
|
||||||
|
NTY1Q3Ntd1pWaDVnMzQ4MW94QXN6T3dQb1J3CkNIRnBINmNsRWt3OGFlR056Nk02
|
||||||
|
MEZlejIya2N6RUE2TlJtRkI3QTFTQlEKLS0tIGlneU1RSXBRdlhHMFFESU9wcE5W
|
||||||
|
YTlwU2srUjAySDI4TGt0bDlBT2VLL1kK8PJnEGhGAjDjQYBuPhS9NWsHg31ddkpq
|
||||||
|
UrC/SDONnawAVqC0djWkv2w71rHPh41GIFCW3V/IFS8vxQLSMiBo5w==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqUFp3MXFkVHU5dTdhcndG
|
||||||
|
aGdLWHY2Ti9ES0hjeWc2VXFTcXdPSWZrN25zCno2Snc1LzBTdC8zTS9lQSsrSmwz
|
||||||
|
d0VTb1Z6V0RxLzFzcEM4ZXEzZVpoSEkKLS0tIExvT2pKbzhaMUJaRHZoNlZpTXJY
|
||||||
|
eE5zVUhBblNFQ1RDVzl5K3VFaVMxRDAKuNxtVAqjbxaLJPr7LXKRj0Pt/gh8++Fp
|
||||||
|
AmYw0AVp/GMikWPCWVoCGiLr6svmNtbY0Q0B6KcN1N615G6AbrsoVg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBicTlKS0FhRHRRRXNuMURH
|
||||||
|
UnN6QUhZUFNjSlRLRzJEYmU2cDAxdHhaQndZClRVR0p2UFBTdVNDUVhnSE1KSEQ3
|
||||||
|
elNJeDdhK3lBb0xPK2daMmVBWUtMamMKLS0tIFZWeU9wdDErby90S2VFUHcrYjIx
|
||||||
|
MlVtM1dqSmdaTWZtdjZMcmd2aEhCN2cKYbzlgLrLhoGutJ6PPgALF9O1Pe5zZrfB
|
||||||
|
RCciStCtTO0Geloxf7YqelPW3D3crSSCmf4Yq4VTMnLccudGNRgaLA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOXNBN3MrajlTa1cxZ05y
|
||||||
|
MWx4TW40c3dabzZtZjErU0JzVUR4S2p4VVRjCkxkRjJNODI0M0pkYXBIQ1RxcFZY
|
||||||
|
OVhra0NmNnRkb1VOTHJMaDFVR0RuR28KLS0tIFlLNFk4MSt1M1UwL0tnRzRkYk00
|
||||||
|
YTAwcUlzMGRDMldCYjUwM2lZYS9YOWcKdgArTqnH04EMDc8s4q8eIoAlRbD7hsYj
|
||||||
|
RJNesG9wKZlrGOlDydOX7CD7hyrVRH1CrhMIAzWggu5dy8Bl9Mbe4w==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-04-07T03:01:12Z"
|
||||||
|
mac: ENC[AES256_GCM,data:ec1pzZ90D5jkY8jPDyDNyMxTovZqSjYBUryllybBPZwn08EeMPya/08+/mo3kqwgT4bVIFnEe/Fwk1ofEiz1G0YppcA4F43Rv0O7wGyTgRUKJ1sDuAcUvnvS/WSbG3POKibGcsu8v7wqDt9/JdFjoCfsurx+Ze17T9V+ZmYSQWo=,iv:oq55QVt2rMwCK8IPLNbUx5cs2sLAgWIp6/wb4faMpPU=,tag:rlmhn6XU7qgp58WpRlTwvA==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
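--- a/nixos/modules/nixos/services/arr/radarr/default.nix
+++ b/nixos/modules/nixos/services/arr/radarr/default.nix
@@ -0,0 +1,79 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+app = "radarr";
+image = "ghcr.io/onedr0p/radarr@sha256:2de39930de91ae698f9461bb959d93b9d59610f88e0c026e96bc5d9c99aeea89";
+user = "568"; #string
+group = "568"; #string
+port = 7878; #int
+cfg = config.mySystem.services.sonarr;
+persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+options.mySystem.services.${app} =
+{
+enable = mkEnableOption "${app}";
+addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+};
+
+config = mkIf cfg.enable {
+# ensure folder exist and has correct owner/group
+systemd.tmpfiles.rules = [
+"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+];
+
+sops.secrets."services/${app}/env" = {
+
+# configure secret for forwarding rules
+sopsFile = ./secrets.sops.yaml;
+owner = config.users.users.kah.name;
+inherit (config.users.users.kah) group;
+restartUnits = [ "podman-${app}.service" ];
+};
+
+virtualisation.oci-containers.containers.${app} = {
+image = "${image}";
+user = "${user}:${group}";
+environment = {
+PUSHOVER_DEBUG = "false";
+PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
+RADARR__INSTANCE_NAME = "Radarr";
+RADARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+RADARR__LOG_LEVEL = "info";
+};
+environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+volumes = [
+"${persistentFolder}:/config:rw"
+"/mnt/nas/natflix/series:/media:rw"
+"/etc/localtime:/etc/localtime:ro"
+];
+labels = {
+"traefik.enable" = "true";
+"traefik.http.routers.${app}.entrypoints" = "websecure";
+"traefik.http.routers.${app}.middlewares" = "local-only@file";
+"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+};
+};
+
+mySystem.services.homepage.media-services = [
+{
+Radarr = {
+icon = "${app}.png";
+href = "https://${app}.${config.networking.domain}";
+description = "Movie management";
+container = "${app}";
+widget = {
+type = "${app}";
+url = "http://${app}:${toString port}";
+key = "{{HOMEPAGE_VAR_RADARR__API_KEY}}";
+};
+};
+}
+];
+};
+}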
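Review bot: `addToHomepage` is declared with a default of `true` but never read; the `mySystem.services.homepage.media-services` entry is added unconditionally inside `mkIf cfg.enable`, so setting the option to `false` changes nothing. Guard the entry, e.g. `mySystem.services.homepage.media-services = mkIf cfg.addToHomepage [ … ];`; the lidarr, prowlarr and readarr modules have the same gap. Separately, the volume `"/mnt/nas/natflix/series:/media:rw"` gives a movie manager write access to the series subtree, which may be a leftover from another module and is worth confirming. The comment `# configure secret for forwarding rules` does not describe the env-file secret it sits above and should be reworded, for example `# env file holding the application's secrets`.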
59
nixos/modules/nixos/services/arr/radarr/secrets.sops.yaml
Normal file
59
nixos/modules/nixos/services/arr/radarr/secrets.sops.yaml
Normal file
|
@ -0,0 +1,59 @@
|
||||||
|
services:
|
||||||
|
radarr:
|
||||||
|
env: ENC[AES256_GCM,data:Sup7QbkSx/m7KlXToXmd50pewu9Ofjz+mfhVWuDdLm0P3Z1mjNOwVEuvJPmgzj6xth2/nMxtStb+0HTxzPnPVx3pfVxM/AAUPNryvK4xPmhr2ROyJ6sdUFwCzv0QmT+mS1mYy4GJ6ms/6is5agViRdKu+uoTMI5ogb2L2UJR9D6S1V/VH/OuPr/KNcFQF+f1uuo76h42pCuagJ+Biek6Mr9qoLNAUA63+PkWuRkZs9XZxTSTmF38AdOXJhU+RF7HV7WCtNQhQvVIRmRO0wSm,iv:mbmOxJusIfhoQkT2B+etQh8afYFpLP+nRfKJnR212yE=,tag:huIYNNzZFR8oDzX3FM2SZQ==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyL0VUU1FrUGhsZ3RvTFQw
|
||||||
|
RVBLTXdMTEtUc0twalVUUTM5b0dnRU1WUWpFCjBNeG5zU1NUU1BkRGo5MWFESEg1
|
||||||
|
bTNmc2VFbHJXM1pKbkpTUzVHWmJSaTgKLS0tIGsydXlwRHpVeVE3VlZvbVdYNWps
|
||||||
|
L0hlSDVPQXlES1ZwQWxaYXlkaHhCeGMKKKzYAzrByU7kx2FaroGt1G7HJpmfxZ/4
|
||||||
|
m1q//Leo6qttDeLod8ZrZR+nCjx2LzqWiMFatEpirgUU1SxVYLsN0Q==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxZ2RKTUtYZW56cU91UHM4
|
||||||
|
NkJ5dnJjU1pjV09kUUtxOHU3dlJhMXkycFU0CmVWSCtJUHc2WkJyTDQ1c0J0dVBK
|
||||||
|
SFY5bmtpQWNTRXgvMi9RTWJCNXlJZkkKLS0tIFk5Wmk3Sy9ucjl1YVMwL3BSVCtF
|
||||||
|
aWxGNWtxZmJuR0RCRmFTdUs0c0xaR1kKEzEzyrAzLm812z7lqGMXY7hxX2zSanah
|
||||||
|
Z4+3X44basjM8FTI6CvZAFqtpouv5o4QAerggCZatQV2DEs+6iAvLw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwT3RtQk1uMjBIWnlMdEt2
|
||||||
|
MXJNMEhPVDc0bGxEb0tXY1JpWS9wQ3pKV0JJCnBqcUNJOUMyYVhJdGh5YzBuY0FC
|
||||||
|
eEhlZFRiK0NIcnhJZVA0Q2J6bytXNk0KLS0tIDlVSEd3NHFNakdqeEpwRC96M0lB
|
||||||
|
Ym95TkpWVS9JY1JjL0F1dUF1QkhDbHMKvBOtjm/T+s9xjPhSzicL5yAGg66qQGnf
|
||||||
|
7HJVClweQ343WwIw8lO2/GM3CVaU20Q/UibaBYszUTNyNbQSFv5Sow==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjcFVmMEdaN0oycG9sdk1m
|
||||||
|
bjdBem5lQVB4bEM4TmM0QnpPK3p4RldDT25VCmV6YVdoR2NnNEx4WC9kdzRySWl6
|
||||||
|
amxJeTNTRmdjZEJVc05UWnFDdDJ4UkkKLS0tIER1dmFGdmVPWHhXUUJ1Ym96NU9K
|
||||||
|
aE9NS04yblVQNmVxNFlVRFZlRnkyRDgK+/uf5R1GT5bFkSSsYx5R6aehDcyapsz0
|
||||||
|
1uzffKV95MSo0I2ZqZDJgJPqsh23IxhzBJKsFhCw233bIaOaCSApuA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxcXFxc1o4OVZqbVBkWW9S
|
||||||
|
d1FMY3Nma3VVNS9kQ2E2NHo2VXdlQS9jWVFzCkUrV3c3d3RkclZLaktuWG0yTitx
|
||||||
|
OVVkQm9uaEFmMVFhYW92SlJKTlA0bVEKLS0tIG5PZm9NTjF6blR6TzhDOS94ck5N
|
||||||
|
S1doVkdGQjIzNmtTQkp0VHJoSWp3czAK1NPIYn78CEqiLk7cZKoZU2RPeS0hZImd
|
||||||
|
Sj7V+yVS0zZvLnHVhHcOIOGuVIAhsxNZgQ2Wd4sT2GaueUS3dRVhyw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-04-07T00:54:00Z"
|
||||||
|
mac: ENC[AES256_GCM,data:Ale1C+ow3OyKdgyyVBSco6mmK/o+wbSUFOzW7QScn8v80itwe42rLqGHdcTrrfxONVY0hrYBbaTA9dbRekNUa04goZbzyzrVYHAfdqf9qw7ugFLazeL3GA4hHUdkmfCtYEhjqK3Y3Ef88i1uysvJWfBlm/ayE8N2mv17CRxl8cA=,iv:bY6/ih+Boc1oY1NpLOnd1RLZxASD/vbom/sirb8ktao=,tag:GU+nM1Oncx3j0x9UXJ784w==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
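--- a/nixos/modules/nixos/services/arr/readarr/default.nix
+++ b/nixos/modules/nixos/services/arr/readarr/default.nix
@@ -0,0 +1,77 @@
+{ lib
+, config
+, pkgs
+, ...
+}:
+with lib;
+let
+app = "readarr";
+image = "ghcr.io/onedr0p/readarr-nightly@sha256:dd429811956178223ca7db1699f4ce03641edfa39ea8a1436a33272618278ade";
+user = "568"; #string
+group = "568"; #string
+port = 8787; #int
+cfg = config.mySystem.services.sonarr;
+persistentFolder = "${config.mySystem.persistentFolder}/${app}";
+in
+{
+options.mySystem.services.${app} =
+{
+enable = mkEnableOption "${app}";
+addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
+};
+
+config = mkIf cfg.enable {
+# ensure folder exist and has correct owner/group
+systemd.tmpfiles.rules = [
+"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
+];
+
+sops.secrets."services/${app}/env" = {
+
+# configure secret for forwarding rules
+sopsFile = ./secrets.sops.yaml;
+owner = config.users.users.kah.name;
+inherit (config.users.users.kah) group;
+restartUnits = [ "podman-${app}.service" ];
+};
+
+virtualisation.oci-containers.containers.${app} = {
+image = "${image}";
+user = "${user}:${group}";
+environment = {
+READARR__INSTANCE_NAME = "Lidarr";
+READARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
+READARR__LOG_LEVEL = "info";
+};
+environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
+volumes = [
+"${persistentFolder}:/config:rw"
+"/mnt/nas/natflix:/media:rw"
+"/etc/localtime:/etc/localtime:ro"
+];
+labels = {
+"traefik.enable" = "true";
+"traefik.http.routers.${app}.entrypoints" = "websecure";
+"traefik.http.routers.${app}.middlewares" = "local-only@file";
+"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
+
+};
+};
+
+mySystem.services.homepage.media-services = [
+{
+Readar = {
+icon = "${app}.png";
+href = "https://${app}.${config.networking.domain}";
+description = "Book management";
+container = "${app}";
+widget = {
+type = "${app}";
+url = "http://${app}:${toString port}";
+key = "{{HOMEPAGE_VAR_READARR__API_KEY}}";
+};
+};
+}
+];
+};
+}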
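Review bot: `READARR__INSTANCE_NAME = "Lidarr";` labels this instance with another application's name, and the homepage entry key is spelled `Readar`; both look like copy-paste slips and should be `READARR__INSTANCE_NAME = "Readarr";` and `Readarr = {`. The image here is `ghcr.io/onedr0p/readarr-nightly`, which the `matchPackageNames` list in `.github/renovate/autoMerge.json5` does not name, so this container would stay outside the automerge rule even once the other names match.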
59
nixos/modules/nixos/services/arr/readarr/secrets.sops.yaml
Normal file
59
nixos/modules/nixos/services/arr/readarr/secrets.sops.yaml
Normal file
|
@ -0,0 +1,59 @@
|
||||||
|
services:
|
||||||
|
readarr:
|
||||||
|
env: ENC[AES256_GCM,data:/nOtTAhPSy3jlzZb3CmmOOyyhoxH8wgF7/sOlQxWP6FC6+lDH/DhibckUVHscwNAlwSIT4MeuLaE2vyeNUOSwhx5WwxGXvqQFjXRv0hkIPcHpWriJmuc44c7rHga+sCDpQNGPCLRbEmcYvTpm403cA==,iv:G0Elt5Oe0yGzVCoLkKUKp5QexziHzOIZO/AUqx13JE4=,tag:Ue9xgKJ4QyDs2445y9/xtg==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2d1V3dC9oWFR2RUV4RXFo
|
||||||
|
ZEw1QmlMc1VXc2hZTTFFK3d1TEtiSXJtcTFjCjFTMHpkK1Q2TFlTbFZEdjQ1RlVs
|
||||||
|
K3dsOGhLN011eXBEV21vckZRdHRsWVEKLS0tIDNQRDRxTHI3SjBkZGxGQmdoOWg0
|
||||||
|
TlUzeDRwNUppSHpSSHNnWkJKYS8vSU0KyIu/ttRKDqQ3mKtk1AyCDnL5ZwydMv/9
|
||||||
|
Mc9we7EXPzbGkOoGVNzFH+sP1GZM4k9f5wQ8OgiseVKTwzuHzqaFYg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNZW94S2VxL0QwN2gweThB
|
||||||
|
YUNhall0bFZvTm02ZHkwYXhRb0E1bTc0OEhVCnBtQ2FhSTZabmJzMm1RUzE4VzlE
|
||||||
|
MmJ1aEFMRUxwUTcwWVVGOXBXa05QNW8KLS0tIHJ3VjlDVzUremhkd25lM2IrR2tH
|
||||||
|
dlkxVkpnUFZTYTd0cDR6bTBCR1VzSUkKlUGI4JKzdWdvJuYSc8PeR3qEA3OXG7w3
|
||||||
|
Jv42OCDczivOR69E8ZBIU+dS+1XrLNgGxN7xSGFpHnz0ZgaZWYow/w==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLeG83T1RXckYralg3SzJP
|
||||||
|
QmVYa3lkZittTFJFSDBBRmdrQWFHNE5PTkdFCjcvK1J5SGhYVVlHM2xMempCMHVV
|
||||||
|
Mzh4eGR0QzZwMjZycFV4cGdJQ09RUzAKLS0tIFJGMnNQcW16eFhWeXY5V3dOUDV0
|
||||||
|
WUhuQUZDbGU3V3JIeXpxVytuUy9PNjgKy9Y/XkjkDX3ypVSWZhfACkXQdjz2Qm8N
|
||||||
|
4Am69qQRvOCnnFuw30RftgJSRvs1X7dTnvUKwCcweUiCAL+o2R/q6A==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6TWRLQzNGTHJZM0lzRkVx
|
||||||
|
OG9vdS9wc0VsYTRoR2FRM1dWdXREZ1RjK1M0CnczVjI1a0lNTVpCbmZMR0FmRDFS
|
||||||
|
aGpuQzdyMkc2WW1BWkp2ODFhc1JUcGMKLS0tIGNyOXd6a1dqdHRKUEJEOE1UNjBr
|
||||||
|
aU9EeWg4Rm9sbTdrWGZ4cmNMUVI3a3MKhUyeqGGZPxcHUCXVNAAcZtx35vzFmunQ
|
||||||
|
fTNNnoI6CM0Xmwznlp0576s3qmjbXMc5+Wm9Ni4tLnBrnyl/Y4oijg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0Z1doS3pjc0FaczdudDBp
|
||||||
|
Ykx4aGl0YVZUUmoxNUs2aWpieFZlQ0dYN0VNClZQQkF2QWtyeVpta2VBbEpMZjVZ
|
||||||
|
T3hrU2ozbE10M3c2ejlta2tNNEhBYWMKLS0tIHlGeVNnRmNiUzhKYmpUWG8xbDVo
|
||||||
|
V0JjaGpDTXpsSE5Ldm13N3N1UU9zRE0Ky8tp8tJkgwyLNBvnOM+puMy2+46Khf7n
|
||||||
|
LzxXw/7ZJnIPsYywXPj7IdeMha9nvXow8zpSriI52ecOmJZxSbkLeg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-04-07T01:10:50Z"
|
||||||
|
mac: ENC[AES256_GCM,data:8Cx1SzSIeNSYGCyOsPCkaWv/Z8A4t8a+o1UDYnf4KsuysH8NolDMZWziMiPnzKpWLMNBo6qzJfaDfm2b6MyvEsLRue1Z5iAuNIlMOWYeVkeQu9ZDPOOYuEqxCMmRLOpHdsQh9G++bcGzNjZoFOKMkh4uCCQrboohFGO38WEWnHY=,iv:hPbqJSYvPb1npIIyc4a92YytDMRm7c9pgPv3j6TvxoQ=,tag:1s3Jxup2X/gWAinn12Rxzg==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
|
@ -5,46 +5,76 @@
|
||||||
}:
|
}:
|
||||||
with lib;
|
with lib;
|
||||||
let
|
let
|
||||||
|
app = "sonarr";
|
||||||
image = "ghcr.io/onedr0p/sonarr@sha256:04d8e198752b67df3f95c46144b507f437e7669f0088e7d2bbedf0e762606655";
|
image = "ghcr.io/onedr0p/sonarr@sha256:04d8e198752b67df3f95c46144b507f437e7669f0088e7d2bbedf0e762606655";
|
||||||
port = 8989;
|
user = "568"; #string
|
||||||
cfg = config.mySystem.services.sonarr;
|
group = "568"; #string
|
||||||
persistentFolder = "${config.mySystem.persistentFolder}/sonarr";
|
port = 8989; #int
|
||||||
|
cfg = config.mySystem.services.${app};
|
||||||
|
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
|
||||||
|
containerPersistentFolder = "/config";
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.mySystem.services.sonarr.enable = mkEnableOption "Sonarr";
|
options.mySystem.services.${app} =
|
||||||
|
{
|
||||||
|
enable = mkEnableOption "${app}";
|
||||||
|
addToHomepage = mkEnableOption "Add ${app} to homepage" // { default = true; };
|
||||||
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
# ensure folder exist and has correct owner/group
|
# ensure folder exist and has correct owner/group
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d ${persistentFolder} 0755 568 568 -" #The - disables automatic cleanup, so the file wont be removed after a period
|
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
|
||||||
];
|
];
|
||||||
|
|
||||||
virtualisation.oci-containers.containers.sonarr = {
|
sops.secrets."services/${app}/env" = {
|
||||||
|
|
||||||
|
# configure secret for forwarding rules
|
||||||
|
sopsFile = ./secrets.sops.yaml;
|
||||||
|
owner = config.users.users.kah.name;
|
||||||
|
inherit (config.users.users.kah) group;
|
||||||
|
restartUnits = [ "podman-${app}.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
|
virtualisation.oci-containers.containers.${app} = {
|
||||||
image = "${image}";
|
image = "${image}";
|
||||||
user = "568:568";
|
user = "${user}:${group}";
|
||||||
environment = {
|
environment = {
|
||||||
UMASK = "002";
|
PUSHOVER_DEBUG = "false";
|
||||||
|
PUSHOVER_APP_URL = "${app}.${config.networking.domain}";
|
||||||
|
SONARR__INSTANCE_NAME = "Radarr";
|
||||||
|
SONARR__APPLICATION_URL = "https://${app}.${config.networking.domain}";
|
||||||
|
SONARR__LOG_LEVEL = "info";
|
||||||
};
|
};
|
||||||
|
environmentFiles = [ config.sops.secrets."services/${app}/env".path ];
|
||||||
volumes = [
|
volumes = [
|
||||||
"${persistentFolder}:/config:rw"
|
"${persistentFolder}:${containerPersistentFolder}:rw"
|
||||||
"/mnt/nas/natflix/series:/media:rw"
|
"/mnt/nas/natflix:/media:rw"
|
||||||
"/etc/localtime:/etc/localtime:ro"
|
"/etc/localtime:/etc/localtime:ro"
|
||||||
];
|
];
|
||||||
labels = {
|
labels = {
|
||||||
"traefik.enable" = "true";
|
"traefik.enable" = "true";
|
||||||
"traefik.http.routers.sonarr.entrypoints" = "websecure";
|
"traefik.http.routers.${app}.entrypoints" = "websecure";
|
||||||
"traefik.http.routers.sonarr.middlewares" = "local-only@file";
|
"traefik.http.routers.${app}.middlewares" = "local-only@file";
|
||||||
"traefik.http.services.sonarr.loadbalancer.server.port" = "${toString port}";
|
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
|
||||||
|
|
||||||
"homepage.group" = "Media";
|
|
||||||
"homepage.name" = "Sonarr";
|
|
||||||
"homepage.icon" = "sonarr.png";
|
|
||||||
"homepage.href" = "https://sonarr.${config.networking.domain}";
|
|
||||||
"homepage.description" = "Series manager";
|
|
||||||
# "homepage.weight" = -70000;
|
|
||||||
"homepage.widget.type" = "sonarr";
|
|
||||||
"homepage.widget.url" = "https://sonarr.${config.networking.domain}";
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
mySystem.services.homepage.media-services = [
|
||||||
|
{
|
||||||
|
Sonarr = {
|
||||||
|
icon = "${app}.png";
|
||||||
|
href = "https://${app}.${config.networking.domain}";
|
||||||
|
description = "TV show management";
|
||||||
|
container = "${app}";
|
||||||
|
widget = {
|
||||||
|
type = "${app}";
|
||||||
|
url = "http://${app}:${toString port}";
|
||||||
|
key = "{{HOMEPAGE_VAR_SONARR__API_KEY}}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
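Review bot: `SONARR__INSTANCE_NAME = "Radarr";` in the new `environment` block looks like a copy-paste slip from the Radarr module; since this file sets `app = "sonarr"`, it should read `SONARR__INSTANCE_NAME = "Sonarr";`. The media bind is also widened from `/mnt/nas/natflix/series` to the whole `/mnt/nas/natflix` share with `:rw`, so this container can now modify every library on the share. If the full share is really needed (hardlinks between download and library folders, presumably), a comment saying so would help; otherwise keep the narrower mount. The new `addToHomepage` option is declared, but the visible `mySystem.services.homepage.media-services` entry is added unconditionally, so wrapping that entry in `mkIf cfg.addToHomepage` would make the option effective.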
59
nixos/modules/nixos/services/arr/sonarr/secrets.sops.yaml
Normal file
59
nixos/modules/nixos/services/arr/sonarr/secrets.sops.yaml
Normal file
|
@ -0,0 +1,59 @@
|
||||||
|
services:
|
||||||
|
sonarr:
|
||||||
|
env: ENC[AES256_GCM,data:Lg92wQkiBY5gBZ2+ckLs7EBPo/0fEwqhEvnWcnU5quUMNlJeWnjWFqU8qu1TaW0Vmux/A/QgIJAiYgWnbQuD9benOR2swkt4+DazSeC+35VQOTbegVDrH4wiJikTHTtoKpgSKHLBQAy113jaDL/RBFRpsSjsXEsGGu+G+GZ1MFcW5hRbYam1o62NqOAG66efcIGXv8T+sD0ouLcN2g9ZjU2QqUqJqsGBtg1d0SIVj9bNW2vUHHmMtIQBTxfR6S5V3tzqjP2EfzaT/gDSPPJg,iv:e9/vpvTFDixP07fVXutIhJcAg8Qb9d7fVJNmn+XhMjU=,tag:7MAF0kHvcf5VDUMCpJATVA==,type:str]
|
||||||
|
sops:
|
||||||
|
kms: []
|
||||||
|
gcp_kms: []
|
||||||
|
azure_kv: []
|
||||||
|
hc_vault: []
|
||||||
|
age:
|
||||||
|
- recipient: age1lj5vmr02qkudvv2xedfj5tq8x93gllgpr6tzylwdlt7lud4tfv5qfqsd5u
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvYTlNSGpIclBoWVlWWDBz
|
||||||
|
ckVZQWdndVBreDRXV3k1UDhxR0Y4R1J5blNBCmh0RmtwbzMrcGxLL1FoQVBjSVUy
|
||||||
|
QUxPUXJmaFYxRXFFb0lTQ2JHd3M3aFUKLS0tIEZ6UWJOVXp1VE1XTnhzQVhGT2RS
|
||||||
|
MVhTTE1JbU5rZnZjUFI2NDNkRUEvY0EKxglGGpDa8xY9w9VKayRF2Oqjv+UhDiLY
|
||||||
|
3uPQWLasVcQviZE7AqG5n8azLTaX5DEoAOVFDCnhJYjU9NatXhcutw==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age17edew3aahg3t5nte5g0a505sn96vnj8g8gqse8q06ccrrn2n3uysyshu2c
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkdU84WkVMVWl2UXQ2WHN3
|
||||||
|
ZE1IbENMU0JlN0pPMTZSeHFPdW5mN1NhcUVRCkovcEJSNm9FWU9LdWk2aWRMbzJO
|
||||||
|
b3VoM0F5VWxSU2I1UU9lblMreXNvcjQKLS0tIG9hSVk4RzRzbVgyektXQ1lkcGF6
|
||||||
|
Q1FLdWZGOUFqWm9Hc0NDVUFFczlXYXcKxxWKSOrDUGld40zvDzsmMBOAexWoijDN
|
||||||
|
tBxJteEnSbTd+s93MDfuM+axeNR5Ak4+f/pEoLho5xjjn8f/fdlebA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1u4tht685sqg6dkmjyer96r93pl425u6353md6fphpd84jh3jwcusvm7mgk
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdGV5ZU1ZSFNvaHpGRUFs
|
||||||
|
cWRkVWlMZUZrbDNLSlJJSUpZVkhKUHI3OVdnCk1pckRmbWJNMkdvOXZscE1sMFcw
|
||||||
|
QktRU0Foa2hNTU9tcUN0UmM0Y0h2TU0KLS0tIDY1c2lVb1Bnd1c0d1Y3NVMrYmVZ
|
||||||
|
UXJFb294d1Bqc3E0SUFjWmFqSjdka28K2cEgMCIxpzGe2Z1rgaWq+rWXKJvfsTi9
|
||||||
|
PFWywF6/E+9Egwrh98FspQAzYP/7zl+N8gjR5Pa+Scx2D2iOizXWfg==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1cp6vegrmqfkuj8nmt2u3z0sur7n0f7e9x9zmdv4zygp8j2pnucpsdkgagc
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKallmeUFQMmRvNFZRbnho
|
||||||
|
SVYzYit2TWFSRnV6dVNjUzlSQ0ZhTEJUNEhjCmFmaEsvMkpPQVZBN0FLVVp1dzgv
|
||||||
|
Ym56YzhwcWdkNlVSbHA4cnQ2T2VVeXMKLS0tIENqdXZCaFNrZVpFVUIrakpsY1ZP
|
||||||
|
QUxPS3lqcTBISnByTXVWcWdtZWYwNXMK8FRzmS0q2l6MWUu0YreaqEnKKW085j4s
|
||||||
|
f1oTHPpErwPLuh3hUciUPFe5Mbm3zSdjBsGyQtxPF6xLtw8dFaDYBA==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
- recipient: age1j2r8mypw44uvqhfs53424h6fu2rkr5m7asl7rl3zn3xzva9m3dcqpa97gw
|
||||||
|
enc: |
|
||||||
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaTXg2S2R2M2tHYmllUXFZ
|
||||||
|
NkZzcTdRaU5RM29RQkdEQnpNWXowZUFoR3hZCm1TclN2K0FoQktVTzg4YkkyRUhC
|
||||||
|
NXRybXE5Ym1XYjF3cG53RitvK3VTR1kKLS0tIGtkZXFLWmJiRG81M2RyYzdXZUEx
|
||||||
|
M2tqQVZaUmNVbm9YZys0NUNpSk4vN3cKpkL37l/i3VD6zhWHK/ROvcvmCBQfifuw
|
||||||
|
EFYI+F+BTjkoptqIVFCDbATRrqSfOqsYPmEg5lM0e3Oul+vT++e0/g==
|
||||||
|
-----END AGE ENCRYPTED FILE-----
|
||||||
|
lastmodified: "2024-04-06T21:26:23Z"
|
||||||
|
mac: ENC[AES256_GCM,data:ITWKix2aNhXzzzZTvq2sBPXO3Phvr+lS83fSwEbH7FTowD7uScxqAF4PMJ+txAfIpmZiaD5vXIK98YU9HOWRFUoOiYxdwVwfOiX63mB0JKj5jLHHeIe6bMaWfudITlIL9an6YO/qyUww9OVXaxYEmwOJI4W+HnMLbYLf5lGboEo=,iv:i8dddSV2W9FifN+ktwGsaYRRnK4UJtrG7g6LpWPtgu4=,tag:acP4YvJarHLCZUJ3dCFuOQ==,type:str]
|
||||||
|
pgp: []
|
||||||
|
unencrypted_suffix: _unencrypted
|
||||||
|
version: 3.8.1
|
|
@ -11,11 +11,32 @@ in
|
||||||
{
|
{
|
||||||
options.mySystem.services.cockpit.enable = mkEnableOption "Cockpit";
|
options.mySystem.services.cockpit.enable = mkEnableOption "Cockpit";
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config.services.cockpit = mkIf cfg.enable {
|
||||||
services.cockpit.enable = true;
|
enable = true;
|
||||||
services.cockpit.openFirewall = true;
|
openFirewall = true;
|
||||||
|
package = pkgs.cockpit.overrideAttrs (old: {
|
||||||
|
# remove packagekit and selinux, don't work on NixOS
|
||||||
|
postBuild = ''
|
||||||
|
${old.postBuild}
|
||||||
|
|
||||||
|
rm -rf \
|
||||||
|
dist/packagekit \
|
||||||
|
dist/selinux
|
||||||
|
'';
|
||||||
|
});
|
||||||
};
|
};
|
||||||
|
|
||||||
|
config.environment = mkIf cfg.enable {
|
||||||
|
systemPackages = with pkgs;
|
||||||
|
[
|
||||||
|
(mkIf config.virtualisation.podman.enable nur.repos.procyon.cockpit-podman) # only if server runs pods
|
||||||
|
|
||||||
|
# nur.repos.dukzcry.cockpit-machines # TODO enable with virtualisation on server
|
||||||
|
# nur.repos.dukzcry.libvirt-dbus # TODO enable with virtualisation on server
|
||||||
|
# pkgs.virt-manager # TODO enable with virtualisation on server
|
||||||
|
];
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
};
|
||||||
}
|
}
|
||||||
|
|
|
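Review bot: `nur.repos.procyon.cockpit-podman` in the new `config.environment` block installs a package from a NUR user repository, which does not get nixpkgs review, onto hosts that run the Cockpit web console. A comment such as `# third-party NUR package, review the pinned revision before bumping` next to it would make that trust decision explicit. In the `overrideAttrs` above it, `${old.postBuild}` makes evaluation fail if the upstream derivation ever stops defining `postBuild`, whereas `${old.postBuild or ""}` keeps the override working either way. The two `mkIf cfg.enable` blocks could also be a single `config = mkIf cfg.enable { … };` holding both `services.cockpit` and `environment.systemPackages`.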
@ -13,12 +13,121 @@ let
|
||||||
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
|
persistentFolder = "${config.mySystem.persistentFolder}/${app}";
|
||||||
|
|
||||||
cfg = config.mySystem.services.homepage;
|
cfg = config.mySystem.services.homepage;
|
||||||
|
|
||||||
|
settings = {
|
||||||
|
# title = "Hades";
|
||||||
|
# theme = "dark";
|
||||||
|
# color = "slate";
|
||||||
|
showStats = true;
|
||||||
|
};
|
||||||
|
settingsFile = builtins.toFile "homepage-settings.yaml" (builtins.toJSON settings);
|
||||||
|
|
||||||
|
bookmarks = [
|
||||||
|
{
|
||||||
|
Administration = [
|
||||||
|
{ Source = [{ icon = "github.png"; href = "https://github.com/truxnell/nix-config"; }]; }
|
||||||
|
{ Cloudflare = [{ icon = "cloudflare.png"; href = "https://dash.cloudflare.com/"; }]; }
|
||||||
|
];
|
||||||
|
}
|
||||||
|
{
|
||||||
|
Development = [
|
||||||
|
{ CyberChef = [{ icon = "cyberchef.png"; href = "https://gchq.github.io/CyberChef/"; }]; }
|
||||||
|
{ "Nix Options Search" = [{ abbr = "NS"; href = "https://search.nixos.org/packages"; }]; }
|
||||||
|
{ "Doppler Secrets" = [{ abbr = "DP"; href = "https://dashboard.doppler.com"; }]; }
|
||||||
|
{ "onedr0p Containers" = [{ abbr = "OC"; href = "https://github.com/onedr0p/containers"; }]; }
|
||||||
|
{ "bjw-s Containers" = [{ abbr = "BC"; href = "https://github.com/bjw-s/container-images"; }]; }
|
||||||
|
|
||||||
|
];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
bookmarksFile = builtins.toFile "homepage-bookmarks.yaml" (builtins.toJSON bookmarks);
|
||||||
|
|
||||||
|
widgets = [
|
||||||
|
{
|
||||||
|
resources = {
|
||||||
|
cpu = true;
|
||||||
|
memory = true;
|
||||||
|
cputemp = true;
|
||||||
|
uptime = true;
|
||||||
|
disk = "/";
|
||||||
|
units = "metric";
|
||||||
|
# label = "system";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
{
|
||||||
|
search = {
|
||||||
|
provider = "duckduckgo";
|
||||||
|
target = "_blank";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
];
|
||||||
|
widgetsFile = builtins.toFile "homepage-widgets.yaml" (builtins.toJSON widgets);
|
||||||
|
|
||||||
|
services = [
|
||||||
|
{ Infrastructure = cfg.infrastructure-services; }
|
||||||
|
{ Home = cfg.home-services; }
|
||||||
|
{ Media = cfg.media-services; }
|
||||||
|
];
|
||||||
|
servicesFile = builtins.toFile "homepage-config.yaml" (builtins.toJSON services);
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
options.mySystem.services.homepage.enable = mkEnableOption "Homepage dashboard";
|
options.mySystem.services.homepage = {
|
||||||
|
enable = mkEnableOption "Homepage dashboard";
|
||||||
|
infrastructure-services = lib.mkOption {
|
||||||
|
type = lib.types.listOf lib.types.attrs;
|
||||||
|
description = "Services to add to the infrastructure column";
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
|
home-services = lib.mkOption {
|
||||||
|
type = lib.types.listOf lib.types.attrs;
|
||||||
|
description = "Services to add to the infrastructure column";
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
|
media-services = lib.mkOption {
|
||||||
|
type = lib.types.listOf lib.types.attrs;
|
||||||
|
description = "Services to add to the infrastructure column";
|
||||||
|
default = [ ];
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
config = mkIf cfg.enable {
|
config = mkIf cfg.enable {
|
||||||
|
|
||||||
|
sops.secrets."services/sonarr/env" = {
|
||||||
|
# configure secret for forwarding rules
|
||||||
|
sopsFile = ../arr/sonarr/secrets.sops.yaml;
|
||||||
|
owner = "kah";
|
||||||
|
group = "kah";
|
||||||
|
restartUnits = [ "podman-${app}.service" ];
|
||||||
|
};
|
||||||
|
sops.secrets."services/radarr/env" = {
|
||||||
|
# configure secret for forwarding rules
|
||||||
|
sopsFile = ../arr/radarr/secrets.sops.yaml;
|
||||||
|
owner = "kah";
|
||||||
|
group = "kah";
|
||||||
|
restartUnits = [ "podman-${app}.service" ];
|
||||||
|
};
|
||||||
|
sops.secrets."services/lidarr/env" = {
|
||||||
|
# configure secret for forwarding rules
|
||||||
|
sopsFile = ../arr/lidarr/secrets.sops.yaml;
|
||||||
|
owner = "kah";
|
||||||
|
group = "kah";
|
||||||
|
restartUnits = [ "podman-${app}.service" ];
|
||||||
|
};
|
||||||
|
sops.secrets."services/readarr/env" = {
|
||||||
|
# configure secret for forwarding rules
|
||||||
|
sopsFile = ../arr/readarr/secrets.sops.yaml;
|
||||||
|
owner = "kah";
|
||||||
|
group = "kah";
|
||||||
|
restartUnits = [ "podman-${app}.service" ];
|
||||||
|
};
|
||||||
|
sops.secrets."services/prowlarr/env" = {
|
||||||
|
# configure secret for forwarding rules
|
||||||
|
sopsFile = ../arr/prowlarr/secrets.sops.yaml;
|
||||||
|
owner = "kah";
|
||||||
|
group = "kah";
|
||||||
|
restartUnits = [ "podman-${app}.service" ];
|
||||||
|
};
|
||||||
|
|
||||||
# ensure folder exist and has correct owner/group
|
# ensure folder exist and has correct owner/group
|
||||||
systemd.tmpfiles.rules = [
|
systemd.tmpfiles.rules = [
|
||||||
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
|
"d ${persistentFolder} 0755 ${user} ${group} -" #The - disables automatic cleanup, so the file wont be removed after a period
|
||||||
|
@ -27,23 +136,43 @@ in
|
||||||
virtualisation.oci-containers.containers.${app} = {
|
virtualisation.oci-containers.containers.${app} = {
|
||||||
image = "${image}";
|
image = "${image}";
|
||||||
user = "${user}:${group}";
|
user = "${user}:${group}";
|
||||||
|
|
||||||
environment = {
|
environment = {
|
||||||
UMASK = "002";
|
UMASK = "002";
|
||||||
PUID = "${user}";
|
PUID = "${user}";
|
||||||
PGID = "${group}";
|
PGID = "${group}";
|
||||||
};
|
};
|
||||||
|
|
||||||
|
environmentFiles = [
|
||||||
|
config.sops.secrets."services/sonarr/env".path
|
||||||
|
config.sops.secrets."services/radarr/env".path
|
||||||
|
config.sops.secrets."services/readarr/env".path
|
||||||
|
config.sops.secrets."services/lidarr/env".path
|
||||||
|
config.sops.secrets."services/prowlarr/env".path
|
||||||
|
];
|
||||||
|
|
||||||
labels = {
|
labels = {
|
||||||
"traefik.enable" = "true";
|
"traefik.enable" = "true";
|
||||||
"traefik.http.routers.${app}.entrypoints" = "websecure";
|
"traefik.http.routers.${app}.entrypoints" = "websecure";
|
||||||
"traefik.http.routers.${app}.middlewares" = "local-only@file";
|
"traefik.http.routers.${app}.middlewares" = "local-only@file";
|
||||||
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
|
"traefik.http.services.${app}.loadbalancer.server.port" = "${toString port}";
|
||||||
};
|
};
|
||||||
# mount socket for service discovery.
|
# not using docker socket for discovery, just
|
||||||
|
# building up the apps from a shared key
|
||||||
|
# this is a bit more tedious, but more secure
|
||||||
|
# from not exposing docker socet and makes it
|
||||||
|
# easier to have/move services between hosts
|
||||||
volumes = [
|
volumes = [
|
||||||
"${persistentFolder}:/app/config:rw"
|
"/etc/localtime:/etc/localtime:ro"
|
||||||
"/var/run/podman/podman.sock:/var/run/docker.sock:ro" # TODO abstract out podman/docker socket
|
"${persistentFolder}:/app/config/logs:rw"
|
||||||
|
"${settingsFile}:/app/config/settings.yaml"
|
||||||
|
"${servicesFile}:/app/config/services.yaml"
|
||||||
|
"${bookmarksFile}:/app/config/bookmarks.yaml"
|
||||||
|
"${widgetsFile}:/app/config/widgets.yaml"
|
||||||
|
|
||||||
];
|
];
|
||||||
|
|
||||||
};
|
};
|
||||||
|
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|
|
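Review bot: The new `environmentFiles` list in the `@ -27,23 +136,43 @@` hunk hands the homepage container the complete env files of sonarr, radarr, readarr, lidarr and prowlarr, so every variable stored in them, not only the API keys the widgets use, becomes readable inside the dashboard container. A dedicated homepage secret that holds only the `HOMEPAGE_VAR_*` keys would keep the exposure to what the widgets need. The five `sops.secrets` declarations in the first hunk are also unconditional, so this module needs every *arr `secrets.sops.yaml` to exist and decrypt even on a host where those services are disabled. Their comment `# configure secret for forwarding rules` does not describe them either. The `description` of `home-services` and `media-services` still says "infrastructure column"; `description = "Services to add to the home column";` and the media equivalent would fix the copy-paste.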
@ -18,6 +18,12 @@ in
|
||||||
|
|
||||||
dockerCompat = true;
|
dockerCompat = true;
|
||||||
extraPackages = [ pkgs.zfs ];
|
extraPackages = [ pkgs.zfs ];
|
||||||
|
|
||||||
|
# regular cleanup
|
||||||
|
autoPrune.enable = true;
|
||||||
|
autoPrune.dates = "weekly";
|
||||||
|
|
||||||
|
# and add dns
|
||||||
defaultNetwork.settings = {
|
defaultNetwork.settings = {
|
||||||
dns_enabled = true;
|
dns_enabled = true;
|
||||||
};
|
};
|
||||||
|
@ -27,7 +33,14 @@ in
|
||||||
};
|
};
|
||||||
networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];
|
networking.firewall.interfaces.podman0.allowedUDPPorts = [ 53 ];
|
||||||
|
|
||||||
|
# extra user for containers
|
||||||
|
users.users.kah = {
|
||||||
|
|
||||||
|
uid = 568;
|
||||||
|
group = "kah";
|
||||||
|
|
||||||
|
};
|
||||||
|
users.groups.kah = { };
|
||||||
};
|
};
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
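Review bot: `users.groups.kah = { };` leaves the group id to automatic allocation, while the containers in this commit run as `568:568` and their tmpfiles rules use the numeric group `568`; `users.groups.kah.gid = 568;` would keep the named group and the numeric one identical. The `users.users.kah` block also sets neither `isSystemUser` nor `isNormalUser`, and NixOS asserts that exactly one of them is set, so unless another module provides it, add `isSystemUser = true;` for this container service account. Both definitions sit in an attribute set that starts outside the hunk.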
@ -14,6 +14,7 @@ with lib;
|
||||||
mySystem.services.promMonitoring.enable = true;
|
mySystem.services.promMonitoring.enable = true;
|
||||||
mySystem.services.rebootRequiredCheck.enable = true;
|
mySystem.services.rebootRequiredCheck.enable = true;
|
||||||
mySystem.security.wheelNeedsSudoPassword = false;
|
mySystem.security.wheelNeedsSudoPassword = false;
|
||||||
|
mySystem.services.cockpit.enable = true;
|
||||||
|
|
||||||
nix.settings = {
|
nix.settings = {
|
||||||
# TODO factor out into mySystem
|
# TODO factor out into mySystem
|
||||||
|
|
|
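Review bot: Enabling Cockpit for every host that imports this profile exposes the web console on all interfaces, because the cockpit module in this commit keeps `openFirewall = true`. The neighbouring `mySystem.security.wheelNeedsSudoPassword = false;` suggests wheel users have passwordless sudo, which would make a Cockpit login as such a user root-equivalent. Consider opening the port only on the management interface via `networking.firewall.interfaces.<iface>.allowedTCPPorts`, or publishing Cockpit through the existing Traefik `local-only@file` middleware, and add a comment stating which exposure is intended. The same toggle is added in the next hunk as `services.cockpit.enable = true;`, and the enclosing attribute set starts and ends outside this hunk.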
@ -15,6 +15,7 @@ with config;
|
||||||
# Lets see if fish everywhere is OK on the pi's
|
# Lets see if fish everywhere is OK on the pi's
|
||||||
# TODO decide if i drop to bash on pis?
|
# TODO decide if i drop to bash on pis?
|
||||||
shell.fish.enable = true;
|
shell.fish.enable = true;
|
||||||
|
services.cockpit.enable = true;
|
||||||
|
|
||||||
nfs.nas.enable = true;
|
nfs.nas.enable = true;
|
||||||
};
|
};
|
||||||
|
|